1274 Views | 0 Helpful | 10 Replies

Routing between two ASAs possible?

darthbishop79 (Level 1)

Hello,

My name is Jay and I have a question on routing between two ASAs. Please allow me to explain the setup.

In the office we have one ASA 5505 with a Base License connected to a Cisco 1800 ISP router and a 2960S Layer 2 Lan Switch.

My supervisor wanted me to create a replica lab from our other location. It consists of the following:

An ASA 5510 with a Base License, a 2960S switch and a server. There is no ISP connectivity on this ASA and there doesn't need to be any, because it's just a development replication setup from another site we have.

My supervisor would like to be able to connect to this development 5510 and access this server from whatever VLAN it's on.

Can I connect the 5510 to the 5505 and just give it a static route from both sides? I know that these ASAs were never intended for routing per se. But my supervisor now wants me to take down the 5505 and replace it with another 5510 in the hope that this will work. I don't want him to waste resources if it's not needed.

Can anybody tell me whether routing between these two is possible, along with the users on the VLAN hosted from the 5505 being able to access the server on the development/testing 5510/2960S/server?

Any advice on this would be so much appreciated!

10 Replies

Julio Carvajal (VIP Alumni)

Hola Jesus,

No problem at all man, the ASAs can route; they support EIGRP, OSPF, RIP and even OSPFv3, so go ahead and give it a try.

Now remember that you will need to play with the rules in order to allow traffic from a lower to a higher security level, just in case.

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you Julio,

I have included the config of the ASA 5505. So I just have to create another VLAN on it with a security level, nameif, etc.?

ASA Version 8.2(5)
!
hostname bigred
enable password J52ZjGV907pWfK2E encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.x.x.x 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
 name-server 167.206.112.138
 name-server 167.206.7.4
object-group icmp-type ICMP-Types
 description Allowed ICMP Types
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
access-list outside_access_in remark Derek from Inverse SSH to PF box for MEC
access-list outside_access_in extended permit tcp any any eq ssh
access-list BRPACL standard permit 192.168.1.0 255.255.255.0
access-list BRPIPSECVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list NAT-EXEMPT extended permit ip host 192.168.1.36 host 192.168.1.36
access-list BRPIPSEC5_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip host 192.168.1.36 any
access-list Inbound extended permit icmp any any object-group ICMP-Types
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool client-pool 192.168.1.2-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) tcp interface ssh 192.168.1.32 ssh netmask 255.255.255.255
access-group Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 108.x.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MyRadius protocol radius
aaa-server MyRadius (inside) host 192.168.0.254
 key *****
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dynmap 1 set transform-set myset
crypto dynamic-map dynmap 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 108.x.x.x 255.255.255.248 outside
telnet 108.x.x.x 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 167.206.112.138
dhcpd lease 86400
!
dhcpd address 192.168.1.20-192.168.1.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy BRPACVPN7grp internal
group-policy BRPACVPN7grp attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
group-policy BRPIPSEC5 internal
group-policy BRPIPSEC5 attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BRPIPSEC5_splitTunnelAcl
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
username brpsupport password zI7LviwmgXkaZ/aa encrypted privilege 15
username dino password rMbZiny1o/BxpxEn encrypted
username nate password ASTjIxHZk2qtAyh4 encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool AnyPool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group BRPACVPN7 type remote-access
tunnel-group BRPACVPN7 general-attributes
 address-pool AnyPool
 default-group-policy BRPACVPN7grp
tunnel-group BRPIPSEC5 type remote-access
tunnel-group BRPIPSEC5 general-attributes
 address-pool AnyPool
 default-group-policy BRPIPSEC5
tunnel-group BRPIPSEC5 ipsec-attributes
 pre-shared-key *****
tunnel-group client type remote-access
tunnel-group client general-attributes
 address-pool client-pool
 authentication-server-group MyRadius
tunnel-group client ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bde4c761e429c028f9a4902c211b7b16
: end
bigred#

Hello,

Exactly, just another interface as usual; make sure both boxes have connectivity to each other and then configure routing as required.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio, I can now ping the ASAs from each other. But I can't ping from my 192.168.1.x to the subnet of the other ASA.

Do I need to configure an access list?

The ASA 5505 is 192.168.1.1 and I created an inside interface on the 5510 as 192.168.9.1. I can ping across both.

Hello Jesus,

Can you create a quick diagram of how the network is setup or share both ASAs configs?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Production LAN office:                                   Development:

ISP - Cisco 1800 modem
        |                                Pingable
ASA 5505 - Base License E0/2 ---------------------- E0/2 (Inside 192.168.9.1) ASA 5510 - Base License
        |                                                          |
2960S Switch                                                2960S Switch

Current config of 5505

show run
: Saved
:
ASA Version 8.2(5)
!
hostname bigred
enable password J52ZjGV907pWfK2E encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.x.x.x 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
 name-server 167.206.112.138
 name-server 167.206.7.4
object-group icmp-type ICMP-Types
 description Allowed ICMP Types
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
access-list outside_access_in remark Derek from Inverse SSH to PF box for M
access-list outside_access_in extended permit tcp any any eq ssh
access-list BRPACL standard permit 192.168.1.0 255.255.255.0
access-list BRPIPSECVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.
access-list split standard permit 192.168.1.0 255.255.255.0
access-list BRPIPSEC5_splitTunnelAcl standard permit 192.168.1.0 255.255.25
access-list capin extended permit ip host 192.168.1.200 host 10.10.10.1
access-list capin extended permit ip host 10.10.10.1 host 192.168.1.200
access-list Inbound extended permit icmp any any object-group ICMP-Types
access-list Inbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0255.255.0
access-list Inbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool client-pool 10.10.10.1-10.10.10.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
access-group Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 108.58.169.9 1
route inside 192.168.9.0 255.255.255.0 192.168.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:0
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server MyRadius protocol radius
aaa-server MyRadius (inside) host 192.168.0.254
 key *****
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AE-SHA
crypto dynamic-map dynmap 1 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 33
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 108.x.x.x 255.255.255.248 outside
ssh 63.247.181.120 255.255.255.248 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd dns 167.206.112.138
dhcpd lease 86400
!
dhcpd address 192.168.1.20-192.168.1.100 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.45 C:\OpenTFTPServer
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy BRPVPN79 internal
group-policy BRPVPN79 attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
username brpsupport password zI7LviwmgXkaZ/aa encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
username dino password rMbZiny1o/BxpxEn encrypted
username nate password ASTjIxHZk2qtAyh4 encrypted
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group BRPVPN79 type remote-access
tunnel-group BRPVPN79 general-attributes
 address-pool client-pool
 default-group-policy BRPVPN79
tunnel-group BRPVPN79 ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c9cd3816db1bd739303764a863dc7d91
: end

Config of 5510 -- it's a big one since it's from our production site elsewhere. We are trying to replicate it with a test lab.

show run
: Saved
:
ASA Version 8.2(5)
!
hostname NJExpoCenter-ASA
domain-name NJExpoCenter
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 speed 100
 duplex full
 shutdown
 nameif Internet
 security-level 0
 ip address 63.x.x.x 255.255.255.248
!
interface Ethernet0/1
 shutdown
 nameif packetfence-in
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/1.103
 vlan 103
 nameif packetfence-prod
 security-level 50
 ip address 10.3.0.1 255.255.0.0
!
interface Ethernet0/1.105
 vlan 105
 nameif packetfence-tier2
 security-level 50
 ip address 10.5.0.1 255.255.0.0
!
interface Ethernet0/1.106
 vlan 106
 nameif packetfence-tier3
 security-level 50
 ip address 10.6.0.1 255.255.0.0
!
interface Ethernet0/1.107
 vlan 107
 nameif packetfence-tier4
 security-level 50
 ip address 10.7.0.1 255.255.0.0
!
interface Ethernet0/1.120
 vlan 120
 nameif njexpo-retail
 security-level 50
 ip address 10.20.0.1 255.255.0.0
!
interface Ethernet0/1.130
 vlan 130
 nameif noshaping
 security-level 50
 ip address 10.30.0.1 255.255.0.0
!
interface Ethernet0/1.131
 vlan 131
 nameif libertySSID
 security-level 50
 ip address 10.31.0.1 255.255.0.0
!
interface Ethernet0/1.132
 vlan 132
 nameif nyscc
 security-level 50
 ip address 10.32.0.1 255.255.0.0
!
interface Ethernet0/1.133
 vlan 133
 nameif brpSSIDnoshaping
 security-level 50
 ip address 10.33.0.1 255.255.0.0
!
interface Ethernet0/1.150
 vlan 150
 nameif 5M-PrivateVLAN
 security-level 50
 ip address 10.150.0.1 255.255.0.0
!
interface Ethernet0/1.151
 vlan 151
 nameif 10M-PrivateVLAN
 security-level 50
 ip address 10.151.0.1 255.255.0.0
!
interface Ethernet0/1.152
 vlan 152
 nameif 20M-PrivateVLAN
 security-level 50
 ip address 10.152.0.1 255.255.0.0
!
interface Ethernet0/1.153
 vlan 153
 nameif 30M-PrivateVLAN
 security-level 50
 ip address 10.153.0.1 255.255.0.0
!
interface Ethernet0/1.154
 vlan 154
 nameif 40M-PrivateVLAN
 security-level 50
 ip address 10.154.0.1 255.255.0.0
!
interface Ethernet0/1.155
 vlan 155
 nameif 50M-PrivateVLAN
 security-level 50
 ip address 10.155.0.1 255.255.0.0
!
interface Ethernet0/1.156
 vlan 156
 nameif 60M-PrivateVLAN
 security-level 50
 ip address 10.156.0.1 255.255.0.0
!
interface Ethernet0/1.157
 vlan 157
 nameif 70M-PrivateVLAN
 security-level 50
 ip address 10.157.0.1 255.255.0.0
!
interface Ethernet0/1.158
 vlan 158
 nameif 80M-PrivateVLAN
 security-level 50
 ip address 10.158.0.1 255.255.0.0
!
interface Ethernet0/1.159
 vlan 159
 nameif 90M-PrivateVLAN
 security-level 50
 ip address 10.159.0.1 255.255.0.0
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.9.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Internet
dns server-group DefaultDNS
 name-server 167.x.x.x
 name-server 167.x.x.x
 domain-name NJExpoCenter
same-security-traffic permit inter-interface
object-group service mysql tcp
 port-object eq 3306
object-group icmp-type ICMP-Types
 description Allowed ICMP Types
 icmp-object unreachable
 icmp-object time-exceeded
 icmp-object echo-reply
access-list Internet-in extended permit icmp any any
access-list Internet-in extended permit tcp any any object-group mysql
access-list Internet-in extended permit udp any any eq snmp
access-list RemoteAccessVPN standard permit 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-prod_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-prod_nat0_outbound extended permit ip 10.3.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-prod_access_in remark Deny everything to management
access-list packetfence-prod_access_in extended deny ip 10.3.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list packetfence-prod_access_in extended permit ip any any
access-list njexpo-retail_access_in extended deny ip 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list njexpo-retail_access_in extended permit ip any any
access-list njexpo-retail_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list njexpo-retail_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list njexpo-police extended permit ip 10.20.0.0 255.255.0.0 any
access-list njexpo-police extended permit ip any 10.20.0.0 255.255.0.0
access-list tier1-police extended permit ip 10.3.0.0 255.255.0.0 any
access-list tier1-police extended permit ip any 10.3.0.0 255.255.0.0
access-list tier2-police extended permit ip 10.5.0.0 255.255.0.0 any
access-list tier2-police extended permit ip any 10.5.0.0 255.255.0.0
access-list tier3-police extended permit ip 10.6.0.0 255.255.0.0 any
access-list tier3-police extended permit ip any 10.6.0.0 255.255.0.0
access-list tier4-police extended permit ip 10.7.0.0 255.255.0.0 any
access-list tier4-police extended permit ip any 10.7.0.0 255.255.0.0
access-list packetfence-tier3_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-tier3_nat0_outbound extended permit ip 10.6.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-tier2_nat0_outbound extended permit ip 10.5.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-tier2_nat0_outbound extended permit ip 10.5.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-tier4_nat0_outbound extended permit ip 10.7.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list packetfence-tier4_nat0_outbound extended permit ip 10.7.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-tier4_access_in extended deny ip 10.7.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list packetfence-tier4_access_in extended permit ip any any
access-list packetfence-tier3_access_in extended deny ip 10.6.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list packetfence-tier3_access_in extended permit ip any any
access-list packetfence-tier2_access_in extended deny ip 10.5.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list packetfence-tier2_access_in extended permit ip any any
access-list noshaping_access_in extended deny ip any 192.168.10.0 255.255.255.0 inactive
access-list noshaping_access_in extended permit ip any any
access-list noshaping_nat0_outbound extended permit ip 10.30.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list noshaping_nat0_outbound extended permit ip 10.30.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list libertySSID_nat0_outbound extended permit ip 10.31.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list libertySSID_nat0_outbound extended permit ip 10.31.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list libertySSID_access_in extended deny ip 10.31.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list libertySSID_access_in extended permit ip any any
access-list liberty-police extended permit ip 10.31.0.0 255.255.0.0 any
access-list liberty-police extended permit ip any 10.31.0.0 255.255.0.0
access-list nyscc_nat0_outbound extended permit ip 10.32.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list nyscc_nat0_outbound extended permit ip 10.32.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list nyscc_access_in extended deny ip 10.32.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nyscc_access_in extended permit ip any any
access-list nyscc_mpc extended permit ip 10.32.0.0 255.255.0.0 any
access-list nyscc_mpc extended permit ip any 10.32.0.0 255.255.0.0
access-list brpSSIDnoshaping_access_in extended permit ip 10.33.0.0 255.255.0.0 any
access-list brpSSIDnoshaping_access_in extended permit icmp 10.33.0.0 255.255.0.0 any
access-list brpSSIDnoshaping_nat0_outbound extended permit ip 10.33.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list brpSSIDnoshaping_nat0_outbound extended permit ip 10.33.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list packetfence-in_access_in extended permit icmp any any
access-list packetfence-in_access_in extended permit ip any any
access-list 5M-policy extended permit ip 10.150.0.0 255.255.0.0 any
access-list 5M-policy extended permit ip any 10.150.0.0 255.255.0.0
access-list 10M-policy extended permit ip 10.151.0.0 255.255.0.0 any
access-list 10M-policy extended permit ip any 10.151.0.0 255.255.0.0
access-list 20M-policy extended permit ip 10.152.0.0 255.255.0.0 any
access-list 20M-policy extended permit ip any 10.152.0.0 255.255.0.0
access-list 30M-policy extended permit ip 10.153.0.0 255.255.0.0 any
access-list 30M-policy extended permit ip any 10.153.0.0 255.255.0.0
access-list 40M-policy extended permit ip 10.154.0.0 255.255.0.0 any
access-list 40M-policy extended permit ip any 10.154.0.0 255.255.0.0
access-list 50M-policy extended permit ip 10.155.0.0 255.255.0.0 any
access-list 50M-policy extended permit ip any 10.155.0.0 255.255.0.0
access-list 60M-policy extended permit ip 10.156.0.0 255.255.0.0 any
access-list 60M-policy extended permit ip any 10.156.0.0 255.255.0.0
access-list 70M-policy extended permit ip 10.157.0.0 255.255.0.0 any
access-list 70M-policy extended permit ip any 10.157.0.0 255.255.0.0
access-list 80M-policy extended permit ip 10.158.0.0 255.255.0.0 any
access-list 80M-policy extended permit ip any 10.158.0.0 255.255.0.0
access-list 90M-policy extended permit ip 10.159.0.0 255.255.0.0 any
access-list 90M-policy extended permit ip any 10.159.0.0 255.255.0.0
access-list 5M-PrivateVLAN_nat0_outbound extended permit ip 10.150.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 5M-PrivateVLAN_nat0_outbound extended permit ip 10.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 10M-PrivateVLAN_nat0_outbound extended permit ip 10.151.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 10M-PrivateVLAN_nat0_outbound extended permit ip 10.151.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 20M-PrivateVLAN_nat0_outbound extended permit ip 10.152.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 20M-PrivateVLAN_nat0_outbound extended permit ip 10.152.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 30M-PrivateVLAN_nat0_outbound extended permit ip 10.153.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 30M-PrivateVLAN_nat0_outbound extended permit ip 10.153.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 40M-PrivateVLAN_nat0_outbound extended permit ip 10.154.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 40M-PrivateVLAN_nat0_outbound extended permit ip 10.154.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 50M-PrivateVLAN_nat0_outbound extended permit ip 10.155.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 50M-PrivateVLAN_nat0_outbound extended permit ip 10.155.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 60M-PrivateVLAN_nat0_outbound extended permit ip 10.156.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 60M-PrivateVLAN_nat0_outbound extended permit ip 10.156.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 70M-PrivateVLAN_nat0_outbound extended permit ip 10.157.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 70M-PrivateVLAN_nat0_outbound extended permit ip 10.157.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 80M-PrivateVLAN_nat0_outbound extended permit ip 10.158.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 80M-PrivateVLAN_nat0_outbound extended permit ip 10.158.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 90M-PrivateVLAN_nat0_outbound extended permit ip 10.159.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list 90M-PrivateVLAN_nat0_outbound extended permit ip 10.159.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 5M-PrivateVLAN_access_in extended deny ip 10.150.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 5M-PrivateVLAN_access_in extended permit ip any any
access-list 10M-PrivateVLAN_access_in extended deny ip 10.151.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 10M-PrivateVLAN_access_in extended permit ip any any
access-list 20M-PrivateVLAN_access_in extended deny ip 10.152.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 20M-PrivateVLAN_access_in extended permit ip any any
access-list 30M-PrivateVLAN_access_in extended deny ip 10.153.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 30M-PrivateVLAN_access_in extended permit ip any any
access-list 40M-PrivateVLAN_access_in extended deny ip 10.154.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 40M-PrivateVLAN_access_in extended permit ip any any
access-list 50M-PrivateVLAN_access_in extended deny ip 10.155.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 50M-PrivateVLAN_access_in extended permit ip any any
access-list 60M-PrivateVLAN_access_in extended deny ip 10.156.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 60M-PrivateVLAN_access_in extended permit ip any any
access-list 70M-PrivateVLAN_access_in extended deny ip 10.157.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 70M-PrivateVLAN_access_in extended permit ip any any
access-list 80M-PrivateVLAN_access_in extended deny ip 10.158.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 80M-PrivateVLAN_access_in extended permit ip any any
access-list 90M-PrivateVLAN_access_in extended deny ip 10.159.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 90M-PrivateVLAN_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 1024000
logging buffered debugging
logging asdm informational
mtu management 1500
mtu Internet 1500
mtu packetfence-in 1500
mtu packetfence-prod 1500
mtu packetfence-tier2 1500
mtu packetfence-tier3 1500
mtu packetfence-tier4 1500
mtu njexpo-retail 1500
mtu noshaping 1500
mtu libertySSID 1500
mtu nyscc 1500
mtu brpSSIDnoshaping 1500
mtu 5M-PrivateVLAN 1500
mtu 10M-PrivateVLAN 1500
mtu 20M-PrivateVLAN 1500
mtu 30M-PrivateVLAN 1500
mtu 40M-PrivateVLAN 1500
mtu 50M-PrivateVLAN 1500
mtu 60M-PrivateVLAN 1500
mtu 70M-PrivateVLAN 1500
mtu 80M-PrivateVLAN 1500
mtu 90M-PrivateVLAN 1500
mtu inside 1500
ip local pool remoteaccess 192.168.10.250-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (Internet) 1 interface
nat (packetfence-in) 0 access-list nonat
nat (packetfence-in) 1 192.168.10.0 255.255.255.0
nat (packetfence-prod) 0 access-list packetfence-prod_nat0_outbound
nat (packetfence-prod) 1 10.3.0.0 255.255.0.0
nat (packetfence-tier2) 0 access-list packetfence-tier2_nat0_outbound
nat (packetfence-tier2) 1 10.5.0.0 255.255.0.0
nat (packetfence-tier3) 0 access-list packetfence-tier3_nat0_outbound
nat (packetfence-tier3) 1 10.6.0.0 255.255.0.0
nat (packetfence-tier4) 0 access-list packetfence-tier4_nat0_outbound
nat (packetfence-tier4) 1 10.7.0.0 255.255.0.0
nat (njexpo-retail) 0 access-list njexpo-retail_nat0_outbound
nat (njexpo-retail) 1 10.20.0.0 255.255.0.0
nat (noshaping) 0 access-list noshaping_nat0_outbound
nat (noshaping) 1 10.30.0.0 255.255.0.0
nat (libertySSID) 0 access-list libertySSID_nat0_outbound
nat (libertySSID) 1 10.31.0.0 255.255.0.0
nat (nyscc) 0 access-list nyscc_nat0_outbound
nat (nyscc) 1 10.32.0.0 255.255.0.0
nat (brpSSIDnoshaping) 0 access-list brpSSIDnoshaping_nat0_outbound
nat (brpSSIDnoshaping) 1 10.33.0.0 255.255.0.0
nat (5M-PrivateVLAN) 0 access-list 5M-PrivateVLAN_nat0_outbound
nat (5M-PrivateVLAN) 1 10.150.0.0 255.255.0.0
nat (10M-PrivateVLAN) 0 access-list 10M-PrivateVLAN_nat0_outbound
nat (10M-PrivateVLAN) 1 10.151.0.0 255.255.0.0
nat (20M-PrivateVLAN) 0 access-list 20M-PrivateVLAN_nat0_outbound
nat (20M-PrivateVLAN) 1 10.152.0.0 255.255.0.0
nat (30M-PrivateVLAN) 0 access-list 30M-PrivateVLAN_nat0_outbound
nat (30M-PrivateVLAN) 1 10.153.0.0 255.255.0.0
nat (40M-PrivateVLAN) 0 access-list 40M-PrivateVLAN_nat0_outbound
nat (40M-PrivateVLAN) 1 10.154.0.0 255.255.0.0
nat (50M-PrivateVLAN) 0 access-list 50M-PrivateVLAN_nat0_outbound
nat (50M-PrivateVLAN) 1 10.155.0.0 255.255.0.0
nat (60M-PrivateVLAN) 0 access-list 60M-PrivateVLAN_nat0_outbound
nat (60M-PrivateVLAN) 1 10.156.0.0 255.255.0.0
nat (70M-PrivateVLAN) 0 access-list 70M-PrivateVLAN_nat0_outbound
nat (70M-PrivateVLAN) 1 10.157.0.0 255.255.0.0
nat (80M-PrivateVLAN) 0 access-list 80M-PrivateVLAN_nat0_outbound
nat (80M-PrivateVLAN) 1 10.158.0.0 255.255.0.0
nat (90M-PrivateVLAN) 0 access-list 90M-PrivateVLAN_nat0_outbound
nat (90M-PrivateVLAN) 1 10.159.0.0 255.255.0.0
static (packetfence-in,Internet) tcp interface 3306 192.168.10.3 3306 netmask 255.255.255.255
static (packetfence-in,Internet) udp interface snmp 192.168.10.4 snmp netmask 255.255.255.255
access-group Internet-in in interface Internet
access-group packetfence-in_access_in in interface packetfence-in
access-group packetfence-prod_access_in in interface packetfence-prod
access-group packetfence-tier2_access_in in interface packetfence-tier2
access-group packetfence-tier3_access_in in interface packetfence-tier3
access-group packetfence-tier4_access_in in interface packetfence-tier4
access-group njexpo-retail_access_in in interface njexpo-retail

access-group noshaping_access_in in interface noshaping

access-group libertySSID_access_in in interface libertySSID

access-group nyscc_access_in in interface nyscc

access-group brpSSIDnoshaping_access_in in interface brpSSIDnoshaping

access-group 5M-PrivateVLAN_access_in in interface 5M-PrivateVLAN

access-group 10M-PrivateVLAN_access_in in interface 10M-PrivateVLAN

access-group 20M-PrivateVLAN_access_in in interface 20M-PrivateVLAN

access-group 30M-PrivateVLAN_access_in in interface 30M-PrivateVLAN

access-group 40M-PrivateVLAN_access_in in interface 40M-PrivateVLAN

access-group 50M-PrivateVLAN_access_in in interface 50M-PrivateVLAN

access-group 60M-PrivateVLAN_access_in in interface 60M-PrivateVLAN

access-group 70M-PrivateVLAN_access_in in interface 70M-PrivateVLAN

access-group 80M-PrivateVLAN_access_in in interface 80M-PrivateVLAN

access-group 90M-PrivateVLAN_access_in in interface 90M-PrivateVLAN

route Internet 0.0.0.0 0.0.0.0 63.x.x.x 1

route inside 192.168.1.0 255.255.255.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.10.0 255.255.255.0 packetfence-in

http 0.0.0.0 0.0.0.0 Internet

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dynamic_outside_map 65535 set pfs

crypto dynamic-map dynamic_outside_map 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic dynamic_outside_map

crypto map outside_map interface Internet

crypto isakmp identity address

crypto isakmp enable Internet

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption aes

hash sha

group 1

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

crypto isakmp disconnect-notify

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 management

ssh 0.0.0.0 0.0.0.0 Internet

ssh 192.168.10.0 255.255.255.0 packetfence-in

ssh timeout 30

console timeout 30

management-access packetfence-in

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

dhcpd address 192.168.10.100-192.168.10.254 packetfence-in

dhcpd dns 167.x.x.x 167.x.x.x interface packetfence-in

!

dhcprelay server 192.168.10.3 packetfence-in

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 128.x.x.x source Internet

ntp server 209.x.x.x source Internet prefer

webvpn

enable Internet

svc enable

tunnel-group-list enable

group-policy remoteaccess internal

group-policy remoteaccess attributes

banner value NOTICE TO USERS

banner value This system is for authorized use only! Users have no explicit or implicit expectation of privacy. All uses of this system may be monitored, recorded, and may be disclosed to law enforcement for purposes of legal prosecution. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

vpn-idle-timeout 60

vpn-session-timeout 720

vpn-tunnel-protocol IPSec

pfs enable

ipsec-udp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteAccessVPN

group-policy InversePolicy internal

group-policy InversePolicy attributes

vpn-simultaneous-logins 5

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteAccessVPN

username admin password IDQpHFcEl9mYQs8n encrypted privilege 15

username inverse password PQoI60tNhS.EVEoN encrypted privilege 0

username inverse attributes

vpn-group-policy InversePolicy

username dino password 34BFk9MUmep0ekhh encrypted

username dino attributes

vpn-group-policy InversePolicy

service-type remote-access

username extricom password 2HJKDN.zrbPFB.GR encrypted

username extricom attributes

vpn-group-policy InversePolicy

vpn-simultaneous-logins 3

group-lock value Inverse

service-type remote-access

tunnel-group remoteaccess type remote-access

tunnel-group remoteaccess general-attributes

address-pool remoteaccess

default-group-policy remoteaccess

tunnel-group remoteaccess ipsec-attributes

pre-shared-key *****

tunnel-group Inverse type remote-access

tunnel-group Inverse general-attributes

address-pool remoteaccess

default-group-policy InversePolicy

tunnel-group Inverse webvpn-attributes

group-alias Inverse enable

!

class-map tier3-police

match access-list tier3-police

class-map tier2-police

match access-list tier2-police

class-map tier1-police

match access-list tier1-police

class-map liberty-police

match access-list liberty-police

class-map tier4-police

match access-list tier4-police

class-map nyscc-police

match access-list nyscc_mpc

class-map 5M-policy

match access-list 5M-policy

class-map 10M-policy

match access-list 10M-policy

class-map 20M-policy

match access-list 20M-policy

class-map 30M-policy

match access-list 30M-policy

class-map 40M-policy

match access-list 40M-policy

class-map 50M-policy

match access-list 50M-policy

class-map 60M-policy

match access-list 60M-policy

class-map 70M-policy

match access-list 70M-policy

class-map 80M-policy

match access-list 80M-policy

class-map 90M-policy

match access-list 90M-policy

class-map inspection_default

match default-inspection-traffic

class-map njexpo-police

match access-list njexpo-police

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map nyscc-policy

class nyscc-police

  police input 20000000 10000

  police output 20000000 10000

policy-map liberty-police

class liberty-police

  police input 25000000 12500

  police output 25000000 12500

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

policy-map 5M-policy

class 5M-policy

  police input 41943000

  police output 41943000

policy-map 10M-policy

class 10M-policy

  police input 83886000

  police output 83886000

policy-map 20M-policy

class 20M-policy

  police input 20000000

  police output 20000000

policy-map 30M-policy

class 30M-policy

  police input 30000000

  police output 30000000

policy-map 40M-policy

class 40M-policy

  police input 40000000

  police output 40000000

policy-map 50M-policy

class 50M-policy

  police input 50000000

  police output 50000000

policy-map 60M-policy

class 60M-policy

  police input 503312000

  police output 503312000

policy-map 70M-policy

class 70M-policy

  police input 587200000

  police output 587200000

policy-map 80M-policy

class 80M-policy

  police input 671088000

  police output 671088000

policy-map 90M-policy

class 90M-policy

  police input 754968000

  police output 754968000

policy-map shaping-njexpo-retail

class njexpo-police

  police input 2000000

  police output 2000000

policy-map shaping-tier4

class tier4-police

  police input 5000000

  police output 5000000

policy-map shaping-tier1

class tier1-police

  police input 256000

  police output 256000

policy-map shaping-tier3

class tier3-police

  police input 3250000

  police output 3250000

policy-map shaping-tier2

class tier2-police

  police input 1500000

  police output 1500000

!

service-policy global_policy global

service-policy shaping-tier1 interface packetfence-prod

service-policy shaping-tier2 interface packetfence-tier2

service-policy shaping-tier3 interface packetfence-tier3

service-policy shaping-tier4 interface packetfence-tier4

service-policy shaping-njexpo-retail interface njexpo-retail

service-policy liberty-police interface libertySSID

service-policy nyscc-policy interface nyscc

service-policy 5M-policy interface 5M-PrivateVLAN

service-policy 10M-policy interface 10M-PrivateVLAN

service-policy 20M-policy interface 20M-PrivateVLAN

service-policy 30M-policy interface 30M-PrivateVLAN

service-policy 40M-policy interface 40M-PrivateVLAN

service-policy 50M-policy interface 50M-PrivateVLAN

service-policy 60M-policy interface 60M-PrivateVLAN

service-policy 70M-policy interface 70M-PrivateVLAN

service-policy 80M-policy interface 80M-PrivateVLAN

service-policy 90M-policy interface 90M-PrivateVLAN

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:5fac371d1f4b2087e9d51f5334c87dec

: end

I just ran this packet-tracer:

bigred(config)# packet-tracer input inside tcp 192.168.1.1 echo 192.168.9.1 ec$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.9.0     255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule
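The trace above ends with input-interface and output-interface both set to inside and a drop at an ACCESS-LIST phase with only an implicit rule. That is the signature of a flow trying to leave through the interface it arrived on, which the ASA refuses unless same-security-traffic permit intra-interface is configured. The following is an added example, not code from the original post: a small parser for packet-tracer output that pulls out the phases, the final summary block and a plain-language diagnosis. The sample text is constructed to mirror the trace in the post.

```python
"""Parse Cisco ASA packet-tracer output and explain why a flow was dropped.

Added example for this thread, not part of the original post. SAMPLE_TRACE
is a constructed copy of the trace posted above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the packet-tracer run in the post above.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.9.0     255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    ptype: str
    result: str
    lines: list = field(default_factory=list)   # everything else under the phase


@dataclass
class Trace:
    phases: list
    summary: dict   # key/value pairs from the final "Result:" block


def parse_trace(text):
    """Split packet-tracer output into numbered phases plus the summary block."""
    phases, summary, current, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:
            current = Phase(int(m.group(1)), "", "")
            phases.append(current)
            continue
        if line == "Result:":          # bare "Result:" starts the final summary
            in_summary, current = True, None
            continue
        if in_summary:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
        elif current is not None:
            if line.startswith("Type:"):
                current.ptype = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                current.result = line.split(":", 1)[1].strip()
            else:
                current.lines.append(line)
    return Trace(phases, summary)


def diagnose(trace):
    """Return human-readable findings; empty if the flow was allowed."""
    findings = []
    s = trace.summary
    if s.get("Action") != "drop":
        return findings
    drop = next((p for p in trace.phases if p.result == "DROP"), None)
    if drop:
        findings.append(f"dropped in phase {drop.number} ({drop.ptype}): "
                        f"{s.get('Drop-reason', '')}")
    # Same ingress and egress interface: intra-interface (hairpin) traffic,
    # which the ASA drops unless explicitly permitted.
    if s.get("input-interface") and s.get("input-interface") == s.get("output-interface"):
        findings.append(
            f"hairpin: flow enters and leaves {s['input-interface']}; the ASA drops "
            "intra-interface traffic unless 'same-security-traffic permit "
            "intra-interface' is configured and the interface ACL permits it")
    for p in trace.phases:
        if p.ptype == "ROUTE-LOOKUP":
            for l in p.lines:
                if l.startswith("in "):
                    findings.append("route lookup: " + " ".join(l.split()))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```

Run it against any saved packet-tracer output; the route-lookup line it echoes is the one to compare with the destination you expected, which in the thread is exactly where the two boxes turned out not to share a subnet.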

Hello,

What is the subnet that they have in common for reachability? I do not see that.

I mean I see them on completely different broadcast domains.

Do you follow me?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Bingo,

Julio, you are right. I am having such an amateur moment here, thank you for pointing this out.

I have now made the e0/2 interface on the 5510 192.168.1.10 and I can ping it from my laptop that is connected through the 5505.

I have only one problem left and I believe it's a route issue. I cannot ping the 192.168.10.x network on the 5510. How do I advertise that subnet to the 5505 so the users can access the server on that subnet?

Again, thank you so much.

Hello Jesus,

Great to hear that,

Why don't you create a static route there as well pointing to the 5510?

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
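Before typing that static route on the 5505, two things in the posted configuration are worth checking. First, the nat, dhcpd and ip local pool lines show that 192.168.10.0/24 is already the 5505's own packetfence-in subnet, so a route for the same prefix toward the 5510 would be shadowed by the connected route (connected always wins), and the lab server would need a different subnet or NAT on the 5510. Second, http and ssh are open to 0.0.0.0 0.0.0.0 on the Internet interface. The following is an added example, not code from the original posts or from Cisco: a pre-flight check that reads an ASA 8.2 style config and reports overlaps, hairpin and management exposure for a proposed route. The config excerpt is constructed from lines of the posted configuration, with the masked 63.x.x.x gateway replaced by a placeholder.

```python
"""Pre-flight checks for 'route <iface> <net> <mask> <next-hop>' on an ASA 8.2.

Added example for this thread, not code from the original posts or from Cisco.
SAMPLE_CONFIG is a constructed excerpt of the configuration posted above; the
Internet gateway is a placeholder because the post masks it.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
nat-control
nat (packetfence-in) 1 192.168.10.0 255.255.255.0
nat (packetfence-prod) 1 10.3.0.0 255.255.0.0
ip local pool remoteaccess 192.168.10.250-192.168.10.254 mask 255.255.255.0
route Internet 0.0.0.0 0.0.0.0 63.0.0.1 1
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Internet
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 Internet
dhcpd address 192.168.10.100-192.168.10.254 packetfence-in
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(rf"^nat \((\S+)\) \d+ {IP} {IP}$")
DHCP_RE = re.compile(rf"^dhcpd address {IP}-{IP} (\S+)$")
POOL_RE = re.compile(rf"^ip local pool \S+ {IP}-{IP} ")
MGMT_RE = re.compile(rf"^(ssh|http) {IP} {IP} (\S+)$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def owned_ranges(config):
    """Map owner -> [(first, last, config line)] for address space the ASA already
    serves locally: dynamic NAT source subnets, DHCP scopes and VPN address pools."""
    owned = {}
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            n = net(m.group(2), m.group(3))
            owned.setdefault(m.group(1), []).append((n[0], n[-1], line))
        elif m := DHCP_RE.match(line):
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            owned.setdefault(m.group(3), []).append((lo, hi, line))
        elif m := POOL_RE.match(line):
            lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            owned.setdefault("vpn-pool", []).append((lo, hi, line))
    return owned


def open_management(config):
    """ssh/http lines that admit any source address (0.0.0.0 0.0.0.0)."""
    out = []
    for line in config.splitlines():
        m = MGMT_RE.match(line)
        if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
            out.append(f"{m.group(1)} is reachable from any address on interface {m.group(4)}")
    return out


def check_static_route(config, iface, dest, mask, next_hop, from_iface):
    """Findings for a proposed 'route iface dest mask next_hop' used by hosts on from_iface."""
    target = net(dest, mask)
    findings = []
    for owner, ranges in owned_ranges(config).items():
        for lo, hi, line in ranges:
            if not (hi < target[0] or lo > target[-1]):   # the two ranges intersect
                findings.append(f"overlap: {target} is already in use on {owner} ({line}); "
                                "a connected subnet always beats a static route")
    if iface == from_iface:
        findings.append(f"hairpin: traffic enters and leaves {iface}; "
                        "requires 'same-security-traffic permit intra-interface'")
    if "nat-control" in config.splitlines():
        findings.append("nat-control is enabled: confirm with packet-tracer that the "
                        f"{from_iface} -> {target} flow matches a nat or nat 0 rule")
    findings.extend(open_management(config))
    return findings


if __name__ == "__main__":
    # The route suggested in the thread: lab subnet behind the 5510 at 192.168.1.10.
    for f in check_static_route(SAMPLE_CONFIG, "inside", "192.168.10.0",
                                "255.255.255.0", "192.168.1.10", "inside"):
        print("-", f)
```

Pass the interface the users actually sit on as from_iface (one of the PrivateVLAN interfaces here); the hairpin finding only applies when the route exits the same interface the traffic entered, as in the earlier packet-tracer run.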