Hi,
I have inherited a Cisco 5515 ASA, which is up and running on the company network. As a complete Noob to ASA’s I have the following problem.
Users require accessing an internal server via an external web address. The DNS map of the web address points to one of my Public IP addresses. I configured the ASA using the public servers wizard on the ASDM, everything seems to be fine.
I just can’t access the server from the web address. Below is my config. Any help would be most appreciated.
interface GigabitEthernet0/0
description WAN side to Router
nameif outside
security-level 0
ip address xx.xxx.xxx.xxx 255.255.255.248
!
interface GigabitEthernet0/1
description Link to Data Network
nameif data
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
description Link to Accounts VLAN
nameif Accounts
security-level 90
ip address 192.168.16.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif VOICE
security-level 2
ip address 192.168.14.1 255.255.255.0
!
interface GigabitEthernet0/4
nameif switchmanagement
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/5
no nameif
security-level 1
no ip address
!
interface GigabitEthernet0/5.11
vlan 11
nameif guestwireless
security-level 1
ip address 192.168.11.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network DATA_OBJ
subnet 192.168.2.0 255.255.255.0
object network VOICE_OBJ
subnet 192.168.14.0 255.255.255.0
object network ACCOUNTS_OBJ
subnet 192.168.16.0 255.255.255.0
object network GUEST_OBJ
subnet 192.168.11.0 255.255.255.0
object network PPTP_SERVER
host 192.168.2.234
object service TCP_PPTP
service tcp destination eq pptp
object network HOST_PPTP_TCP
host 192.168.2.234
object service GRE_PPTP
service gre
object network HOST_PPTP_GRE
host 192.168.2.234
object network ESAT_Host
host 192.168.2.145
object service ESAT_TCP1
service tcp destination range 2221 2225
object service ESAT_TCP2
service tcp destination eq 2846
object service ESAT_UDP1
service udp destination range netbios-ns 139
object service ESAT_TCP3
service tcp destination eq 445
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.16.0_24
subnet 192.168.16.0 255.255.255.0
object network NETWORK_OBJ_192.168.20.0_23
subnet 192.168.20.0 255.255.254.0
object network Video-Conferencing
host 192.168.2.147
object service http
service tcp source eq www destination eq www
object network DEV_SERV
host 192.168.2.32
object-group service PPTP_PROTS
service-object tcp destination eq pptp
service-object gre
object-group service ESAT_TCP tcp
port-object range 2221 2225
port-object eq 2846
port-object eq 445
object-group service ESAT_UDP udp
port-object range netbios-ns 139
object-group service Video_Conf_Group
service-object object Video
service-object object Video_Conf_1
service-object object Video_Conf_2
service-object object Video_Extra
service-object tcp destination eq h323
service-object tcp destination eq https
object-group network azure-networks
network-object 192.168.20.0 255.255.255.0
network-object 192.168.21.0 255.255.255.0
object-group network onprem-networks
network-object 192.168.16.0 255.255.255.0
object-group network DEV-SERV
network-object host 192.168.2.32
access-list OUTSIDE_IN extended permit object http any object DEV_SERV
access-list OUTSIDE_IN extended permit object-group PPTP_PROTS any object PPTP_SERVER
access-list OUTSIDE_IN extended permit tcp any object ESAT_Host object-group ESAT_TCP
access-list OUTSIDE_IN extended permit udp any object ESAT_Host object-group ESAT_UDP
access-list OUTSIDE_IN remark Inbound Video Conferencing
access-list OUTSIDE_IN extended permit object-group Video_Conf_Group host xx.xx.xxx.xx object Video-Conferencing
access-list outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 192.168.40.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu data 1500
mtu Accounts 1500
mtu VOICE 1500
mtu switchmanagement 1500
mtu guestwireless 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (data,outside) source static ESAT_Host interface service ESAT_TCP1 ESAT_TCP1
nat (data,outside) source static ESAT_Host interface service ESAT_TCP2 ESAT_TCP2
nat (data,outside) source static ESAT_Host interface service ESAT_TCP3 ESAT_TCP3
nat (data,outside) source static ESAT_Host interface service ESAT_UDP1 ESAT_UDP1
nat (outside,data) source static any any destination static interface Video-Conferencing service Video-TCP Video-TCP
nat (Accounts,outside) source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_172.27.16.0_20 NETWORK_OBJ_172.27.16.0_20 no-proxy-arp route-lookup
nat (outside,data) source static any any destination static interface Video-Conferencing service Video_Conf_1 Video_Conf_1
nat (outside,data) source static any any destination static interface Video-Conferencing service Video_Conf_2 Video_Conf_2
!
object network DATA_OBJ
nat (data,outside) dynamic interface
object network VOICE_OBJ
nat (VOICE,outside) dynamic interface
object network GUEST_OBJ
nat (guestwireless,outside) dynamic interface
object network DEV_SERV
nat (data,outside) static xx.xx.xxx.xx service tcp www www
!
nat (Accounts,outside) after-auto source static NETWORK_OBJ_192.168.16.0_24 NETWORK_OBJ_192.168.16.0_24 destination static NETWORK_OBJ_192.168.40.0_24 NETWORK_OBJ_192.168.40.0_24 no-proxy-arp
nat (Accounts,outside) after-auto source static NETWORK_OBJ_192.168.16.0_24 interface no-proxy-arp
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 data
http 2.221.5.51 255.255.255.255 outside
http 213.249.189.232 255.255.255.248 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1350
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal SHA1
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set ikev2 ipsec-proposal SHA1 DES 3DES AES AES192 AES256
crypto map outside_map0 1 match address outside_cryptomap_1
crypto map outside_map0 1 set peer xxx.xxx.xxx.xx
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 match address outside_cryptomap_2
crypto map outside_map0 2 set peer 138.91.41.237
crypto map outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=Rhead-Firewall.null,O=Rhead Group,C=UK
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=Rhead-Firewall
crl configure
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.248 outside
ssh xxx.xxx.xxx.xxx 255.255.255.0 data
ssh timeout 60
ssh version 2
console timeout 0
management-access data
dhcpd dns 194.72.6.57 194.73.82.242
dhcpd lease 43200
!
dhcpd address 192.168.2.50-192.168.2.254 data
dhcpd ping_timeout 1000 interface data
dhcpd option 3 ip 192.168.2.1 interface data
dhcpd enable data
!
dhcpd address 192.168.16.100-192.168.16.120 Accounts
dhcpd dns 192.168.16.11 interface Accounts
dhcpd option 3 ip 192.168.16.1 interface Accounts
dhcpd enable Accounts
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
webvpn
enable outside
group-policy GroupPolicy_xxx.xxx.128.78 internal
group-policy GroupPolicy_xxx.xxx.128.78 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_xxx.xx.41.237 internal
group-policy GroupPolicy_xxx.xx.41.237 attributes
vpn-tunnel-protocol ikev1
username admin password 2AUxfp8R5OBMFa5Y encrypted
username cisco password t6qc0eqEa2iqtcfC encrypted
tunnel-group xxx.xxx.xxx.78 type ipsec-l2l
tunnel-group xxx.xxx.xxx.78 general-attributes
default-group-policy GroupPolicy_xxxx.xxx.xxx.78
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 138.91.41.237 type ipsec-l2l
tunnel-group 138.91.41.237 general-attributes
default-group-policy GroupPolicy_138.91.41.237
tunnel-group 138.91.41.237 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Rhead_Group type remote-access
!
class-map inspection_d
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:9cb5eac49e7de6564e1f6712d13d66e6
: end
