05-25-2010 01:35 PM - edited 03-04-2019 08:35 AM
I'm running into a problem configuring port address translation / forwarding from outside into the internal network. What I have is an ASA 5510 running on static address xx.xx.xx.38, and everything is working perfectly OK from inside to outside. I also have a few VPN connections spun off of it to remote offices. What I'm trying to do now is to direct smtp and 5900 for VNC into the internal network on spare public IP addresses that I have.
Following are the commands I have added to the config, which in theory should work, but I'm getting policy denied when I do a packet trace:
access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq smtp
access-list Outside-in extended permit tcp any host xx.xx.xx.36 eq 5900
static (inside,outside) xx.xx.xx.37 192.168.2.12 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.36 192.168.2.13 netmask 255.255.255.255
access-group Outside-in in interface outside
Looking for any help.
05-26-2010 03:00 AM
The configuration should work.
1) Did you "clear xlate" after the configuration change?
2) Also double check if proxy arp is enabled on the ASA outside interface. Just configure "no sysopt noproxyarp outside".
3) Either reload the next hop router, or if you have access, "clear arp", and just make sure that the next hop router has the 2 public ip addresses with the ASA outside interface mac address in the ARP entry.
Hope that helps.
05-26-2010 11:47 AM
Thank you for your answer, however this does not work for me. I had some issues in the past where I had to restart the ASA, which I have done, and I have also done a reload on it and cleared the xlate table.
To add, the ASA is internet facing, so there should be no issue with routing/getting those IPs to the ASA.
Why is it that theory does not apply to practice?
05-27-2010 04:34 AM
Seems like you have reloaded the ASA. Have you reloaded or cleared the arp table on the next hop router?
Most times, it's the arp entry on the router which is missing for those new ip addresses that you have added to the ASA static translation. Or some other device might proxy arp those ip addresses. Best thing is to check the next hop router if you have access. I am assuming that the 2 new ip addresses that you have created on the ASA, the ASA outside interface and the next hop router are in the same subnet. What subnet and mask are they?
05-28-2010 01:06 AM
The ASA is Internet facing on the public interface, with a router/modem between us and the ISP.
Following is the current config running on the ASA; there is some junk in it that I need to clean up, and which is most likely the cause of my problem.
: Saved
:
ASA Version 8.0(2)
!
hostname portal
domain-name company.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 206.47.255.38 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.10.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10
management-only
!
passwd NuLKvvWGg.x9HEKO encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.11
domain-name company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Finch
network-object 192.168.1.0 255.255.255.0
object-group network Midland
network-object 192.168.2.0 255.255.255.0
object-group network Sheppard
network-object 192.168.0.0 255.255.255.0
object-group network Downtown
network-object 192.168.3.0 255.255.255.0
object-group network ISAPYork
network-object 192.168.7.0 255.255.255.0
object-group network Markham
network-object 192.168.5.0 255.255.255.0
object-group network Woodside
network-object 192.168.6.0 255.255.255.0
object-group network York_region
network-object 192.168.4.0 255.255.255.0
object-group service Exchange tcp
description 5900
port-object range 3389 3389
port-object range https https
port-object range 5900 5900
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network CICS-network
network-object 192.168.2.0 255.255.255.0
group-object Downtown
group-object Finch
group-object ISAPYork
group-object Markham
group-object Midland
group-object Sheppard
group-object Woodside
group-object York_region
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit tcp host 192.168.2.12 eq smtp any eq smtp inactive
access-list inside_access_out extended deny tcp object-group CICS-network eq smtp any eq smtp inactive
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 192.168.2.0 255.255.255.0 object-group Sheppard
access-list outside_100_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group York_region
access-list outside_cryptomap_160 extended permit ip 192.168.2.0 255.255.255.0 object-group Finch
access-list outside_cryptomap_140 extended permit ip 192.168.2.0 255.255.255.0 object-group Woodside
access-list outside_180_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list outside_200_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Markham
access-list outside_220_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Downtown
access-list Outside-in extended permit tcp any host 206.47.255.36 eq smtp
access-list Outside-in extended permit tcp any host 206.47.255.37 eq https
access-list Outside-in extended permit tcp any host 206.47.255.37 eq 3389
access-list Outside-in extended permit tcp any host 206.47.255.37 eq 5900
access-list Mail_in extended permit tcp any host 206.47.255.36 eq smtp
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any host 192.168.2.12 object-group Exchange
pager lines 24
logging enable
logging list VPNnotification level emergencies class vpn
logging asdm informational
logging mail VPNnotification
logging from-address asa@company.com
logging rate-limit unlimited level 1
logging rate-limit 1 3600 level 4
logging rate-limit 1 3600 level 5
logging rate-limit 1 3600 level 6
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) 206.47.255.37 192.168.2.12 netmask 255.255.255.255
static (inside,outside) 206.47.255.36 192.168.2.13 netmask 255.255.255.255
access-group Outside-in in interface outside
access-group Inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server location 123 abc.blvd
snmp-server contact user 1
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer xx.xx.xx.xx
crypto map outside_map 60 set transform-set ESP-DES-SHA
crypto map outside_map 80 match address outside_220_cryptomap
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer xx.xx.xx.xx
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set pfs
crypto map outside_map 100 set peer xx.xx.xx.xx
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 120 match address outside_200_cryptomap
crypto map outside_map 120 set pfs
crypto map outside_map 120 set peer xx.xx.xx.xx
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer xx.xx.xx.xx
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set pfs
crypto map outside_map 160 set peer xx.xx.xx.xx
crypto map outside_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 180 match address outside_180_cryptomap
crypto map outside_map 180 set pfs
crypto map outside_map 180 set peer xx.xx.xx.xx
crypto map outside_map 180 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access inside
vpdn username user@bellnet.ca password ********* store-local
dhcpd dns 192.168.2.11
dhcpd domain company.com
!
dhcpd dns 192.168.2.11 interface inside
dhcpd domain cicscanada.com interface inside
!
dhcpd address 192.168.100.10-192.168.100.254 management
dhcpd dns 192.168.2.11 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
!
webvpn
csd image disk0:/securedesktop_asa_3_2_0_123.pkg.zip
csd enable
svc enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
nem enable
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc dpd-interval client none
svc dpd-interval gateway none
username admin password fAWUsRGXQYXX5p7B encrypted privilege 15
username root password RZOKkycYJJ6gKIFQ encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 70.55.231.5 type ipsec-l2l
tunnel-group 70.55.231.5 ipsec-attributes
pre-shared-key *
tunnel-group York_region type ipsec-l2l
tunnel-group York_region ipsec-attributes
pre-shared-key *
tunnel-group 174.88.240.25 type ipsec-l2l
tunnel-group 174.88.240.25 ipsec-attributes
pre-shared-key *
tunnel-group Woodside type ipsec-l2l
tunnel-group Woodside ipsec-attributes
pre-shared-key *
tunnel-group ISAP_York type ipsec-l2l
tunnel-group ISAP_York ipsec-attributes
pre-shared-key *
tunnel-group Markham type ipsec-l2l
tunnel-group Markham ipsec-attributes
pre-shared-key *
tunnel-group Downtown type ipsec-l2l
tunnel-group Downtown ipsec-attributes
pre-shared-key *
smtp-server 192.168.2.12
prompt hostname context state
Cryptochecksum:8485da6859c007e127209c4232785189
: end
05-28-2010 02:35 AM
Pls remove this line: access-group inside_access_out out interface inside
Test the connection again, and if it still doesn't work, please share the output of the following:
show access-list Outside-in
prior to the connection test, and test a few connections and grab the output again. Thx.
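Why removing that one line helps, as an added check that is not from the thread: in this pre-8.3 syntax an ACL applied "out" on inside filters traffic leaving the ASA toward inside hosts, and every active inside_access_out rule is sourced from 192.168.2.0/24, so an inbound SMTP connection translated to 192.168.2.12 (source: the Internet client) matches nothing and is dropped. The script below, added here and not part of the posts, parses the static, access-list and access-group lines of this config and flags that trap, any static whose mapped address has no inbound permit, and any active "permit ip any any"; its sample config is constructed from the thread's lines plus one made-up static, xx.xx.xx.35 to 192.168.2.14.

```python
"""Audit static NAT vs. access-list coverage in a pre-8.3 Cisco ASA config.
Added example for this thread, not code from the posts or from Cisco. Pre-8.3
rules: an ACL applied 'in' on the mapped interface must permit the MAPPED
(public) address; an ACL applied 'out' on the real interface filters traffic
leaving the ASA toward inside hosts, translated inbound flows included.
Assumption: object-groups and subnet masks are not expanded; only 'any' and
'host <ip>' endpoints are matched against a static's addresses.
"""
import re

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
PORT_RE = re.compile(r" (?:eq|gt|lt|neq) \S+| range \S+ \S+")  # port qualifiers


def parse_acl(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [port] DST [port] [inactive]'."""
    t = PORT_RE.sub("", line).split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None
    ends, i = [], 5
    while len(ends) < 2:  # each endpoint is 'any' or a two-token form
        ends.append("any" if t[i] == "any" else f"{t[i]} {t[i + 1]}")
        i += 1 if t[i] == "any" else 2
    return {"acl": t[1], "action": t[3], "proto": t[4], "src": ends[0], "dst": ends[1],
            "inactive": "inactive" in t[i:]}


def parse_config(text):
    """Collect ACL rules (by name), static translations and access-group bindings."""
    acls, statics, groups = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            rule = parse_acl(line)
            if rule:
                acls.setdefault(rule["acl"], []).append(rule)
        elif m := STATIC_RE.match(line):  # static (real_ifc,mapped_ifc) MAPPED REAL
            statics.append({"real_if": m[1], "mapped_if": m[2], "mapped": m[3], "real": m[4]})
        elif m := GROUP_RE.match(line):
            groups.append({"acl": m[1], "dir": m[2], "iface": m[3]})
    return acls, statics, groups


def _hits(endpoint, ip):
    return endpoint == "any" or endpoint == f"host {ip}"


def _active(acls, name):
    return [r for r in acls.get(name, []) if not r["inactive"]]


def audit(text):
    """Return findings as tuples: (kind, details...)."""
    acls, statics, groups = parse_config(text)
    findings = []
    for g in groups:
        # A live catch-all permit makes every more specific line in the ACL cosmetic.
        if any(r["action"] == "permit" and r["proto"] == "ip" and r["src"] == "any"
               and r["dst"] == "any" for r in _active(acls, g["acl"])):
            findings.append(("broad-permit", g["acl"], g["dir"], g["iface"]))
    for s in statics:
        inbound = [g for g in groups if g["dir"] == "in" and g["iface"] == s["mapped_if"]]
        if not any(r["action"] == "permit" and _hits(r["dst"], s["mapped"])
                   for g in inbound for r in _active(acls, g["acl"])):
            findings.append(("no-inbound-permit", s["mapped"], s["real"]))
    for g in groups:
        if g["dir"] != "out":
            continue
        # Translated inbound flows leave this interface with the Internet client as source.
        blocked = tuple(s["real"] for s in statics if s["real_if"] == g["iface"] and not any(
            r["action"] == "permit" and r["src"] == "any" and _hits(r["dst"], s["real"])
            for r in _active(acls, g["acl"])))
        if blocked:
            findings.append(("outbound-acl-blocks", g["acl"], g["iface"], blocked))
    return findings


# Constructed sample: the thread's statics, Outside-in and inside_access_out lines
# (catch-all inactive, as in the second posted config) plus one made-up static
# (xx.xx.xx.35 -> 192.168.2.14) that has no Outside-in entry at all.
SAMPLE_CONFIG = """\
access-list Outside-in extended permit tcp any host xx.xx.xx.36 eq smtp
access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq 5900
access-list Outside-in extended permit ip any any inactive
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 any
access-list Inside_access_in extended permit ip any any
static (inside,outside) xx.xx.xx.37 192.168.2.12 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.36 192.168.2.13 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.35 192.168.2.14 netmask 255.255.255.255
access-group Outside-in in interface outside
access-group Inside_access_in in interface inside
access-group inside_access_out out interface inside
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Dropping the access-group line for inside_access_out from the sample, as the answer above suggests, removes the outbound-acl-blocks finding while the other two remain.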
05-31-2010 01:27 PM
Thank you very much, that seems to have done the trick.
Now I just need to verify why my SMTP server is not responding, but at least I have an inbound connection.
BTW, following is the response from show access-list Outside-in:
access-list Outside-in; 5 elements
access-list Outside-in line 1 extended permit tcp any host xx.xx.xx.36 eq smtp (hitcnt=10) 0x8eb06c52
access-list Outside-in line 2 extended permit tcp any host xx.xx.xx.37 eq https (hitcnt=4) 0x652492b3
access-list Outside-in line 3 extended permit tcp any host xx.xx.xx.37 eq 3389 (hitcnt=6) 0xdf66183
access-list Outside-in line 4 extended permit tcp any host xx.xx.xx.37 eq 5900 (hitcnt=4) 0x201c689
access-list Outside-in line 5 extended permit ip any any (hitcnt=32315) 0x8b61bb38
05-31-2010 09:29 PM
OK, small problem.
After removing the policy I seem to have lost all of my site-to-site VPN connections. Even though the solution worked for my PAT situation, it does not work for both PAT/NAT and VPN.
Is there a workaround to have both NAT and VPN running?
06-01-2010 01:31 AM
Not too sure what you mean by removing the policy, as we removed the outbound access-list applied to the inside interface, not the NAT/PAT access-list.
Can you please share the latest configuration as well as what exactly was removed?
06-01-2010 07:46 AM
Sorry, my mistake, I meant the access list, not the policy. I'm going back and forth between GUI and CLI, as some things are more logical to 'me' in the GUI and some in the CLI.
Anyway, when I removed the access-list I lost the VPN connection to all of my 7 remote offices. All entries in the CLI are there, however when I look through the GUI there is no trace of any of them. They are not related in any way, at least from what I see, or maybe I do not have enough caffeine.
Following is the current config as of when the access list was removed:
: Saved
:
ASA Version 7.2(2)
!
hostname portal
domain-name company.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xx.xx.xx.38 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.10.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10
management-only
!
passwd NuLKvvWGg.x9HEKO encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.11
domain-name company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Finch
network-object 192.168.1.0 255.255.255.0
object-group network Midland
network-object 192.168.2.0 255.255.255.0
object-group network Sheppard
network-object 192.168.0.0 255.255.255.0
object-group network Downtown
network-object 192.168.3.0 255.255.255.0
object-group network ISAPYork
network-object 192.168.7.0 255.255.255.0
object-group network Markham
network-object 192.168.5.0 255.255.255.0
object-group network Woodside
network-object 192.168.6.0 255.255.255.0
object-group network York_region
network-object 192.168.4.0 255.255.255.0
object-group service Exchange tcp
description 5900
port-object range 3389 3389
port-object range https https
port-object range 5900 5900
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network internal-network
network-object 192.168.2.0 255.255.255.0
group-object Downtown
group-object Finch
group-object ISAPYork
group-object Markham
group-object Midland
group-object Sheppard
group-object Woodside
group-object York_region
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit tcp host 192.168.2.13 eq smtp any eq smtp inactive
access-list inside_access_out extended permit tcp object-group CICS-network eq smtp any eq smtp inactive
access-list inside_access_out extended deny tcp object-group CICS-network eq smtp any eq smtp inactive
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit tcp host 192.168.2.12 eq smtp any eq smtp inactive
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 192.168.2.0 255.255.255.0 object-group Sheppard
access-list outside_100_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group York_region
access-list outside_cryptomap_160 extended permit ip 192.168.2.0 255.255.255.0 object-group Finch
access-list outside_cryptomap_140 extended permit ip 192.168.2.0 255.255.255.0 object-group Woodside
access-list outside_180_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list outside_200_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Markham
access-list outside_220_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Downtown
access-list Outside-in extended permit tcp any host xx.xx.xx.36 eq smtp
access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq https
access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq 3389
access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq 5900
access-list Outside-in extended permit ip any any inactive
access-list DMZ_access_in extended permit ip any any
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any host 192.168.2.12 object-group Exchange
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging list VPNnotification level emergencies class vpn
logging asdm informational
logging mail VPNnotification
logging from-address asa@cicscanada.com
logging rate-limit unlimited level 1
logging rate-limit 1 3600 level 4
logging rate-limit 1 3600 level 5
logging rate-limit 1 3600 level 6
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) xx.xx.xx.37 192.168.2.12 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.36 192.168.2.13 netmask 255.255.255.255
access-group Outside-in in interface outside
access-group Inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username admin password fAWUsRGXQYXX5p7B encrypted privilege 15
username root password RZOKkycYJJ6gKIFQ encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
snmp-server location 2330 Midland Ave
snmp-server contact Ricky
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 70.31.154.92
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer 70.55.231.5
crypto map outside_map 60 set transform-set ESP-DES-SHA
crypto map outside_map 80 match address outside_220_cryptomap
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 76.64.36.231
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set pfs
crypto map outside_map 100 set peer 70.25.52.11
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 120 match address outside_200_cryptomap
crypto map outside_map 120 set pfs
crypto map outside_map 120 set peer 74.15.90.106
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer 74.23.23.22
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set pfs
crypto map outside_map 160 set peer 70.31.154.92
crypto map outside_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 180 match address outside_180_cryptomap
crypto map outside_map 180 set pfs
crypto map outside_map 180 set peer 70.52.239.153
crypto map outside_map 180 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 70.55.231.5 type ipsec-l2l
tunnel-group 70.55.231.5 ipsec-attributes
pre-shared-key *
tunnel-group York_region type ipsec-l2l
tunnel-group York_region ipsec-attributes
pre-shared-key *
tunnel-group 174.88.240.25 type ipsec-l2l
tunnel-group 174.88.240.25 ipsec-attributes
pre-shared-key *
tunnel-group Woodside type ipsec-l2l
tunnel-group Woodside ipsec-attributes
pre-shared-key *
tunnel-group ISAP_York type ipsec-l2l
tunnel-group ISAP_York ipsec-attributes
pre-shared-key *
tunnel-group Markham type ipsec-l2l
tunnel-group Markham ipsec-attributes
pre-shared-key *
tunnel-group Downtown type ipsec-l2l
tunnel-group Downtown ipsec-attributes
pre-shared-key *
tunnel-group Finch type ipsec-l2l
tunnel-group Finch ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access inside
vpdn username centre51@bellnet.ca password ********* store-local
dhcpd dns 192.168.2.11
dhcpd domain company.com
!
dhcpd dns 192.168.2.11 67.69.184.199 interface inside
dhcpd domain cicscanada.com interface inside
!
dhcpd address 192.168.100.10-192.168.100.254 management
dhcpd dns 192.168.2.11 interface management
dhcpd enable management
!
!
!
webvpn
csd image disk0:/securedesktop_asa_3_2_0_123.pkg.zip
csd enable
svc enable
smtp-server 192.168.2.12
prompt hostname context state
Cryptochecksum:ec61d1ccd17e8d38382dffc911746988
: end
06-02-2010 02:18 AM
Hi Jerry,
One thing that I found is somehow you have downgraded the ASA from version 8.0.2 to 7.2.2 as the latest configuration that you posted says it is running version 7.2.2 now. You might want to upgrade it back to 8.0.2 at least.
In regards to the VPN, I don't see any reason why all the 7 sites would not connect as the configuration looks OK.
You might want to add: crypto isakmp nat-traversal 25, in case there is a PAT device between the tunnel endpoints.
I would suggest that you re-upgrade it back to 8.0.2, then check if the VPN tunnels come back up. If not, you might want to get the following:
show crypto isa sa
show crypto ipsec sa
Hope that helps.
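As an added example (not from the thread and not Cisco's code), a small Python audit that reads an ASA config in the format posted above and flags the points a reviewer would raise from it: telnet/ssh/http management permitted from any address on the outside interface, the default SNMP community, single DES in an ISAKMP policy or transform-set, and the absence of the `crypto isakmp nat-traversal` line suggested in the reply. The sample config is constructed to mirror the posted one, not copied from it.

```python
import re
from typing import List

# Constructed sample modelled on the posted ASA config (not the poster's full config).
SAMPLE_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
snmp-server community public
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption des
crypto isakmp policy 30
authentication pre-share
encryption 3des
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Management-plane access permitted from any source address on a named interface.
ANY_SOURCE_MGMT = re.compile(r"^(telnet|ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")

def audit_asa_config(text: str) -> List[str]:
    """Return findings for a running-config in the ASA 7.x/8.x text format."""
    findings: List[str] = []
    isakmp_policy = None  # number of the 'crypto isakmp policy' block being read
    has_nat_traversal = False
    for raw in text.splitlines():
        line = raw.strip()  # posted configs often lose their indentation
        m = ANY_SOURCE_MGMT.match(line)
        if m and m.group(2) == "outside":
            findings.append(f"{m.group(1)} management reachable from any source on outside")
        elif line == "snmp-server community public":
            findings.append("SNMP community string is the default 'public'")
        elif line.startswith("crypto ipsec transform-set") and "esp-des" in line.split():
            findings.append(f"transform-set {line.split()[3]} uses single DES")
        elif line.startswith("crypto isakmp policy "):
            isakmp_policy = line.split()[-1]
        elif line == "encryption des" and isakmp_policy is not None:
            findings.append(f"isakmp policy {isakmp_policy} uses single DES")
        elif line.startswith("crypto isakmp nat-traversal"):
            has_nat_traversal = True
    if not has_nat_traversal:
        findings.append("no 'crypto isakmp nat-traversal' (needed when a PAT device sits in the tunnel path)")
    return findings
```

Run it over `show running-config` output saved to a file; an empty list means none of these specific issues were found, not that the config is clean.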
06-09-2010 11:34 PM
I hate leaving things hanging. Nevertheless, I got the box running. There was a reason for going back to 7.2.2 which at this time I really do not want to say.
Anyway, I originally had it running with 8.0 and after the access-list was removed all the VPN policies had disappeared, and some of the tunnels through the GUI, but the funny part was that through the CLI everything was there, as the OS was skipping some of the config. Once found, I figured I'd try going back to 7.2.2 and see if the VPN would come back (not the reason for going back) and they were still not kicking in.
In the end what I had done was to clean up the config through the CLI for all the VPN config and policies and re-enter them. It's been a week now and everything is still running. I got my 7 tunnels up and running along with my NAT/PAT to internal servers. Though one of the tunnels for some reason keeps on dropping off and coming back online once I try reaching something on the other end, but that's another item to fix.
To end this thread, a big thank you for your help and pointers halijenn.