ASA5510: Changed destination object but traffic just will not go through

michellecoombs1
Level 1

Hello

I have a fully functioning ASA5510. One of the things that goes through it is OWA; presently it is routed to a particular address. I have just built a new Exchange server and I want to get OWA working. I created a new destination object, making sure that all the major details were the same as the original object, just changing the IP address only. I also did the same for the NAT. I have also done the same with the two smarthost rules.

 

Now when I apply the new config, OWA and external mail is affected.  I can access OWA internally, and all I change is literally the destination point.

 

I have sat and gone through, line by line, the working and the non-working config.

 

Any ideas?


Walter Astori
Level 1

Can you show me the config of your ASA5510?

Sorry for the delay Walter, which config would you like, the working or the non-working?

 

I can put the working one on, and change the font for the only different parts, which are in the rules area.

Yes, put the working one on, and change the font for the only different parts.

Thanks Walter, below then is the working config.  I have removed some information from it and put the whole section of the rules that were changed in red.

 

: Saved

:

ASA Version 8.4(3)

!

hostname TAAS-FW-HH-01

domain-name domain.local

enable password N5MzNpZasdasdadadM.GwZSfSB encrypted

passwd 2KFQnbNIdasdasdadaI.2KYOU encrypted

names

!

interface Ethernet0/0

 nameif WAN-HH-0

 security-level 0

 ip address x.x.x.243 255.255.255.240

!

interface Ethernet0/1

 nameif WAN-HH-1

 security-level 0

 pppoe client vpdn group PPPoE-GROUP

 ip address pppoe

!

interface Ethernet0/2

 nameif DMZ-HH

 security-level 50

 ip address 10.0.1.1 255.255.255.0

!

interface Ethernet0/3

 nameif LAN-HH

 security-level 100

 ip address 10.1.0.1 255.255.255.0

!

interface Management0/0

 nameif management

 security-level 100

 ip address 10.1.1.1 255.255.255.0

 management-only

!

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup WAN-HH-0

dns domain-lookup WAN-HH-1

dns domain-lookup DMZ-HH

dns domain-lookup LAN-HH

dns domain-lookup management

dns server-group DefaultDNS

 name-server 10.1.0.41

 domain-name domain.local

object network EXT-IP-HH4-244

 host x.x.x..244

 description EXT-IP-HH4-244 FOR NAT

object network RTR-HH

 host x.x.x..241

 description RTR-HH

object network EXT-IP-HH2-242

 host x.x.x..242

 description EXT-IP-HH2-242 FOR EXCHANGE SBS

object network WNAASBS

 host 10.1.0.30

 description WNAASBS

object network LAN-FUNDRAISING

 subnet 10.3.0.0 255.255.255.0

 description LAN-FUNDRAISING

object network LAN-HH

 subnet 10.1.0.0 255.255.255.0

 description LAN-HH

object network EXT-IP-RET

 host 80.229.161.185

 description EXT-IP-RET

object network LAN-RET

 subnet 10.2.0.0 255.255.255.0

 description LAN-RET

object network EXT-IP-COV1-130

 host 213.120.84.130

 description EXT-IP-COV1-130

object network LAN-COV

 subnet 10.4.0.0 255.255.255.0

 description LAN-COV

object network EXT-IP-DLR

 host 81.130.196.105

 description EXT-IP-DLR

object network LAN-DLR

 subnet 10.5.0.0 255.255.255.0

 description LAN-DLR

object network EXT-IP-HH5-245

 host x.x.x..245

 description EXT-IP-HH5-245 FOR FS

object network TAAS-FSP-HH-01

 host 10.0.1.10

 description TAAS-FSP-HH-01

object network EXT-IP-HH6-246

 host x.x.x..246

 description EXT-IP-HH6-246 FOR SSLVPN

object network EXT-IP-HH3-243

 host x.x.x..243

 description EXP-IP-HH3-243

object network LAN-LON

 subnet 10.6.0.0 255.255.255.0

 description LAN-LON

object network Supplier2-1-66.197.193.197

 host 66.197.193.197

 description Supplier2-1-66.197.193.197

object network Supplier2-2-92.48.99.0-mask-255.255.255.192

 subnet 92.48.99.0 255.255.255.192

 description Supplier2-2-92.48.99.0-mask-255.255.255.192

object network Supplier2-3-195.72.35.96-mask-255.255.255.240

 subnet 195.72.35.96 255.255.255.240

 description Supplier2-3-195.72.35.96-mask-255.255.255.240

object network Supplier2-4-95.154.198.192

 subnet 95.154.198.192 255.255.255.192

 description Supplier2-4-95.154.198.192

object network EXT-IP-HH14-254

 host x.x.x..254

 description EXT-IP-HH14-254

object network PANASONIC-PBX-IP

 host 10.1.0.80

 description PANASONIC-PBX-IP

object network SUPPLIER1-FIXED-IP

 host 81.137.210.17

 description SUPPLIER1-FIXED-IP

object network TAAS-DC-HH-01

 host 10.1.0.16

 description TAAS-DC-HH-01

object network TAAS-EX-HH-01

 host 10.1.0.20

 description TAAS-EX-HH-01

object network TAAS-FP-HH-01A

 host 10.1.0.18

 description TAAS-FP-HH-01A

object network Supplier3

 subnet 10.0.0.0 255.255.0.0

 description Supplier3

object network Supplier3IP

 host 87.84.167.147

 description Supplier3IP

object network LAN-RITM

 subnet 10.71.139.0 255.255.255.0

 description Translated LAN address for Supplier3

object network Supplier2_New1

 subnet 5.172.153.128 255.255.255.128

 description New Supplier2 5.172.153.128

object network Supplier2_New2

 host 5.172.153.233

 description Supplier2_New2   5.172.153.233

object network Supplier2_New3

 range 5.172.153.150 5.172.153.160

 description Supplier2_New3   5.172.153.150-160

object network Supplier2_New5

 range 5.172.153.230 5.172.153.235

 description Supplier2_New5  5.172.153.230-235

object network LAN-LF

 subnet 10.177.163.0 255.255.255.0

object network TAAS-SP-APP-01

 host 10.1.0.45

 description Sharepoint

object network SSL-VPN

 host 10.1.0.7

object network NETWORK_OBJ_10.1.0.192_26

 subnet 10.1.0.192 255.255.255.192

object network LF

 host 92.234.12.53

object service http

 service tcp source eq www destination eq www

 description http

object network 10.1.0.45

 host 10.1.0.45

object network TAAS-EX-HH

 host 10.1.0.31

 description TAAS-EX-HH

object network 187.72.55.177

 host 187.72.55.177

object network 92.51.156.106

 host 92.51.156.106

object-group protocol DM_INLINE_PROTOCOL_1

 protocol-object ip

 protocol-object icmp

object-group network DM_INLINE_NETWORK_2

 network-object 10.0.1.0 255.255.255.0

 network-object object LAN-HH

object-group network Supplier2-SMTP

 description Supplier2-SMTP

 network-object object Supplier2-1-66.197.193.197

 network-object object Supplier2-2-92.48.99.0-mask-255.255.255.192

 network-object object Supplier2-3-195.72.35.96-mask-255.255.255.240

 network-object object Supplier2-4-95.154.198.192

object-group service PANASONIC-PBX tcp-udp

 description PANASONIC-PBX

 port-object eq 35300

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group service DM_INLINE_SERVICE_1

 service-object tcp-udp destination eq domain

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object udp destination eq ntp

object-group network New_Supplier2_SMTP

 description New Supplier2 Group

 network-object object Supplier2_New1

 network-object object Supplier2_New2

 network-object object Supplier2_New3

 network-object object Supplier2_New5

 network-object object LF

object-group service DM_INLINE_TCP_1 tcp

 port-object eq www

 port-object eq https

object-group protocol DM_INLINE_PROTOCOL_2

 protocol-object ip

 protocol-object udp

 protocol-object tcp

 group-object TCPUDP

object-group network Malicious_IP_Addresses

 network-object object 187.72.55.177

 network-object object 92.51.156.106

access-list WAN-HH-0_access extended permit tcp any object WNAASBS eq https log debugging
access-list WAN-HH-0_access extended permit object-group TCPUDP object SUPPLIER1-FIXED-IP object PANASONIC-PBX-IP object-group PANASONIC-PBX
access-list WAN-HH-0_access extended permit tcp any object TAAS-FSP-HH-01 eq https
access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object WNAASBS eq smtp log debugging
access-list WAN-HH-0_access extended permit icmp any object-group DM_INLINE_NETWORK_2 echo-reply inactive
access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object WNAASBS eq smtp log debugging
access-list WAN-HH-0_access extended permit tcp any object TAAS-SP-APP-01 object-group DM_INLINE_TCP_1 log
access-list WAN-HH-0_access extended permit tcp any object SSL-VPN eq https
access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object TAAS-EX-HH eq smtp log debugging inactive
access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object TAAS-EX-HH eq smtp inactive
access-list WAN-HH-0_access extended permit tcp any eq https object TAAS-EX-HH eq https log debugging inactive

(The part below is the full section of the above with the new rules. This is the only thing that is different between the two running config files.)

access-list WAN-HH-0_access extended permit tcp any object WNAASBS eq https log debugging inactive
access-list WAN-HH-0_access extended permit object-group TCPUDP object SUPPLIER1-FIXED-IP object PANASONIC-PBX-IP object-group PANASONIC-PBX
access-list WAN-HH-0_access extended permit tcp any object TAAS-FSP-HH-01 eq https
access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object WNAASBS eq smtp log debugging inactive
access-list WAN-HH-0_access extended permit icmp any object-group DM_INLINE_NETWORK_2 echo-reply inactive
access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object WNAASBS eq smtp log debugging inactive
access-list WAN-HH-0_access extended permit tcp any object TAAS-SP-APP-01 object-group DM_INLINE_TCP_1 log
access-list WAN-HH-0_access extended permit tcp any object SSL-VPN eq https
access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object TAAS-EX-HH eq smtp log debugging
access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object TAAS-EX-HH eq smtp
access-list WAN-HH-0_access extended permit tcp any object TAAS-EX-HH eq https log debugging

 

access-list WAN-HH-0_cryptomap extended permit ip object LAN-HH object LAN-RET

access-list WAN-HH-0_cryptomap_2 extended permit ip object LAN-HH object LAN-COV

access-list WAN-HH-0_cryptomap_3 extended permit ip object LAN-HH object LAN-DLR

access-list DMZ-HH_access_in extended permit tcp object TAAS-FSP-HH-01 object TAAS-FP-HH-01A eq https

access-list DMZ-HH_access_in extended permit object-group DM_INLINE_SERVICE_1 object TAAS-FSP-HH-01 any

access-list DMZ-HH_access_in extended deny object-group DM_INLINE_PROTOCOL_1 any any inactive

access-list WAN-HH-0_cryptomap_5 extended permit ip object LAN-HH object LAN-RET

access-list WAN-HH-1_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log

pager lines 24

logging enable

logging asdm informational

mtu WAN-HH-0 1500

mtu WAN-HH-1 1500

mtu DMZ-HH 1500

mtu LAN-HH 1500

mtu management 1500

ip local pool VPNAddresses 10.1.0.200-10.1.0.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-FUNDRAISING LAN-FUNDRAISING no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-RET LAN-RET no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-COV LAN-COV no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-DLR LAN-DLR no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LON LAN-LON no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-RITM destination static Supplier3 Supplier3
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LF LAN-LF
nat (LAN-HH,WAN-HH-0) source static any any destination static NETWORK_OBJ_10.1.0.192_26 NETWORK_OBJ_10.1.0.192_26 no-proxy-arp route-lookup
!
object network WNAASBS
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
object network TAAS-FSP-HH-01
 nat (DMZ-HH,WAN-HH-0) static EXT-IP-HH5-245
object network PANASONIC-PBX-IP
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH14-254
object network SSL-VPN
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH6-246
object network 10.1.0.45
 nat (LAN-HH,WAN-HH-0) static interface service tcp www www
object network TAAS-EX-HH
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
!
nat (DMZ-HH,WAN-HH-0) after-auto source dynamic any EXT-IP-HH5-245 dns
nat (LAN-HH,WAN-HH-0) after-auto source dynamic any interface

access-group WAN-HH-0_access in interface WAN-HH-0

access-group WAN-HH-1_access_in in interface WAN-HH-1

access-group DMZ-HH_access_in in interface DMZ-HH

route WAN-HH-0 0.0.0.0 0.0.0.0 x.x.x..241 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.1.1.0 255.255.255.0 management

http 10.1.0.0 255.255.255.0 LAN-HH

http 195.171.184.58 255.255.255.255 WAN-HH-0

http 10.177.163.0 255.255.255.0 LAN-HH

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption 3des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 1 match address WAN-HH-0_cryptomap

crypto map WAN-HH-0_map 1 set peer.110

crypto map WAN-HH-0_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map WAN-HH-0_map 2 match address WAN-HH-0_cryptomap_2

crypto map WAN-HH-0_map 2 set pfs

crypto map WAN-HH-0_map 2 set peer.130

crypto map WAN-HH-0_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map WAN-HH-0_map 2 set nat-t-disable

crypto map WAN-HH-0_map 4 match address WAN-HH-0_cryptomap_3

crypto map WAN-HH-0_map 4 set peer 105

crypto map WAN-HH-0_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map WAN-HH-0_map 6 match address WAN-HH-0_cryptomap_5

crypto map WAN-HH-0_map 6 set peer 78.154.108.110

crypto map WAN-HH-0_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 6 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map WAN-HH-0_map 6 set ikev2 pre-shared-key xxxxxxx

crypto map WAN-HH-0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map WAN-HH-0_map interface WAN-HH-0

crypto ca trustpoint _SmartCallHome_ServerCA

 crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

 certificate TOOK THIS OUT AS WAY TOO MUCH TEXT

  quit

crypto ikev2 policy 1

 encryption aes-256

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 10

 encryption aes-192

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 30

 encryption 3des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 enable WAN-HH-0

crypto ikev2 enable WAN-HH-1

crypto ikev1 enable WAN-HH-0

crypto ikev1 enable WAN-HH-1

crypto ikev1 policy 10

 authentication crack

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 20

 authentication rsa-sig

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 30

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 40

 authentication crack

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 50

 authentication rsa-sig

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 60

 authentication pre-share

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 70

 authentication crack

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 80

 authentication rsa-sig

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 90

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 100

 authentication crack

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 110

 authentication rsa-sig

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 120

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 130

 authentication crack

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 140

 authentication rsa-sig

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 150

 authentication pre-share

 encryption des

 hash sha

 group 2

 lifetime 86400

telnet timeout 5

ssh x.x.x.58 x.255.255.255 WAN-HH-0

ssh x.x.x.x 255.255.255.255 WAN-HH-0

ssh x.x.0.0 255.255.255.0 LAN-HH

ssh timeout 5

console timeout 0

management-access LAN-HH

vpdn group PPPoE_GROUP request dialout pppoe

vpdn group PPPoE_GROUP localname login

vpdn group PPPoE_GROUP ppp authentication chap

vpdn group PPPoE-GROUP request dialout pppoe

vpdn group PPPoE-GROUP localname login

vpdn group PPPoE-GROUP ppp authentication chap

vpdn username login password password

dhcpd address xx.x.x.-x.x.x.x. management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port number-of-rate 3

threat-detection statistics protocol number-of-rate 3

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server x.x.x.x source LAN-HH prefer

ntp server 80.87.128.243 source WAN-HH-0

webvpn

 enable WAN-HH-1

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

 dns-server value 1x.x.x.x

 vpn-tunnel-protocol l2tp-ipsec

 default-domain value domain.local

group-policy TestIPSECTunnel internal

group-policy TestIPSECTunnel attributes

 dns-server value x.x.x.x

 vpn-tunnel-protocol ikev1

 default-domain value x.x.uk

group-policy DfltGrpPolicy attributes

 dns-server value x.x.x.x

 webvpn

  url-list value Links

group-policy GroupPolicy_147 internal

group-policy GroupPolicy_.147 attributes

 vpn-tunnel-protocol ikev1

group-policy GroupPolicy_105 internal

group-policy GroupPolicy_105 attributes

 vpn-tunnel-protocol ikev1 ikev2

group-policy GroupPolicy_130 internal

group-policy GroupPolicy_130 attributes

 vpn-tunnel-protocol ikev1 ikev2

username user password password privilege 0

username user attributes

 vpn-group-policy DfltGrpPolicy

username user2 password passwordy encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

 address-pool VPNAddresses

 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

 ikev1 pre-shared-key xxxxxxxx

tunnel-group DefaultRAGroup ppp-attributes

 authentication pap

 no authentication ms-chap-v1

 authentication ms-chap-v2

tunnel-group 10 type ipsec-l2l

tunnel-group110 ipsec-attributes

 ikev1 pre-shared-key

 ikev2 remote-authentication pre-shared-key

 ikev2 local-authentication pre-shared-key

tunnel-group 147 type ipsec-l2l

tunnel-group 147 general-attributes

 default-group-policy GroupPolicy_87.84.164.147

tunnel-group 147 ipsec-attributes

 ikev1 pre-shared-key

 ikev2 remote-authentication pre-shared-key

 ikev2 local-authentication pre-shared-key

tunnel-group.130 type ipsec-l2l

tunnel-group.130 general-attributes

 default-group-policy GroupPolicy_213.120.84.130

tunnel-group 130 ipsec-attributes

 ikev1 pre-shared-key

 ikev2 remote-authentication pre-shared-key

 ikev2 local-authentication pre-shared-key

tunnel-group 105 type ipsec-l2l

tunnel-group 105 general-attributes

 default-group-policy GroupPolicy_81.130.196.105

tunnel-group.105 ipsec-attributes

 ikev1 pre-shared-key xxxxxxx

 ikev2 remote-authentication pre-shared-key xxxxxxx

 ikev2 local-authentication pre-shared-key xxxxxxx

tunnel-group TestIPSECTunnel type remote-access

tunnel-group TestIPSECTunnel general-attributes

 address-pool VPNAddresses

 default-group-policy TestIPSECTunnel

tunnel-group TestIPSECTunnel ipsec-attributes

 ikev1 pre-shared-key xxxxxxx

tunnel-group SSLVPN type remote-access

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

 class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

hpm topN enable

Cryptochecksum:994038sdgfaefg cesrtsegse55fd0239

: end

no asdm history enable

 

What does "debugging inactive" mean in the access-list command?

I turned up the logging to debugging, and inactive is where I have disabled the rule, as that was pointing to the old address.

Tagir Temirgaliyev
Spotlight

You need to do

clear xlate

clear conn

after changing config

and don't forget to rate posts

Thanks Tagir, before I run these commands, can you just tell me what they do??  

Hi Tagir

 

I had a chance to do this over the weekend and it still would not redirect it.

 

Any more ideas?

michellecoombs1
Level 1

So I did a show run nat today and I got the below, what I do notice is that the new rule is WAN/LAN as opposed to the old rule being LAN/WAN.  Will this make a difference as it should be bi-directional?

 

Result of the command: "show run nat"

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-FUNDRAISING LAN-FUNDRAISING no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-RET LAN-RET no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-COV LAN-COV no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-DLR LAN-DLR no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LON LAN-LON no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-RITM destination static Equanet Equanet
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LF LAN-LF
nat (LAN-HH,WAN-HH-0) source static any any destination static NETWORK_OBJ_10.1.0.192_26 NETWORK_OBJ_10.1.0.192_26 no-proxy-arp route-lookup
!
object network EXT-IP-HH2-242
 nat (WAN-HH-0,LAN-HH) static TAAS-EX-HH
object network WNAASBS
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
object network TAAS-FSP-HH-01
 nat (DMZ-HH,WAN-HH-0) static EXT-IP-HH5-245
object network PANASONIC-PBX-IP
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH14-254
object network SSL-VPN
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH6-246
object network 10.1.0.45
 nat (LAN-HH,WAN-HH-0) static interface service tcp www www 
object network TAAS-EX-HH
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
!
nat (DMZ-HH,WAN-HH-0) after-auto source dynamic any EXT-IP-HH5-245 dns
nat (LAN-HH,WAN-HH-0) after-auto source dynamic any interface

Do I need to think about clear ip nat translation
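
An added example, not part of the thread and not Cisco tooling: a Python check over the object-NAT lines of the "show run nat" output posted above. It flags a mapped address claimed by more than one static object-NAT rule, and pairs of rules that mirror each other across reversed interface pairs; the function names are illustrative.

```python
import re

# Object-NAT section copied from the "show run nat" output posted above.
SHOW_RUN_NAT = """\
object network EXT-IP-HH2-242
 nat (WAN-HH-0,LAN-HH) static TAAS-EX-HH
object network WNAASBS
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
object network TAAS-FSP-HH-01
 nat (DMZ-HH,WAN-HH-0) static EXT-IP-HH5-245
object network PANASONIC-PBX-IP
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH14-254
object network SSL-VPN
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH6-246
object network 10.1.0.45
 nat (LAN-HH,WAN-HH-0) static interface service tcp www www
object network TAAS-EX-HH
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
"""

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
NAT_RE = re.compile(r"^\s+nat \((\S+?),(\S+?)\) static (\S+)(.*)$")


def parse_object_nat(text):
    """Return one dict per static object-NAT rule found in `text`."""
    rules, current = [], None
    for line in text.splitlines():
        obj = OBJ_RE.match(line)
        if obj:
            current = obj.group(1)  # object whose real address is translated
            continue
        nat = NAT_RE.match(line)
        if nat and current:
            real_if, mapped_if, mapped, rest = nat.groups()
            rules.append({
                "real": current,
                "real_if": real_if,
                "mapped_if": mapped_if,
                "mapped": mapped,
                # "service ..." makes it a port forward, not a full 1:1 static
                "port_forward": "service" in rest.split(),
            })
    return rules


def shared_mapped(rules):
    """Mapped addresses used by more than one full static rule, keyed by
    (mapped interface, mapped object). Port forwards are skipped because
    they may share an address on different ports."""
    groups = {}
    for r in rules:
        if r["port_forward"]:
            continue
        groups.setdefault((r["mapped_if"], r["mapped"]), []).append(r["real"])
    return {key: reals for key, reals in groups.items() if len(reals) > 1}


def mirrored_pairs(rules):
    """Pairs of rules that translate the same two objects in opposite
    directions with the interface pair reversed."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            same_objects = (a["real"], a["mapped"]) == (b["mapped"], b["real"])
            reversed_ifs = (a["real_if"], a["mapped_if"]) == (b["mapped_if"], b["real_if"])
            if same_objects and reversed_ifs:
                pairs.append((a["real"], b["real"]))
    return pairs


if __name__ == "__main__":
    parsed = parse_object_nat(SHOW_RUN_NAT)
    for (iface, mapped), reals in shared_mapped(parsed).items():
        print(f"{mapped} on {iface} is the mapped address of: {', '.join(reals)}")
    for first, second in mirrored_pairs(parsed):
        print(f"mirrored rules under objects {first} and {second}")
```

On this output it reports EXT-IP-HH2-242 on WAN-HH-0 as the mapped address of both WNAASBS and TAAS-EX-HH, plus the mirrored rule under object EXT-IP-HH2-242. A single public address cannot be un-translated to two inside hosts for the same inbound connection, so both findings are worth resolving before re-testing.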

 

 
