07-14-2014 09:59 AM - edited 03-04-2019 11:20 PM
Hi,
I have 2 redundant ASA 5510 and 2 ISPs. With the new ISP I can't access the application URL, but I can use VPN to access local servers, ping & SSH.
Below are my configurations.
:
ASA Version 8.0(2)
!
hostname ACTIVE-SITE1
enable password TBdKmmusfDZ7gglC encrypted
names
name 176.9.42.71 nl.2.pool.ntp.org
name 67.18.187.111 nl.0.pool.ntp.org
name 41.204.120.137 nl.mg.pool.ntp.org
name 41.216.193.18 nl.3.africa.pool.ntp.org
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 217.74.232.15 255.255.255.224
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.1
vlan 1
nameif DB
security-level 100
ip address 172.16.151.126 255.255.255.128
!
interface Ethernet0/1.2
vlan 2
nameif APP
security-level 100
ip address 172.16.152.126 255.255.255.128
!
interface Ethernet0/1.3
vlan 3
nameif WEB
security-level 100
ip address 172.16.153.126 255.255.255.128
!
interface Ethernet0/1.4
vlan 4
nameif ILO
security-level 100
ip address 172.16.154.126 255.255.255.128
!
interface Ethernet0/1.5
vlan 5
nameif Ops
security-level 100
ip address 172.16.155.126 255.255.255.128
!
interface Ethernet0/2
description LAN/STATE Failover Interface
!
interface Ethernet0/3
nameif BACKUP
security-level 0
ip address 154.66.244.71 255.255.255.192
!
interface Management0/0
speed 10
duplex half
nameif DMZ
security-level 100
ip address 10.76.172.201 255.0.0.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EAT 3
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Mmoney tcp
port-object eq 8092
port-object eq 8001
object-group service PG tcp
port-object eq 8900
port-object eq 8901
object-group service DM_INLINE_TCP_1 tcp
group-object Mmoney
port-object eq www
port-object eq https
group-object PG
object-group network DM_INLINE_NETWORK_1
network-object 172.16.151.0 255.255.255.128
network-object 172.16.152.0 255.255.255.128
network-object 172.16.153.0 255.255.255.128
network-object 172.16.154.0 255.255.255.128
network-object 172.16.155.0 255.255.255.128
object-group network DM_INLINE_NETWORK_4
network-object 172.16.151.0 255.255.255.128
network-object 172.16.152.0 255.255.255.128
object-group network DM_INLINE_NETWORK_5
network-object 172.16.161.0 255.255.255.128
network-object 172.16.162.0 255.255.255.128
access-list nationlink_splitTunnelAcl standard permit 172.16.162.0 255.255.255.128
access-list nationlink_splitTunnelAcl_1 standard permit 172.16.152.0 255.255.255.128
access-list nationlink_splitTunnelAcl_4 standard permit 172.16.152.0 255.255.255.128
access-list nationlink_splitTunnelAcl_4 standard permit 10.0.0.0 255.0.0.0
access-list APP_nat0_outbound extended permit ip 172.16.152.0 255.255.255.128 10.0.0.0 255.255.255.192
access-list APP_nat0_outbound extended permit ip 172.16.152.0 255.255.255.128 10.76.172.0 255.255.255.0
access-list APP_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_5
access-list APP_nat0_outbound extended permit ip 172.16.152.0 255.255.255.128 40.40.40.0 255.255.255.192
access-list APP_nat0_outbound extended permit ip 172.16.152.0 255.255.255.128 70.70.70.0 255.255.255.128
access-list APP_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 40.40.40.0 255.255.255.192
access-list APP_nat0_outbound extended permit ip 172.16.152.0 255.255.255.128 40.40.40.0 255.255.255.0
access-list APP_nat0_outbound extended permit ip 172.16.152.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list APP_nat0_outbound extended permit ip 172.16.155.0 255.255.255.128 192.168.46.0 255.255.255.0
access-list nationlink_splitTunnelAcl_2 standard permit 172.16.152.0 255.255.255.128
access-list nationlink_splitTunnelAcl_2 standard permit 172.16.151.0 255.255.255.128
access-list nationlink_splitTunnelAcl_2 standard permit 172.16.153.0 255.255.255.128
access-list nationlink_splitTunnelAcl_3 standard permit 172.16.151.0 255.255.255.128
access-list emaal-ilouser_splitTunnelAcl standard permit 172.16.154.0 255.255.255.128
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any eq 6666
access-list outside_access_in extended permit tcp any any eq 7891
access-list outside_access_in extended permit udp any any eq ntp
access-list ILO_nat0_outbound extended permit ip 172.16.154.0 255.255.255.128 10.10.10.0 255.255.255.192
access-list ILO_nat0_outbound extended permit ip 172.16.154.0 255.255.255.128 40.40.40.0 255.255.255.0
access-list ILO_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 40.40.40.0 255.255.255.192
access-list outside_1_cryptomap extended permit ip 172.16.152.0 255.255.255.128 10.76.172.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.152.0 255.255.255.128 172.16.162.0 255.255.255.128
access-list ILOVLAN4_splitTunnelAcl standard permit 172.16.154.0 255.255.255.128
access-list sanovi-site1_splitTunnelAcl standard permit host 172.16.151.4
access-list DB_nat0_outbound extended permit ip host 172.16.151.4 25.25.25.0 255.255.255.224
access-list P2P extended permit ip 172.16.151.0 255.255.255.128 25.25.25.0 255.255.255.224
access-list P2P extended permit ip 172.16.151.0 255.255.255.128 172.16.161.0 255.255.255.128
access-list P2p_access_in extended permit ip any any
access-list nationlink3_splitTunnelAcl standard permit 172.16.154.0 255.255.255.128
access-list nationlink3_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list cisco_splitTunnelAcl standard permit 172.16.152.0 255.255.255.128
access-list cisco_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list test_splitTunnelAcl standard permit 172.16.152.0 255.255.255.128
access-list nonat extended permit ip 10.76.0.0 255.255.0.0 40.40.40.0 255.255.255.0
access-list nonatDMZ extended permit ip 10.0.0.0 255.0.0.0 40.40.40.0 255.255.255.0
access-list cap extended permit ip host 40.40.40.3 host 10.76.172.63
access-list cap extended permit ip host 10.76.172.63 host 40.40.40.3
access-list cap3 extended permit ip host 172.16.152.4 host 10.76.172.201
access-list cap3 extended permit ip host 10.76.172.201 host 172.16.152.4
access-list cap3 extended permit ip host 10.0.0.2 host 10.76.172.30
access-list cap3 extended permit ip host 10.76.172.30 host 10.0.0.2
access-list cap2 extended permit ip host 172.16.152.4 host 40.40.40.4
access-list cap2 extended permit ip host 40.40.40.4 host 172.16.152.4
access-list test extended permit ip host 172.16.151.4 host 10.76.172.63
access-list test extended permit ip host 10.76.172.63 host 172.16.151.4
access-list test1 extended permit ip host 172.16.152.4 host 10.76.172.63
access-list test1 extended permit ip host 10.76.172.63 host 172.16.152.4
access-list test2 extended permit ip host 172.16.152.4 host 10.76.172.201
access-list test2 extended permit ip host 10.76.172.201 host 172.16.152.4
access-list test3 extended permit ip host 172.16.152.4 host 172.16.151.126
access-list test3 extended permit ip host 172.16.151.126 host 172.16.152.4
access-list Ops_nat0_outbound extended permit ip 172.16.155.0 255.255.255.128 192.168.46.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.16.155.0 255.255.255.128 192.168.46.0 255.255.255.0
access-list NTP extended permit icmp host 172.16.153.3 any
access-list NTP extended permit icmp host 172.16.153.2 any
access-list NTP extended permit icmp host 172.16.153.1 any
access-list NTP extended permit udp host 172.16.153.3 host nl.2.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.2 host nl.2.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.1 host nl.2.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.3 host nl.0.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.2 host nl.0.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.1 host nl.0.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.3 host nl.mg.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.2 host nl.mg.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.1 host nl.mg.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.3 host nl.3.africa.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.2 host nl.3.africa.pool.ntp.org eq ntp
access-list NTP extended permit udp host 172.16.153.1 host nl.3.africa.pool.ntp.org eq ntp
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu DB 1500
mtu APP 1500
mtu WEB 1500
mtu ILO 1500
mtu Ops 1500
mtu BACKUP 1500
mtu DMZ 1500
ip local pool VPN 10.0.0.2-10.0.0.50 mask 255.255.255.128
ip local pool ilo 10.10.10.2-10.10.10.50 mask 255.255.255.128
ip local pool vpnpool 40.40.40.1-40.40.40.40 mask 255.255.255.0
ip local pool sanovi 25.25.25.2-25.25.25.25 mask 255.255.255.128
ip local pool newVPN 70.70.70.1-70.70.70.70 mask 255.255.0.0
failover
failover lan unit primary
failover lan interface failover Ethernet0/2
failover key *****
failover link failover Ethernet0/2
failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any APP
icmp permit any DMZ
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (BACKUP) 1 interface
nat (DB) 0 access-list P2P
nat (APP) 0 access-list APP_nat0_outbound
nat (WEB) 1 access-list NTP
nat (ILO) 0 access-list ILO_nat0_outbound
nat (DMZ) 0 access-list nonatDMZ
static (WEB,outside) tcp interface https 172.16.153.3 8001 netmask 255.255.255.255 norandomseq
static (APP,outside) tcp interface 8900 172.16.152.7 8900 netmask 255.255.255.255 norandomseq
static (APP,outside) tcp interface 8901 172.16.152.7 8901 netmask 255.255.255.255 norandomseq
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 217.74.232.1 1 track 1
route BACKUP 0.0.0.0 0.0.0.0 154.66.244.65 254
route DMZ 172.16.161.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 444
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 BACKUP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map mydynamic 10 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-AES-256-MD5 ESP-AES-256-SHA ESP-AES-192-SHA ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 217.74.232.3
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 84.233.182.218
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 121.241.107.34
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map mymap 2 match address outside_2_cryptomap
crypto map mymap 2 set pfs
crypto map mymap 2 set peer 84.233.182.218
crypto map mymap 2 set transform-set ESP-3DES-SHA
crypto map mymap 1000 ipsec-isakmp dynamic mydynamic
crypto map mymap interface BACKUP
crypto isakmp enable outside
crypto isakmp enable BACKUP
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 BACKUP
ssh timeout 60
console timeout 0
management-access DMZ
vpn load-balancing
interface lbprivate WEB
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
ntp server nl.2.pool.ntp.org
ntp server nl.mg.pool.ntp.org
ntp server nl.3.africa.pool.ntp.org
ntp server nl.0.pool.ntp.org
group-policy test internal
group-policy test attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
group-policy sanovi-site1 internal
group-policy sanovi-site1 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sanovi-site1_splitTunnelAcl
group-policy ILOVLAN4 internal
group-policy ILOVLAN4 attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ILOVLAN4_splitTunnelAcl
group-policy emaal-ilouser internal
group-policy emaal-ilouser attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value emaal-ilouser_splitTunnelAcl
group-policy cisco internal
group-policy cisco attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
group-policy nationlink3 internal
group-policy nationlink3 attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nationlink3_splitTunnelAcl
group-policy nationlink internal
group-policy nationlink attributes
vpn-simultaneous-logins 50
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nationlink_splitTunnelAcl_4
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
vpn-group-policy test
username sanovi password yVffc6q4JZU//5xU encrypted privilege 0
username sanovi attributes
vpn-group-policy sanovi-site1
username admin password SWZ1kF7VOHAXyK10 encrypted privilege 15
username emaal-ilouser password XCE.CqS6nvttZYic encrypted privilege 0
username emaal-ilouser attributes
vpn-group-policy emaal-ilouser
username cisco123 password ffIRPGpDSOJh9YLq encrypted privilege 0
username cisco123 attributes
vpn-group-policy cisco
username cisco1 password i675yHjYh7DFdX7e encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
username nationlink3 password Q3j4FV4cRow3qzQ6 encrypted privilege 0
username nationlink3 attributes
vpn-group-policy nationlink3
username nationlinkilo password guj9QBhuRxkKppvA encrypted privilege 0
username nationlinkilo attributes
vpn-group-policy ILOVLAN4
username nationlink password y/fB7FUObNv4Fjl2 encrypted privilege 0
username nationlink attributes
vpn-group-policy nationlink
vpn-access-hours none
vpn-simultaneous-logins 50
vpn-idle-timeout none
vpn-session-timeout none
tunnel-group nationlink type remote-access
tunnel-group nationlink general-attributes
address-pool VPN
default-group-policy nationlink
tunnel-group nationlink ipsec-attributes
pre-shared-key *
tunnel-group 217.74.232.3 type ipsec-l2l
tunnel-group 217.74.232.3 ipsec-attributes
pre-shared-key *
tunnel-group emaal-ilouser type remote-access
tunnel-group emaal-ilouser general-attributes
address-pool ilo
default-group-policy emaal-ilouser
tunnel-group emaal-ilouser ipsec-attributes
pre-shared-key *
tunnel-group 84.233.182.218 type ipsec-l2l
tunnel-group 84.233.182.218 ipsec-attributes
pre-shared-key *
tunnel-group ILOVLAN4 type remote-access
tunnel-group ILOVLAN4 general-attributes
address-pool ilo
default-group-policy ILOVLAN4
tunnel-group ILOVLAN4 ipsec-attributes
pre-shared-key *
tunnel-group sanovi-site1 type remote-access
tunnel-group sanovi-site1 general-attributes
address-pool sanovi
default-group-policy sanovi-site1
tunnel-group sanovi-site1 ipsec-attributes
pre-shared-key *
tunnel-group nationlink3 type remote-access
tunnel-group nationlink3 general-attributes
address-pool vpnpool
default-group-policy nationlink3
tunnel-group nationlink3 ipsec-attributes
pre-shared-key *
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
address-pool vpnpool
default-group-policy cisco
tunnel-group cisco ipsec-attributes
pre-shared-key *
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool newVPN
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key *
tunnel-group 121.241.107.34 type ipsec-l2l
tunnel-group 121.241.107.34 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:bef76609e6eb18222281f7dc65964ca3
: end
Also, I can't access the ASDM over the WAN IP addresses.
Please help
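One way to see why the application URL works only through the original ISP while the VPN still comes up on the new one is to audit which inbound paths each outward-facing interface actually has. The script below is an added example, not code from the post or from Cisco; it parses a handful of the global, static, access-group and crypto-map lines copied from the config above, and the regexes cover only the `static ... tcp interface` form used there.

```python
import re
from collections import defaultdict

# Lines copied from the posted config (only the ones relevant to inbound reachability).
ASA_CONFIG = """\
global (outside) 1 interface
global (BACKUP) 1 interface
static (WEB,outside) tcp interface https 172.16.153.3 8001 netmask 255.255.255.255 norandomseq
static (APP,outside) tcp interface 8900 172.16.152.7 8900 netmask 255.255.255.255 norandomseq
static (APP,outside) tcp interface 8901 172.16.152.7 8901 netmask 255.255.255.255 norandomseq
access-group outside_access_in in interface outside
crypto map outside_map interface outside
crypto map mymap interface BACKUP
"""

# Hypothetical audit helper: matches only the syntax forms present in the post above.
GLOBAL_RE = re.compile(r"^global \((\w+)\)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
CRYPTO_RE = re.compile(r"^crypto map \S+ interface (\w+)")


def audit_inbound_paths(config: str) -> dict:
    """Per interface: outbound PAT present, inbound ACL name, published ports, VPN termination."""
    report = defaultdict(lambda: {"pat_outbound": False, "inbound_acl": None,
                                  "published": [], "vpn_terminates": False})
    for raw in config.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            report[m.group(1)]["pat_outbound"] = True
            continue
        m = STATIC_RE.match(line)
        if m:
            inside_if, outside_if, ext_port, real_ip, real_port = m.groups()
            report[outside_if]["published"].append((ext_port, f"{inside_if}:{real_ip}:{real_port}"))
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            report[m.group(2)]["inbound_acl"] = m.group(1)
            continue
        m = CRYPTO_RE.match(line)
        if m:
            report[m.group(1)]["vpn_terminates"] = True
    return dict(report)


def why_url_fails_on(report: dict, ifname: str) -> list:
    """Reasons a published application URL cannot be reached via ifname (empty list = no gap)."""
    entry = report.get(ifname, {"published": [], "inbound_acl": None})
    reasons = []
    if not entry["published"]:
        reasons.append(f"no static PAT publishes the application ports on {ifname}")
    if entry["inbound_acl"] is None:
        reasons.append(f"no access-group is applied inbound on {ifname}")
    return reasons


if __name__ == "__main__":
    r = audit_inbound_paths(ASA_CONFIG)
    for ifname in ("outside", "BACKUP"):
        print(ifname, r[ifname], why_url_fails_on(r, ifname) or "OK")
```

The same config also has `http server enable 444`, so ASDM is served on port 444 rather than the default 443 on both outside and BACKUP, which is worth checking for the WAN ASDM access problem.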
07-17-2014 10:47 AM
Could you tell me exactly what error you are getting while accessing the ASDM and the application URL?