Passing Public IPs through multiple ASA's (Part 2) - Continued

mst2irad4113
Level 1

Jon Marshall
Hall of Fame

This configuration will just be for access to and from 10.20.0.20, i.e. nothing else will work at the moment.

So remove all this -

nat (outside,inside) source static 70.x.x.231 70.x.x.231 destination static 10.20.0.20 10.20.0.20
nat (any,inside) source dynamic any interface
nat (any,outside) source dynamic any interface
!
object network 10.20.0.0
nat (any,outside) dynamic pat-pool interface

object network 70.x.x.231
host 70.x.x.231
object network 10.20.0.20
host 10.20.0.20

and then add this -

object network 10.20.0.20
host 10.20.0.20
nat (inside,outside) static 70.x.x.231

Your ACLs are fine.

As long as ASA 5510 is permitting any access to 70.x.x.224 IPs and the route is there to pass it on to 5505 (1) you should hopefully be able to ping from the internet to the 70.x.x.231 IP and it should go through to 10.20.0.20.

Jon

I removed the items you mentioned. In order to remove the original 10.20.0.20 object I had to also remove the ACLs that contained them.

Then I created the object you mentioned.

I verified the route on the 5510 but was unable to ping.

Here is the Show Run on the 5505 (1)

interface Ethernet0/0
 description Port to 5510
 switchport access vlan 2
!
interface Ethernet0/1
 description Port to 5505(2)
 switchport access vlan 10
!
interface Ethernet0/2
 description Port to Laptop
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2   ***NOTE: I was mistaken. VLAN 2 is my outside VLAN.
 nameif outside
 security-level 0
 ip address 10.10.0.21 255.255.255.0
!
interface Vlan3    ***NOTE: I was mistaken. VLAN 2 is my outside VLAN.
 no nameif
 security-level 0
 ip address 10.39.0.2 255.255.255.0
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.20.0.11
 host 10.20.0.11
 description PSP-ASA
object network 70.x.x.231
 host 70.x.x.231
object network 10.20.0.20
 host 10.20.0.20
object-group network 22
object-group network 223
 network-object object 70.x.x.231
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in extended permit ip 10.39.0.0 255.255.255.0 any
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network 10.20.0.20
 nat (inside,outside) static 70.x.x.231
access-group outside_access_in_1 in interface outside
access-group Inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.40.0.1 1
route inside 10.20.112.0 255.255.255.0 10.20.0.11 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.20.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:270767e7f7bccadc31dda28149c05a1e
: end

Here is the Show Route on the 5510

C    NEW_WAN 255.255.255.240 is directly connected, outside
S    PublicIPs 255.255.255.224 [1/0] via 10.40.0.21, inside
C    MCST-FW-Net 255.255.255.0 is directly connected, inside
S    10.20.0.11 255.255.255.255 [1/0] via 10.40.0.21, inside
S    10.20.0.0 255.255.255.0 [1/0] via 10.40.0.21, inside
S    10.20.112.0 255.255.255.0 [1/0] via 10.40.0.21, inside
S    10.10.64.0 255.255.192.0 [1/0] via 10.40.0.17, inside
S    10.10.128.0 255.255.192.0 [1/0] via 10.40.0.17, inside
S    10.60.0.233 255.255.255.255 [1/0] via 10.40.0.21, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 68.101.41.177, outside

Here is the Show Run | i PublicIPs

access-list inside_access_in extended permit ip PublicIPs 255.255.255.240 any
access-list outside_access_in extended permit ip any PublicIPs 255.255.255.240
access-list outside_access_in extended permit ip PublicIPs 255.255.255.240 NEW_WAN 255.255.255.248 inactive
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
route inside PublicIPs 255.255.255.224 10.10.0.21 1

I'm confused.

Your outside interface on 5505 (1) -

interface Vlan2   ***NOTE: I was mistaken. VLAN 2 is my outside VLAN.
 nameif outside
 security-level 0
 ip address 10.10.0.21 255.255.255.0

and the default route on 5505 (1) -

route outside 0.0.0.0 0.0.0.0 10.40.0.1 1

The next hop IP in the route is not a 10.10.0.x IP?

Also on your 5510 the routing table is showing -

S    PublicIPs 255.255.255.224 [1/0] via 10.40.0.21, inside

but the static route in the configuration is -

route inside PublicIPs 255.255.255.224 10.10.0.21 1

Are these just typos?

Jon
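
The mismatch Jon spots here (a `route outside` whose next hop is not on the outside interface's subnet) is easy to check mechanically before posting a config. The following is an added Python example, not code from the thread or from Cisco: it parses ASA-style `interface`/`nameif`/`ip address` blocks and `route` lines with the standard `ipaddress` module and reports every static route whose next hop is not directly connected through the interface the route names. The sample config is constructed from the 5505 (1) lines posted above (first as posted, then with the next hop the poster later said it should be); the function names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the 5505 (1) lines as first posted in the thread, where
# the default route's next hop (10.40.0.1) is not on the outside interface's
# subnet (10.10.0.0/24). Interface names and addresses come from the post.
CONFIG_AS_POSTED = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.0.21 255.255.255.0
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.40.0.1 1
route inside 10.20.112.0 255.255.255.0 10.20.0.11 1
"""

# The same config with the next hop the poster later said it should be.
CONFIG_CORRECTED = CONFIG_AS_POSTED.replace("10.40.0.1 1", "10.10.0.1 1")


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each nameif to its address/mask, following ASA 'interface' blocks."""
    interfaces: Dict[str, ipaddress.IPv4Interface] = {}
    nameif = None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            nameif = None                       # new block; no nameif seen yet
        elif stripped.startswith("nameif "):
            nameif = stripped.split()[1]
        elif stripped.startswith("ip address ") and nameif:
            _, _, addr, mask = stripped.split()[:4]
            interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_routes(config: str) -> List[Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Address]]:
    """Extract (interface, destination network, next hop) from 'route' lines."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"^route (\S+) (\S+) (\S+) (\S+)", line.strip())
        if m:
            ifname, net, mask, nh = m.groups()
            routes.append((ifname, ipaddress.IPv4Network(f"{net}/{mask}", strict=False),
                           ipaddress.IPv4Address(nh)))
    return routes


def check_next_hops(config: str) -> List[str]:
    """One finding per static route whose next hop is not on the connected
    subnet of the interface the route names (or whose interface is unknown)."""
    interfaces = parse_interfaces(config)
    findings = []
    for ifname, net, nh in parse_routes(config):
        iface = interfaces.get(ifname)
        if iface is None:
            findings.append(f"route {ifname} {net}: no ip address found for interface '{ifname}'")
        elif nh not in iface.network:
            findings.append(f"route {ifname} {net}: next hop {nh} is not on {iface.network}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("corrected", CONFIG_CORRECTED)):
        print(label, check_next_hops(cfg) or "all next hops are directly connected")
```

Run against the config as posted it flags the default route (next hop 10.40.0.1 is not on 10.10.0.0/24); against the corrected config it returns no findings. The same check applied to the 5510's `route inside PublicIPs ... 10.40.0.21` would confirm that next hop sits on its inside subnet 10.40.0.0/24.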

Ok, I am doing my best to mask my actual internal IPs... but I am missing a bunch and at this point I am not sure it even matters. :(

The reason why I said "NOTE: I was mistaken. VLAN 2 is my outside VLAN." was because when I typed out my configuration originally to you I mentioned VLAN 3 was my outside VLAN. I was just pointing out that I was incorrect.

The default route (masked) should be: route outside 0.0.0.0 0.0.0.0 10.10.0.1 1

Another typo... S    PublicIPs 255.255.255.224 [1/0] via 10.40.0.21, inside  should read S    PublicIPs 255.255.255.224 [1/0] via 10.10.0.21, inside

My ability to catch all of my actual IPs and manually change them isn't 100%. Is it common to mask your internal network on this forum since no one knows my external address?

If they are private IPs no need to mask on this forum.

If they are public then yes do what we have been doing ie. 70.x.x.231 for example.

Okay, assuming everything is correct, can you run this command on 5505 (1) and post the output -

"packet-tracer input outside tcp 8.8.8.8 12345 70.x.x.231 80"

Jon

Ok... then from here on out I will use my actual IPs. I can't apologize enough for the confusion.

The 10.10.0.0/24 network is really 10.40.0.0/24

The 10.20.0.0/24 network is really 10.50.0.0/24

When I ran that command, this is the result.

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 10.50.0.20
 nat (inside,outside) static 70.x.x.231
Additional Information:
NAT divert to egress interface inside
Untranslate 70.x.x.231/80 to 10.50.0.20/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface outside
access-list outside_access_in_1 extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 10.50.0.20
 nat (inside,outside) static 70.x.x.231
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 39191, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
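
Reading packet-tracer output by eye works for a ten-phase trace, but when you are comparing traces from two firewalls (the 5505 (1) output above and the 5510 output further down the thread) it helps to reduce each one to its verdict, the un-NAT it applied and the first phase that said DROP. The block below is an added Python example, not code from the thread or from Cisco: a small parser for the `Phase:` / `Type:` / `Result:` layout the ASA prints, plus a one-line triage function. `TRACE_ALLOWED` is cut down from the 5505 (1) output posted above; `TRACE_DROPPED` is a constructed negative case (the same packet denied by an interface ACL) so the drop path is exercised too. Function names are my own.

```python
import re
from typing import Dict, Optional

# Constructed sample: the 5505 (1) packet-tracer output posted above, cut
# down to two phases and the trailing verdict so the block stays short.
TRACE_ALLOWED = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 10.50.0.20
 nat (inside,outside) static 70.x.x.231
Additional Information:
NAT divert to egress interface inside
Untranslate 70.x.x.231/80 to 10.50.0.20/80

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# Constructed negative case, not from the thread: the same packet denied by
# the outside interface ACL, in the layout the ASA uses for a dropped packet.
TRACE_DROPPED = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any log
Additional Information:

Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text: str) -> Dict:
    """Split packet-tracer output into per-phase records plus the final verdict."""
    out = {"phases": [], "action": None, "drop_reason": None, "untranslate": None,
           "input_interface": None, "output_interface": None}
    phase, bucket = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Phase":
            phase = {"phase": int(value), "type": "", "subtype": "", "result": "",
                     "config": [], "info": []}
            out["phases"].append(phase)
            bucket = None
        elif line == "Result:":                 # trailing verdict block, not a phase
            phase, bucket = None, None
        elif phase is None:                     # verdict fields after the last phase
            if key in ("Action", "Drop-reason", "input-interface", "output-interface"):
                out[key.lower().replace("-", "_")] = value
        elif key in ("Type", "Subtype", "Result") and not bucket:
            phase[key.lower()] = value
        elif line == "Config:":
            bucket = "config"
        elif line == "Additional Information:":
            bucket = "info"
        elif bucket and line:                   # body lines of Config / Additional Information
            phase[bucket].append(line)
            m = re.match(r"Untranslate (\S+) to (\S+)", line)
            if m:                               # record the un-NAT the firewall applied
                out["untranslate"] = (m.group(1), m.group(2))
    return out


def first_drop(summary: Dict) -> Optional[Dict]:
    """First phase whose Result is not ALLOW, or None when every phase passed."""
    return next((p for p in summary["phases"] if p["result"] != "ALLOW"), None)


def verdict(text: str) -> str:
    """One-line triage string: where the packet was dropped, or the allowed path."""
    s = parse_packet_tracer(text)
    drop = first_drop(s)
    if drop is not None:
        return f"dropped at phase {drop['phase']} ({drop['type']}): {s['drop_reason']}"
    path = f"allowed {s['input_interface']} -> {s['output_interface']}"
    if s["untranslate"]:
        path += f", un-NAT {s['untranslate'][0]} -> {s['untranslate'][1]}"
    return path
```

For the 5505 (1) trace this yields `allowed outside -> inside, un-NAT 70.x.x.231/80 -> 10.50.0.20/80`, which is exactly the fact Jon draws from it: that firewall un-NATs the public IP to the laptop and forwards it, so the remaining suspects are the 5510 and the client. On the 5510 trace the same parser records `PublicIPs/0 -> PublicIPs/0` from its identity static, i.e. no address change on that hop.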

Okay, no need to apologise, easy mistake to make.

As far as the 5505(1) is concerned it is working.

So we need to work out where else it is failing.

It is either the 5510 or the client.

I assume the client is a PC or laptop. If it is and you are testing with ping can you first try pinging it from 5505 (1), just to make sure it hasn't got a firewall blocking ping.

If you can ping it then can you confirm it has the default gateway set to the inside interface of 5505 (1).

If it does then we need to look at 5510's configuration.

Again x out the public IPs in the middle octets and any other information you need to keep private but leave the private IPs as they are.

Jon

I am able to ping the laptop from the ASA; firewall is off.

Default GW on the laptop is the inside interface of the ASA (10.50.0.1).

It has to be the 5510.

The Show Run on the 5510 has a lot of configuration... I need to delete/change anything that pertains to the company, which is a ton. Is there any other command besides the full Show Run that could reduce how much needs to be filtered? Not trying to avoid the work... it's just that though all the 5505s are fresh and I am building this network, we are still running a 5512 (10.40.0.17) feeding off of the 5510 and granting my lab users internet. So there are a lot of configs pertaining to them. Otherwise I am still altering the Show Run results.

Let's try the packet-tracer command again.

Use exactly the same command I posted before and post the results.

Jon

Results of packet-tracer run from the 5510

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
  match ip inside PublicIPs 255.255.255.240 outside any
    static translation to PublicIPs
    translate_hits = 2261, untranslate_hits = 9764
Additional Information:
NAT divert to egress interface inside
Untranslate PublicIPs/0 to PublicIPs/0 using netmask 255.255.255.240

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any PublicIPs 255.255.255.240
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit ip any any log
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
  match ip inside PublicIPs 255.255.255.240 outside any
    static translation to PublicIPs
    translate_hits = 2263, untranslate_hits = 9764
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
  match ip inside PublicIPs 255.255.255.240 outside any
    static translation to PublicIPs
    translate_hits = 2263, untranslate_hits = 9764
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4059085, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Here is a Show Run from the 5510 (heavily filtered)

names
name 10.40.0.0 MCST-FW-Net
name 70.x.x.179 Masked_FW_Outside
name 70.x.x.185 Dummy description Placeholder for 182
name 10.40.128.25 EMAIL
name 10.40.0.4 OpenVPN
name 68.x.x.176 NEW_WAN
name 10.39.0.2 CORE-ASA 
name 70.x.x.224 PublicIPs
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 68.x.x.178 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.40.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa825-13-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name MASKED
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TCP-Services tcp
 port-object eq 10101
 port-object eq 123
 port-object range 15000 19999
 port-object eq 2000
 port-object eq 2195
 port-object eq 2196
 port-object eq 5038
 port-object eq 5061
 port-object eq 5228
 port-object eq 5229
 port-object eq 5230
 port-object eq 5432
 port-object eq h323
 port-object eq www
 port-object eq https
 port-object eq kerberos
 port-object eq ldap
 port-object eq ldaps
 port-object eq sip
 port-object eq smtp
 port-object eq ssh
 port-object eq citrix-ica
 port-object eq 943
 port-object eq pptp
 port-object eq imap4
object-group service UDP-Services udp
 port-object eq 1718
 port-object eq 1719
 port-object eq 2727
 port-object eq 3478
 port-object eq 4500
 port-object eq 4520
 port-object eq 4569
 port-object eq 5000
 port-object range 50000 54999
 port-object range 60000 61799
 port-object eq 88
 port-object eq domain
 port-object eq sip
 port-object eq syslog
 port-object eq ntp
 port-object eq 1194
 port-object eq 8888
object-group protocol VPN-Traffic
 protocol-object esp
 protocol-object ah
object-group service TCP-Services-Inbound
 service-object esp
 service-object tcp eq 5228
 service-object tcp eq 5229
 service-object tcp eq 5230
 service-object tcp eq 5432
 service-object tcp eq ssh
object-group service UDP-Services-Inbound udp
 port-object eq 4500
 port-object eq domain
 port-object eq isakmp
object-group network test
 network-object 10.40.0.2 255.255.255.255
object-group service DM_INLINE_UDP_2 udp
 port-object eq 4500
 port-object eq isakmp
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply


object-group service DM_INLINE_TCP_2 tcp
 group-object Samsung_TCP_Ports
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object MCST-FW-Net 255.255.0.0
 network-object 70.x.x.160 255.255.255.224
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq 1701
 service-object udp eq 4500
 service-object udp eq isakmp
 service-object udp eq ntp
 service-object tcp eq www
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq https
 service-object udp eq 1194
 service-object udp eq 8080
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object tcp eq https

object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp

object-group network publicips

access-list inside_access_in extended permit ip PublicIPs 255.255.255.240 any

access-list inside_access_in extended permit ip host 70.x.x.225 any

access-list inside_access_in extended permit ip host 70.x.x.236 any
access-list inside_access_in extended permit udp MCST-FW-Net 255.255.0.0 any object-group UDP-Services log
access-list inside_access_in extended permit tcp MCST-FW-Net 255.255.0.0 any object-group TCP-Services log
access-list inside_access_in extended permit esp MCST-FW-Net 255.255.0.0 any log
access-list inside_access_in extended permit udp MCST-FW-Net 255.255.0.0 any object-group DM_INLINE_UDP_2 log

access-list inside_access_in extended permit tcp MCST-FW-Net 255.255.0.0 any object-group DM_INLINE_TCP_2 log

access-list inside_access_in extended permit icmp MCST-FW-Net 255.255.0.0 any log

access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq 873 inactive

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 host OpenVPN any

access-list inside_access_in extended permit udp host 70.x.x.182 any eq 1194

access-list inside_access_in extended permit tcp host 70.x.x.182 any eq ssh

access-list inside_access_in extended permit ip host 70.x.x.231 any log

access-list inside_access_in extended permit ip host 70.x.x.232 any
access-list inside_access_in extended permit ip host 70.x.x.233 any log

access-list inside_access_in extended permit ip NEW_WAN 255.255.255.248 interface inside inactive
access-list inside_access_in extended deny ip any any log

access-list inside extended permit tcp 70.x.x.240 255.255.255.240 72.x.x.64 255.255.255.224 object-group TCP-Services
access-list inside extended permit udp 70.x.x.240 255.255.255.240 72.x.x.64 255.255.255.224 object-group UDP-Services
access-list outside extended permit udp 72.x.x.64 255.255.255.224 70.x.x.240 255.255.255.240 object-group UDP-Services
access-list outside extended permit tcp 72.x.x.64 255.255.255.224 70.x.x.240 255.255.255.240 object-group TCP-Services
access-list outside_access_in remark STEALTH RULE
access-list outside_access_in extended deny ip any host Masked_FW_Outside log
access-list outside_access_in extended permit ip any PublicIPs 255.255.255.240
access-list outside_access_in extended permit ip any host 70.x.x.225
access-list outside_access_in extended permit ip any host 70.x.x.231 log
access-list outside_access_in extended permit ip any host 70.x.x.232
access-list outside_access_in extended permit ip any host 70.x.x.233 log
access-list outside_access_in extended permit ip any host 70.x.x.236 log
access-list outside_access_in extended permit esp any 70.x.x.160 255.255.255.224 log
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 70.x.x.160 255.255.255.224 log
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any 70.x.x.160 255.255.255.224
access-list outside_access_in extended permit udp any host 70.x.x.182 eq 1194
access-list outside_access_in extended permit tcp any host 70.x.x.182 eq ssh
access-list outside_access_in remark Ping
access-list outside_access_in extended permit icmp any host 10.40.0.33 inactive
access-list outside_access_in extended permit tcp any 70.x.x.160 255.255.255.224 object-group TCP-Services inactive
access-list outside_access_in extended permit udp any 70.x.x.160 255.255.255.224 object-group UDP-Services inactive
access-list outside_access_in extended permit ip PublicIPs 255.255.255.240 NEW_WAN 255.255.255.248 inactive
access-list outside_access_in extended deny ip any any log
access-list Mobility_Infrastructure_access_in remark Ping Test
access-list inside_access_out extended permit ip any any log
access-list inside_access_out extended permit esp any object-group DM_INLINE_NETWORK_1 log
access-list inside_access_out extended permit icmp any any
access-list Inside2_access_in extended permit ip 10.39.0.0 255.255.255.0 any
access-list Inside2_access_in extended permit ip any 10.39.0.0 255.255.255.0

pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor informational
logging buffered debugging
logging trap informational
logging history critical
logging asdm warnings
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 70.x.x.182 10.40.0.7 netmask 255.255.255.255
static (inside,outside) 70.x.x.180 10.40.0.2 netmask 255.255.255.255
static (inside,outside) 70.x.x.181 10.40.0.17 netmask 255.255.255.255
static (outside,inside) 10.40.0.7 70.x.x.182 netmask 255.255.255.255
static (outside,inside) 10.40.0.2 70.x.x.180 netmask 255.255.255.255
static (outside,inside) 10.40.0.17 70.x.x.181 netmask 255.255.255.255
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 68.101.41.177 1
route inside 10.40.64.0 255.255.192.0 10.40.0.17 1
route inside 10.40.128.0 255.255.192.0 10.40.0.17 1
route inside 10.50.0.0 255.255.255.0 10.40.0.21 1
route inside 10.50.0.11 255.255.255.255 10.40.0.21 1
route inside 10.50.112.0 255.255.255.0 10.40.0.21 1
route inside 10.60.0.233 255.255.255.255 10.40.0.21 1
route inside PublicIPs 255.255.255.224 10.40.0.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server session-timeout 10
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
sysopt noproxyarp inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 30
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 service-type nas-prompt
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bd962a8c0dd6b27b5b024778602f8b60
: end

Can you ping the outside interface of 5505 (1) from 5510?

You may need to temporarily add this to 5505 (1) -

"icmp permit any outside"

Jon

Actually forget that, I have just seen the acl in the packet-tracer output and it is allowed.

Let me have a think.

Jon

Not sure if this helps... but the laptop is able to ping 8.8.8.8 if I log into it and run the command myself.