03-31-2015 09:43 AM - edited 03-05-2019 01:08 AM
This is the continuation of an issue posted on : https://supportforums.cisco.com/discussion/12463791/passing-public-ips-through-multiple-asas-part-1
03-31-2015 09:49 AM
This configuration will just be for access to and from 10.20.0.20 ie. nothing else will work at the moment.
So remove all this -
nat (outside,inside) source static 70.x.x.231 70.x.x.231 destination static 10.20.0.20 10.20.0.20
nat (any,inside) source dynamic any interface
nat (any,outside) source dynamic any interface
!
object network 10.20.0.0
nat (any,outside) dynamic pat-pool interface
object network 70.x.x.231
host 70.x.x.231
object network 10.20.0.20
host 10.20.0.20
and then add this -
object network 10.20.0.20
host 10.20.0.20
nat (inside,outside) static 70.x.x.231
Your ACLs are fine.
As long as ASA 5510 is permitting any access to 70.x.x.224 IPs and the route is there to pass it on to 5505 (1) you should hopefully be able to ping from the internet to the 70.x.x.231 IP and it should go through to 10.20.0.20.
Jon
03-31-2015 11:25 AM
I removed the items you mentioned. In order to remove the original 10.20.0.20 object I had to also remove the ACLs that contained it.
Then I created the object you mentioned.
I verified the route on the 5510 but was unable to ping.
Here is the Show Run on the 5505 (1)
interface Ethernet0/0
description Port to 5510
switchport access vlan 2
!
interface Ethernet0/1
description Port to 5505(2)
switchport access vlan 10
!
interface Ethernet0/2
description Port to Laptop
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2 ***NOTE: I was mistaken. VLAN 2 is my outside VLAN.
nameif outside
security-level 0
ip address 10.10.0.21 255.255.255.0
!
interface Vlan3 ***NOTE: I was mistaken. VLAN 2 is my outside VLAN.
no nameif
security-level 0
ip address 10.39.0.2 255.255.255.0
!
interface Vlan10
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 10.20.0.11
host 10.20.0.11
description PSP-ASA
object network 70.x.x.231
host 70.x.x.231
object network 10.20.0.20
host 10.20.0.20
object-group network 22
object-group network 223
network-object object 70.x.x.231
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in extended permit ip 10.39.0.0 255.255.255.0 any
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network 10.20.0.20
nat (inside,outside) static 70.x.x.231
access-group outside_access_in_1 in interface outside
access-group Inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.40.0.1 1
route inside 10.20.112.0 255.255.255.0 10.20.0.11 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.20.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:270767e7f7bccadc31dda28149c05a1e
: end
Here is the Show Route on the 5510
C NEW_WAN 255.255.255.240 is directly connected, outside
S PublicIPs 255.255.255.224 [1/0] via 10.40.0.21, inside
C MCST-FW-Net 255.255.255.0 is directly connected, inside
S 10.20.0.11 255.255.255.255 [1/0] via 10.40.0.21, inside
S 10.20.0.0 255.255.255.0 [1/0] via 10.40.0.21, inside
S 10.20.112.0 255.255.255.0 [1/0] via 10.40.0.21, inside
S 10.10.64.0 255.255.192.0 [1/0] via 10.40.0.17, inside
S 10.10.128.0 255.255.192.0 [1/0] via 10.40.0.17, inside
S 10.60.0.233 255.255.255.255 [1/0] via 10.40.0.21, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 68.101.41.177, outside
Here is the Show Run | i PublicIPs
access-list inside_access_in extended permit ip PublicIPs 255.255.255.240 any
access-list outside_access_in extended permit ip any PublicIPs 255.255.255.240
access-list outside_access_in extended permit ip PublicIPs 255.255.255.240 NEW_WAN 255.255.255.248 inactive
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
route inside PublicIPs 255.255.255.224 10.10.0.21 1
03-31-2015 11:30 AM
I'm confused.
Your outside interface on 5505 (1) -
interface Vlan2 ***NOTE: I was mistaken. VLAN 2 is my outside VLAN.
nameif outside
security-level 0
ip address 10.10.0.21 255.255.255.0
and the default route on 5505 (1) -
route outside 0.0.0.0 0.0.0.0 10.40.0.1 1
The next hop IP in the route is not a 10.10.0.x IP?
Also on your 5510 the routing table is showing -
S PublicIPs 255.255.255.224 [1/0] via 10.40.0.21, inside
but the static route in the configuration is -
route inside PublicIPs 255.255.255.224 10.10.0.21 1
Are these just typos?
Jon
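The two mismatches Jon points at above (a default-route next hop that is not on the outside interface's subnet, and an upstream route for the downstream network that does not point at the downstream's outside address) can be checked mechanically. This is an added example for this thread, not code posted by either participant; the sample lines are copied from the 5505 (1) config and the 5510 show route output as first posted, before the masking typos were corrected.

```python
"""Route consistency checks for a pair of ASAs: (1) does every static route's
next hop sit on the connected subnet of the interface it names, and (2) do the
upstream ASA's routes for the downstream networks use the downstream's outside
address as gateway? Added example for this thread, not code from the thread."""
import ipaddress


def parse_interfaces(config):
    """Map nameif -> IPv4Interface; interfaces with 'no nameif' are skipped."""
    ifaces, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()[:4]
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_routes(config):
    """(interface, IPv4Network, gateway) for each numeric 'route' line.
    Routes written with object names or masked octets (70.x.x.x) are skipped."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            try:
                net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
                routes.append((parts[1], net, ipaddress.IPv4Address(parts[4])))
            except ValueError:
                continue
    return routes


def check_next_hops(config):
    """Routes whose gateway is not on the named interface's connected subnet."""
    ifaces = parse_interfaces(config)
    return [(iface, str(net), str(gw)) for iface, net, gw in parse_routes(config)
            if iface not in ifaces or gw not in ifaces[iface].network]


def check_upstream_routes(upstream_config, downstream_config):
    """Upstream routes for a downstream inside network whose gateway is not the
    downstream's outside address, as (network, actual_gw, expected_gw)."""
    down = parse_interfaces(downstream_config)
    outside_ip = down["outside"].ip
    inside_nets = {v.network for k, v in down.items() if k != "outside"}
    return [(str(net), str(gw), str(outside_ip))
            for _, net, gw in parse_routes(upstream_config)
            if net in inside_nets and gw != outside_ip]


# Copied from the 5505 (1) show run as first posted (masked addressing).
DOWNSTREAM_5505 = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.0.21 255.255.255.0
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.40.0.1 1
route inside 10.20.112.0 255.255.255.0 10.20.0.11 1
"""
# Constructed from the 5510 show route lines above, rewritten as route commands.
UPSTREAM_5510 = """\
route inside 10.20.0.0 255.255.255.0 10.40.0.21 1
route inside 10.20.112.0 255.255.255.0 10.40.0.21 1
"""
```

Run against the posted text, `check_next_hops(DOWNSTREAM_5505)` flags the default route via 10.40.0.1 and `check_upstream_routes(UPSTREAM_5510, DOWNSTREAM_5505)` flags the 10.20.0.0/24 route via 10.40.0.21 instead of 10.10.0.21, the two items questioned in the post.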
03-31-2015 11:42 AM
Ok, I am doing my best to mask my actual internal IPs... but I am missing a bunch and at this point I am not sure it even matters. :(
The reason why I said "NOTE: I was mistaken. VLAN 2 is my outside VLAN." was because when I typed out my configuration originally to you I mentioned VLAN 3 was my outside VLAN. I was just pointing out that I was incorrect.
The default route (masked) should be: route outside 0.0.0.0 0.0.0.0 10.10.0.1 1
Another typo... S PublicIPs 255.255.255.224 [1/0] via 10.40.0.21, inside should read S PublicIPs 255.255.255.224 [1/0] via 10.10.0.21, inside
My ability to catch all of my actual IPs and manually change them isn't 100%. Is it common to mask your internal network on this forum, since no one knows my external address?
03-31-2015 11:48 AM
If they are private IPs no need to mask on this forum.
If they are public then yes do what we have been doing ie. 70.x.x.231 for example.
Okay, assuming everything is correct, can you run this command on 5505 (1) and post the output -
"packet-tracer input outside tcp 8.8.8.8 12345 70.x.x.231 80"
Jon
03-31-2015 12:02 PM
Ok... then from here on out I will use my actual IPs. I can't apologize enough for the confusion.
The 10.10.0.0/24 network is really 10.40.0.0/24
The 10.20.0.0/24 network is really 10.50.0.0/24
When I ran that command, this is the result.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 10.50.0.20
nat (inside,outside) static 70.x.x.231
Additional Information:
NAT divert to egress interface inside
Untranslate 70.x.x.231/80 to 10.50.0.20/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface outside
access-list outside_access_in_1 extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 10.50.0.20
nat (inside,outside) static 70.x.x.231
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 39191, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
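The packet-tracer output above (and the 5510 one later in the thread) is long enough that the useful facts are easy to miss: the final action, the first phase that did not ALLOW, and what UN-NAT rewrote the destination to. The parser below pulls those out; it is an added example for this thread, not code posted by either participant. The embedded sample is constructed from phases 2 and 3 of the 5505 (1) trace above, with a second constructed variant showing how an ACL drop is reported.

```python
"""Summarise Cisco ASA packet-tracer output: final action, first non-ALLOW
phase, and the UN-NAT rewrite, so the untranslated destination can be checked
against the intended inside host. Added example for this thread, not code
posted by either participant."""
import re


def parse_packet_tracer(text):
    """Return (phases, summary). Each phase is a dict with number, type,
    subtype, result, config and info; summary is the trailing Result block
    (input-interface, output-interface, Action, Drop-reason if present)."""
    phases, summary, cur, section, in_summary = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur = {"number": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line == "Result:":  # a bare 'Result:' opens the final summary block
            in_summary, cur = True, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif cur is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            cur[key.lower()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            cur[section].append(line)
    return phases, summary


def first_drop(phases):
    """First phase whose Result is not ALLOW, or None when every phase passes."""
    return next((p for p in phases if p["result"].upper() != "ALLOW"), None)


def untranslations(phases):
    """(original, translated) pairs reported by UN-NAT phases."""
    pairs = []
    for p in phases:
        if p["type"] == "UN-NAT":
            for line in p["info"]:
                m = re.match(r"Untranslate (\S+) to (\S+)", line)
                if m:
                    pairs.append(m.groups())
    return pairs


# Constructed sample: phases 2 and 3 of the 5505 (1) trace above plus its
# Result block, and a constructed variant in which the outside ACL drops.
ALLOWED = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 10.50.0.20
nat (inside,outside) static 70.x.x.231
Additional Information:
NAT divert to egress interface inside
Untranslate 70.x.x.231/80 to 10.50.0.20/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface outside
access-list outside_access_in_1 extended permit ip any any
Additional Information:
Result:
input-interface: outside
output-interface: inside
Action: allow
"""
DROPPED = ALLOWED.replace("Subtype: log\nResult: ALLOW", "Subtype: log\nResult: DROP") \
    .replace("Action: allow", "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule")
```

For the trace above, `untranslations` confirms 70.x.x.231/80 was rewritten to 10.50.0.20/80 and `first_drop` returns None, which is why the 5505 (1) side is considered working.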
03-31-2015 12:06 PM
Okay, no need to apologise, easy mistake to make.
As far as the 5505(1) is concerned it is working.
So we need to work out where else it is failing.
It is either the 5510 or the client.
I assume the client is a PC or laptop. If it is and you are testing with ping can you first try pinging it from 5505 (1), just to make sure it hasn't got a firewall blocking ping.
If you can ping it then can you confirm it has the default gateway set to the inside interface of 5505 (1).
If it does then we need to look at 5510's configuration.
Again x out the public IPs in the middle octets and any other information you need to keep private but leave the private IPs as they are.
Jon
03-31-2015 12:28 PM
I am able to ping the laptop from the ASA; firewall is off.
Default GW on the laptop is the inside interface of the ASA (10.50.0.1).
It has to be the 5510.
The Show Run on the 5510 has a lot of configuration... I need to delete/change anything that pertains to the company, which is a ton. Is there any other command besides the full Show Run that could reduce how much needs to be filtered? Not trying to avoid the work... it's just that though all the 5505s are fresh and I am building this network, we are still running a 5512 (10.40.0.17) feeding off of the 5510 and granting my lab users internet. So there are a lot of configs pertaining to them. Otherwise I am still altering the Show Run results.
03-31-2015 12:30 PM
Let's try the packet-tracer command again.
Use exactly the same command I posted before and post the results.
Jon
03-31-2015 12:36 PM
Results of Packet Tracer run from the 5510
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
match ip inside PublicIPs 255.255.255.240 outside any
static translation to PublicIPs
translate_hits = 2261, untranslate_hits = 9764
Additional Information:
NAT divert to egress interface inside
Untranslate PublicIPs/0 to PublicIPs/0 using netmask 255.255.255.240
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any PublicIPs 255.255.255.240
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_out out interface inside
access-list inside_access_out extended permit ip any any log
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
match ip inside PublicIPs 255.255.255.240 outside any
static translation to PublicIPs
translate_hits = 2263, untranslate_hits = 9764
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
match ip inside PublicIPs 255.255.255.240 outside any
static translation to PublicIPs
translate_hits = 2263, untranslate_hits = 9764
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4059085, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
03-31-2015 12:41 PM
Here is a Show Run from the 5510 (heavily filtered)
names
name 10.40.0.0 MCST-FW-Net
name 70.x.x.179 Masked_FW_Outside
name 70.x.x.185 Dummy description Placeholder for 182
name 10.40.128.25 EMAIL
name 10.40.0.4 OpenVPN
name 68.x.x.176 NEW_WAN
name 10.39.0.2 CORE-ASA
name 70.x.x.224 PublicIPs
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 68.x.x.178 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.40.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa825-13-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
domain-name MASKED
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service TCP-Services tcp
port-object eq 10101
port-object eq 123
port-object range 15000 19999
port-object eq 2000
port-object eq 2195
port-object eq 2196
port-object eq 5038
port-object eq 5061
port-object eq 5228
port-object eq 5229
port-object eq 5230
port-object eq 5432
port-object eq h323
port-object eq www
port-object eq https
port-object eq kerberos
port-object eq ldap
port-object eq ldaps
port-object eq sip
port-object eq smtp
port-object eq ssh
port-object eq citrix-ica
port-object eq 943
port-object eq pptp
port-object eq imap4
object-group service UDP-Services udp
port-object eq 1718
port-object eq 1719
port-object eq 2727
port-object eq 3478
port-object eq 4500
port-object eq 4520
port-object eq 4569
port-object eq 5000
port-object range 50000 54999
port-object range 60000 61799
port-object eq 88
port-object eq domain
port-object eq sip
port-object eq syslog
port-object eq ntp
port-object eq 1194
port-object eq 8888
object-group protocol VPN-Traffic
protocol-object esp
protocol-object ah
object-group service TCP-Services-Inbound
service-object esp
service-object tcp eq 5228
service-object tcp eq 5229
service-object tcp eq 5230
service-object tcp eq 5432
service-object tcp eq ssh
object-group service UDP-Services-Inbound udp
port-object eq 4500
port-object eq domain
port-object eq isakmp
object-group network test
network-object 10.40.0.2 255.255.255.255
object-group service DM_INLINE_UDP_2 udp
port-object eq 4500
port-object eq isakmp
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
object-group service DM_INLINE_TCP_2 tcp
group-object Samsung_TCP_Ports
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object MCST-FW-Net 255.255.0.0
network-object 70.x.x.160 255.255.255.224
object-group service DM_INLINE_SERVICE_1
service-object tcp eq 1701
service-object udp eq 4500
service-object udp eq isakmp
service-object udp eq ntp
service-object tcp eq www
object-group service DM_INLINE_SERVICE_2
service-object tcp eq https
service-object udp eq 1194
service-object udp eq 8080
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp eq https
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
object-group network publicips
access-list inside_access_in extended permit ip PublicIPs 255.255.255.240 any
access-list inside_access_in extended permit ip host 70.x.x.225 any
access-list inside_access_in extended permit ip host 70.x.x.236 any
access-list inside_access_in extended permit udp MCST-FW-Net 255.255.0.0 any object-group UDP-Services log
access-list inside_access_in extended permit tcp MCST-FW-Net 255.255.0.0 any object-group TCP-Services log
access-list inside_access_in extended permit esp MCST-FW-Net 255.255.0.0 any log
access-list inside_access_in extended permit udp MCST-FW-Net 255.255.0.0 any object-group DM_INLINE_UDP_2 log
access-list inside_access_in extended permit tcp MCST-FW-Net 255.255.0.0 any object-group DM_INLINE_TCP_2 log
access-list inside_access_in extended permit icmp MCST-FW-Net 255.255.0.0 any log
access-list inside_access_in extended permit tcp 10.10.10.0 255.255.255.0 any eq 873 inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 host OpenVPN any
access-list inside_access_in extended permit udp host 70.x.x.182 any eq 1194
access-list inside_access_in extended permit tcp host 70.x.x.182 any eq ssh
access-list inside_access_in extended permit ip host 70.x.x.231 any log
access-list inside_access_in extended permit ip host 70.x.x.232 any
access-list inside_access_in extended permit ip host 70.x.x.233 any log
access-list inside_access_in extended permit ip NEW_WAN 255.255.255.248 interface inside inactive
access-list inside_access_in extended deny ip any any log
access-list inside extended permit tcp 70.x.x.240 255.255.255.240 72.x.x.64 255.255.255.224 object-group TCP-Services
access-list inside extended permit udp 70.x.x.240 255.255.255.240 72.x.x.64 255.255.255.224 object-group UDP-Services
access-list outside extended permit udp 72.x.x.64 255.255.255.224 70.x.x.240 255.255.255.240 object-group UDP-Services
access-list outside extended permit tcp 72.x.x.64 255.255.255.224 70.x.x.240 255.255.255.240 object-group TCP-Services
access-list outside_access_in remark STEALTH RULE
access-list outside_access_in extended deny ip any host Masked_FW_Outside log
access-list outside_access_in extended permit ip any PublicIPs 255.255.255.240
access-list outside_access_in extended permit ip any host 70.x.x.225
access-list outside_access_in extended permit ip any host 70.x.x.231 log
access-list outside_access_in extended permit ip any host 70.x.x.232
access-list outside_access_in extended permit ip any host 70.x.x.233 log
access-list outside_access_in extended permit ip any host 70.x.x.236 log
access-list outside_access_in extended permit esp any 70.x.x.160 255.255.255.224 log
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any 70.x.x.160 255.255.255.224 log
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any 70.x.x.160 255.255.255.224
access-list outside_access_in extended permit udp any host 70.x.x.182 eq 1194
access-list outside_access_in extended permit tcp any host 70.x.x.182 eq ssh
access-list outside_access_in remark Ping
access-list outside_access_in extended permit icmp any host 10.40.0.33 inactive
access-list outside_access_in extended permit tcp any 70.x.x.160 255.255.255.224 object-group TCP-Services inactive
access-list outside_access_in extended permit udp any 70.x.x.160 255.255.255.224 object-group UDP-Services inactive
access-list outside_access_in extended permit ip PublicIPs 255.255.255.240 NEW_WAN 255.255.255.248 inactive
access-list outside_access_in extended deny ip any any log
access-list Mobility_Infrastructure_access_in remark Ping Test
access-list inside_access_out extended permit ip any any log
access-list inside_access_out extended permit esp any object-group DM_INLINE_NETWORK_1 log
access-list inside_access_out extended permit icmp any any
access-list Inside2_access_in extended permit ip 10.39.0.0 255.255.255.0 any
access-list Inside2_access_in extended permit ip any 10.39.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor informational
logging buffered debugging
logging trap informational
logging history critical
logging asdm warnings
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 70.x.x.182 10.40.0.7 netmask 255.255.255.255
static (inside,outside) 70.x.x.180 10.40.0.2 netmask 255.255.255.255
static (inside,outside) 70.x.x.181 10.40.0.17 netmask 255.255.255.255
static (outside,inside) 10.40.0.7 70.x.x.182 netmask 255.255.255.255
static (outside,inside) 10.40.0.2 70.x.x.180 netmask 255.255.255.255
static (outside,inside) 10.40.0.17 70.x.x.181 netmask 255.255.255.255
static (inside,outside) PublicIPs PublicIPs netmask 255.255.255.240
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 68.101.41.177 1
route inside 10.40.64.0 255.255.192.0 10.40.0.17 1
route inside 10.40.128.0 255.255.192.0 10.40.0.17 1
route inside 10.50.0.0 255.255.255.0 10.40.0.21 1
route inside 10.50.0.11 255.255.255.255 10.40.0.21 1
route inside 10.50.112.0 255.255.255.0 10.40.0.21 1
route inside 10.60.0.233 255.255.255.255 10.40.0.21 1
route inside PublicIPs 255.255.255.224 10.40.0.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server session-timeout 10
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
sysopt noproxyarp inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 30
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
service-type nas-prompt
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bd962a8c0dd6b27b5b024778602f8b60
: end
03-31-2015 12:46 PM
Can you ping the outside interface of 5505 (1) from 5510 ?
You may need to temporarily add this to 5505 (1) -
"icmp permit any outside"
Jon
03-31-2015 12:42 PM
Actually forget that, I have just seen the ACL in the packet-tracer output and it is allowed.
Let me have a think.
Jon
03-31-2015 12:45 PM
Not sure if this helps... but the laptop is able to ping 8.8.8.8 if I log into it and run the command myself.