Static nat is not working

Muthukumar P
Level 1

Hi Team,

We have configured NAT on the ASR, but it is not working. The configuration (ASR, ASA, Nexus) is attached for your reference; please do the needful. Details are below:

Traffic Flow: ASR---->ASA Firewall---->Nexus switch---->Private IP

Private IP: 10.237.112.55

Public IP: 203.153.40.229 (this IP is from an additional pool and is not configured on any interface)

ASR Configuration:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.02.16 19:36:56 =~=~=~=~=~=~=~=~=~=~=~=

PMC-INT-R1#
PMC-INT-R1#
PMC-INT-R1#
PMC-INT-R1#rer   ter len 0
PMC-INT-R1#
PMC-INT-R1#
PMC-INT-R1#
PMC-INT-R1#show run
Building configuration...

Current configuration : 10852 bytes
!
! Last configuration change at 06:41:49 UTC Sat Feb 16 2019 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname PMC-INT-R1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable password Lnt@scoc
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!


ip host PMC-INT-R1 10.237.121.7
ip name-server 8.8.8.8 4.2.2.2 10.237.112.5 10.237.112.6

!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
license udi pid ASR1001-X sn JAE211403M6
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 Pune@lnt123
username lntscoc privilege 15 password 0 Lnt@scoc
!
redundancy
mode none
!
!
!
!
!
!
track 1 ip sla 1 reachability
!
!
class-map type inspect match-any INT-OUT-TO-IN
match protocol icmp
match protocol https
match protocol dns
match protocol echo
class-map match-any url-block-class
match protocol http url "*youtube.com*"
!
policy-map type inspect POL-1-OUT-TO-IN
class type inspect INT-OUT-TO-IN
inspect
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security OUT-IN source inside destination outside
service-policy type inspect POL-1-OUT-TO-IN
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key Lnt@scoc address 115.124.113.22
!
!
crypto ipsec transform-set psc esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set DR-TUNNEL esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map DR-CMAP 10 ipsec-isakmp
! Incomplete
set peer 115.124.113.22
! access-list has not been configured yet
set transform-set DR-TUNNEL
match address VPN-DR-TUNNE
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.237.121.7 255.255.255.255
!
interface Loopback100
ip address 203.153.40.34 255.255.255.248
!
interface TenGigabitEthernet0/0/0
description TO ASA-1 Te0/9 ( mgmt 10.237.113.211)
ip address 10.237.119.6 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ospf cost 10
!
interface TenGigabitEthernet0/0/1
description ***CONNECTED TO INT-ROUTER-2 FOR REDUNDANCY***
ip address 10.237.120.81 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip ospf cost 20
!
interface GigabitEthernet0/0/0
description ***CONNECTED TO ASA-1***
ip address 10.237.1.21 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip policy route-map NAT-ISP-10.237.1.21
negotiation auto
!
interface GigabitEthernet0/0/1
description ***CONNECTED TO RAILTEL INTERNET***
ip address 203.153.35.78 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip policy route-map NAT-ISP-203.153.35.75
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
negotiation auto
!
interface GigabitEthernet0/0/2.60
encapsulation dot1Q 60
ip nat outside
!
interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface TenGigabitEthernet0/1/0
ip address 10.237.120.42 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0
description ***CONNECTED TO MGMT-SW***
vrf forwarding Mgmt-intf
ip address 10.237.113.202 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
!
router ospf 1
network 10.237.119.4 0.0.0.3 area 1
default-information originate always
!
ip local pool ippool 192.168.1.1 192.168.1.2
ip nat inside source static 10.237.119.5 203.153.35.75
ip nat inside source static 10.237.112.30 203.153.35.76 extendable
ip nat inside source static udp 10.237.112.85 161 203.153.35.77 161 extendable
ip nat inside source static udp 10.237.112.85 162 203.153.35.77 162 extendable
ip nat inside source static 10.237.112.55 203.153.40.229 extendable
ip nat inside source route-map NAT-ISP-10.237.1.21 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NAT-ISP-203.153.35.75 interface GigabitEthernet0/0/1 overload
ip nat outside source static udp 203.153.35.77 161 10.237.112.85 161 extendable
ip nat outside source static udp 203.153.35.77 162 10.237.112.85 162 extendable
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 203.153.35.73 track 1
ip route 0.0.0.0 0.0.0.0 10.237.1.17 10
ip route 8.8.8.8 255.255.255.255 203.153.35.73 permanent
ip route 10.237.112.0 255.255.255.0 10.237.119.5
ip route 10.237.113.0 255.255.255.0 10.237.119.5
ip route 10.237.114.0 255.255.255.0 10.237.119.5
ip route 100.101.0.0 255.255.240.0 10.237.119.5
ip route 203.153.40.32 255.255.255.248 203.153.35.73
ip route vrf Mgmt-intf 10.237.121.0 255.255.255.0 10.237.113.210
!
ip access-list extended RDP_BLOCK
deny tcp any any eq 3389
deny tcp any any eq 5938
deny udp any any eq 5938
deny udp any any eq 3389
permit ip any any
ip access-list extended VPN-DR-TUNNE
ip access-list extended VPN-DR-TUNNEL
permit 10 10.237.112.0 0.0.0.255 host 10.10.28.2
permit 10 10.237.112.0 0.0.0.255 host 10.10.28.3
permit 10 10.237.114.0 0.0.0.255 host 10.10.28.2
permit 10 10.237.114.0 0.0.0.255 host 10.10.28.3
ip access-list extended lnt
permit ip 100.101.0.0 0.0.12.255 192.168.1.0 0.0.0.255
!
ip sla 1
icmp-echo 8.8.8.8 source-ip 203.153.35.78
ip sla schedule 1 life forever start-time now
access-list 101 permit ip host 10.237.112.91 any
access-list 101 permit ip host 10.237.112.83 any
access-list 101 permit ip host 10.237.112.39 any
access-list 101 permit ip host 10.237.112.41 any
access-list 101 permit ip host 10.237.112.40 any
access-list 101 permit ip host 10.237.112.42 any
access-list 101 permit ip host 10.237.112.43 any
access-list 101 permit ip host 10.237.112.57 any
access-list 101 permit ip host 10.237.112.56 any
access-list 101 permit ip host 10.237.112.58 any
access-list 101 permit ip host 10.237.112.59 any
access-list 101 permit ip host 10.237.112.55 any
access-list 101 permit ip host 10.237.112.68 any
access-list 101 permit ip host 10.237.112.66 any
access-list 101 permit ip host 10.237.112.60 any
access-list 101 permit ip host 10.237.112.63 any
access-list 101 permit ip host 10.237.112.65 any
access-list 101 permit ip host 10.237.112.67 any
access-list 101 permit ip host 10.237.112.61 any
access-list 101 permit ip host 10.237.112.64 any
access-list 101 permit ip host 10.237.112.62 any
access-list 101 permit ip host 10.237.112.208 any
access-list 101 permit ip 10.237.114.0 0.0.0.255 any
access-list 101 permit ip host 10.237.112.17 any
access-list 101 permit ip host 10.237.112.5 any
access-list 101 permit ip host 10.237.112.6 any
access-list 101 permit ip host 10.237.112.30 any
access-list 101 permit ip host 10.237.112.78 any
access-list 101 permit ip host 10.237.112.89 any
access-list 101 permit ip host 10.237.112.29 any
access-list 101 permit ip host 10.237.112.70 any
access-list 101 permit ip host 10.237.112.111 any
access-list 101 permit ip host 10.237.112.112 any
access-list 101 permit ip host 10.237.112.90 any
access-list 101 permit ip 10.237.119.0 0.0.0.255 any
access-list 101 permit ip host 10.237.112.50 any
access-list 101 permit ip host 10.237.112.15 any
access-list 101 permit ip host 10.237.112.53 any
access-list 101 permit ip host 10.237.112.85 any
access-list 101 permit ip host 10.237.112.76 any
access-list 101 permit ip host 10.237.112.51 any
access-list 102 permit ip host 10.237.112.91 any
access-list 102 permit ip host 10.237.112.83 any
access-list 102 permit ip host 10.237.112.39 any
access-list 102 permit ip host 10.237.112.41 any
access-list 102 permit ip host 10.237.112.40 any
access-list 102 permit ip host 10.237.112.42 any
access-list 102 permit ip host 10.237.112.43 any
access-list 102 permit ip host 10.237.112.57 any
access-list 102 permit ip host 10.237.112.56 any
access-list 102 permit ip host 10.237.112.58 any
access-list 102 permit ip host 10.237.112.59 any
access-list 102 permit ip host 10.237.112.68 any
access-list 102 permit ip host 10.237.112.66 any
access-list 102 permit ip host 10.237.112.60 any
access-list 102 permit ip host 10.237.112.63 any
access-list 102 permit ip host 10.237.112.65 any
access-list 102 permit ip host 10.237.112.67 any
access-list 102 permit ip host 10.237.112.61 any
access-list 102 permit ip host 10.237.112.64 any
access-list 102 permit ip host 10.237.112.62 any
access-list 102 permit ip host 10.237.112.208 any
access-list 102 permit ip 10.237.114.0 0.0.0.255 any
access-list 102 permit ip host 10.237.112.17 any
access-list 102 permit ip host 10.237.112.5 any
access-list 102 permit ip host 10.237.112.6 any
access-list 102 permit ip host 10.237.112.30 any
access-list 102 permit ip host 10.237.112.78 any
access-list 102 permit ip host 10.237.112.89 any
access-list 102 permit ip host 10.237.112.29 any
access-list 102 permit ip host 10.237.112.70 any
access-list 102 permit ip host 10.237.112.111 any
access-list 102 permit ip host 10.237.112.112 any
access-list 102 permit ip 10.237.119.0 0.0.0.255 any
access-list 102 permit ip host 10.237.112.55 any
access-list 103 permit ip host 10.237.112.72 any
access-list 104 permit ip host 10.237.112.73 any
access-list 105 permit ip host 10.237.112.74 any
!
route-map test permit 10
!
route-map NAT-ISP-10.237.1.21 permit 20
match ip address 101
match interface GigabitEthernet0/0/0
!
route-map NAT-ISP-203.153.35.75 permit 10
match ip address 101
match interface GigabitEthernet0/0/1
!
route-map psc1 permit 10
match ip address 150
!
snmp-server community PUNE-scoc RW
snmp-server location DC-NETWORK-RACK-1
snmp-server host 10.237.112.82 version 2c PUNE-scoc
snmp-server host 10.237.112.85 version 2c PUNE-scoc
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^CUNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary


^C
!
line con 0
password Cisco@lnt123
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password Pune@lnt123
!
event manager applet NAT-Primary
event syslog pattern "%TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat tran for"
action 3.0 cli command "end"
event manager applet NAT-secondary
event syslog pattern "%TRACK-6-STATE: 1 ip sla 1 reachability Down -> Up"
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat tran for"
action 3.0 cli command "end"
!
end

PMC-INT-R1#
PMC-INT-R1#
PMC-INT-R1#
PMC-INT-R1#
PMC-INT-R1#exit

 

ASA Configuration:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.02.16 19:24:39 =~=~=~=~=~=~=~=~=~=~=~=
ter len 0
^
ERROR: % Invalid input detected at '^' marker.
PMC-ASA-1#
PMC-ASA-1# show run
: Saved

:
: Serial Number: JAD2112021Q
: Hardware: ASA5585-SSP-20, 12029 MB RAM, CPU Xeon 5500 series 2133 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(1)5
!
hostname PMC-ASA-1
enable password $sha512$5000$AxHrO7zph9PFAUFaOWo0ow==$8BlMmmO/B1m3gPEL896PgQ== pbkdf2
passwd DRlV7FOUXTseP5P0 encrypted
names
ip local pool Any-connect-IOC 192.168.2.1-192.168.2.254 mask 255.255.255.0
ip local pool sslclientpool 172.16.0.0-172.16.5.250 mask 255.255.0.0
ip local pool ECB-IP-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
ip local pool AnyConnect-pool-DC 192.168.20.1-192.168.20.15 mask 255.255.255.240
ip local pool AnyConnect-Pool-EXTERNAL 192.168.20.17-192.168.20.31 mask 255.255.255.240
ip local pool Anyconncetotherpool 192.168.80.1-192.168.80.100 mask 255.255.255.0

!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
nameif ESDS
security-level 0
ip address 172.16.20.182 255.255.255.252
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5.465
vlan 465
nameif VLAN465CCTV
security-level 0
ip address 172.16.109.65 255.255.255.252
!
interface GigabitEthernet0/6
nameif ECB
security-level 0
ip address 10.237.119.34 255.255.255.252
!
interface GigabitEthernet0/7
no nameif
security-level 100
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.237.113.211 255.255.255.0
!
interface Management0/1
management-only
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet0/8
description Nexus 1 -management 10.237.113.1 eth1/15
nameif ROUTEIN
security-level 100
ip address 10.237.119.2 255.255.255.252
!
interface TenGigabitEthernet0/9
description Internet Router 1- 10.237.119.6/management 10.237.113.202 Tengig0/0/0
nameif ROUTEOUT
security-level 0
ip address 10.237.119.5 255.255.255.252
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet1/8
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet1/9
no nameif
no security-level
no ip address
!
boot system disk0:/asa981-5-smp-k8.bin
ftp mode passive
clock timezone IST 5 30
dns domain-lookup ROUTEIN
dns server-group DefalutDns
name-server 8.8.8.8 ROUTEOUT
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 100.101.12.5
name-server 10.237.112.5
name-server 10.237.112.6
same-security-traffic permit inter-interface
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network allocatedpool
subnet 172.16.0.0 255.255.0.0
object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0
object network Allow-Access
subnet 100.101.0.0 255.255.240.0
object network Alangar-Square
subnet 192.168.1.0 255.255.255.0
object network AllowDNS
host 8.8.8.8
object network dns-google.com
fqdn google.com
object network ESDS-SERVERS
range 10.10.87.162 10.10.87.165
object network Netappservers
range 10.237.113.221 10.237.113.222
object service VEEAM
service tcp destination eq 10002
object service DRM
service tcp destination eq 46000
object service DRM-1
service tcp destination eq 45000
object service DRM-2
service tcp destination eq 45443
object network 10.237.112.42
host 10.237.112.42
object-group network insidetooutside
network-object 10.237.112.0 255.255.255.0
network-object 10.237.114.0 255.255.255.0
network-object 10.237.113.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network ESDS-DC-SERVERS
network-object host 10.237.112.105
network-object host 10.237.112.112
network-object host 10.237.112.15
network-object host 10.237.112.208
network-object host 10.237.112.63
network-object host 10.237.112.67
network-object host 10.237.112.78
network-object host 10.237.112.81
network-object host 10.237.112.88
network-object object 10.237.112.42
object-group service ESDS
service-object icmp
service-object object DRM
service-object object DRM-1
service-object object DRM-2
service-object object VEEAM
service-object tcp destination eq www
service-object tcp destination eq ssh
service-object tcp destination eq telnet
access-list out-in extended permit ip any any
access-list out-in extended permit udp any any eq snmp
access-list out-in extended permit udp any any eq snmptrap
access-list sfr_redirect extended permit ip any any
access-list outside_cryptomap extended permit ip object Allow-Access object Alangar-Square
access-list outside_cryptomap_1 extended permit ip object Allow-Access object Alangar-Square
access-list outside_cryptomap_2 extended permit ip object Allow-Access object Alangar-Square
access-list outside_cryptomap_3 extended permit ip object Allow-Access object Alangar-Square
access-list outside_cryptomap_4 extended permit ip object Allow-Access object Alangar-Square
access-list outside_cryptomap_5 extended permit ip object Allow-Access object Alangar-Square
access-list outside_cryptomap_6 extended permit ip object Allow-Access object Alangar-Square
access-list dns extended permit udp object Allow-Access object AllowDNS
access-list Allow extended permit ip any any
access-list split-tunnel-list standard permit 10.237.114.0 255.255.255.0
access-list split-tunnel-list standard permit 10.237.112.0 255.255.255.0
access-list split-tunnel-list standard permit 10.237.113.0 255.255.255.0
access-list split-tunnel-list standard permit 10.237.119.0 255.255.255.0
access-list nside_access_in extended permit object-group TCPUDP 10.237.112.0 255.255.255.0 any eq www
access-list nside_access_in extended permit object-group TCPUDP 10.237.112.0 255.255.255.0 any eq domain
access-list nside_access_in extended permit object-group TCPUDP 10.237.113.0 255.255.255.0 any eq www
access-list nside_access_in extended permit object-group TCPUDP 10.237.113.0 255.255.255.0 any eq domain
access-list nside_access_in extended permit object-group TCPUDP 10.237.114.0 255.255.255.0 any eq domain
access-list nside_access_in extended permit object-group TCPUDP 10.237.114.0 255.255.255.0 any eq www
access-list nside_access_in extended permit object-group TCPUDP 10.237.112.0 255.255.255.0 any eq 443
access-list nside_access_in extended permit object-group TCPUDP 10.237.113.0 255.255.255.0 any eq 443
access-list nside_access_in extended permit object-group TCPUDP 10.237.114.0 255.255.255.0 any eq 443
access-list split-tunnel-listECB standard permit host 10.237.112.210
access-list split-tunnel-listECB standard permit host 10.237.112.201
access-list split-tunnel-listECB standard permit host 10.237.114.95
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.39
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.40
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.41
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.42
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.43
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.55
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.56
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.57
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.58
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.59
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.60
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.61
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.62
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.63
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.64
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.65
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.66
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.67
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.68
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.50
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.51
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.70
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.89
access-list split-tunnel-list-IBM-IOC standard permit host 10.237.112.119
access-list split-tunnel-list-CS standard permit host 10.237.112.210
access-list split-tunnel-list-CS standard permit host 10.237.112.201
access-list split-tunnel-list-OT standard permit host 10.237.112.215
access-list split-tunnel-list-OT standard permit host 10.237.112.201
access-list split-tunnel-list-OT standard permit host 10.237.112.210
access-list split-tunnel-list-OT standard permit host 10.237.112.230
access-list split-tunnel-list-OT standard permit host 10.237.112.15
access-list split-tunnel-list-OT standard permit host 10.237.112.111
access-list split-tunnel-list-OT standard permit host 10.237.112.112
access-list split-tunnel-list-HP standard permit host 10.237.112.80
access-list split-tunnel-list-HP standard permit host 10.237.112.81
access-list split-tunnel-list-HP standard permit host 10.237.112.82
access-list split-tunnel-list-HP standard permit host 10.237.112.83
access-list split-tunnel-list-HP standard permit host 10.237.112.84
access-list split-tunnel-list-HP standard permit host 10.237.112.85
access-list VPN-ACCESS-ECB-PUB standard permit host 182.74.142.2
access-list ESDS_access_in extended permit object-group ESDS object ESDS-SERVERS object-group ESDS-DC-SERVERS
access-list ROUTEOUT_access_in extended permit ip any host 10.237.112.55
pager lines 24
logging enable
logging timestamp
logging asdm warnings
mtu VLAN465CCTV 1500
mtu ECB 1500
mtu management 1500
mtu ROUTEIN 1500
mtu ROUTEOUT 1500
mtu ESDS 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 32768
access-group ROUTEOUT_access_in in interface ROUTEOUT
access-group ESDS_access_in in interface ESDS
router ospf 1
network 10.237.119.0 255.255.255.252 area 1
network 10.237.119.4 255.255.255.252 area 1
log-adj-changes
!
route ROUTEOUT 0.0.0.0 0.0.0.0 10.237.119.6 1
route ESDS 10.10.87.160 255.255.255.224 172.16.20.181 1
route ROUTEIN 10.237.112.0 255.255.255.0 10.237.119.1 1
route management 10.237.112.0 255.255.255.0 10.237.113.1 2
route ROUTEIN 10.237.113.0 255.255.255.0 10.237.119.1 1
route ROUTEIN 10.237.114.0 255.255.255.0 10.237.119.1 1
route ROUTEIN 10.237.119.0 255.255.255.0 110.237.119.1 1
route ROUTEIN 100.101.0.0 255.255.240.0 110.237.119.1 1
route ROUTEOUT 203.153.40.229 255.255.255.255 10.237.119.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.237.119.0 255.255.255.0 ROUTEIN
http 10.237.0.0 255.255.0.0 ROUTEIN
http 10.237.119.0 255.255.255.0 ROUTEOUT
http 10.237.0.0 255.255.0.0 ROUTEOUT
snmp-server host management 10.237.112.85 community ***** version 2c
snmp-server host management 10.237.112.82 community ***** version 2c
snmp-server location DC-NETWORK-RACK-1
no snmp-server contact
snmp-server community *****
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 6 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set peer 100.74.205.168
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 15
encryption des
integrity md5
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet 10.237.113.0 255.255.255.0 management
telnet 10.237.112.0 255.255.255.0 management
telnet timeout 5
no ssh stricthostkeycheck
ssh 10.237.113.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 100.101.12.5 prefer
ntp server 123.108.200.124
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
webvpn
port 8443
enable ECB
enable ROUTEIN
enable ROUTEOUT
dtls port 8443
anyconnect image disk0:/anyconnect-macosx-i386-4.2.04039-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.2.04039-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_External-Integration internal
group-policy GroupPolicy_External-Integration attributes
wins-server none
dns-server value 8.8.8.8 100.101.12.5
vpn-tunnel-protocol ikev2 ssl-client
default-domain none
group-policy GroupPolicy_100.74.205.168 internal
group-policy GroupPolicy_100.74.205.168 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_HPOV internal
group-policy GroupPolicy_HPOV attributes
wins-server none
dns-server value 8.8.8.8 100.101.12.5
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel-list-HP
default-domain none
group-policy GroupPolicy_SMARTPUNE internal
group-policy GroupPolicy_SMARTPUNE attributes
wins-server none
dns-server value 100.101.12.5
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel-list-IBM-IOC
default-domain value smartpune.com
group-policy GroupPolicy_Others internal
group-policy GroupPolicy_Others attributes
wins-server none
dns-server value 8.8.8.8 100.101.12.5
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel-list-OT
default-domain none
group-policy GroupPolicy_ECB internal
group-policy GroupPolicy_ECB attributes
wins-server none
dns-server value 8.8.8.8 100.101.12.5
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel-listECB
default-domain none
group-policy GroupPolicy_DATA-CENTER internal
group-policy GroupPolicy_DATA-CENTER attributes
wins-server none
dns-server value 8.8.8.8 100.101.12.5
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel-list
default-domain none
group-policy GroupPolicy_0.0.0.0 internal
group-policy GroupPolicy_0.0.0.0 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy ECB internal
dynamic-access-policy-record DfltAccessPolicy
username lntscoc password $sha512$5000$GUYB11wzTSMhZ8cNv4PFHA==$Dy0agzhJiS+7/PM6KVKrqQ== pbkdf2 privilege 15
username admin password $sha512$5000$w2OEHIKNgy/DtYq8q3guNg==$z8GypvRJQejjJDpRhSsXzQ== pbkdf2 privilege 15
username IOC3 password $sha512$5000$IlF3VLzmJyC39tZBTs9+ug==$MPZ8GvkDYQjZG65OThVX+g== pbkdf2
username IOC2 password SYH7Bdt0DQOUhpc0 encrypted
username IOC1 password 2SxbjsS1BBqL0GHq encrypted
username ECB1 password $sha512$5000$gwT0cA11OfyEz8HUI/VBtw==$g4j5hrMmbvnjJ/81KTZIuQ== pbkdf2
username IOC5 password $sha512$5000$4MaVc67dqYerz7Vi8cYrpw==$W6+RuXFx3ohZfKkAn3LHxA== pbkdf2
username IOC4 password $sha512$5000$fqRwzat+j03rFfxaJJ/w+w==$UQ1fUKVIepN5cFwesytwrg== pbkdf2
username VPN04 password $sha512$5000$u6mwhhEE1tMXTKi2t3de7g==$WzxMwJ9lK1RXLTxqMyRXRg== pbkdf2
username VPN05 password $sha512$5000$QEalQ9YrpYpSW1h5lfk3KA==$moclK/L8X0V7grHRt2UgLA== pbkdf2
username VPN02 password $sha512$5000$Se0wbu/Gk0SI2Ps8loI/rg==$VdUB1bC6JqGcJefZezR5Ig== pbkdf2
username VPN03 password $sha512$5000$NnsX4/6ROXOqRPecKLxjHA==$Pb/SPGaBM+BVfv4JeaSY9w== pbkdf2
username VPN01 password $sha512$5000$oRpioBIymd7NWekp2g6/Dw==$SKTPDgFZRWo03xKugqw3zg== pbkdf2
username DC01 password $sha512$5000$uNUtJ72X2U+bU7vq4D8Jcw==$rDX4MmRhXM+Qz31Z95ifuQ== pbkdf2
username DC02 password $sha512$5000$lbQY7sWTh/N1qar+hd6Oog==$FTujRu+GAvj9nloxYGzBQQ== pbkdf2
username DC03 password $sha512$5000$Ee2L0qdbUsEZOx4VkJjqZw==$GRSvH0qsQFLwV2DvbZshfA== pbkdf2
username DC04 password $sha512$5000$aK/AEh3gJpS8ZlE7xb0HHQ==$hVacA9Cu2es4im2Jz5kEcg== pbkdf2
username DC05 password $sha512$5000$Ja9biD3xvJrX4iRIOmifXw==$qdSXp/yVKVRa9UeJxuhj9A== pbkdf2
username HPOV04 password $sha512$5000$8FoxUSudJbGEXjjwmpq4Ow==$vCxyZVbSK8fnBZvN+xZCpQ== pbkdf2
username HPOV03 password $sha512$5000$YPMdvCQyVU/v0danZgXI1g==$WoCg0+hk9fijXgnzOJUlgg== pbkdf2
username HPOV02 password $sha512$5000$SgCZhbeUk3b5c4CZABe85w==$1LToEHwyHaVvkdwnu3SY+w== pbkdf2
username HPOV01 password $sha512$5000$5qH3IZnRK6Mq3q+z67CXVQ==$dY+HOaYr+Uw7I5ZSXFgpxw== pbkdf2
username EXTERNAL04 password $sha512$5000$emWeZdsLhDFB8D2gTz1m7Q==$gGkdTuiNS5VaUW3IjyQdmA== pbkdf2
username EXTERNAL05 password $sha512$5000$CwptI5/3x0zoNoKVpu0fng==$OyLQMiSwoqsZ79hulXN1jQ== pbkdf2
username EXTERNAL01 password $sha512$5000$k6xvu1OHFAElobrKZqA7Gw==$o2W0fLU7U1kVYAINrXLUWQ== pbkdf2
username EXTERNAL02 password $sha512$5000$bEaqZlagVlIfumco10AzdA==$L0UvuKM1gGGUniByNxIiyQ== pbkdf2
username EXTERNAL03 password $sha512$5000$mz1Q2lepIs6BquYuamuQDQ==$VCaqWsjTsGQYMz3DBFAn9g== pbkdf2
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group SMARTPUNE type remote-access
tunnel-group SMARTPUNE general-attributes
address-pool Any-connect-IOC
default-group-policy GroupPolicy_SMARTPUNE
tunnel-group SMARTPUNE webvpn-attributes
group-alias SMARTPUNE enable
tunnel-group 100.74.205.168 type ipsec-l2l
tunnel-group 100.74.205.168 general-attributes
default-group-policy GroupPolicy_100.74.205.168
tunnel-group 100.74.205.168 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group ECB type remote-access
tunnel-group ECB general-attributes
address-pool ECB-IP-Pool
default-group-policy GroupPolicy_ECB
tunnel-group ECB webvpn-attributes
group-alias ECB enable
tunnel-group DATA-CENTER type remote-access
tunnel-group DATA-CENTER general-attributes
address-pool AnyConnect-pool-DC
default-group-policy GroupPolicy_DATA-CENTER
tunnel-group DATA-CENTER webvpn-attributes
group-alias DATA-CENTER enable
tunnel-group External-Integration type remote-access
tunnel-group External-Integration general-attributes
address-pool AnyConnect-Pool-EXTERNAL
default-group-policy GroupPolicy_External-Integration
tunnel-group External-Integration webvpn-attributes
group-alias External-Integration enable
tunnel-group Others type remote-access
tunnel-group Others general-attributes
address-pool Anyconncetotherpool
default-group-policy GroupPolicy_Others
tunnel-group Others webvpn-attributes
group-alias Others enable
!
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class sfr
sfr fail-open
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bb0640812f6d9939493acf8dc8d9966a
: end
PMC-ASA-1# exit

Logoff


Nexus switch Configuration:

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2019.02.16 19:25:44 =~=~=~=~=~=~=~=~=~=~=~=
N5k-1-pune# terminal length 0


`show running-config`

!Command: show running-config
!Time: Tue Nov 12 01:19:15 2002

version 7.1(3)N1(1)
install feature-set fabricpath
install feature-set fabric
hostname N5k-1-pune

feature telnet
feature http-server
cfs eth distribute
feature ospf
feature udld
feature interface-vlan
feature hsrp
feature lacp
feature dhcp
feature vpc
feature lldp
feature vtp
feature fex

role name priv-10
description This is a system defined privilege role.
rule 1 permit command show interface brief
username admin password 5 $1$ygCPk9bo$QYPEYMZQPqNGhnzJ6nGMx. role network-admin
username lntscoc password 5 $1$x404KKh.$cnrhENoN2c6N5X49fK58R/ role network-operator
no password strength-check
ip domain-lookup
ip name-server 10.237.112.5 10.237.112.6
ip host N5k-1-pune-DC 10.237.121.1
logging event link-status default
logging level ethpm link-down error
policy-map type network-qos jumbo
class type network-qos class-default
mtu 9216
system qos
service-policy type network-qos jumbo
service-policy type queuing input fcoe-default-in-policy
service-policy type queuing output fcoe-default-out-policy
service-policy type qos input fcoe-default-in-policy
fex 100
pinning max-links 1
description "FEX0100"
fex 101
pinning max-links 1
description "FEX0101"
slot 1
port 1-48 type ethernet
snmp-server location DC-NETWORK-RACK-1
snmp-server user admin network-admin auth md5 ***** priv ***** localizedkey
snmp-server user lntscoc network-operator auth md5 ***** priv ***** localizedkey
snmp-server host 10.237.112.82 traps version 2c <removed>
snmp-server host 10.237.112.85 traps version 2c <removed>
snmp-server community <removed> group network-admin
ntp distribute
ntp server 10.237.112.5
ntp commit

ip route 0.0.0.0/0 10.237.113.2 10
ip route 0.0.0.0/0 10.237.119.2
ip route 10.1.2.0/24 10.237.120.10
ip route 10.10.87.160/27 10.237.119.2
ip route 10.191.50.0/24 10.237.120.10
ip route 10.191.51.0/24 10.237.120.10
ip route 10.191.52.0/24 10.237.120.10
ip route 10.191.53.0/24 10.237.120.10
ip route 10.191.54.0/24 10.237.120.10
ip route 10.191.237.0/24 10.237.120.10
ip route 10.237.113.0/24 10.237.113.210
ip route 10.237.120.24/29 10.237.113.2 name MPLS-2-ROUTE
ip route 10.237.121.2/32 10.237.113.2
ip route 10.237.121.3/32 10.237.113.210
ip route 10.237.121.4/32 10.237.113.207
ip route 10.237.121.5/32 10.237.120.58 name LOOPBACK-IP-MPLS-2
ip route 10.237.121.6/32 10.237.120.10
ip route 10.237.121.8/32 10.237.113.2
ip route 10.237.121.10/32 10.237.112.245
ip route 10.239.0.0/18 10.237.120.10
ip route 10.239.0.0/18 10.237.120.58 100
ip route 10.239.12.0/24 10.237.120.106
ip route 100.100.0.0/20 10.237.120.10
ip route 100.100.0.0/20 10.237.120.58 100
ip route 100.100.1.1/32 100.101.4.245
ip route 100.100.1.248/32 100.101.4.245
ip route 100.100.1.250/32 100.101.4.245
ip route 100.101.1.4/30 100.101.1.11
ip route 100.101.3.0/30 100.101.1.11
ip route 100.101.7.4/30 100.101.1.11
ip route 100.101.12.112/30 100.101.3.6
ip route 172.16.0.0/22 10.237.120.10
ip route 172.16.20.180/30 10.237.119.2
ip route 172.18.0.0/21 10.237.120.10
ip route 172.29.0.0/24 10.237.120.10
ip route 172.30.0.0/30 10.237.120.10
ip route 203.153.35.76/32 100.101.3.6
ip route 203.153.40.229/32 10.237.119.2
track 1 ip route 10.237.119.4/30 reachability
delay up 3 down 3

service dhcp
ip dhcp relay
vrf context management
vrf context pune
vpc domain 1
peer-keepalive destination 100.101.2.2 source 100.101.2.1 vrf pune
delay restore 150
ip arp synchronize


interface Vlan1
no shutdown

interface Vlan10
no shutdown
ip address 100.101.0.1/24

interface Vlan11
no shutdown
no ip redirects
ip address 10.237.112.1/24
hsrp version 2
hsrp 5
preempt
priority 110
ip 10.237.112.3

interface Vlan12
no shutdown
no ip redirects
ip address 10.237.113.1/24
hsrp version 2
hsrp 6
preempt
priority 110
ip 10.237.113.3

interface Vlan13
no shutdown
no ip redirects
ip address 10.237.114.1/24
ip router ospf INT area 0.0.0.1
hsrp version 2
hsrp 7
preempt
priority 110
ip 10.237.114.3
ip dhcp relay address 10.237.112.5

interface Vlan14
no shutdown
no ip redirects
ip address 10.237.115.1/24
hsrp version 2
hsrp 8
preempt
priority 110
ip 10.237.115.3
ip dhcp relay address 10.237.112.5

interface Vlan15
no shutdown
no ip redirects
ip address 10.237.116.1/24
hsrp version 2
hsrp 9
preempt
priority 110
ip 10.237.116.3

interface Vlan16
no shutdown
no ip redirects
ip address 10.237.117.1/24
hsrp version 2
hsrp 10
preempt
priority 110
ip 10.237.117.3

interface Vlan18
no ip redirects
ip address 10.237.121.254/24

interface Vlan25
no shutdown
ip address 10.237.118.1/29
hsrp version 2
hsrp 25
preempt
priority 110
ip 10.237.118.3

interface Vlan35
no shutdown
ip address 10.237.118.9/29
hsrp 35
preempt
priority 110
ip 10.237.118.10

interface Vlan400
no shutdown
hsrp version 2

interface port-channel1
description description ***CONNECTED VPC KEEPALIVE***
no switchport
speed 10000
vrf member pune
ip address 100.101.2.1/30

interface port-channel2
description description ***CONNECTED PEER LINK***
switchport mode trunk
spanning-tree port type network
speed 10000
vpc peer-link

interface port-channel9
description description ***CONNECTED TO FI6248UP-A ON 1/1***
switchport mode trunk
spanning-tree bpduguard disable
spanning-tree bpdufilter disable
speed 10000

interface port-channel100
switchport mode fex-fabric
fex associate 100

interface Ethernet1/1

interface Ethernet1/2

interface Ethernet1/3
description connected to MPLS Router 2 10.237.121.5 TenTengig0/0/0
no switchport
no ip redirects
ip address 10.237.120.57/30

interface Ethernet1/4
description ***CONNECTED TO MPLS-ROUTER-1***
no switchport
no ip redirects
ip address 10.237.120.9/29

interface Ethernet1/5
description ***CONNECTED PO1 FRO VPC KEEPALIVE***
no switchport
channel-group 1

interface Ethernet1/6
description ***CONNECTED TO PO1 FOR VPC KEEPALIVE***
no switchport
channel-group 1

interface Ethernet1/7
description ***CONNECTED TO PO2 FOR VPC PEER LINK***
switchport mode trunk
channel-group 2 mode active

interface Ethernet1/8
description ***CONNECTED TO PO2 FOR VPC PEER LINK***
switchport mode trunk
channel-group 2 mode active

interface Ethernet1/9
description description ***CONNECTED TO PO9 FOR UPLINK ON 1/1***
switchport mode trunk
channel-group 9 mode active

interface Ethernet1/10
description description ***CONNECTED TO PO9 FOR UPLINK ON 1/1***
switchport mode trunk
channel-group 9 mode active

interface Ethernet1/11
description ***CONNECTED TO PMC-INTERNET-ROUTER-1***
shutdown
no switchport

interface Ethernet1/12

interface Ethernet1/13
description **** Connected to Nexus-2****
no switchport
no ip redirects
ip address 100.101.1.9/29
hsrp version 2
hsrp 1
preempt
priority 110
ip 100.101.1.10

interface Ethernet1/14

interface Ethernet1/15
description connected to the ASA1 10.237.113.211 tengig 0/8
no switchport
no ip redirects
ip address 10.237.119.1/30
ip router ospf INT area 0.0.0.1

interface Ethernet1/16

interface Ethernet1/17
shutdown
no switchport

interface Ethernet1/18
no switchport

interface Ethernet1/19

interface Ethernet1/20

interface Ethernet1/21

interface Ethernet1/22

interface Ethernet1/23
no switchport

interface Ethernet1/24

interface Ethernet1/25

interface Ethernet1/26

interface Ethernet1/27
no switchport
speed 1000

interface Ethernet1/28
no switchport
speed 1000
no ip redirects
ip address 10.237.120.105/29

interface Ethernet1/29
switchport mode trunk
switchport access vlan 10
speed 1000

interface Ethernet1/30
switchport access vlan 10
speed 1000

interface Ethernet1/31
switchport access vlan 10
spanning-tree port type edge
speed 1000

interface Ethernet1/32
switchport access vlan 10
spanning-tree port type edge
speed 1000

interface Ethernet1/33
switchport mode trunk
speed 1000

interface Ethernet1/34
switchport mode trunk
speed 1000

interface Ethernet1/35

interface Ethernet1/36

interface Ethernet1/37

interface Ethernet1/38

interface Ethernet1/39

interface Ethernet1/40

interface Ethernet1/41

interface Ethernet1/42

interface Ethernet1/43

interface Ethernet1/44

interface Ethernet1/45

interface Ethernet1/46

interface Ethernet1/47

interface Ethernet1/48

interface Ethernet2/1

interface Ethernet2/2

interface Ethernet2/3

interface Ethernet2/4

interface Ethernet2/5

interface Ethernet2/6

interface mgmt0
vrf member management
ip address 10.237.113.219/24

interface loopback0
ip address 10.237.121.1/32
line console
line vty
boot kickstart bootflash:/n6000-uk9-kickstart.7.1.3.N1.1.bin
boot system bootflash:/n6000-uk9.7.1.3.N1.1.bin
router ospf INT
area 0.0.0.1 range 10.237.114.0/24
area 0.0.0.1 range 10.237.119.0/24
poap transit
logging server 10.237.112.82 6 use-vrf management facility syslog


`show startup-config`

!Command: show startup-config
!Time: Tue Nov 12 01:19:16 2002
!Startup config saved at: Sat Feb 9 22:35:22 2002

version 7.1(3)N1(1)
install feature-set fabricpath
install feature-set fabric
hostname N5k-1-pune

feature telnet
feature http-server
cfs eth distribute
feature udld
feature interface-vlan
feature hsrp
feature lacp
feature dhcp
feature vpc
feature lldp
feature vtp
feature fex

username admin password 5 $1$ygCPk9bo$QYPEYMZQPqNGhnzJ6nGMx. role network-admin
no password strength-check
ip domain-lookup
ip name-server 10.237.112.5 10.237.112.6
ip host N5k-1-pune-DC 10.237.121.1
logging event link-status default
logging level ethpm link-down error
policy-map type network-qos jumbo
class type network-qos class-default
mtu 9216
system qos
service-policy type network-qos jumbo
service-policy type queuing input fcoe-default-in-policy
service-policy type queuing output fcoe-default-out-policy
service-policy type qos input fcoe-default-in-policy
fex 100
pinning max-links 1
description "FEX0100"
fex 101
pinning max-links 1
description "FEX0101"
slot 1
port 1-48 type ethernet
snmp-server location DC-NETWORK-RACK-1
snmp-server user admin network-admin auth md5 ***** priv ***** localizedkey
snmp-server host 10.237.112.82 traps version 2c <removed>
snmp-server host 10.237.112.85 traps version 2c <removed>
snmp-server community <removed> group network-admin
ntp distribute
ntp server 10.237.112.5
ntp commit

ip route 0.0.0.0/0 10.237.113.2 10
ip route 0.0.0.0/0 10.237.119.2
ip route 10.1.2.0/24 10.237.120.10
ip route 10.191.50.0/24 10.237.120.10
ip route 10.191.51.0/24 10.237.120.10
ip route 10.191.52.0/24 10.237.120.10
ip route 10.191.53.0/27 10.237.120.10
ip route 10.191.237.0/24 10.237.120.10
ip route 10.237.113.0/24 10.237.113.210
ip route 10.237.120.24/29 10.237.113.2 name MPLS-2-ROUTE
ip route 10.237.121.2/32 10.237.113.2
ip route 10.237.121.3/32 10.237.113.210
ip route 10.237.121.4/32 10.237.113.207
ip route 10.237.121.5/32 10.237.120.58 name LOOPBACK-IP-MPLS-2
ip route 10.237.121.6/32 10.237.120.10
ip route 10.237.121.8/32 10.237.113.2
ip route 10.237.121.10/32 10.237.112.245
ip route 10.239.0.0/18 10.237.120.10
ip route 10.239.0.0/18 10.237.120.58 100
ip route 10.239.12.0/24 10.237.120.106
ip route 100.100.0.0/20 10.237.120.10
ip route 100.100.0.0/20 10.237.120.58 100
ip route 100.100.1.1/32 100.101.4.245
ip route 100.100.1.248/32 100.101.4.245
ip route 100.100.1.250/32 100.101.4.245
ip route 100.101.1.4/30 100.101.1.11
ip route 100.101.3.0/30 100.101.1.11
ip route 100.101.7.4/30 100.101.1.11
ip route 100.101.12.112/30 100.101.3.6
ip route 172.16.0.0/22 10.237.120.10
ip route 172.18.0.0/21 10.237.120.10
ip route 172.29.0.0/24 10.237.120.10
ip route 172.30.0.0/30 10.237.120.10
ip route 203.153.35.76/32 100.101.3.6
track 1 ip route 10.237.119.4/30 reachability
delay up 3 down 3

service dhcp
ip dhcp relay
vrf context management
vrf context pune
vpc domain 1
peer-keepalive destination 100.101.2.2 source 100.101.2.1 vrf pune
delay restore 150
ip arp synchronize


interface Vlan1
no shutdown

interface Vlan10
no shutdown
ip address 100.101.0.1/24

interface Vlan11
no shutdown
no ip redirects
ip address 10.237.112.1/24
hsrp version 2
hsrp 5
preempt
priority 110
ip 10.237.112.3

interface Vlan12
no shutdown
no ip redirects
ip address 10.237.113.1/24
hsrp version 2
hsrp 6
preempt
priority 110
ip 10.237.113.3

interface Vlan13
no shutdown
no ip redirects
ip address 10.237.114.1/24
hsrp version 2
hsrp 7
preempt
priority 110
ip 10.237.114.3
ip dhcp relay address 10.237.112.5

interface Vlan14
no shutdown
no ip redirects
ip address 10.237.115.1/24
hsrp version 2
hsrp 8
preempt
priority 110
ip 10.237.115.3
ip dhcp relay address 10.237.112.5

interface Vlan15
no shutdown
no ip redirects
ip address 10.237.116.1/24
hsrp version 2
hsrp 9
preempt
priority 110
ip 10.237.116.3

interface Vlan16
no shutdown
no ip redirects
ip address 10.237.117.1/24
hsrp version 2
hsrp 10
preempt
priority 110
ip 10.237.117.3

interface Vlan18
no ip redirects
ip address 10.237.121.254/24

interface Vlan20
no shutdown
ip address 100.101.4.1/24
hsrp version 2
hsrp 2
preempt
priority 110
ip 100.101.4.3
ip dhcp relay address 100.101.12.5

interface Vlan25
no shutdown
ip address 10.237.118.1/29
hsrp version 2
hsrp 25
preempt
priority 110
ip 10.237.118.3

interface Vlan30
no shutdown
ip address 100.101.5.1/24
hsrp version 2
hsrp 3
preempt
priority 110
ip 100.101.5.3
ip dhcp relay address 100.101.12.5

interface Vlan35
no shutdown
ip address 10.237.118.9/29
hsrp 35
preempt
priority 110
ip 10.237.118.10

interface Vlan40
no shutdown
ip address 100.101.6.1/24
hsrp 4
preempt
priority 110
ip 100.101.6.3

interface Vlan50
no shutdown
ip address 100.101.10.1/23

interface Vlan60
no shutdown
ip address 100.101.12.1/23

interface Vlan400
no shutdown
hsrp version 2

interface port-channel1
description description ***CONNECTED VPC KEEPALIVE***
no switchport
speed 10000
vrf member pune
ip address 100.101.2.1/30

interface port-channel2
description description ***CONNECTED PEER LINK***
switchport mode trunk
spanning-tree port type network
speed 10000
vpc peer-link

interface port-channel9
description description ***CONNECTED TO FI6248UP-A ON 1/1***
switchport mode trunk
spanning-tree bpduguard disable
spanning-tree bpdufilter disable
speed 10000

interface port-channel100
switchport mode fex-fabric
fex associate 100

interface Ethernet1/1

interface Ethernet1/2

interface Ethernet1/3
description ***CONNECTED TO MPLS-ROUTER-2***
no switchport
no ip redirects
ip address 10.237.120.57/30

interface Ethernet1/4
description ***CONNECTED TO MPLS-ROUTER-1***
no switchport
no ip redirects
ip address 10.237.120.9/29

interface Ethernet1/5
description ***CONNECTED PO1 FRO VPC KEEPALIVE***
no switchport
channel-group 1

interface Ethernet1/6
description ***CONNECTED TO PO1 FOR VPC KEEPALIVE***
no switchport
channel-group 1

interface Ethernet1/7
description ***CONNECTED TO PO2 FOR VPC PEER LINK***
switchport mode trunk
channel-group 2 mode active

interface Ethernet1/8
description ***CONNECTED TO PO2 FOR VPC PEER LINK***
switchport mode trunk
channel-group 2 mode active

interface Ethernet1/9
description description ***CONNECTED TO PO9 FOR UPLINK ON 1/1***
switchport mode trunk
channel-group 9 mode active

interface Ethernet1/10
description description ***CONNECTED TO PO9 FOR UPLINK ON 1/1***
switchport mode trunk
channel-group 9 mode active

interface Ethernet1/11
description ***CONNECTED TO PMC-INTERNET-ROUTER-1***
shutdown
no switchport

interface Ethernet1/12

interface Ethernet1/13
description **** Connected to Nexus-2****
no switchport
ip address 100.101.1.9/29
hsrp version 2
hsrp 1
preempt
priority 110
ip 100.101.1.10

interface Ethernet1/14

interface Ethernet1/15
description ***CONNECTED TO ASA-1***
no switchport
no ip redirects
ip address 10.237.119.1/30

interface Ethernet1/16

interface Ethernet1/17
shutdown
no switchport

interface Ethernet1/18
no switchport

interface Ethernet1/19

interface Ethernet1/20

interface Ethernet1/21

interface Ethernet1/22

interface Ethernet1/23
no switchport

interface Ethernet1/24

interface Ethernet1/25

interface Ethernet1/26

interface Ethernet1/27
no switchport
speed 1000

interface Ethernet1/28
no switchport
speed 1000
ip address 10.237.120.105/29

interface Ethernet1/29
switchport access vlan 10
speed 1000

interface Ethernet1/30
switchport access vlan 10
speed 1000

interface Ethernet1/31
switchport access vlan 10
spanning-tree port type edge
speed 1000

interface Ethernet1/32
switchport access vlan 10
spanning-tree port type edge
speed 1000

interface Ethernet1/33
switchport mode trunk
speed 1000

interface Ethernet1/34
switchport mode trunk
speed 1000

interface Ethernet1/35

interface Ethernet1/36

interface Ethernet1/37

interface Ethernet1/38

interface Ethernet1/39

interface Ethernet1/40

interface Ethernet1/41

interface Ethernet1/42

interface Ethernet1/43

interface Ethernet1/44

interface Ethernet1/45

interface Ethernet1/46

interface Ethernet1/47

interface Ethernet1/48

interface Ethernet2/1

interface Ethernet2/2

interface Ethernet2/3

interface Ethernet2/4

interface Ethernet2/5

interface Ethernet2/6

interface mgmt0
vrf member management
ip address 10.237.113.219/24

interface loopback0
ip address 10.237.121.1/32
line console
line vty
boot kickstart bootflash:/n6000-uk9-kickstart.7.1.3.N1.1.bin
boot system bootflash:/n6000-uk9.7.1.3.N1.1.bin
poap transit
logging server 10.237.112.82 6 use-vrf management facility syslog

N5k-1-pune# exit

[Connection to 10.237.113.1 closed by foreign host]
MGMT-SWITCH-1#exit

 

Thanks

Muthukumar

4 Replies

Jaderson Pessoa
VIP Alumni

I was checking your route-maps and ACLs, and some addresses in the NAT configuration aren't allowed in ACL 101.

Please check your ACL 101 to verify that your NAT configuration is compatible with your needs.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Hi,

As per my understanding, the required IP address is allowed. Please let me know if anything is missing.

Thanks

Muthukumar

Hi,

We suspect a firmware version bug and found the following link for your reference. Please advise on this.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCth55652/?rfs=iqvred

Yes man, it's possible too.
Jaderson Pessoa
*** Rate All Helpful Responses ***