cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
1394
Views
0
Helpful
20
Replies
dbuckley77
Beginner

Route Internet traffic across a P2P between two firewalls

I have two firewalls that are connected, an ASA and a Sonicwall.  I have a LAN hanging off the Sonicwall and want to send it's traffic across.  I have already created a route policy on the Sonicwall to send the traffic out the interface that faces the Cisco ASA.   I need to know how to create a route and access rule on the ASA to get this to work.

On the sonicwall:

LAN is on X5 interface and the subnet is 10.98.3.0

Interface facing the other Firewall is called city and the IP is 10.99.0.3

Route policy is already in place

On the ASA

interface facing the Sonicwall is 10.99.0.2

outside interface facing isp is 71.181.12.193 with gateway of .194

access rule is in place to allow all ip from the 10.98.3.0 network to the outside interface

I think I need some kind of static route in place to get the 10.98.3.0 traffic coming in on the interface facing the sonicawall to the outside interface facing the isp but am ata  loss to get this done

20 REPLIES 20
Jon Marshall
VIP Community Legend

Not sure what you are asking here.

On the Sonicwall you need a default route poiting to 10.99.0.2

On the ASA you need a default route pointing to the ISP (which it sounds like you have) and a route for the internal subnet pointing back to 10.99.0.3.

Unless you are translating the internal subnet to the 10.99.0.3 IP address in which case you don't need the route for the internal subnet on the ASA.

Jon

On the sonicwall it's not a default route pointing to 10.99.0.2 but a rout policy because we only want traffic from one of the LANs to go out that route.  Others LANs will take a different path out different interfaces.  This is setup properly as packet captures are showing traffic from hosts on that specific LAN hitting the 10.99.0.2 interface.

Yes, I have a default route on the ASA pointing to the ISP.

I think what I am missing is a route for the LAN hanging off the Sonicwall (10.98.3.0/24) pointing back to 10.99.0.3 as you mentioned.  I will create this route and let you know if it resolves the issue. 

We are not translating anything.

Thank you

SO I added a route for the 10.98.3.0/24 LAN but it's not working.  I'm not sure I created the route correctly.  I have attached a screenshot of the route.

It looks fine but then I use the CLI.

What does a "sh route" look like from the ASA.

Have you setup NAT on the ASA ?

Jon

sh route:

CON-ASA5510# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 71.181.12.193 to network 0.0.0.0

C    71.181.12.224 255.255.255.224 is directly connected, dmz
C    71.181.12.192 255.255.255.224 is directly connected, outside
O E2 172.16.0.0 255.255.0.0 [95/75] via 10.100.250.254, 835:46:05, inside
                            [95/75] via 10.100.250.253, 835:46:05, inside
O E2 192.168.200.0 255.255.255.0
           [95/100] via 10.100.250.254, 835:46:05, inside
O    10.100.110.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.111.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.108.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.109.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.107.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.104.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
O E2 10.0.0.0 255.192.0.0 [95/100] via 10.100.250.254, 835:46:08, inside
O    10.100.120.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
                                [80/11] via 10.100.250.254, 1193:02:47, inside
O    10.100.114.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
                                [80/12] via 10.100.250.254, 1193:02:47, inside
O    10.100.112.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
                                [80/12] via 10.100.250.254, 1193:02:47, inside
O    10.100.113.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
                                [80/12] via 10.100.250.254, 1193:02:47, inside
O    10.100.95.0 255.255.255.192
           [80/11] via 10.100.250.254, 1193:02:47, inside
           [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.34.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
                               [80/11] via 10.100.250.254, 1193:02:47, inside
O    10.100.32.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.33.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.1.12 255.255.255.252
           [80/11] via 10.100.250.254, 1193:02:47, inside
O    10.100.10.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.1.8 255.255.255.252 [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.9.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
                              [80/11] via 10.100.250.254, 1193:02:47, inside
O    10.100.6.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                              [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.7.0 255.255.255.0 [80/51] via 10.100.250.254, 1193:02:47, inside
                              [80/51] via 10.100.250.253, 1193:02:47, inside
C    10.99.0.0 255.255.255.0 is directly connected, Library
O    10.98.2.0 255.255.255.0 [80/20] via 10.99.0.3, 835:46:09, Library
O    10.100.4.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                              [80/11] via 10.100.250.253, 1193:02:47, inside
S    Library_Staff_Wired_Network 255.255.255.0 [1/0] via 10.99.0.3, Library
O    10.99.2.0 255.255.255.192 [80/21] via 10.100.250.253, 1193:02:47, inside
                               [80/21] via 10.100.250.254, 1193:02:47, inside
O    10.100.5.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                              [80/11] via 10.100.250.253, 1193:02:47, inside
O    Library_Staff_Wireless_Network 255.255.255.0
           [80/20] via 10.99.0.3, 835:46:09, Library
O    10.100.2.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                              [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.0.0 255.255.0.0 is a summary, 1193:02:47
O    10.100.30.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.25.0 255.255.255.192
           [80/11] via 10.100.250.254, 1193:02:47, inside
           [80/11] via 10.100.250.253, 1193:02:47, inside
O    Elm_High_Street_Garages 255.255.255.0
           [80/11] via 10.100.250.254, 1193:02:47, inside
           [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.21.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
C    10.100.250.0 255.255.255.0 is directly connected, inside
O E2 10.100.200.0 255.255.255.0 [95/100] via 10.100.250.6, 835:46:13, inside
O    10.100.160.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 71.181.12.193, outside

Can't see a specific entry for 10.98.3.0/24 but it could be one of "Library_Staff ..." routes.

One thing though, you are receiving some OSPF routes from the Sonicwall by the looks of it so I would remove the static route and advertise it via OSPF to the ASA.

Jon

So I removed the static route and this is the routing table now:  I have bolded the route for the 10.98.30./24 network back to the Sonicwall but it's still not working.  When I ping the internet from a host on the 10.98.30.0 network it doesn't make it.  It does get forwarded by the Sonicwall so something is still not right on the ASA.

CON-ASA5510# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 71.181.12.193 to network 0.0.0.0

C    71.181.12.224 255.255.255.224 is directly connected, dmz
C    71.181.12.192 255.255.255.224 is directly connected, outside
O E2 172.16.0.0 255.255.0.0 [95/75] via 10.100.250.254, 835:59:27, inside
                            [95/75] via 10.100.250.253, 835:59:27, inside
O E2 192.168.200.0 255.255.255.0
           [95/100] via 10.100.250.254, 835:59:27, inside
O    10.100.110.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.111.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.108.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.109.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.107.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.104.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
O E2 10.0.0.0 255.192.0.0 [95/100] via 10.100.250.254, 835:59:29, inside
O    10.100.120.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
                                [80/11] via 10.100.250.254, 1193:02:47, inside
O    10.100.114.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
                                [80/12] via 10.100.250.254, 1193:02:47, inside
O    10.100.112.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
                                [80/12] via 10.100.250.254, 1193:02:47, inside
O    10.100.113.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
                                [80/12] via 10.100.250.254, 1193:02:47, inside
O    10.100.95.0 255.255.255.192
           [80/11] via 10.100.250.254, 1193:02:47, inside
           [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.34.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
                               [80/11] via 10.100.250.254, 1193:02:47, inside
O    10.100.32.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.33.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.1.12 255.255.255.252
           [80/11] via 10.100.250.254, 1193:02:47, inside
O    10.100.10.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.1.8 255.255.255.252 [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.9.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
                              [80/11] via 10.100.250.254, 1193:02:47, inside
O    10.100.6.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                              [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.7.0 255.255.255.0 [80/51] via 10.100.250.254, 1193:02:47, inside
                              [80/51] via 10.100.250.253, 1193:02:47, inside
C    10.99.0.0 255.255.255.0 is directly connected, Library
O    10.98.2.0 255.255.255.0 [80/20] via 10.99.0.3, 835:59:29, Library
O    10.100.4.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                              [80/11] via 10.100.250.253, 1193:02:47, inside
O    Library_Staff_Wired_Network 255.255.255.0
           [80/20] via 10.99.0.3, 0:00:09, Library
O    10.99.2.0 255.255.255.192 [80/21] via 10.100.250.253, 1193:02:47, inside
                               [80/21] via 10.100.250.254, 1193:02:47, inside
O    10.100.5.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                              [80/11] via 10.100.250.253, 1193:02:47, inside
O    Library_Staff_Wireless_Network 255.255.255.0
           [80/20] via 10.99.0.3, 835:59:29, Library
O    10.100.2.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                              [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.0.0 255.255.0.0 is a summary, 1193:02:47
O    10.100.30.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.25.0 255.255.255.192
           [80/11] via 10.100.250.254, 1193:02:47, inside
           [80/11] via 10.100.250.253, 1193:02:47, inside
O    Elm_High_Street_Garages 255.255.255.0
           [80/11] via 10.100.250.254, 1193:02:47, inside
           [80/11] via 10.100.250.253, 1193:02:47, inside
O    10.100.21.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                               [80/11] via 10.100.250.253, 1193:02:47, inside
C    10.100.250.0 255.255.255.0 is directly connected, inside
O E2 10.100.200.0 255.255.255.0 [95/100] via 10.100.250.6, 835:59:30, inside
O    10.100.160.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
                                [80/11] via 10.100.250.253, 1193:02:47, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 71.181.12.193, outside

So have you setup NAT on the ASA for the 10.98.3.x IPs ?

Jon

I have attached the nat rules. 

Sorry, but can you post "sh nat" from the ASA.

Also can you run this command -

"packet-tracer input inside tcp 10.98.3.3 12345 <public IP> 80"

just pick a random public IP doesn't matter.

And then post results.

Jon

CON-ASA5510# sh nat

NAT policies on Interface dmz:
  match ip dmz 71.181.12.224 255.255.255.224 outside any
    static translation to 71.181.12.224
    translate_hits = 8159654, untranslate_hits = 454970121
  match ip dmz any outside any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface Library:
  match ip Library any outside any
    NAT exempt
    translate_hits = 9, untranslate_hits = 0
  match ip Library any dmz any
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Library any Library any
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip Library any outside any
    no translation group, implicit deny
    policy_hits = 0
  match ip Library any dmz any
    no translation group, implicit deny
    policy_hits = 0
              
NAT policies on Interface inside:
  match ip inside 10.100.0.0 255.255.0.0 outside 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 1268505, untranslate_hits = 1181762
  match ip inside 172.16.0.0 255.255.0.0 outside 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.4.0 255.255.255.0 outside 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside 71.181.12.224 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.5.0 255.255.255.0 outside 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 5612, untranslate_hits = 0
  match ip inside 10.100.5.0 255.255.255.0 outside 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 3193716, untranslate_hits = 2885505
  match ip inside 10.100.4.0 255.255.255.0 outside 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 15, untranslate_hits = 347
  match ip inside 10.100.6.0 255.255.255.0 outside 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 192048, untranslate_hits = 56989
  match ip inside any outside 10.100.250.64 255.255.255.224
    NAT exempt
    translate_hits = 110286, untranslate_hits = 3869451
  match ip inside any outside 10.99.0.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside 10.98.0.0 255.255.0.0
    NAT exempt
    translate_hits = 13878, untranslate_hits = 0
  match ip inside any outside Library-Legacy 255.255.255.0
    NAT exempt
    translate_hits = 3, untranslate_hits = 0
  match ip inside 10.100.0.0 255.255.0.0 outside 10.100.106.0 255.255.255.128
    NAT exempt
    translate_hits = 1414, untranslate_hits = 19123
  match ip inside 10.100.0.0 255.255.0.0 dmz 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 172.16.0.0 255.255.0.0 dmz 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.4.0 255.255.255.0 dmz 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz 71.181.12.224 255.255.255.224
    NAT exempt
    translate_hits = 16398798, untranslate_hits = 36873110
  match ip inside 10.100.5.0 255.255.255.0 dmz 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.5.0 255.255.255.0 dmz 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.4.0 255.255.255.0 dmz 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.6.0 255.255.255.0 dmz 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz 10.100.250.64 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz 10.99.0.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz 10.98.0.0 255.255.0.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any dmz Library-Legacy 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.0.0 255.255.0.0 dmz 10.100.106.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.0.0 255.255.0.0 Library 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 172.16.0.0 255.255.0.0 Library 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.4.0 255.255.255.0 Library 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any Library 71.181.12.224 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.5.0 255.255.255.0 Library 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.5.0 255.255.255.0 Library 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.4.0 255.255.255.0 Library 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.6.0 255.255.255.0 Library 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any Library 10.100.250.64 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any Library 10.99.0.0 255.255.255.0
    NAT exempt
    translate_hits = 8185361, untranslate_hits = 2392180
  match ip inside any Library 10.98.0.0 255.255.0.0
    NAT exempt
    translate_hits = 41270570, untranslate_hits = 24664993
  match ip inside any Library Library-Legacy 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.0.0 255.255.0.0 Library 10.100.106.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.0.0 255.255.0.0 inside 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 172.16.0.0 255.255.0.0 inside 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.4.0 255.255.255.0 inside 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside 71.181.12.224 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.5.0 255.255.255.0 inside 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.5.0 255.255.255.0 inside 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.4.0 255.255.255.0 inside 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.6.0 255.255.255.0 inside 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside 10.100.250.64 255.255.255.224
    NAT exempt
    translate_hits = 12521, untranslate_hits = 0
  match ip inside any inside 10.99.0.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside 10.98.0.0 255.255.0.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside Library-Legacy 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.0.0 255.255.0.0 inside 10.100.106.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.0.0 255.255.0.0 management 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 172.16.0.0 255.255.0.0 management 10.100.105.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.4.0 255.255.255.0 management 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any management 71.181.12.224 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.5.0 255.255.255.0 management 10.100.104.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.5.0 255.255.255.0 management 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.4.0 255.255.255.0 management 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.6.0 255.255.255.0 management 10.100.106.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any management 10.100.250.64 255.255.255.224
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any management 10.99.0.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any management 10.98.0.0 255.255.0.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any management Library-Legacy 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.100.0.0 255.255.0.0 management 10.100.106.0 255.255.255.128
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match tcp inside host Cablecast_Pro eq 80 outside any
    static translation to 71.181.12.194/8100
    translate_hits = 97, untranslate_hits = 62697
  match tcp inside host CitySMTP eq 25 outside any
    static translation to 71.181.12.194/25
    translate_hits = 0, untranslate_hits = 684
  match udp inside host Scrutinizer eq 2055 outside any
    static translation to 71.181.12.194/2055
    translate_hits = 0, untranslate_hits = 2
  match ip inside host CITYCAM_Inside outside any
    static translation to CITYCAM_Outside
    translate_hits = 3911, untranslate_hits = 100248
  match ip inside host 10.100.109.17 outside any
    static translation to MSW-DVR
    translate_hits = 0, untranslate_hits = 32453
  match ip inside host CityMail1 outside any
    static translation to mail.nashuanh.gov
    translate_hits = 1858088, untranslate_hits = 1780742
  match ip inside host 10.100.5.28 outside any
    static translation to CityRAS2
    translate_hits = 26, untranslate_hits = 33743
  match ip inside host 10.100.110.28 outside any
    static translation to BroadCast-PIX
    translate_hits = 173, untranslate_hits = 31003
  match ip inside host CityTelestaff outside any
    static translation to 71.181.12.215
    translate_hits = 88, untranslate_hits = 54895
  match ip inside host 10.100.32.16 outside any
    static translation to CityRouteCloud
    translate_hits = 63, untranslate_hits = 138515
  match ip inside host Slingbox_Private outside any
    static translation to Slingbox_Public
    translate_hits = 0, untranslate_hits = 32871
  match ip inside any outside any
    dynamic translation to pool 10 (71.181.12.199)
    translate_hits = 533149125, untranslate_hits = 38259009
  match ip inside any dmz any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any Library any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 165, untranslate_hits = 0
  match ip inside any management any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 0
  match ip inside any dmz any
    no translation group, implicit deny
    policy_hits = 0
  match ip inside any Library any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface management:
  match ip management any outside any
    no translation group, implicit deny
    policy_hits = 0
  match ip management any dmz any
    no translation group, implicit deny
    policy_hits = 0
  match ip management any Library any
    no translation group, implicit deny
    policy_hits = 0

It told me the other command was incomplete.

That command should have read -

"packet-tracer input Library tcp 10.98.3.3 12345 <public IP> 80"

also can you just post the ASA configuration.

Jon

config below:

CON-ASA5510# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname CON-ASA5510
domain-name nashuanh.gov
enable password 5DvauU9v6Csl8a7g encrypted
passwd 5DvauU9v6Csl8a7g encrypted
names
name 10.100.6.38 CityRX2
name 10.100.5.8 CityApps description Citrix Server
name 10.100.5.7 CityApps2
name 10.100.120.152 FDD-PCs description Fire Dispatch Computers
name 10.100.5.52 CityMail1 description Hub Transport Server
name 192.168.12.0 Library-Legacy description "Old" Library Network
name 71.181.12.198 mail.nashuanh.gov description Mail natted Address
name 71.181.12.232 CityFTP description FTP server
name 71.181.12.211 CityRAS2 description PPTP VPN Server
name 64.222.165.243 DNS1 description Fairpoint DNS Server #1
name 64.222.84.243 DNS2 description Fairpoint DNS Server #2
name 71.181.12.231 CityWeb description Web Server
name 71.181.12.248 CityGISWeb2 description GIS Web Server
name 71.181.12.209 MSW-DVR description DVR Unit at Solid Waste
name 71.181.12.214 BroadCast-PIX description For PEG TV
name 10.100.6.32 CityTelestaff description Telestaff Server
name 64.22.125.89 atl01.telestaff.net description Telestaff Hosted Server
name 67.18.208.95 dal01.telestaff.net description Telestaff Hosted Server
name 66.160.141.75 fre01.telestaff.net description Telestaff Hosted Server
name 10.100.6.24 CityKronoss2
name 10.100.6.39 CityTrain
name 10.100.6.37 CityKronosS1
name 10.100.6.34 CityKronosTest
name 71.181.12.247 CityGISWeb3 description Another GIS Web Server
name 71.181.12.250 Wordpress-Centos-Server description Allow for SFTP to WordPress Server
name 209.67.142.202 psm.telestaff.net
name 10.100.5.40 citycmdb description access Change Gear
name 71.181.12.226 City-Nashua-DMV-VPN description Nashua-DMV-VPN-DMZ-IP
name 72.95.124.69 Concord-DMV-VPN description VPN endpoint at concord DMV
name 10.100.6.10 cityspicewin7
name 10.100.6.101 citywsus
name 71.181.12.219 CityRouteCloud description RouteMatch cloud to monitor
name 67.220.100.110 Route-Match-Cloud description data from cloud to terminal in transit
name 10.100.5.22 CityTerm1
name 10.100.5.27 CityTerm2
name 10.100.5.43 CityTerm3
name 199.192.3.10 Concord-DMV-VPN2 description New VPN Endpoint 1-15
name 71.181.12.240 Netscaler
name 10.100.5.63 CityCitrix1 description Citrix Storefront
name 10.100.5.60 CityCitrix2 description Citrix Delivery Controller
name 10.100.5.61 CityCitrix3 description Citix Mgmt
name 10.100.5.62 CityCitrixApp description Citrix Virtual Delivery Agent
name 10.100.22.0 Elm_High_Street_Garages description Elm & High Street Garages
name 10.100.5.67 CityFuelXP description CityFuelXP
name 10.100.120.13 CityIMCMSG description CityIMCMSG
name 10.100.5.13 Patriot description Patriot
name 10.100.5.45 CitySQLX description CityCluster1 SQL Address
name 10.100.6.42 CitySMTP description SMTP Server
name 10.100.5.14 Thunderstone description Thunderstone Search Appliance
name 10.100.6.27 CityGIS4 description GIS Virtual Server
name 10.100.5.51 CityNet description Intranet Server
name 10.100.6.49 CityVictor description Camera Server
name 71.181.12.251 CityFilr description Filr Server for File Sharing
name 10.100.6.23 CityManager2 description Server to manage Group Policy +
name 10.100.160.80 HuntBuildingPC description Hunt Building PC for Library Staff
name 10.100.5.2 CityDC2 description City Domain Controller 2
name 10.100.5.3 CityDC3 description City Domain Controller 3
name 10.100.5.5 CityDC5 description City Domain Controller 5
name 71.181.12.234 Netscaler_Management description Netscaler Management IP
name 71.181.12.235 Netscaler_Static_IP description Netscaler Static IP
name 10.98.3.4 NPL-DC1 description Library Domain Controller 1
name 10.98.3.25 NPL-DC2 description Library Domain Controller 2
name 10.100.5.35 CityFile
name 10.100.10.15 NPL-VM1
name 10.100.5.48 CityMail2 description City Mail Server 2
name 10.100.5.36 CityMail3 description City Mail Server 3
name 10.100.30.10 Cablecast_Pro
name 10.98.3.0 Library_Staff_Wired_Network description Wired Network for Library Staff
name 10.98.4.0 Library_Staff_Wireless_Network description Wireless for Library Staff
name 71.181.12.212 Slingbox_Public description Slingbox Public IP
name 10.100.110.25 Slingbox_Private description Slingbox Internal IP
name 71.181.12.218 City_HVAC_Controller description HVAC Controller at City Hall
name 173.162.244.73 HVAC_Vendor description HVAC Vendor
name 71.181.12.246 CITYCARTWEB description City Web Server
name 10.100.22.5 CITYCAM_Inside description Camera Server
name 71.181.12.201 CITYCAM_Outside description Camera Server
name 71.181.12.233 Google_Mini
name 10.100.6.56 CitySyslogWatcher description CitySyslogWatcher
name 10.100.6.48 Scrutinizer description Scrutinizer
name 71.181.4.142 CH_IT1941_Outside description Router Interface Facing Fairpoint
name 10.100.6.63 CITYPICTOMETRY1 description CITYPICTOMETRY IP 1
name 10.100.7.125 CITYPICTOMETRY2 description CITYPICTOMETRY IP 2
name 10.100.95.11 Dana_PC description Dana PC
name 10.100.5.90 DPW-Backup1 description DPW Backup Server
name 10.100.5.55 CITYWSUS2 description City Wsus Server
name 71.181.12.249 CityGISWeb4 description CityGISWeb4
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 71.181.12.194 255.255.255.224
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 71.181.12.225 255.255.255.224
!
interface Ethernet0/2
 description Interface facing NPL Firewall
 nameif Library
 security-level 51
 ip address 10.99.0.2 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.100.250.2 255.255.255.0
 ospf message-digest-key 5 md5 *****
 ospf authentication message-digest
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.252
 management-only
!
!
time-range Temp
 absolute end 15:23 15 October 2011
 periodic daily 0:00 to 23:59
!
banner exec **You have reached the City of Nashua.  Any unauthorized users will be prosecuted to the fullest extent of the law**
banner login City of Nashua Property - Authorized Users Only
banner login Un-authorized tampering with this equipment is punishable by law
banner login Do not attempt to login if you are not authorized
banner asdm You have reached a device that is the sole property of the City of Nashua.  Unauthorized use that has not been given explicit permission by the City's CIO/IT Division Director is prohiibited.  
banner asdm Any unauthorized users will be prosecuted to the fullest extent of the law.  If you have reached this device in error, you MUST disconnect immediately.  
boot system disk0:/asa825-k8.bin
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup dmz
dns domain-lookup Library
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name nashuanh.gov
same-security-traffic permit intra-interface
object-group service DVRMonitor
 description Allow Viewpoint monitoring company to access Landfill and Streets DVRs
 service-object tcp range 9002 9005
 service-object tcp eq www
object-group service TransitHVAC-tcp-udp
 description Access to Transit garage HVAC control from Control Technologies
 service-object tcp-udp eq 1911
 service-object tcp-udp eq 3011
 service-object tcp-udp eq 8080
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service For_Pete tcp
 description Web Access to SX2 Server
 port-object eq 8100
object-group service netflow udp
 description netflow monitoring
 port-object eq 9991
object-group service Netbios_All tcp
 description Netbois ports necessary for accessing a file share
 port-object range 135 netbios-ssn
object-group service Netbios udp
 description File sharing ports for NetBios
 port-object range 135 139
object-group service NetStat udp
 description Netstat port
 port-object eq 15
object-group network DM_INLINE_NETWORK_5
 network-object 10.100.4.0 255.255.255.0
 network-object 10.100.5.0 255.255.255.0
 network-object 10.100.6.0 255.255.255.0
 network-object host 10.100.30.36
 network-object host 10.100.32.80
object-group service AgentMon tcp
 description CBE Agent for monitoring servers port
 port-object eq 5721
object-group service Symantec
 description Ports for Symantec Endpoint Protection
 service-object tcp eq 8014
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq 39999
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp eq 814
object-group service PASV-FTP tcp
 description Passive FTP port range for FTP Server
 port-object range 1024 1033
object-group network Fairpoint-DNS
 description Fairpoint DNS Servers for EDIA Service
 network-object host DNS1
 network-object host DNS2
object-group service RouteMatch udp
 description RouteMatch Tablets to Web Server
 port-object range 55923 55925
object-group service RM_Out udp
 description Tablet Communication
 port-object eq 1234
object-group network DM_INLINE_NETWORK_4
 network-object host atl01.telestaff.net
 network-object host fre01.telestaff.net
 network-object host dal01.telestaff.net
 network-object host psm.telestaff.net
object-group network DM_INLINE_NETWORK_8
 network-object host CityMail1
 network-object host CityMail3
 network-object host CityMail2
object-group network DM_INLINE_NETWORK_9
 network-object host CityDC2
 network-object host CityDC3
 network-object host CityDC5
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group network CHECVPN
 description VPN Access Group for Edgewood Cemetary
 network-object 10.100.200.0 255.255.255.0
 network-object 10.100.4.0 255.255.254.0
 network-object 10.100.6.0 255.255.255.0
 network-object 10.100.95.0 255.255.255.192
object-group service CIFS tcp
 description File Sharing
 port-object range 137 netbios-ssn
 port-object eq 445
object-group service SFTP tcp
 description Secure FTP
 port-object eq ssh
object-group service DM_INLINE_SERVICE_3
 service-object tcp-udp
 service-object tcp range 3001 3001
object-group service autodiscover tcp
 port-object eq 587
object-group network Cocnord-DMV-endpoints
 network-object host Concord-DMV-VPN2
 network-object host Concord-DMV-VPN
object-group service DM_INLINE_TCP_6 tcp
 port-object eq www
 port-object eq https
object-group service citrix-storefront
 service-object tcp eq https
 service-object tcp eq 8443
 service-object tcp eq citrix-ica
 service-object tcp eq www
 service-object tcp eq 2598
object-group service citrix-delivery
 service-object tcp eq www
 service-object tcp eq https
 service-object tcp eq 88
 service-object tcp eq ldap
 service-object tcp eq 464
 service-object tcp eq 1433
 service-object tcp eq 8080
 service-object tcp eq citrix-ica
 service-object tcp eq 2598
 service-object tcp eq 8008
object-group service ADports
 service-object tcp-udp eq domain
 service-object tcp-udp eq 389
 service-object tcp eq ldaps
 service-object tcp eq 3268
 service-object tcp eq 3269
 service-object tcp-udp eq 88
 service-object tcp-udp eq 445
 service-object tcp eq smtp
 service-object tcp eq 135
 service-object tcp eq 5722
 service-object udp eq ntp
 service-object tcp-udp eq 464
 service-object udp eq netbios-dgm
 service-object tcp eq 9389
 service-object udp eq netbios-ns
 service-object tcp eq netbios-ssn
 service-object tcp-udp range 49152 65535
object-group network DM_INLINE_NETWORK_12
 network-object host CityFile
 network-object host citywsus
 network-object host cityspicewin7
 network-object host CityRX2
 network-object host CITYWSUS2
object-group network CityCitrix
 description Citrix Environment
 network-object host CityCitrix2
 network-object host CityCitrix3
 network-object host CityCitrixApp
 network-object host CityCitrix1
object-group network DM_INLINE_NETWORK_15
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_16
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_17
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_18
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_19
 network-object host Netscaler
 network-object host Netscaler_Management
 network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_23
 network-object host CityDC2
 network-object host CityDC3
object-group service radius
 service-object udp eq 1812
 service-object udp eq 1813
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 1433
 port-object eq www
object-group network DM_INLINE_NETWORK_1
 network-object host CityGISWeb3
 network-object host CityGISWeb2
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_10
 network-object host CityDC2
 network-object host CityDC3
object-group network DM_INLINE_NETWORK_11
 network-object host CityDC2
 network-object host CityDC3
object-group network DM_INLINE_NETWORK_7
 network-object host CityDC2
 network-object host CityDC3
object-group network DM_INLINE_NETWORK_2
 network-object host CityKronoss2
 network-object host CityKronosTest
 network-object host CityKronosS1
 network-object host CityTrain
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_3
 network-object host CityFile
 network-object host citywsus
 network-object host cityspicewin7
 network-object host CityRX2
 network-object host CITYWSUS2
object-group network DM_INLINE_NETWORK_6
 network-object host CityKronoss2
 network-object host CityKronosTest
 network-object host CityKronosS1
 network-object host CityTrain
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp eq www
object-group service Cameras tcp
 description For Parking Garage Cameras
 port-object eq rtsp
object-group service Cameras_UDP udp
 port-object eq 554
object-group network DM_INLINE_NETWORK_13
 network-object host 71.181.12.227
 network-object host 71.181.12.228
 network-object host 71.181.12.229
object-group network DM_INLINE_NETWORK_14
 network-object host CITYPICTOMETRY1
 network-object host CITYPICTOMETRY2
object-group service VideoEdge tcp-udp
 description Camera Server Mobile App
 port-object eq 8125
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_20
 network-object host CITYWSUS2
 network-object host citywsus
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq 445
 service-object tcp eq netbios-ssn
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
object-group network DM_INLINE_NETWORK_21
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_22
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_24
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_25
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_26
 network-object host CityGISWeb3
 network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_27
 network-object host CityGISWeb3
 network-object host CityGISWeb4
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 10.100.105.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.100.105.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.4.0 255.255.255.0 10.100.104.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 71.181.12.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.100.5.0 255.255.255.0 10.100.104.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.5.0 255.255.255.0 10.100.106.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.4.0 255.255.255.0 10.100.106.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.6.0 255.255.255.0 10.100.106.0 255.255.255.0
access-list inside_nat0_outbound remark Allow non-natted traffic for vpn clients
access-list inside_nat0_outbound extended permit ip any 10.100.250.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.99.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.98.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any Library-Legacy 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 10.100.106.0 255.255.255.128
access-list Library_access_in remark Allow in for ERP Servers
access-list Library_access_in extended permit tcp Library_Staff_Wired_Network 255.255.255.0 10.100.200.0 255.255.255.0
access-list Library_access_in remark Allow access for Change Gear
access-list Library_access_in extended permit object-group TCPUDP Library_Staff_Wired_Network 255.255.255.0 host citycmdb eq www
access-list Library_access_in remark Allow in for Web Servers
access-list Library_access_in extended permit tcp Library_Staff_Wired_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_2
access-list Library_access_in remark Allow access for CityFile, citywsus, cityspicewin7, & CityRX2
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 host Thunderstone
access-list Library_access_in extended permit tcp Library_Staff_Wired_Network 255.255.255.0 host CityNet
access-list Library_access_in remark Allow access for Library Staff to Hunt Building PC
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 host HuntBuildingPC
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 host NPL-VM1
access-list Library_access_in extended permit icmp any any echo-reply
access-list Library_access_in extended permit icmp any any unreachable
access-list Library_access_in remark NPL Time Clock
access-list Library_access_in extended permit ip host 10.98.3.45 host CityKronoss2
access-list Library_access_in remark Allow in for domain controller authentication
access-list Library_access_in extended permit ip any object-group DM_INLINE_NETWORK_9
access-list Library_access_in remark Allow in for Exchange
access-list Library_access_in extended permit ip any object-group DM_INLINE_NETWORK_8
access-list Library_access_in remark Allow HTTP to Citywsus from library vlan with private and public PC's
access-list Library_access_in extended permit tcp 10.98.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_20 eq www
access-list Library_access_in remark Allow Library Domain COntroller 1 access into City
access-list Library_access_in extended permit ip host NPL-DC1 any
access-list Library_access_in remark Allow Library Domain Controller 2 access into City
access-list Library_access_in extended permit ip host NPL-DC2 any
access-list Library_access_in remark Allow Library Staff Wireless in for ERP Servers
access-list Library_access_in extended permit tcp Library_Staff_Wireless_Network 255.255.255.0 10.100.200.0 255.255.255.0
access-list Library_access_in remark Allow Library Staff Wireless in for Web Servers
access-list Library_access_in extended permit tcp Library_Staff_Wireless_Network 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_3
access-list Library_access_in remark Allow Library Staff Wireless access to CityFile, citywsus, cityspicewin7, & CityRX2
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 object-group DM_INLINE_NETWORK_12
access-list Library_access_in remark Allow Library Staff Wireless Access to Change Gear
access-list Library_access_in extended permit object-group TCPUDP Library_Staff_Wireless_Network 255.255.255.0 host citycmdb eq www
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 host Thunderstone
access-list Library_access_in extended permit tcp Library_Staff_Wireless_Network 255.255.255.0 host CityNet
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 host HuntBuildingPC
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 host NPL-VM1
access-list Library_access_in remark Allow for ftp.
access-list Library_access_in extended permit ip any host Dana_PC
access-list Library_access_in remark Allow Library Staff Internet Access Through EDIA
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 interface outside
access-list outside_access_in remark Temp Rule for web server issues
access-list outside_access_in extended deny ip 220.181.0.0 255.255.0.0 any
access-list outside_access_in extended deny ip host 69.4.232.112 any
access-list outside_access_in remark NJ IP that is downloading gigabytes from City Web Site
access-list outside_access_in extended deny ip host 76.116.26.132 any
access-list outside_access_in remark Allow web access from outside.
access-list outside_access_in extended permit tcp any host City-Nashua-DMV-VPN eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityWeb eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityFTP eq www
access-list outside_access_in extended permit tcp any host Google_Mini eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host Netscaler_Management eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host Netscaler_Static_IP eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host Netscaler eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CITYCARTWEB eq www inactive
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_27 object-group DM_INLINE_TCP_4
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityGISWeb2 eq www
access-list outside_access_in extended permit tcp any host Wordpress-Centos-Server eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityFilr eq www
access-list outside_access_in extended permit tcp any host 71.181.12.252 eq www inactive
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_13 eq www inactive
access-list outside_access_in extended permit tcp any host 71.181.12.230 eq www inactive
access-list outside_access_in extended permit tcp any host CityGISWeb4 eq www inactive
access-list outside_access_in extended permit tcp any 71.181.12.224 255.255.255.224 eq www inactive
access-list outside_access_in extended permit tcp any 71.181.12.224 255.255.255.224 eq https
access-list outside_access_in remark Rule to allow RedBarn access to Sandbox
access-list outside_access_in extended permit tcp any host CityWeb eq 82
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in remark Allow in for FTPS on CityFTP
access-list outside_access_in extended permit tcp any host CityFTP eq 990
access-list outside_access_in remark Allow in for FTPS on CityFTP
access-list outside_access_in extended permit tcp any host CityFTP object-group PASV-FTP
access-list outside_access_in remark Allow FTP in to CityFTP
access-list outside_access_in extended permit tcp any host CityFTP eq ftp
access-list outside_access_in remark Rule to allow SX2 in web access
access-list outside_access_in extended permit tcp any interface outside object-group For_Pete
access-list outside_access_in remark Allow in for MSW DVR monitoring
access-list outside_access_in extended permit ip 12.28.108.0 255.255.255.0 host MSW-DVR
access-list outside_access_in extended permit tcp any host mail.nashuanh.gov eq smtp
access-list outside_access_in extended permit tcp any host mail.nashuanh.gov eq https
access-list outside_access_in extended permit tcp any host mail.nashuanh.gov object-group autodiscover
access-list outside_access_in extended permit gre any host CityRAS2
access-list outside_access_in extended permit tcp any host CityRAS2 eq pptp
access-list outside_access_in remark Access to Remote TV Switcher
access-list outside_access_in extended permit tcp any host BroadCast-PIX eq 9999
access-list outside_access_in remark Allow Access to Citrix
access-list outside_access_in extended permit object-group citrix-storefront any host Netscaler
access-list outside_access_in remark Allow Telestaff Web Host Server to NAT of internal Telestaff Server
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 71.181.12.215 object-group DM_INLINE_TCP_5
access-list outside_access_in remark Concord DMV VPN IP to Nashua DMV VPN IP
access-list outside_access_in extended permit ip host Concord-DMV-VPN2 host City-Nashua-DMV-VPN
access-list outside_access_in remark In from Outside Route Match Cloud to Transit Route Match Monitor
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 host Route-Match-Cloud host CityRouteCloud
access-list outside_access_in extended permit tcp any host CityFilr eq 8443
access-list outside_access_in extended permit tcp any host Slingbox_Public eq 5001
access-list outside_access_in remark Allow HVAC Vendor Access to the HVAC System
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host HVAC_Vendor host City_HVAC_Controller
access-list outside_access_in remark Allow in for FrontDoor
access-list outside_access_in extended permit tcp any host Cablecast_Pro eq 8100
access-list outside_access_in extended permit tcp any host CITYCAM_Outside
access-list outside_access_in remark Allow Router to Internet Traffic Send to Scrutinizer
access-list outside_access_in extended permit udp host CH_IT1941_Outside interface outside eq 2055
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec interface dmz host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host City-Nashua-DMV-VPN host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityWeb host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityFTP host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Netscaler_Management host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Netscaler_Static_IP host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Netscaler host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CITYCARTWEB host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec object-group DM_INLINE_NETWORK_21 host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityGISWeb2 host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Wordpress-Centos-Server host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityFilr host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec 71.181.12.224 255.255.255.224 host CityRX2
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host City-Nashua-DMV-VPN any eq www
access-list dmz_access_in remark Allow web access
access-list dmz_access_in extended permit tcp host CityWeb any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CityFTP any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Netscaler_Management any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Netscaler_Static_IP any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Netscaler any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CITYCARTWEB any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_22 any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CityGISWeb2 any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Wordpress-Centos-Server any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CityFilr any eq www
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host City-Nashua-DMV-VPN any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityWeb any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityFTP any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Netscaler_Management any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Netscaler_Static_IP any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Netscaler any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CITYCARTWEB any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_24 any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityGISWeb2 any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityFilr any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Wordpress-Centos-Server any eq www
access-list dmz_access_in extended permit udp 71.181.12.224 255.255.255.224 any eq www
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP interface dmz object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host City-Nashua-DMV-VPN object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityWeb object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityFTP object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Netscaler_Management object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Netscaler_Static_IP object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Netscaler object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CITYCARTWEB object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_25 object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityGISWeb2 object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Wordpress-Centos-Server object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityFilr object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP 71.181.12.224 255.255.255.224 object-group Fairpoint-DNS eq domain
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended permit icmp any any unreachable
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 host CityMail1 eq smtp
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 host CityMail1 object-group autodiscover
access-list dmz_access_in remark Allow the Google mini to ping citymailfe.
access-list dmz_access_in remark The google tried to perform this test before using a SMTP server.
access-list dmz_access_in extended permit icmp 71.181.12.224 255.255.255.224 host CityMail1 echo
access-list dmz_access_in extended permit object-group citrix-delivery object-group DM_INLINE_NETWORK_15 object-group CityCitrix
access-list dmz_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_7 eq domain
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_17 object-group DM_INLINE_NETWORK_10 eq 3268
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_18 object-group DM_INLINE_NETWORK_23 eq ldap
access-list dmz_access_in extended permit icmp object-group DM_INLINE_NETWORK_19 object-group DM_INLINE_NETWORK_11
access-list dmz_access_in remark Allow out for NTP
access-list dmz_access_in extended permit udp host Wordpress-Centos-Server any eq ntp
access-list dmz_access_in remark Allow in for File Shares to CityPictometry.  Delete rule 12-31-13
access-list dmz_access_in extended permit tcp host CityGISWeb2 host 10.100.6.107 object-group CIFS
access-list dmz_access_in remark City DMV VPN to Concord DMV VPN
access-list dmz_access_in extended permit ip host City-Nashua-DMV-VPN host Concord-DMV-VPN2
access-list dmz_access_in extended permit tcp host CityWeb host Patriot object-group DM_INLINE_TCP_1
access-list dmz_access_in extended permit tcp host CityWeb host CitySQLX
access-list dmz_access_in extended permit icmp host CityWeb host CitySQLX
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host CitySQLX
access-list dmz_access_in extended permit udp host CityFilr host 129.6.15.28 eq ntp
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 host CitySMTP eq smtp
access-list dmz_access_in extended permit tcp host CityFilr host CityDC5 eq ldap
access-list dmz_access_in extended permit object-group radius host City-Nashua-DMV-VPN host CityDC5
access-list dmz_access_in extended permit tcp host CityFilr host CityFile eq cifs
access-list dmz_access_in extended permit ip host CityFilr host CityFile
access-list dmz_access_in extended permit udp host CityFilr host CityFile eq netbios-dgm
access-list dmz_access_in remark Syslog for Mark
access-list dmz_access_in extended permit udp host Netscaler_Management host CitySyslogWatcher eq syslog
access-list dmz_access_in remark for Angelo access to share
access-list dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_26 object-group DM_INLINE_NETWORK_14
access-list dmz_access_in remark Allow CITYCARTWEB Access to DPW-Backup1
access-list dmz_access_in extended permit tcp host CITYCARTWEB host DPW-Backup1 eq 10000
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 host CityGISWeb2 host CITYPICTOMETRY1
access-list FireVPN-Permits extended permit ip any 10.100.120.0 255.255.255.240
access-list FireVPN-Permits extended permit object-group Symantec any host CityRX2
access-list FireVPN-Permits extended permit object-group TCPUDP any 10.100.5.0 255.255.255.0 eq domain
access-list FireVPN-Permits extended permit ip any host CityGIS4
access-list outside_cryptomap remark Edgewood
access-list outside_cryptomap extended permit ip object-group CHECVPN 10.100.106.0 255.255.255.128
access-list Library_nat0_outbound remark Exempt all NAT Traffic
access-list Library_nat0_outbound extended permit ip any any
access-list inside_mpc extended permit tcp any host CityRouteCloud eq 1287
access-list CH<>EC standard permit 10.100.4.0 255.255.255.0
access-list CH<>EC standard permit 10.100.5.0 255.255.255.0
access-list CH<>EC standard permit 10.100.6.0 255.255.255.0
access-list inside_access_in remark Allow mail server to send mail outgoing
access-list inside_access_in extended permit tcp host CityMail1 any eq smtp
access-list inside_access_in remark Deny all SMTP Out
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip FDD-PCs 255.255.255.248 71.181.12.224 255.255.255.224
access-list inside_access_in extended deny ip any host 69.4.232.112
access-list inside_access_in extended permit udp host CITYCAM_Inside any eq 554
access-list inside_access_in remark Allow Default outgoing
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip host CityFuelXP any
access-list inside_access_in extended permit tcp host CityIMCMSG any eq smtp
access-list inside_access_in extended permit ip host CityIMCMSG 10.100.250.64 255.255.255.224 log disable
access-list inside_access_in extended deny ip host CityIMCMSG any
access-list split_tunnel standard permit 10.100.0.0 255.255.0.0
access-list AC_VPN_Limited_Permit remark Allow access to servers
access-list AC_VPN_Limited_Permit extended permit ip any object-group DM_INLINE_NETWORK_5
access-list AC_VPN_Limited_Permit extended permit ip any 10.100.95.0 255.255.255.192
access-list AC_VPN_Limited_Denies extended deny ip any host CityManager2
access-list throttle extended permit ip host 71.181.12.199 any
access-list throttle extended permit ip host 71.181.12.200 any
access-list throttle extended permit ip any host 71.181.12.199
access-list throttle extended permit ip any host 71.181.12.200
access-list Bloxx-group remark Bloxx Unit
access-list Bloxx-group standard permit host 10.100.250.10
access-list Bloxx extended deny ip host 10.100.30.35 any
access-list Bloxx extended deny ip host 10.100.30.37 any
access-list Bloxx extended deny ip host 10.100.95.6 any
access-list Bloxx extended deny ip host 10.100.30.56 any
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 69.56.155.0 255.255.255.192
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 host 63.127.199.226
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 host 72.55.246.22
access-list Bloxx extended deny ip host 10.100.32.69 any
access-list Bloxx remark State's Server for legislative broadcasts
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 216.177.20.0 255.255.255.0
access-list Bloxx remark CDC Server for broadcasts
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 host 198.246.99.21
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 71.181.12.224 255.255.255.224
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list Bloxx remark do not forward web traffic to Library
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 10.98.0.0 255.255.0.0
access-list Bloxx remark us.getac.com
access-list Bloxx extended deny tcp any host 204.236.134.65 object-group DM_INLINE_TCP_6
access-list Bloxx remark Allow city traffic
access-list Bloxx extended permit tcp 10.100.0.0 255.255.0.0 any eq www
access-list Bloxx-Group1 extended permit ip host 10.100.250.10 any
access-list AC_VPN_Limited2_Permit extended permit ip any 10.100.200.0 255.255.255.0
access-list outside_cryptomap_1 remark Woodlawn Cemetary
access-list outside_cryptomap_1 extended permit ip 10.100.0.0 255.255.0.0 10.100.105.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.100.0.0 255.255.0.0 10.100.105.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging asdm-buffer-size 250
logging trap warnings
logging asdm debugging
logging from-address ASA5510@nashua.city
logging recipient-address italerts@nashuanh.gov level errors
logging facility 18
logging device-id hostname
logging host inside 10.100.6.20
logging host inside 10.100.5.114
logging host inside CitySyslogWatcher
logging class auth trap informational
logging class config trap notifications
logging class vpn trap informational
logging class vpnc trap notifications
logging class webvpn history notifications trap notifications
logging class ssl history notifications trap notifications
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304002
no logging message 304001
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside Scrutinizer 9995
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu outside 1500
mtu dmz 1500
mtu Library 1500
mtu inside 1500
mtu management 1500
ip local pool VPNPool 10.250.0.1-10.250.0.50 mask 255.255.255.0
ip local pool RAVPN_POOL 10.100.250.65-10.100.250.95 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 11 64.80.28.136 netmask 255.0.0.0
global (outside) 99 64.80.28.135
global (outside) 10 71.181.12.199 netmask 255.255.255.255
global (outside) 10 71.181.12.200 netmask 255.255.255.255
nat (Library) 0 access-list Library_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8100 Cablecast_Pro www netmask 255.255.255.255
static (inside,outside) tcp interface smtp CitySMTP smtp netmask 255.255.255.255
static (inside,outside) udp interface 2055 Scrutinizer 2055 netmask 255.255.255.255
static (dmz,outside) 71.181.12.224 71.181.12.224 netmask 255.255.255.224
static (inside,outside) CITYCAM_Outside CITYCAM_Inside netmask 255.255.255.255
static (inside,outside) MSW-DVR 10.100.109.17 netmask 255.255.255.255
static (inside,outside) mail.nashuanh.gov CityMail1 netmask 255.255.255.255
static (inside,outside) CityRAS2 10.100.5.28 netmask 255.255.255.255
static (inside,outside) BroadCast-PIX 10.100.110.28 netmask 255.255.255.255
static (inside,outside) 71.181.12.215 CityTelestaff netmask 255.255.255.255
static (inside,outside) CityRouteCloud 10.100.32.16 netmask 255.255.255.255
static (inside,outside) Slingbox_Public Slingbox_Private netmask 255.255.255.255 tcp 2 0 udp 2
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group Library_access_in in interface Library
access-group inside_access_in in interface inside
!
router ospf 1
 router-id 10.100.250.2
 network 10.99.0.0 255.255.255.0 area 2
 network 10.100.250.0 255.255.255.0 area 0
 area 0 range 10.100.0.0 255.255.0.0
 distance ospf intra-area 80 inter-area 80 external 95
 log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 71.181.12.193 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 user-message "Authorized Access Only"
 action terminate
dynamic-access-policy-record VPN-Limited
 description "VPN user group for limited City Access"
 user-message "Welcome to the City of Nashua's VPN network.  Unauthorized access prohibited."
 network-acl AC_VPN_Limited_Permit
 network-acl AC_VPN_Limited_Denies
 priority 500
 webvpn
  svc ask none default svc
dynamic-access-policy-record VPN-Fire
 description "Access for Fire Vehicles"
 network-acl FireVPN-Permits
 priority 600
 webvpn
  svc ask none default svc
dynamic-access-policy-record VPN-Limited2
 description "Adds Lawson Access"
 network-acl AC_VPN_Limited_Permit
 network-acl AC_VPN_Limited_Denies
 network-acl AC_VPN_Limited2_Permit
 priority 275
 webvpn
  svc ask enable default svc
dynamic-access-policy-record VPN-Admins
 description "Allow Administrative VPN Access"
 user-message "Unauthorized users will be shot.  Survivors will be shot again."
 priority 250
 webvpn
  svc ask none default svc
aaa-server VPN-LDAP protocol ldap
aaa-server VPN-LDAP (inside) host CityDC2
 timeout 15
 ldap-base-dn DC=nashua,DC=city
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=mgrjboss,OU=Resources,DC=nashua,DC=city
 server-type microsoft
aaa-server RADIUS protocol radius
 reactivation-mode timed
aaa-server RADIUS (inside) host CityDC5
 retry-interval 5
 key *****
aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication serial console LOCAL
http server enable 8080
http server idle-timeout 30
http CityManager2 255.255.255.255 inside
http 10.100.95.0 255.255.255.192 inside
snmp-server host inside 10.100.5.114 trap community ***** version 2c
snmp-server host inside citycmdb community ***** version 2c
snmp-server host inside 10.100.5.76 community *****
snmp-server host inside 10.100.6.20 trap community ***** version 2c
snmp-server host inside 10.100.6.21 community *****
snmp-server host inside 10.100.6.25 community ***** version 2c
snmp-server host inside Scrutinizer community ***** version 2c
snmp-server host inside CitySyslogWatcher trap community ***** version 2c
snmp-server host inside 10.100.6.6 community *****
snmp-server host inside 10.100.95.50 trap community *****
snmp-server host inside 10.100.6.11 community *****
snmp-server location ""City Hall - 2nd Floor Equipment Room, right"
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps remote-access session-threshold-exceeded
sysopt noproxyarp dmz
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 71.168.70.56
crypto map outside_map1 1 set transform-set ESP-AES-128-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5     
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-192
 hash sha     
 group 5
 lifetime 86400
telnet timeout 25
ssh scopy enable
ssh 10.100.6.20 255.255.255.255 inside
ssh CityManager2 255.255.255.255 inside
ssh 10.100.95.0 255.255.255.192 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.2 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.100.0.0 255.255.0.0
threat-detection scanning-threat shun duration 300
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp 200 redirect-list Bloxx group-list Bloxx-Group1
wccp interface inside 200 redirect in
ntp server 10.100.2.253
webvpn
 port 8484
 enable outside
 dtls port 8484
 svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 1
 svc image disk0:/anyconnect-win-2.5.6005-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy AC-VPN-GP internal
group-policy AC-VPN-GP attributes
 banner none
 dns-server value 10.100.5.2 10.100.5.3
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value nashua.city
 address-pools value RAVPN_POOL
group-policy CH<>WL internal
group-policy CH<>WL attributes
 vpn-tunnel-protocol IPSec
group-policy CH<>MSW internal
group-policy CH<>MSW attributes
 vpn-tunnel-protocol IPSec
group-policy CH<>EC internal
group-policy CH<>EC attributes
 vpn-tunnel-protocol IPSec
username admin password 90nATqa6nCj5iJ88 encrypted privilege 15
username Cisco password kGOz5H/IcvmJAAtS encrypted privilege 15
username Cisco attributes
 service-type remote-access
username itadmin password sNnj/F6CPVWNeUXn encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 isakmp ikev1-user-authentication none
tunnel-group 71.168.70.56 type ipsec-l2l
tunnel-group 71.168.70.56 general-attributes
 default-group-policy CH<>EC
tunnel-group 71.168.70.56 ipsec-attributes
 pre-shared-key *****
tunnel-group 75.144.145.93 type ipsec-l2l
tunnel-group 75.144.145.93 general-attributes
 default-group-policy CH<>MSW
tunnel-group 75.144.145.93 ipsec-attributes
 pre-shared-key *****
tunnel-group AC-VPN type remote-access
tunnel-group AC-VPN general-attributes
 authentication-server-group VPN-LDAP
 default-group-policy AC-VPN-GP
tunnel-group AC-VPN webvpn-attributes
 group-alias CityVPN enable
tunnel-group 68.238.57.133 type ipsec-l2l
tunnel-group 68.238.57.133 general-attributes
 default-group-policy CH<>WL
tunnel-group 68.238.57.133 ipsec-attributes
 pre-shared-key *****
!
class-map throttle
 match access-list throttle
class-map class_sqlnet
 match port tcp eq 1433
class-map inspection_default
 match default-inspection-traffic
class-map Routematch
 match access-list inside_mpc
class-map Netflow-Class
 description Use for netflow
 match any
class-map outside-class
 match port tcp range 1 65535
!
!
policy-map throttle-traffic
 class throttle
  police input 25000000 12500
  police output 25000000 12500
policy-map RouteMatch
 class Routematch
  set connection timeout half-closed 0:00:00 idle 0:00:00 dcd 0:15:00 5
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect ip-options
 class Netflow-Class
  flow-export event-type all destination Scrutinizer
policy-map outside-policy
 description Traffic limit on TCP to 40Mbs with a 5Mbs burst (prevent TCP from starving UPD and tunnel traffic on 50Mbs interface)
 class outside-class
  police input 35000000 1000000
  police output 35000000 1000000
!
service-policy global_policy global
service-policy outside-policy interface outside
service-policy RouteMatch interface inside
smtp-server 10.100.5.52
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:466657b28c7b6ba1cc2ade5b0132bbbe
: end

You have these lines in your configuration -

"access-list Library_nat0_outbound extended permit ip any any"

"nat (Library) 0 access-list Library_nat0_outbound"

which means do not NAT any IPs if they come in the Library interface which means your 10.98.3.x IPs are not translated.

But they are private IPs so they need translating.

It is not clear why those lines are there and also not clear what public IP you would want to use to translate the 10.98.3.x IPs to ?

Jon