03-01-2016 04:42 AM - edited 03-08-2019 04:46 AM
I have two firewalls that are connected, an ASA and a Sonicwall. I have a LAN hanging off the Sonicwall and want to send its traffic across. I have already created a route policy on the Sonicwall to send the traffic out the interface that faces the Cisco ASA. I need to know how to create a route and access rule on the ASA to get this to work.
On the Sonicwall:
LAN is on X5 interface and the subnet is 10.98.3.0
Interface facing the other firewall is called city and the IP is 10.99.0.3
Route policy is already in place
On the ASA:
Interface facing the Sonicwall is 10.99.0.2
Outside interface facing ISP is 71.181.12.193 with gateway of .194
Access rule is in place to allow all IP from the 10.98.3.0 network to the outside interface
I think I need some kind of static route in place to get the 10.98.3.0 traffic coming in on the interface facing the Sonicwall to the outside interface facing the ISP, but am at a loss to get this done.
03-01-2016 06:14 AM
Not sure what you are asking here.
On the Sonicwall you need a default route pointing to 10.99.0.2
On the ASA you need a default route pointing to the ISP (which it sounds like you have) and a route for the internal subnet pointing back to 10.99.0.3.
Unless you are translating the internal subnet to the 10.99.0.3 IP address in which case you don't need the route for the internal subnet on the ASA.
Jon
03-01-2016 07:14 AM
On the Sonicwall it's not a default route pointing to 10.99.0.2 but a route policy, because we only want traffic from one of the LANs to go out that route. Other LANs will take a different path out different interfaces. This is set up properly, as packet captures are showing traffic from hosts on that specific LAN hitting the 10.99.0.2 interface.
Yes, I have a default route on the ASA pointing to the ISP.
I think what I am missing is a route for the LAN hanging off the Sonicwall (10.98.3.0/24) pointing back to 10.99.0.3 as you mentioned. I will create this route and let you know if it resolves the issue.
We are not translating anything.
Thank you
03-01-2016 07:23 AM
03-01-2016 07:27 AM
It looks fine but then I use the CLI.
What does a "sh route" look like from the ASA?
Have you set up NAT on the ASA?
Jon
03-01-2016 07:39 AM
sh route:
CON-ASA5510# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 71.181.12.193 to network 0.0.0.0
C 71.181.12.224 255.255.255.224 is directly connected, dmz
C 71.181.12.192 255.255.255.224 is directly connected, outside
O E2 172.16.0.0 255.255.0.0 [95/75] via 10.100.250.254, 835:46:05, inside
[95/75] via 10.100.250.253, 835:46:05, inside
O E2 192.168.200.0 255.255.255.0
[95/100] via 10.100.250.254, 835:46:05, inside
O 10.100.110.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.111.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.108.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.109.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.107.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.104.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
O E2 10.0.0.0 255.192.0.0 [95/100] via 10.100.250.254, 835:46:08, inside
O 10.100.120.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
[80/11] via 10.100.250.254, 1193:02:47, inside
O 10.100.114.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
[80/12] via 10.100.250.254, 1193:02:47, inside
O 10.100.112.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
[80/12] via 10.100.250.254, 1193:02:47, inside
O 10.100.113.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
[80/12] via 10.100.250.254, 1193:02:47, inside
O 10.100.95.0 255.255.255.192
[80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.34.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
[80/11] via 10.100.250.254, 1193:02:47, inside
O 10.100.32.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.33.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.1.12 255.255.255.252
[80/11] via 10.100.250.254, 1193:02:47, inside
O 10.100.10.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.1.8 255.255.255.252 [80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.9.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
[80/11] via 10.100.250.254, 1193:02:47, inside
O 10.100.6.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.7.0 255.255.255.0 [80/51] via 10.100.250.254, 1193:02:47, inside
[80/51] via 10.100.250.253, 1193:02:47, inside
C 10.99.0.0 255.255.255.0 is directly connected, Library
O 10.98.2.0 255.255.255.0 [80/20] via 10.99.0.3, 835:46:09, Library
O 10.100.4.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
S Library_Staff_Wired_Network 255.255.255.0 [1/0] via 10.99.0.3, Library
O 10.99.2.0 255.255.255.192 [80/21] via 10.100.250.253, 1193:02:47, inside
[80/21] via 10.100.250.254, 1193:02:47, inside
O 10.100.5.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O Library_Staff_Wireless_Network 255.255.255.0
[80/20] via 10.99.0.3, 835:46:09, Library
O 10.100.2.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.0.0 255.255.0.0 is a summary, 1193:02:47
O 10.100.30.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.25.0 255.255.255.192
[80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O Elm_High_Street_Garages 255.255.255.0
[80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.21.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
C 10.100.250.0 255.255.255.0 is directly connected, inside
O E2 10.100.200.0 255.255.255.0 [95/100] via 10.100.250.6, 835:46:13, inside
O 10.100.160.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 71.181.12.193, outside
03-01-2016 07:50 AM
Can't see a specific entry for 10.98.3.0/24 but it could be one of "Library_Staff ..." routes.
One thing though, you are receiving some OSPF routes from the Sonicwall by the looks of it so I would remove the static route and advertise it via OSPF to the ASA.
Jon
03-01-2016 07:55 AM
So I removed the static route and this is the routing table now: I have bolded the route for the 10.98.30./24 network back to the Sonicwall but it's still not working. When I ping the internet from a host on the 10.98.30.0 network it doesn't make it. It does get forwarded by the Sonicwall so something is still not right on the ASA.
CON-ASA5510# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 71.181.12.193 to network 0.0.0.0
C 71.181.12.224 255.255.255.224 is directly connected, dmz
C 71.181.12.192 255.255.255.224 is directly connected, outside
O E2 172.16.0.0 255.255.0.0 [95/75] via 10.100.250.254, 835:59:27, inside
[95/75] via 10.100.250.253, 835:59:27, inside
O E2 192.168.200.0 255.255.255.0
[95/100] via 10.100.250.254, 835:59:27, inside
O 10.100.110.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.111.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.108.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.109.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.107.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.104.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
O E2 10.0.0.0 255.192.0.0 [95/100] via 10.100.250.254, 835:59:29, inside
O 10.100.120.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
[80/11] via 10.100.250.254, 1193:02:47, inside
O 10.100.114.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
[80/12] via 10.100.250.254, 1193:02:47, inside
O 10.100.112.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
[80/12] via 10.100.250.254, 1193:02:47, inside
O 10.100.113.0 255.255.255.0 [80/12] via 10.100.250.253, 1193:02:47, inside
[80/12] via 10.100.250.254, 1193:02:47, inside
O 10.100.95.0 255.255.255.192
[80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.34.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
[80/11] via 10.100.250.254, 1193:02:47, inside
O 10.100.32.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.33.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.1.12 255.255.255.252
[80/11] via 10.100.250.254, 1193:02:47, inside
O 10.100.10.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.1.8 255.255.255.252 [80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.9.0 255.255.255.0 [80/11] via 10.100.250.253, 1193:02:47, inside
[80/11] via 10.100.250.254, 1193:02:47, inside
O 10.100.6.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.7.0 255.255.255.0 [80/51] via 10.100.250.254, 1193:02:47, inside
[80/51] via 10.100.250.253, 1193:02:47, inside
C 10.99.0.0 255.255.255.0 is directly connected, Library
O 10.98.2.0 255.255.255.0 [80/20] via 10.99.0.3, 835:59:29, Library
O 10.100.4.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O Library_Staff_Wired_Network 255.255.255.0
[80/20] via 10.99.0.3, 0:00:09, Library
O 10.99.2.0 255.255.255.192 [80/21] via 10.100.250.253, 1193:02:47, inside
[80/21] via 10.100.250.254, 1193:02:47, inside
O 10.100.5.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O Library_Staff_Wireless_Network 255.255.255.0
[80/20] via 10.99.0.3, 835:59:29, Library
O 10.100.2.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.0.0 255.255.0.0 is a summary, 1193:02:47
O 10.100.30.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.25.0 255.255.255.192
[80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O Elm_High_Street_Garages 255.255.255.0
[80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
O 10.100.21.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
C 10.100.250.0 255.255.255.0 is directly connected, inside
O E2 10.100.200.0 255.255.255.0 [95/100] via 10.100.250.6, 835:59:30, inside
O 10.100.160.0 255.255.255.0 [80/11] via 10.100.250.254, 1193:02:47, inside
[80/11] via 10.100.250.253, 1193:02:47, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 71.181.12.193, outside
03-01-2016 08:08 AM
So have you set up NAT on the ASA for the 10.98.3.x IPs?
Jon
03-01-2016 08:19 AM
03-01-2016 08:28 AM
Sorry, but can you post "sh nat" from the ASA.
Also can you run this command -
"packet-tracer input inside tcp 10.98.3.3 12345 <public IP> 80"
Just pick a random public IP; it doesn't matter.
And then post results.
Jon
03-01-2016 10:40 AM
CON-ASA5510# sh nat
NAT policies on Interface dmz:
match ip dmz 71.181.12.224 255.255.255.224 outside any
static translation to 71.181.12.224
translate_hits = 8159654, untranslate_hits = 454970121
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface Library:
match ip Library any outside any
NAT exempt
translate_hits = 9, untranslate_hits = 0
match ip Library any dmz any
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Library any Library any
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip Library any outside any
no translation group, implicit deny
policy_hits = 0
match ip Library any dmz any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface inside:
match ip inside 10.100.0.0 255.255.0.0 outside 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 1268505, untranslate_hits = 1181762
match ip inside 172.16.0.0 255.255.0.0 outside 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.4.0 255.255.255.0 outside 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any outside 71.181.12.224 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.5.0 255.255.255.0 outside 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 5612, untranslate_hits = 0
match ip inside 10.100.5.0 255.255.255.0 outside 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 3193716, untranslate_hits = 2885505
match ip inside 10.100.4.0 255.255.255.0 outside 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 15, untranslate_hits = 347
match ip inside 10.100.6.0 255.255.255.0 outside 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 192048, untranslate_hits = 56989
match ip inside any outside 10.100.250.64 255.255.255.224
NAT exempt
translate_hits = 110286, untranslate_hits = 3869451
match ip inside any outside 10.99.0.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any outside 10.98.0.0 255.255.0.0
NAT exempt
translate_hits = 13878, untranslate_hits = 0
match ip inside any outside Library-Legacy 255.255.255.0
NAT exempt
translate_hits = 3, untranslate_hits = 0
match ip inside 10.100.0.0 255.255.0.0 outside 10.100.106.0 255.255.255.128
NAT exempt
translate_hits = 1414, untranslate_hits = 19123
match ip inside 10.100.0.0 255.255.0.0 dmz 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 172.16.0.0 255.255.0.0 dmz 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.4.0 255.255.255.0 dmz 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any dmz 71.181.12.224 255.255.255.224
NAT exempt
translate_hits = 16398798, untranslate_hits = 36873110
match ip inside 10.100.5.0 255.255.255.0 dmz 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.5.0 255.255.255.0 dmz 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.4.0 255.255.255.0 dmz 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.6.0 255.255.255.0 dmz 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any dmz 10.100.250.64 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any dmz 10.99.0.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any dmz 10.98.0.0 255.255.0.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any dmz Library-Legacy 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.0.0 255.255.0.0 dmz 10.100.106.0 255.255.255.128
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.0.0 255.255.0.0 Library 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 172.16.0.0 255.255.0.0 Library 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.4.0 255.255.255.0 Library 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any Library 71.181.12.224 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.5.0 255.255.255.0 Library 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.5.0 255.255.255.0 Library 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.4.0 255.255.255.0 Library 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.6.0 255.255.255.0 Library 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any Library 10.100.250.64 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any Library 10.99.0.0 255.255.255.0
NAT exempt
translate_hits = 8185361, untranslate_hits = 2392180
match ip inside any Library 10.98.0.0 255.255.0.0
NAT exempt
translate_hits = 41270570, untranslate_hits = 24664993
match ip inside any Library Library-Legacy 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.0.0 255.255.0.0 Library 10.100.106.0 255.255.255.128
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.0.0 255.255.0.0 inside 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 172.16.0.0 255.255.0.0 inside 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.4.0 255.255.255.0 inside 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any inside 71.181.12.224 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.5.0 255.255.255.0 inside 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.5.0 255.255.255.0 inside 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.4.0 255.255.255.0 inside 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.6.0 255.255.255.0 inside 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any inside 10.100.250.64 255.255.255.224
NAT exempt
translate_hits = 12521, untranslate_hits = 0
match ip inside any inside 10.99.0.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any inside 10.98.0.0 255.255.0.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any inside Library-Legacy 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.0.0 255.255.0.0 inside 10.100.106.0 255.255.255.128
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.0.0 255.255.0.0 management 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 172.16.0.0 255.255.0.0 management 10.100.105.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.4.0 255.255.255.0 management 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any management 71.181.12.224 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.5.0 255.255.255.0 management 10.100.104.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.5.0 255.255.255.0 management 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.4.0 255.255.255.0 management 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.6.0 255.255.255.0 management 10.100.106.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any management 10.100.250.64 255.255.255.224
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any management 10.99.0.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any management 10.98.0.0 255.255.0.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside any management Library-Legacy 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 10.100.0.0 255.255.0.0 management 10.100.106.0 255.255.255.128
NAT exempt
translate_hits = 0, untranslate_hits = 0
match tcp inside host Cablecast_Pro eq 80 outside any
static translation to 71.181.12.194/8100
translate_hits = 97, untranslate_hits = 62697
match tcp inside host CitySMTP eq 25 outside any
static translation to 71.181.12.194/25
translate_hits = 0, untranslate_hits = 684
match udp inside host Scrutinizer eq 2055 outside any
static translation to 71.181.12.194/2055
translate_hits = 0, untranslate_hits = 2
match ip inside host CITYCAM_Inside outside any
static translation to CITYCAM_Outside
translate_hits = 3911, untranslate_hits = 100248
match ip inside host 10.100.109.17 outside any
static translation to MSW-DVR
translate_hits = 0, untranslate_hits = 32453
match ip inside host CityMail1 outside any
static translation to mail.nashuanh.gov
translate_hits = 1858088, untranslate_hits = 1780742
match ip inside host 10.100.5.28 outside any
static translation to CityRAS2
translate_hits = 26, untranslate_hits = 33743
match ip inside host 10.100.110.28 outside any
static translation to BroadCast-PIX
translate_hits = 173, untranslate_hits = 31003
match ip inside host CityTelestaff outside any
static translation to 71.181.12.215
translate_hits = 88, untranslate_hits = 54895
match ip inside host 10.100.32.16 outside any
static translation to CityRouteCloud
translate_hits = 63, untranslate_hits = 138515
match ip inside host Slingbox_Private outside any
static translation to Slingbox_Public
translate_hits = 0, untranslate_hits = 32871
match ip inside any outside any
dynamic translation to pool 10 (71.181.12.199)
translate_hits = 533149125, untranslate_hits = 38259009
match ip inside any dmz any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any Library any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any inside any
dynamic translation to pool 10 (No matching global)
translate_hits = 165, untranslate_hits = 0
match ip inside any management any
dynamic translation to pool 10 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
no translation group, implicit deny
policy_hits = 0
match ip inside any dmz any
no translation group, implicit deny
policy_hits = 0
match ip inside any Library any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface management:
match ip management any outside any
no translation group, implicit deny
policy_hits = 0
match ip management any dmz any
no translation group, implicit deny
policy_hits = 0
match ip management any Library any
no translation group, implicit deny
policy_hits = 0
It told me the other command was incomplete.
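To read a "sh nat" listing like the one above mechanically, here is an added Python example (written for this thread, not code from the poster or from Cisco): it parses the ASA 8.2-style output and reports which NAT policy a given flow hits first, which is roughly the NAT step that packet-tracer reports. The sample text is a constructed, trimmed copy of the Library and inside sections posted above, and 192.0.2.10 stands in for the "random public IP".

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the Library and inside sections of the
# "sh nat" output posted above (ASA 8.2 format), not the complete listing.
SAMPLE_SHOW_NAT = """\
NAT policies on Interface Library:
  match ip Library any outside any
    NAT exempt
    translate_hits = 9, untranslate_hits = 0
  match ip Library any outside any
    no translation group, implicit deny
    policy_hits = 0
NAT policies on Interface inside:
  match ip inside any outside 10.98.0.0 255.255.0.0
    NAT exempt
    translate_hits = 13878, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 10 (71.181.12.199)
    translate_hits = 533149125, untranslate_hits = 38259009
"""


@dataclass
class NatPolicy:
    src_if: str
    dst_if: str
    proto: str
    src: str        # "any", "<ip>/32" for host, "<net>/<mask>", or an unresolved name
    dst: str
    action: str = ""   # the line that follows the match line
    hits: dict = field(default_factory=dict)


def _parse_spec(tokens):
    """Consume one address spec (any | host X | NET MASK); return (spec, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_show_nat(text):
    """Parse 8.2-style 'show nat' output into NatPolicy entries in listing order."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("NAT policies on"):
            continue
        if line.startswith("match "):
            t = line.split()
            proto, src_if = t[1], t[2]
            src, rest = _parse_spec(t[3:])
            if rest[:1] == ["eq"]:   # optional source port, e.g. "eq 80"
                rest = rest[2:]
            dst, _ = _parse_spec(rest[1:])
            current = NatPolicy(src_if, rest[0], proto, src, dst)
            policies.append(current)
        elif current is None:
            continue
        elif "_hits = " in line:
            for key, val in re.findall(r"(\w+_hits) = (\d+)", line):
                current.hits[key] = int(val)
        elif not current.action:
            current.action = line
    return policies


def _spec_matches(spec, ip):
    if spec == "any":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False   # a 'names' object (e.g. host CityMail1); resolve it first


def first_match(policies, src_if, dst_if, src_ip, dst_ip, proto="ip"):
    """First policy in listing order that the flow matches (order = lookup order)."""
    for p in policies:
        if p.src_if != src_if or p.dst_if != dst_if or p.proto not in ("ip", proto):
            continue
        if _spec_matches(p.src, src_ip) and _spec_matches(p.dst, dst_ip):
            return p
    return None


def diagnose(policies, src_if, dst_if, src_ip, dst_ip):
    """Classify the NAT outcome for a flow: EXEMPT, TRANSLATED, DENY or NO_MATCH."""
    p = first_match(policies, src_if, dst_if, src_ip, dst_ip)
    if p is None:
        return "NO_MATCH", None
    if p.action == "NAT exempt":
        return "EXEMPT", p      # sent untranslated: private source address leaves outside
    if "translation to" in p.action:
        return "TRANSLATED", p
    return "DENY", p            # "no translation group, implicit deny"
```

For a flow from Library 10.98.3.3 to a public address the first hit is the "NAT exempt" entry (the one showing 9 translate_hits), so those packets leave toward the ISP with their private source address, whereas the same flow from inside hits the dynamic translation to 71.181.12.199.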
03-01-2016 11:09 AM
That command should have read -
"packet-tracer input Library tcp 10.98.3.3 12345 <public IP> 80"
Also, can you just post the ASA configuration?
Jon
03-01-2016 11:41 AM
config below:
CON-ASA5510# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname CON-ASA5510
domain-name nashuanh.gov
enable password 5DvauU9v6Csl8a7g encrypted
passwd 5DvauU9v6Csl8a7g encrypted
names
name 10.100.6.38 CityRX2
name 10.100.5.8 CityApps description Citrix Server
name 10.100.5.7 CityApps2
name 10.100.120.152 FDD-PCs description Fire Dispatch Computers
name 10.100.5.52 CityMail1 description Hub Transport Server
name 192.168.12.0 Library-Legacy description "Old" Library Network
name 71.181.12.198 mail.nashuanh.gov description Mail natted Address
name 71.181.12.232 CityFTP description FTP server
name 71.181.12.211 CityRAS2 description PPTP VPN Server
name 64.222.165.243 DNS1 description Fairpoint DNS Server #1
name 64.222.84.243 DNS2 description Fairpoint DNS Server #2
name 71.181.12.231 CityWeb description Web Server
name 71.181.12.248 CityGISWeb2 description GIS Web Server
name 71.181.12.209 MSW-DVR description DVR Unit at Solid Waste
name 71.181.12.214 BroadCast-PIX description For PEG TV
name 10.100.6.32 CityTelestaff description Telestaff Server
name 64.22.125.89 atl01.telestaff.net description Telestaff Hosted Server
name 67.18.208.95 dal01.telestaff.net description Telestaff Hosted Server
name 66.160.141.75 fre01.telestaff.net description Telestaff Hosted Server
name 10.100.6.24 CityKronoss2
name 10.100.6.39 CityTrain
name 10.100.6.37 CityKronosS1
name 10.100.6.34 CityKronosTest
name 71.181.12.247 CityGISWeb3 description Another GIS Web Server
name 71.181.12.250 Wordpress-Centos-Server description Allow for SFTP to WordPress Server
name 209.67.142.202 psm.telestaff.net
name 10.100.5.40 citycmdb description access Change Gear
name 71.181.12.226 City-Nashua-DMV-VPN description Nashua-DMV-VPN-DMZ-IP
name 72.95.124.69 Concord-DMV-VPN description VPN endpoint at concord DMV
name 10.100.6.10 cityspicewin7
name 10.100.6.101 citywsus
name 71.181.12.219 CityRouteCloud description RouteMatch cloud to monitor
name 67.220.100.110 Route-Match-Cloud description data from cloud to terminal in transit
name 10.100.5.22 CityTerm1
name 10.100.5.27 CityTerm2
name 10.100.5.43 CityTerm3
name 199.192.3.10 Concord-DMV-VPN2 description New VPN Endpoint 1-15
name 71.181.12.240 Netscaler
name 10.100.5.63 CityCitrix1 description Citrix Storefront
name 10.100.5.60 CityCitrix2 description Citrix Delivery Controller
name 10.100.5.61 CityCitrix3 description Citix Mgmt
name 10.100.5.62 CityCitrixApp description Citrix Virtual Delivery Agent
name 10.100.22.0 Elm_High_Street_Garages description Elm & High Street Garages
name 10.100.5.67 CityFuelXP description CityFuelXP
name 10.100.120.13 CityIMCMSG description CityIMCMSG
name 10.100.5.13 Patriot description Patriot
name 10.100.5.45 CitySQLX description CityCluster1 SQL Address
name 10.100.6.42 CitySMTP description SMTP Server
name 10.100.5.14 Thunderstone description Thunderstone Search Appliance
name 10.100.6.27 CityGIS4 description GIS Virtual Server
name 10.100.5.51 CityNet description Intranet Server
name 10.100.6.49 CityVictor description Camera Server
name 71.181.12.251 CityFilr description Filr Server for File Sharing
name 10.100.6.23 CityManager2 description Server to manage Group Policy +
name 10.100.160.80 HuntBuildingPC description Hunt Building PC for Library Staff
name 10.100.5.2 CityDC2 description City Domain Controller 2
name 10.100.5.3 CityDC3 description City Domain Controller 3
name 10.100.5.5 CityDC5 description City Domain Controller 5
name 71.181.12.234 Netscaler_Management description Netscaler Management IP
name 71.181.12.235 Netscaler_Static_IP description Netscaler Static IP
name 10.98.3.4 NPL-DC1 description Library Domain Controller 1
name 10.98.3.25 NPL-DC2 description Library Domain Controller 2
name 10.100.5.35 CityFile
name 10.100.10.15 NPL-VM1
name 10.100.5.48 CityMail2 description City Mail Server 2
name 10.100.5.36 CityMail3 description City Mail Server 3
name 10.100.30.10 Cablecast_Pro
name 10.98.3.0 Library_Staff_Wired_Network description Wired Network for Library Staff
name 10.98.4.0 Library_Staff_Wireless_Network description Wireless for Library Staff
name 71.181.12.212 Slingbox_Public description Slingbox Public IP
name 10.100.110.25 Slingbox_Private description Slingbox Internal IP
name 71.181.12.218 City_HVAC_Controller description HVAC Controller at City Hall
name 173.162.244.73 HVAC_Vendor description HVAC Vendor
name 71.181.12.246 CITYCARTWEB description City Web Server
name 10.100.22.5 CITYCAM_Inside description Camera Server
name 71.181.12.201 CITYCAM_Outside description Camera Server
name 71.181.12.233 Google_Mini
name 10.100.6.56 CitySyslogWatcher description CitySyslogWatcher
name 10.100.6.48 Scrutinizer description Scrutinizer
name 71.181.4.142 CH_IT1941_Outside description Router Interface Facing Fairpoint
name 10.100.6.63 CITYPICTOMETRY1 description CITYPICTOMETRY IP 1
name 10.100.7.125 CITYPICTOMETRY2 description CITYPICTOMETRY IP 2
name 10.100.95.11 Dana_PC description Dana PC
name 10.100.5.90 DPW-Backup1 description DPW Backup Server
name 10.100.5.55 CITYWSUS2 description City Wsus Server
name 71.181.12.249 CityGISWeb4 description CityGISWeb4
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 71.181.12.194 255.255.255.224
!
interface Ethernet0/1
nameif dmz
security-level 50
ip address 71.181.12.225 255.255.255.224
!
interface Ethernet0/2
description Interface facing NPL Firewall
nameif Library
security-level 51
ip address 10.99.0.2 255.255.255.0
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 10.100.250.2 255.255.255.0
ospf message-digest-key 5 md5 *****
ospf authentication message-digest
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.252
management-only
!
!
time-range Temp
absolute end 15:23 15 October 2011
periodic daily 0:00 to 23:59
!
banner exec **You have reached the City of Nashua. Any unauthorized users will be prosecuted to the fullest extent of the law**
banner login City of Nashua Property - Authorized Users Only
banner login Un-authorized tampering with this equipment is punishable by law
banner login Do not attempt to login if you are not authorized
banner asdm You have reached a device that is the sole property of the City of Nashua. Unauthorized use that has not been given explicit permission by the City's CIO/IT Division Director is prohiibited.
banner asdm Any unauthorized users will be prosecuted to the fullest extent of the law. If you have reached this device in error, you MUST disconnect immediately.
boot system disk0:/asa825-k8.bin
boot system disk0:/asa821-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup dmz
dns domain-lookup Library
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
domain-name nashuanh.gov
same-security-traffic permit intra-interface
object-group service DVRMonitor
description Allow Viewpoint monitoring company to access Landfill and Streets DVRs
service-object tcp range 9002 9005
service-object tcp eq www
object-group service TransitHVAC-tcp-udp
description Access to Transit garage HVAC control from Control Technologies
service-object tcp-udp eq 1911
service-object tcp-udp eq 3011
service-object tcp-udp eq 8080
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service For_Pete tcp
description Web Access to SX2 Server
port-object eq 8100
object-group service netflow udp
description netflow monitoring
port-object eq 9991
object-group service Netbios_All tcp
description Netbios ports necessary for accessing a file share
port-object range 135 netbios-ssn
object-group service Netbios udp
description File sharing ports for NetBios
port-object range 135 139
object-group service NetStat udp
description Netstat port
port-object eq 15
object-group network DM_INLINE_NETWORK_5
network-object 10.100.4.0 255.255.255.0
network-object 10.100.5.0 255.255.255.0
network-object 10.100.6.0 255.255.255.0
network-object host 10.100.30.36
network-object host 10.100.32.80
object-group service AgentMon tcp
description CBE Agent for monitoring servers port
port-object eq 5721
object-group service Symantec
description Ports for Symantec Endpoint Protection
service-object tcp eq 8014
service-object tcp eq www
service-object tcp eq https
service-object udp eq 39999
service-object icmp echo
service-object icmp echo-reply
service-object tcp eq 814
object-group service PASV-FTP tcp
description Passive FTP port range for FTP Server
port-object range 1024 1033
object-group network Fairpoint-DNS
description Fairpoint DNS Servers for EDIA Service
network-object host DNS1
network-object host DNS2
object-group service RouteMatch udp
description RouteMatch Tablets to Web Server
port-object range 55923 55925
object-group service RM_Out udp
description Tablet Communication
port-object eq 1234
object-group network DM_INLINE_NETWORK_4
network-object host atl01.telestaff.net
network-object host fre01.telestaff.net
network-object host dal01.telestaff.net
network-object host psm.telestaff.net
object-group network DM_INLINE_NETWORK_8
network-object host CityMail1
network-object host CityMail3
network-object host CityMail2
object-group network DM_INLINE_NETWORK_9
network-object host CityDC2
network-object host CityDC3
network-object host CityDC5
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group network CHECVPN
description VPN Access Group for Edgewood Cemetery
network-object 10.100.200.0 255.255.255.0
network-object 10.100.4.0 255.255.254.0
network-object 10.100.6.0 255.255.255.0
network-object 10.100.95.0 255.255.255.192
object-group service CIFS tcp
description File Sharing
port-object range 137 netbios-ssn
port-object eq 445
object-group service SFTP tcp
description Secure FTP
port-object eq ssh
object-group service DM_INLINE_SERVICE_3
service-object tcp-udp
service-object tcp range 3001 3001
object-group service autodiscover tcp
port-object eq 587
object-group network Cocnord-DMV-endpoints
network-object host Concord-DMV-VPN2
network-object host Concord-DMV-VPN
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
object-group service citrix-storefront
service-object tcp eq https
service-object tcp eq 8443
service-object tcp eq citrix-ica
service-object tcp eq www
service-object tcp eq 2598
object-group service citrix-delivery
service-object tcp eq www
service-object tcp eq https
service-object tcp eq 88
service-object tcp eq ldap
service-object tcp eq 464
service-object tcp eq 1433
service-object tcp eq 8080
service-object tcp eq citrix-ica
service-object tcp eq 2598
service-object tcp eq 8008
object-group service ADports
service-object tcp-udp eq domain
service-object tcp-udp eq 389
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 3269
service-object tcp-udp eq 88
service-object tcp-udp eq 445
service-object tcp eq smtp
service-object tcp eq 135
service-object tcp eq 5722
service-object udp eq ntp
service-object tcp-udp eq 464
service-object udp eq netbios-dgm
service-object tcp eq 9389
service-object udp eq netbios-ns
service-object tcp eq netbios-ssn
service-object tcp-udp range 49152 65535
object-group network DM_INLINE_NETWORK_12
network-object host CityFile
network-object host citywsus
network-object host cityspicewin7
network-object host CityRX2
network-object host CITYWSUS2
object-group network CityCitrix
description Citrix Environment
network-object host CityCitrix2
network-object host CityCitrix3
network-object host CityCitrixApp
network-object host CityCitrix1
object-group network DM_INLINE_NETWORK_15
network-object host Netscaler_Management
network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_16
network-object host Netscaler_Management
network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_17
network-object host Netscaler_Management
network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_18
network-object host Netscaler_Management
network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_19
network-object host Netscaler
network-object host Netscaler_Management
network-object host Netscaler_Static_IP
object-group network DM_INLINE_NETWORK_23
network-object host CityDC2
network-object host CityDC3
object-group service radius
service-object udp eq 1812
service-object udp eq 1813
object-group service DM_INLINE_TCP_1 tcp
port-object eq 1433
port-object eq www
object-group network DM_INLINE_NETWORK_1
network-object host CityGISWeb3
network-object host CityGISWeb2
network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_10
network-object host CityDC2
network-object host CityDC3
object-group network DM_INLINE_NETWORK_11
network-object host CityDC2
network-object host CityDC3
object-group network DM_INLINE_NETWORK_7
network-object host CityDC2
network-object host CityDC3
object-group network DM_INLINE_NETWORK_2
network-object host CityKronoss2
network-object host CityKronosTest
network-object host CityKronosS1
network-object host CityTrain
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_3
network-object host CityFile
network-object host citywsus
network-object host cityspicewin7
network-object host CityRX2
network-object host CITYWSUS2
object-group network DM_INLINE_NETWORK_6
network-object host CityKronoss2
network-object host CityKronosTest
network-object host CityKronosS1
network-object host CityTrain
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq www
object-group service Cameras tcp
description For Parking Garage Cameras
port-object eq rtsp
object-group service Cameras_UDP udp
port-object eq 554
object-group network DM_INLINE_NETWORK_13
network-object host 71.181.12.227
network-object host 71.181.12.228
network-object host 71.181.12.229
object-group network DM_INLINE_NETWORK_14
network-object host CITYPICTOMETRY1
network-object host CITYPICTOMETRY2
object-group service VideoEdge tcp-udp
description Camera Server Mobile App
port-object eq 8125
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_20
network-object host CITYWSUS2
network-object host citywsus
object-group service DM_INLINE_SERVICE_2
service-object tcp eq 445
service-object tcp eq netbios-ssn
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
object-group network DM_INLINE_NETWORK_21
network-object host CityGISWeb3
network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_22
network-object host CityGISWeb3
network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_24
network-object host CityGISWeb3
network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_25
network-object host CityGISWeb3
network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_26
network-object host CityGISWeb3
network-object host CityGISWeb4
object-group network DM_INLINE_NETWORK_27
network-object host CityGISWeb3
network-object host CityGISWeb4
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 10.100.105.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 10.100.105.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.4.0 255.255.255.0 10.100.104.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 71.181.12.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.100.5.0 255.255.255.0 10.100.104.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.5.0 255.255.255.0 10.100.106.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.4.0 255.255.255.0 10.100.106.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.6.0 255.255.255.0 10.100.106.0 255.255.255.0
access-list inside_nat0_outbound remark Allow non-natted traffic for vpn clients
access-list inside_nat0_outbound extended permit ip any 10.100.250.64 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.99.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.98.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any Library-Legacy 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 10.100.106.0 255.255.255.128
access-list Library_access_in remark Allow in for ERP Servers
access-list Library_access_in extended permit tcp Library_Staff_Wired_Network 255.255.255.0 10.100.200.0 255.255.255.0
access-list Library_access_in remark Allow access for Change Gear
access-list Library_access_in extended permit object-group TCPUDP Library_Staff_Wired_Network 255.255.255.0 host citycmdb eq www
access-list Library_access_in remark Allow in for Web Servers
access-list Library_access_in extended permit tcp Library_Staff_Wired_Network 255.255.255.0 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_2
access-list Library_access_in remark Allow access for CityFile, citywsus, cityspicewin7, & CityRX2
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 host Thunderstone
access-list Library_access_in extended permit tcp Library_Staff_Wired_Network 255.255.255.0 host CityNet
access-list Library_access_in remark Allow access for Library Staff to Hunt Building PC
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 host HuntBuildingPC
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 host NPL-VM1
access-list Library_access_in extended permit icmp any any echo-reply
access-list Library_access_in extended permit icmp any any unreachable
access-list Library_access_in remark NPL Time Clock
access-list Library_access_in extended permit ip host 10.98.3.45 host CityKronoss2
access-list Library_access_in remark Allow in for domain controller authentication
access-list Library_access_in extended permit ip any object-group DM_INLINE_NETWORK_9
access-list Library_access_in remark Allow in for Exchange
access-list Library_access_in extended permit ip any object-group DM_INLINE_NETWORK_8
access-list Library_access_in remark Allow HTTP to Citywsus from library vlan with private and public PC's
access-list Library_access_in extended permit tcp 10.98.2.0 255.255.255.0 object-group DM_INLINE_NETWORK_20 eq www
access-list Library_access_in remark Allow Library Domain Controller 1 access into City
access-list Library_access_in extended permit ip host NPL-DC1 any
access-list Library_access_in remark Allow Library Domain Controller 2 access into City
access-list Library_access_in extended permit ip host NPL-DC2 any
access-list Library_access_in remark Allow Library Staff Wireless in for ERP Servers
access-list Library_access_in extended permit tcp Library_Staff_Wireless_Network 255.255.255.0 10.100.200.0 255.255.255.0
access-list Library_access_in remark Allow Library Staff Wireless in for Web Servers
access-list Library_access_in extended permit tcp Library_Staff_Wireless_Network 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_TCP_3
access-list Library_access_in remark Allow Library Staff Wireless access to CityFile, citywsus, cityspicewin7, & CityRX2
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 object-group DM_INLINE_NETWORK_12
access-list Library_access_in remark Allow Library Staff Wireless Access to Change Gear
access-list Library_access_in extended permit object-group TCPUDP Library_Staff_Wireless_Network 255.255.255.0 host citycmdb eq www
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 host Thunderstone
access-list Library_access_in extended permit tcp Library_Staff_Wireless_Network 255.255.255.0 host CityNet
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 host HuntBuildingPC
access-list Library_access_in extended permit ip Library_Staff_Wireless_Network 255.255.255.0 host NPL-VM1
access-list Library_access_in remark Allow for ftp.
access-list Library_access_in extended permit ip any host Dana_PC
access-list Library_access_in remark Allow Library Staff Internet Access Through EDIA
access-list Library_access_in extended permit ip Library_Staff_Wired_Network 255.255.255.0 interface outside
access-list outside_access_in remark Temp Rule for web server issues
access-list outside_access_in extended deny ip 220.181.0.0 255.255.0.0 any
access-list outside_access_in extended deny ip host 69.4.232.112 any
access-list outside_access_in remark NJ IP that is downloading gigabytes from City Web Site
access-list outside_access_in extended deny ip host 76.116.26.132 any
access-list outside_access_in remark Allow web access from outside.
access-list outside_access_in extended permit tcp any host City-Nashua-DMV-VPN eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityWeb eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityFTP eq www
access-list outside_access_in extended permit tcp any host Google_Mini eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host Netscaler_Management eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host Netscaler_Static_IP eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host Netscaler eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CITYCARTWEB eq www inactive
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_27 object-group DM_INLINE_TCP_4
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityGISWeb2 eq www
access-list outside_access_in extended permit tcp any host Wordpress-Centos-Server eq www
access-list outside_access_in remark Allow web access from outside
access-list outside_access_in extended permit tcp any host CityFilr eq www
access-list outside_access_in extended permit tcp any host 71.181.12.252 eq www inactive
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_13 eq www inactive
access-list outside_access_in extended permit tcp any host 71.181.12.230 eq www inactive
access-list outside_access_in extended permit tcp any host CityGISWeb4 eq www inactive
access-list outside_access_in extended permit tcp any 71.181.12.224 255.255.255.224 eq www inactive
access-list outside_access_in extended permit tcp any 71.181.12.224 255.255.255.224 eq https
access-list outside_access_in remark Rule to allow RedBarn access to Sandbox
access-list outside_access_in extended permit tcp any host CityWeb eq 82
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in remark Allow in for FTPS on CityFTP
access-list outside_access_in extended permit tcp any host CityFTP eq 990
access-list outside_access_in remark Allow in for FTPS on CityFTP
access-list outside_access_in extended permit tcp any host CityFTP object-group PASV-FTP
access-list outside_access_in remark Allow FTP in to CityFTP
access-list outside_access_in extended permit tcp any host CityFTP eq ftp
access-list outside_access_in remark Rule to allow SX2 in web access
access-list outside_access_in extended permit tcp any interface outside object-group For_Pete
access-list outside_access_in remark Allow in for MSW DVR monitoring
access-list outside_access_in extended permit ip 12.28.108.0 255.255.255.0 host MSW-DVR
access-list outside_access_in extended permit tcp any host mail.nashuanh.gov eq smtp
access-list outside_access_in extended permit tcp any host mail.nashuanh.gov eq https
access-list outside_access_in extended permit tcp any host mail.nashuanh.gov object-group autodiscover
access-list outside_access_in extended permit gre any host CityRAS2
access-list outside_access_in extended permit tcp any host CityRAS2 eq pptp
access-list outside_access_in remark Access to Remote TV Switcher
access-list outside_access_in extended permit tcp any host BroadCast-PIX eq 9999
access-list outside_access_in remark Allow Access to Citrix
access-list outside_access_in extended permit object-group citrix-storefront any host Netscaler
access-list outside_access_in remark Allow Telestaff Web Host Server to NAT of internal Telestaff Server
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_4 host 71.181.12.215 object-group DM_INLINE_TCP_5
access-list outside_access_in remark Concord DMV VPN IP to Nashua DMV VPN IP
access-list outside_access_in extended permit ip host Concord-DMV-VPN2 host City-Nashua-DMV-VPN
access-list outside_access_in remark In from Outside Route Match Cloud to Transit Route Match Monitor
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_3 host Route-Match-Cloud host CityRouteCloud
access-list outside_access_in extended permit tcp any host CityFilr eq 8443
access-list outside_access_in extended permit tcp any host Slingbox_Public eq 5001
access-list outside_access_in remark Allow HVAC Vendor Access to the HVAC System
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host HVAC_Vendor host City_HVAC_Controller
access-list outside_access_in remark Allow in for FrontDoor
access-list outside_access_in extended permit tcp any host Cablecast_Pro eq 8100
access-list outside_access_in extended permit tcp any host CITYCAM_Outside
access-list outside_access_in remark Allow Router to Internet Traffic Send to Scrutinizer
access-list outside_access_in extended permit udp host CH_IT1941_Outside interface outside eq 2055
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec interface dmz host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host City-Nashua-DMV-VPN host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityWeb host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityFTP host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Netscaler_Management host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Netscaler_Static_IP host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Netscaler host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CITYCARTWEB host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec object-group DM_INLINE_NETWORK_21 host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityGISWeb2 host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host Wordpress-Centos-Server host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec host CityFilr host CityRX2
access-list dmz_access_in remark Allow in for Symantec Port Management
access-list dmz_access_in extended permit object-group Symantec 71.181.12.224 255.255.255.224 host CityRX2
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host City-Nashua-DMV-VPN any eq www
access-list dmz_access_in remark Allow web access
access-list dmz_access_in extended permit tcp host CityWeb any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CityFTP any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Netscaler_Management any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Netscaler_Static_IP any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Netscaler any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CITYCARTWEB any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_22 any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CityGISWeb2 any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host Wordpress-Centos-Server any eq www
access-list dmz_access_in remark Allow web access.
access-list dmz_access_in extended permit tcp host CityFilr any eq www
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host City-Nashua-DMV-VPN any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityWeb any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityFTP any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Netscaler_Management any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Netscaler_Static_IP any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Netscaler any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CITYCARTWEB any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_24 any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityGISWeb2 any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host CityFilr any eq www
access-list dmz_access_in remark Allow web access UDP.
access-list dmz_access_in extended permit udp host Wordpress-Centos-Server any eq www
access-list dmz_access_in extended permit udp 71.181.12.224 255.255.255.224 any eq www
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP interface dmz object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host City-Nashua-DMV-VPN object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityWeb object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityFTP object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Netscaler_Management object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Netscaler_Static_IP object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Netscaler object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CITYCARTWEB object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_25 object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityGISWeb2 object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host Wordpress-Centos-Server object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP host CityFilr object-group Fairpoint-DNS eq domain
access-list dmz_access_in remark Allow DNS out for DMZ
access-list dmz_access_in extended permit object-group TCPUDP 71.181.12.224 255.255.255.224 object-group Fairpoint-DNS eq domain
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended permit icmp any any unreachable
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 host CityMail1 eq smtp
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 host CityMail1 object-group autodiscover
access-list dmz_access_in remark Allow the Google mini to ping citymailfe.
access-list dmz_access_in remark The google tried to perform this test before using a SMTP server.
access-list dmz_access_in extended permit icmp 71.181.12.224 255.255.255.224 host CityMail1 echo
access-list dmz_access_in extended permit object-group citrix-delivery object-group DM_INLINE_NETWORK_15 object-group CityCitrix
access-list dmz_access_in extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_16 object-group DM_INLINE_NETWORK_7 eq domain
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_17 object-group DM_INLINE_NETWORK_10 eq 3268
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_18 object-group DM_INLINE_NETWORK_23 eq ldap
access-list dmz_access_in extended permit icmp object-group DM_INLINE_NETWORK_19 object-group DM_INLINE_NETWORK_11
access-list dmz_access_in remark Allow out for NTP
access-list dmz_access_in extended permit udp host Wordpress-Centos-Server any eq ntp
access-list dmz_access_in remark Allow in for File Shares to CityPictometry. Delete rule 12-31-13
access-list dmz_access_in extended permit tcp host CityGISWeb2 host 10.100.6.107 object-group CIFS
access-list dmz_access_in remark City DMV VPN to Concord DMV VPN
access-list dmz_access_in extended permit ip host City-Nashua-DMV-VPN host Concord-DMV-VPN2
access-list dmz_access_in extended permit tcp host CityWeb host Patriot object-group DM_INLINE_TCP_1
access-list dmz_access_in extended permit tcp host CityWeb host CitySQLX
access-list dmz_access_in extended permit icmp host CityWeb host CitySQLX
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host CitySQLX
access-list dmz_access_in extended permit udp host CityFilr host 129.6.15.28 eq ntp
access-list dmz_access_in extended permit tcp 71.181.12.224 255.255.255.224 host CitySMTP eq smtp
access-list dmz_access_in extended permit tcp host CityFilr host CityDC5 eq ldap
access-list dmz_access_in extended permit object-group radius host City-Nashua-DMV-VPN host CityDC5
access-list dmz_access_in extended permit tcp host CityFilr host CityFile eq cifs
access-list dmz_access_in extended permit ip host CityFilr host CityFile
access-list dmz_access_in extended permit udp host CityFilr host CityFile eq netbios-dgm
access-list dmz_access_in remark Syslog for Mark
access-list dmz_access_in extended permit udp host Netscaler_Management host CitySyslogWatcher eq syslog
access-list dmz_access_in remark for Angelo access to share
access-list dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_26 object-group DM_INLINE_NETWORK_14
access-list dmz_access_in remark Allow CITYCARTWEB Access to DPW-Backup1
access-list dmz_access_in extended permit tcp host CITYCARTWEB host DPW-Backup1 eq 10000
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 host CityGISWeb2 host CITYPICTOMETRY1
access-list FireVPN-Permits extended permit ip any 10.100.120.0 255.255.255.240
access-list FireVPN-Permits extended permit object-group Symantec any host CityRX2
access-list FireVPN-Permits extended permit object-group TCPUDP any 10.100.5.0 255.255.255.0 eq domain
access-list FireVPN-Permits extended permit ip any host CityGIS4
access-list outside_cryptomap remark Edgewood
access-list outside_cryptomap extended permit ip object-group CHECVPN 10.100.106.0 255.255.255.128
access-list Library_nat0_outbound remark Exempt all NAT Traffic
access-list Library_nat0_outbound extended permit ip any any
access-list inside_mpc extended permit tcp any host CityRouteCloud eq 1287
access-list CH<>EC standard permit 10.100.4.0 255.255.255.0
access-list CH<>EC standard permit 10.100.5.0 255.255.255.0
access-list CH<>EC standard permit 10.100.6.0 255.255.255.0
access-list inside_access_in remark Allow mail server to send mail outgoing
access-list inside_access_in extended permit tcp host CityMail1 any eq smtp
access-list inside_access_in remark Deny all SMTP Out
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip FDD-PCs 255.255.255.248 71.181.12.224 255.255.255.224
access-list inside_access_in extended deny ip any host 69.4.232.112
access-list inside_access_in extended permit udp host CITYCAM_Inside any eq 554
access-list inside_access_in remark Allow Default outgoing
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny ip host CityFuelXP any
access-list inside_access_in extended permit tcp host CityIMCMSG any eq smtp
access-list inside_access_in extended permit ip host CityIMCMSG 10.100.250.64 255.255.255.224 log disable
access-list inside_access_in extended deny ip host CityIMCMSG any
access-list split_tunnel standard permit 10.100.0.0 255.255.0.0
access-list AC_VPN_Limited_Permit remark Allow access to servers
access-list AC_VPN_Limited_Permit extended permit ip any object-group DM_INLINE_NETWORK_5
access-list AC_VPN_Limited_Permit extended permit ip any 10.100.95.0 255.255.255.192
access-list AC_VPN_Limited_Denies extended deny ip any host CityManager2
access-list throttle extended permit ip host 71.181.12.199 any
access-list throttle extended permit ip host 71.181.12.200 any
access-list throttle extended permit ip any host 71.181.12.199
access-list throttle extended permit ip any host 71.181.12.200
access-list Bloxx-group remark Bloxx Unit
access-list Bloxx-group standard permit host 10.100.250.10
access-list Bloxx extended deny ip host 10.100.30.35 any
access-list Bloxx extended deny ip host 10.100.30.37 any
access-list Bloxx extended deny ip host 10.100.95.6 any
access-list Bloxx extended deny ip host 10.100.30.56 any
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 69.56.155.0 255.255.255.192
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 host 63.127.199.226
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 host 72.55.246.22
access-list Bloxx extended deny ip host 10.100.32.69 any
access-list Bloxx remark State's Server for legislative broadcasts
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 216.177.20.0 255.255.255.0
access-list Bloxx remark CDC Server for broadcasts
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 host 198.246.99.21
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 71.181.12.224 255.255.255.224
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list Bloxx remark do not forward web traffic to Library
access-list Bloxx extended deny ip 10.100.0.0 255.255.0.0 10.98.0.0 255.255.0.0
access-list Bloxx remark us.getac.com
access-list Bloxx extended deny tcp any host 204.236.134.65 object-group DM_INLINE_TCP_6
access-list Bloxx remark Allow city traffic
access-list Bloxx extended permit tcp 10.100.0.0 255.255.0.0 any eq www
access-list Bloxx-Group1 extended permit ip host 10.100.250.10 any
access-list AC_VPN_Limited2_Permit extended permit ip any 10.100.200.0 255.255.255.0
access-list outside_cryptomap_1 remark Woodlawn Cemetary
access-list outside_cryptomap_1 extended permit ip 10.100.0.0 255.255.0.0 10.100.105.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 10.100.0.0 255.255.0.0 10.100.105.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging asdm-buffer-size 250
logging trap warnings
logging asdm debugging
logging from-address ASA5510@nashua.city
logging recipient-address italerts@nashuanh.gov level errors
logging facility 18
logging device-id hostname
logging host inside 10.100.6.20
logging host inside 10.100.5.114
logging host inside CitySyslogWatcher
logging class auth trap informational
logging class config trap notifications
logging class vpn trap informational
logging class vpnc trap notifications
logging class webvpn history notifications trap notifications
logging class ssl history notifications trap notifications
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304002
no logging message 304001
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside Scrutinizer 9995
flow-export template timeout-rate 1
flow-export delay flow-create 15
mtu outside 1500
mtu dmz 1500
mtu Library 1500
mtu inside 1500
mtu management 1500
ip local pool VPNPool 10.250.0.1-10.250.0.50 mask 255.255.255.0
ip local pool RAVPN_POOL 10.100.250.65-10.100.250.95 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 11 64.80.28.136 netmask 255.0.0.0
global (outside) 99 64.80.28.135
global (outside) 10 71.181.12.199 netmask 255.255.255.255
global (outside) 10 71.181.12.200 netmask 255.255.255.255
nat (Library) 0 access-list Library_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8100 Cablecast_Pro www netmask 255.255.255.255
static (inside,outside) tcp interface smtp CitySMTP smtp netmask 255.255.255.255
static (inside,outside) udp interface 2055 Scrutinizer 2055 netmask 255.255.255.255
static (dmz,outside) 71.181.12.224 71.181.12.224 netmask 255.255.255.224
static (inside,outside) CITYCAM_Outside CITYCAM_Inside netmask 255.255.255.255
static (inside,outside) MSW-DVR 10.100.109.17 netmask 255.255.255.255
static (inside,outside) mail.nashuanh.gov CityMail1 netmask 255.255.255.255
static (inside,outside) CityRAS2 10.100.5.28 netmask 255.255.255.255
static (inside,outside) BroadCast-PIX 10.100.110.28 netmask 255.255.255.255
static (inside,outside) 71.181.12.215 CityTelestaff netmask 255.255.255.255
static (inside,outside) CityRouteCloud 10.100.32.16 netmask 255.255.255.255
static (inside,outside) Slingbox_Public Slingbox_Private netmask 255.255.255.255 tcp 2 0 udp 2
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group Library_access_in in interface Library
access-group inside_access_in in interface inside
!
router ospf 1
router-id 10.100.250.2
network 10.99.0.0 255.255.255.0 area 2
network 10.100.250.0 255.255.255.0 area 0
area 0 range 10.100.0.0 255.255.0.0
distance ospf intra-area 80 inter-area 80 external 95
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 71.181.12.193 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-message "Authorized Access Only"
action terminate
dynamic-access-policy-record VPN-Limited
description "VPN user group for limited City Access"
user-message "Welcome to the City of Nashua's VPN network. Unauthorized access prohibited."
network-acl AC_VPN_Limited_Permit
network-acl AC_VPN_Limited_Denies
priority 500
webvpn
svc ask none default svc
dynamic-access-policy-record VPN-Fire
description "Access for Fire Vehicles"
network-acl FireVPN-Permits
priority 600
webvpn
svc ask none default svc
dynamic-access-policy-record VPN-Limited2
description "Adds Lawson Access"
network-acl AC_VPN_Limited_Permit
network-acl AC_VPN_Limited_Denies
network-acl AC_VPN_Limited2_Permit
priority 275
webvpn
svc ask enable default svc
dynamic-access-policy-record VPN-Admins
description "Allow Administrative VPN Access"
user-message "Unauthorized users will be shot. Survivors will be shot again."
priority 250
webvpn
svc ask none default svc
aaa-server VPN-LDAP protocol ldap
aaa-server VPN-LDAP (inside) host CityDC2
timeout 15
ldap-base-dn DC=nashua,DC=city
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=mgrjboss,OU=Resources,DC=nashua,DC=city
server-type microsoft
aaa-server RADIUS protocol radius
reactivation-mode timed
aaa-server RADIUS (inside) host CityDC5
retry-interval 5
key *****
aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL
aaa authentication serial console LOCAL
http server enable 8080
http server idle-timeout 30
http CityManager2 255.255.255.255 inside
http 10.100.95.0 255.255.255.192 inside
snmp-server host inside 10.100.5.114 trap community ***** version 2c
snmp-server host inside citycmdb community ***** version 2c
snmp-server host inside 10.100.5.76 community *****
snmp-server host inside 10.100.6.20 trap community ***** version 2c
snmp-server host inside 10.100.6.21 community *****
snmp-server host inside 10.100.6.25 community ***** version 2c
snmp-server host inside Scrutinizer community ***** version 2c
snmp-server host inside CitySyslogWatcher trap community ***** version 2c
snmp-server host inside 10.100.6.6 community *****
snmp-server host inside 10.100.95.50 trap community *****
snmp-server host inside 10.100.6.11 community *****
snmp-server location "City Hall - 2nd Floor Equipment Room, right"
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps remote-access session-threshold-exceeded
sysopt noproxyarp dmz
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 71.168.70.56
crypto map outside_map1 1 set transform-set ESP-AES-128-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
telnet timeout 25
ssh scopy enable
ssh 10.100.6.20 255.255.255.255 inside
ssh CityManager2 255.255.255.255 inside
ssh 10.100.95.0 255.255.255.192 inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.2 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.100.0.0 255.255.0.0
threat-detection scanning-threat shun duration 300
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp 200 redirect-list Bloxx group-list Bloxx-Group1
wccp interface inside 200 redirect in
ntp server 10.100.2.253
webvpn
port 8484
enable outside
dtls port 8484
svc image disk0:/anyconnect-macosx-i386-2.5.6005-k9.pkg 1
svc image disk0:/anyconnect-win-2.5.6005-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy AC-VPN-GP internal
group-policy AC-VPN-GP attributes
banner none
dns-server value 10.100.5.2 10.100.5.3
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value nashua.city
address-pools value RAVPN_POOL
group-policy CH<>WL internal
group-policy CH<>WL attributes
vpn-tunnel-protocol IPSec
group-policy CH<>MSW internal
group-policy CH<>MSW attributes
vpn-tunnel-protocol IPSec
group-policy CH<>EC internal
group-policy CH<>EC attributes
vpn-tunnel-protocol IPSec
username admin password 90nATqa6nCj5iJ88 encrypted privilege 15
username Cisco password kGOz5H/IcvmJAAtS encrypted privilege 15
username Cisco attributes
service-type remote-access
username itadmin password sNnj/F6CPVWNeUXn encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
isakmp ikev1-user-authentication none
tunnel-group 71.168.70.56 type ipsec-l2l
tunnel-group 71.168.70.56 general-attributes
default-group-policy CH<>EC
tunnel-group 71.168.70.56 ipsec-attributes
pre-shared-key *****
tunnel-group 75.144.145.93 type ipsec-l2l
tunnel-group 75.144.145.93 general-attributes
default-group-policy CH<>MSW
tunnel-group 75.144.145.93 ipsec-attributes
pre-shared-key *****
tunnel-group AC-VPN type remote-access
tunnel-group AC-VPN general-attributes
authentication-server-group VPN-LDAP
default-group-policy AC-VPN-GP
tunnel-group AC-VPN webvpn-attributes
group-alias CityVPN enable
tunnel-group 68.238.57.133 type ipsec-l2l
tunnel-group 68.238.57.133 general-attributes
default-group-policy CH<>WL
tunnel-group 68.238.57.133 ipsec-attributes
pre-shared-key *****
!
class-map throttle
match access-list throttle
class-map class_sqlnet
match port tcp eq 1433
class-map inspection_default
match default-inspection-traffic
class-map Routematch
match access-list inside_mpc
class-map Netflow-Class
description Use for netflow
match any
class-map outside-class
match port tcp range 1 65535
!
!
policy-map throttle-traffic
class throttle
police input 25000000 12500
police output 25000000 12500
policy-map RouteMatch
class Routematch
set connection timeout half-closed 0:00:00 idle 0:00:00 dcd 0:15:00 5
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
class Netflow-Class
flow-export event-type all destination Scrutinizer
policy-map outside-policy
description Traffic limit on TCP to 40Mbs with a 5Mbs burst (prevent TCP from starving UPD and tunnel traffic on 50Mbs interface)
class outside-class
police input 35000000 1000000
police output 35000000 1000000
!
service-policy global_policy global
service-policy outside-policy interface outside
service-policy RouteMatch interface inside
smtp-server 10.100.5.52
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:466657b28c7b6ba1cc2ade5b0132bbbe
: end
03-01-2016 11:56 AM
You have these lines in your configuration -
"access-list Library_nat0_outbound extended permit ip any any"
"nat (Library) 0 access-list Library_nat0_outbound"
which means: do not NAT any IPs that come in on the Library interface, so your 10.98.3.x IPs are not translated.
But they are private IPs so they need translating.
It is not clear why those lines are there, and also not clear what public IP you would want to translate the 10.98.3.x IPs to?
Jon
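As an added worked example (not part of the thread and not the poster's configuration), here is the ASA 8.2-style change that the reply above points at: the overly broad NAT exemption as posted, next to a scoped exemption plus a dynamic PAT rule and the static route back toward the Sonicwall. It assumes that the interface named Library is the one addressed 10.99.0.2 that faces the Sonicwall, that 10.98.3.0/24 should share the existing "global (outside) 10" pool (71.181.12.199 and .200) on its way to the ISP, and that traffic between 10.98.3.0/24 and the city's 10.100.0.0/16 networks should stay untranslated; 10.98.3.10 in the packet-tracer check is a made-up test host.

```cisco
! --- As posted: exempts EVERYTHING arriving on Library from NAT.
! With nat-control on, a 10.98.3.x source matches this exemption first,
! reaches the outside interface untranslated, and the ISP drops the
! private source address.
!   access-list Library_nat0_outbound extended permit ip any any
!   nat (Library) 0 access-list Library_nat0_outbound

! 1. Tell the ASA where 10.98.3.0/24 lives (Sonicwall side, 10.99.0.3).
!    Without this, return traffic follows the default route to the ISP.
!    AD 1 wins over the OSPF routes learned in area 2 on 10.99.0.0/24.
route Library 10.98.3.0 255.255.255.0 10.99.0.3 1

! 2. Narrow the exemption: only Library <-> city networks (assumed
!    10.100.0.0/16) bypass translation.
no access-list Library_nat0_outbound extended permit ip any any
access-list Library_nat0_outbound extended permit ip 10.98.3.0 255.255.255.0 10.100.0.0 255.255.0.0

! 3. Dynamic PAT for 10.98.3.0/24 leaving via outside, reusing the
!    existing "global (outside) 10" addresses. nat 0 (exempt) is
!    evaluated before nat 10, so city-bound traffic still skips PAT.
nat (Library) 10 10.98.3.0 255.255.255.0

! 4. Translations built under the old rules stay in the xlate table
!    (timeout xlate 3:00:00); drop only the Library-side ones.
clear xlate interface Library

! 5. Verify: packet-tracer walks route lookup, ACL and NAT phases.
!    Expect "Action: allow" with a NAT phase showing 10.98.3.10
!    translated to 71.181.12.199 or .200.
packet-tracer input Library tcp 10.98.3.10 12345 8.8.8.8 80
show route | include 10.98.3
show xlate | include 10.98.3
```

Keep the scoped nat 0 entry: without it, the new nat 10 rule would also PAT 10.98.3.x toward 10.100.x, and the Bloxx and inside ACLs that reference 10.98.0.0/16 would no longer see the real source. The Library_access_in ACL still has to permit the traffic, as the opening post says it already does.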