12-13-2013 08:10 AM
Hi, all.
ASA 5512 v8.6: NAT to the web server cannot be accessed.
My inside PC can access www.cisco.com, but an outside client cannot access my web server inside.
Here is all my config; I do not know which part is wrong.
Thank you for your help.
ciscoasa#
ciscoasa# show run
ciscoasa# show running-config
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address X.X.X.1 255.255.255.240
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description Link To 3560 G0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.1.13 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
!
!
time-range k3used
absolute start 08:00 01 January 2008
periodic daily 0:00 to 23:59
periodic daily 9:00 to 18:00
!
ftp mode passive
clock timezone BeiJing 8
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.200.0
subnet 192.168.200.0 255.255.255.0
object network obj-192.168.1.2
host 192.168.1.2
object network obj-192.168.1.2-01
host 192.168.1.2
object network obj-192.168.1.19
host 192.168.1.19
object network obj-192.168.1.20
host 192.168.1.20
object network obj-192.168.1.88
host 192.168.1.88
object network obj-192.168.1.1
host 192.168.1.1
object network obj-192.168.1.2-02
host 192.168.1.2
object network obj-192.168.1.6
host 192.168.1.6
object network obj-X.X.X.3
host X.X.X.3
object service obj-tcp-source-eq-25
service tcp source eq smtp
object service obj-tcp-source-eq-110
service tcp source eq pop3
object network obj-X.X.X.10
host X.X.X.10
object service obj-tcp-source-eq-8086
service tcp source eq 8086
object service obj-tcp-source-eq-80
service tcp source eq www
object network obj-192.168.1.1-01
host 192.168.1.1
object service obj-tcp-source-eq-3389
service tcp source eq 3389
object service obj-tcp-source-eq-9877
service tcp source eq 9877
object service obj-tcp-source-eq-21
service tcp source eq ftp
object service obj-tcp-source-eq-20
service tcp source eq ftp-data
object network obj-192.168.2.88
host 192.168.2.88
object network obj-192.168.2.88-01
host 192.168.2.88
object network obj-192.168.2.88-02
host 192.168.2.88
object network obj-192.168.1.19-01
host 192.168.1.19
object network obj-192.168.2.2
host 192.168.2.2
object network obj-192.168.2.2-01
host 192.168.2.2
object network obj-192.168.2.2-02
host 192.168.2.2
object network obj-192.168.3.2
host 192.168.3.2
object network obj-192.168.3.2-01
host 192.168.3.2
object network obj-192.168.3.2-02
host 192.168.3.2
object network obj-X.X.X.9
host X.X.X.9
object service obj-tcp-source-eq-8087
service tcp source eq 8087
object network obj-192.168.1.200
host 192.168.1.200
object network obj-192.168.1.200-01
host 192.168.1.200
object network obj-192.168.1.30
host 192.168.1.30
object network obj-192.168.1.30-01
host 192.168.1.30
object network obj-192.168.1.1-02
host 192.168.1.1
object network obj-X.X.X.6
host X.X.X.6
object service obj-tcp-source-eq-8088
service tcp source eq 8088
object network obj-192.168.3.5
host 192.168.3.5
object network obj-192.168.3.5-01
host 192.168.3.5
object network obj-192.168.3.5-02
host 192.168.3.5
object network obj-192.168.3.5-03
host 192.168.3.5
object network obj-192.168.3.5-04
host 192.168.3.5
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network obj-192.168.5.0
subnet 192.168.5.0 255.255.255.0
object network obj-192.168.6.0
subnet 192.168.6.0 255.255.255.0
object network obj-192.168.7.0
subnet 192.168.7.0 255.255.255.0
object network obj-192.168.8.0
subnet 192.168.8.0 255.255.255.0
access-list vpn_list extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn_list extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended deny ip any host 58.215.78.113
access-list 101 extended deny ip any host 61.139.126.81
access-list 101 extended deny ip any host 61.152.94.154
access-list 101 extended permit ip host 192.168.4.2 any
access-list 101 extended permit ip host 192.168.4.3 any
access-list 101 extended permit ip host 192.168.4.4 any
access-list 101 extended permit ip host 192.168.4.5 any
access-list 101 extended permit ip host 192.168.4.7 any
access-list 101 extended permit ip host 192.168.4.8 any
access-list 101 extended permit ip host 192.168.4.9 any
access-list 101 extended permit ip host 192.168.4.10 any
access-list 101 extended permit ip host 192.168.4.11 any
access-list 101 extended permit ip host 192.168.4.12 any
access-list 101 extended permit ip host 192.168.4.13 any
access-list 101 extended permit ip host 192.168.4.14 any
access-list 101 extended permit ip host 192.168.4.15 any
access-list 101 extended permit ip host 192.168.4.16 any
access-list 101 extended permit ip host 192.168.4.18 any
access-list 101 extended permit ip host 192.168.4.19 any
access-list 101 extended permit ip host 192.168.4.20 any
access-list 101 extended permit ip host 192.168.4.180 any
access-list 101 extended deny ip 192.168.4.0 255.255.255.0 any
access-list 101 extended permit ip host 192.168.2.176 any
access-list 101 extended permit icmp any any
access-list 101 extended permit ip host 192.168.2.3 any
access-list 101 extended permit ip host 192.168.2.164 any
access-list 101 extended permit ip host 192.168.2.171 any
access-list 101 extended permit ip host 192.168.2.142 any
access-list 101 extended permit ip host 192.168.2.180 any
access-list 101 extended permit ip host 192.168.2.149 any
access-list 101 extended permit ip host 192.168.2.201 any
access-list 101 extended permit ip host 192.168.2.170 any
access-list 101 extended permit ip host 192.168.2.168 any
access-list 101 extended permit ip host 192.168.2.103 any
access-list 101 extended permit ip host 192.168.2.34 any
access-list 101 extended permit ip host 192.168.2.174 any
access-list 101 extended permit ip host 192.168.2.199 any
access-list 101 extended permit ip host 192.168.2.253 any
access-list 101 extended permit ip host 192.168.2.236 any
access-list 101 extended permit ip host 192.168.2.214 any
access-list 101 extended permit ip host 192.168.2.110 any
access-list 101 extended permit ip host 192.168.2.127 any
access-list 101 extended permit ip host 192.168.2.178 any
access-list 101 extended permit ip host 192.168.2.21 any
access-list 101 extended permit ip host 192.168.2.24 any
access-list 101 extended permit ip host 192.168.2.251 any
access-list 101 extended permit ip host 192.168.2.33 any
access-list 101 extended permit ip host 192.168.2.120 any
access-list 101 extended permit ip host 192.168.2.85 any
access-list 101 extended permit ip host 192.168.2.137 any
access-list 101 extended permit ip host 192.168.2.113 any
access-list 101 extended permit ip host 192.168.2.20 any
access-list 101 extended permit ip host 192.168.2.101 any
access-list 101 extended permit ip host 192.168.2.106 any
access-list 101 extended permit ip host 192.168.2.140 any
access-list 101 extended permit ip host 192.168.2.215 any
access-list 101 extended permit ip host 192.168.2.107 any
access-list 101 extended permit ip host 192.168.2.234 any
access-list 101 extended permit ip host 192.168.2.15 any
access-list 101 extended permit ip host 192.168.2.55 any
access-list 101 extended permit ip host 192.168.2.41 any
access-list 101 extended permit ip host 192.168.2.13 any
access-list 101 extended permit ip host 192.168.2.133 any
access-list 101 extended permit ip host 192.168.2.73 any
access-list 101 extended permit ip host 192.168.2.172 any
access-list 101 extended permit ip host 192.168.2.175 any
access-list 101 extended permit ip host 192.168.2.88 any
access-list 101 extended permit ip host 192.168.2.188 any
access-list 101 extended permit ip host 192.168.2.136 any
access-list 101 extended permit ip host 192.168.2.74 any
access-list 101 extended permit ip host 192.168.2.12 any
access-list 101 extended permit ip host 192.168.2.100 any
access-list 101 extended permit ip host 192.168.2.102 any
access-list 101 extended permit ip host 192.168.2.152 any
access-list 101 extended permit ip host 192.168.2.4 any
access-list 101 extended permit ip host 192.168.2.5 any
access-list 101 extended permit ip host 192.168.2.6 any
access-list 101 extended permit ip host 192.168.2.14 any
access-list 101 extended permit ip host 192.168.2.19 any
access-list 101 extended permit ip host 192.168.2.16 any
access-list 101 extended permit ip host 192.168.2.17 any
access-list 101 extended permit ip host 192.168.2.18 any
access-list 101 extended permit ip host 192.168.2.22 any
access-list 101 extended permit ip host 192.168.2.23 any
access-list 101 extended permit ip host 192.168.2.115 any
access-list 101 extended permit ip host 192.168.2.116 any
access-list 101 extended permit ip host 192.168.2.117 any
access-list 101 extended permit ip host 192.168.2.118 any
access-list 101 extended permit ip host 192.168.2.119 any
access-list 101 extended permit ip host 192.168.2.150 any
access-list 101 extended permit ip host 192.168.2.128 any
access-list 101 extended deny ip 192.168.2.0 255.255.255.0 any
access-list 101 extended permit ip host 192.168.3.2 any
access-list 101 extended permit ip host 192.168.3.3 any
access-list 101 extended permit ip host 192.168.3.4 any
access-list 101 extended permit ip host 192.168.3.5 any
access-list 101 extended permit ip host 192.168.3.6 any
access-list 101 extended permit ip host 192.168.3.7 any
access-list 101 extended permit ip host 192.168.3.8 any
access-list 101 extended permit ip host 192.168.3.9 any
access-list 101 extended permit ip host 192.168.3.10 any
access-list 101 extended permit ip host 192.168.3.11 any
access-list 101 extended permit ip host 192.168.3.12 any
access-list 101 extended permit ip host 192.168.3.13 any
access-list 101 extended permit ip host 192.168.3.14 any
access-list 101 extended permit ip host 192.168.3.15 any
access-list 101 extended permit ip host 192.168.3.16 any
access-list 101 extended permit ip host 192.168.3.17 any
access-list 101 extended permit ip host 192.168.3.18 any
access-list 101 extended permit ip host 192.168.3.19 any
access-list 101 extended permit ip host 192.168.3.20 any
access-list 101 extended permit ip host 192.168.3.21 any
access-list 101 extended permit ip host 192.168.3.22 any
access-list 101 extended permit ip host 192.168.3.23 any
access-list 101 extended permit ip host 192.168.3.24 any
access-list 101 extended permit ip host 192.168.3.25 any
access-list 101 extended permit ip host 192.168.3.26 any
access-list 101 extended permit ip host 192.168.3.27 any
access-list 101 extended permit ip host 192.168.3.28 any
access-list 101 extended permit ip host 192.168.3.29 any
access-list 101 extended permit ip host 192.168.3.30 any
access-list 101 extended permit ip host 192.168.3.31 any
access-list 101 extended permit ip host 192.168.3.32 any
access-list 101 extended permit ip host 192.168.3.33 any
access-list 101 extended permit ip host 192.168.3.34 any
access-list 101 extended permit ip host 192.168.3.35 any
access-list 101 extended permit ip host 192.168.3.36 any
access-list 101 extended permit ip host 192.168.3.37 any
access-list 101 extended permit ip host 192.168.3.38 any
access-list 101 extended permit ip host 192.168.3.39 any
access-list 101 extended permit ip host 192.168.3.40 any
access-list 101 extended permit ip host 192.168.3.41 any
access-list 101 extended permit ip host 192.168.3.42 any
access-list 101 extended permit ip host 192.168.3.43 any
access-list 101 extended permit ip host 192.168.3.86 any
access-list 101 extended permit ip host 192.168.3.88 any
access-list 101 extended permit ip host 192.168.3.89 any
access-list 101 extended permit ip host 192.168.3.56 any
access-list 101 extended permit ip host 192.168.3.55 any
access-list 101 extended permit ip host 192.168.3.96 any
access-list 101 extended permit ip host 192.168.3.97 any
access-list 101 extended permit ip host 192.168.3.98 any
access-list 101 extended permit ip host 192.168.3.116 any
access-list 101 extended permit ip host 192.168.3.111 any
access-list 101 extended permit ip host 192.168.3.175 any
access-list 101 extended permit ip host 192.168.3.176 any
access-list 101 extended permit ip host 192.168.3.201 any
access-list 101 extended permit ip host 192.168.3.202 any
access-list 101 extended permit ip host 192.168.3.203 any
access-list 101 extended permit ip host 192.168.3.204 any
access-list 101 extended permit ip host 192.168.3.205 any
access-list 101 extended permit ip host 192.168.3.206 any
access-list 101 extended permit ip host 192.168.3.207 any
access-list 101 extended permit ip host 192.168.3.208 any
access-list 101 extended permit ip host 192.168.3.209 any
access-list 101 extended permit ip host 192.168.3.210 any
access-list 101 extended permit ip host 192.168.3.213 any
access-list 101 extended permit ip host 192.168.3.214 any
access-list 101 extended permit ip host 192.168.3.215 any
access-list 101 extended permit ip host 192.168.3.101 any
access-list 101 extended permit ip host 192.168.3.102 any
access-list 101 extended permit ip host 192.168.3.103 any
access-list 101 extended permit ip host 192.168.3.106 any
access-list 101 extended permit ip host 192.168.3.107 any
access-list 101 extended permit ip host 192.168.3.152 any
access-list 101 extended permit ip host 192.168.3.151 any
access-list 101 extended permit ip host 192.168.3.153 any
access-list 101 extended permit ip host 192.168.3.195 any
access-list 101 extended permit ip host 192.168.3.45 any
access-list 101 extended permit ip host 192.168.3.46 any
access-list 101 extended permit ip host 192.168.3.199 any
access-list 101 extended permit ip host 192.168.3.157 any
access-list 101 extended deny ip 192.168.3.0 255.255.255.0 any
access-list 101 extended permit tcp any any
access-list 101 extended permit ip any any
access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list 2 extended permit ip 192.168.2.0 255.255.255.0 any
access-list 3 extended permit ip 192.168.3.0 255.255.255.0 any
access-list 4 extended permit ip 192.168.4.0 255.255.255.0 any
access-list 500k extended permit ip host X.X.X.1 any
access-list 500k extended permit icmp host X.X.X.1 any
access-list 102 extended permit ip host 192.168.1.6 any
access-list 100 extended permit tcp any host 192.168.1.1 eq www
access-list 100 extended permit tcp any host 192.168.1.1 eq 8080
access-list 100 extended permit tcp any host X.X.X.4
access-list 100 extended permit ip any host X.X.X.4
access-list 100 extended permit icmp any host X.X.X.4
access-list 100 extended permit tcp any host 192.168.1.6 eq smtp
access-list 100 extended permit tcp any host 192.168.1.6 eq pop3
access-list 100 extended permit tcp any host 192.168.1.6 eq www
access-list 100 extended permit tcp any host 192.168.1.6
access-list 100 extended permit ip any host 192.168.1.6
access-list 100 extended permit icmp any host 192.168.1.6
access-list 100 extended permit tcp any host 192.168.1.19 eq 3389
access-list 100 extended permit tcp any host 192.168.1.20 eq 3389
access-list 100 extended permit tcp any host 192.168.1.88 eq 3389
access-list 100 extended permit tcp any host X.X.X.12
access-list 100 extended permit ip any host X.X.X.12
access-list 100 extended permit icmp any host X.X.X.12
access-list 100 extended permit tcp any host 192.168.1.6 eq 8086
access-list 100 extended permit tcp any host 192.168.1.1 eq 3389
access-list 100 extended permit tcp any host 192.168.1.6 eq 3389
access-list 100 extended permit tcp any host 192.168.1.6 eq ftp
access-list 100 extended permit tcp any host 192.168.1.6 eq ftp-data
access-list 100 extended permit tcp any host 192.168.2.88 eq 3389
access-list 100 extended permit tcp any host 192.168.2.88 eq 12172
access-list 100 extended permit tcp any host 192.168.2.2 eq 3389
access-list 100 extended permit tcp any host 192.168.2.2 eq 9116
access-list 100 extended permit tcp any host 192.168.3.2 eq 25243
access-list 100 extended permit tcp any host 192.168.3.2 eq 3389
access-list 100 extended permit tcp any host 192.168.1.200 eq www
access-list 100 extended permit tcp any host 192.168.1.200 eq 12001
access-list 100 extended permit tcp any host 192.168.1.30 eq 3389
access-list 100 extended permit tcp any host 192.168.3.5 eq 4160
access-list 100 extended permit tcp any host 192.168.3.5 eq 11111
access-list 100 extended permit tcp any host 192.168.3.5 eq 3389
access-list 100 extended permit tcp any host X.X.X.10
access-list 100 extended permit udp any host 192.168.2.88 eq 12172
access-list 100 extended permit udp any host 192.168.2.2 eq 9116
access-list 100 extended permit udp any host 192.168.3.2 eq 25243
access-list 100 extended permit udp any host 192.168.3.5 eq 4170
access-list 100 extended permit udp any host 192.168.3.5 eq 11111
access-list 100 extended permit ip any host X.X.X.10
access-list 100 extended permit tcp any host 192.168.1.6 eq 8087
access-list 100 extended permit tcp any host X.X.X.9
access-list 100 extended permit ip any host X.X.X.9
access-list 100 extended permit tcp any host 192.168.1.30 eq www
access-list 100 extended permit tcp any host X.X.X.5
access-list 100 extended permit ip any host X.X.X.5
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp any host 192.168.1.6 eq 8088
access-list 100 extended permit ip any host X.X.X.6
access-list 100 extended permit tcp any host X.X.X.6
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.129 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.129 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.130 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.131 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.132 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.133 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.129 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.130 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.131 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.132 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.133 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 183.64.106.194 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 183.64.106.194 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 183.64.106.195 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 183.64.106.195 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 14.107.162.32 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 14.107.162.32 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 14.107.162.32 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 14.107.247.121 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 14.107.247.121 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 14.107.247.121 host X.X.X.2 time-range k3used
access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 eq 5872 time-range k3used
access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 eq 8088 time-range k3used
access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 eq 3389 time-range k3used
access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.19 eq www time-range k3used
access-list 100 extended permit tcp host 61.128.208.106 host X.X.X.2 time-range k3used
access-list 100 extended permit ip host 61.128.208.106 host X.X.X.2 time-range k3used
access-list 100 extended permit icmp host 61.128.208.106 host X.X.X.2 time-range k3used
access-list 100 extended deny tcp any host 192.168.1.2 eq 5872
access-list 100 extended deny tcp any host 192.168.1.2 eq 8088
access-list 100 extended deny tcp any host 192.168.1.2 eq 3389
access-list 100 extended deny tcp any host 192.168.1.19 eq www
access-list 100 extended deny tcp any host X.X.X.2
access-list 100 extended deny ip any host X.X.X.2
access-list 100 extended deny icmp any host X.X.X.2
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp
nat (inside,any) source static obj-192.168.200.0 obj-192.168.200.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-25 obj-tcp-source-eq-25
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-110 obj-tcp-source-eq-110
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-8086 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-3389 obj-tcp-source-eq-9877
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-21 obj-tcp-source-eq-21
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-20 obj-tcp-source-eq-20
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.9 service obj-tcp-source-eq-8087 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.6 service obj-tcp-source-eq-8088 obj-tcp-source-eq-80
nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
nat (inside,outside) source dynamic obj-192.168.1.6 obj-X.X.X.3
!
object network obj-192.168.1.0
nat (inside,outside) dynamic interface
object network obj-192.168.200.0
nat (inside,outside) dynamic interface
object network obj-192.168.1.2
nat (inside,outside) static X.X.X.2 service tcp 5872 5872
object network obj-192.168.1.2-01
nat (inside,outside) static X.X.X.2 service tcp 8088 8088
object network obj-192.168.1.19
nat (inside,outside) static X.X.X.12 service tcp 3389 8001
object network obj-192.168.1.20
nat (inside,outside) static X.X.X.12 service tcp 3389 8002
object network obj-192.168.1.88
nat (inside,outside) static X.X.X.12 service tcp 3389 12345
object network obj-192.168.1.1
nat (inside,outside) static X.X.X.4 service tcp www www
object network obj-192.168.1.2-02
nat (inside,outside) static X.X.X.2 service tcp 3389 8005
object network obj-192.168.1.1-01
nat (inside,outside) static X.X.X.10 service tcp 3389 9876
object network obj-192.168.2.88
nat (inside,outside) static X.X.X.10 service tcp 3389 3129
object network obj-192.168.2.88-01
nat (inside,outside) static X.X.X.10 service tcp 12172 12172
object network obj-192.168.2.88-02
nat (inside,outside) static X.X.X.10 service udp 12172 12172
object network obj-192.168.1.19-01
nat (inside,outside) static X.X.X.2 service tcp www 8056
object network obj-192.168.2.2
nat (inside,outside) static X.X.X.10 service tcp 3389 3128
object network obj-192.168.2.2-01
nat (inside,outside) static X.X.X.10 service tcp 9116 9116
object network obj-192.168.2.2-02
nat (inside,outside) static X.X.X.10 service udp 9116 9116
object network obj-192.168.3.2
nat (inside,outside) static X.X.X.10 service tcp 25243 25243
object network obj-192.168.3.2-01
nat (inside,outside) static X.X.X.10 service udp 25243 25243
object network obj-192.168.3.2-02
nat (inside,outside) static X.X.X.10 service tcp 3389 3130
object network obj-192.168.1.200
nat (inside,outside) static X.X.X.10 service tcp www 1114
object network obj-192.168.1.200-01
nat (inside,outside) static X.X.X.10 service tcp 12001 12001
object network obj-192.168.1.30
nat (inside,outside) static X.X.X.5 service tcp www www
object network obj-192.168.1.30-01
nat (inside,outside) static X.X.X.10 service tcp 3389 9878
object network obj-192.168.1.1-02
nat (inside,outside) static X.X.X.4 service tcp 8080 8080
object network obj-192.168.3.5
nat (inside,outside) static X.X.X.10 service tcp 4160 4160
object network obj-192.168.3.5-01
nat (inside,outside) static X.X.X.10 service udp 4170 4170
object network obj-192.168.3.5-02
nat (inside,outside) static X.X.X.10 service tcp 11111 11111
object network obj-192.168.3.5-03
nat (inside,outside) static X.X.X.10 service tcp 3389 3127
object network obj-192.168.3.5-04
nat (inside,outside) static X.X.X.10 service udp 11111 11111
object network obj-192.168.2.0
nat (inside,outside) dynamic interface
object network obj-192.168.3.0
nat (inside,outside) dynamic interface
object network obj-192.168.4.0
nat (inside,outside) dynamic interface
object network obj-192.168.5.0
nat (inside,outside) dynamic interface
object network obj-192.168.6.0
nat (inside,outside) dynamic interface
object network obj-192.168.7.0
nat (inside,outside) dynamic interface
object network obj-192.168.8.0
nat (inside,outside) dynamic interface
access-group 100 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.14 1
route inside 192.168.2.0 255.255.255.0 192.168.1.12 1
route inside 192.168.3.0 255.255.255.0 192.168.1.12 1
route inside 192.168.4.0 255.255.255.0 192.168.1.12 1
route inside 192.168.5.0 255.255.255.0 192.168.1.12 1
route inside 192.168.6.0 255.255.255.0 192.168.1.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac
crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set
crypto dynamic-map vpn_map 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map
crypto map vpnmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 61.128.128.68
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
username cisco password 3USUcOPFUiMCO4Jk encrypted
tunnel-group vpn_group type remote-access
tunnel-group vpn_group general-attributes
address-pool vpn_pool
default-group-policy vpnclient
tunnel-group vpn_group ipsec-attributes
ikev1 pre-shared-key *****
!
class-map 500k
match access-list 500k
class-map inspection_default
match default-inspection-traffic
class-map 2
match access-list 2
class-map 3
match access-list 3
class-map 4
match access-list 4
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
policy-map 500k
class 500k
policy-map 2
class 2
class 3
class 4
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 13
subscribe-to-alert-group configuration periodic monthly 13
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ecead54d7c85807eb47c7cdaf7d7e82a
: end
12-13-2013 08:15 AM
Hi,
You did not mention what your server IP address is.
Try using the "packet-tracer" with the correct information
packet-tracer input outside tcp
Post the output here. It should tell us what the problem is
- Jouni
12-13-2013 07:49 PM
Hi, my inside web server is 192.168.1.1 port 80; its NAT outside IP is 61.186.236.4 port 80.
But I cannot provide the packet-tracer output at the same time; maybe later.
Like this:
object network obj-192.168.1.1
nat (inside,outside) static 61.186.236.4 service tcp www www
object network obj-192.168.1.1-01
nat (inside,outside) static 61.186.236.10 service tcp 3389 9876
object network obj-192.168.1.1-02
nat (inside,outside) static 61.186.236.4 service tcp 8080 8080
12-15-2013 04:30 AM
Hi,
I can't really find a specific reason in the configuration why this would not work.
There should be no overlap with the NAT configurations on a quick glance and you seem to have the ACL rule allow traffic to this server at the top of the ACL also.
We would really need to see the "packet-tracer" command issued from the CLI of the ASA. You can naturally do this from ASDM too by going to the top menus and choosing Command Line Interface from there.
packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80
If the "packet-tracer" output looks fine I would next look at the actual server behind the ASA.
- Jouni
12-18-2013 03:56 AM
Hi Jouni,
my packet-tracer and my show tech:
ciscoasa# packet-tracer input outside tcp 192.168.1.1 80 61.186.236.4 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-192.168.1.1
nat (inside,outside) static 61.186.236.4 service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 61.186.236.4/80 to 192.168.1.1/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 100 in interface outside
access-list 100 extended permit tcp any host 192.168.1.1 eq www
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network obj-192.168.1.1
nat (inside,outside) static 61.186.236.4 service tcp www www
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
12-18-2013 04:01 AM
Hi,
You changed the source IP address in the command I suggested?
There is no reason to use the IP 192.168.1.1 as the source of this "packet-tracer" command, as the source will NEVER be that IP address: it's a private IP address, not routable on the public Internet.
So can you try with the command I suggested.
packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80
I presume that the above command/test failed because you were using the servers real IP address as the source IP address for the test.
- Jouni
12-19-2013 04:35 AM
ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static test test1 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
Additional Information:
NAT divert to egress interface inside
Untranslate 61.186.236.4/80 to 192.168.1.1/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 100 in interface outside
access-list 100 extended permit tcp any host 192.168.1.1 eq www
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static test test1 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9833, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
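Jouni's two points above (run packet-tracer with a source address that a real Internet client could have, never the server's own private address, and read the final Result block for the verdict) can be checked mechanically. The following Python is an added example written for this page; it is not Cisco code and not something the posters ran. The parser's field names and the check_tracer_inputs helper are my own choices, and the SAMPLE_* strings are trimmed copies of the two packet-tracer outputs posted in the thread.

```python
# Added example for this thread, not Cisco code: parse ASA packet-tracer output
# into its phases and final Result block, and flag the test-input mistake Jouni
# pointed out (a private or real-server source address). The two SAMPLE_*
# strings are trimmed copies of the outputs posted above.
import ipaddress
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
DROP_RE = re.compile(r"^\((?P<code>[^)]+)\)\s*(?P<text>.*)$")
UNNAT_RE = re.compile(r"^Untranslate (\S+) to (\S+)$")


def parse_packet_tracer(text):
    """Return (phases, result). Each phase dict has num/type/subtype/result/
    config/info (+ untranslate on UN-NAT); result is the trailing block."""
    phases, result = [], {}
    cur, section, in_result = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:  # a new phase block starts
            cur = {"num": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section, in_result = None, False
        elif line == "Result:":  # bare 'Result:' opens the final summary
            cur, in_result = None, True
        elif in_result:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key == "Drop-reason":  # "(code) free text"
                d = DROP_RE.match(val)
                result["drop_code"] = d.group("code") if d else val
                result["drop_text"] = d.group("text") if d else ""
            else:
                result[key.lower().replace("-", "_")] = val
        elif cur is None:
            continue
        elif line.startswith("Type:"):
            cur["type"] = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur["subtype"] = line[8:].strip()
        elif line.startswith("Result:"):
            cur["result"] = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            cur[section].append(line)
            u = UNNAT_RE.match(line)
            if u:  # what the static NAT mapped the destination to
                cur["untranslate"] = (u.group(1), u.group(2))
    return phases, result


def check_tracer_inputs(src_ip, dst_ip, real_ip):
    """Problems with a test meant to model an Internet client hitting the mapped IP."""
    src, dst, real = (ipaddress.ip_address(x) for x in (src_ip, dst_ip, real_ip))
    problems = []
    if src.is_private:
        problems.append("source %s is private; no Internet client has it" % src)
    if src == real:
        problems.append("source equals the server's real address %s" % real)
    if not dst.is_global:
        problems.append("destination %s is not a public mapped address" % dst)
    return problems


SAMPLE_DROP = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) static 61.186.236.4 service tcp www www
Additional Information:
Untranslate 61.186.236.4/80 to 192.168.1.1/80
Result:
input-interface: outside
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static test test1 service obj-tcp-source-eq-80 obj-tcp-source-eq-80
Additional Information:
Untranslate 61.186.236.4/80 to 192.168.1.1/80
Result:
input-interface: outside
Action: allow
"""
```

Run check_tracer_inputs on the arguments before pasting the command into the ASA: the first test in this thread (source 192.168.1.1) is rejected on two counts, while Jouni's suggested 1.1.1.1 passes clean, and parse_packet_tracer turns the pasted output into a verdict plus the drop code so a script can tell "sp-security-failed" apart from an ACL deny or a NAT miss.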
12-22-2013 12:11 AM
Thank you.
My ASA is OK and my config is OK.
The problem is the ISP.
Their update took a long time.