
ASA5512 v8.6 NAT: web server cannot be accessed

hailin huang
Level 1

Hi, all,

ASA5512 v8.6 NAT: the web server cannot be accessed.

My inside PC can access www.cisco.com, but outside clients cannot access my web server on the inside.

Here is my whole config; I don't know which part is wrong.

Thank you for your help.

ciscoasa# show running-config

: Saved

:

ASA Version 8.6(1)2

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address X.X.X.1 255.255.255.240

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

description Link To 3560 G0/1

speed 1000

duplex full

nameif inside

security-level 100

ip address 192.168.1.13 255.255.255.0

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.100.1 255.255.255.0

!

!

time-range k3used

absolute start 08:00 01 January 2008

periodic daily 0:00 to 23:59

periodic daily 9:00 to 18:00

!

ftp mode passive

clock timezone BeiJing 8

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network obj-192.168.200.0

subnet 192.168.200.0 255.255.255.0

object network obj-192.168.1.2

host 192.168.1.2

object network obj-192.168.1.2-01

host 192.168.1.2

object network obj-192.168.1.19

host 192.168.1.19

object network obj-192.168.1.20

host 192.168.1.20

object network obj-192.168.1.88

host 192.168.1.88

object network obj-192.168.1.1

host 192.168.1.1

object network obj-192.168.1.2-02

host 192.168.1.2

object network obj-192.168.1.6

host 192.168.1.6

object network obj-X.X.X.3

host X.X.X.3

object service obj-tcp-source-eq-25

service tcp source eq smtp

object service obj-tcp-source-eq-110

service tcp source eq pop3

object network obj-X.X.X.10

host X.X.X.10

object service obj-tcp-source-eq-8086

service tcp source eq 8086

object service obj-tcp-source-eq-80

service tcp source eq www

object network obj-192.168.1.1-01

host 192.168.1.1

object service obj-tcp-source-eq-3389

service tcp source eq 3389

object service obj-tcp-source-eq-9877

service tcp source eq 9877

object service obj-tcp-source-eq-21

service tcp source eq ftp

object service obj-tcp-source-eq-20

service tcp source eq ftp-data

object network obj-192.168.2.88

host 192.168.2.88

object network obj-192.168.2.88-01

host 192.168.2.88

object network obj-192.168.2.88-02

host 192.168.2.88

object network obj-192.168.1.19-01

host 192.168.1.19

object network obj-192.168.2.2

host 192.168.2.2

object network obj-192.168.2.2-01

host 192.168.2.2

object network obj-192.168.2.2-02

host 192.168.2.2

object network obj-192.168.3.2

host 192.168.3.2

object network obj-192.168.3.2-01

host 192.168.3.2

object network obj-192.168.3.2-02

host 192.168.3.2

object network obj-X.X.X.9

host X.X.X.9

object service obj-tcp-source-eq-8087

service tcp source eq 8087

object network obj-192.168.1.200

host 192.168.1.200

object network obj-192.168.1.200-01

host 192.168.1.200

object network obj-192.168.1.30

host 192.168.1.30

object network obj-192.168.1.30-01

host 192.168.1.30

object network obj-192.168.1.1-02

host 192.168.1.1

object network obj-X.X.X.6

host X.X.X.6

object service obj-tcp-source-eq-8088

service tcp source eq 8088

object network obj-192.168.3.5

host 192.168.3.5

object network obj-192.168.3.5-01

host 192.168.3.5

object network obj-192.168.3.5-02

host 192.168.3.5

object network obj-192.168.3.5-03

host 192.168.3.5

object network obj-192.168.3.5-04

host 192.168.3.5

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

object network obj-192.168.3.0

subnet 192.168.3.0 255.255.255.0

object network obj-192.168.4.0

subnet 192.168.4.0 255.255.255.0

object network obj-192.168.5.0

subnet 192.168.5.0 255.255.255.0

object network obj-192.168.6.0

subnet 192.168.6.0 255.255.255.0

object network obj-192.168.7.0

subnet 192.168.7.0 255.255.255.0

object network obj-192.168.8.0

subnet 192.168.8.0 255.255.255.0

access-list vpn_list extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list vpn_list extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list 101 extended deny ip any host 58.215.78.113

access-list 101 extended deny ip any host 61.139.126.81

access-list 101 extended deny ip any host 61.152.94.154

access-list 101 extended permit ip host 192.168.4.2 any

access-list 101 extended permit ip host 192.168.4.3 any

access-list 101 extended permit ip host 192.168.4.4 any

access-list 101 extended permit ip host 192.168.4.5 any

access-list 101 extended permit ip host 192.168.4.7 any

access-list 101 extended permit ip host 192.168.4.8 any

access-list 101 extended permit ip host 192.168.4.9 any

access-list 101 extended permit ip host 192.168.4.10 any

access-list 101 extended permit ip host 192.168.4.11 any

access-list 101 extended permit ip host 192.168.4.12 any

access-list 101 extended permit ip host 192.168.4.13 any

access-list 101 extended permit ip host 192.168.4.14 any

access-list 101 extended permit ip host 192.168.4.15 any

access-list 101 extended permit ip host 192.168.4.16 any

access-list 101 extended permit ip host 192.168.4.18 any

access-list 101 extended permit ip host 192.168.4.19 any

access-list 101 extended permit ip host 192.168.4.20 any

access-list 101 extended permit ip host 192.168.4.180 any

access-list 101 extended deny ip 192.168.4.0 255.255.255.0 any

access-list 101 extended permit ip host 192.168.2.176 any

access-list 101 extended permit icmp any any

access-list 101 extended permit ip host 192.168.2.3 any

access-list 101 extended permit ip host 192.168.2.164 any

access-list 101 extended permit ip host 192.168.2.171 any

access-list 101 extended permit ip host 192.168.2.142 any

access-list 101 extended permit ip host 192.168.2.180 any

access-list 101 extended permit ip host 192.168.2.149 any

access-list 101 extended permit ip host 192.168.2.201 any

access-list 101 extended permit ip host 192.168.2.170 any

access-list 101 extended permit ip host 192.168.2.168 any

access-list 101 extended permit ip host 192.168.2.103 any

access-list 101 extended permit ip host 192.168.2.34 any

access-list 101 extended permit ip host 192.168.2.174 any

access-list 101 extended permit ip host 192.168.2.199 any

access-list 101 extended permit ip host 192.168.2.253 any

access-list 101 extended permit ip host 192.168.2.236 any

access-list 101 extended permit ip host 192.168.2.214 any

access-list 101 extended permit ip host 192.168.2.110 any

access-list 101 extended permit ip host 192.168.2.127 any

access-list 101 extended permit ip host 192.168.2.178 any

access-list 101 extended permit ip host 192.168.2.21 any

access-list 101 extended permit ip host 192.168.2.24 any

access-list 101 extended permit ip host 192.168.2.251 any

access-list 101 extended permit ip host 192.168.2.33 any

access-list 101 extended permit ip host 192.168.2.120 any

access-list 101 extended permit ip host 192.168.2.85 any

access-list 101 extended permit ip host 192.168.2.137 any

access-list 101 extended permit ip host 192.168.2.113 any

access-list 101 extended permit ip host 192.168.2.20 any

access-list 101 extended permit ip host 192.168.2.101 any

access-list 101 extended permit ip host 192.168.2.106 any

access-list 101 extended permit ip host 192.168.2.140 any

access-list 101 extended permit ip host 192.168.2.215 any

access-list 101 extended permit ip host 192.168.2.107 any

access-list 101 extended permit ip host 192.168.2.234 any

access-list 101 extended permit ip host 192.168.2.15 any

access-list 101 extended permit ip host 192.168.2.55 any

access-list 101 extended permit ip host 192.168.2.41 any

access-list 101 extended permit ip host 192.168.2.13 any

access-list 101 extended permit ip host 192.168.2.133 any

access-list 101 extended permit ip host 192.168.2.73 any

access-list 101 extended permit ip host 192.168.2.172 any

access-list 101 extended permit ip host 192.168.2.175 any

access-list 101 extended permit ip host 192.168.2.88 any

access-list 101 extended permit ip host 192.168.2.188 any

access-list 101 extended permit ip host 192.168.2.136 any

access-list 101 extended permit ip host 192.168.2.74 any

access-list 101 extended permit ip host 192.168.2.12 any

access-list 101 extended permit ip host 192.168.2.100 any

access-list 101 extended permit ip host 192.168.2.102 any

access-list 101 extended permit ip host 192.168.2.152 any

access-list 101 extended permit ip host 192.168.2.4 any

access-list 101 extended permit ip host 192.168.2.5 any

access-list 101 extended permit ip host 192.168.2.6 any

access-list 101 extended permit ip host 192.168.2.14 any

access-list 101 extended permit ip host 192.168.2.19 any

access-list 101 extended permit ip host 192.168.2.16 any

access-list 101 extended permit ip host 192.168.2.17 any

access-list 101 extended permit ip host 192.168.2.18 any

access-list 101 extended permit ip host 192.168.2.22 any

access-list 101 extended permit ip host 192.168.2.23 any

access-list 101 extended permit ip host 192.168.2.115 any

access-list 101 extended permit ip host 192.168.2.116 any

access-list 101 extended permit ip host 192.168.2.117 any

access-list 101 extended permit ip host 192.168.2.118 any

access-list 101 extended permit ip host 192.168.2.119 any

access-list 101 extended permit ip host 192.168.2.150 any

access-list 101 extended permit ip host 192.168.2.128 any

access-list 101 extended deny ip 192.168.2.0 255.255.255.0 any

access-list 101 extended permit ip host 192.168.3.2 any

access-list 101 extended permit ip host 192.168.3.3 any

access-list 101 extended permit ip host 192.168.3.4 any

access-list 101 extended permit ip host 192.168.3.5 any

access-list 101 extended permit ip host 192.168.3.6 any

access-list 101 extended permit ip host 192.168.3.7 any

access-list 101 extended permit ip host 192.168.3.8 any

access-list 101 extended permit ip host 192.168.3.9 any

access-list 101 extended permit ip host 192.168.3.10 any

access-list 101 extended permit ip host 192.168.3.11 any

access-list 101 extended permit ip host 192.168.3.12 any

access-list 101 extended permit ip host 192.168.3.13 any

access-list 101 extended permit ip host 192.168.3.14 any

access-list 101 extended permit ip host 192.168.3.15 any

access-list 101 extended permit ip host 192.168.3.16 any

access-list 101 extended permit ip host 192.168.3.17 any

access-list 101 extended permit ip host 192.168.3.18 any

access-list 101 extended permit ip host 192.168.3.19 any

access-list 101 extended permit ip host 192.168.3.20 any

access-list 101 extended permit ip host 192.168.3.21 any

access-list 101 extended permit ip host 192.168.3.22 any

access-list 101 extended permit ip host 192.168.3.23 any

access-list 101 extended permit ip host 192.168.3.24 any

access-list 101 extended permit ip host 192.168.3.25 any

access-list 101 extended permit ip host 192.168.3.26 any

access-list 101 extended permit ip host 192.168.3.27 any

access-list 101 extended permit ip host 192.168.3.28 any

access-list 101 extended permit ip host 192.168.3.29 any

access-list 101 extended permit ip host 192.168.3.30 any

access-list 101 extended permit ip host 192.168.3.31 any

access-list 101 extended permit ip host 192.168.3.32 any

access-list 101 extended permit ip host 192.168.3.33 any

access-list 101 extended permit ip host 192.168.3.34 any

access-list 101 extended permit ip host 192.168.3.35 any

access-list 101 extended permit ip host 192.168.3.36 any

access-list 101 extended permit ip host 192.168.3.37 any

access-list 101 extended permit ip host 192.168.3.38 any

access-list 101 extended permit ip host 192.168.3.39 any

access-list 101 extended permit ip host 192.168.3.40 any

access-list 101 extended permit ip host 192.168.3.41 any

access-list 101 extended permit ip host 192.168.3.42 any

access-list 101 extended permit ip host 192.168.3.43 any

access-list 101 extended permit ip host 192.168.3.86 any

access-list 101 extended permit ip host 192.168.3.88 any

access-list 101 extended permit ip host 192.168.3.89 any

access-list 101 extended permit ip host 192.168.3.56 any

access-list 101 extended permit ip host 192.168.3.55 any

access-list 101 extended permit ip host 192.168.3.96 any

access-list 101 extended permit ip host 192.168.3.97 any

access-list 101 extended permit ip host 192.168.3.98 any

access-list 101 extended permit ip host 192.168.3.116 any

access-list 101 extended permit ip host 192.168.3.111 any

access-list 101 extended permit ip host 192.168.3.175 any

access-list 101 extended permit ip host 192.168.3.176 any

access-list 101 extended permit ip host 192.168.3.201 any

access-list 101 extended permit ip host 192.168.3.202 any

access-list 101 extended permit ip host 192.168.3.203 any

access-list 101 extended permit ip host 192.168.3.204 any

access-list 101 extended permit ip host 192.168.3.205 any

access-list 101 extended permit ip host 192.168.3.206 any

access-list 101 extended permit ip host 192.168.3.207 any

access-list 101 extended permit ip host 192.168.3.208 any

access-list 101 extended permit ip host 192.168.3.209 any

access-list 101 extended permit ip host 192.168.3.210 any

access-list 101 extended permit ip host 192.168.3.213 any

access-list 101 extended permit ip host 192.168.3.214 any

access-list 101 extended permit ip host 192.168.3.215 any

access-list 101 extended permit ip host 192.168.3.101 any

access-list 101 extended permit ip host 192.168.3.102 any

access-list 101 extended permit ip host 192.168.3.103 any

access-list 101 extended permit ip host 192.168.3.106 any

access-list 101 extended permit ip host 192.168.3.107 any

access-list 101 extended permit ip host 192.168.3.152 any

access-list 101 extended permit ip host 192.168.3.151 any

access-list 101 extended permit ip host 192.168.3.153 any

access-list 101 extended permit ip host 192.168.3.195 any

access-list 101 extended permit ip host 192.168.3.45 any

access-list 101 extended permit ip host 192.168.3.46 any

access-list 101 extended permit ip host 192.168.3.199 any

access-list 101 extended permit ip host 192.168.3.157 any

access-list 101 extended deny ip 192.168.3.0 255.255.255.0 any

access-list 101 extended permit tcp any any

access-list 101 extended permit ip any any

access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list 2 extended permit ip 192.168.2.0 255.255.255.0 any

access-list 3 extended permit ip 192.168.3.0 255.255.255.0 any

access-list 4 extended permit ip 192.168.4.0 255.255.255.0 any

access-list 500k extended permit ip host X.X.X.1 any

access-list 500k extended permit icmp host X.X.X.1 any

access-list 102 extended permit ip host 192.168.1.6 any

access-list 100 extended permit tcp any host 192.168.1.1 eq www

access-list 100 extended permit tcp any host 192.168.1.1 eq 8080

access-list 100 extended permit tcp any host X.X.X.4

access-list 100 extended permit ip any host X.X.X.4

access-list 100 extended permit icmp any host X.X.X.4

access-list 100 extended permit tcp any host 192.168.1.6 eq smtp

access-list 100 extended permit tcp any host 192.168.1.6 eq pop3

access-list 100 extended permit tcp any host 192.168.1.6 eq www

access-list 100 extended permit tcp any host 192.168.1.6

access-list 100 extended permit ip any host 192.168.1.6

access-list 100 extended permit icmp any host 192.168.1.6

access-list 100 extended permit tcp any host 192.168.1.19 eq 3389

access-list 100 extended permit tcp any host 192.168.1.20 eq 3389

access-list 100 extended permit tcp any host 192.168.1.88 eq 3389

access-list 100 extended permit tcp any host X.X.X.12

access-list 100 extended permit ip any host X.X.X.12

access-list 100 extended permit icmp any host X.X.X.12

access-list 100 extended permit tcp any host 192.168.1.6 eq 8086

access-list 100 extended permit tcp any host 192.168.1.1 eq 3389

access-list 100 extended permit tcp any host 192.168.1.6 eq 3389

access-list 100 extended permit tcp any host 192.168.1.6 eq ftp

access-list 100 extended permit tcp any host 192.168.1.6 eq ftp-data

access-list 100 extended permit tcp any host 192.168.2.88 eq 3389

access-list 100 extended permit tcp any host 192.168.2.88 eq 12172

access-list 100 extended permit tcp any host 192.168.2.2 eq 3389

access-list 100 extended permit tcp any host 192.168.2.2 eq 9116

access-list 100 extended permit tcp any host 192.168.3.2 eq 25243

access-list 100 extended permit tcp any host 192.168.3.2 eq 3389

access-list 100 extended permit tcp any host 192.168.1.200 eq www

access-list 100 extended permit tcp any host 192.168.1.200 eq 12001

access-list 100 extended permit tcp any host 192.168.1.30 eq 3389

access-list 100 extended permit tcp any host 192.168.3.5 eq 4160

access-list 100 extended permit tcp any host 192.168.3.5 eq 11111

access-list 100 extended permit tcp any host 192.168.3.5 eq 3389

access-list 100 extended permit tcp any host X.X.X.10

access-list 100 extended permit udp any host 192.168.2.88 eq 12172

access-list 100 extended permit udp any host 192.168.2.2 eq 9116

access-list 100 extended permit udp any host 192.168.3.2 eq 25243

access-list 100 extended permit udp any host 192.168.3.5 eq 4170

access-list 100 extended permit udp any host 192.168.3.5 eq 11111

access-list 100 extended permit ip any host X.X.X.10

access-list 100 extended permit tcp any host 192.168.1.6 eq 8087

access-list 100 extended permit tcp any host X.X.X.9

access-list 100 extended permit ip any host X.X.X.9

access-list 100 extended permit tcp any host 192.168.1.30 eq www

access-list 100 extended permit tcp any host X.X.X.5

access-list 100 extended permit ip any host X.X.X.5

access-list 100 extended permit icmp any any

access-list 100 extended permit tcp any host 192.168.1.6 eq 8088

access-list 100 extended permit ip any host X.X.X.6

access-list 100 extended permit tcp any host X.X.X.6

access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 61.186.169.129 host X.X.X.2 time-range k3used

access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 61.186.169.130 host X.X.X.2 time-range k3used

access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 61.186.169.131 host X.X.X.2 time-range k3used

access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 61.186.169.132 host X.X.X.2 time-range k3used

access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 61.186.169.133 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 61.186.169.129 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 61.186.169.130 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 61.186.169.131 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 61.186.169.132 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 61.186.169.133 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 61.186.169.129 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 61.186.169.130 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 61.186.169.131 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 61.186.169.132 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 61.186.169.133 host X.X.X.2 time-range k3used

access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 183.64.106.194 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 183.64.106.194 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 183.64.106.194 host X.X.X.2 time-range k3used

access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 183.64.106.195 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 183.64.106.195 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 183.64.106.195 host X.X.X.2 time-range k3used

access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 14.107.162.32 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 14.107.162.32 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 14.107.162.32 host X.X.X.2 time-range k3used

access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 14.107.247.121 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 14.107.247.121 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 14.107.247.121 host X.X.X.2 time-range k3used

access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 eq 5872 time-range k3used

access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 eq 8088 time-range k3used

access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 eq 3389 time-range k3used

access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.19 eq www time-range k3used

access-list 100 extended permit tcp host 61.128.208.106 host X.X.X.2 time-range k3used

access-list 100 extended permit ip host 61.128.208.106 host X.X.X.2 time-range k3used

access-list 100 extended permit icmp host 61.128.208.106 host X.X.X.2 time-range k3used

access-list 100 extended deny tcp any host 192.168.1.2 eq 5872

access-list 100 extended deny tcp any host 192.168.1.2 eq 8088

access-list 100 extended deny tcp any host 192.168.1.2 eq 3389

access-list 100 extended deny tcp any host 192.168.1.19 eq www

access-list 100 extended deny tcp any host X.X.X.2

access-list 100 extended deny ip any host X.X.X.2

access-list 100 extended deny icmp any host X.X.X.2

pager lines 24

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp

nat (inside,any) source static obj-192.168.200.0 obj-192.168.200.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp

nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-25 obj-tcp-source-eq-25

nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-110 obj-tcp-source-eq-110

nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-8086 obj-tcp-source-eq-80

nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-3389 obj-tcp-source-eq-9877

nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-21 obj-tcp-source-eq-21

nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-20 obj-tcp-source-eq-20

nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.9 service obj-tcp-source-eq-8087 obj-tcp-source-eq-80

nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.6 service obj-tcp-source-eq-8088 obj-tcp-source-eq-80

nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-80 obj-tcp-source-eq-80

nat (inside,outside) source dynamic obj-192.168.1.6 obj-X.X.X.3

!

object network obj-192.168.1.0

nat (inside,outside) dynamic interface

object network obj-192.168.200.0

nat (inside,outside) dynamic interface

object network obj-192.168.1.2

nat (inside,outside) static X.X.X.2 service tcp 5872 5872

object network obj-192.168.1.2-01

nat (inside,outside) static X.X.X.2 service tcp 8088 8088

object network obj-192.168.1.19

nat (inside,outside) static X.X.X.12 service tcp 3389 8001

object network obj-192.168.1.20

nat (inside,outside) static X.X.X.12 service tcp 3389 8002

object network obj-192.168.1.88

nat (inside,outside) static X.X.X.12 service tcp 3389 12345

object network obj-192.168.1.1

nat (inside,outside) static X.X.X.4 service tcp www www

object network obj-192.168.1.2-02

nat (inside,outside) static X.X.X.2 service tcp 3389 8005

object network obj-192.168.1.1-01

nat (inside,outside) static X.X.X.10 service tcp 3389 9876

object network obj-192.168.2.88

nat (inside,outside) static X.X.X.10 service tcp 3389 3129

object network obj-192.168.2.88-01

nat (inside,outside) static X.X.X.10 service tcp 12172 12172

object network obj-192.168.2.88-02

nat (inside,outside) static X.X.X.10 service udp 12172 12172

object network obj-192.168.1.19-01

nat (inside,outside) static X.X.X.2 service tcp www 8056

object network obj-192.168.2.2

nat (inside,outside) static X.X.X.10 service tcp 3389 3128

object network obj-192.168.2.2-01

nat (inside,outside) static X.X.X.10 service tcp 9116 9116

object network obj-192.168.2.2-02

nat (inside,outside) static X.X.X.10 service udp 9116 9116

object network obj-192.168.3.2

nat (inside,outside) static X.X.X.10 service tcp 25243 25243

object network obj-192.168.3.2-01

nat (inside,outside) static X.X.X.10 service udp 25243 25243

object network obj-192.168.3.2-02

nat (inside,outside) static X.X.X.10 service tcp 3389 3130

object network obj-192.168.1.200

nat (inside,outside) static X.X.X.10 service tcp www 1114

object network obj-192.168.1.200-01

nat (inside,outside) static X.X.X.10 service tcp 12001 12001

object network obj-192.168.1.30

nat (inside,outside) static X.X.X.5 service tcp www www

object network obj-192.168.1.30-01

nat (inside,outside) static X.X.X.10 service tcp 3389 9878

object network obj-192.168.1.1-02

nat (inside,outside) static X.X.X.4 service tcp 8080 8080

object network obj-192.168.3.5

nat (inside,outside) static X.X.X.10 service tcp 4160 4160

object network obj-192.168.3.5-01

nat (inside,outside) static X.X.X.10 service udp 4170 4170

object network obj-192.168.3.5-02

nat (inside,outside) static X.X.X.10 service tcp 11111 11111

object network obj-192.168.3.5-03

nat (inside,outside) static X.X.X.10 service tcp 3389 3127

object network obj-192.168.3.5-04

nat (inside,outside) static X.X.X.10 service udp 11111 11111

object network obj-192.168.2.0

nat (inside,outside) dynamic interface

object network obj-192.168.3.0

nat (inside,outside) dynamic interface

object network obj-192.168.4.0

nat (inside,outside) dynamic interface

object network obj-192.168.5.0

nat (inside,outside) dynamic interface

object network obj-192.168.6.0

nat (inside,outside) dynamic interface

object network obj-192.168.7.0

nat (inside,outside) dynamic interface

object network obj-192.168.8.0

nat (inside,outside) dynamic interface

access-group 100 in interface outside

access-group 101 in interface inside

route outside 0.0.0.0 0.0.0.0 X.X.X.14 1

route inside 192.168.2.0 255.255.255.0 192.168.1.12 1

route inside 192.168.3.0 255.255.255.0 192.168.1.12 1

route inside 192.168.4.0 255.255.255.0 192.168.1.12 1

route inside 192.168.5.0 255.255.255.0 192.168.1.12 1

route inside 192.168.6.0 255.255.255.0 192.168.1.12 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac

crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set

crypto dynamic-map vpn_map 10 set reverse-route

crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map

crypto map vpnmap interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 30

ssh version 1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.43.244.18

group-policy vpnclient internal

group-policy vpnclient attributes

dns-server value 61.128.128.68

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnclient_splitTunnelAcl

username cisco password 3USUcOPFUiMCO4Jk encrypted

tunnel-group vpn_group type remote-access

tunnel-group vpn_group general-attributes

address-pool vpn_pool

default-group-policy vpnclient

tunnel-group vpn_group ipsec-attributes

ikev1 pre-shared-key *****

!

class-map 500k

match access-list 500k

class-map inspection_default

match default-inspection-traffic

class-map 2

match access-list 2

class-map 3

match access-list 3

class-map 4

match access-list 4

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

policy-map 500k

class 500k

policy-map 2

class 2

class 3

class 4

!           

service-policy global_policy global

prompt hostname context

call-home reporting anonymous prompt 2

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly 13

  subscribe-to-alert-group configuration periodic monthly 13

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ecead54d7c85807eb47c7cdaf7d7e82a

: end

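An added example (editor's, not from the thread): a small Python linter over the running config posted above. It flags only lines that actually appear in that config (telnet open from any address on inside, SSH open from any Internet address with SSHv1 enabled, single DES/MD5/group 2 in the IKEv1 policy and the transform set) and prints the usual hardened replacement. The excerpt is reconstructed from the post; the replacements are standard hardening, not something the thread itself discusses, and `<mgmt-net> <mask>` is a placeholder for your own management subnet.

```python
import re

# Excerpt reconstructed from the running config posted above (not the full config).
SAMPLE = """\
crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""

# (pattern, finding, suggested replacement). Replacements are standard hardening,
# not advice taken from the thread; <mgmt-net> <mask> is a placeholder.
CHECKS = [
    (r"^crypto ipsec ikev1 transform-set (\S+) esp-des esp-md5-hmac$",
     "transform-set {0} uses single DES with MD5",
     "crypto ipsec ikev1 transform-set {0} esp-aes-256 esp-sha-hmac"),
    (r"^telnet 0\.0\.0\.0 0\.0\.0\.0 (\S+)$",
     "telnet accepted from any address on {0}",
     "no telnet 0.0.0.0 0.0.0.0 {0} (telnet is cleartext; use SSH from a management subnet)"),
    (r"^ssh 0\.0\.0\.0 0\.0\.0\.0 outside$",
     "SSH accepted from any Internet address",
     "ssh <mgmt-net> <mask> outside, or no SSH on outside at all"),
    (r"^ssh version 1$", "SSHv1 enabled", "ssh version 2"),
    (r"^\s*encryption (des|3des)$", "{0} cipher in IKEv1 policy", "encryption aes-256"),
    (r"^\s*hash md5$", "MD5 hash in IKEv1 policy", "hash sha"),
    (r"^\s*group 2$", "1024-bit DH group in IKEv1 policy",
     "group 5 (or 14 where the release supports it)"),
]


def lint(config):
    """Return (line_number, finding, suggested_fix) for every weak line in the config."""
    findings, policy = [], None
    for n, line in enumerate(config.splitlines(), 1):
        line = line.rstrip()
        # Track which IKEv1 policy block we are inside so findings can name it.
        if m := re.match(r"^crypto ikev1 policy (\d+)$", line):
            policy = m.group(1)
            continue
        if policy and not line.startswith(" "):
            policy = None  # an unindented line ends the policy block
        for pattern, what, fix in CHECKS:
            m = re.match(pattern, line)
            if m:
                desc = what.format(*m.groups())
                if policy and "IKEv1 policy" in desc:
                    desc += f" {policy}"
                findings.append((n, desc, fix.format(*m.groups())))
    return findings


if __name__ == "__main__":
    for n, desc, fix in lint(SAMPLE):
        print(f"line {n}: {desc}\n    -> {fix}")
```

The policy-tracking is what makes the IKE findings useful on a real config with several `crypto ikev1 policy` blocks: the weak `encryption des` line is reported as belonging to policy 1, so you know which block to change rather than just that a weak line exists somewhere.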
7 Replies

Jouni Forss (VIP Alumni)

Hi,

You did not mention what your server IP address is.

Try using the "packet-tracer" with the correct information

packet-tracer input outside tcp 12345 80

Post the output here. It should tell us what the problem is

- Jouni

Hi, my

inside web server is 192.168.1.1 port 80; its NAT outside IP is 61.186.236.4 port 80.

But I cannot provide the packet-tracer output at the moment.
Maybe later.

Like this:

object network obj-192.168.1.1

nat (inside,outside) static 61.186.236.4 service tcp www www

object network obj-192.168.1.1-01

nat (inside,outside) static 61.186.236.10 service tcp 3389 9876

object network obj-192.168.1.1-02

nat (inside,outside) static 61.186.236.4 service tcp 8080 8080

Hi,

I can't really find a specific reason in the configuration why this would not work.

There should be no overlap with the NAT configurations on a quick glance and you seem to have the ACL rule allow traffic to this server at the top of the ACL also.

We would really need to see the "packet-tracer" command issued from the CLI of the ASA. You can naturally do this from ASDM too by going to the top menus and choosing Command Line Interface from there.

packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80

If the "packet-tracer" output looks fine I would next look at the actual server behind the ASA.

- Jouni
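Added example, not part of the thread: a Python check for the two things Jouni looks at in the reply above, overlap between the static NAT entries and whether the outside ACL allows traffic to the server. On ASA 8.3 and later the ACL on the outside interface is evaluated against the real (untranslated) address, which is why `access-list 100` permits to 192.168.1.1 rather than to 61.186.236.4. The sample config is reconstructed from the thread's three NAT lines and the ACL line shown in the packet-tracer output; the ACL entry naming 61.186.236.4 and the `obj-192.168.1.20` object are constructed here to trigger the two findings and are not in the posted config.

```python
import re
from collections import defaultdict

# Reconstructed from the thread's NAT and ACL lines. The ACL entry for
# 61.186.236.4 eq 8080 and the obj-192.168.1.20 object are constructed to
# exercise the two failure modes; they are not in the posted config.
SAMPLE_CONFIG = """\
object network obj-192.168.1.1
 host 192.168.1.1
 nat (inside,outside) static 61.186.236.4 service tcp www www
object network obj-192.168.1.1-01
 host 192.168.1.1
 nat (inside,outside) static 61.186.236.10 service tcp 3389 9876
object network obj-192.168.1.1-02
 host 192.168.1.1
 nat (inside,outside) static 61.186.236.4 service tcp 8080 8080
object network obj-192.168.1.20
 host 192.168.1.20
 nat (inside,outside) static 61.186.236.4 service tcp 8080 8080
access-list 100 extended permit tcp any host 192.168.1.1 eq www
access-list 100 extended permit tcp any host 61.186.236.4 eq 8080
access-list 100 extended permit tcp any host 192.168.1.20 eq 8080
access-group 100 in interface outside
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25}

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s*host (\S+)$")
# object NAT: nat (real_if,mapped_if) static MAPPED_IP service tcp|udp REAL_PORT MAPPED_PORT
NAT_RE = re.compile(r"^\s*nat \((\w+),(\w+)\) static (\S+) service (tcp|udp) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp|ip) (any|host \S+|\S+ \S+) host (\S+)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def port_num(tok):
    """Resolve an ASA port keyword (www, https, ...) or a number to an int."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse(config):
    """Collect static port forwards, ACL entries with a host destination, and interface bindings."""
    forwards, acls, groups = [], defaultdict(list), {}
    obj = host = None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            obj, host = m.group(1), None
        elif m := HOST_RE.match(line):
            host = m.group(1)
        elif m := NAT_RE.match(line):
            _real_if, mapped_if, mapped_ip, proto, real_port, mapped_port = m.groups()
            forwards.append({"obj": obj, "real_ip": host, "real_port": port_num(real_port),
                             "mapped_ip": mapped_ip, "mapped_port": port_num(mapped_port),
                             "proto": proto, "mapped_if": mapped_if})
        elif m := ACL_RE.match(line):
            name, proto, _src, dst, port = m.groups()
            acls[name].append((proto, dst, port_num(port) if port else None))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return forwards, acls, groups


def review(config):
    """Report mapped IP:port claimed twice, and forwards whose REAL address the ACL does not permit."""
    forwards, acls, groups = parse(config)
    findings, claimed = [], {}
    for f in forwards:
        key = (f["proto"], f["mapped_ip"], f["mapped_port"])
        if key in claimed:
            findings.append(f"OVERLAP: {f['obj']} and {claimed[key]} both map "
                            f"{f['mapped_ip']}:{f['mapped_port']}/{f['proto']}")
        claimed.setdefault(key, f["obj"])
        acl = acls.get(groups.get(f["mapped_if"]), [])
        # 8.3+ semantics: the ACL must permit the real (untranslated) destination.
        real_ok = any(p in (f["proto"], "ip") and d == f["real_ip"] and pt in (None, f["real_port"])
                      for p, d, pt in acl)
        if not real_ok:
            msg = (f"NO-ACL: {f['obj']} forwards {f['mapped_ip']}:{f['mapped_port']} -> "
                   f"{f['real_ip']}:{f['real_port']} but ACL on {f['mapped_if']} does not permit the real address")
            if any(d == f["mapped_ip"] for _, d, _ in acl):
                msg += " (an entry names the mapped IP instead; on 8.3+ the ACL must use the real IP)"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, it reports that the 3389/9876 forward has no permit at all, that the 8080 forward is "permitted" only via the pre-8.3 style mapped address and so will be dropped by the ACL, and that two objects claim 61.186.236.4:8080; the thread's original www forward passes both checks, which is consistent with Jouni's reading of the config.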

Hi Jouni,

My packet-tracer output and my show tech:

ciscoasa# packet-tracer input outside tcp 192.168.1.1 80 61.186.236.4 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network obj-192.168.1.1

nat (inside,outside) static 61.186.236.4 service tcp www www

Additional Information:

NAT divert to egress interface inside

Untranslate 61.186.236.4/80 to 192.168.1.1/80

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:      

access-group 100 in interface outside

access-list 100 extended permit tcp any host 192.168.1.1 eq www

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network obj-192.168.1.1

nat (inside,outside) static 61.186.236.4 service tcp www www

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (sp-security-failed) Slowpath security checks failed

Hi,

You changed the source IP address in the command I suggested?

There is no reason to use the IP 192.168.1.1 as the source of this "packet-tracer" command as the source will NEVER be that IP address as its a private IP address not routable on the public Internet.

So can you try with the command I suggested.

packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80

I presume that the above command/test failed because you were using the servers real IP address as the source IP address for the test.

- Jouni
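Added example, not part of the thread: a Python helper for the point in Jouni's reply above. It rejects a packet-tracer command whose source address could never arrive on the outside interface (a private address, in the thread the server's own 192.168.1.1) and summarises the trace output, reporting where the packet was dropped and why. The two traces embedded below are trimmed reconstructions of the ones posted in this thread; the function names and the decision to also flag a source port below 1024 as unrealistic are the example's own, not anything the thread states.

```python
import ipaddress
import re

# Trimmed reconstructions of the two traces posted in the thread. The first
# is the mistaken test that used the server's own IP as the source.
BAD_CMD = "packet-tracer input outside tcp 192.168.1.1 80 61.186.236.4 80"
BAD_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network obj-192.168.1.1
nat (inside,outside) static 61.186.236.4 service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 61.186.236.4/80 to 192.168.1.1/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

GOOD_CMD = "packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80"
GOOD_OUTPUT = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Additional Information:
NAT divert to egress interface inside
Untranslate 61.186.236.4/80 to 192.168.1.1/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Phase: 3
Type: NAT
Subtype: rpf-check
Result: ALLOW
Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Additional Information:
New flow created with id 9833, packet dispatched to next module
Result:
input-interface: outside
output-interface: inside
Action: allow
"""

CMD_RE = re.compile(r"^packet-tracer input (\S+) (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")


def check_command(cmd, outside_if="outside"):
    """Return what is unrealistic about a packet-tracer test before trusting its result."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return ["command does not match 'packet-tracer input <if> tcp|udp <src> <sport> <dst> <dport>'"]
    iface, _proto, src, sport, dst, _dport = m.groups()
    problems = []
    if iface == outside_if:
        # A packet entering from the Internet cannot carry an RFC 1918 source,
        # and from outside you test against the mapped (public) address.
        if ipaddress.ip_address(src).is_private:
            problems.append(f"source {src} is private; an Internet client can never have it")
        if ipaddress.ip_address(dst).is_private:
            problems.append(f"destination {dst} is private; test against the mapped (public) address")
    if int(sport) < 1024:  # example's own heuristic: clients use ephemeral ports
        problems.append(f"source port {sport} is a service port, not an ephemeral client port")
    return problems


def summarise(output):
    """Extract the phase list, final action, drop reason and NAT untranslation from a trace."""
    phases, cur = [], None
    action = drop_reason = untranslate = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"^Phase: (\d+)$", line):
            cur = {"n": int(m.group(1)), "type": None, "result": None}
            phases.append(cur)
        elif cur and line.startswith("Type: "):
            cur["type"] = line[6:]
        elif cur and line.startswith("Result: "):  # the bare trailer "Result:" is skipped
            cur["result"] = line[8:]
        elif line.startswith("Action: "):
            action = line[8:]
        elif line.startswith("Drop-reason: "):
            drop_reason = line[13:]
        elif line.startswith("Untranslate "):
            untranslate = line[12:]
    return {"phases": [(p["n"], p["type"], p["result"]) for p in phases],
            "action": action, "drop_reason": drop_reason, "untranslate": untranslate}


def diagnose(cmd, output):
    """Combine the command sanity check with the trace summary into one verdict."""
    problems = check_command(cmd)
    s = summarise(output)
    if s["action"] == "drop":
        failed = [p for p in s["phases"] if p[2] == "DROP"]
        where = (f"phase {failed[0][0]} ({failed[0][1]})" if failed
                 else "the slow-path checks after the listed phases")
        verdict = f"DROP in {where}: {s['drop_reason']}"
        if problems:
            verdict += " (the test itself is unrealistic; fix the command before blaming the config)"
    else:
        verdict = f"ALLOW, {s['untranslate']}"
    return {"problems": problems, "summary": s, "verdict": verdict}


if __name__ == "__main__":
    for cmd, out in ((BAD_CMD, BAD_OUTPUT), (GOOD_CMD, GOOD_OUTPUT)):
        r = diagnose(cmd, out)
        print(cmd, "\n  ", r["verdict"], "\n  ", r["problems"])
```

The useful property is that the first trace shows every listed phase as ALLOW and still ends in a drop; a naive "find the DROP phase" reader would report nothing, so the helper falls back to naming the slow-path checks and, because the command itself fails the sanity check, tells you to fix the test before touching the NAT or ACL configuration.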

ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static test test1 service obj-tcp-source-eq-80 obj-tcp-source-eq-80

Additional Information:

NAT divert to egress interface inside

Untranslate 61.186.236.4/80 to 192.168.1.1/80

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group 100 in interface outside

access-list 100 extended permit tcp any host 192.168.1.1 eq www

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static test test1 service obj-tcp-source-eq-80 obj-tcp-source-eq-80

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7     

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 9833, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Thank you.

My ASA is OK and my config is OK.

The problem is the ISP.

It has been updating for a long time.