11-30-2013 06:44 AM
Hi all,
I am migrating an ASA5520 (v7.0) to an ASA5512 (v8.6) and have some questions: the VPN cannot ping, and how do I do failover?
File 1: ASA5520 version 7.0
File 2: ASA5512 version 8.6
File 3: asa3560X
File 4: top
Question one:
Is my migrated file right? Compare v7.0 to v8.6. I am not sure my config is OK.
Question two:
My Easy VPN user 192.168.200.1 cannot ping my server 192.168.1.41. My server can ping the VLAN 10 gateway, but cannot ping the ASA inside interface.
Question three:
If I want to use the 5520 on this top for failover, what can I do?
First, I update v7.0 to v8.6, like the ASA5512 version.
Second, connect the ASA5512 (active) to the ASA5520 and configure failover.
Is that OK?
file 2 ASA5512 Version 8.6
ciscoasa#
ciscoasa# show run
ciscoasa# show running-config
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif ouside
security-level 0
ip address X.X.X.1 255.255.255.240
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description Link To 3560 G0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.1.13 255.255.255.0
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
!
time-range k3used
absolute start 08:00 01 January 2008
periodic daily 0:00 to 23:59
periodic daily 9:00 to 18:00
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
object network internal_X.X.X.3
host X.X.X.3
object network inside_192.168.1.6
host 192.168.1.6
object network cisco
object network local-1-2
host 192.168.1.2
object service real_svc5872
service tcp source eq 5872
object network remote-lan2
host X.X.X.2
object service mapped_svc5872
service tcp destination eq 5872
object service real_svc8088
service tcp source eq 8088
object service mapped_svc8088
service tcp destination eq 8088
object service real_svc8005
service tcp source eq 8005
object service mapped_svc8005
service tcp destination eq 8005
object network local-1-19
host 192.168.1.19
object service real_svcwww
service tcp source eq www
object service mapped_svc8056
service tcp destination eq 8056
object network local-1-200
host 192.168.1.200
object service real_svc3389
service tcp source eq 3389
object service mapped_svc8001
service tcp destination eq 8001
object service mapped_svc8002
service tcp destination eq 8002
object service mapped_svc12345
service tcp destination eq 12345
object service mapped_svcwww
service tcp destination eq www
object service real_svcsmtp
service tcp source eq smtp
object service mapped_svcsmtp
service tcp destination eq smtp
object service real_svcpop3
service tcp source eq pop3
object service mapped_svcpop3
service tcp destination eq pop3
object service real_svc8086
service tcp source eq 8086
object service mapped_svc9876
service tcp destination eq 9876
object service mapped_svc9877
service tcp destination eq 9877
object service real_svcftp
service tcp source eq ftp
object service mapped_svcftp
service tcp destination eq ftp
object service real_svcftp-data
service tcp source eq ftp-data
object service mapped_svcftp-data
service tcp destination eq ftp-data
object service mapped_svc3129
service tcp destination eq 3129
object service real_svc12172
service tcp source eq 12172
object service mapped_svc12172
service tcp destination eq 12172
object service real_svcu12172
service udp source eq 12172
object service mapped_svcu12172
service udp destination eq 12172
object service mapped_svc3128
service tcp destination eq 3128
object service real_svc9116
service tcp source eq 9116
object service mapped_svc9116
service tcp destination eq 9116
object service real_svcu9116
service udp source eq 9116
object service mapped_svcu9116
service udp destination eq 9116
object service real_svc25243
service tcp source eq 25243
object service mapped_svc25243
service tcp destination eq 25243
object service real_svcu25243
service udp source eq 25243
object service mapped_svcu25243
service udp destination eq 25243
object service mapped_svc3130
service tcp destination eq 3130
object service real_svc8087
service tcp source eq 8087
object service mapped_svc1114
service tcp destination eq 1114
object service real_svc12001
service tcp source eq 12001
object service mapped_svc12001
service tcp destination eq 12001
object service mapped_svc19878
service tcp destination eq 9878
object service real_svc8080
service tcp source eq 8080
object service mapped_svc18080
service tcp destination eq 8080
object service real_svc4160
service tcp source eq 4160
object service mapped_svc4160
service tcp destination eq 4160
object service real_svcu4170
service udp source eq 4170
object service mapped_svcu4170
service udp destination eq 4170
object service real_svc11111
service tcp source eq 11111
object service mapped_svc11111
service tcp destination eq 11111
object service mapped_svc3127
service tcp destination eq 3127
object service real_svcu11111
service udp source eq 11111
object service mapped_svcu11111
service udp destination eq 11111
object network local-1-20
host 192.168.1.20
object network remote-lan12
host X.X.X.12
object network local-1-88
host 192.168.1.88
object network local-1-1
host 192.168.1.1
object network local-1-6
host 192.168.1.6
object network local-2-88
host 192.168.2.88
object network local-2-2
host 192.168.2.2
object network local-1-4
host 192.168.1.4
object network local-1-3
host 192.168.1.3
object network local-1-10
host 192.168.1.10
object network remote-lan4
host X.X.X.4
object network remote-lan3
host X.X.X.3
object network remote-lan10
host X.X.X.10
object network local-3-2
host 192.168.3.2
object network local-1-30
host 192.168.1.30
object network remote-lan9
host X.X.X.9
object network local-1-5
host 192.168.1.5
object service mapped_svc9878
service tcp destination eq 9878
object network remote-lan5
host X.X.X.5
object network remote-lan6
host X.X.X.6
object network local-3-5
host 192.168.3.5
object-group network pat-source
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
access-list 100 extended permit tcp any host 192.168.1.1
access-list 100 extended permit ip any host 192.168.1.1
access-list 100 extended permit icmp any host 192.168.1.1
access-list 100 extended permit tcp any host 192.168.1.6
access-list 100 extended permit ip any host 192.168.1.6
access-list 100 extended permit icmp any host 192.168.1.6
access-list 100 extended permit tcp any host 192.168.1.12
access-list 100 extended permit ip any host 192.168.1.12
access-list 100 extended permit icmp any host 192.168.1.12
access-list 100 extended permit tcp any host 192.168.1.30
access-list 100 extended permit ip any host 192.168.1.30
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.129 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.130 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.131 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.132 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.133 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.129 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.130 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.131 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.132 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.133 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 183.64.106.194 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 183.64.106.194 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 183.64.106.195 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 183.64.106.195 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 14.107.162.32 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 14.107.162.32 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 14.107.247.121 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 14.107.247.121 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.128.208.106 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.128.208.106 host 192.168.1.2 time-range k3used
access-list 100 extended deny tcp any host 192.168.1.2
access-list 100 extended deny ip any host 192.168.1.2
access-list 100 extended deny icmp any host 192.168.1.2
access-list vpn_list extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn_list extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended deny ip any host 58.215.78.113
access-list 101 extended deny ip any host 61.139.126.81
access-list 101 extended deny ip any host 61.152.94.154
access-list 101 extended permit ip host 192.168.4.2 any
access-list 101 extended permit ip host 192.168.4.3 any
access-list 101 extended permit ip host 192.168.4.4 any
access-list 101 extended permit ip host 192.168.4.5 any
access-list 101 extended permit ip host 192.168.4.7 any
access-list 101 extended permit ip host 192.168.4.8 any
access-list 101 extended permit ip host 192.168.4.9 any
access-list 101 extended permit ip host 192.168.4.10 any
access-list 101 extended permit ip host 192.168.4.11 any
access-list 101 extended permit ip host 192.168.4.12 any
access-list 101 extended permit ip host 192.168.4.13 any
access-list 101 extended permit ip host 192.168.4.14 any
access-list 101 extended permit ip host 192.168.4.15 any
access-list 101 extended permit ip host 192.168.4.16 any
access-list 101 extended permit ip host 192.168.4.18 any
access-list 101 extended permit ip host 192.168.4.19 any
access-list 101 extended permit ip host 192.168.4.20 any
access-list 101 extended permit ip host 192.168.4.180 any
access-list 101 extended deny ip 192.168.4.0 255.255.255.0 any
access-list 101 extended permit ip host 192.168.2.176 any
access-list 101 extended permit icmp any any
access-list 101 extended permit ip host 192.168.2.3 any
access-list 101 extended permit ip host 192.168.2.164 any
access-list 101 extended permit ip host 192.168.2.171 any
access-list 101 extended permit ip host 192.168.2.142 any
access-list 101 extended permit ip host 192.168.2.180 any
access-list 101 extended permit ip host 192.168.2.149 any
access-list 101 extended permit ip host 192.168.2.201 any
access-list 101 extended permit ip host 192.168.2.170 any
access-list 101 extended permit ip host 192.168.2.168 any
access-list 101 extended permit ip host 192.168.2.103 any
access-list 101 extended permit ip host 192.168.2.34 any
access-list 101 extended permit ip host 192.168.2.174 any
access-list 101 extended permit ip host 192.168.2.199 any
access-list 101 extended permit ip host 192.168.2.253 any
access-list 101 extended permit ip host 192.168.2.236 any
access-list 101 extended permit ip host 192.168.2.214 any
access-list 101 extended permit ip host 192.168.2.110 any
access-list 101 extended permit ip host 192.168.2.127 any
access-list 101 extended permit ip host 192.168.2.178 any
access-list 101 extended permit ip host 192.168.2.21 any
access-list 101 extended permit ip host 192.168.2.24 any
access-list 101 extended permit ip host 192.168.2.251 any
access-list 101 extended permit ip host 192.168.2.33 any
access-list 101 extended permit ip host 192.168.2.120 any
access-list 101 extended permit ip host 192.168.2.85 any
access-list 101 extended permit ip host 192.168.2.137 any
access-list 101 extended permit ip host 192.168.2.113 any
access-list 101 extended permit ip host 192.168.2.20 any
access-list 101 extended permit ip host 192.168.2.101 any
access-list 101 extended permit ip host 192.168.2.106 any
access-list 101 extended permit ip host 192.168.2.140 any
access-list 101 extended permit ip host 192.168.2.215 any
access-list 101 extended permit ip host 192.168.2.107 any
access-list 101 extended permit ip host 192.168.2.234 any
access-list 101 extended permit ip host 192.168.2.15 any
access-list 101 extended permit ip host 192.168.2.55 any
access-list 101 extended permit ip host 192.168.2.41 any
access-list 101 extended permit ip host 192.168.2.13 any
access-list 101 extended permit ip host 192.168.2.133 any
access-list 101 extended permit ip host 192.168.2.73 any
access-list 101 extended permit ip host 192.168.2.172 any
access-list 101 extended permit ip host 192.168.2.175 any
access-list 101 extended permit ip host 192.168.2.88 any
access-list 101 extended permit ip host 192.168.2.188 any
access-list 101 extended permit ip host 192.168.2.136 any
access-list 101 extended permit ip host 192.168.2.74 any
access-list 101 extended permit ip host 192.168.2.12 any
access-list 101 extended permit ip host 192.168.2.100 any
access-list 101 extended permit ip host 192.168.2.102 any
access-list 101 extended permit ip host 192.168.2.152 any
access-list 101 extended permit ip host 192.168.2.4 any
access-list 101 extended permit ip host 192.168.2.5 any
access-list 101 extended permit ip host 192.168.2.6 any
access-list 101 extended permit ip host 192.168.2.14 any
access-list 101 extended permit ip host 192.168.2.19 any
access-list 101 extended permit ip host 192.168.2.16 any
access-list 101 extended permit ip host 192.168.2.17 any
access-list 101 extended permit ip host 192.168.2.18 any
access-list 101 extended permit ip host 192.168.2.22 any
access-list 101 extended permit ip host 192.168.2.23 any
access-list 101 extended permit ip host 192.168.2.115 any
access-list 101 extended permit ip host 192.168.2.116 any
access-list 101 extended permit ip host 192.168.2.117 any
access-list 101 extended permit ip host 192.168.2.118 any
access-list 101 extended permit ip host 192.168.2.119 any
access-list 101 extended permit ip host 192.168.2.150 any
access-list 101 extended permit ip host 192.168.2.128 any
access-list 101 extended deny ip 192.168.2.0 255.255.255.0 any
access-list 101 extended permit ip host 192.168.3.2 any
access-list 101 extended permit ip host 192.168.3.3 any
access-list 101 extended permit ip host 192.168.3.4 any
access-list 101 extended permit ip host 192.168.3.5 any
access-list 101 extended permit ip host 192.168.3.6 any
access-list 101 extended permit ip host 192.168.3.7 any
access-list 101 extended permit ip host 192.168.3.8 any
access-list 101 extended permit ip host 192.168.3.9 any
access-list 101 extended permit ip host 192.168.3.10 any
access-list 101 extended permit ip host 192.168.3.11 any
access-list 101 extended permit ip host 192.168.3.12 any
access-list 101 extended permit ip host 192.168.3.13 any
access-list 101 extended permit ip host 192.168.3.14 any
access-list 101 extended permit ip host 192.168.3.15 any
access-list 101 extended permit ip host 192.168.3.16 any
access-list 101 extended permit ip host 192.168.3.17 any
access-list 101 extended permit ip host 192.168.3.18 any
access-list 101 extended permit ip host 192.168.3.19 any
access-list 101 extended permit ip host 192.168.3.20 any
access-list 101 extended permit ip host 192.168.3.21 any
access-list 101 extended permit ip host 192.168.3.22 any
access-list 101 extended permit ip host 192.168.3.23 any
access-list 101 extended permit ip host 192.168.3.24 any
access-list 101 extended permit ip host 192.168.3.25 any
access-list 101 extended permit ip host 192.168.3.26 any
access-list 101 extended permit ip host 192.168.3.27 any
access-list 101 extended permit ip host 192.168.3.28 any
access-list 101 extended permit ip host 192.168.3.29 any
access-list 101 extended permit ip host 192.168.3.30 any
access-list 101 extended permit ip host 192.168.3.31 any
access-list 101 extended permit ip host 192.168.3.32 any
access-list 101 extended permit ip host 192.168.3.33 any
access-list 101 extended permit ip host 192.168.3.34 any
access-list 101 extended permit ip host 192.168.3.35 any
access-list 101 extended permit ip host 192.168.3.36 any
access-list 101 extended permit ip host 192.168.3.37 any
access-list 101 extended permit ip host 192.168.3.38 any
access-list 101 extended permit ip host 192.168.3.39 any
access-list 101 extended permit ip host 192.168.3.40 any
access-list 101 extended permit ip host 192.168.3.41 any
access-list 101 extended permit ip host 192.168.3.42 any
access-list 101 extended permit ip host 192.168.3.43 any
access-list 101 extended permit ip host 192.168.3.86 any
access-list 101 extended permit ip host 192.168.3.88 any
access-list 101 extended permit ip host 192.168.3.89 any
access-list 101 extended permit ip host 192.168.3.56 any
access-list 101 extended permit ip host 192.168.3.55 any
access-list 101 extended permit ip host 192.168.3.96 any
access-list 101 extended permit ip host 192.168.3.97 any
access-list 101 extended permit ip host 192.168.3.98 any
access-list 101 extended permit ip host 192.168.3.116 any
access-list 101 extended permit ip host 192.168.3.111 any
access-list 101 extended permit ip host 192.168.3.175 any
access-list 101 extended permit ip host 192.168.3.176 any
access-list 101 extended permit ip host 192.168.3.201 any
access-list 101 extended permit ip host 192.168.3.202 any
access-list 101 extended permit ip host 192.168.3.203 any
access-list 101 extended permit ip host 192.168.3.204 any
access-list 101 extended permit ip host 192.168.3.205 any
access-list 101 extended permit ip host 192.168.3.206 any
access-list 101 extended permit ip host 192.168.3.207 any
access-list 101 extended permit ip host 192.168.3.208 any
access-list 101 extended permit ip host 192.168.3.209 any
access-list 101 extended permit ip host 192.168.3.210 any
access-list 101 extended permit ip host 192.168.3.213 any
access-list 101 extended permit ip host 192.168.3.214 any
access-list 101 extended permit ip host 192.168.3.215 any
access-list 101 extended permit ip host 192.168.3.101 any
access-list 101 extended permit ip host 192.168.3.102 any
access-list 101 extended permit ip host 192.168.3.103 any
access-list 101 extended permit ip host 192.168.3.106 any
access-list 101 extended permit ip host 192.168.3.107 any
access-list 101 extended permit ip host 192.168.3.152 any
access-list 101 extended permit ip host 192.168.3.151 any
access-list 101 extended permit ip host 192.168.3.153 any
access-list 101 extended permit ip host 192.168.3.195 any
access-list 101 extended permit ip host 192.168.3.45 any
access-list 101 extended permit ip host 192.168.3.46 any
access-list 101 extended permit ip host 192.168.3.199 any
access-list 101 extended permit ip host 192.168.3.157 any
access-list 101 extended deny ip 192.168.3.0 255.255.255.0 any
access-list 101 extended permit tcp any any
access-list 101 extended permit ip any any
access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list 2 extended permit ip 192.168.2.0 255.255.255.0 any
access-list 3 extended permit ip 192.168.3.0 255.255.255.0 any
access-list 4 extended permit ip 192.168.4.0 255.255.255.0 any
access-list 500k extended permit ip host X.X.X.1 any
access-list 500k extended permit icmp host X.X.X.1 any
access-list 102 extended permit ip host 192.168.1.6 any
pager lines 24
logging asdm informational
mtu ouside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,ouside) source dynamic pat-source interface
nat (inside,ouside) source static inside_192.168.1.6 internal_X.X.X.3
nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc5872 mapped_svc5872
nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc8088 mapped_svc8088
nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc3389 mapped_svc8005
nat (inside,ouside) source static local-1-19 remote-lan12 service real_svc3389 mapped_svc8001
nat (inside,ouside) source static local-1-20 remote-lan12 service real_svc3389 mapped_svc8002
nat (inside,ouside) source static local-1-88 remote-lan12 service real_svc3389 mapped_svc12345
nat (inside,ouside) source static local-1-19 remote-lan12 service real_svcwww mapped_svc8056
nat (inside,ouside) source static local-1-1 remote-lan4 service real_svcwww mapped_svcwww
nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcsmtp mapped_svcsmtp
nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcpop3 mapped_svcpop3
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc8086 mapped_svcwww
nat (inside,ouside) source static local-1-1 remote-lan10 service real_svc3389 mapped_svc9876
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc3389 mapped_svc9877
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svcftp mapped_svcftp
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svcftp-data mapped_svcftp-data
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc3389 mapped_svc3129
nat (inside,ouside) source static local-2-88 remote-lan10 service real_svc12172 mapped_svc12172
nat (inside,ouside) source static local-2-88 remote-lan10 service real_svcu12172 mapped_svcu12172
nat (inside,ouside) source static local-2-2 remote-lan10 service real_svc3389 mapped_svc3128
nat (inside,ouside) source static local-2-2 remote-lan10 service real_svc9116 mapped_svc9116
nat (inside,ouside) source static local-2-2 remote-lan10 service real_svcu9116 mapped_svcu9116
nat (inside,ouside) source static local-1-200 remote-lan10 service real_svcwww mapped_svc1114
nat (inside,ouside) source static local-1-200 remote-lan10 service real_svc12001 mapped_svc12001
nat (inside,ouside) source static local-3-2 remote-lan10 service real_svc25243 mapped_svc25243
nat (inside,ouside) source static local-3-2 remote-lan10 service real_svcu25243 mapped_svcu25243
nat (inside,ouside) source static local-3-2 remote-lan10 service real_svc3389 mapped_svc3130
nat (inside,ouside) source static local-1-6 remote-lan9 service real_svc8087 mapped_svcwww
nat (inside,ouside) source static local-1-30 remote-lan10 service real_svc3389 mapped_svc9878
nat (inside,ouside) source static local-1-30 remote-lan5 service real_svcwww mapped_svcwww
nat (inside,ouside) source static local-1-1 remote-lan4 service real_svc8080 mapped_svc8088
nat (inside,ouside) source static local-1-6 remote-lan6 service real_svc8088 mapped_svcwww
nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcwww mapped_svcwww
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc4160 mapped_svc4160
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svcu4170 mapped_svcu4170
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc11111 mapped_svc11111
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc3389 mapped_svc3127
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svcu11111 mapped_svcu11111
access-group 100 in interface ouside
access-group 101 in interface inside
route ouside 0.0.0.0 0.0.0.0 X.X.X.14 1
route inside 192.168.1.0 255.255.255.0 192.168.1.12 1
route inside 192.168.2.0 255.255.255.0 192.168.1.12 1
route inside 192.168.3.0 255.255.255.0 192.168.1.12 1
route inside 192.168.4.0 255.255.255.0 192.168.1.12 1
route inside 192.168.5.0 255.255.255.0 192.168.1.12 1
route inside 192.168.6.0 255.255.255.0 192.168.1.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 ouside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac
crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set
crypto dynamic-map vpn_map 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map
crypto map vpnmap interface ouside
crypto ikev1 enable ouside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 ouside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1
webvpn
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 61.128.128.68
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
username cisco password 3USUcOPFUiMCO4Jk encrypted
username cisco attributes
vpn-group-policy vpnclient
tunnel-group vpn_group type remote-access
tunnel-group vpn_group general-attributes
address-pool vpn_pool
default-group-policy vpnclient
tunnel-group vpn_group ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:a08da6ec8948c7427396140d22675be0
: end
12-01-2013 02:56 PM
1. One thing I see is you have neglected to exempt your VPN pool addresses from NAT. This will be necessary on the new configuration. This also impacts question #2.
2. Make sure to exempt the VPN from NAT. Also, your attachment shows that the 5512X inside interface is down:
GigabitEthernet0/3 192.168.1.13 YES CONFIG down down
That will certainly impact being able to reach inside resources like your server.
3. You cannot create a failover pair between different ASA models. The hardware must match exactly. Reference.
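This added example (not code from the thread's participants) checks an ASA 8.3+ configuration for the NAT exemption the reply above calls for, and goes one step further by reporting an exemption that sits below a dynamic PAT rule, since manual NAT rules are matched top-down. The sample configuration is constructed; the definitions of `inside-192.168.1.0` and `vpn-192.168.200.0` are assumptions, as the thread never shows them.

```python
import ipaddress
import re
from collections import namedtuple

NatRule = namedtuple("NatRule", "ifaces kind real mapped dst_real dst_mapped")

# Manual (twice) NAT line as printed by "show running-config" on ASA 8.3+.
NAT_RE = re.compile(
    r"^nat \(([^,]+),([^)]+)\) (?:after-auto )?(?:\d+ )?"
    r"source (static|dynamic) (\S+) (\S+)"
    r"(?: destination static (\S+) (\S+))?"
)
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def parse_objects(config):
    """Map each network object / object-group name to a list of networks."""
    objects, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        head = re.match(r"^object(?:-group)? network (\S+)$", line)
        host = re.match(r"^(?:network-object )?host (\S+)$", line)
        net = re.match(r"^(?:subnet|network-object) (\S+) (\S+)$", line)
        if head:
            current = objects.setdefault(head.group(1), [])
        elif current is not None and (host or net):
            text = host.group(1) + "/32" if host else "/".join(net.groups())
            try:
                current.append(ipaddress.ip_network(text, strict=False))
            except ValueError:
                pass  # redacted address such as X.X.X.3
        else:
            current = None  # any other line ends the object body
    return objects


def parse_pools(config):
    """Return {pool name: (first address, last address)} from 'ip local pool'."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools


def parse_nat(config):
    """Return manual NAT rules in configuration order."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(NatRule((m.group(1), m.group(2)), *m.groups()[2:]))
    return rules


def check_vpn_nat_exemption(config):
    """Per VPN pool: 'missing', 'shadowed' (below a dynamic rule) or 'ok'."""
    objects, rules = parse_objects(config), parse_nat(config)

    def resolve(name):
        return ANY if name == "any" else objects.get(name, [])

    report = {}
    for pool, (first, last) in parse_pools(config).items():
        report[pool] = "missing"
        for i, rule in enumerate(rules):
            # Identity NAT: source and destination both translate to themselves,
            # and the destination object contains the whole pool range.
            exempts = (rule.kind == "static" and rule.real == rule.mapped
                       and rule.dst_real is not None
                       and rule.dst_real == rule.dst_mapped
                       and any(first in n and last in n
                               for n in resolve(rule.dst_real)))
            if not exempts:
                continue
            # An earlier dynamic rule without a destination on the same
            # interface pair matches the same inside sources first.
            shadowed = any(
                e.kind == "dynamic" and e.ifaces == rule.ifaces
                and e.dst_real is None
                and any(a.overlaps(b)
                        for a in resolve(e.real) for b in resolve(rule.real))
                for e in rules[:i])
            report[pool] = "shadowed" if shadowed else "ok"
            break
    return report


# Constructed sample; interface name "ouside" follows the thread's nameif.
BASE = """\
ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0
object network inside-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network vpn-192.168.200.0
 subnet 192.168.200.0 255.255.255.0
object-group network pat-source
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
"""
PAT = "nat (inside,ouside) source dynamic pat-source interface\n"
EXEMPT = ("nat (inside,ouside) source static inside-192.168.1.0 "
          "inside-192.168.1.0 destination static vpn-192.168.200.0 "
          "vpn-192.168.200.0\n")

if __name__ == "__main__":
    for label, cfg in [("no exemption", BASE + PAT),
                       ("exemption after PAT", BASE + PAT + EXEMPT),
                       ("exemption before PAT", BASE + EXEMPT + PAT)]:
        print(label, check_vpn_nat_exemption(cfg))
```
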
12-07-2013 06:21 AM
Hi Marvin Rhoads,
Thanks for helping me.
Questions one and two are OK after I added this config:
nat (inside,ouside) source static inside-192.168.1.0 inside-192.168.1.0 destination static vpn-192.168.200.0 vpn-192.168.200.0.
My other questions are:
1. My inside web server 192.168.1.4 port 80 mapped to ouside X.X.X.4 port 80 is not OK.
I cannot access the web server or X.X.X.4 from the Internet.
My inside PC can access the Internet (www.cisco.com) and can ping the ASA inside IP.
2. Also, my inside servers for email and others are all not OK.
My email web server 192.168.1.6 maps to outside X.X.X.3.
The new config file is below. Is my config at fault, or is it something else?
Thank you.
ASA Version 8.6(1)2
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif ouside
security-level 0
ip address X.X.X.1 255.255.255.240
interface GigabitEthernet0/3
description Link To 3560 G0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.1.13 255.255.255.0
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
!
time-range k3used
absolute start 08:00 01 January 2008
periodic daily 0:00 to 23:59
periodic daily 9:00 to 18:00
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
name-server 61.128.128.68
object network internal_X.X.X.3
host X.X.X.3
object network inside_192.168.1.6
host 192.168.1.6
object network cisco
object network local-1-2
host 192.168.1.2
object service real_svc5872
service tcp destination eq 5872
object network remote-lan2
host X.X.X.2
object service mapped_svc5872
service tcp destination eq 5872
object service real_svc8088
service tcp destination eq 8088
object service mapped_svc8088
service tcp destination eq 8088
object service real_svc8005
service tcp destination eq 8005
object service mapped_svc8005
service tcp destination eq 8005
object network local-1-19
host 192.168.1.19
object service real_svcwww
service tcp destination eq www
object service mapped_svc8056
service tcp destination eq 8056
object network local-1-200
host 192.168.1.200
object service real_svc3389
service tcp destination eq 3389
object service mapped_svc8001
service tcp destination eq 8001
object service mapped_svc8002
service tcp destination eq 8002
object service mapped_svc12345
service tcp destination eq 12345
object service mapped_svcwww
service tcp destination eq www
object service real_svcsmtp
service tcp destination eq smtp
object service mapped_svcsmtp
service tcp destination eq smtp
object service real_svcpop3
service tcp destination eq pop3
object service mapped_svcpop3
service tcp destination eq pop3
object service real_svc8086
service tcp destination eq 8086
object service mapped_svc9876
service tcp destination eq 9876
object service mapped_svc9877
service tcp destination eq 9877
object service real_svcftp
service tcp destination eq ftp
object service mapped_svcftp
service tcp destination eq ftp
object service real_svcftp-data
service tcp destination eq ftp-data
object service mapped_svcftp-data
service tcp destination eq ftp-data
object service mapped_svc3129
service tcp destination eq 3129
object service real_svc12172
service tcp destination eq 12172
object service mapped_svc12172
service tcp destination eq 12172
object service real_svcu12172
service udp destination eq 12172
object service mapped_svcu12172
service udp destination eq 12172
object service mapped_svc3128
service tcp destination eq 3128
object service real_svc9116
service tcp destination eq 9116
object service mapped_svc9116
service tcp destination eq 9116
object service real_svcu9116
service udp destination eq 9116
object service mapped_svcu9116
service udp destination eq 9116
object service real_svc25243
service tcp destination eq 25243
object service mapped_svc25243
service tcp destination eq 25243
object service real_svcu25243
service udp destination eq 25243
object service mapped_svcu25243
service udp destination eq 25243
object service mapped_svc3130
service tcp destination eq 3130
object service real_svc8087
service tcp destination eq 8087
object service mapped_svc1114
service tcp destination eq 1114
object service real_svc12001
service tcp destination eq 12001
object service mapped_svc12001
service tcp destination eq 12001
object service mapped_svc19878
service tcp destination eq 9878
object service real_svc8080
service tcp destination eq 8080
object service mapped_svc18080
service tcp destination eq 8080
object service real_svc4160
service tcp destination eq 4160
object service mapped_svc4160
service tcp destination eq 4160
object service real_svcu4170
service udp destination eq 4170
object service mapped_svcu4170
service udp destination eq 4170
object service real_svc11111
service tcp destination eq 11111
object service mapped_svc11111
service tcp destination eq 11111
object service mapped_svc3127
service tcp destination eq 3127
object service real_svcu11111
service udp destination eq 11111
object service mapped_svcu11111
service udp destination eq 11111
object network local-1-20
host 192.168.1.20
object network remote-lan12
host X.X.X.12
object network local-1-88
host 192.168.1.88
object network local-1-1
host 192.168.1.1
object network local-1-6
host 192.168.1.6
object network local-2-88
host 192.168.2.88
object network local-2-2
host 192.168.2.2
object network local-1-4
host 192.168.1.4
object network local-1-3
host 192.168.1.3
object network local-1-10
host 192.168.1.10
object network remote-lan4
host X.X.X.4
object network remote-lan3
host X.X.X.3
object network remote-lan10
host X.X.X.10
object network local-3-2
host 192.168.3.2
object network local-1-30
host 192.168.1.30
object network remote-lan9
host X.X.X.9
object network local-1-5
host 192.168.1.5
object service mapped_svc9878
service tcp destination eq 9878
object network remote-lan5
host X.X.X.5
object network remote-lan6
host X.X.X.6
object network local-3-5
host 192.168.3.5
object network inside-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network vpn-192.168.200.0
subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_27
subnet 192.168.200.0 255.255.255.0
object service test1207www
service tcp destination eq www
object service test1207mapwww
service tcp destination eq www
object-group network pat-source
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.5.0 255.255.255.0
network-object 192.168.6.0 255.255.255.0
network-object 192.168.7.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
object-group service 192.168.1.6-smtp
service-object tcp destination eq pop3
service-object tcp destination eq smtp
access-list 100 extended permit tcp any host 192.168.1.1
access-list 100 extended permit ip any host 192.168.1.1
access-list 100 extended permit icmp any host 192.168.1.1
access-list 100 extended permit tcp any host 192.168.1.6
access-list 100 extended permit ip any host 192.168.1.6
access-list 100 extended permit icmp any host 192.168.1.6
access-list 100 extended permit tcp any host 192.168.1.12
access-list 100 extended permit ip any host 192.168.1.12
access-list 100 extended permit icmp any host 192.168.1.12
access-list 100 extended permit tcp any host 192.168.1.30
access-list 100 extended permit ip any host 192.168.1.30
access-list 100 extended permit icmp any any
access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.129 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.130 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.131 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.132 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.186.169.133 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.129 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.130 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.131 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.132 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.186.169.133 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 183.64.106.194 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 183.64.106.194 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 183.64.106.195 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 183.64.106.195 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 14.107.162.32 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 14.107.162.32 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 14.107.247.121 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 14.107.247.121 host 192.168.1.2 time-range k3used
access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 time-range k3used
access-list 100 extended permit ip host 61.128.208.106 host 192.168.1.2 time-range k3used
access-list 100 extended permit icmp host 61.128.208.106 host 192.168.1.2 time-range k3used
access-list 100 extended deny tcp any host 192.168.1.2
access-list 100 extended deny ip any host 192.168.1.2
access-list 100 extended deny icmp any host 192.168.1.2
access-list 100 extended permit object-group 192.168.1.6-smtp any object local-1-6
access-list vpn_list extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpn_list extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended deny ip any host 58.215.78.113
access-list 101 extended deny ip any host 61.139.126.81
access-list 101 extended deny ip any host 61.152.94.154
access-list 101 extended permit ip host 192.168.4.2 any
access-list 101 extended permit ip host 192.168.4.3 any
access-list 101 extended permit ip host 192.168.4.4 any
access-list 101 extended permit ip host 192.168.4.5 any
access-list 101 extended permit ip host 192.168.4.7 any
access-list 101 extended permit ip host 192.168.4.8 any
access-list 101 extended permit ip host 192.168.4.9 any
access-list 101 extended permit ip host 192.168.4.10 any
access-list 101 extended permit ip host 192.168.4.11 any
access-list 101 extended permit ip host 192.168.4.12 any
access-list 101 extended permit ip host 192.168.4.13 any
access-list 101 extended permit ip host 192.168.4.14 any
access-list 101 extended permit ip host 192.168.4.15 any
access-list 101 extended permit ip host 192.168.4.16 any
access-list 101 extended permit ip host 192.168.4.18 any
access-list 101 extended permit ip host 192.168.4.19 any
access-list 101 extended permit ip host 192.168.4.20 any
access-list 101 extended permit ip host 192.168.4.180 any
access-list 101 extended deny ip 192.168.4.0 255.255.255.0 any
access-list 101 extended permit ip host 192.168.2.176 any
access-list 101 extended permit icmp any any
access-list 101 extended permit ip host 192.168.2.3 any
access-list 101 extended permit ip host 192.168.2.164 any
access-list 101 extended permit ip host 192.168.2.171 any
access-list 101 extended permit ip host 192.168.2.142 any
access-list 101 extended permit ip host 192.168.2.180 any
access-list 101 extended permit ip host 192.168.2.149 any
access-list 101 extended permit ip host 192.168.2.201 any
access-list 101 extended permit ip host 192.168.2.170 any
access-list 101 extended permit ip host 192.168.2.168 any
access-list 101 extended permit ip host 192.168.2.103 any
access-list 101 extended permit ip host 192.168.2.34 any
access-list 101 extended permit ip host 192.168.2.174 any
access-list 101 extended permit ip host 192.168.2.199 any
access-list 101 extended permit ip host 192.168.2.253 any
access-list 101 extended permit ip host 192.168.2.236 any
access-list 101 extended permit ip host 192.168.2.214 any
access-list 101 extended permit ip host 192.168.2.110 any
access-list 101 extended permit ip host 192.168.2.127 any
access-list 101 extended permit ip host 192.168.2.178 any
access-list 101 extended permit ip host 192.168.2.21 any
access-list 101 extended permit ip host 192.168.2.24 any
access-list 101 extended permit ip host 192.168.2.251 any
access-list 101 extended permit ip host 192.168.2.33 any
access-list 101 extended permit ip host 192.168.2.120 any
access-list 101 extended permit ip host 192.168.2.85 any
access-list 101 extended permit ip host 192.168.2.137 any
access-list 101 extended permit ip host 192.168.2.113 any
access-list 101 extended permit ip host 192.168.2.20 any
access-list 101 extended permit ip host 192.168.2.101 any
access-list 101 extended permit ip host 192.168.2.106 any
access-list 101 extended permit ip host 192.168.2.140 any
access-list 101 extended permit ip host 192.168.2.215 any
access-list 101 extended permit ip host 192.168.2.107 any
access-list 101 extended permit ip host 192.168.2.234 any
access-list 101 extended permit ip host 192.168.2.15 any
access-list 101 extended permit ip host 192.168.2.55 any
access-list 101 extended permit ip host 192.168.2.41 any
access-list 101 extended permit ip host 192.168.2.13 any
access-list 101 extended permit ip host 192.168.2.133 any
access-list 101 extended permit ip host 192.168.2.73 any
access-list 101 extended permit ip host 192.168.2.172 any
access-list 101 extended permit ip host 192.168.2.175 any
access-list 101 extended permit ip host 192.168.2.88 any
access-list 101 extended permit ip host 192.168.2.188 any
access-list 101 extended permit ip host 192.168.2.136 any
access-list 101 extended permit ip host 192.168.2.74 any
access-list 101 extended permit ip host 192.168.2.12 any
access-list 101 extended permit ip host 192.168.2.100 any
access-list 101 extended permit ip host 192.168.2.102 any
access-list 101 extended permit ip host 192.168.2.152 any
access-list 101 extended permit ip host 192.168.2.4 any
access-list 101 extended permit ip host 192.168.2.5 any
access-list 101 extended permit ip host 192.168.2.6 any
access-list 101 extended permit ip host 192.168.2.14 any
access-list 101 extended permit ip host 192.168.2.19 any
access-list 101 extended permit ip host 192.168.2.16 any
access-list 101 extended permit ip host 192.168.2.17 any
access-list 101 extended permit ip host 192.168.2.18 any
access-list 101 extended permit ip host 192.168.2.22 any
access-list 101 extended permit ip host 192.168.2.23 any
access-list 101 extended permit ip host 192.168.2.115 any
access-list 101 extended permit ip host 192.168.2.116 any
access-list 101 extended permit ip host 192.168.2.117 any
access-list 101 extended permit ip host 192.168.2.118 any
access-list 101 extended permit ip host 192.168.2.119 any
access-list 101 extended permit ip host 192.168.2.150 any
access-list 101 extended permit ip host 192.168.2.128 any
access-list 101 extended deny ip 192.168.2.0 255.255.255.0 any
access-list 101 extended permit ip host 192.168.3.2 any
access-list 101 extended permit ip host 192.168.3.3 any
access-list 101 extended permit ip host 192.168.3.4 any
access-list 101 extended permit ip host 192.168.3.5 any
access-list 101 extended permit ip host 192.168.3.6 any
access-list 101 extended permit ip host 192.168.3.7 any
access-list 101 extended permit ip host 192.168.3.8 any
access-list 101 extended permit ip host 192.168.3.9 any
access-list 101 extended permit ip host 192.168.3.10 any
access-list 101 extended permit ip host 192.168.3.11 any
access-list 101 extended permit ip host 192.168.3.12 any
access-list 101 extended permit ip host 192.168.3.13 any
access-list 101 extended permit ip host 192.168.3.14 any
access-list 101 extended permit ip host 192.168.3.15 any
access-list 101 extended permit ip host 192.168.3.16 any
access-list 101 extended permit ip host 192.168.3.17 any
access-list 101 extended permit ip host 192.168.3.18 any
access-list 101 extended permit ip host 192.168.3.19 any
access-list 101 extended permit ip host 192.168.3.20 any
access-list 101 extended permit ip host 192.168.3.21 any
access-list 101 extended permit ip host 192.168.3.22 any
access-list 101 extended permit ip host 192.168.3.23 any
access-list 101 extended permit ip host 192.168.3.24 any
access-list 101 extended permit ip host 192.168.3.25 any
access-list 101 extended permit ip host 192.168.3.26 any
access-list 101 extended permit ip host 192.168.3.27 any
access-list 101 extended permit ip host 192.168.3.28 any
access-list 101 extended permit ip host 192.168.3.29 any
access-list 101 extended permit ip host 192.168.3.30 any
access-list 101 extended permit ip host 192.168.3.31 any
access-list 101 extended permit ip host 192.168.3.32 any
access-list 101 extended permit ip host 192.168.3.33 any
access-list 101 extended permit ip host 192.168.3.34 any
access-list 101 extended permit ip host 192.168.3.35 any
access-list 101 extended permit ip host 192.168.3.36 any
access-list 101 extended permit ip host 192.168.3.37 any
access-list 101 extended permit ip host 192.168.3.38 any
access-list 101 extended permit ip host 192.168.3.39 any
access-list 101 extended permit ip host 192.168.3.40 any
access-list 101 extended permit ip host 192.168.3.41 any
access-list 101 extended permit ip host 192.168.3.42 any
access-list 101 extended permit ip host 192.168.3.43 any
access-list 101 extended permit ip host 192.168.3.86 any
access-list 101 extended permit ip host 192.168.3.88 any
access-list 101 extended permit ip host 192.168.3.89 any
access-list 101 extended permit ip host 192.168.3.56 any
access-list 101 extended permit ip host 192.168.3.55 any
access-list 101 extended permit ip host 192.168.3.96 any
access-list 101 extended permit ip host 192.168.3.97 any
access-list 101 extended permit ip host 192.168.3.98 any
access-list 101 extended permit ip host 192.168.3.116 any
access-list 101 extended permit ip host 192.168.3.111 any
access-list 101 extended permit ip host 192.168.3.175 any
access-list 101 extended permit ip host 192.168.3.176 any
access-list 101 extended permit ip host 192.168.3.201 any
access-list 101 extended permit ip host 192.168.3.202 any
access-list 101 extended permit ip host 192.168.3.203 any
access-list 101 extended permit ip host 192.168.3.204 any
access-list 101 extended permit ip host 192.168.3.205 any
access-list 101 extended permit ip host 192.168.3.206 any
access-list 101 extended permit ip host 192.168.3.207 any
access-list 101 extended permit ip host 192.168.3.208 any
access-list 101 extended permit ip host 192.168.3.209 any
access-list 101 extended permit ip host 192.168.3.210 any
access-list 101 extended permit ip host 192.168.3.213 any
access-list 101 extended permit ip host 192.168.3.214 any
access-list 101 extended permit ip host 192.168.3.215 any
access-list 101 extended permit ip host 192.168.3.101 any
access-list 101 extended permit ip host 192.168.3.102 any
access-list 101 extended permit ip host 192.168.3.103 any
access-list 101 extended permit ip host 192.168.3.106 any
access-list 101 extended permit ip host 192.168.3.107 any
access-list 101 extended permit ip host 192.168.3.152 any
access-list 101 extended permit ip host 192.168.3.151 any
access-list 101 extended permit ip host 192.168.3.153 any
access-list 101 extended permit ip host 192.168.3.195 any
access-list 101 extended permit ip host 192.168.3.45 any
access-list 101 extended permit ip host 192.168.3.46 any
access-list 101 extended permit ip host 192.168.3.199 any
access-list 101 extended permit ip host 192.168.3.157 any
access-list 101 extended deny ip 192.168.3.0 255.255.255.0 any
access-list 101 extended permit tcp any any
access-list 101 extended permit ip any any
access-list 101 extended permit ip 192.168.200.0 255.255.255.0 any
access-list 101 extended permit ip host 192.168.1.6 any
access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list 2 extended permit ip 192.168.2.0 255.255.255.0 any
access-list 3 extended permit ip 192.168.3.0 255.255.255.0 any
access-list 4 extended permit ip 192.168.4.0 255.255.255.0 any
access-list 500k extended permit ip host X.X.X.1 any
access-list 500k extended permit icmp host X.X.X.1 any
access-list 102 extended permit ip host 192.168.1.6 any
access-list test1207_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu ouside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,ouside) source dynamic pat-source interface
nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc8088 mapped_svc8088
nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc3389 mapped_svc8005
nat (inside,ouside) source static local-1-19 remote-lan12 service real_svc3389 mapped_svc8001
nat (inside,ouside) source static local-1-20 remote-lan12 service real_svc3389 mapped_svc8002
nat (inside,ouside) source static local-1-88 remote-lan12 service real_svc3389 mapped_svc12345
nat (inside,ouside) source static local-1-19 remote-lan12 service real_svcwww mapped_svc8056
nat (inside,ouside) source static local-1-1 remote-lan4 service real_svcwww mapped_svcwww
nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcsmtp mapped_svcsmtp
nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcpop3 mapped_svcpop3
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc8086 mapped_svcwww
nat (inside,ouside) source static local-1-1 remote-lan10 service real_svc3389 mapped_svc9876
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc3389 mapped_svc9877
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svcftp mapped_svcftp
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svcftp-data mapped_svcftp-data
nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc3389 mapped_svc3129
nat (inside,ouside) source static local-2-88 remote-lan10 service real_svc12172 mapped_svc12172
nat (inside,ouside) source static local-2-88 remote-lan10 service real_svcu12172 mapped_svcu12172
nat (inside,ouside) source static local-2-2 remote-lan10 service real_svc3389 mapped_svc3128
nat (inside,ouside) source static local-2-2 remote-lan10 service real_svc9116 mapped_svc9116
nat (inside,ouside) source static local-2-2 remote-lan10 service real_svcu9116 mapped_svcu9116
nat (inside,ouside) source static local-1-200 remote-lan10 service real_svcwww mapped_svc1114
nat (inside,ouside) source static local-1-200 remote-lan10 service real_svc12001 mapped_svc12001
nat (inside,ouside) source static local-3-2 remote-lan10 service real_svc25243 mapped_svc25243
nat (inside,ouside) source static local-3-2 remote-lan10 service real_svcu25243 mapped_svcu25243
nat (inside,ouside) source static local-3-2 remote-lan10 service real_svc3389 mapped_svc3130
nat (inside,ouside) source static local-1-6 remote-lan9 service real_svc8087 mapped_svcwww
nat (inside,ouside) source static local-1-30 remote-lan10 service real_svc3389 mapped_svc9878
nat (inside,ouside) source static local-1-30 remote-lan5 service real_svcwww mapped_svcwww
nat (inside,ouside) source static local-1-1 remote-lan4 service real_svc8080 mapped_svc8088
nat (inside,ouside) source static local-1-6 remote-lan6 service real_svc8088 mapped_svcwww
nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcwww mapped_svcwww
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc4160 mapped_svc4160
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svcu4170 mapped_svcu4170
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc11111 mapped_svc11111
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc3389 mapped_svc3127
nat (inside,ouside) source static local-3-5 remote-lan10 service real_svcu11111 mapped_svcu11111
nat (inside,ouside) source static inside-192.168.1.0 inside-192.168.1.0 destination static vpn-192.168.200.0 vpn-192.168.200.0
nat (inside,ouside) source static inside-192.168.1.0 inside-192.168.1.0 destination static NETWORK_OBJ_192.168.200.0_27 NETWORK_OBJ_192.168.200.0_27 no-proxy-arp route-lookup
access-group 100 in interface ouside
access-group 101 in interface inside
route ouside 0.0.0.0 0.0.0.0 X.X.X.14 1
route inside 192.168.2.0 255.255.255.0 192.168.1.12 1
route inside 192.168.3.0 255.255.255.0 192.168.1.12 1
route inside 192.168.4.0 255.255.255.0 192.168.1.12 1
route inside 192.168.5.0 255.255.255.0 192.168.1.12 1
route inside 192.168.6.0 255.255.255.0 192.168.1.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 ouside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac
crypto dynamic-map vpn_map 10 set pfs group1
crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set
crypto dynamic-map vpn_map 10 set reverse-route
crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map
crypto map vpnmap interface ouside
crypto ikev1 enable ouside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 ouside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18
ssl encryption 3des-sha1
webvpn
group-policy test1207 internal
group-policy test1207 attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
group-policy vpnclient internal
group-policy vpnclient attributes
dns-server value 61.128.128.68
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
username cisco password 3USUcOPFUiMCO4Jk encrypted
username cisco attributes
vpn-group-policy vpnclient
tunnel-group vpn_group type remote-access
tunnel-group vpn_group general-attributes
address-pool vpn_pool
default-group-policy vpnclient
tunnel-group vpn_group ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group test1207 type remote-access
tunnel-group test1207 general-attributes
address-pool vpn_pool
default-group-policy test1207
tunnel-group test1207 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
12-07-2013 11:38 AM
You're welcome.
For your 192.168.1.6 web server, you have the necessary access-list entry and the access-group is applied to the outside interface:
access-list 100 extended permit tcp any host 192.168.1.6
access-group 100 in interface ouside
but you seem to have lost the NAT rule you had in the original configuration according to the latest one you posted:
nat (inside,ouside) source static inside_192.168.1.6 internal_61.186.236.3
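The cross-check made in the reply above, as an added example that is not part of the original thread: for every single host that the ACL bound inbound to the outside interface permits, confirm that a manual `source static` NAT rule exists whose real object resolves to that host. On ASA 8.3 and later, interface ACLs match the real address. The sample configuration is constructed from lines in the style of the posted one, the function names are hypothetical, and only manual NAT lines of the form used in this thread are considered.

```python
import re

# Constructed sample in the style of the configuration posted in this thread.
SAMPLE_CONFIG = """\
object network local-1-1
 host 192.168.1.1
object network remote-lan4
 host X.X.X.4
access-list 100 extended permit tcp any host 192.168.1.1
access-list 100 extended permit tcp any host 192.168.1.6
access-list 100 extended permit icmp any host 192.168.1.6
access-list 100 extended permit tcp any host 192.168.1.12
access-list 100 extended deny ip any host 192.168.1.2
access-list 101 extended permit ip host 192.168.4.2 any
nat (inside,ouside) source dynamic pat-source interface
nat (inside,ouside) source static local-1-1 remote-lan4 service real_svcwww mapped_svcwww
access-group 100 in interface ouside
access-group 101 in interface inside
"""


def host_objects(config):
    """Map each 'object network NAME' to its host address (subnet objects are skipped)."""
    objects, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["object", "network"] and len(tokens) == 3:
            current = tokens[2]
        elif current and len(tokens) == 2 and tokens[0] == "host":
            objects[current] = tokens[1]
        else:
            current = None
    return objects


def _take_addr(tokens, i):
    """Consume one address spec of an extended ACL entry; return (kind, value, next index)."""
    if i >= len(tokens):
        return None, None, i
    if tokens[i] in ("any", "any4", "any6"):
        return "any", None, i + 1
    if tokens[i] in ("host", "object", "object-group") and i + 1 < len(tokens):
        return tokens[i], tokens[i + 1], i + 2
    return "net", None, i + 2  # "address mask" form


def permitted_hosts(config, acl, objects):
    """Single destination hosts that ACL `acl` permits, in order of first appearance."""
    hosts = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[:4] != ["access-list", acl, "extended", "permit"]:
            continue
        i = 6 if t[4] in ("object", "object-group") else 5  # step over the protocol
        _, _, i = _take_addr(t, i)                           # step over the source
        kind, value, _ = _take_addr(t, i)                    # destination
        ip = None
        if kind == "host":
            ip = value
        elif kind == "object":
            ip = objects.get(value)
        if ip and ip not in hosts:
            hosts.append(ip)
    return hosts


def static_nat_hosts(config, objects, outside):
    """Real host addresses that have a manual 'source static' rule toward `outside`."""
    pat = re.compile(r"^nat \(\S+,%s\) source static (\S+) \S+" % re.escape(outside), re.M)
    return {objects[name] for name in pat.findall(config) if name in objects}


def permitted_without_nat(config, outside):
    """Hosts the inbound ACL on `outside` permits but no static NAT rule publishes."""
    objects = host_objects(config)
    bound = re.search(r"^access-group (\S+) in interface %s\s*$" % re.escape(outside),
                      config, re.M)
    if not bound:
        return []
    natted = static_nat_hosts(config, objects, outside)
    return [ip for ip in permitted_hosts(config, bound.group(1), objects) if ip not in natted]


if __name__ == "__main__":
    for ip in permitted_without_nat(SAMPLE_CONFIG, "ouside"):
        print("permitted inbound but no static NAT rule:", ip)
```

A host reported here is not necessarily misconfigured (it may be reached only over the VPN), but each one is an ACL permit that no outside connection can use until a translation exists.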
12-07-2013 07:53 PM
Hi,
In my new config, I have configured both the NAT and the ACL.
My web server's real IP is 192.168.1.1 and the mapped IP is 61.186.236.4:
access-list 100 extended permit tcp any host 192.168.1.1
access-group 100 in interface ouside
nat (inside,ouside) source static local-1-1 remote-lan4 service real_svcwww mapped_svcwww
But nobody can access my web server from the Internet.