Hi all,
We have a Cisco ASA 5505 firewall configured with a DMZ; see the config below.
Every now and again (approximately every hour) we lose connectivity, i.e. hosts inside the LAN cannot communicate with the DMZ and vice versa.
Can someone suggest any values (e.g. a timeout) or anything else which may be causing this?
Thanks
: Saved
:
ASA Version 8.0(3)6
!
hostname ciscoasa1
domain-name granbymarketing.com
! NOTE(review): the two hashes below are the device's real credential hashes and
! were pasted unmasked even though the addresses were masked. Treat them as
! exposed: rotate the enable and login passwords and redact these in future posts.
enable password 7gjjyRLlGDnFP7M4 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
! Name aliases referenced by the object-groups, access-lists and statics below.
! Addresses were masked with "x" for posting, so several distinct hosts show the
! same masked value; only the names distinguish them here.
names
! DMZ web servers (10.30.30.x) and the public addresses they are published under.
name 10.30.30.x WEB001-DMZ
name 10.30.30.x WEB002-DMZ
name 87.83.120.x WEB002-Internet
name 10.30.30.x WEBCluster-DMZ
name 87.83.120.x WEBCluster-Internet
! Inside servers referenced by DMZ_access_in (SQL7_Blackburn, ContentFilter, DC,
! DCV2). BDC and PDC are defined but not referenced by any access-list in this
! paste. WEB001-Internet is the third public web address.
name 192.168.36.x SQL7_Blackburn
name 87.83.120.x WEB001-Internet
name 192.168.36.x ContentFilter
name 192.168.36.x BDC
name 192.168.36.x PDC
name 192.168.36.x DC
name 192.168.36.x DCV2
! ISP DNS servers, used both by the ASA itself and by the DMZ servers.
name 212.135.1.x EasynetDNS1
name 195.40.1.x EasynetDNS2
! Admin workstations, grouped as ITAdminPCs in inside_access_in.
name 192.168.36.x James_PC
name 192.168.36.x Mo_PC
name 192.168.36.x Leons_PC
name 192.168.36.x Petes_PC
!
! Three VLAN interfaces: inside (level 100), outside (level 0) and DMZ (level 50).
! Because an inbound access-list is applied to every one of them later in the
! config (access-group), the lists rather than the security levels decide what
! traffic is allowed.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.36.x 255.255.0.0
!
! Outside sits in a /28 from the ISP.
interface Vlan2
nameif outside
security-level 0
ip address 87.x.x.x 255.255.255.240
!
! DMZ is addressed from 10.30.30.x but carries a /16 mask, like inside.
interface Vlan12
nameif DMZ
security-level 50
ip address 10.30.30.x 255.255.0.0
!
! Port assignment: Ethernet0/0 is the outside uplink (VLAN 2) and Ethernet0/7
! the DMZ port (VLAN 12). Ethernet0/1-0/6 carry no switchport line, so they
! presumably default to VLAN 1 (inside) - confirm on the device.
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
! The ASA's own DNS resolution. NOTE(review): the name-servers are public
! addresses (presumably reached via the default route on outside) yet lookups
! are enabled only on inside - confirm the ASA can actually resolve names.
! The domain-name here (ranmarketing.com) also differs from the global one
! (granbymarketing.com); possibly a redaction artefact - confirm.
dns domain-lookup inside
dns server-group DefaultDNS
name-server EasynetDNS1
name-server EasynetDNS2
domain-name ranmarketing.com
! Public addresses of the three web servers (destination of outside_access_in).
object-group network DM_INLINE_NETWORK_1
network-object host WEBCluster-Internet
network-object host WEB001-Internet
network-object host WEB002-Internet
! SQL Server: TCP 1433 from source ports 1024-65535.
object-group service sql
service-object tcp source range 1024 65535 eq 1433
! Windows domain-logon ports. Defined but not referenced by any access-list in
! this paste; it looks like the intended narrow replacement for the broad
! "permit ip ... host DCV2" rule in DMZ_access_in - confirm and wire it in.
object-group service WindowsDomainLogin
service-object udp eq netbios-ns
service-object tcp source range 1024 65535 eq 135
service-object tcp source range 1024 65535 eq 42
service-object tcp eq netbios-ssn
service-object udp eq netbios-dgm
! The DMZ web servers by their private (DMZ) addresses.
object-group network WebServerGroupDMZ
network-object host WEBCluster-DMZ
network-object host WEB001-DMZ
network-object host WEB002-DMZ
! ISP resolvers the DMZ servers may query (DMZ_access_in, udp/domain).
object-group network EasynetDNSServers
network-object host EasynetDNS2
network-object host EasynetDNS1
! ASDM-generated inline service groups. All four are icmp + www + https, with
! ftp added in _1, _2 and _4.
object-group service DM_INLINE_SERVICE_1
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object icmp
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
! Admin workstations granted broader access in inside_access_in.
object-group network ITAdminPCs
network-object host Mo_PC
network-object host James_PC
network-object host Leons_PC
network-object host Petes_PC
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
! VNC (TCP 5900); used only for ITAdminPCs -> DMZ web servers.
object-group service vnc tcp
port-object eq 5900
! inside -> DMZ/Internet. Any host in 192.168.0.0/16 may reach the DMZ web
! servers with icmp/ftp/www/https; the admin PCs may additionally reach any
! destination with icmp/www/https and the DMZ web servers on VNC. Once the
! access-group is applied (later in the config), anything else arriving on
! inside is dropped by the implicit deny at the end of the list.
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 192.168.0.0 255.255.0.0 object-group WebServerGroupDMZ
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 object-group ITAdminPCs any
access-list inside_access_in extended permit tcp object-group ITAdminPCs object-group WebServerGroupDMZ object-group vnc
! Internet -> DMZ: icmp/ftp/www/https to the three published addresses (the
! statics below map them onto the DMZ hosts). NOTE(review): this exposes FTP
! from the Internet as well; confirm it is still required.
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object-group DM_INLINE_NETWORK_1
! DMZ -> inside: the web servers may reach SQL (1433) on SQL7_Blackburn and DC,
! SMTP on ContentFilter, ping the whole inside /16, and ANY protocol to DCV2.
! NOTE(review): "permit ip ... host DCV2" gives a compromised web server
! unrestricted reach to a domain controller; narrow it to the ports actually
! needed (the unused WindowsDomainLogin group looks like the intended set).
access-list DMZ_access_in extended permit object-group sql object-group WebServerGroupDMZ host SQL7_Blackburn
access-list DMZ_access_in extended permit tcp object-group WebServerGroupDMZ host ContentFilter eq smtp
access-list DMZ_access_in extended permit object-group sql object-group WebServerGroupDMZ host DC
access-list DMZ_access_in extended permit ip object-group WebServerGroupDMZ host DCV2
access-list DMZ_access_in extended permit icmp object-group WebServerGroupDMZ 192.168.0.0 255.255.0.0
! Order matters: the deny for the inside /16 precedes the permit-to-any, so the
! web servers can reach the Internet (icmp/ftp/www/https, plus DNS to the ISP
! resolvers) but nothing further on the inside network.
access-list DMZ_access_in extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group WebServerGroupDMZ any
access-list DMZ_access_in extended permit udp object-group WebServerGroupDMZ object-group EasynetDNSServers eq domain
pager lines 24
! Logging goes to ASDM at informational level; no buffered logging or syslog
! host appears in this paste. NOTE(review): to diagnose the hourly drop, add
! buffered logging (or a syslog server) and look at what is torn down or denied
! at the moment it happens.
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
! NAT. Inside hosts are PAT'ed to the outside interface address when going out;
! the identity static keeps inside addresses unchanged towards the DMZ.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
! Publish the three DMZ web servers on their Internet addresses.
static (DMZ,outside) WEB001-Internet WEB001-DMZ netmask 255.255.255.255
static (DMZ,outside) WEB002-Internet WEB002-DMZ netmask 255.255.255.255
static (DMZ,outside) WEBCluster-Internet WEBCluster-DMZ netmask 255.255.255.255
! Reverse (outside -> DMZ) mappings of the same six addresses. Their purpose is
! not evident from the config - confirm they are intentional, since they
! overlap the statics above in the opposite direction.
static (outside,DMZ) WEB001-DMZ WEB001-Internet netmask 255.255.255.255
static (outside,DMZ) WEB002-DMZ WEB002-Internet netmask 255.255.255.255
static (outside,DMZ) WEBCluster-DMZ WEBCluster-Internet netmask 255.255.255.255
! Apply the three access-lists inbound on their interfaces.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
! Default route via the ISP gateway.
route outside 0.0.0.0 0.0.0.0 87.x.x.x 1
! Idle timeouts (these look like the platform defaults). NOTE(review): the
! 1:00:00 idle connection timeout coincides with the roughly hourly interval
! reported; on its own it would only clear idle sessions, not all LAN<->DMZ
! traffic, so confirm with logs before changing it.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
! ASDM/HTTPS management is allowed only from the 192.168.36.0/24 inside subnet.
! No telnet or ssh source statements appear in this paste, so the telnet/ssh
! timeouts below apply to nothing unless configured elsewhere.
http server enable
http 192.168.36.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
! Traps are enabled, but no snmp-server host is shown here to receive them.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IPsec transform sets. NOTE(review): DES and MD5 variants are still defined and
! offered in the dynamic map below, so a peer can negotiate down to them; keep
! only the AES/SHA sets unless a legacy peer genuinely needs the others.
crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
! Catch-all dynamic crypto map for remote-access peers, bound to outside.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_AES-256_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
! IKEv1 phase-1 policy: AES-256 / SHA-1 / DH group 5, 24h lifetime.
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
! 0 = console sessions never time out.
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
! Default group policy for VPN users. No tunnel-group is visible in this paste,
! so whether any remote-access VPN is actually reachable can't be told here.
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
!
!
prompt hostname context
Cryptochecksum:a6cc7ed3a60c0adee327deb868cb2446
: end