NAT on CISCO ASA 5510

Asked by jeremymjackson in Cisco PIX Firewall, Networking Hardware Firewalls, Enterprise Firewalls

Tags: CISCO ASA 5510

I have a CISCO ASA 5510 that is firewalling and NATing for our network. We have three DMZ servers on the DMZ interface of this ASA that host websites. SRWEB08 hosts corporate web, SRES01 hosts OWA for Exchange, SRHD01 hosts helpdesk web. Each of these sites works great from the inside of the network. Only SRWEB08 and SRES01 work from outside the network. The site on SRHD01 times out after approximately 5 minutes.
: Saved
:
ASA Version 8.0(3) 
!
hostname YODA
enable password XXXXXXXXXXXXXXXXXXXXX encrypted
multicast-routing
names
name 172.31.0.0 DMZ
name 172.16.0.0 PRODUCTION
name 172.30.0.0 VPN
name 172.31.3.33 SPF01
name 172.31.3.34 SRES01
name 172.31.3.40 SRHD01
name 172.31.3.13 SRNASFTP
name 172.31.3.36 SRRA01
name 172.31.3.6 SRTS02
name 172.30.1.0 VPN_SUBNET
name 192.192.192.0 PRODUCTION_WORKSTATIONS_GENERAL
name 192.192.191.0 PRODUCTION_WORKSTATIONS_OPS
name 172.17.0.0 QALAB
name 172.31.3.44 SRBES01
name 172.31.3.51 SRWEB08
name 172.16.3.15 XSTORE1
name 172.31.3.35 SRSQLSB01
name 10.1.1.0 INternal description internal network
name 172.31.3.10 SRPBX01
!
interface Ethernet0/0
 description CONNECTION_TO_LUKE
 nameif INSIDE
 security-level 100
 ip address 10.1.1.6 255.255.255.252 
!
interface Ethernet0/1
 description CONNECTION_TO_DMZ
 nameif DMZ
 security-level 50
 ip address 172.31.1.1 255.255.0.0 
!
interface Ethernet0/2
 description CONNECTION_TO_CSC-SSM
 nameif CSC-SSM
 security-level 0
 ip address 10.3.1.1 255.255.255.252 
!
interface Ethernet0/3
 description CONNECTION_TO_VADER
 nameif OUTSIDE
 security-level 0
 ip address 10.1.1.9 255.255.255.252 
!
interface Management0/0
 description MANAGEMENT
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd xxxxxxxxxxxxxx encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup INSIDE
dns domain-lookup DMZ
dns domain-lookup CSC-SSM
dns domain-lookup OUTSIDE
dns server-group DNS_SERVERS
 name-server 172.16.3.1
 name-server 172.16.3.3
 domain-name xxxx.xxxxxxxxxxxxx.com
dns-group DNS_SERVERS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network VPNPOOL
 network-object VPN_SUBNET 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service dhcp tcp-udp
 port-object range 67 68
object-group service VPN tcp-udp
 port-object eq 500
 port-object eq 10000
 port-object eq 7777
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object gre 
 service-object esp 
 service-object udp eq isakmp 
 service-object ah 
object-group service DM_INLINE_SERVICE_2
 service-object gre 
 service-object esp 
 service-object udp eq isakmp 
 service-object ah 
object-group network DM_INLINE_NETWORK_7
 network-object PRODUCTION 255.255.0.0
 network-object VPN_SUBNET 255.255.255.0
object-group service ALTIGEN_TCP tcp
 port-object range 10025 10050
 port-object eq 10064
 port-object range 49152 49220
 port-object eq 69
 port-object eq h323
object-group service ALTIGEN_UDP udp
 port-object eq 10060
 port-object range 49152 49220
 port-object eq sip
object-group network INTERNAL_INSPECT_ADDRESSES
 network-object PRODUCTION_WORKSTATIONS_OPS 255.255.255.0
 network-object PRODUCTION_WORKSTATIONS_GENERAL 255.255.255.0
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service SMTP_ALL tcp
 port-object eq 587
 port-object eq smtp
object-group network DM_INLINE_NETWORK_5
 network-object host SRES01
 network-object host SRWEB08
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_6 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_3
 service-object tcp-udp eq www 
 service-object tcp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq domain
 port-object eq kerberos
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq 135 
 service-object tcp eq 137 
 service-object tcp eq 3268 
 service-object tcp eq 445 
 service-object tcp eq 88 
 service-object tcp eq ldap 
 service-object udp eq 389 
 service-object udp eq netbios-ns 
object-group service DM_INLINE_SERVICE_5
 service-object tcp eq www 
 service-object udp eq ntp 
object-group service UDP6001-6194 udp
 port-object range 6004 6194
object-group service DM_INLINE_TCP_7 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_8 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_9 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_10 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_11 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_12 tcp
 port-object eq www
 port-object eq https
object-group network SMTP_ALLOWED
 network-object host JJACKSON
object-group service DM_INLINE_TCP_13 tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_access_in extended deny ip any host XSTORE1 log debugging 
access-list OUTSIDE_access_in extended deny ip any host 172.17.1.29 log debugging 
access-list OUTSIDE_access_in extended permit ip any any 
access-list OUTSIDE_access_in remark ALLOW VPN SUBNET ANYWHERE
access-list OUTSIDE_access_in extended permit ip VPN_SUBNET 255.255.255.0 any 
access-list OUTSIDE_access_in remark ALLOW HTTP/HTTPS ACCESS FROM ANYWHERE TO NAT TO SRWEB08
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.2 object-group DM_INLINE_TCP_5 
access-list OUTSIDE_access_in remark ALLOW FTP ACCESS FROM ANYWHERE TO NAT TO SRNASFTP
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.3 object-group DM_INLINE_TCP_6 
access-list OUTSIDE_access_in remark ALLOW VPN ACCESS FROM ANYWHERE
access-list OUTSIDE_access_in extended permit object-group TCPUDP any host 111.111.111.10 object-group VPN 
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.2 object-group SMTP_ALL 
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.13 object-group DM_INLINE_TCP_8 
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.4 object-group DM_INLINE_TCP_11 
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.5 object-group DM_INLINE_TCP_13 
access-list OUTSIDE_access_in extended permit tcp any host SRSQLSB01 object-group DM_INLINE_TCP_9 
access-list OUTSIDE_access_in extended permit tcp any host SRES01 object-group DM_INLINE_TCP_3 
access-list OUTSIDE_access_in extended permit tcp any host SRHD01 object-group DM_INLINE_TCP_10 
access-list OUTSIDE_access_in extended permit tcp any host SRWEB08 object-group DM_INLINE_TCP_4 
access-list OUTSIDE_access_in extended permit tcp any host SPF01 object-group SMTP_ALL 
access-list OUTSIDE_access_in extended permit tcp any host SRNASFTP object-group DM_INLINE_TCP_7 
access-list OUTSIDE_access_in extended permit icmp any any inactive 
access-list OUTSIDE_access_in extended permit object-group TCPUDP any any object-group VPN 
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_2 any any 
access-list OUTSIDE_access_in extended deny ip any any log debugging 
access-list INSIDE_access_in extended permit tcp any host SRES01 eq smtp 
access-list INSIDE_access_in extended deny tcp any any eq smtp 
access-list INSIDE_access_in extended permit udp any any eq sip log debugging 
access-list INSIDE_access_in extended permit icmp any any 
access-list INSIDE_access_in extended permit object-group TCPUDP any any log debugging 
access-list INSIDE_access_in extended permit object-group TCPUDP any any object-group VPN 
access-list INSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
access-list INSIDE_access_in extended permit ip object-group DM_INLINE_NETWORK_7 DMZ 255.255.0.0 
access-list INSIDE_nat0_outbound extended permit ip any 10.3.1.0 255.255.255.252 
access-list global_mpc extended permit tcp object-group INTERNAL_INSPECT_ADDRESSES any object-group DM_INLINE_TCP_1 inactive 
access-list DRXDRX_splitTunnelAcl standard permit PRODUCTION 255.255.0.0 
access-list DRXDRX_splitTunnelAcl standard permit DMZ 255.255.0.0 
access-list DRXDRX_splitTunnelAcl standard permit VPN_SUBNET 255.255.255.0 
access-list DRXDRX_splitTunnelAcl standard permit QALAB 255.255.0.0 
access-list inside_nat0_outbound extended permit ip PRODUCTION 255.255.0.0 VPN_SUBNET 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.4 255.255.255.252 10.3.1.0 255.255.255.252 
access-list inside_nat0_outbound extended permit ip any DMZ 255.255.0.0 
access-list inside_nat0_outbound extended permit ip VERIZON_NETS 255.255.255.248 10.1.1.8 255.255.255.252 
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 
access-list outside_cryptomap extended permit ip any VPN_SUBNET 255.255.255.0 
access-list outside_cryptomap_20.20 extended permit ip any object-group VPNPOOL 
access-list OUTSIDE_nat0_outbound extended permit ip any VERIZON_NETS 255.255.255.248 
access-list OUTSIDE_nat0_outbound extended permit ip 10.1.1.8 255.255.255.252 any 
access-list OUTSIDE_nat0_outbound extended permit ip VPN_SUBNET 255.255.255.0 DMZ 255.255.0.0 
access-list DMZ_nat0_outbound extended permit ip DMZ 255.255.0.0 PRODUCTION 255.255.0.0 
access-list DMZ_nat0_outbound extended permit ip DMZ 255.255.0.0 VPN_SUBNET 255.255.255.0 
access-list DMZ_access_in extended permit ip DMZ 255.255.0.0 VPN_SUBNET 255.255.255.0 log 
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any eq smtp log debugging 
access-list DMZ_access_in extended deny tcp any any eq smtp log debugging 
access-list DMZ_access_in extended permit tcp host SRHD01 any object-group DM_INLINE_TCP_12 log debugging 
access-list DMZ_access_in remark ALLOW SRES01 SMTP ACCESS ANYWHERE
access-list DMZ_access_in extended permit tcp host SRES01 any eq smtp log inactive 
access-list DMZ_access_in extended permit ip DMZ 255.255.0.0 any 
access-list DMZ_access_in extended permit ip host SRSQLSB01 any log debugging 
access-list DMZ_access_in remark ALLOW ANYTHING FROM DMZ TO VPN_SUBNET
access-list DMZ_access_in remark ALLOW DHCP REQUESTS FROM DMZ TO PRODUCTION
access-list DMZ_access_in extended permit object-group TCPUDP DMZ 255.255.0.0 PRODUCTION 255.255.0.0 object-group dhcp log disable inactive 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_5 host SPF01 any inactive 
access-list DMZ_access_in remark ALLOW SRES01 IP ACCESS ANYWHERE
access-list DMZ_access_in extended permit ip host SRES01 any log disable inactive 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 DMZ 255.255.0.0 PRODUCTION 255.255.0.0 log disable inactive 
access-list DMZ_access_in remark ALOW DMZ DNS ACCESS ANYWHERE
access-list DMZ_access_in extended permit object-group TCPUDP DMZ 255.255.0.0 any object-group DM_INLINE_TCPUDP_1 log disable inactive 
access-list DMZ_access_in remark ALLOW SRES01 HTTP AND HTTPS ACCESS ANYWHERE
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 host SRES01 any log disable inactive 
access-list DMZ_access_in extended permit udp host SRES01 any object-group UDP6001-6194 inactive 
access-list DMZ_access_in extended permit udp host SRES01 any eq 1899 inactive 
access-list DMZ_access_in extended permit object-group TCPUDP host SRRA01 host 64.222.71.25 eq www inactive 
access-list DMZ_access_in extended permit tcp any DMZ 255.255.0.0 eq domain log disable inactive 
access-list DMZ_access_in extended permit object-group TCPUDP any host SRES01 eq www inactive 
access-list DMZ_access_in extended permit ip any host SRES01 inactive 
access-list DMZ_access_in remark DENY AND LOG
access-list DMZ_access_in extended deny ip any any log debugging 
access-list OUTSIDE_nat_static extended permit object-group TCPUDP host 111.111.111.10 object-group VPN any object-group VPN 
access-list acl-out extended permit object-group TCPUDP any object-group VPN host 111.111.111.10 object-group VPN 
access-list OUTSIDE_nat0_outbound_1 extended permit ip any host 111.111.111.14 
access-list CSC-SSM_access_in extended permit ip host 10.3.1.2 any 
access-list LAN2LAN_NAT0 extended permit ip PRODUCTION 255.255.0.0 object-group XXXXXXXXXX_SUBNETS 
access-list INSIDE_access_in_1 extended permit tcp any host SRES01 object-group SMTP_ALL log debugging 
access-list INSIDE_access_in_1 extended permit tcp object-group SMTP_ALLOWED any object-group SMTP_ALL log debugging 
access-list INSIDE_access_in_1 extended deny tcp any any object-group SMTP_ALL log debugging 
access-list INSIDE_access_in_1 extended permit ip any any 
access-list DMZ_access_out extended permit ip VPN_SUBNET 255.255.255.0 DMZ 255.255.0.0 
access-list DMZ_access_out extended permit ip any any log debugging 
access-list DMZ_access_out extended deny ip any any log debugging 
access-list OUTSIDE_access_in_1 extended permit ip host 10.1.1.10 any 
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
logging mail informational
logging debug-trace
mtu INSIDE 1500
mtu DMZ 1500
mtu CSC-SSM 1500
mtu OUTSIDE 1500
mtu management 1500
ip local pool vpnpool VPN_SUBNET-172.30.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
icmp permit any DMZ
icmp permit any CSC-SSM
icmp permit any OUTSIDE
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list inside_nat0_outbound
nat (INSIDE) 1 INternal 255.255.255.0
nat (INSIDE) 1 PRODUCTION 255.255.0.0
nat (INSIDE) 1 QALAB 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 DMZ 255.255.0.0
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound_1 outside
static (OUTSIDE,INSIDE) udp 10.1.1.4 sip 10.1.1.8 sip netmask 255.255.255.252 
static (DMZ,OUTSIDE) tcp 111.111.111.2 smtp SPF01 smtp netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.3 www SRWEB08 www netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.3 ftp-data SRNASFTP ftp-data netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.3 ftp SRNASFTP ftp netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.2 www SRES01 www netmask 255.255.255.255  norandomseq
static (DMZ,OUTSIDE) tcp 111.111.111.2 https SRES01 https netmask 255.255.255.255  norandomseq
static (DMZ,OUTSIDE) tcp 111.111.111.2 imap4 SRES01 imap4 netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.5 www SRHD01 www netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.5 https SRHD01 https netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.13 https SRSQLSB01 https netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.13 www SRSQLSB01 www netmask 255.255.255.255 
access-group INSIDE_access_in_1 in interface INSIDE
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group CSC-SSM_access_in in interface CSC-SSM
access-group OUTSIDE_access_in in interface OUTSIDE
!
router rip
 network 10.0.0.0
 network PRODUCTION
 network QALAB
 network 172.18.0.0
 network 172.19.0.0
 network 172.29.0.0
 network VPN
 network DMZ
 redistribute connected metric transparent
 version 2
!
route OUTSIDE 0.0.0.0 0.0.0.0 10.1.1.10 1
route INSIDE PRODUCTION 255.255.0.0 10.1.1.5 1
route DMZ DMZ 255.255.0.0 172.31.255.254 1
route INSIDE 192.168.169.0 255.255.255.0 10.1.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server MD_RAD_SVR-GRP protocol radius
aaa-server MD_RAD_SVR-GRP host 172.16.3.3
 key cisco
aaa-server MD_RAD_SVR_VPN protocol radius
aaa-server MD_RAD_SVR_VPN host 172.16.3.3
 key cisco
aaa authentication enable console MD_RAD_SVR-GRP LOCAL
aaa authentication http console MD_RAD_SVR-GRP LOCAL
aaa authentication serial console MD_RAD_SVR-GRP LOCAL
aaa authentication ssh console MD_RAD_SVR-GRP LOCAL
aaa authentication telnet console MD_RAD_SVR-GRP LOCAL
aaa authorization command LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http INternal 255.255.255.0 INSIDE
http PRODUCTION 255.255.0.0 INSIDE
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface OUTSIDE
crypto isakmp identity address 
crypto isakmp enable CSC-SSM
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet PRODUCTION 255.255.0.0 INSIDE
telnet 10.1.1.10 255.255.255.255 OUTSIDE
telnet timeout 5
console timeout 0
management-access INSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 172.16.3.1 INSIDE
dhcprelay enable DMZ
dhcprelay timeout 60
vpn load-balancing 
 interface lbpublic CSC-SSM
 interface lbprivate CSC-SSM
threat-detection basic-threat
threat-detection statistics
tftp-server INSIDE 172.16.3.3 c:\tftp-root\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy DRXDRX internal
group-policy DRXDRX attributes
 dns-server value 172.16.3.1 172.16.3.3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DRXDRX_splitTunnelAcl
username admin password EzWnaLdExFoNnglv encrypted privilege 15
tunnel-group DRXDRX type remote-access
tunnel-group DRXDRX general-attributes
 address-pool vpnpool
 authentication-server-group MD_RAD_SVR_VPN LOCAL
 default-group-policy DRXDRX
tunnel-group DRXDRX ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match access-list global_mpc
class-map INSPECTION_DEFAULT
 match default-inspection-traffic
!
!
policy-map global_policy
 class global-class
  csc fail-close
  inspect sip  
 class INSPECTION_DEFAULT
  inspect pptp 
  inspect ipsec-pass-thru 
  inspect sip  
  inspect ftp 
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
Cryptochecksum:64d40b67c73e5b36a9a8ab955f069a7b
: end
asdm image disk0:/asdm-611.bin
asdm location VERIZON_NETS 255.255.255.248 INSIDE
asdm location MPL911 255.255.255.0 INSIDE
asdm location PRODUCTION_WORKSTATIONS_OPS 255.255.255.0 INSIDE
asdm location QALAB 255.255.0.0 INSIDE
asdm location SRBES01 255.255.255.255 INSIDE
asdm location SRWEB08 255.255.255.255 INSIDE
asdm location XSTORE1 255.255.255.255 INSIDE
asdm location INternal 255.255.255.0 INSIDE
asdm location SRPBX01 255.255.255.255 INSIDE
no asdm history enable
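The posted config publishes the DMZ web hosts through static (DMZ,OUTSIDE) port forwards and filters them with OUTSIDE_access_in, whose third entry is a catch-all permit ip any any that decides every inbound flow before the host-specific rules and the final deny are reached. The Python below is an added example, not the asker's or the expert's code: it parses a constructed excerpt of that config (name aliases, service object-groups, statics and the inbound ACL) and reports, for each published service, which ACL line actually decides it and which host-specific rules are shadowed; the excerpt, the PORT_NAMES table and the function names are my own assumptions.

```python
from collections import defaultdict

# Constructed excerpt modelled on the posted config: name aliases, service
# object-groups, the static (DMZ,OUTSIDE) port forwards and OUTSIDE_access_in.
CONFIG = """\
name 172.31.3.34 SRES01
name 172.31.3.40 SRHD01
name 172.31.3.51 SRWEB08
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_6 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_13 tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.2 object-group DM_INLINE_TCP_5
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.3 object-group DM_INLINE_TCP_6
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.5 object-group DM_INLINE_TCP_13
access-list OUTSIDE_access_in extended deny ip any any log debugging
static (DMZ,OUTSIDE) tcp 111.111.111.3 www SRWEB08 www netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp 111.111.111.2 www SRES01 www netmask 255.255.255.255 norandomseq
static (DMZ,OUTSIDE) tcp 111.111.111.5 www SRHD01 www netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp 111.111.111.5 https SRHD01 https netmask 255.255.255.255
"""
# Service-name table (assumption: only the names that occur in the excerpt).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "smtp": 25}

def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def endpoint(t, i):
    """Parse one ACL endpoint at t[i]: 'any', 'host X' or 'NET MASK'; return (spec, next)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def parse(text):
    names, groups, statics, acl, group = {}, defaultdict(set), [], [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        t = line.split()
        if t[0] == "name":                              # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "service"]:
            group = t[2]
        elif t[:2] == ["port-object", "eq"] and group:
            groups[group].add(port_num(t[2]))
        elif t[:3] == ["static", "(DMZ,OUTSIDE)", "tcp"]:
            # static (DMZ,OUTSIDE) tcp <global_ip> <gport> <local> <lport> netmask ...
            statics.append((t[3], port_num(t[4]), names.get(t[5], t[5]), port_num(t[6])))
        elif t[:3] == ["access-list", "OUTSIDE_access_in", "extended"]:
            action, proto = t[3], t[4]
            dst, i = endpoint(t, endpoint(t, 5)[1])     # skip the source endpoint
            ports = None                                # None = every port
            if i < len(t) and t[i] == "object-group":
                ports = groups[t[i + 1]]
            acl.append({"action": action, "proto": proto, "dst": dst, "ports": ports, "line": line})
    return statics, acl

def matches(rule, gip, gport):
    """Does this inbound rule cover a TCP packet to gip:gport? ASA ACLs are first-match."""
    if rule["proto"] not in ("ip", "tcp") or rule["dst"] not in ("any", gip):
        return False
    return rule["ports"] is None or gport in rule["ports"]

def audit(text):
    """Per published service: the deciding rule, whether an explicit permit exists, and which host-specific rules are shadowed."""
    statics, acl = parse(text)
    report = {}
    for gip, gport, local, lport in statics:
        hits = [k for k, r in enumerate(acl) if matches(r, gip, gport)]
        first = hits[0] if hits else None
        specific = [k for k in hits if acl[k]["dst"] == gip]
        report[(gip, gport)] = {
            "local": f"{local}:{lport}",
            "first_match": acl[first]["line"] if first is not None else "implicit deny",
            "has_specific_permit": any(acl[k]["action"] == "permit" for k in specific),
            "shadowed_specific_rules": [acl[k]["line"] for k in specific if k != first],
        }
    return report

if __name__ == "__main__":
    for (gip, gport), info in audit(CONFIG).items():
        print(f"{gip}:{gport} -> {info['local']} decided by: {info['first_match']}")
```

On this excerpt every published service resolves to the catch-all permit, so the inbound ACL is not what separates SRHD01 from the two hosts that work; removing that one line makes each host-specific rule the deciding match again.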
 
03/30/09 11:55 AM, ID: 24021998, Expert Comment

03/30/09 12:05 PM, ID: 24022110, Author Comment

03/30/09 12:20 PM, ID: 24022260, Expert Comment

03/30/09 12:29 PM, ID: 24022361, Author Comment

03/30/09 12:31 PM, ID: 24022374, Expert Comment

03/30/09 12:32 PM, ID: 24022386, Expert Comment

03/30/09 12:45 PM, ID: 24022533, Author Comment

03/30/09 12:52 PM, ID: 24022611, Accepted Solution

About this solution

Zones: Cisco PIX Firewall, Networking Hardware Firewalls, Enterprise Firewalls
Tags: CISCO ASA 5510
Solution Provided By: JFrederick29
Participating Experts: 1
Solution Grade: A
 
 