01.16.2008 at 12:15AM PST, ID: 23086333
Routing not working with Cisco ASA 5510

Tags: Cisco, ASA 5510
I'm having problems with routing through my ASA 5510.

I can ping the gateway and beyond from the ASA (172.31.50.1 & 172.31.3.252), but I can't ping from the internal network through the device; it doesn't seem to be letting any traffic through.

Here's the config:

pix# show running-config
: Saved
:
ASA Version 7.0(7)
!
hostname pix
domain-name waterfrontstudios.co.za
enable password fXEvDioRaOdx6xq3 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address 172.31.50.10 255.255.255.0
!
interface Ethernet0/1
 nameif Trusted
 security-level 100
 ip address 192.168.21.1 255.255.0.0
!
interface Ethernet0/2
 description DMZ - Web, FTP, Mysql
 nameif DMZ
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/3
 description Clients - Client Network
 shutdown
 nameif Clients
 security-level 3
 ip address 10.10.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group service Farmers-Wife tcp
 description Farmers-Wife External Access
 port-object eq www
 port-object range 22000 22000
 port-object range 3389 3389
 port-object eq echo
object-group service Zimbra tcp
 description Email Servers
 port-object eq echo
 port-object eq www
 port-object range 7071 7071
 port-object eq ssh
 port-object eq pop3
 port-object eq https
 port-object eq smtp
 port-object eq imap4
object-group service webservices tcp
 description Preview,FTP,Webe
 port-object eq echo
 port-object eq www
 port-object eq ctiqbe
 port-object eq ssh
 port-object range 3389 3389
 port-object eq ftp
 port-object range 3306 3306
access-list Internet_access_in extended permit tcp any host 172.31.50.8 object-group Zimbra
access-list Internet_access_in extended permit tcp any host 172.31.50.6 object-group Zimbra
access-list Internet_access_in extended permit tcp any host 172.31.50.14 object-group webservices
access-list Internet_access_in extended permit tcp any host 172.31.50.7 object-group webservices
access-list Internet_access_in extended permit tcp any host 172.31.50.76 object-group webservices
access-list Internet_access_in extended permit tcp any host 172.31.50.77 object-group webservices
access-list Internet_access_in extended permit tcp any host 172.31.50.5 object-group Farmers-Wife
access-list Internet_access_in extended permit tcp any host 172.31.50.70 object-group webservices
access-list Internet_access_in extended permit tcp any host 172.31.50.13 object-group webservices
access-list Internet_access_in remark Waterfront Proxy Redirect
access-list Internet_access_in extended permit tcp any eq www host 172.31.50.81 eq 8080
access-list Internet_access_in extended permit icmp any any
access-list Trusted_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.224
pager lines 24
logging asdm informational
mtu Internet 1500
mtu Trusted 1500
mtu DMZ 1500
mtu Clients 1500
mtu management 1500
ip local pool VPN 192.168.0.10-192.168.0.20 mask 255.255.0.0
no failover
icmp permit any Internet
icmp permit any Trusted
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Internet) 2 172.31.50.100-172.31.50.239 netmask 255.255.255.0
global (DMZ) 1 10.10.20.50-10.10.20.100
nat (Trusted) 0 access-list Trusted_nat0_outbound
nat (Trusted) 0 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (DMZ,Internet) 172.31.50.8 10.10.20.2 netmask 255.255.255.255
static (DMZ,Internet) 172.31.50.6 10.10.20.3 netmask 255.255.255.255
static (DMZ,Internet) 172.31.50.14 10.10.20.4 netmask 255.255.255.255
static (DMZ,Internet) 172.31.50.7 10.10.20.5 netmask 255.255.255.255
static (DMZ,Internet) 172.31.50.76 10.10.20.6 netmask 255.255.255.255
static (DMZ,Internet) 172.31.50.77 10.10.20.7 netmask 255.255.255.255
static (Trusted,Internet) 172.31.50.5 192.168.0.53 netmask 255.255.255.255
static (Trusted,Internet) 172.31.50.70 192.168.0.54 netmask 255.255.255.255
static (Trusted,Internet) 172.31.50.13 192.168.21.151 netmask 255.255.255.255
static (Trusted,Internet) 172.31.50.81 192.168.0.60 netmask 255.255.255.255
access-group Internet_access_in in interface Internet
route Internet 0.0.0.0 0.0.0.0 172.31.50.1 1
route Trusted 192.0.0.0 255.255.0.0 192.168.21.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy CiscoASA internal
group-policy CiscoASA attributes
 wins-server value 192.168.0.51 192.168.0.52
 dns-server value 192.168.0.51 192.168.0.52
 default-domain value waterfrontvpn.co.za
 webvpn
username admin password nfxQSC/KrSi6UL15 encrypted privilege 15
username waterfront password iomyORe9E.7C9YY2 encrypted privilege 0
username waterfront attributes
 vpn-group-policy CiscoASA
 webvpn
aaa authentication telnet console LOCAL
http server enable
http 192.168.21.0 255.255.255.0 Trusted
http 192.168.0.0 255.255.255.255 Trusted
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map
crypto map Internet_map interface Internet
isakmp enable Internet
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group CiscoASA type ipsec-ra
tunnel-group CiscoASA general-attributes
 address-pool VPN
 default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.0.0 Trusted
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Trusted
dhcpd address 10.10.10.2-10.10.10.10 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 192.168.21.8
Cryptochecksum:9f90e62bd17f1f8763398562958d460b
: end


Anyone have any ideas?
Question Stats
Zone: Software
Question Asked By: condorcape
Solution Provided By: condorcape
Participating Experts: 2
Solution Grade: A
Views: 61
01.16.2008 at 03:31AM PST, ID: 20670791
Here's the routing table:

pix# show route

S    0.0.0.0 0.0.0.0 [1/0] via 172.31.50.1, Internet
C    172.31.50.0 255.255.255.0 is directly connected, Internet
S    192.0.0.0 255.0.0.0 [1/0] via 192.168.21.1, Trusted
C    192.168.0.0 255.255.0.0 is directly connected, Trusted
 
01.16.2008 at 11:28AM PST, ID: 20675153
What is the IP address you are pinging from and to?
 
01.16.2008 at 10:49PM PST, ID: 20679204
I'm pinging from 192.168.21.130 and trying to get out to 172.31.3.252 & 254

The thing is that I can't even ping the outside interface from the internal network (172.31.50.10). Nor can I ping the default route gateway (172.31.50.1).

If I log in to the ASA, though, I can ping everything.
 
01.22.2008 at 08:39AM PST, ID: 20715770
1. What's the default gateway for your Trusted PC?
2. Can you ping the inside (Trusted) interface on the ASA?
3. On the ASA, if you monitor the real time logging do you see your packets being blocked?
 
01.24.2008 at 12:33AM PST, ID: 20731614
Okay, I found a bit of the problem. The route was set to tunneled.

I've got this currently set up.

pix# show route
S    0.0.0.0 0.0.0.0 [1/0] via 172.31.50.1, Internet
C    172.31.50.0 255.255.255.0 is directly connected, Internet
C    192.168.0.0 255.255.0.0 is directly connected, Trusted
pix#

I can ping everything from the firewall but nothing from internal.

I've checked the access rules and I definitely have ICMP enabled.

My internal network is 192.168.*.* / 255.255.0.0.

I can't even ping the external interface from the internal network.

Any ideas?
 
01.24.2008 at 12:34AM PST, ID: 20731616
Just to reply.

1. 192.168.21.1 (The address of the pix internal interface)
2. Yes, I can ping both inside and out
3. Nothing that I can see.
 
01.24.2008 at 07:56AM PST, ID: 20734116
Just for verification, is the ASA routing normal HTTP traffic through or are you down? Is this ping only? Thanks.
 
01.24.2008 at 07:59AM PST, ID: 20734143
Here's something that may help:
http://www.cisco.com/E-Learning/bulk/public/celc/QLM_ASA_72_01_Final/course_skin.html
It's a learning module from Cisco on how to use the ASA's built-in Packet Tracer. This way we can trace what's happening to your ICMP packets.
 
01.24.2008 at 08:04AM PST, ID: 20734191
No packet tracer on my ASA :(

I'm going to update the firmware now which hopefully includes the update.
 
01.24.2008 at 08:13AM PST, ID: 20734278
Not eligible for the download. argh.

I've asked our resellers to get it for me.
 
01.24.2008 at 08:28AM PST, ID: 20734447
It's not hard to use; it's a button on the top row in the ASDM named Packet Tracer. You can just enter the source and destination IPs and then have it trace the packet to find out what's happening to it.
 
01.24.2008 at 10:50PM PST, ID: 20740595
Okay, I've made some progress :)

I can ping out if I NAT an internal address to an external address.

i.e. 192.168.21.137 NAT'd to 172.31.50.75: I can get out with no problems.

Naturally I thought that I'd need a PAT then for all the internals to get out. I've added an address pool and NAT'd 192.168.0.0/16 to the pool, but it still doesn't work.

Is there anything specific I need to do to get all inside IPs (clients) to get out to the net?
 
01.25.2008 at 05:07AM PST, ID: 20742101
Can you post the updated config so we can see the new NAT config?
 
01.25.2008 at 05:12AM PST, ID: 20742134
I've got it working :)

I needed to NAT outgoing LAN connections to an external pool of addresses.

Thanks, everyone, for your comments.

Here's the config, out of interest:

pix# show config
: Saved
: Written by enable_15 at 04:15:24.370 UTC Fri Jan 25 2008
!
ASA Version 8.0(2)
!
hostname pix
domain-name waterfrontstudios.co.za
enable password fXEvDioRaOdx6xq3 encrypted
names
name 172.31.50.75 HERE
dns-guard
!
interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address 172.31.50.12 255.255.255.0
!
interface Ethernet0/1
 nameif Trusted
 security-level 100
 ip address 192.168.21.3 255.255.0.0
!
interface Ethernet0/2
 description DMZ - Web, FTP, Mysql
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/3
 description Clients - Client Network
 shutdown
 nameif Clients
 security-level 3
 ip address 10.10.30.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name waterfrontstudios.co.za
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Farmers-Wife tcp
 description Farmers-Wife External Access
 port-object eq www
 port-object range 22000 22000
 port-object range 3389 3389
 port-object eq echo
object-group service Zimbra tcp
 description Email Servers
 port-object eq echo
 port-object eq www
 port-object range 7071 7071
 port-object eq ssh
 port-object eq pop3
 port-object eq https
 port-object eq smtp
 port-object eq imap4
object-group service webservices tcp
 description Preview,FTP,Webe
 port-object eq echo
 port-object eq www
 port-object eq ctiqbe
 port-object eq ssh
 port-object range 3389 3389
 port-object eq ftp
 port-object range 3306 3306
access-list Trusted_access_in extended permit tcp any any
access-list Trusted_access_in extended permit icmp any any
access-list Trusted_access_out extended permit icmp any any
access-list Internet_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu Internet 1500
mtu Trusted 1500
mtu DMZ 1500
mtu Clients 1500
mtu management 1500
ip local pool VPN 192.168.0.10-192.168.0.20 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internet
icmp permit any Trusted
asdm image disk0:/asdm-602.bin
asdm location 192.168.0.53 255.255.255.255 Trusted
asdm location 10.10.20.2 255.255.255.255 DMZ
asdm location 172.31.50.5 255.255.255.255 DMZ
no asdm history enable
arp timeout 14400
global (Internet) 2 172.31.50.240-172.31.50.250 netmask 255.255.0.0
nat (Trusted) 2 192.168.0.0 255.255.0.0
access-group Internet_access_in in interface Internet
access-group Trusted_access_in in interface Trusted
access-group Trusted_access_out out interface Trusted
route Internet 0.0.0.0 0.0.0.0 172.31.50.1 1
route Trusted 192.0.0.0 255.0.0.0 192.168.21.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 management
http 192.168.0.0 255.255.255.255 Trusted
http 192.168.21.0 255.255.255.0 Trusted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map
crypto map Internet_map interface Internet
crypto isakmp identity hostname
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.0.0 Trusted
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Trusted
dhcpd address 10.10.10.2-10.10.10.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy CiscoASA internal
group-policy CiscoASA attributes
 wins-server value 192.168.0.51 192.168.0.52
 dns-server value 192.168.0.51 192.168.0.52
 default-domain value waterfrontvpn.co.za
username admin password nfxQSC/KrSi6UL15 encrypted privilege 15
username waterfront password iomyORe9E.7C9YY2 encrypted privilege 0
username waterfront attributes
 vpn-group-policy CiscoASA
tunnel-group CiscoASA type remote-access
tunnel-group CiscoASA general-attributes
 address-pool VPN
 default-group-policy CiscoASA
tunnel-group CiscoASA ipsec-attributes
 pre-shared-key *
smtp-server 192.168.21.8
prompt hostname context
Cryptochecksum:306c682b6730cd6fdaf98a7aa1cbd4db
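As an added example (not code from the thread or from Cisco), a small Python linter for the pre-8.3 `nat`/`global` pairing that caused the trouble above: run over trimmed excerpts of the two configs posted in this thread, it flags the identity-NAT catch-all and the unused pools in the first config and confirms the working one. The excerpts keep only the interface, `nat` and `global` lines from the posts; the finding names are my own.

```python
"""Lint pre-8.3 Cisco ASA 'nat'/'global' pairing (constructed example)."""
import re

IFACE_RE = re.compile(r"^ nameif (\S+)")
SECLVL_RE = re.compile(r"^ security-level (\d+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (?:access-list (\S+)|(\S+) (\S+))")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

# Excerpts (interfaces, nat, global only) of the two configs posted in this thread.
FIRST_CONFIG = """\
interface Ethernet0/0
 nameif Internet
 security-level 0
interface Ethernet0/1
 nameif Trusted
 security-level 100
interface Ethernet0/2
 nameif DMZ
 security-level 50
global (Internet) 2 172.31.50.100-172.31.50.239 netmask 255.255.255.0
global (DMZ) 1 10.10.20.50-10.10.20.100
nat (Trusted) 0 access-list Trusted_nat0_outbound
nat (Trusted) 0 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
"""

WORKING_CONFIG = """\
interface Ethernet0/0
 nameif Internet
 security-level 0
interface Ethernet0/1
 nameif Trusted
 security-level 100
global (Internet) 2 172.31.50.240-172.31.50.250 netmask 255.255.0.0
nat (Trusted) 2 192.168.0.0 255.255.0.0
"""


def parse(config):
    """Return (security level per nameif, nat rules, global pools)."""
    levels, nats, pools, cur = {}, [], [], None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            cur = m.group(1)
        elif m := SECLVL_RE.match(line):
            levels[cur] = int(m.group(1))
        elif m := NAT_RE.match(line):
            iface, nat_id, acl, net, mask = m.groups()
            nats.append((iface, int(nat_id), acl, net, mask))
        elif m := GLOBAL_RE.match(line):
            pools.append((m.group(1), int(m.group(2)), m.group(3)))
    return levels, nats, pools


def lint_nat(config):
    """Classify each nat rule by the global pool it can use, if any."""
    levels, nats, pools = parse(config)
    findings = []
    for iface, nat_id, acl, net, mask in nats:
        if nat_id == 0 and acl:
            # NAT exemption: only the ACL's traffic is left untranslated.
            findings.append(("exempt", iface, acl))
        elif nat_id == 0:
            # Identity NAT for everything: packets leave with their real inside
            # source addresses, so the upstream gateway needs a route back to
            # that network. This is the rule the first config relied on.
            findings.append(("identity", iface, f"{net} {mask}"))
        else:
            # A pool with the same id applies only on a lower-security interface.
            outs = sorted(p_if for p_if, p_id, _ in pools
                          if p_id == nat_id and levels.get(p_if, 0) < levels.get(iface, 0))
            findings.append(("translated", iface, nat_id, outs) if outs
                            else ("orphan", iface, nat_id))
    used = {nat_id for _, nat_id, *_ in nats}
    # A pool nothing maps to translates nothing; the first config had two.
    findings += [("unused-pool", p_if, p_id) for p_if, p_id, _ in pools if p_id not in used]
    return findings


if __name__ == "__main__":
    for name, cfg in (("first", FIRST_CONFIG), ("working", WORKING_CONFIG)):
        print(name, *lint_nat(cfg), sep="\n  ")
```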
 
01.28.2008 at 05:26AM PST, ID: 20758640
Am I right in saying that you do need to NAT all inside addresses in order to get out?

This thing is really annoying me now.

We have an entire range of external IPs, 172.31.50.1 - 172.31.50.254.

I have to add a dynamic NAT from 192.168.0.0 - 172.31.50.100 - 200 in order to get out. Is that correct?

If possible, does anyone have a working config of an ASA 5510 with a DMZ and multiple external IP addresses that I could use as a base?

 
01.31.2008 at 04:07AM PST, ID: 20785803
So, for the record I've managed to sort it out after much frustration and anger. I nearly threw this thing out of the window.

In the end it was something silly. I was trying to do this translation:

192.168.0.0/16 - 10.10.20.0/24

To fix, it was simply doing the following

192.168.0.0/16 - 10.10.20.0/16

Thanks for all the help, guys.

Accepted Solution