Cannot get Port Forwarding to work
I have 12 external IP Addresses that I will be adding to the 5510 from a Watchguard that we are replacing. Currently We are using AnyConnect VPN and routing to different internal subnets which work fine. Now we want to start moving some of services over to the 5510. I tried to setup Port forwarding by testing 2 of the external IPs that are not being used, But I cannot get it to work. Any help will be greatly appreciated.
ASA Version 8.0(2)
!
hostname RobbinstbmFW
domain-name Corporate
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.168.0.0 Internal_Net description Local Lan
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.47 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.101.10 255.255.255.0
!
interface Ethernet0/2
description Lan2 Network Port
shutdown
nameif Lan2
security-level 100
ip address dhcp setroute
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.101.19
name-server 192.168.101.20
name-server 65.106.1.196
name-server 65.106.7.196
domain-name Corporate
object-group network VPNSplitTunnel
network-object 192.168.110.0 255.255.255.0
object-group service Netbios udp
port-object eq domain
port-object eq netbios-dgm
port-object eq netbios-ns
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host X.X.X.45 eq www
access-list outside_access_in extended permit tcp any host X.X.X.46 eq www
access-list outside_access_in extended permit tcp any host X.X.X.45 eq 3389
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit udp any interface outside eq netbios-ns
access-list inside_nat0_outbound extended permit ip any 192.168.110.0 255.255.255.0
access-list inside_authentication extended permit tcp any any
access-list VPNSplit extended permit ip 192.168.110.0 255.255.255.0 any inactive
access-list VPNSplit remark Client Split Tunnel Access
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit tcp 192.168.110.0 255.255.255.0 any
access-list inside_access_out extended permit tcp any any
access-list nonat extended permit ip any 192.168.110.0 255.255.255.0 inactive
access-list Split_Tunnel_List remark The corporate network behind the ASA.
access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0
access-list Split_Tunnel_List remark Kent Network
access-list Split_Tunnel_List standard permit 192.168.100.0 255.255.255.0
access-list Split_Tunnel_List remark WV Network
access-list Split_Tunnel_List standard permit 192.168.102.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Lan2 1500
mtu management 1500
ip local pool VPNPool 192.168.110.50-192.168.110.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Internal_Net 255.255.0.0
static (inside,outside) X.X.X.45 192.168.101.26 netmask 255.255.255.255
static (inside,outside) X.X.X.46 192.168.101.8 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
route inside Internal_Net 255.255.0.0 192.168.101.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
network-acl inside_access_out
network-acl outside_access_in
webvpn
url-list value CorporateMail,Solon-TS1
file-browsing enable
file-entry enable
url-entry enable
svc ask enable default svc
aaa-server Cisco protocol radius
aaa-server Cisco host 192.168.101.19
timeout 5
key alpha1111
radius-common-pw alpha1111
acl-netmask-convert auto-detect
aaa authentication match inside_authentication inside Cisco
aaa authentication enable console Cisco
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.101.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server location Solon HQ
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 outside
telnet Internal_Net 255.255.0.0 inside
telnet timeout 120
ssh timeout 5
console timeout 0
dhcp-client client-id interface Lan2
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0128-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
wins-server value 192.168.101.19
dns-server value 192.168.101.19
vpn-tunnel-protocol IPSec svc webvpn
ip-comp enable
re-xauth enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
webvpn
url-list value CorporateMail
svc rekey time 30
svc rekey method ssl
svc modules value vpngina
svc ask none default webvpn
group-policy Split_Tunnel internal
group-policy Split_Tunnel attributes
vpn-filter value VPNSplit
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc modules value vpngina
svc ask none default webvpn
tunnel-group DefaultRAGroup webvpn-attributes
hic-fail-group-policy Split_Tunnel
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNPool
authentication-server-group Cisco
tunnel-group DefaultWEBVPNGroup webvpn-attributes
nbns-server 192.168.101.19 master timeout 2 retry 2
prompt hostname context
Cryptochecksum:5fc8b93aa79b99bd19b90e11664de406
: end
asdm image disk0:/asdm-602.bin
asdm location 192.168.101.5 255.255.255.255 outside
no asdm history enable
debuggerau
looks ok, have you tried to trace through the ADSM to see if packets are infact getting passed through?
ASKER
No I have not , I am by no means an expert on setting this up, But using multiple IP address didn't seem to difficult. As soon as I have a chance I will do the trace and then Let you know what it say's. Thanks
Are you certain that the router is passing those IP through?
The trace test will only verify the ASA.
The trace test will only verify the ASA.
ASKER
Yes, The IP Addresses where on the WatchGuard and being used. I removed 2 of them as Aliases from the WatchGuard and rebooted it to flush everything out of it?
did you restart the ASA after setting it up?
ASKER
Took a couple of day's off. Thank you for your patience and support. I will pick it back up tomorrow and I will post the results, Thanks again
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your help