Cant seem to get OWA through the firewall
We have an ASA and i am trying to open up communication from our exchange server OWA to the outside. Here is the way our setup looks. Our exchange server sits in the local LAN but we have a PGP and a Symantec Mail Security Gateway server in the DMZ that our mail passes through.
Mailserver internal LAN address is 192.168.1.239
When going to the internet and findind the WAN IP from the mailserver it comes back as 12.111.128.186
I try to set a static to it of 12.111.128.184 --> 192.168.1.239 but when i do that the internet dies.
Here is our config below. If someone could help me figure out what i need to do to get OWA to show up on the outside i would be gracious !! I already have a certificate and OWA setup on the inside of the LAN working perfectly.
ASA Version 7.0(6)
!
hostname fhkfw
domain-name XXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXX encrypted
no names
name 192.168.3.235 fw2
name 192.168.4.102 relay
name 192.168.4.100 keys-untrusted
name 192.168.4.101 keys-trusted
name 192.168.4.253 vpn
name 192.168.3.234 isa
dns-guard
!
interface GigabitEthernet0/0
description External Interface
nameif Outside
security-level 0
ip address 12.111.128.186 255.255.255.248
!
interface GigabitEthernet0/1
description Entry to Internal network
nameif Inside
security-level 100
ip address 192.168.1.235 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ entry to web-servers
nameif DMZ
security-level 50
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/3
description ACS P2P to FHKC
nameif ACS
security-level 25
ip address 192.168.90.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Welcome to $(domain).
banner exec UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.
banner login Welcome to $(domain)
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns retries 5
dns domain-lookup Outside
access-list Outside_access_in extended permit tcp any host 12.111.128.187 eq smtp
access-list Outside_access_in extended permit ip any host 12.111.128.189
access-list Outside_access_in extended permit tcp any host 12.111.128.187 eq pptp
access-list Outside_access_in extended permit tcp any host 12.111.128.184 eq https
access-list FHKCvpn_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list FHKCvpn_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list FHKCvpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outdmz extended permit tcp any host 12.111.128.187 eq smtp
access-list dmzin extended permit tcp host 192.168.4.102 any eq smtp
access-list split extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list split extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list split extended permit ip 192.168.4.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list split extended permit ip 10.10.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ALLOW_ALL extended permit ip any any
access-list ACSP2P_access_in extended permit tcp any host 192.168.1.245 eq ftp
access-list ACSP2P_access_in extended permit tcp any host 192.168.1.245 eq ftp-data
access-list http-list extended permit ip any any
!
tcp-map tmap
exceed-mss allow
!
pager lines 24
logging enable
logging timestamp
logging list Log_Everything level warnings
logging list VPN-Traffic level informational class vpn
logging asdm-buffer-size 200
logging monitor notifications
logging asdm debugging
logging from-address webvpn@healthykids.org
logging recipient-address techsupport@healthykids.or
logging host Inside 192.168.1.253 format emblem
logging debug-trace
logging permit-hostdown
logging class vpn buffered informational trap informational
logging class vpnc trap informational
logging class vpnfo trap informational
logging class vpnlb trap informational
logging class webvpn trap informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu ACS 1500
mtu management 1500
ip local pool VpnPool 192.168.12.1-192.168.12.50
ip verify reverse-path interface Outside
ip verify reverse-path interface Inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface ACS
ip audit attack action alarm drop
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface DMZ
monitor-interface ACS
monitor-interface management
asdm image disk0:/asdm506.bin
asdm history enable
arp timeout 14400
global (Outside) 200 interface
global (Outside) 100 12.111.128.187 netmask 255.255.255.255
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 200 0.0.0.0 0.0.0.0
nat (DMZ) 200 0.0.0.0 0.0.0.0
static (DMZ,Outside) 12.111.128.189 192.168.4.253 netmask 255.255.255.255
static (Inside,ACS) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,Outside) 12.111.128.188 192.168.4.100 netmask 255.255.255.255
static (DMZ,Outside) 12.111.128.187 192.168.4.201 netmask 255.255.255.255
static (DMZ,Outside) 12.111.128.184 192.168.1.239 netmask 255.255.255.255 ********This is the line i try fo the static that kills the internet **************************
access-group Outside_access_in in interface Outside
access-group ALLOW_ALL in interface DMZ
access-group ACSP2P_access_in in interface ACS
route Outside 0.0.0.0 0.0.0.0 12.111.128.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list ApplicationServer "FHKC USERS (Z:)" cifs://192.168.1.240/users
url-list ApplicationServer "FHKC (M:) Drive" cifs://192.168.1.240/FHKC
url-list ApplicationServer "FHKC USERS ( Z: )" cifs://192.168.1.238/users
url-list ApplicationServer "FHKC Intranet" http://192.168.1.233
url-list ApplicationServer "FHKC ( M: ) Drive" cifs://192.168.1.238/FHKC
url-list ApplicationServer "Outlook Web Access" https://192.168.1.239/exchange
aaa-server healthykids.org protocol nt
reactivation-mode timed
max-failed-attempts 5
aaa-server healthykids.org host 192.168.1.230
nt-auth-domain-controller 192.168.1.230
aaa-server fhkc_author_grp protocol ldap
aaa-server fhkc_authent_grp protocol kerberos
aaa-server fhkc_authent_grp host 192.168.1.230
kerberos-realm HEALTHYKIDS.ORG
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry file-access file-entry file-browsing
url-list value ApplicationServer
port-forward-name value Application Access
group-policy FHKCvpn internal
group-policy FHKCvpn attributes
banner value XXXXXXXXXXXXXXXXXXXXXXXXXX
banner value +-------------------------
banner value This system is for authorized users only. Unauthorized access is prohibited,
banner value and violators will be prosecuted. System activity is monitored and keystroke
banner value entries may be monitored. Anyone using the system expressly consents to such monitoring.
banner value --------------------------
wins-server value 192.168.1.230
dns-server value 192.168.1.230 199.44.22.132
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value healthykids.org
webvpn
functions url-entry file-access file-entry file-browsing mapi
url-list value ApplicationServer
XXXXXXXXXXXXXXXXXXXXXXXXXX
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 0.0.0.0 0.0.0.0 management
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
auth-prompt accept Access Granted
auth-prompt reject Access Rejected
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto ca trustpoint my.goDaddy.trustpoint
enrollment terminal
XXXXXXXXXXXXXXXXXXXXXXXXXX
keypair my.goDaddy.key
crl configure
crypto ca certificate chain my.goDaddy.trustpoint
certificate 417ede
30820512 308203fa a0030201 02020341 7ede300d 06092a86 4886f70d 01010505
003081ca 310b3009 06035504 06130255 53311030 0e060355 04081307 4172697a
6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018 06035504
0a131147 6f446164 64792e63 6f6d2c20 496e632e 31333031 06035504 0b132a68
7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63 6f6d2f72
65706f73 69746f72 79313030 2e060355 04031327 476f2044 61646479 20536563
75726520 43657274 69666963 6174696f 6e204175 74686f72 69747931 11300f06
03550405 13083037 39363932 3837301e 170d3037 31303235 32313431 34355a17
0d303831 30323532 31343134 355a3065 311f301d 06035504 0a131677 65627670
6e2e6865 616c7468 796b6964 732e6f72 67312130 1f060355 040b1318 446f6d61
696e2043 6f6e7472 6f6c2056 616c6964 61746564 311f301d 06035504 03131677
65627670 6e2e6865 616c7468 796b6964 732e6f72 6730819f 300d0609 2a864886
f70d0101 01050003 818d0030 81890281 8100ccdc 9127eb50 d914aa4e c6945638
9dfeff30 6985daf2 c5bfc5b8 e60b4525 6f705e63 2d240864 cf1324d3 0752689f
41a774da b5551ba4 66fe37e9 efba3a8e f9d6d65c 73235f92 3733d9f0 a74a0566
3d1882bd 0fb05e8e 516f5f34 65e48046 75586a2c d4730dbf b3c52497 584b1d68
3f138c36 2ebbd312 74648831 897c7012 d5fb0203 010001a3 8201e730 8201e330
09060355 1d130402 3000300b 0603551d 0f040403 0205a030 1d060355 1d250416
30140608 2b060105 05070301 06082b06 01050507 03023056 0603551d 1f044f30
4d304ba0 49a04786 45687474 703a2f2f 63657274 69666963 61746573 2e676f64
61646479 2e636f6d 2f726570 6f736974 6f72792f 676f6461 64647965 7874656e
64656469 73737569 6e672e63 726c3052 0603551d 20044b30 49304706 0b608648
0186fd6d 01071701 30383036 06082b06 01050507 0201162a 68747470 3a2f2f63
65727469 66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f 7369746f
7279307f 06082b06 01050507 01010473 30713023 06082b06 01050507 30018617
68747470 3a2f2f6f 6373702e 676f6461 6464792e 636f6d30 4a06082b 06010505
07300286 3e687474 703a2f2f 63657274 69666963 61746573 2e676f64 61646479
2e636f6d 2f726570 6f736974 6f72792f 67645f69 6e746572 6d656469 6174652e
63727430 1d060355 1d0e0416 04147cf4 05679485 0534d0a6 2d969d27 fe451e0e
88cf301f 0603551d 23041830 168014fd ac613293 6c45d6e2 ee855f9a bae77699
68cce730 3d060355 1d110436 30348216 77656276 706e2e68 65616c74 68796b69
64732e6f 7267821a 7777772e 77656276 706e2e68 65616c74 68796b69 64732e6f
7267300d 06092a86 4886f70d 01010505 00038201 010085a7 51187110 78ab315a
c7a43619 5e00551e ba52d320 0540dcd6 59f9a5ee 908450c2 80d18b07 15f88a39
aea4a696 881a5b1f aa723f3b f1ebd80d d909f9db 37ff1939 44d5adf2 1fdf6801
39d36e13 e3086f0a 257cf26d 3682229b 7a43dbe7 f27e4e2e 2f443cf1 6b14e5e2
04240469 c440bb51 9334b09c 9e26ac50 96c9216b 5ac95a04 a96c1c3c 9989cd56
99927d40 7f92c736 6100baad 165a5da5 56952b73 d524ab2f 66760eaa 65bb1d9d
e5f58a28 c8960b65 9202fdba f7a429d0 4f889f7f 1398a750 954e3db2 ec89578c
e01a9db2 933c40f5 6e8fa7ad 28cc9bcd 28803753 f2f51afb 3958338e dcf35a04
4cd6dd93 e9f33327 f945e6fa 87441066 25e36706 67fc
quit
certificate ca 0301
308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500
3063310b 30090603 55040613 02555331 21301f06 0355040a 13185468 6520476f
20446164 64792047 726f7570 2c20496e 632e3131 302f0603 55040b13 28476f20
44616464 7920436c 61737320 32204365 72746966 69636174 696f6e20 41757468
6f726974 79301e17 0d303631 31313630 31353433 375a170d 32363131 31363031
35343337 5a3081ca 310b3009 06035504 06130255 53311030 0e060355 04081307
4172697a 6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018
06035504 0a131147 6f446164 64792e63 6f6d2c20 496e632e 31333031 06035504
0b132a68 7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63
6f6d2f72 65706f73 69746f72 79313030 2e060355 04031327 476f2044 61646479
20536563 75726520 43657274 69666963 6174696f 6e204175 74686f72 69747931
11300f06 03550405 13083037 39363932 38373082 0122300d 06092a86 4886f70d
01010105 00038201 0f003082 010a0282 010100c4 2dd5158c 9c264cec 3235eb5f
b859015a a6618159 3b7063ab e3dc3dc7 2ab8c933 d379e43a ed3c3023 848eb330
14b6b287 c33d9554 049edf99 dd0b251e 21de6529 7e35a8a9 54ebf6f7 3239d426
5595adef fbfe5886 d79ef400 8d8c2a0c bd4204ce a73f04f6 ee80f2aa ef52a169
66dabe1a ad5dda2c 66ea1a6b bbe51a51 4a002f48 c79875d8 b929c8ee f8666d0a
9cb3f3fc 787ca2f8 a3f2b5c3 f3b97a91 c1a7e625 2e9ca8ed 12656e6a f6124453
703095c3 9c2b582b 3d08744a f2be51b0 bf87d04c 27586bb5 35c59daf 1731f80b
8feead81 36058908 98cf3aaf 2587c049 eaa7fd67 f7458e97 cc1439e2 3685b57e
1a37fd16 f671119a 743016fe 1394a33f 840d4f02 03010001 a3820132 3082012e
301d0603 551d0e04 160414fd ac613293 6c45d6e2 ee855f9a bae77699 68cce730
1f060355 1d230418 30168014 d2c4b0d2 91d44c11 71b361cb 3da1fedd a86ad4e3
30120603 551d1301 01ff0408 30060101 ff020100 30330608 2b060105 05070101
04273025 30230608 2b060105 05073001 86176874 74703a2f 2f6f6373 702e676f
64616464 792e636f 6d304606 03551d1f 043f303d 303ba039 a0378635 68747470
3a2f2f63 65727469 66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f
7369746f 72792f67 64726f6f 742e6372 6c304b06 03551d20 04443042 30400604
551d2000 30383036 06082b06 01050507 0201162a 68747470 3a2f2f63 65727469
66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f 7369746f 7279300e
0603551d 0f0101ff 04040302 0106300d 06092a86 4886f70d 01010505 00038201
0100d286 c0ecbdf9 a1b667ee 660ba206 3a04508e 1572ac4a 749553cb 37cb4449
ef07906b 33d996f0 9456a513 30053c85 32217bc9 c70aa824 a490de46 d3252314
0367c210 d66f0f5d 7b7acc9f c5582ac1 c49e21a8 5af3aca4 46f39ee4 63cb2f90
a4292901 d9722c29 df370127 bc4fee68 d3218fc0 b3e4f509 edd210aa 53b4bef0
cc590bd6 3b961c95 2449dfce ecfda748 9114450e 3a366fda 45b345a2 41c9d4d7
444e3eb9 7476d5a2 13552cc6 87a3b599 ac068487 7f7506fc bf144c0e cc6ec4df
3db71271 f4e8f151 40222849 e01d4b87 a834cc06 a2dd125a d1863664 03356f6f
776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee
quit
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group FHKCvpn type ipsec-ra
tunnel-group FHKCvpn general-attributes
address-pool VpnPool
authorization-server-group
default-group-policy FHKCvpn
tunnel-group FHKCvpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 60
ssh version 2
console timeout 60
management-access Inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map http
match access-list http-list
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect icmp
inspect http
inspect dns maximum-length 1024
inspect esmtp
class http
set connection advanced-options tmap
policy-map DfltGrpPolicy
!
service-policy global_policy global
tftp-server Inside 192.168.1.49 ASAConfig_04302008.txt
ssl trust-point my.goDaddy.trustpoint
ssl trust-point my.goDaddy.trustpoint Outside
ssl trust-point my.goDaddy.trustpoint Inside
webvpn
enable Outside
title XXXXXXXXXXXXXXXXXXXXXXXXXX
nbns-server 192.168.1.230 master timeout 2 retry 2
authentication-server-grou
smtps
enable DMZ
port 25
server 192.168.4.101
authentication-server-grou
authorization-server-group
default-group-policy DfltGrpPolicy
smtp-server 192.168.1.239
Cryptochecksum:6b1bb2e5b65
: end
Mailserver internal LAN address is 192.168.1.239
When going to the internet and findind the WAN IP from the mailserver it comes back as 12.111.128.186
I try to set a static to it of 12.111.128.184 --> 192.168.1.239 but when i do that the internet dies.
Here is our config below. If someone could help me figure out what i need to do to get OWA to show up on the outside i would be gracious !! I already have a certificate and OWA setup on the inside of the LAN working perfectly.
ASA Version 7.0(6)
!
hostname fhkfw
domain-name XXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXX encrypted
no names
name 192.168.3.235 fw2
name 192.168.4.102 relay
name 192.168.4.100 keys-untrusted
name 192.168.4.101 keys-trusted
name 192.168.4.253 vpn
name 192.168.3.234 isa
dns-guard
!
interface GigabitEthernet0/0
description External Interface
nameif Outside
security-level 0
ip address 12.111.128.186 255.255.255.248
!
interface GigabitEthernet0/1
description Entry to Internal network
nameif Inside
security-level 100
ip address 192.168.1.235 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ entry to web-servers
nameif DMZ
security-level 50
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/3
description ACS P2P to FHKC
nameif ACS
security-level 25
ip address 192.168.90.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
banner exec Welcome to $(domain).
banner exec UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device.
banner login Welcome to $(domain)
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns retries 5
dns domain-lookup Outside
access-list Outside_access_in extended permit tcp any host 12.111.128.187 eq smtp
access-list Outside_access_in extended permit ip any host 12.111.128.189
access-list Outside_access_in extended permit tcp any host 12.111.128.187 eq pptp
access-list Outside_access_in extended permit tcp any host 12.111.128.184 eq https
access-list FHKCvpn_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0
access-list FHKCvpn_splitTunnelAcl standard permit 192.168.4.0 255.255.255.0
access-list FHKCvpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outdmz extended permit tcp any host 12.111.128.187 eq smtp
access-list dmzin extended permit tcp host 192.168.4.102 any eq smtp
access-list split extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list split extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list split extended permit ip 192.168.4.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list split extended permit ip 10.10.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list ALLOW_ALL extended permit ip any any
access-list ACSP2P_access_in extended permit tcp any host 192.168.1.245 eq ftp
access-list ACSP2P_access_in extended permit tcp any host 192.168.1.245 eq ftp-data
access-list http-list extended permit ip any any
!
tcp-map tmap
exceed-mss allow
!
pager lines 24
logging enable
logging timestamp
logging list Log_Everything level warnings
logging list VPN-Traffic level informational class vpn
logging asdm-buffer-size 200
logging monitor notifications
logging asdm debugging
logging from-address webvpn@healthykids.org
logging recipient-address techsupport@healthykids.or
logging host Inside 192.168.1.253 format emblem
logging debug-trace
logging permit-hostdown
logging class vpn buffered informational trap informational
logging class vpnc trap informational
logging class vpnfo trap informational
logging class vpnlb trap informational
logging class webvpn trap informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu ACS 1500
mtu management 1500
ip local pool VpnPool 192.168.12.1-192.168.12.50
ip verify reverse-path interface Outside
ip verify reverse-path interface Inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface ACS
ip audit attack action alarm drop
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface DMZ
monitor-interface ACS
monitor-interface management
asdm image disk0:/asdm506.bin
asdm history enable
arp timeout 14400
global (Outside) 200 interface
global (Outside) 100 12.111.128.187 netmask 255.255.255.255
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 200 0.0.0.0 0.0.0.0
nat (DMZ) 200 0.0.0.0 0.0.0.0
static (DMZ,Outside) 12.111.128.189 192.168.4.253 netmask 255.255.255.255
static (Inside,ACS) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (Inside,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (DMZ,Outside) 12.111.128.188 192.168.4.100 netmask 255.255.255.255
static (DMZ,Outside) 12.111.128.187 192.168.4.201 netmask 255.255.255.255
static (DMZ,Outside) 12.111.128.184 192.168.1.239 netmask 255.255.255.255 ********This is the line i try fo the static that kills the internet **************************
access-group Outside_access_in in interface Outside
access-group ALLOW_ALL in interface DMZ
access-group ACSP2P_access_in in interface ACS
route Outside 0.0.0.0 0.0.0.0 12.111.128.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list ApplicationServer "FHKC USERS (Z:)" cifs://192.168.1.240/users
url-list ApplicationServer "FHKC (M:) Drive" cifs://192.168.1.240/FHKC
url-list ApplicationServer "FHKC USERS ( Z: )" cifs://192.168.1.238/users
url-list ApplicationServer "FHKC Intranet" http://192.168.1.233
url-list ApplicationServer "FHKC ( M: ) Drive" cifs://192.168.1.238/FHKC
url-list ApplicationServer "Outlook Web Access" https://192.168.1.239/exchange
aaa-server healthykids.org protocol nt
reactivation-mode timed
max-failed-attempts 5
aaa-server healthykids.org host 192.168.1.230
nt-auth-domain-controller 192.168.1.230
aaa-server fhkc_author_grp protocol ldap
aaa-server fhkc_authent_grp protocol kerberos
aaa-server fhkc_authent_grp host 192.168.1.230
kerberos-realm HEALTHYKIDS.ORG
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry file-access file-entry file-browsing
url-list value ApplicationServer
port-forward-name value Application Access
group-policy FHKCvpn internal
group-policy FHKCvpn attributes
banner value XXXXXXXXXXXXXXXXXXXXXXXXXX
banner value +-------------------------
banner value This system is for authorized users only. Unauthorized access is prohibited,
banner value and violators will be prosecuted. System activity is monitored and keystroke
banner value entries may be monitored. Anyone using the system expressly consents to such monitoring.
banner value --------------------------
wins-server value 192.168.1.230
dns-server value 192.168.1.230 199.44.22.132
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value healthykids.org
webvpn
functions url-entry file-access file-entry file-browsing mapi
url-list value ApplicationServer
XXXXXXXXXXXXXXXXXXXXXXXXXX
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 0.0.0.0 0.0.0.0 management
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
auth-prompt accept Access Granted
auth-prompt reject Access Rejected
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto ca trustpoint my.goDaddy.trustpoint
enrollment terminal
XXXXXXXXXXXXXXXXXXXXXXXXXX
keypair my.goDaddy.key
crl configure
crypto ca certificate chain my.goDaddy.trustpoint
certificate 417ede
30820512 308203fa a0030201 02020341 7ede300d 06092a86 4886f70d 01010505
003081ca 310b3009 06035504 06130255 53311030 0e060355 04081307 4172697a
6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018 06035504
0a131147 6f446164 64792e63 6f6d2c20 496e632e 31333031 06035504 0b132a68
7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63 6f6d2f72
65706f73 69746f72 79313030 2e060355 04031327 476f2044 61646479 20536563
75726520 43657274 69666963 6174696f 6e204175 74686f72 69747931 11300f06
03550405 13083037 39363932 3837301e 170d3037 31303235 32313431 34355a17
0d303831 30323532 31343134 355a3065 311f301d 06035504 0a131677 65627670
6e2e6865 616c7468 796b6964 732e6f72 67312130 1f060355 040b1318 446f6d61
696e2043 6f6e7472 6f6c2056 616c6964 61746564 311f301d 06035504 03131677
65627670 6e2e6865 616c7468 796b6964 732e6f72 6730819f 300d0609 2a864886
f70d0101 01050003 818d0030 81890281 8100ccdc 9127eb50 d914aa4e c6945638
9dfeff30 6985daf2 c5bfc5b8 e60b4525 6f705e63 2d240864 cf1324d3 0752689f
41a774da b5551ba4 66fe37e9 efba3a8e f9d6d65c 73235f92 3733d9f0 a74a0566
3d1882bd 0fb05e8e 516f5f34 65e48046 75586a2c d4730dbf b3c52497 584b1d68
3f138c36 2ebbd312 74648831 897c7012 d5fb0203 010001a3 8201e730 8201e330
09060355 1d130402 3000300b 0603551d 0f040403 0205a030 1d060355 1d250416
30140608 2b060105 05070301 06082b06 01050507 03023056 0603551d 1f044f30
4d304ba0 49a04786 45687474 703a2f2f 63657274 69666963 61746573 2e676f64
61646479 2e636f6d 2f726570 6f736974 6f72792f 676f6461 64647965 7874656e
64656469 73737569 6e672e63 726c3052 0603551d 20044b30 49304706 0b608648
0186fd6d 01071701 30383036 06082b06 01050507 0201162a 68747470 3a2f2f63
65727469 66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f 7369746f
7279307f 06082b06 01050507 01010473 30713023 06082b06 01050507 30018617
68747470 3a2f2f6f 6373702e 676f6461 6464792e 636f6d30 4a06082b 06010505
07300286 3e687474 703a2f2f 63657274 69666963 61746573 2e676f64 61646479
2e636f6d 2f726570 6f736974 6f72792f 67645f69 6e746572 6d656469 6174652e
63727430 1d060355 1d0e0416 04147cf4 05679485 0534d0a6 2d969d27 fe451e0e
88cf301f 0603551d 23041830 168014fd ac613293 6c45d6e2 ee855f9a bae77699
68cce730 3d060355 1d110436 30348216 77656276 706e2e68 65616c74 68796b69
64732e6f 7267821a 7777772e 77656276 706e2e68 65616c74 68796b69 64732e6f
7267300d 06092a86 4886f70d 01010505 00038201 010085a7 51187110 78ab315a
c7a43619 5e00551e ba52d320 0540dcd6 59f9a5ee 908450c2 80d18b07 15f88a39
aea4a696 881a5b1f aa723f3b f1ebd80d d909f9db 37ff1939 44d5adf2 1fdf6801
39d36e13 e3086f0a 257cf26d 3682229b 7a43dbe7 f27e4e2e 2f443cf1 6b14e5e2
04240469 c440bb51 9334b09c 9e26ac50 96c9216b 5ac95a04 a96c1c3c 9989cd56
99927d40 7f92c736 6100baad 165a5da5 56952b73 d524ab2f 66760eaa 65bb1d9d
e5f58a28 c8960b65 9202fdba f7a429d0 4f889f7f 1398a750 954e3db2 ec89578c
e01a9db2 933c40f5 6e8fa7ad 28cc9bcd 28803753 f2f51afb 3958338e dcf35a04
4cd6dd93 e9f33327 f945e6fa 87441066 25e36706 67fc
quit
certificate ca 0301
308204de 308203c6 a0030201 02020203 01300d06 092a8648 86f70d01 01050500
3063310b 30090603 55040613 02555331 21301f06 0355040a 13185468 6520476f
20446164 64792047 726f7570 2c20496e 632e3131 302f0603 55040b13 28476f20
44616464 7920436c 61737320 32204365 72746966 69636174 696f6e20 41757468
6f726974 79301e17 0d303631 31313630 31353433 375a170d 32363131 31363031
35343337 5a3081ca 310b3009 06035504 06130255 53311030 0e060355 04081307
4172697a 6f6e6131 13301106 03550407 130a5363 6f747473 64616c65 311a3018
06035504 0a131147 6f446164 64792e63 6f6d2c20 496e632e 31333031 06035504
0b132a68 7474703a 2f2f6365 72746966 69636174 65732e67 6f646164 64792e63
6f6d2f72 65706f73 69746f72 79313030 2e060355 04031327 476f2044 61646479
20536563 75726520 43657274 69666963 6174696f 6e204175 74686f72 69747931
11300f06 03550405 13083037 39363932 38373082 0122300d 06092a86 4886f70d
01010105 00038201 0f003082 010a0282 010100c4 2dd5158c 9c264cec 3235eb5f
b859015a a6618159 3b7063ab e3dc3dc7 2ab8c933 d379e43a ed3c3023 848eb330
14b6b287 c33d9554 049edf99 dd0b251e 21de6529 7e35a8a9 54ebf6f7 3239d426
5595adef fbfe5886 d79ef400 8d8c2a0c bd4204ce a73f04f6 ee80f2aa ef52a169
66dabe1a ad5dda2c 66ea1a6b bbe51a51 4a002f48 c79875d8 b929c8ee f8666d0a
9cb3f3fc 787ca2f8 a3f2b5c3 f3b97a91 c1a7e625 2e9ca8ed 12656e6a f6124453
703095c3 9c2b582b 3d08744a f2be51b0 bf87d04c 27586bb5 35c59daf 1731f80b
8feead81 36058908 98cf3aaf 2587c049 eaa7fd67 f7458e97 cc1439e2 3685b57e
1a37fd16 f671119a 743016fe 1394a33f 840d4f02 03010001 a3820132 3082012e
301d0603 551d0e04 160414fd ac613293 6c45d6e2 ee855f9a bae77699 68cce730
1f060355 1d230418 30168014 d2c4b0d2 91d44c11 71b361cb 3da1fedd a86ad4e3
30120603 551d1301 01ff0408 30060101 ff020100 30330608 2b060105 05070101
04273025 30230608 2b060105 05073001 86176874 74703a2f 2f6f6373 702e676f
64616464 792e636f 6d304606 03551d1f 043f303d 303ba039 a0378635 68747470
3a2f2f63 65727469 66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f
7369746f 72792f67 64726f6f 742e6372 6c304b06 03551d20 04443042 30400604
551d2000 30383036 06082b06 01050507 0201162a 68747470 3a2f2f63 65727469
66696361 7465732e 676f6461 6464792e 636f6d2f 7265706f 7369746f 7279300e
0603551d 0f0101ff 04040302 0106300d 06092a86 4886f70d 01010505 00038201
0100d286 c0ecbdf9 a1b667ee 660ba206 3a04508e 1572ac4a 749553cb 37cb4449
ef07906b 33d996f0 9456a513 30053c85 32217bc9 c70aa824 a490de46 d3252314
0367c210 d66f0f5d 7b7acc9f c5582ac1 c49e21a8 5af3aca4 46f39ee4 63cb2f90
a4292901 d9722c29 df370127 bc4fee68 d3218fc0 b3e4f509 edd210aa 53b4bef0
cc590bd6 3b961c95 2449dfce ecfda748 9114450e 3a366fda 45b345a2 41c9d4d7
444e3eb9 7476d5a2 13552cc6 87a3b599 ac068487 7f7506fc bf144c0e cc6ec4df
3db71271 f4e8f151 40222849 e01d4b87 a834cc06 a2dd125a d1863664 03356f6f
776eebf2 8550985e ab0353ad 9123631f 169ccdb9 b205633a e1f4681b 17053595 53ee
quit
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group FHKCvpn type ipsec-ra
tunnel-group FHKCvpn general-attributes
address-pool VpnPool
authorization-server-group
default-group-policy FHKCvpn
tunnel-group FHKCvpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 Inside
ssh timeout 60
ssh version 2
console timeout 60
management-access Inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map http
match access-list http-list
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect icmp
inspect http
inspect dns maximum-length 1024
inspect esmtp
class http
set connection advanced-options tmap
policy-map DfltGrpPolicy
!
service-policy global_policy global
tftp-server Inside 192.168.1.49 ASAConfig_04302008.txt
ssl trust-point my.goDaddy.trustpoint
ssl trust-point my.goDaddy.trustpoint Outside
ssl trust-point my.goDaddy.trustpoint Inside
webvpn
enable Outside
title XXXXXXXXXXXXXXXXXXXXXXXXXX
nbns-server 192.168.1.230 master timeout 2 retry 2
authentication-server-grou
smtps
enable DMZ
port 25
server 192.168.4.101
authentication-server-grou
authorization-server-group
default-group-policy DfltGrpPolicy
smtp-server 192.168.1.239
Cryptochecksum:6b1bb2e5b65
: end
ASKER
That was actually a mistake on trying some things and i accidentally left that in there.
I did it the exact way you said to no avail.
Still kills the internet everytime i add a static in for the mail server.
I did it the exact way you said to no avail.
Still kills the internet everytime i add a static in for the mail server.
It might be a problem w/ your NAT statements. Try changing your NAT DMZ and Inside statements to reflect the corresponding internal LAN's.
ASKER
Give me an example of how you are suggesting me to change it
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
first of all, the line that kills the internet :
static (DMZ,Outside) 12.111.128.184 192.168.1.239 netmask 255.255.255.255
should really be:
static (Inside,Outside) 12.111.128.184 192.168.1.239 netmask 255.255.255.255
Please try and let me know.
Regards,
Christophe