• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1656
  • Last Modified:

Cannot access internet through CISCO 2800 Router

I re-configured our router from scratch today, installing a new WAN connection.  I am unable to pass traffic to the internet.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VADER
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXXXXXXXXXXX
enable password XXXXXXXXXXX
!
no aaa new-model
dot11 syslog
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name XXX.XXXX.XXXX
ip name-server 172.16.3.1
ip name-server 4.2.2.2
!
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 password 0 XXXXXXXX
archive
 log config
  hidekeys
! 
!
!
!
!
!
!
interface GigabitEthernet0/0
 description FIBER WAN CONNECTION$ETH-WAN$
 ip address 111.111.111.14 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description CABLE WAN CONNECTION$ETH-WAN$
 ip address 222.222.222.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/2/0
 shutdown
!
interface FastEthernet0/2/1
 shutdown
!
interface FastEthernet0/2/2
 shutdown
!
interface FastEthernet0/2/3
 shutdown
!
interface FastEthernet0/3/0
 description CONNECTION TO YODA$ETH-LAN$
 ip address 10.1.1.10 255.255.255.252
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no mop enabled
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/1
 network 10.0.0.0
 network 172.16.0.0
 network 172.17.0.0
 network 172.18.0.0
 network 172.19.0.0
 network 172.29.0.0
 network 172.30.0.0
 network 172.31.0.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 111.111.111.1 permanent
ip route 10.0.0.0 255.0.0.0 10.1.1.9
ip route 111.111.111.2 255.255.255.255 10.1.1.9
ip route 111.111.111.3 255.255.255.255 10.1.1.9
ip route 111.111.111.4 255.255.255.255 10.1.1.9
ip route 111.111.111.5 255.255.255.255 10.1.1.9
ip route 111.111.111.6 255.255.255.255 10.1.1.9
ip route 111.111.111.7 255.255.255.255 10.1.1.9
ip route 111.111.111.8 255.255.255.255 10.1.1.9
ip route 111.111.111.9 255.255.255.255 10.1.1.9
ip route 111.111.111.10 255.255.255.255 10.1.1.9
ip route 111.111.111.11 255.255.255.255 10.1.1.9
ip route 111.111.111.12 255.255.255.255 10.1.1.9
ip route 111.111.111.13 255.255.255.255 10.1.1.9
ip route 172.16.0.0 255.255.0.0 10.1.1.9
!
!
ip http server
ip http access-class 2
no ip http secure-server
ip nat pool FIBER_POOL 111.111.111.2 111.111.111.14 netmask 255.255.255.240
ip nat inside source list 1 pool FIBER_POOL
ip nat inside source list 10 pool FIBER_POOL
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.8 0.0.0.3
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 10 remark NAT
access-list 10 remark SDM_ACL Category=2
access-list 10 permit 172.0.0.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq telnet
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 22
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq www
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 443
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq cmd
access-list 100 deny   tcp any host 10.1.1.10 eq telnet
access-list 100 deny   tcp any host 10.1.1.10 eq 22
access-list 100 deny   tcp any host 10.1.1.10 eq www
access-list 100 deny   tcp any host 10.1.1.10 eq 443
access-list 100 deny   tcp any host 10.1.1.10 eq cmd
access-list 100 deny   udp any host 10.1.1.10 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 101 in
 password XXXXXX
 login
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
!
end

Asked by: jeremymjackson

2 Solutions

ciscoml320 commented:
hi:
if you apply the following:

"interface FastEthernet0/3/0
 no ip access-group 100 in"

are you then able to pass traffic? I think the problem may be related to access-list 100.
Do try removing it and see if traffic can flow with no ACLs applied. If you can pass traffic, then we can work on fine-tuning your ACL to fit what you're trying to accomplish.
If you are still unable to pass traffic, post the "sh ip nat translations" output as you're trying to pass traffic.

jeremymjackson (Author) commented:
Done.  Still unable to pass traffic.

My ultimate goal is to Pass all Web traffic 80, 443, etc out GigabitEthernet0/1 and Everything else out GigabitEthernet0/0.

However, I would like to at least get the router passing traffic first.

I ran "sh ip nat translations" while trying to access the web and the result was blank.

ciscoml320 commented:
Actually, some more thoughts on this:
1. What kind of device is "10.1.1.9"? A firewall? Another router?
2. Do you really need this route: "ip route 10.0.0.0 255.0.0.0 10.1.1.9" (since 10.1.1.8/30 is a "connected" network on that router)? Do you actually have other subnets on your inside network that fall in the 10.0.0.0/8 range? If so, add more specific routes to them.
3. Depending on your answer to question 1 above, we can determine whether you need the following:
access-list 1 permit 10.1.1.8 0.0.0.3
ip nat inside source list 1 pool FIBER_POOL
4. Also, it may be easier to NAT all your internal hosts behind a single public IP and create static entries for hosts that actually need it, eliminating the potential issue with unavailable IPs left in the pool.

jeremymjackson (Author) commented:
1: It is a Cisco ASA 5510 firewall.
2: No, thank you. Removed.
4: I do my forwarding at the ASA 5510. I forward all my external addresses to 10.1.1.9, and from there I can direct certain IPs to certain devices on the DMZ.

jeremymjackson (Author) commented:
Update.

here are my NAT Translations.

Pro Inside global         Inside local          Outside local         Outside global
udp 24.181.250.7:1026     10.1.1.10:1026        60.222.224.137:38551  60.222.224.137:38551
udp 24.181.250.7:1027     10.1.1.10:1027        60.222.224.137:38551  60.222.224.137:38551
udp 24.181.250.7:1026     10.1.1.10:1026        202.97.238.234:46037  202.97.238.234:46037
--- 24.181.250.7          10.1.1.10             ---                   ---
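
Added example, not part of the thread: a small parser for the "sh ip nat translations" output that ciscoml320 asked for. It groups the table by inside-local host and separates translations the router originates itself from transit traffic, which is the question a blank or near-blank table raises. The embedded table is constructed from the rows posted above; the addresses in ROUTER_ADDRESSES are taken from the posted router config and are an assumption of the demo, as are all function names.

```python
"""Added example: summarise 'show ip nat translations' to see which inside hosts actually get translated."""
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of the table posted above (rows copied from it).
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
udp 24.181.250.7:1026     10.1.1.10:1026        60.222.224.137:38551  60.222.224.137:38551
udp 24.181.250.7:1027     10.1.1.10:1027        60.222.224.137:38551  60.222.224.137:38551
udp 24.181.250.7:1026     10.1.1.10:1026        202.97.238.234:46037  202.97.238.234:46037
--- 24.181.250.7          10.1.1.10             ---                   ---
"""
# Assumed for the demo: the router's own addresses, taken from the posted config, so that
# translations the router originates itself can be told apart from transit traffic.
ROUTER_ADDRESSES = {"10.1.1.10", "111.111.111.14"}


def split_endpoint(field):
    """'a.b.c.d:port' -> (IPv4Address, port); bare address -> (addr, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    host, _, port = field.partition(":")
    return ipaddress.ip_address(host), (int(port) if port else None)


def parse_translations(text):
    """Parse the five-column table into dicts; a '---' protocol marks an address-only entry."""
    entries = []
    for line in text.splitlines():
        w = line.split()
        if len(w) != 5:  # skips the header (9 words) and blank lines
            continue
        proto, ig, il, ol, og = w
        entries.append({"proto": None if proto == "---" else proto,
                        "inside_global": split_endpoint(ig), "inside_local": split_endpoint(il),
                        "outside_local": split_endpoint(ol), "outside_global": split_endpoint(og)})
    return entries


def summarize(entries, router_addresses=ROUTER_ADDRESSES):
    """Per inside-local host: port-level (PAT) entry count, inside-global addresses used, router-self flag."""
    hosts = defaultdict(lambda: {"pat_entries": 0, "globals": set(), "router_self": False})
    for e in entries:
        host = str(e["inside_local"][0])
        rec = hosts[host]
        rec["globals"].add(str(e["inside_global"][0]))
        rec["router_self"] = host in router_addresses
        if e["proto"]:
            rec["pat_entries"] += 1
    return dict(hosts)


def transit_hosts(summary):
    """Inside hosts that are not the router itself; if empty, nothing behind the router is being NATed."""
    return sorted(h for h, rec in summary.items() if not rec["router_self"])


if __name__ == "__main__":
    summary = summarize(parse_translations(SAMPLE_OUTPUT))
    for host, rec in summary.items():
        kind = "router itself" if rec["router_self"] else "transit"
        print(host, kind, rec["pat_entries"], sorted(rec["globals"]))
    print("transit hosts:", transit_hosts(summary) or "none")
```

On the posted rows every entry has inside local 10.1.1.10, which is the router's own FastEthernet0/3/0 address, so transit_hosts() comes back empty: at that moment the router was translating traffic it sourced itself, and nothing arriving from the ASA at 10.1.1.9. The address-only row (protocol "---") is reported separately from the port-level rows.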

ciscoml320 commented:
OK, does this reflect your topology, more or less?
Couple thoughts on this.
1. I am assuming your ASA is configured to NAT/PAT all your internal networks as 10.1.1.10; in which case, your router will never see any internal hosts with their original 172.16.0.0 IPs...so, you do not need to "ip route 172.16.0.0 255.255.0.0 10.1.1.9"
2. I am also assuming on your asa, you have "route outside 0.0.0.0 0.0.0.0 10.1.1.9"...if so, are you able to successfully ping external host from the ASA itself?
3. based on #1 above, you do not need this "ip nat inside source list 10 pool FIBER_POOL"
4. update your NAT configuration as follows:

ip nat pool FIBER_POOL 111.111.111.2 111.111.111.2 netmask 255.255.255.255
ip nat inside source list 1 pool FIBER_POOL overload
access-list 1 permit 10.1.1.8 0.0.0.3

At this point you should have basic NAT outbound, all as the .2 IP address, coming from the 10.1.1.9 IP.

let me know how you make out with this.  
Then we'll address the other host routes you have for the public IPs pointing to the firewall (there is another way you can accomplish the same without routing). I will also address the RIP on the router; based on assumption 1 above, you do not need that either.
(attached: PolicyRouting.jpg)
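
The two ciscoml320 posts above amount to a consistency check between four things: which interfaces are "ip nat inside" and "ip nat outside", which static routes point back through the inside interface at the ASA, which standard ACLs the "ip nat inside source list" rules name, and what the pool looks like. As an added example (not from the thread, and not Cisco's tooling), here is a script that runs that check over an IOS config. SAMPLE_CONFIG is constructed by trimming the first router config posted in the question; FIXED_CONFIG is constructed from it by applying the single-address "overload" change from the post above; the function names and finding texts are my own.

```python
"""Added example: static consistency check of IOS dynamic NAT (interfaces, routes, ACLs, pool)."""
import ipaddress
import re
# Constructed sample, trimmed from the first router config posted in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 111.111.111.14 255.255.255.240
 ip nat outside
!
interface FastEthernet0/3/0
 ip address 10.1.1.10 255.255.255.252
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 111.111.111.1 permanent
ip route 172.16.0.0 255.255.0.0 10.1.1.9
ip nat pool FIBER_POOL 111.111.111.2 111.111.111.14 netmask 255.255.255.240
ip nat inside source list 1 pool FIBER_POOL
ip nat inside source list 10 pool FIBER_POOL
access-list 1 permit 10.1.1.8 0.0.0.3
access-list 10 permit 172.0.0.0 0.0.0.255
"""
# Constructed: same interfaces and default route, with the single-address 'overload' NAT from the post above.
FIXED_CONFIG = SAMPLE_CONFIG.split("ip route 172.16.0.0")[0] + """\
ip nat pool FIBER_POOL 111.111.111.2 111.111.111.2 netmask 255.255.255.255
ip nat inside source list 1 pool FIBER_POOL overload
access-list 1 permit 10.1.1.8 0.0.0.3
"""

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network; a wildcard is the bitwise inverse of a mask."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # ValueError on a non-contiguous wildcard

def parse_config(text):
    cfg = {"ifaces": {}, "routes": [], "pools": {}, "nat": [], "acls": {}}
    cur = None
    for line in text.splitlines():
        if not line.startswith(" "):
            cur = None  # interface sub-commands are indented; any other line ends the interface block
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            cfg["ifaces"][cur] = {"ip": None, "nat": None}
        elif cur:
            w = line.split()
            if w[:2] == ["ip", "address"] and len(w) >= 4:
                cfg["ifaces"][cur]["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            elif w[:2] == ["ip", "nat"]:
                cfg["ifaces"][cur]["nat"] = w[2]  # 'inside' or 'outside'
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            nh = ipaddress.ip_address(m[3]) if m[3][0].isdigit() else None  # None: next hop is an interface
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), nh))
        elif m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"ip nat inside source list (\S+) pool (\S+)( overload)?", line):
            cfg["nat"].append((m[1], m[2], bool(m[3])))
        elif (m := re.match(r"access-list (\d+) permit (.+)", line)) and int(m[1]) < 100:
            w = m[2].split()  # standard ACL entry: 'A [wildcard]' or 'host A' ('any' is not modelled)
            if w[0] == "host":
                w = [w[1]]
            net = wildcard_to_network(w[0], w[1] if len(w) > 1 else "0.0.0.0")
            cfg["acls"].setdefault(m[1], []).append(net)
    return cfg

def audit_nat(cfg):
    """Return findings; an empty list means interfaces, routes, ACLs and pool agree."""
    findings, ifaces = [], cfg["ifaces"]
    inside = [i for i in ifaces.values() if i["nat"] == "inside" and i["ip"]]
    if not inside or not any(i["nat"] == "outside" and i["ip"] for i in ifaces.values()):
        findings.append("need an addressed 'ip nat inside' interface and an 'ip nat outside' interface")
    # Inside sources: each inside interface's connected subnet plus every non-default static route
    # whose next hop (the ASA, in this thread) sits on one of those subnets.
    connected = [i["ip"].network for i in inside]
    inside_nets = connected + [net for net, nh in cfg["routes"]
                               if nh and net.prefixlen and any(nh in c for c in connected)]
    permitted = []  # (acl, network) for every entry of every NAT-referenced ACL
    for acl, pool, overload in cfg["nat"]:
        if acl in cfg["acls"]:
            permitted += [(acl, n) for n in cfg["acls"][acl]]
        else:
            findings.append(f"NAT rule uses access-list {acl}, which has no permit entries")
        if pool not in cfg["pools"]:
            findings.append(f"NAT rule uses pool {pool}, which is not defined")
        elif not overload:
            lo, hi = cfg["pools"][pool]
            findings.append(f"list {acl} -> pool {pool} has no 'overload': at most "
                            f"{int(hi) - int(lo) + 1} inside host(s) can hold a translation at once")
    for pool, (lo, hi) in cfg["pools"].items():
        for name, i in ifaces.items():
            if i["ip"] and lo <= i["ip"].ip <= hi:
                findings.append(f"pool {pool} includes {i['ip'].ip}, the address of {name}")
    for net in inside_nets:
        if not any(net.overlaps(p) for _, p in permitted):
            findings.append(f"inside prefix {net} matches no NAT ACL: it is forwarded out untranslated")
    return findings

if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_nat(parse_config(text)) or ["no findings"])
```

Run as is, it reports for the posted config that the pool includes 111.111.111.14 (the GigabitEthernet0/0 address), that neither rule has "overload" (so at most 13 inside hosts hold a translation at once, and once the pool is cut to one address, one host), and that 172.16.0.0/16, reached via 10.1.1.9, is matched by neither ACL 1 nor ACL 10's 172.0.0.0/24. That last finding is the security-relevant one: an inside prefix that no NAT ACL matches is not dropped, it is routed out the WAN with its private source address intact. For FIXED_CONFIG the list is empty. The check only models standard ACLs with contiguous wildcards and pool-based NAT without route-maps; anything else it ignores.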

jeremymjackson (Author) commented:
Thanks for all the support!

Yes, this diagram is accurate. The DMZ is 172.31.0.0/16 and FW1 inside is 172.16.0.0.

I am able to ping 69.147.76.15 (yahoos web server) from both the Router and ASA.

I am able to reach the router's outside interface on the fiber side, 111.111.111.2, from outside.

I have attached an updated copy of the router config and the ASA config.
********************************************************
BEGIN ROUTER CONFIG
*******************************************************
!----------------------------------------------------------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VADER
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 5 XXXXXXXXXXXXX
enable password XXXXXXXXXXX
!
no aaa new-model
dot11 syslog
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name XXXXXXXXXXXXXX
ip name-server 172.16.3.1
ip name-server 4.2.2.2
!
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 password 0 XXXXXXXX
archive
 log config
  hidekeys
! 
!
!
!
!
!
!
interface GigabitEthernet0/0
 description FIBER WAN CONNECTION$ETH-WAN$
 ip address 111.111.111.14 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description CABLE WAN CONNECTION$ETH-WAN$
 ip address 222.222.222.253 255.255.255.248
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/2/0
 shutdown
!
interface FastEthernet0/2/1
 shutdown
!
interface FastEthernet0/2/2
 shutdown
!
interface FastEthernet0/2/3
 shutdown
!
interface FastEthernet0/3/0
 description CONNECTION TO YODA$ETH-LAN$
 ip address 10.1.1.10 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no mop enabled
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/1
 network 10.0.0.0
 network 172.16.0.0
 network 172.17.0.0
 network 172.18.0.0
 network 172.19.0.0
 network 172.29.0.0
 network 172.30.0.0
 network 172.31.0.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.181.250.1 permanent
ip route 111.111.111.2 255.255.255.255 10.1.1.9
ip route 111.111.111.3 255.255.255.255 10.1.1.9
ip route 111.111.111.4 255.255.255.255 10.1.1.9
ip route 111.111.111.5 255.255.255.255 10.1.1.9
ip route 111.111.111.6 255.255.255.255 10.1.1.9
ip route 111.111.111.7 255.255.255.255 10.1.1.9
ip route 111.111.111.8 255.255.255.255 10.1.1.9
ip route 111.111.111.9 255.255.255.255 10.1.1.9
ip route 111.111.111.10 255.255.255.255 10.1.1.9
ip route 111.111.111.11 255.255.255.255 10.1.1.9
ip route 111.111.111.12 255.255.255.255 10.1.1.9
ip route 111.111.111.13 255.255.255.255 10.1.1.9
!
!
ip http server
ip http access-class 3
no ip http secure-server
ip nat pool FIBER_POOL 111.111.111.2 111.111.111.2 netmask 255.255.255.255
ip nat inside source list 1 pool FIBER_POOL overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.8 0.0.0.3
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 172.16.0.0 0.0.255.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 172.16.3.1 eq domain any
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq telnet
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 22
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq www
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 443
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq cmd
access-list 100 deny   tcp any host 10.1.1.10 eq telnet
access-list 100 deny   tcp any host 10.1.1.10 eq 22
access-list 100 deny   tcp any host 10.1.1.10 eq www
access-list 100 deny   tcp any host 10.1.1.10 eq 443
access-list 100 deny   tcp any host 10.1.1.10 eq cmd
access-list 100 deny   udp any host 10.1.1.10 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 101 in
 password XXXXXXXXXXXXXXX
 login
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
!
end
 
********************************************************
END ROUTER CONFIG
*******************************************************
********************************************************
BEGIN ASA CONFIG
*******************************************************
: Saved
:
ASA Version 8.0(3) 
!
hostname YODA
enable password fZQupi8v.T5XHE8Y encrypted
multicast-routing
names
name 172.31.0.0 DMZ
name 172.16.0.0 PRODUCTION
name 172.30.0.0 VPN
name 10.1.4.0 MPL911
name 172.31.3.33 SPF01
name 172.31.3.34 SRES01
name 172.31.3.40 SRHD01
name 172.31.3.13 SRNASFTP
name 172.31.3.36 SRRA01
name 172.16.3.17 SRSQLSB01
name 172.31.3.6 SRTS02
name XXXXXXXXX VT911_MPL
name XXXXXXXXXXXX VERIZON_NETS
name 172.30.1.0 VPN_SUBNET
name 192.192.192.0 PRODUCTION_WORKSTATIONS_GENERAL
name 192.192.191.0 PRODUCTION_WORKSTATIONS_OPS
name 10.65.0.0 WILLISTON
name 10.66.0.0 DERBY
name 10.67.0.0 ROCKINGHAM
name 10.68.0.0 RUTLAND
name 10.97.0.0 SPRINGFIELD_PD
name 10.98.0.0 ST_ALBANS_PD
name 10.99.0.0 HARTFORD_PD
name 10.100.0.0 LAMOILLE_PD
name 10.101.0.0 MONTPELIER_PD
name 10.224.0.0 MONTPELIER_BOARD
name 10.32.4.0 SAINT_JOHNS
name 10.96.0.0 LOCAL_PSAP
name 172.17.0.0 QALAB
name 172.31.3.44 SRBES01
name 172.31.3.51 SRWEB08
!
interface Ethernet0/0
 description CONNECTION_TO_LUKE
 nameif INSIDE
 security-level 100
 ip address 10.1.1.6 255.255.255.252 
!
interface Ethernet0/1
 description CONNECTION_TO_DMZ
 nameif DMZ
 security-level 50
 ip address 172.31.1.1 255.255.0.0 
!
interface Ethernet0/2
 description CONNECTION_TO_CSC-SSM
 nameif CSC-SSM
 security-level 0
 ip address 10.3.1.1 255.255.255.252 
!
interface Ethernet0/3
 description CONNECTION_TO_VADER
 nameif OUTSIDE
 security-level 0
 ip address 10.1.1.9 255.255.255.252 
!
interface Management0/0
 description MANAGEMENT
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd XXXXXXXXXX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup INSIDE
dns domain-lookup DMZ
dns domain-lookup CSC-SSM
dns domain-lookup OUTSIDE
dns server-group DNS_SERVERS
 name-server 172.16.3.1
 name-server 172.16.3.3
 domain-name XXXXXXXXXXXXXXXXXXXXXX
dns-group DNS_SERVERS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network VPNPOOL
 network-object VPN_SUBNET 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service dhcp tcp-udp
 port-object range 67 68
object-group service VPN tcp-udp
 port-object eq 500
 port-object eq 10000
 port-object eq 7777
object-group network DM_INLINE_NETWORK_3
 network-object VERIZON_NETS 255.255.255.248
 network-object host ZXXXXXXXXXXXXXXXXXXXXXXX
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object gre 
 service-object esp 
 service-object udp eq isakmp 
 service-object ah 
object-group service DM_INLINE_SERVICE_2
 service-object gre 
 service-object esp 
 service-object udp eq isakmp 
 service-object ah 
object-group network DM_INLINE_NETWORK_7
 network-object PRODUCTION 255.255.0.0
 network-object VPN_SUBNET 255.255.255.0
object-group service ALTIGEN_TCP tcp
 port-object range 10025 10050
 port-object eq 10064
 port-object range 49152 49220
 port-object eq 69
 port-object eq h323
object-group service ALTIGEN_UDP udp
 port-object eq 10060
 port-object range 49152 49220
 port-object eq sip
object-group network INTERNAL_INSPECT_ADDRESSES
 network-object PRODUCTION_WORKSTATIONS_OPS 255.255.255.0
 network-object PRODUCTION_WORKSTATIONS_GENERAL 255.255.255.0
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group network MONTPELIER_911_SUBNETS
 XXXXXXXXXXXXXXX
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service SMTP_ALL tcp
 port-object eq 587
 port-object eq smtp
object-group network DM_INLINE_NETWORK_5
 network-object host SRES01
 network-object host SRBES01
 network-object host SRWEB08
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_6 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_SERVICE_3
 service-object tcp-udp eq www 
 service-object tcp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq domain
 port-object eq kerberos
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq 135 
 service-object tcp eq 137 
 service-object tcp eq 3268 
 service-object tcp eq 445 
 service-object tcp eq 88 
 service-object tcp eq ldap 
 service-object udp eq 389 
 service-object udp eq netbios-ns 
object-group service DM_INLINE_SERVICE_5
 service-object tcp eq www 
 service-object udp eq ntp 
object-group service UDP6001-6194 udp
 port-object range 6004 6194
object-group service DM_INLINE_TCP_7 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list OUTSIDE_access_in extended permit ip any any log disable inactive 
access-list OUTSIDE_access_in remark ALLOW VPN SUBNET ANYWHERE
access-list OUTSIDE_access_in extended permit ip VPN_SUBNET 255.255.255.0 any 
access-list OUTSIDE_access_in extended permit tcp any host 24.181.250.2 object-group DM_INLINE_TCP_5 log disable 
access-list OUTSIDE_access_in extended permit tcp any host 24.181.250.3 object-group DM_INLINE_TCP_6 log disable 
access-list OUTSIDE_access_in extended permit object-group TCPUDP any host 24.181.250.10 object-group VPN 
access-list OUTSIDE_access_in extended permit tcp any host 24.181.250.2 object-group SMTP_ALL log disable 
access-list OUTSIDE_access_in extended permit tcp any host SRES01 object-group DM_INLINE_TCP_3 log disable 
access-list OUTSIDE_access_in extended permit tcp any host SRRA01 object-group DM_INLINE_TCP_4 log disable 
access-list OUTSIDE_access_in extended permit tcp any host SPF01 object-group SMTP_ALL log disable 
access-list OUTSIDE_access_in extended permit tcp any host SRNASFTP object-group DM_INLINE_TCP_7 
access-list OUTSIDE_access_in extended permit icmp any any inactive 
access-list OUTSIDE_access_in extended permit object-group TCPUDP any any object-group VPN 
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_2 any any 
access-list OUTSIDE_access_in extended deny ip any any log debugging 
access-list INSIDE_access_in extended permit udp any any eq sip log debugging 
access-list INSIDE_access_in extended permit icmp any any 
access-list INSIDE_access_in extended permit object-group TCPUDP any any log debugging 
access-list INSIDE_access_in extended permit object-group TCPUDP any any object-group VPN 
access-list INSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
access-list INSIDE_access_in extended permit ip object-group DM_INLINE_NETWORK_7 DMZ 255.255.0.0 
access-list INSIDE_nat0_outbound extended permit ip any 10.3.1.0 255.255.255.252 
access-list global_mpc extended permit tcp object-group INTERNAL_INSPECT_ADDRESSES any object-group DM_INLINE_TCP_1 inactive 
access-list DRXDRX_splitTunnelAcl standard permit PRODUCTION 255.255.0.0 
access-list DRXDRX_splitTunnelAcl standard permit DMZ 255.255.0.0 
access-list DRXDRX_splitTunnelAcl standard permit VPN_SUBNET 255.255.255.0 
access-list DRXDRX_splitTunnelAcl standard permit QALAB 255.255.0.0 
access-list inside_nat0_outbound extended permit ip PRODUCTION 255.255.0.0 VPN_SUBNET 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.4 255.255.255.252 10.3.1.0 255.255.255.252 
access-list inside_nat0_outbound extended permit ip any DMZ 255.255.0.0 
access-list inside_nat0_outbound extended permit ip VERIZON_NETS 255.255.255.248 10.1.1.8 255.255.255.252 
access-list inside_nat0_outbound extended permit ip PRODUCTION 255.255.0.0 10.0.0.0 255.0.0.0 
access-list outside_cryptomap extended permit ip any VPN_SUBNET 255.255.255.0 
access-list outside_cryptomap_20.20 extended permit ip any object-group VPNPOOL 
access-list OUTSIDE_nat0_outbound extended permit ip any VERIZON_NETS 255.255.255.248 
access-list OUTSIDE_nat0_outbound extended permit ip 10.1.1.8 255.255.255.252 any 
access-list DMZ_nat0_outbound extended permit ip DMZ 255.255.0.0 PRODUCTION 255.255.0.0 
access-list DMZ_access_in extended permit ip DMZ 255.255.0.0 any log disable 
access-list DMZ_access_in remark ALLOW ANYTHING FROM DMZ TO VPN_SUBNET
access-list DMZ_access_in extended permit ip DMZ 255.255.0.0 VPN_SUBNET 255.255.255.0 log disable inactive 
access-list DMZ_access_in extended permit object-group TCPUDP DMZ 255.255.0.0 PRODUCTION 255.255.0.0 object-group dhcp log disable inactive 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_5 host SPF01 any inactive 
access-list DMZ_access_in extended permit tcp host SRES01 any eq smtp log disable inactive 
access-list DMZ_access_in extended permit ip host SRES01 any log disable inactive 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 DMZ 255.255.0.0 PRODUCTION 255.255.0.0 log disable inactive 
access-list DMZ_access_in extended permit object-group TCPUDP DMZ 255.255.0.0 any object-group DM_INLINE_TCPUDP_1 log disable inactive 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 host SRES01 any log disable inactive 
access-list DMZ_access_in extended permit udp host SRES01 any object-group UDP6001-6194 inactive 
access-list DMZ_access_in extended permit udp host SRES01 any eq 1899 inactive 
access-list DMZ_access_in extended permit object-group TCPUDP host SRRA01 host 64.222.71.25 eq www inactive 
access-list DMZ_access_in extended permit ip any host 64.222.71.29 inactive 
access-list DMZ_access_in extended permit tcp any DMZ 255.255.0.0 eq domain log disable inactive 
access-list DMZ_access_in extended permit object-group TCPUDP any host SRES01 eq www inactive 
access-list DMZ_access_in extended permit ip any host SRES01 inactive 
access-list DMZ_access_in extended deny ip any any log debugging 
access-list OUTSIDE_nat_static extended permit object-group TCPUDP host 111.111.111.10 object-group VPN any object-group VPN 
access-list acl-out extended permit object-group TCPUDP any object-group VPN host 111.111.111.10 object-group VPN 
access-list OUTSIDE_nat0_outbound_1 extended permit ip any host 111.111.111.14 
access-list CSC-SSM_access_in extended permit ip host 10.3.1.2 any 
access-list LAN2LAN_NAT0 extended permit ip PRODUCTION 255.255.0.0 object-group MONTPELIER_911_SUBNETS 
access-list OUTSIDE_access_out extended permit tcp object-group DM_INLINE_NETWORK_5 any object-group SMTP_ALL log disable 
access-list OUTSIDE_access_out extended deny tcp any any object-group SMTP_ALL log disable 
access-list OUTSIDE_access_out extended permit ip any any 
access-list OUTSIDE_access_out extended deny ip any any log debugging 
access-list DMZ_access_out extended permit ip any any log disable 
access-list DMZ_access_out extended deny ip any any log debugging 
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm informational
logging debug-trace
mtu INSIDE 1500
mtu DMZ 1500
mtu CSC-SSM 1500
mtu OUTSIDE 1500
mtu management 1500
ip local pool vpnpool VPN_SUBNET-172.30.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
icmp permit any DMZ
icmp permit any CSC-SSM
icmp permit any OUTSIDE
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (INSIDE) 1 10.1.1.9 netmask 255.0.0.0
global (OUTSIDE) 1 10.1.1.13
nat (INSIDE) 0 access-list inside_nat0_outbound
nat (INSIDE) 1 10.0.0.0 255.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound outside
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound_1 outside
static (OUTSIDE,INSIDE) udp 10.1.1.4 sip 10.1.1.8 sip netmask 255.255.255.252 
static (DMZ,OUTSIDE) tcp 111.111.111.2 smtp SPF01 smtp netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.3 www SRRA01 www netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.3 ftp-data SRNASFTP ftp-data netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.3 ftp SRNASFTP ftp netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.4 www SRHD01 www netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.2 www SRES01 www netmask 255.255.255.255  norandomseq
static (DMZ,OUTSIDE) tcp 111.111.111.2 https SRES01 https netmask 255.255.255.255  norandomseq
static (DMZ,OUTSIDE) tcp 111.111.111.2 imap4 SRES01 imap4 netmask 255.255.255.255 
static (INSIDE,OUTSIDE) tcp 111.111.111.13 www SRSQLSB01 www netmask 255.255.255.255 
static (INSIDE,OUTSIDE) tcp 111.111.111.13 https SRSQLSB01 https netmask 255.255.255.255 
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group CSC-SSM_access_in in interface CSC-SSM
access-group OUTSIDE_access_in in interface OUTSIDE
access-group OUTSIDE_access_out out interface OUTSIDE
!
router rip
 network 10.0.0.0
 network PRODUCTION
 network QALAB
 network 172.18.0.0
 network 172.19.0.0
 network 172.29.0.0
 network VPN
 network DMZ
 redistribute connected metric transparent
 version 2
!
route OUTSIDE 0.0.0.0 0.0.0.0 10.1.1.10 1
route INSIDE PRODUCTION 255.255.0.0 10.1.1.5 1
route DMZ DMZ 255.255.0.0 172.31.255.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server MD_RAD_SVR-GRP protocol radius
aaa-server MD_RAD_SVR-GRP host 172.16.3.3
 key cisco
aaa-server MD_RAD_SVR_VPN protocol radius
aaa-server MD_RAD_SVR_VPN host 172.16.3.3
 key cisco
aaa authentication enable console MD_RAD_SVR-GRP LOCAL
aaa authentication http console MD_RAD_SVR-GRP LOCAL
aaa authentication serial console MD_RAD_SVR-GRP LOCAL
aaa authentication ssh console MD_RAD_SVR-GRP LOCAL
aaa authentication telnet console MD_RAD_SVR-GRP LOCAL
aaa authorization command LOCAL 
http server enable
http PRODUCTION 255.255.0.0 INSIDE
http 10.1.1.0 255.255.255.0 INSIDE
http 192.168.1.0 255.255.255.0 management
snmp-server host INSIDE 172.16.10.3 community MD911 version 2c
snmp-server location MD SERVER ROOM
snmp-server contact JXXXXXXXXXX
snmp-server community MD911
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface OUTSIDE
crypto isakmp identity address 
crypto isakmp enable CSC-SSM
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet PRODUCTION 255.255.0.0 INSIDE
telnet timeout 5
ssh PRODUCTION 255.255.0.0 INSIDE
ssh 208.153.78.0 255.255.255.0 OUTSIDE
ssh timeout 5
console timeout 0
management-access INSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 172.16.3.1 INSIDE
dhcprelay enable DMZ
dhcprelay timeout 60
vpn load-balancing 
 interface lbpublic CSC-SSM
 interface lbprivate CSC-SSM
threat-detection basic-threat
threat-detection statistics
tftp-server INSIDE 172.16.3.3 c:\tftp-root\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy DRXDRX internal
group-policy DRXDRX attributes
 dns-server value 172.16.3.1 172.16.3.3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DRXDRX_splitTunnelAcl
username admin password XXXXXXXXXXXX encrypted privilege 15
tunnel-group DRXDRX type remote-access
tunnel-group DRXDRX general-attributes
 address-pool vpnpool
 authentication-server-group MD_RAD_SVR_VPN LOCAL
 default-group-policy DRXDRX
tunnel-group DRXDRX ipsec-attributes
 pre-shared-key *
tunnel-group 170.222.91.2 type ipsec-l2l
tunnel-group 170.222.91.2 ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match access-list global_mpc
class-map INSPECTION_DEFAULT
 match default-inspection-traffic
!
!
policy-map global_policy
 class global-class
  csc fail-close
  inspect sip  
 class INSPECTION_DEFAULT
  inspect pptp 
  inspect ipsec-pass-thru 
  inspect ftp 
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
Cryptochecksum:be21da7360c86a7adca6afe8f743681c
: end
asdm image disk0:/asdm-611.bin
asdm location VERIZON_NETS 255.255.255.248 INSIDE
asdm location MPL911 255.255.255.0 INSIDE
asdm location PRODUCTION_WORKSTATIONS_OPS 255.255.255.0 INSIDE
asdm location QALAB 255.255.0.0 INSIDE
asdm location SRBES01 255.255.255.255 INSIDE
asdm location SRWEB08 255.255.255.255 INSIDE
no asdm history enable
********************************************************
END ASA CONFIG
*******************************************************


0
 
ciscoml320 commented:
***** BASED ON THESE *********
interface Ethernet0/3
 description CONNECTION_TO_VADER
 nameif OUTSIDE
 security-level 0
 ip address 10.1.1.9 255.255.255.252
!
!
interface Ethernet0/0
 description CONNECTION_TO_LUKE
 nameif INSIDE
 security-level 100
 ip address 10.1.1.6 255.255.255.252
!

*******************************
See comments.

global (INSIDE) 1 10.1.1.9 netmask 255.0.0.0
!Looks like you're Globaling your OUTSIDE IP on the INSIDE.
!I'd remove this for starters.


global (OUTSIDE) 1 10.1.1.13
!The ABOVE is an incorrect Global - it should fall under the same range as the
!OUTSIDE interface (eth0/3).

!Changing that to the following should perhaps yield some positive results:
global (OUTSIDE) 1 10.1.1.9
0
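The mismatch ciscoml320 points out (a global that reuses another interface's address, and a global outside its own interface's subnet) is the kind of thing worth checking mechanically before pasting a config. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the `interface`/`nameif`/`ip address` stanzas and the `global (NAME) id addr` statements of a pre-8.3 style ASA configuration and reports each global whose address is not inside its interface's subnet or belongs to a different interface. The embedded configuration is constructed from the lines quoted in the comment above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the two interface stanzas and the two global statements
# quoted in the comment above (not the full ASA config).
SAMPLE_CONFIG = """\
interface Ethernet0/3
 description CONNECTION_TO_VADER
 nameif OUTSIDE
 security-level 0
 ip address 10.1.1.9 255.255.255.252
!
interface Ethernet0/0
 description CONNECTION_TO_LUKE
 nameif INSIDE
 security-level 100
 ip address 10.1.1.6 255.255.255.252
!
global (INSIDE) 1 10.1.1.9 netmask 255.0.0.0
global (OUTSIDE) 1 10.1.1.13
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)(?: netmask (\S+))?$")


def parse_interfaces(config):
    """Map nameif -> IPv4Interface (address plus mask) from the interface stanzas."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name, addr = None, None          # new stanza: forget the previous one
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        if name and addr:
            ifaces[name] = addr
    return ifaces


def parse_globals(config):
    """Return one dict per 'global (NAME) id addr [netmask M]' line."""
    out = []
    for line in config.splitlines():
        if m := GLOBAL_RE.match(line.strip()):
            out.append({"line": line.strip(), "nameif": m.group(1),
                        "id": int(m.group(2)), "addr": m.group(3), "mask": m.group(4)})
    return out


def check_globals(config):
    """Return (global line, reason) for every global whose address does not fit."""
    ifaces = parse_interfaces(config)
    owner_of = {v.ip: name for name, v in ifaces.items()}   # interface address -> nameif
    findings = []
    for g in parse_globals(config):
        if g["addr"] == "interface":
            continue                          # PAT on the interface's own address: fine
        ip = ipaddress.IPv4Address(g["addr"])
        iface = ifaces.get(g["nameif"])
        if iface is None:
            findings.append((g["line"], "unknown nameif"))
            continue
        owner = owner_of.get(ip)
        if owner and owner != g["nameif"]:
            # e.g. the OUTSIDE address configured as a global on INSIDE
            findings.append((g["line"], f"address belongs to {owner}"))
        elif ip not in iface.network:
            # e.g. 10.1.1.13 on an interface numbered out of 10.1.1.8/30
            findings.append((g["line"], f"not in {iface.network}"))
    return findings


if __name__ == "__main__":
    for line, reason in check_globals(SAMPLE_CONFIG):
        print(f"{line}: {reason}")
```

Run against the constructed sample it reports exactly the two problems raised in the comment; replacing the OUTSIDE global with the `interface` keyword clears the second one.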
 
jeremymjackson (Author) commented:
Thank you.  Those have been corrected.

On the router, I can see hits to my ip access-list 1, but no resulting translations.  I have escalated the issues to our Escalation Engineers and he is currently looking at why no translations are being made.
0
 
ciscoml320 commented:
Please also remove this:
ip route 111.111.111.2 255.255.255.255 10.1.1.9

Can you confirm the following:
1. As you ping an external host from the FW, do "sh ip nat translations" and also "sh ip nat statis".
2. As you ping an external host from inside the FW, on the FW do "sh xlate".
If you can post them, I can still take a crack at this.

0
 
wingatesl commented:
Based on the last config you posted this should do it. Please enter the commands one by one as I typed them from memory and I may be missing a space or hyphen. You can also check out my articles on this type of routing at http://www.inacom-sby.net/shawn

access-list 10 permit 10.1.1.0 0.0.0.255

route-map ISP1 permit 10
 match ip address 10
 match interface GigabitEthernet0/0

route-map ISP2 permit 10
 match ip address 10
 match interface GigabitEthernet0/1

! Remove the old translation rule before the pool it references, or IOS
! refuses to delete a pool that is still in use.
no ip nat inside source list 1 pool FIBER_POOL overload
no ip nat pool FIBER_POOL 111.111.111.2 111.111.111.2 netmask 255.255.255.255

ip nat inside source route-map ISP1 interface GigabitEthernet0/0 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/1 overload

ip access-list extended director
 permit tcp any any eq 80
 permit tcp any any eq 443

route-map director permit 10
 match ip address director
 set ip next-hop 222.222.222.2

interface FastEthernet0/3/0
 ip policy route-map director
0
 
wingatesl commented:
The set ip next-hop command should read

set ip next-hop 222.222.222.2   <-- replace with your ISP2 gateway.


That being said, this provides no failover for your web traffic if ISP2 goes down. The set ip next-hop command allows you to verify reachability based on an RTR. Let's get through the first bit and then deal with that.
0
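To see how the two pieces wingatesl proposes fit together (route-map based NAT, where an entry matches only if the source passes `access-list 10` *and* the packet leaves through that entry's interface, plus the `director` policy route that pushes web traffic towards ISP2), here is an added model in Python. It is not code from the thread or from Cisco; it evaluates the ACLs, the NAT route-maps and the policy route for one packet and returns the egress interface and the translated source. The interface table, the ISP2 gateway address and the packet dictionaries are constructed assumptions (the 111.111.x/222.222.x values are the thread's placeholders). The `verify_availability`/`track_up` arguments model `set ip next-hop verify-availability` with object tracking, which is what the follow-up's "RTR" (now called IP SLA) would drive; without it, a dead ISP2 gateway behind an up interface is modelled as a black hole, and a down interface is modelled as falling through to the default route.

```python
import ipaddress

# Constructed interface table (addresses as in the posted configs).
INTERFACES = {
    "GigabitEthernet0/0": {"ip": "111.111.111.14", "up": True},  # fiber, ISP1
    "GigabitEthernet0/1": {"ip": "222.222.222.2", "up": True},   # cable, ISP2
}
ISP1_GATEWAY = "111.111.111.1"   # ip route 0.0.0.0 0.0.0.0 111.111.111.1
ISP2_GATEWAY = "222.222.222.1"   # assumption: the cable provider's gateway
GATEWAY_IF = {ISP1_GATEWAY: "GigabitEthernet0/0", ISP2_GATEWAY: "GigabitEthernet0/1"}

# access-list 10 permit 10.1.1.0 0.0.0.255   (standard ACL, wildcard mask)
ACL_10 = [("10.1.1.0", "0.0.0.255")]
# ip access-list extended director: permit tcp any any eq 80 / eq 443
ACL_DIRECTOR = {("tcp", 80), ("tcp", 443)}
# The two 'ip nat inside source route-map ... interface ... overload' rules,
# evaluated in order; each needs the ACL match AND the egress interface match.
NAT_ROUTE_MAPS = [("ISP1", "GigabitEthernet0/0"), ("ISP2", "GigabitEthernet0/1")]


def wildcard_match(addr, network, wildcard):
    """Standard-ACL semantics: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl10_permits(src):
    return any(wildcard_match(src, net, wc) for net, wc in ACL_10)


def pbr_next_hop(pkt, verify_availability=False, track_up=True):
    """route-map director permit 10, applied inbound on Fa0/3/0."""
    if (pkt["proto"], pkt["dport"]) not in ACL_DIRECTOR:
        return None                      # not web traffic: no policy route
    if verify_availability and not track_up:
        return None                      # tracked gateway down: skip the set clause
    return ISP2_GATEWAY


def egress_interface(pkt, **pbr_opts):
    nh = pbr_next_hop(pkt, **pbr_opts)
    if nh is not None and INTERFACES[GATEWAY_IF[nh]]["up"]:
        return GATEWAY_IF[nh]
    # No policy route, or the next hop's interface is down: default route.
    return GATEWAY_IF[ISP1_GATEWAY]


def nat_source(pkt, egress):
    """First NAT route-map whose ACL and interface both match wins (overload)."""
    for _name, iface in NAT_ROUTE_MAPS:
        if acl10_permits(pkt["src"]) and iface == egress:
            return INTERFACES[iface]["ip"]
    return pkt["src"]                    # no match: packet leaves untranslated


def forward(pkt, **pbr_opts):
    egress = egress_interface(pkt, **pbr_opts)
    # Without verify-availability a dead ISP2 gateway on an up interface is a
    # black hole: the packet is still sent out Gi0/1.
    reachable = egress != "GigabitEthernet0/1" or pbr_opts.get("track_up", True)
    return {"egress": egress, "src": nat_source(pkt, egress), "reachable": reachable}


if __name__ == "__main__":
    web = {"src": "10.1.1.9", "proto": "tcp", "dport": 443}
    dns = {"src": "10.1.1.9", "proto": "udp", "dport": 53}
    print(forward(web))                                          # out Gi0/1 as 222.222.222.2
    print(forward(dns))                                          # out Gi0/0 as 111.111.111.14
    print(forward(web, track_up=False))                          # black hole
    print(forward(web, verify_availability=True, track_up=False))  # falls back to ISP1
```

The last two calls show the failover point wingatesl raises: with plain `set ip next-hop`, web traffic keeps going to ISP2 after its gateway dies, while with `verify-availability` tied to a tracked object the policy route is skipped and the traffic follows the default route out the fiber link. A source the ACL does not permit (for example a 172.16.x host if the ASA were not translating it to 10.1.1.9) leaves untranslated, which is worth remembering if `access-list 10` is ever narrowed.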
