Solved

NAT on CISCO ASA 5510

Posted on 2009-03-30
Last Modified: 2013-11-16
I have a CISCO ASA 5510 that is firewalling and NATing for our network. We have three DMZ servers on the DMZ interface of this ASA that host websites. SRWEB08 hosts corporate web, SRES01 hosts OWA for Exchange, SRHD01 hosts helpdesk web. Each of these sites works great from the inside of the network. Only SRWEB08 and SRES01 work from outside the network. The site on SRHD01 times out after approximately 5 minutes.
: Saved
:
ASA Version 8.0(3) 
!
hostname YODA
enable password XXXXXXXXXXXXXXXXXXXXX encrypted
multicast-routing
names
name 172.31.0.0 DMZ
name 172.16.0.0 PRODUCTION
name 172.30.0.0 VPN
name 172.31.3.33 SPF01
name 172.31.3.34 SRES01
name 172.31.3.40 SRHD01
name 172.31.3.13 SRNASFTP
name 172.31.3.36 SRRA01
name 172.31.3.6 SRTS02
name 172.30.1.0 VPN_SUBNET
name 192.192.192.0 PRODUCTION_WORKSTATIONS_GENERAL
name 192.192.191.0 PRODUCTION_WORKSTATIONS_OPS
name 172.17.0.0 QALAB
name 172.31.3.44 SRBES01
name 172.31.3.51 SRWEB08
name 172.16.3.15 XSTORE1
name 172.31.3.35 SRSQLSB01
name 10.1.1.0 INternal description internal network
name 172.31.3.10 SRPBX01
!
interface Ethernet0/0
 description CONNECTION_TO_LUKE
 nameif INSIDE
 security-level 100
 ip address 10.1.1.6 255.255.255.252 
!
interface Ethernet0/1
 description CONNECTION_TO_DMZ
 nameif DMZ
 security-level 50
 ip address 172.31.1.1 255.255.0.0 
!
interface Ethernet0/2
 description CONNECTION_TO_CSC-SSM
 nameif CSC-SSM
 security-level 0
 ip address 10.3.1.1 255.255.255.252 
!
interface Ethernet0/3
 description CONNECTION_TO_VADER
 nameif OUTSIDE
 security-level 0
 ip address 10.1.1.9 255.255.255.252 
!
interface Management0/0
 description MANAGEMENT
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd xxxxxxxxxxxxxx encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup INSIDE
dns domain-lookup DMZ
dns domain-lookup CSC-SSM
dns domain-lookup OUTSIDE
dns server-group DNS_SERVERS
 name-server 172.16.3.1
 name-server 172.16.3.3
 domain-name xxxx.xxxxxxxxxxxxx.com
dns-group DNS_SERVERS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network VPNPOOL
 network-object VPN_SUBNET 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service dhcp tcp-udp
 port-object range 67 68
object-group service VPN tcp-udp
 port-object eq 500
 port-object eq 10000
 port-object eq 7777
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object gre 
 service-object esp 
 service-object udp eq isakmp 
 service-object ah 
object-group service DM_INLINE_SERVICE_2
 service-object gre 
 service-object esp 
 service-object udp eq isakmp 
 service-object ah 
object-group network DM_INLINE_NETWORK_7
 network-object PRODUCTION 255.255.0.0
 network-object VPN_SUBNET 255.255.255.0
object-group service ALTIGEN_TCP tcp
 port-object range 10025 10050
 port-object eq 10064
 port-object range 49152 49220
 port-object eq 69
 port-object eq h323
object-group service ALTIGEN_UDP udp
 port-object eq 10060
 port-object range 49152 49220
 port-object eq sip
object-group network INTERNAL_INSPECT_ADDRESSES
 network-object PRODUCTION_WORKSTATIONS_OPS 255.255.255.0
 network-object PRODUCTION_WORKSTATIONS_GENERAL 255.255.255.0
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group service SMTP_ALL tcp
 port-object eq 587
 port-object eq smtp
object-group network DM_INLINE_NETWORK_5
 network-object host SRES01
 network-object host SRWEB08
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_6 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_3
 service-object tcp-udp eq www 
 service-object tcp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq domain
 port-object eq kerberos
object-group service DM_INLINE_SERVICE_4
 service-object tcp eq 135 
 service-object tcp eq 137 
 service-object tcp eq 3268 
 service-object tcp eq 445 
 service-object tcp eq 88 
 service-object tcp eq ldap 
 service-object udp eq 389 
 service-object udp eq netbios-ns 
object-group service DM_INLINE_SERVICE_5
 service-object tcp eq www 
 service-object udp eq ntp 
object-group service UDP6001-6194 udp
 port-object range 6004 6194
object-group service DM_INLINE_TCP_7 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_8 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_9 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_10 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_11 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_12 tcp
 port-object eq www
 port-object eq https
object-group network SMTP_ALLOWED
 network-object host JJACKSON
object-group service DM_INLINE_TCP_13 tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_access_in extended deny ip any host XSTORE1 log debugging 
access-list OUTSIDE_access_in extended deny ip any host 172.17.1.29 log debugging 
access-list OUTSIDE_access_in extended permit ip any any 
access-list OUTSIDE_access_in remark ALLOW VPN SUBNET ANYWHERE
access-list OUTSIDE_access_in extended permit ip VPN_SUBNET 255.255.255.0 any 
access-list OUTSIDE_access_in remark ALLOW HTTP/HTTPS ACCESS FROM ANYWHERE TO NAT TO SRWEB08
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.2 object-group DM_INLINE_TCP_5 
access-list OUTSIDE_access_in remark ALLOW FTP ACCESS FROM ANYWHERE TO NAT TO SRNASFTP
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.3 object-group DM_INLINE_TCP_6 
access-list OUTSIDE_access_in remark ALLOW VPN ACCESS FROM ANYWHERE
access-list OUTSIDE_access_in extended permit object-group TCPUDP any host 111.111.111.10 object-group VPN 
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.2 object-group SMTP_ALL 
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.13 object-group DM_INLINE_TCP_8 
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.4 object-group DM_INLINE_TCP_11 
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.5 object-group DM_INLINE_TCP_13 
access-list OUTSIDE_access_in extended permit tcp any host SRSQLSB01 object-group DM_INLINE_TCP_9 
access-list OUTSIDE_access_in extended permit tcp any host SRES01 object-group DM_INLINE_TCP_3 
access-list OUTSIDE_access_in extended permit tcp any host SRHD01 object-group DM_INLINE_TCP_10 
access-list OUTSIDE_access_in extended permit tcp any host SRWEB08 object-group DM_INLINE_TCP_4 
access-list OUTSIDE_access_in extended permit tcp any host SPF01 object-group SMTP_ALL 
access-list OUTSIDE_access_in extended permit tcp any host SRNASFTP object-group DM_INLINE_TCP_7 
access-list OUTSIDE_access_in extended permit icmp any any inactive 
access-list OUTSIDE_access_in extended permit object-group TCPUDP any any object-group VPN 
access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_2 any any 
access-list OUTSIDE_access_in extended deny ip any any log debugging 
access-list INSIDE_access_in extended permit tcp any host SRES01 eq smtp 
access-list INSIDE_access_in extended deny tcp any any eq smtp 
access-list INSIDE_access_in extended permit udp any any eq sip log debugging 
access-list INSIDE_access_in extended permit icmp any any 
access-list INSIDE_access_in extended permit object-group TCPUDP any any log debugging 
access-list INSIDE_access_in extended permit object-group TCPUDP any any object-group VPN 
access-list INSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 
access-list INSIDE_access_in extended permit ip object-group DM_INLINE_NETWORK_7 DMZ 255.255.0.0 
access-list INSIDE_nat0_outbound extended permit ip any 10.3.1.0 255.255.255.252 
access-list global_mpc extended permit tcp object-group INTERNAL_INSPECT_ADDRESSES any object-group DM_INLINE_TCP_1 inactive 
access-list DRXDRX_splitTunnelAcl standard permit PRODUCTION 255.255.0.0 
access-list DRXDRX_splitTunnelAcl standard permit DMZ 255.255.0.0 
access-list DRXDRX_splitTunnelAcl standard permit VPN_SUBNET 255.255.255.0 
access-list DRXDRX_splitTunnelAcl standard permit QALAB 255.255.0.0 
access-list inside_nat0_outbound extended permit ip PRODUCTION 255.255.0.0 VPN_SUBNET 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.1.1.4 255.255.255.252 10.3.1.0 255.255.255.252 
access-list inside_nat0_outbound extended permit ip any DMZ 255.255.0.0 
access-list inside_nat0_outbound extended permit ip VERIZON_NETS 255.255.255.248 10.1.1.8 255.255.255.252 
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 
access-list outside_cryptomap extended permit ip any VPN_SUBNET 255.255.255.0 
access-list outside_cryptomap_20.20 extended permit ip any object-group VPNPOOL 
access-list OUTSIDE_nat0_outbound extended permit ip any VERIZON_NETS 255.255.255.248 
access-list OUTSIDE_nat0_outbound extended permit ip 10.1.1.8 255.255.255.252 any 
access-list OUTSIDE_nat0_outbound extended permit ip VPN_SUBNET 255.255.255.0 DMZ 255.255.0.0 
access-list DMZ_nat0_outbound extended permit ip DMZ 255.255.0.0 PRODUCTION 255.255.0.0 
access-list DMZ_nat0_outbound extended permit ip DMZ 255.255.0.0 VPN_SUBNET 255.255.255.0 
access-list DMZ_access_in extended permit ip DMZ 255.255.0.0 VPN_SUBNET 255.255.255.0 log 
access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any eq smtp log debugging 
access-list DMZ_access_in extended deny tcp any any eq smtp log debugging 
access-list DMZ_access_in extended permit tcp host SRHD01 any object-group DM_INLINE_TCP_12 log debugging 
access-list DMZ_access_in remark ALLOW SRES01 SMTP ACCESS ANYWHERE
access-list DMZ_access_in extended permit tcp host SRES01 any eq smtp log inactive 
access-list DMZ_access_in extended permit ip DMZ 255.255.0.0 any 
access-list DMZ_access_in extended permit ip host SRSQLSB01 any log debugging 
access-list DMZ_access_in remark ALLOW ANYTHING FROM DMZ TO VPN_SUBNET
access-list DMZ_access_in remark ALLOW DHCP REQUESTS FROM DMZ TO PRODUCTION
access-list DMZ_access_in extended permit object-group TCPUDP DMZ 255.255.0.0 PRODUCTION 255.255.0.0 object-group dhcp log disable inactive 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_5 host SPF01 any inactive 
access-list DMZ_access_in remark ALLOW SRES01 IP ACCESS ANYWHERE
access-list DMZ_access_in extended permit ip host SRES01 any log disable inactive 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 DMZ 255.255.0.0 PRODUCTION 255.255.0.0 log disable inactive 
access-list DMZ_access_in remark ALOW DMZ DNS ACCESS ANYWHERE
access-list DMZ_access_in extended permit object-group TCPUDP DMZ 255.255.0.0 any object-group DM_INLINE_TCPUDP_1 log disable inactive 
access-list DMZ_access_in remark ALLOW SRES01 HTTP AND HTTPS ACCESS ANYWHERE
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 host SRES01 any log disable inactive 
access-list DMZ_access_in extended permit udp host SRES01 any object-group UDP6001-6194 inactive 
access-list DMZ_access_in extended permit udp host SRES01 any eq 1899 inactive 
access-list DMZ_access_in extended permit object-group TCPUDP host SRRA01 host 64.222.71.25 eq www inactive 
access-list DMZ_access_in extended permit tcp any DMZ 255.255.0.0 eq domain log disable inactive 
access-list DMZ_access_in extended permit object-group TCPUDP any host SRES01 eq www inactive 
access-list DMZ_access_in extended permit ip any host SRES01 inactive 
access-list DMZ_access_in remark DENY AND LOG
access-list DMZ_access_in extended deny ip any any log debugging 
access-list OUTSIDE_nat_static extended permit object-group TCPUDP host 111.111.111.10 object-group VPN any object-group VPN 
access-list acl-out extended permit object-group TCPUDP any object-group VPN host 111.111.111.10 object-group VPN 
access-list OUTSIDE_nat0_outbound_1 extended permit ip any host 111.111.111.14 
access-list CSC-SSM_access_in extended permit ip host 10.3.1.2 any 
access-list LAN2LAN_NAT0 extended permit ip PRODUCTION 255.255.0.0 object-group XXXXXXXXXX_SUBNETS 
access-list INSIDE_access_in_1 extended permit tcp any host SRES01 object-group SMTP_ALL log debugging 
access-list INSIDE_access_in_1 extended permit tcp object-group SMTP_ALLOWED any object-group SMTP_ALL log debugging 
access-list INSIDE_access_in_1 extended deny tcp any any object-group SMTP_ALL log debugging 
access-list INSIDE_access_in_1 extended permit ip any any 
access-list DMZ_access_out extended permit ip VPN_SUBNET 255.255.255.0 DMZ 255.255.0.0 
access-list DMZ_access_out extended permit ip any any log debugging 
access-list DMZ_access_out extended deny ip any any log debugging 
access-list OUTSIDE_access_in_1 extended permit ip host 10.1.1.10 any 
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm informational
logging mail informational
logging debug-trace
mtu INSIDE 1500
mtu DMZ 1500
mtu CSC-SSM 1500
mtu OUTSIDE 1500
mtu management 1500
ip local pool vpnpool VPN_SUBNET-172.30.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
icmp permit any DMZ
icmp permit any CSC-SSM
icmp permit any OUTSIDE
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 0 access-list inside_nat0_outbound
nat (INSIDE) 1 INternal 255.255.255.0
nat (INSIDE) 1 PRODUCTION 255.255.0.0
nat (INSIDE) 1 QALAB 255.255.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 1 DMZ 255.255.0.0
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound
nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound_1 outside
static (OUTSIDE,INSIDE) udp 10.1.1.4 sip 10.1.1.8 sip netmask 255.255.255.252 
static (DMZ,OUTSIDE) tcp 111.111.111.2 smtp SPF01 smtp netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.3 www SRWEB08 www netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.3 ftp-data SRNASFTP ftp-data netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.3 ftp SRNASFTP ftp netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.2 www SRES01 www netmask 255.255.255.255  norandomseq
static (DMZ,OUTSIDE) tcp 111.111.111.2 https SRES01 https netmask 255.255.255.255  norandomseq
static (DMZ,OUTSIDE) tcp 111.111.111.2 imap4 SRES01 imap4 netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.5 www SRHD01 www netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.5 https SRHD01 https netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.13 https SRSQLSB01 https netmask 255.255.255.255 
static (DMZ,OUTSIDE) tcp 111.111.111.13 www SRSQLSB01 www netmask 255.255.255.255 
access-group INSIDE_access_in_1 in interface INSIDE
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group CSC-SSM_access_in in interface CSC-SSM
access-group OUTSIDE_access_in in interface OUTSIDE
!
router rip
 network 10.0.0.0
 network PRODUCTION
 network QALAB
 network 172.18.0.0
 network 172.19.0.0
 network 172.29.0.0
 network VPN
 network DMZ
 redistribute connected metric transparent
 version 2
!
route OUTSIDE 0.0.0.0 0.0.0.0 10.1.1.10 1
route INSIDE PRODUCTION 255.255.0.0 10.1.1.5 1
route DMZ DMZ 255.255.0.0 172.31.255.254 1
route INSIDE 192.168.169.0 255.255.255.0 10.1.1.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server MD_RAD_SVR-GRP protocol radius
aaa-server MD_RAD_SVR-GRP host 172.16.3.3
 key cisco
aaa-server MD_RAD_SVR_VPN protocol radius
aaa-server MD_RAD_SVR_VPN host 172.16.3.3
 key cisco
aaa authentication enable console MD_RAD_SVR-GRP LOCAL
aaa authentication http console MD_RAD_SVR-GRP LOCAL
aaa authentication serial console MD_RAD_SVR-GRP LOCAL
aaa authentication ssh console MD_RAD_SVR-GRP LOCAL
aaa authentication telnet console MD_RAD_SVR-GRP LOCAL
aaa authorization command LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http INternal 255.255.255.0 INSIDE
http PRODUCTION 255.255.0.0 INSIDE
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface OUTSIDE
crypto isakmp identity address 
crypto isakmp enable CSC-SSM
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet PRODUCTION 255.255.0.0 INSIDE
telnet 10.1.1.10 255.255.255.255 OUTSIDE
telnet timeout 5
console timeout 0
management-access INSIDE
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay server 172.16.3.1 INSIDE
dhcprelay enable DMZ
dhcprelay timeout 60
vpn load-balancing 
 interface lbpublic CSC-SSM
 interface lbprivate CSC-SSM
threat-detection basic-threat
threat-detection statistics
tftp-server INSIDE 172.16.3.3 c:\tftp-root\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy DRXDRX internal
group-policy DRXDRX attributes
 dns-server value 172.16.3.1 172.16.3.3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DRXDRX_splitTunnelAcl
username admin password EzWnaLdExFoNnglv encrypted privilege 15
tunnel-group DRXDRX type remote-access
tunnel-group DRXDRX general-attributes
 address-pool vpnpool
 authentication-server-group MD_RAD_SVR_VPN LOCAL
 default-group-policy DRXDRX
tunnel-group DRXDRX ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match access-list global_mpc
class-map INSPECTION_DEFAULT
 match default-inspection-traffic
!
!
policy-map global_policy
 class global-class
  csc fail-close
  inspect sip  
 class INSPECTION_DEFAULT
  inspect pptp 
  inspect ipsec-pass-thru 
  inspect sip  
  inspect ftp 
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
Cryptochecksum:64d40b67c73e5b36a9a8ab955f069a7b
: end
asdm image disk0:/asdm-611.bin
asdm location VERIZON_NETS 255.255.255.248 INSIDE
asdm location MPL911 255.255.255.0 INSIDE
asdm location PRODUCTION_WORKSTATIONS_OPS 255.255.255.0 INSIDE
asdm location QALAB 255.255.0.0 INSIDE
asdm location SRBES01 255.255.255.255 INSIDE
asdm location SRWEB08 255.255.255.255 INSIDE
asdm location XSTORE1 255.255.255.255 INSIDE
asdm location INternal 255.255.255.0 INSIDE
asdm location SRPBX01 255.255.255.255 INSIDE
no asdm history enable

Question by:jeremymjackson
9 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24021998
The ASA config looks okay.

Is 10.1.1.10 port filtering at all?  It is routing 111.111.111.5 to 10.1.1.9, right?
 

Author Comment

by:jeremymjackson
ID: 24022110
The config on 10.1.1.10 is very basic.

Building configuration...
 
Current configuration : 6232 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VADER
!
boot-start-marker
boot-end-marker
!
logging buffered 16384
enable secret 5 XXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXXX
!
no aaa new-model
dot11 syslog
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name XXX.XXXXXXXXXXXX.com
ip name-server 172.16.3.1
ip name-server 4.2.2.2
!
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 password 0 XXXXXXXXXX
archive
 log config
  hidekeys
! 
!
!
!
ip ssh source-interface FastEthernet0/3/0
!
!
!
interface GigabitEthernet0/0
 description FIBER WAN CONNECTION$ETH-WAN$
 ip address 111.111.111.14 255.255.255.240
 ip access-group 103 in
 ip mask-reply
 no ip redirects
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description CABLE WAN CONNECTION$ETH-WAN$
 ip address 222.222.222.253 255.255.255.248
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/2/0
 shutdown
!
interface FastEthernet0/2/1
 shutdown
!
interface FastEthernet0/2/2
 shutdown
!
interface FastEthernet0/2/3
 shutdown
!
interface FastEthernet0/3/0
 description CONNECTION TO YODA$ETH-LAN$
 ip address 10.1.1.10 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed auto
 no mop enabled
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/1
 network 10.0.0.0
 network 172.16.0.0
 network 172.17.0.0
 network 172.18.0.0
 network 172.19.0.0
 network 172.29.0.0
 network 172.30.0.0
 network 172.31.0.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 111.111.111.1 permanent
ip route 111.111.111.2 255.255.255.255 10.1.1.9
ip route 111.111.111.3 255.255.255.255 10.1.1.9
ip route 111.111.111.4 255.255.255.255 10.1.1.9
ip route 111.111.111.5 255.255.255.255 10.1.1.9
ip route 111.111.111.6 255.255.255.255 10.1.1.9
ip route 111.111.111.7 255.255.255.255 10.1.1.9
ip route 111.111.111.8 255.255.255.255 10.1.1.9
ip route 111.111.111.9 255.255.255.255 10.1.1.9
ip route 111.111.111.10 255.255.255.255 10.1.1.9
ip route 111.111.111.11 255.255.255.255 10.1.1.9
ip route 111.111.111.12 255.255.255.255 10.1.1.9
ip route 111.111.111.13 255.255.255.255 10.1.1.9
!
!
ip http server
no ip http secure-server
ip nat pool FIBER_POOL 111.111.111.2 111.111.111.9 netmask 255.255.255.240
ip nat inside source list 1 pool FIBER_POOL overload
ip nat inside source static 10.1.1.9 111.111.111.10
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.8 0.0.0.3
access-list 1 permit 172.0.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 172.16.0.0 0.0.255.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 172.16.0.0 0.0.255.255
access-list 4 remark Auto generated by SDM Management Access feature
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 172.16.0.0 0.0.255.255
access-list 5 remark Auto generated by SDM Management Access feature
access-list 5 remark SDM_ACL Category=1
access-list 5 permit 172.16.0.0 0.0.255.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 172.16.3.1 eq domain any
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq telnet
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 22
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq www
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 443
access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq cmd
access-list 100 deny   tcp any host 10.1.1.10 eq telnet
access-list 100 deny   tcp any host 10.1.1.10 eq 22
access-list 100 deny   tcp any host 10.1.1.10 eq www
access-list 100 deny   tcp any host 10.1.1.10 eq 443
access-list 100 deny   tcp any host 10.1.1.10 eq cmd
access-list 100 deny   udp any host 10.1.1.10 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host xxxxxxxxxxxx.1 any
access-list 101 permit ip host 222.222.222.250 any
access-list 101 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq telnet
access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 22
access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq www
access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 443
access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq cmd
access-list 102 deny   tcp any host 10.1.1.10 eq telnet
access-list 102 deny   tcp any host 10.1.1.10 eq 22
access-list 102 deny   tcp any host 10.1.1.10 eq www
access-list 102 deny   tcp any host 10.1.1.10 eq 443
access-list 102 deny   tcp any host 10.1.1.10 eq cmd
access-list 102 deny   udp any host 10.1.1.10 eq snmp
access-list 102 permit ip any any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp host xxxxxxxxxxxxxx host 111.111.111.14 eq 22
access-list 103 permit tcp host 222.222.222.250 host 111.111.111.14 eq 22
access-list 103 deny   icmp any any
access-list 103 deny   tcp any host 111.111.111.14 eq telnet
access-list 103 deny   tcp any host 111.111.111.14 eq 22
access-list 103 deny   tcp any host 111.111.111.14 eq www
access-list 103 deny   tcp any host 111.111.111.14 eq 443
access-list 103 deny   tcp any host 111.111.111.14 eq cmd
access-list 103 deny   udp any host 111.111.111.14 eq snmp
access-list 103 permit ip any any
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 101 in
 password xxxxxxxxxxxx
 login local
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
!
end

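JFrederick29's two checks above, that the ASA's static and OUTSIDE access-list cover 111.111.111.5 and that VADER routes that address to 10.1.1.9, can be cross-checked mechanically once both configs are in hand. The script below is an added example (not from the thread, and not a Cisco tool): it parses constructed excerpts of the two posted configs, and the excerpt deliberately leaves out the ASA's blanket "permit ip any any" and the router's host route for 111.111.111.13 so the report shows what a gap looks like.

```python
import re

# Constructed excerpt of the ASA (YODA) and router (VADER) configs posted in the
# thread, keeping only what the audit needs; the blanket "permit ip any any" and
# the router's route for 111.111.111.13 are left out on purpose to show a gap.
ASA_CONFIG = """\
name 172.31.3.35 SRSQLSB01
name 172.31.3.40 SRHD01
name 172.31.3.51 SRWEB08
object-group service DM_INLINE_TCP_13 tcp
 port-object eq www
 port-object eq https
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.5 object-group DM_INLINE_TCP_13
access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.13 eq https
static (DMZ,OUTSIDE) tcp 111.111.111.3 www SRWEB08 www netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp 111.111.111.5 www SRHD01 www netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp 111.111.111.5 https SRHD01 https netmask 255.255.255.255
static (DMZ,OUTSIDE) tcp 111.111.111.13 www SRSQLSB01 www netmask 255.255.255.255
"""
ROUTER_CONFIG = """\
ip route 111.111.111.3 255.255.255.255 10.1.1.9
ip route 111.111.111.5 255.255.255.255 10.1.1.9
"""
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "smtp": 25, "imap4": 143, "sip": 5060}
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask", re.M)

def port_number(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_names(cfg):
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}

def parse_port_groups(cfg):
    """tcp/udp service object-groups -> {group: set(ports)}."""
    groups, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"object-group service (\S+) (?:tcp|udp|tcp-udp)\s*$", line)
        member = re.match(r"\s+port-object (eq|range) (\S+)(?: (\S+))?", line)
        if head:
            current = groups.setdefault(head.group(1), set())
        elif member and current is not None:
            lo = port_number(member.group(2))
            hi = lo if member.group(1) == "eq" else port_number(member.group(3))
            current.update(range(lo, hi + 1))
        elif not line.startswith(" "):
            current = None              # any other top-level line ends the group
    return groups

def parse_statics(cfg, names):
    """Port-level static NATs, with the real host resolved through the name table."""
    out = []
    for m in STATIC_RE.finditer(cfg):
        _real_if, mapped_if, proto, pub_ip, pub_port, real_host, real_port = m.groups()
        out.append({"mapped_if": mapped_if, "proto": proto, "public_ip": pub_ip,
                    "public_port": port_number(pub_port), "real_name": real_host,
                    "real_ip": names.get(real_host, real_host), "real_port": real_port})
    return out

def parse_acl_permits(cfg, acl_name, names, groups):
    """Active tcp/ip permits of one ACL -> [(dst_ip or 'any', set(ports) or None)]."""
    permits = []
    for line in cfg.splitlines():
        tok = line.split()
        if (len(tok) < 7 or tok[:4] != ["access-list", acl_name, "extended", "permit"]
                or tok[4] not in ("tcp", "ip") or "inactive" in tok):
            continue
        i = 6 if tok[5] == "any" else 7     # skip the source: any | host X | NET MASK
        if tok[i] == "any":
            dst, i = "any", i + 1
        elif tok[i] == "host":
            dst, i = names.get(tok[i + 1], tok[i + 1]), i + 2
        else:
            continue                        # subnet destinations are not modelled here
        ports = None                        # None means every port
        if i < len(tok) and tok[i] in ("eq", "object-group"):
            ports = {port_number(tok[i + 1])} if tok[i] == "eq" else groups.get(tok[i + 1], set())
        permits.append((dst, ports))
    return permits

def parse_host_routes(cfg):
    """IOS /32 static routes -> {destination: next_hop}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^ip route (\S+) 255\.255\.255\.255 (\S+)", cfg, re.M)}

def audit_published_services(asa_cfg, router_cfg, asa_outside_ip):
    """For each TCP static published on OUTSIDE: is it permitted by OUTSIDE_access_in and routed
    to the ASA? On ASA 8.0 the inbound OUTSIDE ACL matches the translated (public) address."""
    names = parse_names(asa_cfg)
    groups = parse_port_groups(asa_cfg)
    permits = parse_acl_permits(asa_cfg, "OUTSIDE_access_in", names, groups)
    routes = parse_host_routes(router_cfg)
    report = []
    for s in parse_statics(asa_cfg, names):
        if s["mapped_if"] != "OUTSIDE" or s["proto"] != "tcp":
            continue
        s["permitted"] = any(dst in ("any", s["public_ip"]) and (ports is None or s["public_port"] in ports)
                             for dst, ports in permits)
        s["routed"] = routes.get(s["public_ip"]) == asa_outside_ip
        report.append(s)
    return report
```

Run against the full configs from the thread, with the ASA's own OUTSIDE address as the third argument, the same function reports every published service that lacks either an ACL permit or an upstream host route.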
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24022260
Have you tried connecting by IP address to rule out a DNS issue?

From a PC's command prompt on the Internet, does the following work:

telnet 111.111.111.5 80
telnet 111.111.111.5 443

 

Author Comment

by:jeremymjackson
ID: 24022361
Just tried both tests:

Connecting by IP address yields the same results as connecting by name. 111.111.111.3 website pops up instantly, 111.111.111.5 times out after 5 minutes or so. It appears like it's going to work because the webserver hosting the website that 111.111.111.5 points to has a redirect to a directory on that server and I can see the redirect happening in my browser. This site and redirect works instantly from our internal network.

Connecting by telnet yields HTTP/1.1 400 bad request in command window.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24022374
Hmm, the site isn't hard coded with the internal IP address is it?  What does it redirect to?
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24022386
By the way, the fact that you get an HTTP 400 message means 80 is open to the server so you can rule out the router and ASA config.  Seems like something with the website coding...
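The two diagnostic points JFrederick29 makes above (any HTTP answer, even a 400, proves port 80 is open end to end, while a site hard-coded to its internal address would send Internet clients somewhere they cannot reach) can be folded into one probe. Added example, not part of the thread: classify_response() grades a raw HTTP response, probe() does the TCP connect; the sample responses and the hostname helpdesk.corp.example are constructed.

```python
import socket
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed responses, not captured from the thread: a bare HTTP/1.1 request with
# no Host header draws a 400 (what the author saw over telnet), and a site that
# redirects into /home/ can do so relatively, by public name, or by a private IP.
SAMPLE_400 = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_RELATIVE = b"HTTP/1.1 302 Found\r\nLocation: /home/\r\n\r\n"
SAMPLE_PRIVATE = b"HTTP/1.1 302 Found\r\nLocation: http://172.31.3.40/home/\r\n\r\n"
SAMPLE_OFFHOST = b"HTTP/1.1 302 Found\r\nLocation: http://helpdesk.corp.example/home/\r\n\r\n"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_response(raw, probed_host):
    """Classify a raw HTTP response as 'app-reachable', 'redirect-ok',
    'redirect-to-private', 'redirect-offhost' or 'not-http', plus a detail value."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http", status_line
    status = int(parts[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    if status not in REDIRECT_CODES or "location" not in headers:
        return "app-reachable", status       # any HTTP answer: the port is open end to end
    location = headers["location"]
    host = urlsplit(location).hostname
    if host is None:
        return "redirect-ok", location       # relative target: client keeps the public name
    try:
        if ip_address(host).is_private:
            return "redirect-to-private", location   # unreachable from the Internet
    except ValueError:
        pass                                 # a hostname, not an IP literal
    return ("redirect-ok" if host == probed_host else "redirect-offhost"), location


def probe(host, port, timeout=5.0):
    """Connect and send a minimal request. 'timeout' points at the path (route, NAT,
    ACL); any HTTP answer, even a 400, means the firewall and router passed the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"GET / HTTP/1.1\r\n\r\n")   # deliberately no Host header
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except socket.timeout:
        return "timeout", None
    except OSError as exc:
        return "refused-or-unreachable", str(exc)
    return classify_response(raw, host)
```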
 

Author Comment

by:jeremymjackson
ID: 24022533
The default website in IIS redirects to a Virtual Directory below the default website. For instance, entering www.111.com hits the default website and automatically gets me to www.111.com/home/.
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 24022611
So, if you go direct to www.111.com/home/ does it make any difference?  Like I said, the ASA is fine but the issue appears to lie within the site setup.  Sorry, I don't even claim to be a web admin :-)
 

Author Closing Comment

by:jeremymjackson
ID: 31564474
No, it's still not working.

I think I have narrowed it down to a problem with the site itself as the other sites on this web server work fine.

Thanks,
