Solved

NAT on CISCO ASA 5510

Posted on 2009-03-30
9
2,407 Views
Last Modified: 2013-11-16
I have a CISCO ASA 5510 that is firewalling and NATing for our network. We have three DMZ servers on the DMZ interface of this ASA that host websites. SRWEB08 hosts corporate web, SRES01 hosts OWA for Exchange, SRHD01 hosts helpdesk web. Each of these sites works great from the inside of the network. Only SRWEB08 and SRES01 work from outside the network. The site on SRHD01 times out after approximately 5 minutes.
: Saved

:

ASA Version 8.0(3) 

!

hostname YODA

enable password XXXXXXXXXXXXXXXXXXXXX encrypted

multicast-routing

names

name 172.31.0.0 DMZ

name 172.16.0.0 PRODUCTION

name 172.30.0.0 VPN

name 172.31.3.33 SPF01

name 172.31.3.34 SRES01

name 172.31.3.40 SRHD01

name 172.31.3.13 SRNASFTP

name 172.31.3.36 SRRA01

name 172.31.3.6 SRTS02

name 172.30.1.0 VPN_SUBNET

name 192.192.192.0 PRODUCTION_WORKSTATIONS_GENERAL

name 192.192.191.0 PRODUCTION_WORKSTATIONS_OPS

name 172.17.0.0 QALAB

name 172.31.3.44 SRBES01

name 172.31.3.51 SRWEB08

name 172.16.3.15 XSTORE1

name 172.31.3.35 SRSQLSB01

name 10.1.1.0 INternal description internal network

name 172.31.3.10 SRPBX01

!

interface Ethernet0/0

 description CONNECTION_TO_LUKE

 nameif INSIDE

 security-level 100

 ip address 10.1.1.6 255.255.255.252 

!

interface Ethernet0/1

 description CONNECTION_TO_DMZ

 nameif DMZ

 security-level 50

 ip address 172.31.1.1 255.255.0.0 

!

interface Ethernet0/2

 description CONNECTION_TO_CSC-SSM

 nameif CSC-SSM

 security-level 0

 ip address 10.3.1.1 255.255.255.252 

!

interface Ethernet0/3

 description CONNECTION_TO_VADER

 nameif OUTSIDE

 security-level 0

 ip address 10.1.1.9 255.255.255.252 

!

interface Management0/0

 description MANAGEMENT

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0 

 management-only

!

passwd xxxxxxxxxxxxxx encrypted

boot system disk0:/asa803-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup INSIDE

dns domain-lookup DMZ

dns domain-lookup CSC-SSM

dns domain-lookup OUTSIDE

dns server-group DNS_SERVERS

 name-server 172.16.3.1

 name-server 172.16.3.3

 domain-name xxxx.xxxxxxxxxxxxx.com

dns-group DNS_SERVERS

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service DM_INLINE_TCP_1 tcp

 port-object eq www

 port-object eq https

object-group network VPNPOOL

 network-object VPN_SUBNET 255.255.255.0

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group service dhcp tcp-udp

 port-object range 67 68

object-group service VPN tcp-udp

 port-object eq 500

 port-object eq 10000

 port-object eq 7777

object-group service DM_INLINE_TCP_2 tcp

 port-object eq www

 port-object eq https

object-group service DM_INLINE_SERVICE_1

 service-object gre 

 service-object esp 

 service-object udp eq isakmp 

 service-object ah 

object-group service DM_INLINE_SERVICE_2

 service-object gre 

 service-object esp 

 service-object udp eq isakmp 

 service-object ah 

object-group network DM_INLINE_NETWORK_7

 network-object PRODUCTION 255.255.0.0

 network-object VPN_SUBNET 255.255.255.0

object-group service ALTIGEN_TCP tcp

 port-object range 10025 10050

 port-object eq 10064

 port-object range 49152 49220

 port-object eq 69

 port-object eq h323

object-group service ALTIGEN_UDP udp

 port-object eq 10060

 port-object range 49152 49220

 port-object eq sip

object-group network INTERNAL_INSPECT_ADDRESSES

 network-object PRODUCTION_WORKSTATIONS_OPS 255.255.255.0

 network-object PRODUCTION_WORKSTATIONS_GENERAL 255.255.255.0

object-group service DM_INLINE_TCP_3 tcp

 port-object eq www

 port-object eq https

object-group service DM_INLINE_TCP_4 tcp

 port-object eq www

 port-object eq https

object-group service SMTP_ALL tcp

 port-object eq 587

 port-object eq smtp

object-group network DM_INLINE_NETWORK_5

 network-object host SRES01

 network-object host SRWEB08

object-group service DM_INLINE_TCP_5 tcp

 port-object eq www

 port-object eq https

object-group service DM_INLINE_TCP_6 tcp

 port-object eq ftp

 port-object eq ftp-data

 port-object eq www

 port-object eq https

object-group service DM_INLINE_SERVICE_3

 service-object tcp-udp eq www 

 service-object tcp eq www 

 service-object tcp eq https 

object-group service DM_INLINE_TCPUDP_1 tcp-udp

 port-object eq domain

 port-object eq kerberos

object-group service DM_INLINE_SERVICE_4

 service-object tcp eq 135 

 service-object tcp eq 137 

 service-object tcp eq 3268 

 service-object tcp eq 445 

 service-object tcp eq 88 

 service-object tcp eq ldap 

 service-object udp eq 389 

 service-object udp eq netbios-ns 

object-group service DM_INLINE_SERVICE_5

 service-object tcp eq www 

 service-object udp eq ntp 

object-group service UDP6001-6194 udp

 port-object range 6004 6194

object-group service DM_INLINE_TCP_7 tcp

 port-object eq ftp

 port-object eq ftp-data

object-group service DM_INLINE_TCP_8 tcp

 port-object eq www

 port-object eq https

object-group service DM_INLINE_TCP_9 tcp

 port-object eq www

 port-object eq https

object-group service DM_INLINE_TCP_10 tcp

 port-object eq www

 port-object eq https

object-group service DM_INLINE_TCP_11 tcp

 port-object eq www

 port-object eq https

object-group service DM_INLINE_TCP_12 tcp

 port-object eq www

 port-object eq https

object-group network SMTP_ALLOWED

 network-object host JJACKSON

object-group service DM_INLINE_TCP_13 tcp

 port-object eq www

 port-object eq https

access-list OUTSIDE_access_in extended deny ip any host XSTORE1 log debugging 

access-list OUTSIDE_access_in extended deny ip any host 172.17.1.29 log debugging 

access-list OUTSIDE_access_in extended permit ip any any 

access-list OUTSIDE_access_in remark ALLOW VPN SUBNET ANYWHERE

access-list OUTSIDE_access_in extended permit ip VPN_SUBNET 255.255.255.0 any 

access-list OUTSIDE_access_in remark ALLOW HTTP/HTTPS ACCESS FROM ANYWHERE TO NAT TO SRWEB08

access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.2 object-group DM_INLINE_TCP_5 

access-list OUTSIDE_access_in remark ALLOW FTP ACCESS FROM ANYWHERE TO NAT TO SRNASFTP

access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.3 object-group DM_INLINE_TCP_6 

access-list OUTSIDE_access_in remark ALLOW VPN ACCESS FROM ANYWHERE

access-list OUTSIDE_access_in extended permit object-group TCPUDP any host 111.111.111.10 object-group VPN 

access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.2 object-group SMTP_ALL 

access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.13 object-group DM_INLINE_TCP_8 

access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.4 object-group DM_INLINE_TCP_11 

access-list OUTSIDE_access_in extended permit tcp any host 111.111.111.5 object-group DM_INLINE_TCP_13 

access-list OUTSIDE_access_in extended permit tcp any host SRSQLSB01 object-group DM_INLINE_TCP_9 

access-list OUTSIDE_access_in extended permit tcp any host SRES01 object-group DM_INLINE_TCP_3 

access-list OUTSIDE_access_in extended permit tcp any host SRHD01 object-group DM_INLINE_TCP_10 

access-list OUTSIDE_access_in extended permit tcp any host SRWEB08 object-group DM_INLINE_TCP_4 

access-list OUTSIDE_access_in extended permit tcp any host SPF01 object-group SMTP_ALL 

access-list OUTSIDE_access_in extended permit tcp any host SRNASFTP object-group DM_INLINE_TCP_7 

access-list OUTSIDE_access_in extended permit icmp any any inactive 

access-list OUTSIDE_access_in extended permit object-group TCPUDP any any object-group VPN 

access-list OUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_2 any any 

access-list OUTSIDE_access_in extended deny ip any any log debugging 

access-list INSIDE_access_in extended permit tcp any host SRES01 eq smtp 

access-list INSIDE_access_in extended deny tcp any any eq smtp 

access-list INSIDE_access_in extended permit udp any any eq sip log debugging 

access-list INSIDE_access_in extended permit icmp any any 

access-list INSIDE_access_in extended permit object-group TCPUDP any any log debugging 

access-list INSIDE_access_in extended permit object-group TCPUDP any any object-group VPN 

access-list INSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any any 

access-list INSIDE_access_in extended permit ip object-group DM_INLINE_NETWORK_7 DMZ 255.255.0.0 

access-list INSIDE_nat0_outbound extended permit ip any 10.3.1.0 255.255.255.252 

access-list global_mpc extended permit tcp object-group INTERNAL_INSPECT_ADDRESSES any object-group DM_INLINE_TCP_1 inactive 

access-list DRXDRX_splitTunnelAcl standard permit PRODUCTION 255.255.0.0 

access-list DRXDRX_splitTunnelAcl standard permit DMZ 255.255.0.0 

access-list DRXDRX_splitTunnelAcl standard permit VPN_SUBNET 255.255.255.0 

access-list DRXDRX_splitTunnelAcl standard permit QALAB 255.255.0.0 

access-list inside_nat0_outbound extended permit ip PRODUCTION 255.255.0.0 VPN_SUBNET 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 10.1.1.4 255.255.255.252 10.3.1.0 255.255.255.252 

access-list inside_nat0_outbound extended permit ip any DMZ 255.255.0.0 

access-list inside_nat0_outbound extended permit ip VERIZON_NETS 255.255.255.248 10.1.1.8 255.255.255.252 

access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 

access-list outside_cryptomap extended permit ip any VPN_SUBNET 255.255.255.0 

access-list outside_cryptomap_20.20 extended permit ip any object-group VPNPOOL 

access-list OUTSIDE_nat0_outbound extended permit ip any VERIZON_NETS 255.255.255.248 

access-list OUTSIDE_nat0_outbound extended permit ip 10.1.1.8 255.255.255.252 any 

access-list OUTSIDE_nat0_outbound extended permit ip VPN_SUBNET 255.255.255.0 DMZ 255.255.0.0 

access-list DMZ_nat0_outbound extended permit ip DMZ 255.255.0.0 PRODUCTION 255.255.0.0 

access-list DMZ_nat0_outbound extended permit ip DMZ 255.255.0.0 VPN_SUBNET 255.255.255.0 

access-list DMZ_access_in extended permit ip DMZ 255.255.0.0 VPN_SUBNET 255.255.255.0 log 

access-list DMZ_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any eq smtp log debugging 

access-list DMZ_access_in extended deny tcp any any eq smtp log debugging 

access-list DMZ_access_in extended permit tcp host SRHD01 any object-group DM_INLINE_TCP_12 log debugging 

access-list DMZ_access_in remark ALLOW SRES01 SMTP ACCESS ANYWHERE

access-list DMZ_access_in extended permit tcp host SRES01 any eq smtp log inactive 

access-list DMZ_access_in extended permit ip DMZ 255.255.0.0 any 

access-list DMZ_access_in extended permit ip host SRSQLSB01 any log debugging 

access-list DMZ_access_in remark ALLOW ANYTHING FROM DMZ TO VPN_SUBNET

access-list DMZ_access_in remark ALLOW DHCP REQUESTS FROM DMZ TO PRODUCTION

access-list DMZ_access_in extended permit object-group TCPUDP DMZ 255.255.0.0 PRODUCTION 255.255.0.0 object-group dhcp log disable inactive 

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_5 host SPF01 any inactive 

access-list DMZ_access_in remark ALLOW SRES01 IP ACCESS ANYWHERE

access-list DMZ_access_in extended permit ip host SRES01 any log disable inactive 

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_4 DMZ 255.255.0.0 PRODUCTION 255.255.0.0 log disable inactive 

access-list DMZ_access_in remark ALOW DMZ DNS ACCESS ANYWHERE

access-list DMZ_access_in extended permit object-group TCPUDP DMZ 255.255.0.0 any object-group DM_INLINE_TCPUDP_1 log disable inactive 

access-list DMZ_access_in remark ALLOW SRES01 HTTP AND HTTPS ACCESS ANYWHERE

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 host SRES01 any log disable inactive 

access-list DMZ_access_in extended permit udp host SRES01 any object-group UDP6001-6194 inactive 

access-list DMZ_access_in extended permit udp host SRES01 any eq 1899 inactive 

access-list DMZ_access_in extended permit object-group TCPUDP host SRRA01 host 64.222.71.25 eq www inactive 

access-list DMZ_access_in extended permit tcp any DMZ 255.255.0.0 eq domain log disable inactive 

access-list DMZ_access_in extended permit object-group TCPUDP any host SRES01 eq www inactive 

access-list DMZ_access_in extended permit ip any host SRES01 inactive 

access-list DMZ_access_in remark DENY AND LOG

access-list DMZ_access_in extended deny ip any any log debugging 

access-list OUTSIDE_nat_static extended permit object-group TCPUDP host 111.111.111.10 object-group VPN any object-group VPN 

access-list acl-out extended permit object-group TCPUDP any object-group VPN host 111.111.111.10 object-group VPN 

access-list OUTSIDE_nat0_outbound_1 extended permit ip any host 111.111.111.14 

access-list CSC-SSM_access_in extended permit ip host 10.3.1.2 any 

access-list LAN2LAN_NAT0 extended permit ip PRODUCTION 255.255.0.0 object-group XXXXXXXXXX_SUBNETS 

access-list INSIDE_access_in_1 extended permit tcp any host SRES01 object-group SMTP_ALL log debugging 

access-list INSIDE_access_in_1 extended permit tcp object-group SMTP_ALLOWED any object-group SMTP_ALL log debugging 

access-list INSIDE_access_in_1 extended deny tcp any any object-group SMTP_ALL log debugging 

access-list INSIDE_access_in_1 extended permit ip any any 

access-list DMZ_access_out extended permit ip VPN_SUBNET 255.255.255.0 DMZ 255.255.0.0 

access-list DMZ_access_out extended permit ip any any log debugging 

access-list DMZ_access_out extended deny ip any any log debugging 

access-list OUTSIDE_access_in_1 extended permit ip host 10.1.1.10 any 

pager lines 24

logging enable

logging timestamp

logging monitor debugging

logging buffered debugging

logging trap debugging

logging asdm informational

logging mail informational

logging debug-trace

mtu INSIDE 1500

mtu DMZ 1500

mtu CSC-SSM 1500

mtu OUTSIDE 1500

mtu management 1500

ip local pool vpnpool VPN_SUBNET-172.30.1.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any INSIDE

icmp permit any DMZ

icmp permit any CSC-SSM

icmp permit any OUTSIDE

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (OUTSIDE) 1 interface

nat (INSIDE) 0 access-list inside_nat0_outbound

nat (INSIDE) 1 INternal 255.255.255.0

nat (INSIDE) 1 PRODUCTION 255.255.0.0

nat (INSIDE) 1 QALAB 255.255.0.0

nat (DMZ) 0 access-list DMZ_nat0_outbound

nat (DMZ) 1 DMZ 255.255.0.0

nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound

nat (OUTSIDE) 0 access-list OUTSIDE_nat0_outbound_1 outside

static (OUTSIDE,INSIDE) udp 10.1.1.4 sip 10.1.1.8 sip netmask 255.255.255.252 

static (DMZ,OUTSIDE) tcp 111.111.111.2 smtp SPF01 smtp netmask 255.255.255.255 

static (DMZ,OUTSIDE) tcp 111.111.111.3 www SRWEB08 www netmask 255.255.255.255 

static (DMZ,OUTSIDE) tcp 111.111.111.3 ftp-data SRNASFTP ftp-data netmask 255.255.255.255 

static (DMZ,OUTSIDE) tcp 111.111.111.3 ftp SRNASFTP ftp netmask 255.255.255.255 

static (DMZ,OUTSIDE) tcp 111.111.111.2 www SRES01 www netmask 255.255.255.255  norandomseq

static (DMZ,OUTSIDE) tcp 111.111.111.2 https SRES01 https netmask 255.255.255.255  norandomseq

static (DMZ,OUTSIDE) tcp 111.111.111.2 imap4 SRES01 imap4 netmask 255.255.255.255 

static (DMZ,OUTSIDE) tcp 111.111.111.5 www SRHD01 www netmask 255.255.255.255 

static (DMZ,OUTSIDE) tcp 111.111.111.5 https SRHD01 https netmask 255.255.255.255 

static (DMZ,OUTSIDE) tcp 111.111.111.13 https SRSQLSB01 https netmask 255.255.255.255 

static (DMZ,OUTSIDE) tcp 111.111.111.13 www SRSQLSB01 www netmask 255.255.255.255 

access-group INSIDE_access_in_1 in interface INSIDE

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

access-group CSC-SSM_access_in in interface CSC-SSM

access-group OUTSIDE_access_in in interface OUTSIDE

!

router rip

 network 10.0.0.0

 network PRODUCTION

 network QALAB

 network 172.18.0.0

 network 172.19.0.0

 network 172.29.0.0

 network VPN

 network DMZ

 redistribute connected metric transparent

 version 2

!

route OUTSIDE 0.0.0.0 0.0.0.0 10.1.1.10 1

route INSIDE PRODUCTION 255.255.0.0 10.1.1.5 1

route DMZ DMZ 255.255.0.0 172.31.255.254 1

route INSIDE 192.168.169.0 255.255.255.0 10.1.1.5 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server MD_RAD_SVR-GRP protocol radius

aaa-server MD_RAD_SVR-GRP host 172.16.3.3

 key cisco

aaa-server MD_RAD_SVR_VPN protocol radius

aaa-server MD_RAD_SVR_VPN host 172.16.3.3

 key cisco

aaa authentication enable console MD_RAD_SVR-GRP LOCAL

aaa authentication http console MD_RAD_SVR-GRP LOCAL

aaa authentication serial console MD_RAD_SVR-GRP LOCAL

aaa authentication ssh console MD_RAD_SVR-GRP LOCAL

aaa authentication telnet console MD_RAD_SVR-GRP LOCAL

aaa authorization command LOCAL 

http server enable

http 192.168.1.0 255.255.255.0 management

http INternal 255.255.255.0 INSIDE

http PRODUCTION 255.255.0.0 INSIDE

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface OUTSIDE

crypto isakmp identity address 

crypto isakmp enable CSC-SSM

crypto isakmp enable OUTSIDE

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

telnet PRODUCTION 255.255.0.0 INSIDE

telnet 10.1.1.10 255.255.255.255 OUTSIDE

telnet timeout 5

console timeout 0

management-access INSIDE

dhcpd address 192.168.1.2-192.168.1.254 management

!

dhcprelay server 172.16.3.1 INSIDE

dhcprelay enable DMZ

dhcprelay timeout 60

vpn load-balancing 

 interface lbpublic CSC-SSM

 interface lbprivate CSC-SSM

threat-detection basic-threat

threat-detection statistics

tftp-server INSIDE 172.16.3.3 c:\tftp-root\

group-policy DfltGrpPolicy attributes

 vpn-tunnel-protocol webvpn

group-policy DRXDRX internal

group-policy DRXDRX attributes

 dns-server value 172.16.3.1 172.16.3.3

 vpn-idle-timeout none

 vpn-session-timeout none

 vpn-tunnel-protocol IPSec svc 

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value DRXDRX_splitTunnelAcl

username admin password EzWnaLdExFoNnglv encrypted privilege 15

tunnel-group DRXDRX type remote-access

tunnel-group DRXDRX general-attributes

 address-pool vpnpool

 authentication-server-group MD_RAD_SVR_VPN LOCAL

 default-group-policy DRXDRX

tunnel-group DRXDRX ipsec-attributes

 pre-shared-key *

!

class-map global-class

 match access-list global_mpc

class-map INSPECTION_DEFAULT

 match default-inspection-traffic

!

!

policy-map global_policy

 class global-class

  csc fail-close

  inspect sip  

 class INSPECTION_DEFAULT

  inspect pptp 

  inspect ipsec-pass-thru 

  inspect sip  

  inspect ftp 

!

service-policy global_policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context 

Cryptochecksum:64d40b67c73e5b36a9a8ab955f069a7b

: end

asdm image disk0:/asdm-611.bin

asdm location VERIZON_NETS 255.255.255.248 INSIDE

asdm location MPL911 255.255.255.0 INSIDE

asdm location PRODUCTION_WORKSTATIONS_OPS 255.255.255.0 INSIDE

asdm location QALAB 255.255.0.0 INSIDE

asdm location SRBES01 255.255.255.255 INSIDE

asdm location SRWEB08 255.255.255.255 INSIDE

asdm location XSTORE1 255.255.255.255 INSIDE

asdm location INternal 255.255.255.0 INSIDE

asdm location SRPBX01 255.255.255.255 INSIDE

no asdm history enable


0
Comment
Question by:jeremymjackson
9 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24021998
The ASA config looks okay.

Is 10.1.1.10 port filtering at all?  It is routing 111.111.111.5 to 10.1.1.9, right?
0
 

Author Comment

by:jeremymjackson
ID: 24022110
The config on 10.1.1.10 is very basic.


Building configuration...
 

Current configuration : 6232 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname VADER

!

boot-start-marker

boot-end-marker

!

logging buffered 16384

enable secret 5 XXXXXXXXXXXXXXXXXXX

enable password XXXXXXXXXX

!

no aaa new-model

dot11 syslog

!

!

ip cef

!

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

ip domain name XXX.XXXXXXXXXXXX.com

ip name-server 172.16.3.1

ip name-server 4.2.2.2

!

multilink bundle-name authenticated

!

!

!

!

!

username admin privilege 15 password 0 XXXXXXXXXX

archive

 log config

  hidekeys

! 

!

!

!

ip ssh source-interface FastEthernet0/3/0

!

!

!

interface GigabitEthernet0/0

 description FIBER WAN CONNECTION$ETH-WAN$

 ip address 111.111.111.14 255.255.255.240

 ip access-group 103 in

 ip mask-reply

 no ip redirects

 ip nat outside

 ip virtual-reassembly

 duplex auto

 speed auto

!

interface GigabitEthernet0/1

 description CABLE WAN CONNECTION$ETH-WAN$

 ip address 222.222.222.253 255.255.255.248

 ip access-group 103 in

 ip nat outside

 ip virtual-reassembly

 shutdown

 duplex auto

 speed auto

!

interface FastEthernet0/2/0

 shutdown

!

interface FastEthernet0/2/1

 shutdown

!

interface FastEthernet0/2/2

 shutdown

!

interface FastEthernet0/2/3

 shutdown

!

interface FastEthernet0/3/0

 description CONNECTION TO YODA$ETH-LAN$

 ip address 10.1.1.10 255.255.255.252

 ip nat inside

 ip virtual-reassembly

 duplex full

 speed auto

 no mop enabled

!

interface Vlan1

 no ip address

 shutdown

!

router rip

 version 2

 passive-interface GigabitEthernet0/0

 passive-interface GigabitEthernet0/1

 network 10.0.0.0

 network 172.16.0.0

 network 172.17.0.0

 network 172.18.0.0

 network 172.19.0.0

 network 172.29.0.0

 network 172.30.0.0

 network 172.31.0.0

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 111.111.111.1 permanent

ip route 111.111.111.2 255.255.255.255 10.1.1.9

ip route 111.111.111.3 255.255.255.255 10.1.1.9

ip route 111.111.111.4 255.255.255.255 10.1.1.9

ip route 111.111.111.5 255.255.255.255 10.1.1.9

ip route 111.111.111.6 255.255.255.255 10.1.1.9

ip route 111.111.111.7 255.255.255.255 10.1.1.9

ip route 111.111.111.8 255.255.255.255 10.1.1.9

ip route 111.111.111.9 255.255.255.255 10.1.1.9

ip route 111.111.111.10 255.255.255.255 10.1.1.9

ip route 111.111.111.11 255.255.255.255 10.1.1.9

ip route 111.111.111.12 255.255.255.255 10.1.1.9

ip route 111.111.111.13 255.255.255.255 10.1.1.9

!

!

ip http server

no ip http secure-server

ip nat pool FIBER_POOL 111.111.111.2 111.111.111.9 netmask 255.255.255.240

ip nat inside source list 1 pool FIBER_POOL overload

ip nat inside source static 10.1.1.9 111.111.111.10

!

logging trap debugging

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 10.1.1.8 0.0.0.3

access-list 1 permit 172.0.0.0 0.0.0.255

access-list 2 remark Auto generated by SDM Management Access feature

access-list 2 remark SDM_ACL Category=1

access-list 2 permit 172.16.0.0 0.0.255.255

access-list 3 remark Auto generated by SDM Management Access feature

access-list 3 remark SDM_ACL Category=1

access-list 3 permit 172.16.0.0 0.0.255.255

access-list 4 remark Auto generated by SDM Management Access feature

access-list 4 remark SDM_ACL Category=1

access-list 4 permit 172.16.0.0 0.0.255.255

access-list 5 remark Auto generated by SDM Management Access feature

access-list 5 remark SDM_ACL Category=1

access-list 5 permit 172.16.0.0 0.0.255.255

access-list 100 remark Auto generated by SDM Management Access feature

access-list 100 remark SDM_ACL Category=1

access-list 100 permit udp host 172.16.3.1 eq domain any

access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq telnet

access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 22

access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq www

access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 443

access-list 100 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq cmd

access-list 100 deny   tcp any host 10.1.1.10 eq telnet

access-list 100 deny   tcp any host 10.1.1.10 eq 22

access-list 100 deny   tcp any host 10.1.1.10 eq www

access-list 100 deny   tcp any host 10.1.1.10 eq 443

access-list 100 deny   tcp any host 10.1.1.10 eq cmd

access-list 100 deny   udp any host 10.1.1.10 eq snmp

access-list 100 permit ip any any

access-list 101 remark Auto generated by SDM Management Access feature

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip host xxxxxxxxxxxx.1 any

access-list 101 permit ip host 222.222.222.250 any

access-list 101 permit ip 172.16.0.0 0.0.255.255 any

access-list 102 remark Auto generated by SDM Management Access feature

access-list 102 remark SDM_ACL Category=1

access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq telnet

access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 22

access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq www

access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq 443

access-list 102 permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.10 eq cmd

access-list 102 deny   tcp any host 10.1.1.10 eq telnet

access-list 102 deny   tcp any host 10.1.1.10 eq 22

access-list 102 deny   tcp any host 10.1.1.10 eq www

access-list 102 deny   tcp any host 10.1.1.10 eq 443

access-list 102 deny   tcp any host 10.1.1.10 eq cmd

access-list 102 deny   udp any host 10.1.1.10 eq snmp

access-list 102 permit ip any any

access-list 103 remark Auto generated by SDM Management Access feature

access-list 103 remark SDM_ACL Category=1

access-list 103 permit tcp host xxxxxxxxxxxxxx host 111.111.111.14 eq 22

access-list 103 permit tcp host 222.222.222.250 host 111.111.111.14 eq 22

access-list 103 deny   icmp any any

access-list 103 deny   tcp any host 111.111.111.14 eq telnet

access-list 103 deny   tcp any host 111.111.111.14 eq 22

access-list 103 deny   tcp any host 111.111.111.14 eq www

access-list 103 deny   tcp any host 111.111.111.14 eq 443

access-list 103 deny   tcp any host 111.111.111.14 eq cmd

access-list 103 deny   udp any host 111.111.111.14 eq snmp

access-list 103 permit ip any any

!

!

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

 access-class 101 in

 password xxxxxxxxxxxx

 login local

 transport input telnet ssh

 transport output telnet ssh

!

scheduler allocate 20000 1000

!

end


0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24022260
Have you tried connecting by IP address to rule out a DNS issue?

From a PC's command prompt on the Internet, does the following work:

telnet 111.111.111.5 80
telnet 111.111.111.5 443
0
 

Author Comment

by:jeremymjackson
ID: 24022361
Just tried both tests:

Connecting by IP address yields the same results as connecting by name. The 111.111.111.3 website pops up instantly, 111.111.111.5 times out after 5 minutes or so. It appears like it's going to work because the web server hosting the website that 111.111.111.5 points to has a redirect to a directory on that server and I can see the redirect happening in my browser. This site and redirect work instantly from our internal network.

Connecting by telnet yields HTTP/1.1 400 Bad Request in the command window.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24022374
Hmm, the site isn't hard-coded with the internal IP address, is it? What does it redirect to?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24022386
By the way, the fact that you get an HTTP 400 message means 80 is open to the server so you can rule out the router and ASA config.  Seems like something with the website coding...
0
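The two checks the thread relies on (does the public IP answer on the NAT'd port, and what does the site redirect to) can be scripted so the test sends a real HTTP request instead of a bare telnet, which is why telnet only ever sees a 400. This is an added example, not code from the thread or from either participant; 111.111.111.5 and the SRHD01 address 172.31.3.40 come from the configs above, and the function names are assumptions.

```python
# Added example (not from the thread): probe a published web server through
# the router/ASA NAT and classify the response the way the expert reasoned:
# a 400 proves the port is open end to end, a 3xx to an RFC1918 address
# explains a site that works inside but hangs from the Internet.
import ipaddress
import socket
import time
from typing import Optional
from urllib.parse import urlsplit


def parse_http_response(raw: bytes) -> dict:
    """Return {'status': int, 'headers': {lowercase-name: value}} from raw bytes.
    status is 0 when no valid status line was received (empty reply / timeout)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def classify_redirect(location: Optional[str]) -> str:
    """Classify a Location header as 'none', 'relative', 'private-ip',
    'public-ip' or 'hostname'. A private-ip target is the classic cause of a
    site that only works from inside: the browser follows the 3xx to an
    address that is unreachable from the Internet and the request hangs."""
    if not location:
        return "none"
    parts = urlsplit(location)
    if not parts.netloc:
        return "relative"  # same host, same public IP: fine through NAT
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # must resolve to the public IP from outside
    return "private-ip" if addr.is_private else "public-ip"


def diagnose(status: int, location: Optional[str], timed_out: bool) -> str:
    """Map one observation onto the conclusions drawn in the thread."""
    if timed_out and status == 0:
        return "no-tcp-or-http-response: check router route, ASA static and ACL"
    if status == 400:
        return "port-open: server answered, router/ASA path is fine"
    kind = classify_redirect(location)
    if 300 <= status < 400 and kind == "private-ip":
        return "redirect-to-internal-address: fix the site, not the firewall"
    if 300 <= status < 400 and kind == "relative":
        return "relative-redirect: re-test the target path directly"
    return "server-responded: inspect the site/application"


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 15.0) -> dict:
    """Connect to host:port, send a minimal HTTP/1.1 request, read the headers.
    Unlike a bare telnet (which sends nothing), this lets the server issue its
    real redirect so the Location header can be inspected."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"User-Agent: nat-probe\r\nConnection: close\r\n\r\n").encode()
    raw, timed_out, start = b"", False, time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            while b"\r\n\r\n" not in raw:  # headers are enough for the verdict
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:  # refused, unreachable or timed out (socket.timeout is an OSError)
        timed_out = True
    parsed = parse_http_response(raw)
    location = parsed["headers"].get("location")
    return {"elapsed_s": round(time.monotonic() - start, 2),
            "status": parsed["status"], "location": location,
            "redirect": classify_redirect(location),
            "verdict": diagnose(parsed["status"], location, timed_out)}


if __name__ == "__main__":
    # Public IP of the SRHD01 static from the thread; run from outside the network.
    for port in (80, 443):
        print(port, probe("111.111.111.5", port))
```

Running `probe` against the working site (111.111.111.3) and the failing one side by side makes the difference visible in the `redirect` field rather than in a five-minute browser wait.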
 

Author Comment

by:jeremymjackson
ID: 24022533
The default website in IIS redirects to a Virtual Directory below the default website. For instance, entering www.111.com hits the default website and automatically gets me to www.111.com/home/.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24022611
So, if you go direct to www.111.com/home/ does it make any difference?  Like I said, the ASA is fine but the issue appears to lie within the site setup.  Sorry, I don't even claim to be a web admin :-)
0
 

Author Closing Comment

by:jeremymjackson
ID: 31564474
No, it's still not working.

I think I have narrowed it down to a problem with the site itself as the other sites on this web server work fine.

Thanks,
0
