VoyagerHealthCare
asked on
ASA 5510 question
Let's say that one of my inside interfaces is set to 10.0.0.1 and my mail server is 10.0.0.254.
Let's also say that I create a static map to allow traffic in from the outside interface to go to the mail server.
Suppose the outside interface is set to 64.64.64.64. Is there a way to configure the ASA to allow a client at 10.0.0.50 to connect to 64.64.64.64? It would be like going out and back in again (sort of).
ASKER
Can you tell me how to do this? Here is my shortened, sanitized config.
: Saved
:
ASA Version 7.0(8)
!
hostname DTC-FireWall
domain-name VHC.com
enable password wNjTjDTuGIWhG9bl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.0 IDCnet
name 192.168.254.0 Voyager-net
name 192.168.225.0 RemoteAccess-net
name 10.254.254.0 DMZnet
name 192.168.3.0 StLouis-net
name 192.168.0.0 HillSide-net
name 10.2.7.0 Cleburne-net
name 10.2.9.0 Conroe-net
name 10.2.3.0 Houston-net
name 10.2.2.0 Dallas-net
name 10.2.10.0 McKinney-net
name 10.2.4.0 Denton-net
name 10.2.6.0 Pasadena-net
name 10.3.3.0 Newton-net
name 10.3.4.0 Parsons-net
name 10.3.5.0 Lenexa-net
name 10.3.6.0 KCMO-net
name 10.3.7.0 Hutchinson-net
name 10.3.8.0 ElDorado-net
name 10.3.9.0 McPherson-net
name 10.3.10.0 Winfield-net
name 10.3.11.0 Wellington-net
name 10.3.13.0 Salina-net
name 10.2.1.0 FTWorth-net
name 10.2.8.0 WhichitaFalls-net
name 192.168.70.0 KansasAdmin-net
name 192.168.35.0 Troy-net
name 10.2.5.0 Jacksboro-net
name 10.3.12.0 Topeka-net
name 10.7.1.0 Birmingham-net
name 10.9.1.0 SanDiego-net
name 10.10.1.0 VHH-Houston
name 192.168.30.0 Farmington-net
name 10.5.1.0 Johnston-net
name 10.20.30.0 ShadowVentures_2
name 192.168.200.0 ShadowVentures_1
dns-guard
!
interface Ethernet0/0
nameif Outside-0
security-level 0
ip address 64.143.xxx.xxx 255.255.255.224
!
interface Ethernet0/1
nameif Inside-1
security-level 100
ip address 10.0.0.254 255.255.254.0
!
interface Ethernet0/2
shutdown
nameif Inside-2
security-level 100
ip address 10.0.3.254 255.255.255.0
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address 10.254.254.254 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 172.31.254.254 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list IPS extended permit ip any any
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 IDCnet 255.255.254.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Voyager-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 192.168.222.0 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Houston-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 StLouis-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 HillSide-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 Dallas-net 255.255.255.0
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 172.25.200.0 255.255.254.0
access-list Shadow_1_CryptoMap extended permit ip IDCnet 255.255.254.0 ShadowVentures_1 255.255.255.0
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq https
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq imap4
access-list outside_access_in extended permit tcp any host 64.143.xxx.xxx eq www
access-list split_tunnel standard permit IDCnet 255.0.0.0
access-list split_tunnel standard permit HillSide-net 255.255.0.0
access-list Johnston_CryptoMap extended permit ip IDCnet 255.255.254.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip RemoteAccess-net 255.255.255.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip Voyager-net 255.255.255.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip HillSide-net 255.255.255.0 Johnston-net 255.255.255.0
access-list Johnston_CryptoMap extended permit ip KansasAdmin-net 255.255.255.0 Johnston-net 255.255.255.0
access-list dmz_access_in extended permit ip any host 10.0.0.90
access-list dmz_access_in extended permit ip any host 10.0.0.10
access-list dmz_access_in extended permit ip any host 10.0.0.30
access-list dmz_access_in extended permit ip any host 10.0.0.50
access-list dmz_access_in extended permit tcp any any eq www
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit udp any any eq dnsix
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_in extended permit ip host 10.254.254.1 any
access-list dmz_access_in extended permit ip any host 10.0.1.100
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Voyager-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Houston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 DMZnet 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 StLouis-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 HillSide-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Cleburne-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Cleburne-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Conroe-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Conroe-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 McKinney-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 McKinney-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Denton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Denton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Pasadena-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Jacksboro-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Jacksboro-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 KCMO-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 KCMO-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Birmingham-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Birmingham-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 SanDiego-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 SanDiego-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 VHH-Houston 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 VHH-Houston 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Farmington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Farmington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 FTWorth-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Conroe-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Denton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Jacksboro-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Pasadena-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Cleburne-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 McKinney-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Farmington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Troy-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Troy-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Troy-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 KCMO-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Voyager-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip FTWorth-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip StLouis-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Houston-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip WhichitaFalls-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip KansasAdmin-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 RemoteAccess-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 SanDiego-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Houston-net 255.255.255.0 IDCnet 255.255.254.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Birmingham-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.255.0 Pasadena-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Parsons-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 VHH-Houston 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 ShadowVentures_1 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 ShadowVentures_2 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip IDCnet 255.255.254.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip RemoteAccess-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip Voyager-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip KansasAdmin-net 255.255.255.0 Johnston-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Hutchinson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 ElDorado-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Topeka-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Winfield-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Newton-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Wellington-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 McPherson-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Salina-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 Lenexa-net 255.255.255.0
access-list inside-1_nonat_outbound extended permit ip HillSide-net 255.255.255.0 KCMO-net 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside-0 1500
mtu Inside-1 1500
mtu Inside-2 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Client-Pool 192.168.225.1-192.168.225.254 mask 255.255.255.0
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Outside-0) 1 interface
nat (Inside-1) 0 access-list inside-1_nonat_outbound
nat (Inside-1) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list dmz_nonat_outbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,Outside-0) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255
static (Inside-1,Outside-0) 64.143.xxx.xxx 192.168.254.1 netmask 255.255.255.255
access-group outside_access_in in interface Outside-0
access-group dmz_access_in in interface DMZ
route Outside-0 0.0.0.0 0.0.0.0 64.143.xxx.xxx 1
route Inside-1 HillSide-net 255.255.255.0 10.0.0.1 2
route Inside-1 Voyager-net 255.255.255.0 10.0.0.1 1
route Inside-1 WhichitaFalls-net 255.255.255.0 10.0.0.1 1
route Inside-1 StLouis-net 255.255.255.0 10.0.0.1 1
route Inside-1 KansasAdmin-net 255.255.255.0 10.0.0.1 1
route Inside-1 FTWorth-net 255.255.255.0 10.0.0.1 1
route Inside-1 Houston-net 255.255.255.0 10.0.0.1 1
route Inside-1 Dallas-net 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpnusers protocol radius
aaa-server vpnusers (Inside-1) host 10.0.1.210
key Qwerty18436572!
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server value 10.0.0.150
dns-server value 192.168.254.249
vpn-idle-timeout 20
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value ah-corporate.com
webvpn
!
class-map inspection_default
match default-inspection-traffic
class-map My-IPS-Class
match access-list IPS
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class My-IPS-Class
ips inline fail-open
!
service-policy global_policy global
Cryptochecksum:0a779e5e66fff2031e9cfff470ce5708
: end
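The "out and back in again" the question describes is what Cisco calls hairpinning; the lines below are an added example (not from the posted config and not an answer on this page) in ASA 7.x syntax, using the question's hypothetical addresses (Inside-1 10.0.0.1, mail server 10.0.0.254, client 10.0.0.50, public address 64.64.64.64) together with the interface names from the posted config. It assumes 64.64.64.64 is a spare address in the outside block that the existing static publishes, not the outside interface's own address, and the DNS-doctoring variant assumes a hypothetical hostname mail.example.com.

```cisco
! Added example, not from the asker's config or any reply on this page.
! Hypothetical addresses from the question: Inside-1 = 10.0.0.1,
! mail server = 10.0.0.254, client = 10.0.0.50, published address = 64.64.64.64.
! Interface names (Inside-1, Outside-0) come from the posted config.
!
! --- Option 1: hairpin NAT (the client really connects to 64.64.64.64) ---
!
! Already present in the posted config; needed for a flow to enter and
! leave the same interface:
same-security-traffic permit intra-interface
!
! Destination NAT for traffic sourced on Inside-1: packets aimed at the
! published address are rewritten to the mail server and sent back out Inside-1.
static (Inside-1,Inside-1) 64.64.64.64 10.0.0.254 netmask 255.255.255.255
!
! Source PAT for the same hairpinned flow. Without it the mail server would
! answer 10.0.0.50 directly across the LAN, the client would see a reply
! from 10.0.0.254 instead of 64.64.64.64, and the TCP handshake would fail.
! The posted config already has "nat (Inside-1) 1 0.0.0.0 0.0.0.0", so pool
! id 1 matches; only the global on the inside interface is new.
global (Inside-1) 1 interface
!
! If the server is published on the outside interface's own address rather
! than a spare one, the outside static has to be a port static instead, e.g.
!   static (Inside-1,Outside-0) tcp interface smtp 10.0.0.254 smtp netmask 255.255.255.255
!
! --- Option 2: DNS doctoring (clients use the mail host's name) ---
!
! Instead of hairpinning, let the ASA rewrite the A record in DNS replies that
! cross it, so inside clients resolve mail.example.com (hypothetical) to
! 10.0.0.254 and reach the server directly on the LAN. Requires "inspect dns"
! in global_policy, which the posted config has; the "dns" keyword is added
! to the existing inside-to-outside static for the server.
static (Inside-1,Outside-0) 64.64.64.64 10.0.0.254 netmask 255.255.255.255 dns
!
! --- Verification after a client opens 64.64.64.64:25 ---
! show xlate : expect the static (Global 64.64.64.64, Local 10.0.0.254) and,
!              for Option 1, a PAT entry translating 10.0.0.50 to 10.0.0.1
! show conn  : for Option 1 the TCP/25 connection shows Inside-1 on both sides
show xlate
show conn
```

With Option 1 the mail server's own logs record every hairpinned client as 10.0.0.1, the PAT address, so per-client attribution has to come from the ASA's connection logs instead. Option 2 keeps the real client address in the server logs and keeps LAN-to-LAN traffic off the firewall, which is why it is usually preferred when clients connect by name.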
mtu Inside-1 1500
mtu Inside-2 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN-Client-Pool 192.168.225.1-192.168.225.
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Outside-0) 1 interface
nat (Inside-1) 0 access-list inside-1_nonat_outbound
nat (Inside-1) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list dmz_nonat_outbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,Outside-0) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255
static (Inside-1,Outside-0) 64.143.xxx.xxx 192.168.254.1 netmask 255.255.255.255
access-group outside_access_in in interface Outside-0
access-group dmz_access_in in interface DMZ
route Outside-0 0.0.0.0 0.0.0.0 64.143.xxx.xxx 1
route Inside-1 HillSide-net 255.255.255.0 10.0.0.1 2
route Inside-1 Voyager-net 255.255.255.0 10.0.0.1 1
route Inside-1 WhichitaFalls-net 255.255.255.0 10.0.0.1 1
route Inside-1 StLouis-net 255.255.255.0 10.0.0.1 1
route Inside-1 KansasAdmin-net 255.255.255.0 10.0.0.1 1
route Inside-1 FTWorth-net 255.255.255.0 10.0.0.1 1
route Inside-1 Houston-net 255.255.255.0 10.0.0.1 1
route Inside-1 Dallas-net 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpnusers protocol radius
aaa-server vpnusers (Inside-1) host 10.0.1.210
key Qwerty18436572!
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server value 10.0.0.150
dns-server value 192.168.254.249
vpn-idle-timeout 20
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value ah-corporate.com
webvpn
!
class-map inspection_default
match default-inspection-traffic
class-map My-IPS-Class
match access-list IPS
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class My-IPS-Class
ips inline fail-open
!
service-policy global_policy global
Cryptochecksum:0a779e5e66f
: end
ASKER
If I did something like the following, would it work?
static (Outside-0,DMZ) 10.254.254.1 64.143.xxx.xxx netmask 255.255.255.255
BTW, this is actually to get access for inside clients to WebPortal on DMZ interface. I can't connect on inside IP, because it is HTTPS with cert tied to outside IP.
ASKER
Anybody know how to do this?
Give this a shot:
conf t
access-list inside-1_nonat_outbound extended permit ip any 10.254.254.0 255.255.255.0
static (DMZ,Inside-1) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255
Actually, add this instead:
static (Inside-1,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (Inside-1,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (DMZ,Inside-1) 64.143.xxx.xxx 10.254.254.1 netmask 255.255.255.255
ASKER
Hi, I tried the second one and the only thing that happened was the inside network lost connectivity with 10.254.254.1 and the inside still could not talk to 64.140.xxx.xxx. I then removed the 3 lines and tried the first config you posted. It had the same end result as the 2nd posted config change.
You will no longer be able to communicate to the DMZ server using the 10.254.254.1 IP. You will have to use the public 64.140.x.x IP. You used the correct 64.140.x.x IP for the DMZ server, right? With the second config (don't use the first), you couldn't ping the DMZ server using 64.140.x.x from an inside host? Try a "telnet 64.140.x.x 80" from a command prompt on an inside host. Double check you used the correct public IP. Also, the interface names in the static commands are case sensitive so make sure you typed them correctly (with the proper case) if not copying and pasting mine.
All you need from the 2nd version above is the 3rd statement. The first statement is particularly bad, don't go there..
But your NAT exemptions are a horror to behold, you should really simplify things some.. but down to business.
In addition to that static, you'll want to kill this statement:
no access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 IDCnet 255.255.254.0
You should now be able to access the server on 64.143.x.x, but as JF said only that. You can't use 10.254.254.1 anymore.
---
I haven't scanned the details of the networks, this post is only aimed at the directly connected network 10.0.0.0/23
If you have more that needs this access, check if those 2 aren't being NAT exempted from the DMZ.
(Truth is you probably don't need a single NAT exemption from the DMZ, beyond remote access - but I haven't proofread them).
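As an added example, not code from the thread or any poster, a small Python linter that flags the overlap Voltz describes: a NAT-exempt ACE on the static's real interface that covers the static's real host toward its mapped interface. The name aliases, route table and config lines are constructed from the sanitized config in this thread; 64.143.0.1 is a placeholder for the redacted address.

```python
"""Added example, not from the thread: a linter for pre-8.3 ASA NAT lines that flags a
'nat 0 access-list' exemption whose ACE covers the real host of a 'static' toward that
static's mapped interface, the overlap Voltz tells the asker to remove. Aliases, routes
and config lines are constructed from the thread; 64.143.0.1 stands in for 64.143.xxx.xxx."""
from ipaddress import ip_network

NAMES = {"IDCnet": "10.0.0.0", "DMZnet": "10.254.254.0"}  # 'name' aliases from the config
ROUTES = [(ip_network("0.0.0.0/0"), "Outside-0"), (ip_network("10.0.0.0/23"), "Inside-1"),
          (ip_network("10.254.254.0/24"), "DMZ")]  # longest match wins, as on the ASA
SAMPLE_CONFIG = """
access-list dmz_nonat_outbound extended permit ip DMZnet 255.255.255.0 IDCnet 255.255.254.0
nat (DMZ) 0 access-list dmz_nonat_outbound
static (DMZ,Outside-0) 64.143.0.1 10.254.254.1 netmask 255.255.255.255
static (DMZ,Inside-1) 64.143.0.1 10.254.254.1 netmask 255.255.255.255
""".strip().splitlines()

def net(tokens):
    """Consume one ACE address spec ('any', 'host A' or 'A MASK') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        host = tokens.pop(0)
        return ip_network(NAMES.get(host, host) + "/32")
    return ip_network(f"{NAMES.get(tok, tok)}/{tokens.pop(0)}", strict=False)

def egress_interface(dst):
    """Interface whose most specific route contains the whole dst prefix."""
    return max((r.prefixlen, ifc) for r, ifc in ROUTES if dst.subnet_of(r))[1]

def find_shadowed_statics(lines):
    """Return (static line, real_if, mapped_if, ace_src, ace_dst) per shadowed static."""
    aces, exempt_acl, statics, findings = {}, {}, [], []
    for line in lines:
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            rest = t[5:]
            aces.setdefault(t[1], []).append((net(rest), net(rest)))  # source, then destination
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            exempt_acl[t[1].strip("()")] = t[4]
        elif t[:1] == ["static"]:
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.append((line, real_if, mapped_if, ip_network(f"{t[3]}/{t[5]}", strict=False)))
    for line, real_if, mapped_if, real in statics:
        # nat 0 is evaluated before static NAT, so an exemption on the real interface that
        # covers the real host toward the mapped interface contradicts the static for it.
        for src, dst in aces.get(exempt_acl.get(real_if), []):
            if src.overlaps(real) and egress_interface(dst) == mapped_if:
                findings.append((line, real_if, mapped_if, str(src), str(dst)))
    return findings
```

Run against the sample, only the (DMZ,Inside-1) static is reported; the (DMZ,Outside-0) static is left alone because the exempted destination IDCnet is routed via Inside-1, not Outside-0.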
ASKER
Hello Voltz, trying it with just the 1 statement you suggested worked. But like you and Fred said, the server will no longer answer on 10.254.254.1. When needing to access this server for administrative purposes, I can comment out the Static mapping. However, this server is a member of the domain (not a DC), it will not be able to communicate with AD any longer. Is there a way to overcome this limitation?
BTW: Voltz, you mentioned the NAT exemptions being a nightmare. Can you elaborate? I know there are a bunch of them, but we have a lot of field sites coming in through VPNs.
ASKER CERTIFIED SOLUTION
ASKER
Thanks Fred. I decided to go with your last suggestion. It is working well. Thanks again.
You will need split tunneling enabled though, that way, LAN clients will go out to 64.64.64.64 and back to the mail server.
Personally, I would prefer using 10.0.0.254 address for internal clients..
Hope this helps..