Cisco ASA Firewall problems. VERY URGENT
Asked by Wyandotte
We are having problems with our firewall. It was working this morning and then recently just quit. Everything works great except for internet access. We have a site-to-site VPN that works. We are able to email outside the network and receive email from outside the network. The live log on the firewall is constantly getting a deny by the access group External_access_out.
I can't seem to find where that is or how to change it. Outside the firewall everything works.
My running config is below:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(6)
!
hostname ASA
domain-name tribe.wyandotte-nation.net
enable password jd4m1tdnEHA/1huU encrypted
names
name 200.200.200.241 GATEWAY description ISP Router
name 100.100.3.0 KC
name 600.20.0.0 VPN_CLIENTS
name 600.600.47.0 VGT
dns-guard
!
interface Ethernet0/0
nameif Internal
security-level 100
ip address 100.100.0.1 255.255.254.0
!
interface Ethernet0/1
nameif External
security-level 0
ip address 200.200.200.243 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif manage
security-level 0
ip address 10.10.10.10 255.255.255.0
management-only
!
passwd jd4m1tdnEHA/1huU encrypted
!
time-range Anytime
!
banner exec The admin session has started
banner login Welcome to Network. You have successfully logged in.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit intra-interface
object-group service VPN udp
port-object range 62515 62515
access-list VPN extended permit udp interface External object-group VPN interface Internal object-group VPN
access-list VPN extended permit tcp KC 255.255.255.0 interface Internal
access-list VPN extended permit tcp interface Internal KC 255.255.255.0
access-list VPN extended permit icmp VPN_CLIENTS 255.255.254.0 100.100.0.0 255.255.254.0 time-range Anytime
access-list VPN extended permit icmp 100.100.0.0 255.255.254.0 VPN_CLIENTS 255.255.254.0
access-list Internal_access_in extended permit tcp host 100.100.0.3 eq domain interface External eq domain
access-list Internal_access_in extended permit tcp interface Internal 200.200.200.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 100.100.0.0 255.255.254.0
access-list SPLIT_TUNNEL standard permit KC 255.255.255.0
access-list Internal_nat0_outbound_V1 extended permit ip 100.100.0.0 255.255.254.0 interface External
access-list Internal_nat0_outbound_V1 extended permit ip 100.100.0.0 255.255.254.0 KC 255.255.255.0
access-list Internal_nat0_outbound_V1 extended permit ip any VPN_CLIENTS 255.255.255.0
access-list Internal_nat0_outbound_V1 extended permit ip 100.100.0.0 255.255.254.0 VPN_CLIENTS 255.255.255.0
access-list Internal_nat0_outbound extended permit ip any VPN_CLIENTS 255.255.255.0
access-list Internal_nat0_outbound extended permit ip 100.100.0.0 255.255.254.0 KC 255.255.255.0
access-list Internal_nat0_outbound extended permit ip 100.100.0.0 255.255.254.0 10.88.0.0 255.255.240.0
access-list Internal_nat0_outbound extended permit ip 100.100.0.0 255.255.254.0 VGT 255.255.255.0
access-list external2internal extended permit tcp any eq 6881 any eq 6881
access-list external2internal extended permit tcp KC 255.255.255.0 interface Internal
access-list external2internal extended permit tcp KC 255.255.255.0 any
access-list external2internal extended permit tcp any any
access-list external2internal extended permit tcp any eq 3101 host 200.200.200.243 eq 3101
access-list external2internal extended permit udp any interface External eq netbios-ns
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 135 100.100.0.0 255.255.255.0 eq 135
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 135 100.100.0.0 255.255.255.0 eq 135
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq netbios-ns 100.100.0.0 255.255.255.0 eq netbios-ns
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 137 100.100.0.0 255.255.255.0 eq 137
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq netbios-dgm 100.100.0.0 255.255.255.0 eq netbios-dgm
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq netbios-ssn 100.100.0.0 255.255.255.0 eq netbios-ssn
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 445 100.100.0.0 255.255.255.0 eq 445
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 445 100.100.0.0 255.255.255.0 eq 445
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq ldap 100.100.0.0 255.255.255.0 eq ldap
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 389 100.100.0.0 255.255.255.0 eq 389
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq ldaps 100.100.0.0 255.255.255.0 eq ldaps
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 3268 100.100.0.0 255.255.255.0 eq 3268
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 88 100.100.0.0 255.255.255.0 eq 88
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 88 100.100.0.0 255.255.255.0 eq 88
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq domain 100.100.0.0 255.255.255.0 eq domain
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq domain 100.100.0.0 255.255.255.0 eq domain
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 1512 100.100.0.0 255.255.255.0 eq 1512
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 1512 100.100.0.0 255.255.255.0 eq 1512
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 42 100.100.0.0 255.255.255.0 eq 42
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq nameserver 100.100.0.0 255.255.255.0 eq nameserver
access-list external2internal extended permit tcp KC 255.255.255.0 eq 135 100.100.0.0 255.255.255.0 eq 135
access-list external2internal extended permit udp KC 255.255.255.0 eq 135 100.100.0.0 255.255.255.0 eq 135
access-list external2internal extended permit udp KC 255.255.255.0 eq netbios-ns 100.100.0.0 255.255.255.0 eq netbios-ns
access-list external2internal extended permit tcp KC 255.255.255.0 eq 137 100.100.0.0 255.255.255.0 eq 137
access-list external2internal extended permit udp KC 255.255.255.0 eq netbios-dgm 100.100.0.0 255.255.255.0 eq netbios-dgm
access-list external2internal extended permit tcp KC 255.255.255.0 eq netbios-ssn 100.100.0.0 255.255.255.0 eq netbios-ssn
access-list external2internal extended permit tcp KC 255.255.255.0 eq 445 100.100.0.0 255.255.255.0 eq 445
access-list external2internal extended permit udp KC 255.255.255.0 eq 445 100.100.0.0 255.255.255.0 eq 445
access-list external2internal extended permit tcp KC 255.255.255.0 eq ldap 100.100.0.0 255.255.255.0 eq ldap
access-list external2internal extended permit udp KC 255.255.255.0 eq 389 100.100.0.0 255.255.255.0 eq 389
access-list external2internal extended permit tcp KC 255.255.255.0 eq ldaps 100.100.0.0 255.255.255.0 eq ldaps
access-list external2internal extended permit tcp KC 255.255.255.0 eq 3268 100.100.0.0 255.255.255.0 eq 3268
access-list external2internal extended permit tcp KC 255.255.255.0 eq 88 100.100.0.0 255.255.255.0 eq 88
access-list external2internal extended permit udp KC 255.255.255.0 eq 88 100.100.0.0 255.255.255.0 eq 88
access-list external2internal extended permit tcp KC 255.255.255.0 eq domain 100.100.0.0 255.255.255.0 eq domain
access-list external2internal extended permit udp KC 255.255.255.0 eq domain 100.100.0.0 255.255.255.0 eq domain
access-list external2internal extended permit tcp KC 255.255.255.0 eq 1512 100.100.0.0 255.255.255.0 eq 1512
access-list external2internal extended permit udp KC 255.255.255.0 eq 1512 100.100.0.0 255.255.255.0 eq 1512
access-list external2internal extended permit tcp KC 255.255.255.0 eq 42 100.100.0.0 255.255.255.0 eq 42
access-list external2internal extended permit udp KC 255.255.255.0 eq nameserver 100.100.0.0 255.255.255.0 eq nameserver
access-list external2internal extended permit tcp KC 255.255.255.0 eq 1025 100.100.0.0 255.255.255.0 eq 1025
access-list external2internal extended permit tcp KC 255.255.255.0 eq 1026 100.100.0.0 255.255.255.0 eq 1026
access-list external2internal extended permit tcp KC 255.255.255.0 eq 464 100.100.0.0 255.255.255.0 eq 464
access-list external2internal extended permit tcp KC 255.255.255.0 100.100.0.0 255.255.254.0
access-list external2internal extended permit tcp 100.100.0.0 255.255.254.0 KC 255.255.255.0
access-list external2internal extended permit udp any eq ntp 100.100.0.0 255.255.254.0 eq ntp
access-list external2internal extended permit tcp KC 255.255.255.0 range 1433 1433 100.100.0.0 255.255.254.0 range 1433 1433
access-list external2internal extended permit udp KC 255.255.255.0 range 1434 1434 100.100.0.0 255.255.254.0 range 1434 1434
access-list External_cryptomap_40 extended permit ip 200.200.200.0 255.255.254.0 KC 255.255.255.0
access-list Internal_access_in_V1 extended permit tcp 100.100.0.0 255.255.254.0 200.200.200.240 255.255.255.240 time-range Anytime
access-list Internal_access_in_V1 extended permit tcp any any eq https
access-list Internal_access_in_V1 extended permit tcp any any eq pop3
access-list Internal_access_in_V1 extended permit tcp any any eq smtp
access-list Internal_access_in_V1 extended permit udp any any eq domain
access-list Internal_access_in_V1 extended permit icmp any any
access-list Internal_access_in_V1 extended permit esp any any
access-list Internal_access_in_V1 extended permit gre any any
access-list Internal_access_in_V1 extended permit udp any any eq isakmp
access-list Internal_access_in_V1 extended permit udp any any eq 4500
access-list Internal_access_in_V1 extended permit tcp any any eq ftp-data
access-list Internal_access_in_V1 extended permit tcp any any eq ftp
access-list Internal_access_in_V1 extended permit udp any any eq ntp
access-list Internal_access_in_V1 extended permit tcp any KC 255.255.255.0
access-list Internal_access_in_V1 extended permit tcp host 100.100.0.6 eq 3101 any eq 3101
access-list Internal_access_in_V1 extended permit tcp any any
access-list Internal_access_in_V1 extended permit tcp any any eq 3389
access-list Internal_access_in_V1 extended permit tcp any any eq 3301
access-list Internal_access_in_V1 extended permit udp 100.100.0.0 255.255.254.0 eq ntp any eq ntp
access-list Internal_access_in_V1 extended permit ip any any
access-list Internal_access_in_V1 extended permit tcp host 100.100.0.86 range 19000 19999 any
access-list Internal_access_in_V1 extended permit udp any object-group VPN any
access-list Internal_access_in_V1 extended permit tcp 100.100.0.0 255.255.254.0 range 1433 1433 KC 255.255.255.0 range 1433 1433
access-list external_access_out_V1 extended permit tcp any any eq telnet
access-list User_splitTunnelAcl standard permit any
access-list External_cryptomap_60 extended permit ip 100.100.0.0 255.255.254.0 KC 255.255.255.0
access-list External_cryptomap_60 extended permit ip 100.100.0.0 255.255.254.0 10.88.0.0 255.255.240.0
access-list External_cryptomap_60 extended permit ip 100.100.0.0 255.255.254.0 VGT 255.255.255.0
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 135 KC 255.255.255.0 eq 135
access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 eq 135 KC 255.255.255.0 eq 135
access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 eq netbios-dgm KC 255.255.255.0 eq netbios-dgm
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq netbios-ssn KC 255.255.255.0 eq netbios-ssn
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 445 KC 255.255.255.0 eq 445
access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 eq 445 KC 255.255.255.0 eq 445
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq ldap KC 255.255.255.0 eq ldap
access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 eq 389 KC 255.255.255.0 eq 389
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq ldaps KC 255.255.255.0 eq ldaps
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 3268 KC 255.255.255.0 eq 3268
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 3269 KC 255.255.255.0 eq 3269
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 88 KC 255.255.255.0 eq 88
access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 eq 88 KC 255.255.255.0 eq 88
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq domain KC 255.255.255.0 eq domain
access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 eq domain KC 255.255.255.0 eq domain
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 1512 KC 255.255.255.0 eq 1512
access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 eq 1512 KC 255.255.255.0 eq 1512
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 42 KC 255.255.255.0 eq 42
access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 eq nameserver KC 255.255.255.0 eq nameserver
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 1025 KC 255.255.255.0 eq 1025
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 1026 KC 255.255.255.0 eq 1026
access-list internal2external extended permit tcp 100.100.0.0 255.255.254.0 eq 464 KC 255.255.255.0 eq 464
access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 KC 255.255.255.0
access-list internal2external extended permit udp KC 255.255.255.0 100.100.0.0 255.255.254.0
access-list internal2external extended permit ip 100.100.0.0 255.255.254.0 KC 255.255.255.0
access-list internal2external extended permit ip KC 255.255.255.0 100.100.0.0 255.255.254.0
access-list External_access_out extended permit tcp any any inactive
access-list Internal_access_out extended permit tcp any any inactive
pager lines 24
logging enable
logging asdm informational
mtu Internal 1500
mtu External 1500
mtu manage 1500
ip local pool VPNTEST 600.20.0.100-600.20.0.250 mask 255.255.255.0
no failover
monitor-interface Internal
monitor-interface External
monitor-interface manage
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 10 100.100.0.0 255.255.254.0
nat (manage) 0 0.0.0.0 0.0.0.0
static (Internal,External) udp interface netbios-ns 100.100.0.1 netbios-ns netmask 255.255.255.255
static (Internal,External) tcp 200.200.200.243 3101 100.100.0.6 3101 netmask 255.255.255.255 dns
access-group Internal_access_in_V1 in interface Internal
access-group Internal_access_out out interface Internal
access-group external2internal in interface External
access-group External_access_out out interface External
route External 0.0.0.0 0.0.0.0 GATEWAY 1
route External 10.80.0.0 255.255.240.0 400.400.400.130 1
route External VGT 255.255.255.0 400.400.400.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server value 100.100.0.3
dns-server value 100.100.0.3 100.100.0.5
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy User_1 internal
group-policy User_1 attributes
wins-server value 100.100.0.3 100.100.3.254
dns-server value 100.100.0.3 100.100.0.5
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value tribe.wyandotte-nation.net
webvpn
group-policy User internal
group-policy User attributes
wins-server value 100.100.0.3 100.100.3.254
dns-server value 100.100.0.3 100.100.0.5
split-tunnel-policy tunnelspecified
split-tunnel-network-list value User_splitTunnelAcl
default-domain value tribe.wyandotte-nation.net
webvpn
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 100.100.0.30 255.255.255.255 Internal
http 100.100.0.31 255.255.255.255 Internal
http 100.100.0.52 255.255.255.255 Internal
http 100.100.0.45 255.255.255.255 Internal
http 72.24.209.158 255.255.255.255 External
http 10.10.10.0 255.255.255.0 manage
snmp-server host Internal 100.100.0.30 community tribe
snmp-server location Server Room
snmp-server contact Jared Johnson
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Internal
sysopt noproxyarp External
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 20 set pfs
crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map External_map 60 match address External_cryptomap_60
crypto map External_map 60 set peer 206.229.24.130
crypto map External_map 60 set transform-set ESP-3DES-SHA
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External
crypto map outside_map 40 match address External_cryptomap_60
isakmp identity address
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group User type ipsec-ra
tunnel-group User general-attributes
address-pool VPNTEST
default-group-policy User
tunnel-group User ipsec-attributes
pre-shared-key *
tunnel-group 400.400.400.130 type ipsec-l2l
tunnel-group 400.400.400.130 ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 100.100.0.30 255.255.255.255 Internal
telnet timeout 5
ssh 100.100.0.30 255.255.255.255 Internal
ssh 500.500.500.158 255.255.255.255 External
ssh timeout 10
console timeout 0
management-access Internal
dhcpd lease 3600
dhcpd ping_timeout 50
ntp server 100.100.0.3 source Internal prefer
pop3s
enable Internal
server 100.100.0.29
default-group-policy DfltGrpPolicy
smtps
enable Internal
server 100.100.0.29
default-group-policy DfltGrpPolicy
smtp-server 100.100.0.29
Cryptochecksum:84cbc492 6c4f199c fef685ba 707e6092
: end
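The posted config binds four interface ACLs with `access-group`, and two of them (`External_access_out` and `Internal_access_out`) consist of a single ACE ending in `inactive`. On the ASA an applied ACL ends in an implicit deny, and an inactive ACE is never evaluated, so a bound ACL with no active entries drops everything crossing that interface in that direction; that is consistent with the log showing denies attributed to `External_access_out`. The following script is an added example (not the poster's code and not part of the original post) that reads the relevant lines of the quoted config and reports three things a reviewer would want flagged: bound ACLs with no active ACE, fully open `permit ... any any` entries on interface ACLs, and ACLs that are defined but referenced nowhere. The embedded `SAMPLE_CONFIG` is a constructed excerpt of the running-config above; the finding names (`IMPLICIT_DENY_ALL`, `ANY_ANY_PERMIT`, `UNBOUND_ACL`) are this example's own labels.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ASA 7.0(6) running-config quoted in the post;
# only the lines that matter for interface ACL bindings are kept.
SAMPLE_CONFIG = """\
access-list external2internal extended permit tcp KC 255.255.255.0 any
access-list external2internal extended permit tcp any any
access-list external2internal extended permit tcp any eq 3101 host 200.200.200.243 eq 3101
access-list Internal_access_in_V1 extended permit tcp any any eq https
access-list Internal_access_in_V1 extended permit tcp any any
access-list Internal_access_in_V1 extended permit ip any any
access-list external_access_out_V1 extended permit tcp any any eq telnet
access-list External_access_out extended permit tcp any any inactive
access-list Internal_access_out extended permit tcp any any inactive
access-group Internal_access_in_V1 in interface Internal
access-group Internal_access_out out interface Internal
access-group external2internal in interface External
access-group External_access_out out interface External
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended|standard) (permit|deny) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
# A permit whose source and destination are both "any" with no port qualifier.
OPEN_RE = re.compile(r"^(ip|tcp|udp|icmp) any any$")


def parse_config(text):
    """Return ({acl_name: [ace, ...]}, [(acl, direction, interface), ...], other_lines).

    other_lines holds every non-ACE line so ACL references made by nat,
    crypto map, split-tunnel and access-group statements can be detected.
    """
    acls = defaultdict(list)
    bindings = []
    other = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, action, rest = m.groups()
            tokens = rest.split()
            inactive = tokens[-1] == "inactive"  # ACE exists but is never evaluated
            if inactive:
                tokens = tokens[:-1]
            acls[name].append({"action": action, "spec": " ".join(tokens), "inactive": inactive})
            continue
        g = GROUP_RE.match(line)
        if g:
            bindings.append(g.groups())
        other.append(line)
    return acls, bindings, other


def audit(acls, bindings, other_lines):
    """Produce a list of finding dicts for the parsed config."""
    findings = []
    for acl, direction, iface in bindings:
        active = [e for e in acls.get(acl, []) if not e["inactive"]]
        if not active:
            # An applied ACL ends in an implicit deny; with no active ACE every
            # packet crossing this interface in this direction is dropped.
            findings.append({"kind": "IMPLICIT_DENY_ALL", "acl": acl,
                             "interface": iface, "direction": direction})
        for e in active:
            if e["action"] == "permit" and OPEN_RE.match(e["spec"]):
                findings.append({"kind": "ANY_ANY_PERMIT", "acl": acl,
                                 "interface": iface, "direction": direction,
                                 "ace": e["spec"]})
    # An ACL name that appears as a token on no other line is defined but unused.
    referenced = {tok for line in other_lines for tok in line.split() if tok in acls}
    for acl in acls:
        if acl not in referenced:
            findings.append({"kind": "UNBOUND_ACL", "acl": acl})
    return findings


if __name__ == "__main__":
    parsed_acls, parsed_bindings, rest_lines = parse_config(SAMPLE_CONFIG)
    for finding in audit(parsed_acls, parsed_bindings, rest_lines):
        print(finding)
```

Run against the excerpt it reports `IMPLICIT_DENY_ALL` for `External_access_out` (out, External) and `Internal_access_out` (out, Internal), `ANY_ANY_PERMIT` for the `permit tcp any any` and `permit ip any any` entries in `Internal_access_in_V1` and the `permit tcp any any` in `external2internal`, and `external_access_out_V1` as an unreferenced ACL. On the device, `show access-list External_access_out` confirms the picture (the ACE shows as inactive and carries no hit count). Removing the outbound binding with `no access-group External_access_out out interface External`, or activating the ACE, restores the ASA's default of permitting outbound traffic; the `permit tcp any any` in `external2internal` on the security-level-0 interface is a separate exposure worth tightening once connectivity is back.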
nat (Internal) 10 100.100.0.0 255.255.254.0
nat (manage) 0 0.0.0.0 0.0.0.0
static (Internal,External) udp interface netbios-ns 100.100.0.1 netbios-ns netmask 255.255.255.255
static (Internal,External) tcp 200.200.200.243 3101 100.100.0.6 3101 netmask 255.255.255.255 dns
access-group Internal_access_in_V1 in interface Internal
access-group Internal_access_out out interface Internal
access-group external2internal in interface External
access-group External_access_out out interface External
route External 0.0.0.0 0.0.0.0 GATEWAY 1
route External 10.80.0.0 255.255.240.0 400.400.400.130 1
route External VGT 255.255.255.0 400.400.400.130 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server value 100.100.0.3
dns-server value 100.100.0.3 100.100.0.5
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy User_1 internal
group-policy User_1 attributes
wins-server value 100.100.0.3 100.100.3.254
dns-server value 100.100.0.3 100.100.0.5
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value tribe.wyandotte-nation.net
webvpn
group-policy User internal
group-policy User attributes
wins-server value 100.100.0.3 100.100.3.254
dns-server value 100.100.0.3 100.100.0.5
split-tunnel-policy tunnelspecified
split-tunnel-network-list value User_splitTunnelAcl
default-domain value tribe.wyandotte-nation.net
webvpn
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 100.100.0.30 255.255.255.255 Internal
http 100.100.0.31 255.255.255.255 Internal
http 100.100.0.52 255.255.255.255 Internal
http 100.100.0.45 255.255.255.255 Internal
http 72.24.209.158 255.255.255.255 External
http 10.10.10.0 255.255.255.0 manage
snmp-server host Internal 100.100.0.30 community tribe
snmp-server location Server Room
snmp-server contact Jared Johnson
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Internal
sysopt noproxyarp External
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 20 set pfs
crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map External_map 60 match address External_cryptomap_60
crypto map External_map 60 set peer 206.229.24.130
crypto map External_map 60 set transform-set ESP-3DES-SHA
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External
crypto map outside_map 40 match address External_cryptomap_60
isakmp identity address
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group User type ipsec-ra
tunnel-group User general-attributes
address-pool VPNTEST
default-group-policy User
tunnel-group User ipsec-attributes
pre-shared-key *
tunnel-group 400.400.400.130 type ipsec-l2l
tunnel-group 400.400.400.130 ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 100.100.0.30 255.255.255.255 Internal
telnet timeout 5
ssh 100.100.0.30 255.255.255.255 Internal
ssh 500.500.500.158 255.255.255.255 External
ssh timeout 10
console timeout 0
management-access Internal
dhcpd lease 3600
dhcpd ping_timeout 50
ntp server 100.100.0.3 source Internal prefer
pop3s
enable Internal
server 100.100.0.29
default-group-policy DfltGrpPolicy
smtps
enable Internal
server 100.100.0.29
default-group-policy DfltGrpPolicy
smtp-server 100.100.0.29
Cryptochecksum:84cbc4926c4
: end
ASKER CERTIFIED SOLUTION
Also, your problem ACL appears to be doing nothing other than allowing Telnet outbound? Remove it:
no access-list external_access_out_V1 extended permit tcp any any eq telnet
no access-list External_access_out extended permit tcp any any inactive
no access-group External_access_out out interface External
Then, to allow Telnet outbound, add the following:
access-list Internal_access_out extended permit tcp any any eq telnet
ASKER
Still no internet access.
ASKER
Internal_access_out is the group causing the denial now.
ASKER
I get this line on the running config now. Do I need to fix it, and if so, how?
access-list Internal_access_out extended permit tcp any any inactive
ASKER
I got the inactive removed and still no change.
ASKER
I got it up and running; I added the line
access-list Internal_access_out extended permit udp any any
Still not sure what happened. It had been running fine and then just quit. Thank you for your help.
- Nice one
If you needed UDP out then it was probably DNS and NOT web traffic that failed :)
ThanQ
no access-group Internal_access_out out interface Internal
no access-group Internal_access_out in interface Internal
write mem
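What happened in this thread is easier to see by replaying the ACL logic. An ASA extended ACL is evaluated first match wins, an ACE marked `inactive` is skipped entirely, and a bound ACL that produces no active match ends in the implicit deny. So once `Internal_access_out` contained only `permit tcp any any inactive` and was still bound with `access-group ... out interface Internal`, every new flow leaving that interface was denied; the `permit udp any any` line the asker added is the first active ACE that can match. The evaluator below is an added illustration, not Cisco code and not part of the original thread: it parses the thread's own `access-list` / `access-group` lines (plus the `name KC` alias from the config) and checks constructed flows against them. The flow addresses (192.0.2.10, 100.100.0.9, 100.100.3.7) and port 40000 are assumptions made up for the example. It models only the ACL decision: the real ASA consults interface ACLs only for the first packet of a new connection, lets replies to established connections bypass them, and applies NAT and the security-level defaults as well, none of which is modelled here.

```python
"""Added illustration of ASA extended-ACL evaluation: first active match wins,
'inactive' ACEs are skipped, and a bound ACL with no active match falls to the
implicit deny.  Not Cisco code; flows checked below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service keywords that appear in the config, resolved to port numbers.
PORT_NAMES = {"domain": 53, "telnet": 23, "www": 80, "ldap": 389, "ldaps": 636,
              "netbios-ssn": 139, "netbios-dgm": 138, "nameserver": 42}
ANY = ipaddress.ip_network("0.0.0.0/0")
PortRange = Optional[Tuple[int, int]]      # None means "any port"


@dataclass
class Ace:
    action: str                  # "permit" | "deny"
    proto: str                   # "ip" | "tcp" | "udp" | "icmp"
    src: ipaddress.IPv4Network
    sport: PortRange
    dst: ipaddress.IPv4Network
    dport: PortRange
    inactive: bool


def _portnum(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t: List[str], i: int, names: Dict[str, str]):
    """Parse 'any' | 'host X' | 'X MASK' at t[i]; 'name' aliases are resolved."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.ip_network(names.get(t[i + 1], t[i + 1])), i + 2
    addr = names.get(t[i], t[i])
    return ipaddress.ip_network(f"{addr}/{t[i + 1]}", strict=False), i + 2


def _parse_port(t: List[str], i: int):
    """Parse an optional 'eq P' or 'range A B' at t[i]."""
    if i < len(t) and t[i] == "eq":
        p = _portnum(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (_portnum(t[i + 1]), _portnum(t[i + 2])), i + 3
    return None, i


def parse_config(text: str, names: Dict[str, str]):
    """Return (acls, bindings): ACEs per ACL name in config order, and the
    access-group bindings keyed by (interface, direction)."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 5 and t[0] == "access-list" and t[2] == "extended":
            src, i = _parse_addr(t, 5, names)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i, names)
            dport, i = _parse_port(t, i)
            acls.setdefault(t[1], []).append(
                Ace(t[3], t[4], src, sport, dst, dport, "inactive" in t[i:]))
        elif t and t[0] == "access-group":   # access-group NAME in|out interface IFNAME
            bindings[(t[4], t[2])] = t[1]
    return acls, bindings


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate_acl(aces: List[Ace], proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """First-match evaluation of one ACL; falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.inactive:                     # an inactive ACE is never consulted
            continue
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.proto in ("tcp", "udp") and not (
                _in_range(sport, ace.sport) and _in_range(dport, ace.dport)):
            continue
        return ace.action
    return "deny"                            # implicit deny at the end of a bound ACL


def evaluate_interface(acls, bindings, iface: str, direction: str,
                       proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Decision for a new flow crossing `iface` in `direction`; "no-acl" when
    nothing is bound there (the ASA then falls back to security-level rules)."""
    name = bindings.get((iface, direction))
    if name is None:
        return "no-acl"
    return evaluate_acl(acls.get(name, []), proto, src, sport, dst, dport)


NAMES = {"KC": "100.100.3.0"}                # from the 'name' statements in the config

# The state the asker ended up in: the only ACE is inactive, so the bound ACL
# denies every new flow leaving the Internal interface.
BEFORE = """\
access-list Internal_access_out extended permit tcp any any inactive
access-group Internal_access_out out interface Internal
"""
# The line the asker added to get traffic flowing again.
AFTER = BEFORE + "access-list Internal_access_out extended permit udp any any\n"
# One directory-service ACE from the config, to show name and port resolution.
NAMED = ("access-list internal2external extended permit udp 100.100.0.0 255.255.254.0 "
         "eq domain KC 255.255.255.0 eq domain\n")


def dns_out_internal(config: str) -> str:
    """Constructed flow: a UDP/53 packet the ASA would send out of Internal to
    the site's DNS server 100.100.0.3 (source address is an assumption)."""
    acls, bindings = parse_config(config, NAMES)
    return evaluate_interface(acls, bindings, "Internal", "out",
                              "udp", "192.0.2.10", 40000, "100.100.0.3", 53)


def telnet_out_internal(config: str) -> str:
    acls, bindings = parse_config(config, NAMES)
    return evaluate_interface(acls, bindings, "Internal", "out",
                              "tcp", "192.0.2.10", 40000, "100.100.0.3", 23)


def named_dns_match(dport: int) -> str:
    """Constructed flow matched against the internal2external ACE directly."""
    acls, _ = parse_config(NAMED, NAMES)
    return evaluate_acl(acls["internal2external"], "udp", "100.100.0.9", 53, "100.100.3.7", dport)


if __name__ == "__main__":
    print("DNS before fix:", dns_out_internal(BEFORE))    # deny (implicit)
    print("DNS after fix: ", dns_out_internal(AFTER))     # permit
    print("Telnet after:  ", telnet_out_internal(AFTER))  # deny, tcp ACE still inactive
```

The third check is the practical caveat: removing `inactive` from the tcp ACE, as the asker eventually did, is what would let TCP through; the `permit udp any any` alone only rescues UDP, which is why the commenter's guess that DNS rather than web traffic was what failed is consistent with the fix that worked.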