
Cisco ASA 5500 not routing to internal IP and ports

Hi.

I have a Cisco ASA 5500 that was successfully routing an outside address to an inside static IP at port 3301.  I added two changes last week to allow TCP and UDP port 2307 to pass from inside to outside and allowed multicasting between subnets.  That all works fine.

If someone tries to put in our static IP to get to our local network device, no go.  
If we're inside the firewall and put in the static IP, we CAN get to the device.

I am not really super with hyperterminal and the Cisco box but I can connect to it and if someone can give me the command to show you all the settings I can get them and copy paste here.

Can someone help out?  Thanks so much!
Asked:
Skol2u
 
MikeKaneCommented:
What static IP are you using on the outside and what are you using on the inside?

On the unit, do a "show run" and lets have a look at the sanitized config here.
 
Skol2uAuthor Commented:
Hi there.  The outside ip is 208.122.115.218 and inside is 192.168.2.1
I am showing an error or block on my log files with access group "10" as blocking incoming IP addresses.  The Access Rules Advanced Options show Outside interface - Inbound ACL name = "10" and Per User Override as NOT checked.  I have no idea what that is for.
 
Show run below:
 
 
 

ESSI-FtMyers-ASA5505# sho run
: Saved
:
ASA Version 7.2(2)
!
hostname ESSI-FtMyers-ASA5505
domain-name essi.local
enable password lXpNH/p4GMa0gaY5 encrypted
multicast-routing
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
  pim bidir-neighbor-filter inside_multicast
 igmp join-group 224.23.0.7
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 208.122.115.218 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd lXpNH/p4GMa0gaY5 encrypted
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name essi.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service LanTalk tcp
 description LanTalk Port Group
 port-object range 2307 2307
object-group service LanTalkUDP udp
 description Lan Talk UDP
 port-object range 2307 2307
access-list inside_multicast standard permit host 192.168.2.1
access-list inside_multicast standard permit host 192.168.1.1
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp any any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq 8080
access-list 10 extended permit tcp any any eq pptp
access-list 10 extended permit tcp any any eq www
access-list 10 extended permit tcp any any eq 3011
access-list 10 extended permit tcp any any eq 1911
access-list 10 extended permit tcp any any eq 3390
access-list 10 extended permit gre any any
access-list 10 remark ESSICameras  Located in Server Room Halifax Ave, Fort Myers.
access-list 10 extended permit tcp any any eq 8081 log
access-list 10 extended permit tcp any interface inside eq hostname
access-list 10 remark Lan Talk Incoming TCP Port
access-list 10 extended permit tcp any eq 2307 any eq 2307
access-list 10 remark Lan Talk UDP Contact List Incoming Port
access-list 10 extended permit udp any eq 2307 any eq 2307
access-list 110 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 111 extended permit ip 192.168.2.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_out extended permit ip any any
access-list inside_access_out remark Lan Talk UDP Outgoing Port Contact List
access-list inside_access_out extended permit udp any eq 2307 any eq 2307
access-list inside_access_out extended permit tcp any eq 2307 any eq 2307
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging from-address EssiSwirch@essicontrols.com
logging recipient-address ITadmin@essicontrols.com level errors
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.16.5-192.168.16.10
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
mroute 192.168.2.1 255.255.255.255 inside dense outside
mroute 192.168.1.1 255.255.255.255 outside dense inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.2.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.10 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.2.10 pptp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.145 www netmask 255.255.255.255
static (inside,outside) tcp interface 3011 192.168.2.145 3011 netmask 255.255.255.255
static (inside,outside) tcp interface 1911 192.168.2.145 1911 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.2.99 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 8081 192.168.2.157 8081 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group 10 in interface outside per-user-override
route outside 0.0.0.0 0.0.0.0 208.122.115.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host 192.168.2.10
 key E$$ir@d1us
group-policy ESSIVPN internal
group-policy ESSIVPN attributes
 wins-server value 192.168.2.10
 dns-server value 192.168.2.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 111
 default-domain value essi.local
username cstech password QqyOlTv.ojdmD8Yx encrypted privilege 15
username admin password LhuO2Dze3RmIhXJw encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 8282
http 0.0.0.0 0.0.0.0 outside
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside 192.168.2.10 community rbtvq2bh version 2c
no snmp-server location
no snmp-server contact
snmp-server community rbtvq2bh
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set strong
crypto map ESSIVPN 15 ipsec-isakmp dynamic Outside_dyn_map
crypto map ESSIVPN 20 match address outside_20_cryptomap
crypto map ESSIVPN 20 set pfs
crypto map ESSIVPN 20 set peer 74.164.77.83
crypto map ESSIVPN 20 set transform-set strong
crypto map ESSIVPN interface outside
crypto map inside_map 20 match address inside_20_cryptomap
crypto map inside_map 20 set pfs
crypto map inside_map 20 set peer 192.168.1.1
crypto map inside_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group ESSIVPN type ipsec-ra
tunnel-group ESSIVPN general-attributes
 address-pool vpnpool
 authentication-server-group vpn
 default-group-policy ESSIVPN
tunnel-group ESSIVPN ipsec-attributes
 pre-shared-key *
tunnel-group 75.147.217.85 type ipsec-l2l
tunnel-group 75.147.217.85 ipsec-attributes
 pre-shared-key *
tunnel-group 74.164.77.83 type ipsec-l2l
tunnel-group 74.164.77.83 general-attributes
 default-group-policy ESSIVPN
tunnel-group 74.164.77.83 ipsec-attributes
 pre-shared-key *
tunnel-group 192.168.1.1 type ipsec-l2l
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet 192.168.16.0 255.255.255.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
prompt hostname context
Cryptochecksum:e94d53262f5ca9d50723d4692cf5ce88
: end
 
Skol2uAuthor Commented:
Trying to get to 192.168.2.145:3011 from the outside.  Just can't seem to get it to work.
 
Skol2uAuthor Commented:
One more added issue - VPN clients cannot connect either.  Getting an Error 500.  Think something is off in my configuration above.  
 
Any help is GREATLY appreciated!
 
Pro4iaCommented:
You're accessing 208.122.115.218:3011 from outside and not 192.168.2.145:3011, correct?
 
Skol2uAuthor Commented:
Yes.  Also just found out that no one can connect to our VPN either.  Don't know if this is related or not.  
Thanks.
 
Pro4iaCommented:
Are your other port forwards working?

static (inside,outside) tcp interface 3389 192.168.2.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.10 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.2.10 pptp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.145 www netmask 255.255.255.255
static (inside,outside) tcp interface 3011 192.168.2.145 3011 netmask 255.255.255.255
static (inside,outside) tcp interface 1911 192.168.2.145 1911 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.2.99 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 8081 192.168.2.157 8081 netmask 255.255.255.255
 
Skol2uAuthor Commented:
Nope.  None of them from the outside.
 
Skol2uAuthor Commented:
Honestly, the only thing I added (changed) was the TCP and UDP ports of 2307.  I also enabled the multirouting.  Other than that I am stuck.
 
MikeKaneCommented:
1st, can you make sure your ASA is connected to the public net...  from the CLI ping 4.2.2.2.   You should get a reply.   On the inside interface, ping one of the internal servers and look for the reply.

2nd, Your port forwards might not work because of the following ACL:
access-group 10 in interface outside per-user-override

The per-user-override allows a downloadable ACL to override the applied ACL.   I've never used it myself, but to test, you may want to remove this and apply the normal
access-group 10 in interface outside.

3rd, immediately after an access attempt, check the log to see if anything is recorded.   "SHOW LOGGING" in the console or use the ASDM to see current messages.   Is anything showing up there?  

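A config audit along the lines of MikeKane's second point, added here as an example; it is not from the thread or from any Cisco tool. It parses a constructed excerpt of the show run posted above (pre-8.3 static PAT syntax, with the `eq 1911` permit deliberately left out), checks that each forwarded port has a permit in the access-list applied inbound on outside, and flags the per-user-override keyword on that access-group line.

```python
"""Audit port forwards in a pre-8.3 Cisco ASA running-config (added example)."""
from dataclasses import dataclass
from typing import List, Optional

SERVICE_PORTS = {"www": 80, "https": 443, "pptp": 1723}  # names the ASA accepts as ports

# Constructed excerpt of the thread's config; the 'eq 1911' permit is omitted on purpose.
SAMPLE_CONFIG = """\
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq 3011
access-list 10 extended permit tcp any any eq 8081 log
access-list 10 remark Lan Talk Incoming TCP Port
access-list 10 extended permit tcp any eq 2307 any eq 2307
static (inside,outside) tcp interface https 192.168.2.10 https netmask 255.255.255.255
static (inside,outside) tcp interface 3011 192.168.2.145 3011 netmask 255.255.255.255
static (inside,outside) tcp interface 1911 192.168.2.145 1911 netmask 255.255.255.255
static (inside,outside) tcp interface 8081 192.168.2.157 8081 netmask 255.255.255.255
access-group 10 in interface outside per-user-override
"""

@dataclass
class AclEntry:            # one 'access-list NAME extended ...' line
    name: str
    action: str            # permit | deny
    proto: str             # ip | tcp | udp | icmp | ...
    src: str               # "any", "host A.B.C.D", "A.B.C.D/MASK" or "interface X"
    sport: Optional[int]   # port from 'eq' on the source side, if any
    dst: str
    dport: Optional[int]
    text: str

@dataclass
class Forward:             # one 'static (inside,outside) <proto> interface ...' PAT entry
    proto: str
    outside_port: int
    inside_host: str
    inside_port: int
    permitted_by: Optional[str] = None   # ACL line that admits it, else None

def port_num(tok: str):    # digits -> int, known service name -> number, else unchanged
    return int(tok) if tok.isdigit() else SERVICE_PORTS.get(tok, tok)

def parse_acl(line: str) -> Optional[AclEntry]:
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None                              # remarks, standard ACLs, other lines
    i, fields = 5, []
    for _ in range(2):                           # source spec, then destination spec
        if t[i] == "any":
            spec, i = "any", i + 1
        elif t[i] in ("host", "interface"):
            spec, i = f"{t[i]} {t[i + 1]}", i + 2
        else:
            spec, i = f"{t[i]}/{t[i + 1]}", i + 2   # network followed by netmask
        port = port_num(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        i += 2 if port is not None else 0        # skip the 'eq <port>' operator
        fields += [spec, port]
    return AclEntry(t[1], t[3], t[4], *fields, line)

def parse_static(line: str) -> Optional[Forward]:
    t = line.split()   # static (in,out) <proto> interface <gport> <host> <lport> netmask ...
    if len(t) < 7 or t[0] != "static" or t[3] != "interface":
        return None
    return Forward(t[2], port_num(t[4]), t[5], port_num(t[6]))

def first_match(entries: List[AclEntry], proto: str, dport) -> Optional[AclEntry]:
    """First line an arbitrary external client to <proto>/<dport> hits; lines scoped to
    a specific source or source port cannot be assumed to match such a client."""
    for e in entries:
        if (e.src == "any" and e.sport is None and e.dst == "any"
                and e.proto in ("ip", proto) and e.dport in (None, dport)):
            return e
    return None

def audit(config: str, outside_if: str = "outside") -> dict:
    acls, forwards, applied, override = {}, [], None, False
    for line in (ln.strip() for ln in config.splitlines()):
        entry, fwd = parse_acl(line), parse_static(line)
        if entry:
            acls.setdefault(entry.name, []).append(entry)
        elif fwd:
            forwards.append(fwd)
        elif line.startswith("access-group "):
            t = line.split()            # access-group NAME in interface IF [per-user-override]
            if len(t) >= 5 and t[2] == "in" and t[4] == outside_if:
                applied, override = t[1], "per-user-override" in t
    for f in forwards:                  # no ACL applied -> nothing from outside is admitted
        m = first_match(acls.get(applied, []), f.proto, f.outside_port)
        f.permitted_by = m.text if m and m.action == "permit" else None
    return {"acl": applied, "per_user_override": override, "forwards": forwards}

if __name__ == "__main__":
    r = audit(SAMPLE_CONFIG)
    print("inbound ACL on outside:", r["acl"], "per-user-override:", r["per_user_override"])
    for f in r["forwards"]:
        print(f"{f.proto}/{f.outside_port} -> {f.inside_host}:{f.inside_port}:",
              f.permitted_by or "NO PERMIT (implicit deny)")
```

Run it against a real `show run` by reading the file into `audit()`; forwards reported with no permit are the ones the ASDM log would show as denied by the interface ACL.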
 
Skol2uAuthor Commented:
I am connected to the public net as I am using that connection to get to the internet now.  What does CLI stand for?  Cisco something Interface?  Yes?  I can run a command prompt on my machine and ping the router inside and it hits it.  
The ACL - how do I change the per-user-override?  I see that it's listed in the Advanced area of the NAT section but the checkbox for Per User Override is NOT selected.  Do I select that?
How do I remove and apply the normal access-group 10 in interface outside?

I am currently connected to the box and looking at the ASDM now.  When I try to connect using the Static IP (Public) I am getting the block per the "10" setting.  
How do I ping from the CLI?
 
Pro4iaCommented:
ping x.x.x.x
 
MikeKaneCommented:
The CLI = Command line interface... access it via Telnet/SSH/Console.  You'll need this to run commands.  


To ping from CLI is simply:
ping outside 4.2.2.2
ping inside 192.168.x.x



To remove and re-add, use

      no access-group 10 in interface outside per-user-override
      access-group 10 in interface outside



If the ASDM is showing a block due to 10, then the ACL is at fault.   Can you copy/paste the error message here ...
 
Skol2uAuthor Commented:
Can ping from inside to 4.2.2.2 just fine.
 
Skol2uAuthor Commented:
Ok, the ping "outside" and the "inside" are to be run from a command prompt?  I can run ping 4.2.2.2 and get a reply.  Typing in ping outside 4.2.2.2 gives me an error.  I've never heard of using the word "outside" in a ping command from a command prompt.  
 
Also, where do I add the lines of instructions you gave me to the device?  Can I put that in the ASDM and hit save and it'll save it automatically?
 
Skol2uAuthor Commented:
3 Apr 27 2010 15:56:35 710003 192.168.2.123 208.122.115.218 TCP access denied by ACL from 192.168.2.123/3970 to inside:208.122.115.218/80
 
This is what happened when I tried to access the outside IP address in Internet Explorer from my workstation.  This is from the ASDM.
 
Skol2uAuthor Commented:
Oh, I did add your code line to the box. Saved it as well.
 
Pro4iaCommented:
It should be done in the CLI, not your Windows command prompt.

As MikeKane mentions, you should be either 1. consoled in, 2. on telnet/ssh, or 3. running it from ASDM.
 
Skol2uAuthor Commented:
I ran your configuration from the ASDM and saved it.  

Telnetted to the box and ran ping outside 4.2.2.2 and got a success rate of 0 percent.  Not good, I am guessing.
Ping inside 192.168.2.10 success rate is 100%.
Now what?  THANKS for helping!

 
Skol2uAuthor Commented:
3 Apr 27 2010 16:08:32 313001 4.2.2.2 Denied ICMP type=0, code=0 from 4.2.2.2 on interface outside
 
That was in my log when I tried to ping outside from telnet.
 
MikeKaneCommented:
Try to ping the 1st hop gateway from the ASA.  

From the ASA CLI run:

ping outside  208.122.115.217


That is your external gateway.  If you can't hit that, then the ASA is not connected properly or there is some other issue with the gateway.  




Next thing:
>>>      3 Apr 27 2010 15:56:35 710003 192.168.2.123 208.122.115.218 TCP access denied by ACL from 192.168.2.123/3970 to inside:208.122.115.218/80
>>>   This is what happened when I tried to access the outside IP address in Internet Explorer from my workstation

You can't hit the outside IP from an inside workstation, the ASA can't do that...    To test this, you will need to be outside the network hitting the outside interface directly.

 
Skol2uAuthor Commented:

ESSI-FtMyers-ASA5505# show run
: Saved
:
ASA Version 7.2(2)
!
hostname ESSI-FtMyers-ASA5505
domain-name essi.local
enable password lXpNH/p4GMa0gaY5 encrypted
multicast-routing
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
  pim bidir-neighbor-filter inside_multicast
 igmp join-group 224.23.0.7
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 208.122.115.218 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd lXpNH/p4GMa0gaY5 encrypted
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name essi.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service LanTalk tcp
 description LanTalk Port Group
 port-object range 2307 2307
object-group service LanTalkUDP udp
 description Lan Talk UDP
 port-object range 2307 2307
access-list inside_multicast standard permit host 192.168.2.1
access-list inside_multicast standard permit host 192.168.1.1
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp any any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq 8080
access-list 10 extended permit tcp any any eq pptp
access-list 10 extended permit tcp any any eq www
access-list 10 extended permit tcp any any eq 3011
access-list 10 extended permit tcp any any eq 1911
access-list 10 extended permit tcp any any eq 3390
access-list 10 extended permit gre any any
access-list 10 remark ESSICameras  Located in Server Room Halifax Ave, Fort Myers.
access-list 10 extended permit tcp any any eq 8081 log
access-list 10 extended permit tcp any interface inside eq hostname
access-list 10 remark Lan Talk Incoming TCP Port
access-list 10 extended permit tcp any eq 2307 any eq 2307
access-list 10 remark Lan Talk UDP Contact List Incoming Port
access-list 10 extended permit udp any eq 2307 any eq 2307
access-list 110 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 111 extended permit ip 192.168.2.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_20_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging from-address EssiSwirch@essicontrols.com
logging recipient-address ITadmin@essicontrols.com level errors
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.16.5-192.168.16.10
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
mroute 192.168.2.1 255.255.255.255 inside dense outside
mroute 192.168.1.1 255.255.255.255 outside dense inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.2.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.10 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.2.10 pptp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.145 www netmask 255.255.255.255
static (inside,outside) tcp interface 3011 192.168.2.145 3011 netmask 255.255.255.255
static (inside,outside) tcp interface 1911 192.168.2.145 1911 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.2.99 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 8081 192.168.2.157 8081 netmask 255.255.255.255
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 208.122.115.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host 192.168.2.10
 key E$$ir@d1us
group-policy ESSIVPN internal
group-policy ESSIVPN attributes
 wins-server value 192.168.2.10
 dns-server value 192.168.2.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 111
 default-domain value essi.local
username cstech password QqyOlTv.ojdmD8Yx encrypted privilege 15
username admin password LhuO2Dze3RmIhXJw encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 8282
http 0.0.0.0 0.0.0.0 outside
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside 192.168.2.10 community rbtvq2bh version 2c
no snmp-server location
no snmp-server contact
snmp-server community rbtvq2bh
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set strong
crypto map ESSIVPN 15 ipsec-isakmp dynamic Outside_dyn_map
crypto map ESSIVPN 20 match address outside_20_cryptomap
crypto map ESSIVPN 20 set pfs
crypto map ESSIVPN 20 set peer 74.164.77.83
crypto map ESSIVPN 20 set transform-set strong
crypto map ESSIVPN interface outside
crypto map inside_map 20 match address inside_20_cryptomap
crypto map inside_map 20 set pfs
crypto map inside_map 20 set peer 192.168.1.1
crypto map inside_map 20 set transform-set ESP-3DES-SHA
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group ESSIVPN type ipsec-ra
tunnel-group ESSIVPN general-attributes
 address-pool vpnpool
 authentication-server-group vpn
 default-group-policy ESSIVPN
tunnel-group ESSIVPN ipsec-attributes
 pre-shared-key *
tunnel-group 75.147.217.85 type ipsec-l2l
tunnel-group 75.147.217.85 ipsec-attributes
 pre-shared-key *
tunnel-group 74.164.77.83 type ipsec-l2l
tunnel-group 74.164.77.83 general-attributes
 default-group-policy ESSIVPN
tunnel-group 74.164.77.83 ipsec-attributes
 pre-shared-key *
tunnel-group 192.168.1.1 type ipsec-l2l
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet 192.168.16.0 255.255.255.0 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
prompt hostname context
Cryptochecksum:e94d53262f5ca9d50723d4692cf5ce88
: end
 
Skol2uAuthor Commented:
"Try to ping the 1st hop gateway from the ASA.  

From the ASA CLI run:

ping outside  208.122.115.217


That is your external gateway.  If you can't hit that, then the ASA is not connected properly or there is some other issue with the gateway. "
 
Tried that ping from telnet - 0 success rate.
Question though - I can connect out to just about everything: Internet, the other office etc., and all internal POP3 etc. is working just fine.  

I put the most current show run above.  Just still can't connect to anything inside.  
How can I disable the ACL per-user-override setting?  Or get rid of it perhaps?  (Any way to back up the system before doing that, just in case?)
 
MikeKaneCommented:
According to this latest config, the 'user override' is gone....  

Let's just try this; let's make sure you are using the ASA for outbound traffic.  Are there any other gateways on the subnet?     From your workstation DOS prompt do a "ping 4.2.2.2" then a "tracert 4.2.2.2".    The traceroute should show 208.122.115.217 as one of the 1st hops.    

From the CLI, run a SHOW XLATE.   This should have the port forwards listed.....   Do you see that?  

From outside the LAN, try to access one of the ports that you have forwarded.   Then immediately check the logging and/or ASDM log and see if you get any drops.  
 
Skol2uAuthor Commented:
Ok.  
Ping from workstation 4.2.2.2 OK
Tracert from workstation GATEWAY hit first is .217
Show Xlate:
ESSI-FtMyers-ASA5505# show xlate
47 in use, 399 most used
PAT Global 208.122.115.218(3389) Local 192.168.2.10(3389)
PAT Global 208.122.115.218(443) Local 192.168.2.10(443)
PAT Global 208.122.115.218(1723) Local 192.168.2.10(1723)
PAT Global 208.122.115.218(80) Local 192.168.2.145(80)
PAT Global 208.122.115.218(3011) Local 192.168.2.145(3011)
PAT Global 208.122.115.218(1911) Local 192.168.2.145(1911)
PAT Global 208.122.115.218(3390) Local 192.168.2.99(3390)
PAT Global 208.122.115.218(8081) Local 192.168.2.157(8081)
PAT Global 208.122.115.218(58542) Local 192.168.2.7(3379)
PAT Global 208.122.115.218(56185) Local 192.168.2.7(2202)
PAT Global 208.122.115.218(16793) Local 192.168.2.121(27146)
PAT Global 208.122.115.218(11604) Local 192.168.2.121(1149)
PAT Global 208.122.115.218(11541) Local 192.168.2.121(1043)
PAT Global 208.122.115.218(6990) Local 192.168.2.131(2638)
PAT Global 208.122.115.218(2) Local 192.168.2.118(1723)
PAT Global 208.122.115.218(1) Local 192.168.2.118(16384)
PAT Global 208.122.115.218(14516) Local 192.168.2.118(2285)
PAT Global 208.122.115.218(16821) Local 192.168.2.10(48719)
PAT Global 208.122.115.218(14657) Local 192.168.2.10(39568)
PAT Global 208.122.115.218(14656) Local 192.168.2.10(39567)
PAT Global 208.122.115.218(14655) Local 192.168.2.10(39566)
PAT Global 208.122.115.218(63266) Local 192.168.2.10(31111)
PAT Global 208.122.115.218(16441) Local 192.168.2.10(1105)
PAT Global 208.122.115.218(11599) Local 192.168.2.122(4508)
PAT Global 208.122.115.218(9734) Local 192.168.2.122(4405)
PAT Global 208.122.115.218(9681) Local 192.168.2.122(4401)
PAT Global 208.122.115.218(14658) Local 192.168.2.111(65393)
PAT Global 208.122.115.218(16617) Local 192.168.2.111(64493)
PAT Global 208.122.115.218(14659) Local 192.168.2.9(1186)
PAT Global 208.122.115.218(62859) Local 192.168.2.9(2016)
PAT Global 208.122.115.218(16448) Local 192.168.2.9(2779)
PAT Global 208.122.115.218(11139) Local 192.168.2.129(4696)
PAT Global 208.122.115.218(14651) Local 192.168.2.125(1989)
PAT Global 208.122.115.218(14650) Local 192.168.2.125(1988)
PAT Global 208.122.115.218(14648) Local 192.168.2.125(1986)
PAT Global 208.122.115.218(14634) Local 192.168.2.125(1972)
PAT Global 208.122.115.218(61045) Local 192.168.2.125(1037)
PAT Global 208.122.115.218(13493) Local 192.168.2.119(1636)
PAT Global 208.122.115.218(14569) Local 192.168.2.123(2429)
PAT Global 208.122.115.218(14568) Local 192.168.2.123(2427)
PAT Global 208.122.115.218(14562) Local 192.168.2.123(2422)
PAT Global 208.122.115.218(14546) Local 192.168.2.123(2412)
PAT Global 208.122.115.218(14530) Local 192.168.2.123(2406)
PAT Global 208.122.115.218(14529) Local 192.168.2.123(2405)
PAT Global 208.122.115.218(14524) Local 192.168.2.123(2400)
PAT Global 208.122.115.218(14518) Local 192.168.2.123(2398)
PAT Global 208.122.115.218(12601) Local 192.168.2.123(1038)
 
Can't access it from outside the LAN at this time.  Will try when I get home.  
Thanks for your help so far - I'll follow up more later or tomorrow AM when I get in.
 
MikeKaneCommented:
Everything looks like it's in place...   just need to test it from outside the network.  From outside, hit the outside IP on the port and see if the service is up (http, https, 8081... try all of them).   It would be ideal if you could check the logs at the time if the connection fails.
 
Skol2uAuthor Commented:
Both guys were able to help walk me through this configuration and I now better understand why it didn't work and why it does work now.  Thanks so much.
 
Skol2uAuthor Commented:
Just tested everything from an outside connection and all is working just great.  Thanks for your help and patience!
 
Pro4iaCommented:
Glad it's working!