Allow new subnet Internet Access through Cisco ASA
jtennyson asked:
I had 3 subnets 192.168.1.0 - 192.168.2.0 - 192.168.3.0 all routed through the iSeries. Today I added subnet 10.x.x.0. Everything works internally but I cannot get out to the Internet on subnet 10.x.x.0. I know there is something I need to put in the ASA. It is a 5510. I just do not know what I am missing.
Normally you would do the following:
add this statement to allow the new network to NAT to the public address:
nat (inside) 1 10.x.x.0 255.255.255.0
and then you would need a route statement so the ASA can get to the 10 net
route inside 10.x.x.0 255.255.255.0 z.z.z.z (z.z.z.z is the next hop)
Then you "might" need to update an ACL if you have one applied on your inside interface.
ASKER
hostname namefw1
domain-name nameclamps.com
enable password Nun3UcVqW2rfvjTT encrypted
names
name 192.168.1.9 xxx
name 192.168.1.7 xxx
name 192.168.1.101 xxx
name 192.168.2.3 xxx
name 192.168.3.3 rxxx
name 192.168.1.10 xxx
name 192.168.1.x xxx
dns-guard
interface Ethernet0/0
description Internet Interface
nameif Outside
security-level 0
ip address xx.x.1x.x7 255.255.255.224
ospf cost 10
!
interface Ethernet0/1
description Inside LAN Interface
nameif Inside
security-level 100
ip address 192.168.1.x 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
description DMZ interface
nameif DMZ
security-level 50
ip address x.x.16.106 255.255.255.248
ospf cost 10
!
interface Ethernet0/3
shutdown
nameif ANX
security-level 15
no ip address
ospf cost 10
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
ospf cost 10
management-only
!
passwd Nun3UcVqW2rfvjTT encrypted
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.1.248
domain-name nameclamps.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network og_ip_nat_ANX
network-object host 1x.57.19.x4
object-group network outside-NAT
network-object x.x.177.250 255.255.255.255
network-object x.x.177.251 255.255.255.255
network-object x.x.177.252 255.255.255.255
network-object x.x.177.253 255.255.255.255
object-group network crypto_map_142_src
network-object 192.168.2.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group network crypto_map_142_dest
network-object 10.191.0.0 255.255.0.0
access-list internet extended permit gre host 208.39.171.201 object-group outside-NAT
access-list internet extended permit icmp any any
access-list internet extended permit ip any host x.x.177.230 inactive
access-list internet extended permit tcp any host 19.5.1x.28 eq ftp
access-list internet extended permit tcp any host 19.59.1x.44 eq ftp
access-list internet extended permit tcp x.x.136.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp x.x.188.16 255.255.255.240 any eq smtp
access-list internet extended deny tcp any any eq smtp
access-list internet extended permit tcp host x.x.136.242 host x.x.177.228
access-list internet extended permit tcp host x.x.136.242 host x.x.177.229
access-list internet extended permit tcp host x.x.136.242 host x.x.177.230
access-list internet extended permit tcp any host x.x.177.226 eq 5632
access-list internet extended permit tcp any host x.x.177.226 eq www
access-list internet extended permit tcp any host x.x.177.226 eq pcanywhere-data
access-list internet extended permit tcp any host x.x.177.226 eq lotusnotes
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.x8
access-list any extended permit tcp any host x.x.177.226 eq www
access-list outside extended permit tcp any host x.x.177.226 eq www
access-list inside extended permit tcp any host x.x.177.226 eq www
access-list nonat extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 2.0.167.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip any 192.168.0.0 255.255.255.0
access-list posnet extended permit ip 192.168.0.0 255.255.0.0 2.0.167.0 255.255.255.0
access-list mexico extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list OUT_IN extended permit udp any any eq 2061
access-list OUT_IN extended permit udp any any eq 2062
access-list IN_OUT extended permit udp any any eq 2070
access-list IN_OUT extended permit tcp any any eq 1443
access-list IN_OUT extended permit udp any any eq 443
access-list IN_OUT extended permit tcp any any eq https
access-list IN_OUT extended permit udp any any eq 433
access-list IN_OUT extended permit tcp any any eq 433
access-list Name extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_out extended permit gre any host 208.39.171.201
access-list inside_out extended permit ip any any
access-list outside_cryptomap_142 extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
pager lines 30
logging enable
logging timestamp
logging buffered warnings
logging trap debugging
logging asdm informational
logging device-id ipaddress Inside
logging host Inside 192.168.1.50
logging permit-hostdown
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu ANX 1500
mtu management 1500
ip local pool name_vpn 192.168.0.1-192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 x.x.177.253
global (Outside) 2 x.x.177.234
global (Outside) 3 x.x.177.235
global (Outside) 4 x.x.177.236
global (DMZ) 1 1x.57.16.107-1x.57.16.110 netmask 255.255.255.248
global (DMZ) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 2 192.168.2.0 255.255.255.0
nat (Inside) 3 192.168.3.0 255.255.255.0
nat (Inside) 4 192.168.8.0 255.255.255.0
static (Inside,Outside) 68.250.60.229 192.168.2.10 netmask 255.255.255.255
static (Inside,Outside) x.x.177.229 nameas4-2 netmask 255.255.255.255
static (Inside,Outside) x.x.177.226 RGRBGMAIL netmask 255.255.255.255
static (Inside,Outside) x.x.177.230 192.168.3.10 netmask 255.255.255.255
access-group internet in interface Outside
access-group inside_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.177.225 1
route Outside 192.168.4.0 255.255.255.0 x.67.91.x 254
route Inside 192.168.0.0 255.255.248.0 name4 1
route Inside 192.168.8.0 255.255.255.0 192.168.1.254 1
!
router rip
network 192.168.1.0
version 2
no auto-summary
!
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set namecorp esp-3des esp-sha-hmac
crypto ipsec transform-set positive esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set esp-3des-md5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set namecorp
crypto map outside_map 1 match address mexico
crypto map outside_map 1 set peer x.67.91.52
crypto map outside_map 1 set transform-set positive
crypto map outside_map 40 match address posnet
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 204.13.x1.9
crypto map outside_map 40 set transform-set positive
crypto map outside_map 50 match address covisint
crypto map outside_map 50 set peer 64.37.198.169
crypto map outside_map 50 set transform-set esp-3des-md5
crypto map outside_map 80 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 142 match address outside_cryptomap_142
crypto map outside_map 142 set peer 80.150.99.5
crypto map outside_map 142 set transform-set positive
crypto map outside_map 142 set security-association lifetime kilobytes 86400
crypto map outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.0.0 255.255.0.0 Inside
telnet 192.168.3.0 255.255.255.0 Inside
telnet timeout 5
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 5x
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect pptp
!
service-policy global_policy global
tftp-server ANX 192.168.3.13 /bgasa
webvpn
enable Outside
url-list Test "Test URL" http://www.google.com 1
port-forward Test_TELNET 23999 192.168.1.21 telnet Telnet to 21
group-policy DfltGrpPolicy attributes
banner none
wins-server value 192.168.1.101
dns-server value 192.168.1.248 192.168.1.101
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy name_vpn internal
group-policy name_vpn attributes
dns-server value 192.168.1.248 192.168.1.101
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value corp.nameclamps.com
group-policy namevpn internal
group-policy namevpn attributes
wins-server value 192.168.1.101
dns-server value 192.168.1.248 192.168.1.101
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value namevpn_splitTunnelAcl
default-domain value corp.nameclamps.com
global (Outside) 1 x.x.177.253
global (Outside) 2 x.x.177.234
global (Outside) 3 x.x.177.235
global (Outside) 4 x.x.177.236
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 2 192.168.2.0 255.255.255.0
nat (Inside) 3 192.168.3.0 255.255.255.0
nat (Inside) 4 192.168.8.0 255.255.255.0
Given your scenario here you can do the same thing:
global (Outside) 5 x.x.177.237 - assuming you have that address free
nat (Inside) 5 10.x.x.0 255.255.255.0
Then just like you had routes to:
route Inside 192.168.8.0 255.255.255.0 192.168.1.254 1
you would need a route to the 10 network
route Inside 10.x.x.0 255.255.255.0 x.x.x.x
If you don't want to use ANOTHER public IP address, you can consolidate it all into one using NAT overload. It'll use the firewall's public IP address for outbound traffic.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Yes, and what galtar99 said is what I prefer as well. I just didn't know if you were trying to at least track the subnets' usage or abuses by the public IP address that you mapped them to.
ASKER
Sorry it took me so long to get back. I just put those commands in the ASA and I still cannot reach the Internet. I know there is something I am missing and I cannot figure out what. Don't I have to configure network or something?
ASKER
And don't I have to put some kind of access list in?
No you do not need an access list because you have this access list applied on the inside interface:
access-group inside_out in interface Inside
That access-list allows all IP traffic to go through. Post your config now that you have made those changes and let's see what you have in there.
Make sure you added the route statement to get back to the new network.
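The replies above come down to three statements a new inside network needs on a pre-8.3 ASA: a nat (Inside) entry for the network, a global (Outside) with the same id (or the single global (outside) 1 interface plus nat (inside) 1 0.0.0.0 0.0.0.0 pair galtar99 describes), and a route Inside back to the network. The script below is an added example, not code from this thread or from Cisco: it parses those statements out of a saved config and reports which piece is missing for a given subnet. The sample config and everything in it (203.0.113.x, the 10.0.x.0 subnets, the alias CORE-RTR) are constructed for the example; interface names are compared case-insensitively because the thread mixes Inside and inside. Besides the missing-route case the last reply points at, it also flags a route whose next hop is not on the inside interface's own subnet, since the ASA has to ARP for a static route's gateway on that interface.

```python
# Added example: check that a new inside subnet has the pre-8.3 ASA pieces it needs
# to reach the Internet: a nat statement, a matching global, and a route back.
import ipaddress
import re
from types import SimpleNamespace

# Constructed sample config in pre-8.3 syntax, modeled on the thread; 203.0.113.x,
# the 10.0.x.0 subnets and the alias CORE-RTR are made up for this example.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif Outside
 ip address 203.0.113.2 255.255.255.224
interface Ethernet0/1
 nameif Inside
 ip address 192.168.1.20 255.255.255.0
name 192.168.1.7 CORE-RTR
global (Outside) 1 203.0.113.10
global (Outside) 5 203.0.113.11
global (Outside) 6 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 2 192.168.2.0 255.255.255.0
nat (Inside) 5 10.0.5.0 255.255.255.0
nat (Inside) 6 10.0.6.0 255.255.255.0
route Inside 10.0.5.0 255.255.255.0 CORE-RTR 1
route Inside 10.0.6.0 255.255.255.0 10.0.6.1 1
"""

GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")

def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_asa(text):
    """Extract interfaces, name aliases, global/nat pairs and static routes.
    Interface names are lower-cased so 'Inside' and 'inside' compare equal."""
    # connected: nameif -> on-link network; globals_: (nameif, id) -> pool strings;
    # nats: (nameif, id, real network); routes: (nameif, network, next hop)
    cfg = SimpleNamespace(connected={}, globals_={}, nats=[], routes=[], names={})
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] == "interface":
            current_if = None
        elif t[0] == "nameif" and len(t) > 1:
            current_if = t[1].lower()
        elif t[:2] == ["ip", "address"] and current_if and len(t) >= 4:
            cfg.connected[current_if] = _net(t[2], t[3])
        elif t[0] == "name" and len(t) >= 3:
            cfg.names[t[2]] = t[1]
        elif (m := GLOBAL_RE.match(line)):
            cfg.globals_.setdefault((m[1].lower(), int(m[2])), []).append(m[3])
        elif (m := NAT_RE.match(line)) and m[3] != "access-list":  # skip nat 0 exemption
            cfg.nats.append((m[1].lower(), int(m[2]), _net(m[3], m[4])))
        elif (m := ROUTE_RE.match(line)):
            try:  # the next hop may be a 'name' alias; unresolvable tokens are skipped
                nh = ipaddress.IPv4Address(cfg.names.get(m[4], m[4]))
            except ValueError:
                continue
            cfg.routes.append((m[1].lower(), _net(m[2], m[3]), nh))
    return cfg

def check_subnet(config_text, subnet, inside_if="Inside", outside_if="Outside"):
    """Return findings that would keep hosts in `subnet` off the Internet; an
    empty list means nat, global and the return route are all in place."""
    cfg = parse_asa(config_text)
    inside_if, outside_if = inside_if.lower(), outside_if.lower()
    net, findings = ipaddress.IPv4Network(subnet), []
    # A nat on the inside interface must cover the subnet (an exact entry or a
    # catch-all such as 0.0.0.0 0.0.0.0) and its id needs a global on the outside
    # interface; the most specific covering nat is the one checked.
    covering = [(i, n) for ifn, i, n in cfg.nats if ifn == inside_if and net.subnet_of(n)]
    if not covering:
        findings.append(f"no 'nat ({inside_if}) <id>' statement covers {net}")
    else:
        nid, n = max(covering, key=lambda c: c[1].prefixlen)
        if not cfg.globals_.get((outside_if, nid)):
            findings.append(f"nat ({inside_if}) {nid} covers {net} but has no "
                            f"'global ({outside_if}) {nid}'")
    # Replies need a way back: a directly connected subnet needs no route; any
    # other subnet needs a 'route <inside>' whose next hop is on-link, since the
    # ASA resolves a static route's gateway by ARP on that interface.
    connected = cfg.connected.get(inside_if)
    if connected and net.subnet_of(connected):
        return findings
    back = [(n, nh) for ifn, n, nh in cfg.routes if ifn == inside_if and net.subnet_of(n)]
    if not back:
        findings.append(f"no 'route {inside_if}' entry covers {net}")
    for n, nh in back:
        if connected and nh not in connected:
            findings.append(f"route {inside_if} {n} next hop {nh} is not on the "
                            f"{inside_if} subnet {connected}")
    return findings
```

Run check_subnet(open("asa.cfg").read(), "10.x.x.0/24") against a saved show running-config, with the new network's real prefix in place of the x's; an empty list means all three pieces are present, otherwise each string names the missing or unusable statement. It only understands the global/nat syntax used in this thread (pre-8.3), not the object-based NAT of 8.3 and later.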
ASKER
!
hostname namefw1
domain-name nameclamps.com
enable password Nun3UcVqW2rfvjTT encrypted
names
name 192.168.1.9 MAIL
name 192.168.1.7 nameAS4
name 192.168.1.101 nameBG01
name 192.168.2.3 nameas4-2
name 192.168.3.3 nameas4-3
name 192.168.1.10 EMEETINGS
name 192.168.1.12 COLLABORATE
dns-guard
!
interface Ethernet0/0
description Internet Interface
nameif Outside
security-level 0
ip address x.x.177.227 255.255.255.224
ospf cost 10
!
interface Ethernet0/1
description Inside LAN Interface
nameif Inside
security-level 100
ip address 192.168.1.20 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
description DMZ interface
nameif DMZ
security-level 50
ip address 166.57.16.106 255.255.255.248
ospf cost 10
!
interface Ethernet0/3
shutdown
nameif ANX
security-level 15
no ip address
ospf cost 10
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
ospf cost 10
management-only
!
passwd Nun3UcVqW2rfvjTT encrypted
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.1.248
domain-name nameclamps.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network og_ip_nat_ANX
network-object host 166.57.19.124
object-group network outside-NAT
network-object x.x.177.234 255.255.255.255
network-object x.x.177.235 255.255.255.255
network-object x.x.177.236 255.255.255.255
network-object x.x.177.237 255.255.255.255
network-object x.x.177.238 255.255.255.255
network-object x.x.177.239 255.255.255.255
network-object x.x.177.240 255.255.255.255
network-object x.x.177.241 255.255.255.255
network-object x.x.177.242 255.255.255.255
network-object x.x.177.243 255.255.255.255
network-object x.x.177.244 255.255.255.255
network-object x.x.177.245 255.255.255.255
network-object x.x.177.246 255.255.255.255
network-object x.x.177.247 255.255.255.255
network-object x.x.177.248 255.255.255.255
network-object x.x.177.249 255.255.255.255
network-object x.x.177.250 255.255.255.255
network-object x.x.177.251 255.255.255.255
network-object x.x.177.252 255.255.255.255
network-object x.x.177.253 255.255.255.255
object-group network crypto_map_142_src
network-object 192.168.2.0 255.255.255.0
network-object 192.168.8.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group network crypto_map_142_dest
network-object 10.191.0.0 255.255.0.0
access-list internet extended permit gre host 208.39.171.201 object-group outside-NAT
access-list internet extended permit icmp any any
access-list internet extended permit ip any host x.x.177.230 inactive
access-list internet extended permit tcp any host 19.5.112.28 eq ftp
access-list internet extended permit tcp any host 19.59.112.44 eq ftp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended deny tcp any any eq smtp
access-list internet extended permit tcp host 66.147.136.242 host x.x.177.228
access-list internet extended permit tcp host 66.147.136.242 host x.x.177.229
access-list internet extended permit tcp host 66.147.136.242 host x.x.177.230
access-list internet extended permit tcp any host x.x.177.226 eq 5632
access-list internet extended permit tcp any host x.x.177.226 eq www
access-list internet extended permit tcp any host x.x.177.226 eq pcanywhere-data
access-list internet extended permit tcp any host x.x.177.226 eq lotusnotes
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.128
access-list any extended permit tcp any host x.x.177.226 eq www
access-list outside extended permit tcp any host x.x.177.226 eq www
access-list inside extended permit tcp any host x.x.177.226 eq www
access-list nonat extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 2.0.167.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip any 192.168.0.0 255.255.255.0
access-list posnet extended permit ip 192.168.0.0 255.255.0.0 2.0.167.0 255.255.255.0
access-list mexico extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list covisint extended permit ip host 68.250.60.229 host 64.37.249.63
access-list OUT_IN extended permit udp any any eq 2061
access-list OUT_IN extended permit udp any any eq 2062
access-list OUT_IN extended permit udp any any eq 2063
access-list OUT_IN extended permit udp any any eq 2064
access-list OUT_IN extended permit udp any any eq 2065
access-list OUT_IN extended permit udp any any eq 535
access-list OUT_IN extended permit udp any any eq isakmp
access-list OUT_IN extended permit udp any any eq 4500
access-list OUT_IN extended permit udp any any eq 2070
access-list OUT_IN extended permit tcp any any eq 1443
access-list IN_OUT extended permit udp any any eq 2060
access-list IN_OUT extended permit udp any any eq 2061
access-list IN_OUT extended permit udp any any eq 2062
access-list IN_OUT extended permit udp any any eq 2063
access-list IN_OUT extended permit udp any any eq 2064
access-list IN_OUT extended permit udp any any eq 2065
access-list IN_OUT extended permit udp any any eq 535
access-list IN_OUT extended permit udp any any eq isakmp
access-list IN_OUT extended permit udp any any eq 4500
access-list IN_OUT extended permit udp any any eq 2070
access-list IN_OUT extended permit tcp any any eq 1443
access-list IN_OUT extended permit udp any any eq 443
access-list IN_OUT extended permit tcp any any eq https
access-list IN_OUT extended permit udp any any eq 433
access-list IN_OUT extended permit tcp any any eq 433
access-list Brokers extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list namevpn_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list Outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_out extended permit gre any host 208.39.171.201
access-list inside_out extended permit ip any any
access-list outside_cryptomap_142 extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
pager lines 30
logging enable
logging timestamp
logging buffered warnings
logging trap debugging
logging asdm informational
logging device-id ipaddress Inside
logging host Inside 192.168.1.50
logging permit-hostdown
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu ANX 1500
mtu management 1500
ip local pool name_vpn 192.168.0.1-192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 x.x.177.253
global (Outside) 2 x.x.177.234
global (Outside) 3 x.x.177.235
global (Outside) 4 x.x.177.236
global (Outside) 5 x.x.177.237
global (DMZ) 1 166.57.16.107-166.57.16.11
global (DMZ) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 5 10.153.65.0 255.255.255.0
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 2 192.168.2.0 255.255.255.0
nat (Inside) 3 192.168.3.0 255.255.255.0
nat (Inside) 4 192.168.8.0 255.255.255.0
static (Inside,Outside) 68.250.60.229 192.168.2.10 netmask 255.255.255.255
static (Inside,Outside) x.x.177.229 nameas4-2 netmask 255.255.255.255
static (Inside,Outside) x.x.177.226 RGRBGMAIL netmask 255.255.255.255
static (Inside,Outside) x.x.177.230 192.168.3.10 netmask 255.255.255.255
access-group internet in interface Outside
access-group inside_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.177.225 1
route Outside 192.168.4.0 255.255.255.0 200.67.91.52 254
route Inside 192.168.0.0 255.255.248.0 nameAS4 1
route Inside 192.168.8.0 255.255.255.0 192.168.1.254 1
route Inside 10.153.65.0 255.255.255.0 10.153.65.3 1
router rip
network 192.168.1.0
version 2
no auto-summary
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto map outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 67.167.38.146 255.255.255.255 Outside
ssh 196.40.16.140 255.255.255.255 Outside
ssh 192.168.0.0 255.255.248.0 Inside
ssh timeout 60
console timeout 0
l2tp tunnel hello 300
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect pptp
service-policy global_policy global
tftp-server ANX 192.168.3.13 /bgasa
webvpn
enable Outside
url-list Test "Test URL" http://www.google.com 1
port-forward Test_TELNET 23999 192.168.1.21 telnet Telnet to 21
group-policy DfltGrpPolicy attributes
banner none
wins-server value 192.168.1.101
dns-server value 192.168.1.248 192.168.1.101
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconne
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy name_vpn internal
group-policy name_vpn attributes
dns-server value x
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value corp.nameclamps.com
group-policy namevpn internal
group-policy namevpn attributes
wins-server value x
dns-server value x
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value namevpn_splitTunnelAcl
default-domain value corp.nameclamps.com
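As an added example (not code from this thread), a small Python audit that reads the pre-8.3 `nat` / `global` / `route` syntax used in the config above and reports every inside subnet whose nat id has no pool on the Outside interface, or that the ASA has no inside route or connected network for; those are the two gaps the `nat` and `route` lines suggested in the answer close. The sample config and its addresses are constructed placeholders, not the asker's configuration.

```python
import ipaddress
import re
# Constructed sample in the pre-8.3 nat/global syntax the page's config uses (placeholder
# addresses, not the asker's config). Gaps: nat id 5 has no "global (Outside) 5", and
# 192.168.9.0/24 is NATed but has no inside route.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif Inside
 ip address 192.168.1.1 255.255.255.0
global (Outside) 1 203.0.113.10
global (Outside) 2 203.0.113.11
nat (Inside) 0 access-list nonat
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 2 192.168.2.0 255.255.255.0
nat (Inside) 2 192.168.9.0 255.255.255.0
nat (Inside) 5 10.10.10.0 255.255.255.0
route Inside 192.168.2.0 255.255.255.0 192.168.1.254 1
route Inside 10.10.10.0 255.255.255.0 192.168.1.253 1
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"

def audit_outbound_nat(config, inside="Inside", outside="Outside"):
    """Return (kind, nat_id, subnet) findings: 'no-global' when the nat id has no pool on the
    outside interface, 'no-route' when no inside route or connected inside subnet covers it."""
    globals_out, nats, reachable = set(), [], []
    nameif = None  # nameif of the interface stanza currently being read
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"global \((\S+)\) (\d+)", line):
            if m.group(1) == outside:
                globals_out.add(int(m.group(2)))
        elif m := re.match(rf"nat \((\S+)\) (\d+) {IP} {IP}", line):
            if m.group(1) == inside and int(m.group(2)) != 0:  # id 0 is NAT exemption, skip
                nats.append((int(m.group(2)), ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")))
        elif m := re.match(rf"route (\S+) {IP} {IP} {IP}", line):
            if m.group(1) == inside:
                reachable.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
        elif line.startswith("interface "):
            nameif = None
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(rf"ip address {IP} {IP}", line)) and nameif == inside:
            reachable.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    findings = []
    for nat_id, subnet in nats:
        if nat_id not in globals_out:
            findings.append(("no-global", nat_id, str(subnet)))
        if not any(subnet.subnet_of(r) for r in reachable):
            findings.append(("no-route", nat_id, str(subnet)))
    return findings
```

Run `audit_outbound_nat` over a `show running-config` capture to see which subnets are still missing a `global` or a `route` before testing from a host.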
ASKER
Thank you very much. I could not have done this without you. You saved my job.
Can you post a sanitized config?