Solved

Allow new subnet Internet Access through Cisco ASA

Posted on 2010-08-20
Last Modified: 2012-06-21
I had 3 subnets 192.168.1.0 - 192.168.2.0 - 192.168.3.0 all routed through the iSeries.  Today I added subnet 10.x.x.0.  Everything works internally but I cannot get out to the Internet on subnet 10.x.x.0.  I know there is something I need to put in the ASA.  It is a 5510.  I just do not know what I am missing.  
Question by:jtennyson
12 Comments
 
LVL 6

Expert Comment

by:Galtar99
ID: 33488477
Is that new subnet part of your global nat statement to allow it out?
 
Can you post a sanitized config?
 
LVL 24

Expert Comment

by:Ken Boone
ID: 33488565
Normally you would do the following:

add this statement to allow the new network to NAT to the public address:

nat (inside) 1 10.x.x.0 255.255.255.0

and then you would need a route statement so the ASA can get to the 10 net

route inside 10.x.x.0 255.255.255.0 z.z.z.z   (z.z.z.z is the next hop)

Then you "might" need to update an ACL if you have one applied on your inside interface.
 

Author Comment

by:jtennyson
ID: 33488579
hostname namefw1
domain-name nameclamps.com
enable password Nun3UcVqW2rfvjTT encrypted
names
name 192.168.1.9 xxx
name 192.168.1.7 xxx
name 192.168.1.101 xxx
name 192.168.2.3 xxx
name 192.168.3.3 rxxx
name 192.168.1.10 xxx
name 192.168.1.x xxx
dns-guard

interface Ethernet0/0
 description Internet Interface
 nameif Outside
 security-level 0
 ip address xx.x.1x.x7 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 description Inside LAN Interface
 nameif Inside
 security-level 100
 ip address 192.168.1.x 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 description DMZ interface
 nameif DMZ
 security-level 50
 ip address x.x.16.106 255.255.255.248
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 nameif ANX
 security-level 15
 no ip address
 ospf cost 10
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 ospf cost 10
 management-only
!
passwd Nun3UcVqW2rfvjTT encrypted
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.1.248
 domain-name nameclamps.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network og_ip_nat_ANX
 network-object host 1x.57.19.x4
object-group network outside-NAT
 network-object x.x.177.250 255.255.255.255
 network-object x.x.177.251 255.255.255.255
 network-object x.x.177.252 255.255.255.255
 network-object x.x.177.253 255.255.255.255
object-group network crypto_map_142_src
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.8.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object-group network crypto_map_142_dest
 network-object 10.191.0.0 255.255.0.0
access-list internet extended permit gre host 208.39.171.201 object-group outside-NAT
access-list internet extended permit icmp any any
access-list internet extended permit ip any host x.x.177.230 inactive
access-list internet extended permit tcp any host 19.5.1x.28 eq ftp
access-list internet extended permit tcp any host 19.59.1x.44 eq ftp
access-list internet extended permit tcp x.x.136.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp x.x.188.16 255.255.255.240 any eq smtp
access-list internet extended deny tcp any any eq smtp
access-list internet extended permit tcp host x.x.136.242 host x.x.177.228
access-list internet extended permit tcp host x.x.136.242 host x.x.177.229
access-list internet extended permit tcp host x.x.136.242 host x.x.177.230
access-list internet extended permit tcp any host x.x.177.226 eq 5632
access-list internet extended permit tcp any host x.x.177.226 eq www
access-list internet extended permit tcp any host x.x.177.226 eq pcanywhere-data
access-list internet extended permit tcp any host x.x.177.226 eq lotusnotes
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.x8
access-list any extended permit tcp any host x.x.177.226 eq www
access-list outside extended permit tcp any host x.x.177.226 eq www
access-list inside extended permit tcp any host x.x.177.226 eq www
access-list nonat extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 2.0.167.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip any 192.168.0.0 255.255.255.0
access-list posnet extended permit ip 192.168.0.0 255.255.0.0 2.0.167.0 255.255.255.0
access-list mexico extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list OUT_IN extended permit udp any any eq 2061
access-list OUT_IN extended permit udp any any eq 2062

access-list IN_OUT extended permit udp any any eq 2070
access-list IN_OUT extended permit tcp any any eq 1443
access-list IN_OUT extended permit udp any any eq 443
access-list IN_OUT extended permit tcp any any eq https
access-list IN_OUT extended permit udp any any eq 433
access-list IN_OUT extended permit tcp any any eq 433
access-list Name extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_out extended permit gre any host 208.39.171.201
access-list inside_out extended permit ip any any
access-list outside_cryptomap_142 extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
pager lines 30
logging enable
logging timestamp
logging buffered warnings
logging trap debugging
logging asdm informational
logging device-id ipaddress Inside
logging host Inside 192.168.1.50
logging permit-hostdown
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu ANX 1500
mtu management 1500
ip local pool name_vpn 192.168.0.1-192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 x.x.177.253
global (Outside) 2 x.x.177.234
global (Outside) 3 x.x.177.235
global (Outside) 4 x.x.177.236
global (DMZ) 1 1x.57.16.107-1x.57.16.110 netmask 255.255.255.248
global (DMZ) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 2 192.168.2.0 255.255.255.0
nat (Inside) 3 192.168.3.0 255.255.255.0
nat (Inside) 4 192.168.8.0 255.255.255.0
static (Inside,Outside) 68.250.60.229 192.168.2.10 netmask 255.255.255.255
static (Inside,Outside) x.x.177.229 nameas4-2 netmask 255.255.255.255
static (Inside,Outside) x.x.177.226 RGRBGMAIL netmask 255.255.255.255
static (Inside,Outside) x.x.177.230 192.168.3.10 netmask 255.255.255.255
access-group internet in interface Outside
access-group inside_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.177.225 1
route Outside 192.168.4.0 255.255.255.0 x.67.91.x 254
route Inside 192.168.0.0 255.255.248.0 name4 1
route Inside 192.168.8.0 255.255.255.0 192.168.1.254 1
!
router rip
 network 192.168.1.0
 version 2
 no auto-summary
!
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set namecorp esp-3des esp-sha-hmac
crypto ipsec transform-set positive esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set esp-3des-md5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set namecorp
crypto map outside_map 1 match address mexico
crypto map outside_map 1 set peer x.67.91.52
crypto map outside_map 1 set transform-set positive
crypto map outside_map 40 match address posnet
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 204.13.x1.9
crypto map outside_map 40 set transform-set positive
crypto map outside_map 50 match address covisint
crypto map outside_map 50 set peer 64.37.198.169
crypto map outside_map 50 set transform-set esp-3des-md5
crypto map outside_map 80 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 142 match address outside_cryptomap_142
crypto map outside_map 142 set peer 80.150.99.5
crypto map outside_map 142 set transform-set positive
crypto map outside_map 142 set security-association lifetime kilobytes 86400
crypto map outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2

telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.0.0 255.255.0.0 Inside
telnet 192.168.3.0 255.255.255.0 Inside
telnet timeout 5
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 5x
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect pptp
!
service-policy global_policy global
tftp-server ANX 192.168.3.13 /bgasa
webvpn
 enable Outside
 url-list Test "Test URL" http://www.google.com 1
 port-forward Test_TELNET 23999 192.168.1.21 telnet Telnet to 21
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 192.168.1.101
 dns-server value 192.168.1.248 192.168.1.101
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy name_vpn internal
group-policy name_vpn attributes
 dns-server value 192.168.1.248 192.168.1.101
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value corp.nameclamps.com
group-policy namevpn internal
group-policy namevpn attributes
 wins-server value 192.168.1.101
 dns-server value 192.168.1.248 192.168.1.101
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value namevpn_splitTunnelAcl
 default-domain value corp.nameclamps.com
 
LVL 24

Expert Comment

by:Ken Boone
ID: 33488611
global (Outside) 1 x.x.177.253
global (Outside) 2 x.x.177.234
global (Outside) 3 x.x.177.235
global (Outside) 4 x.x.177.236

nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 2 192.168.2.0 255.255.255.0
nat (Inside) 3 192.168.3.0 255.255.255.0
nat (Inside) 4 192.168.8.0 255.255.255.0

Given your scenario here you can do the same thing:

global (Outside) 5 x.x.177.237  - assuming you have that address free
nat (Inside) 5 10.x.x.0 255.255.255.0

Then just like you had routes to:
route Inside 192.168.8.0 255.255.255.0 192.168.1.254 1

you would need a route to the 10 network
route Inside 10.x.x.0 255.255.255.0 x.x.x.x

 
LVL 6

Expert Comment

by:Galtar99
ID: 33488921
If you don't want to use ANOTHER public IP address, you can consolidate it all into one using NAT overload.  It'll use the firewall's public IP address for outbound traffic.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

 
LVL 24

Expert Comment

by:Ken Boone
ID: 33488946
Yes, and what galtar99 said is what I prefer as well. Just didn't know if you were trying to at least track the subnets' usages or abuses by the public IP address that you mapped it to.

Author Comment

by:jtennyson
ID: 33500682
Sorry it took me so long to get back.  I just put those commands in the ASA and I still cannot reach the internet.  I know there is something I am missing and I cannot figure out what.  Don't I have to configure network or something?
 

Author Comment

by:jtennyson
ID: 33500701
And don't I have to put some kind of access list in?
 
LVL 24

Expert Comment

by:Ken Boone
ID: 33501374
No you do not need an access list because you have this access list applied on the inside interface:
access-group inside_out in interface Inside

That access-list allows all IP traffic to go through.   Post your config now that you have made those changes and let's see what you have in there.

Make sure you added the route statement to get back to the new network.
 

Author Comment

by:jtennyson
ID: 33501879

!
hostname namefw1
domain-name nameclamps.com
enable password Nun3UcVqW2rfvjTT encrypted
names
name 192.168.1.9 MAIL
name 192.168.1.7 nameAS4
name 192.168.1.101 nameBG01
name 192.168.2.3 nameas4-2
name 192.168.3.3 nameas4-3
name 192.168.1.10 EMEETINGS
name 192.168.1.12 COLLABORATE
dns-guard
!
interface Ethernet0/0
 description Internet Interface
 nameif Outside
 security-level 0
 ip address x.x.177.227 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 description Inside LAN Interface
 nameif Inside
 security-level 100
 ip address 192.168.1.20 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 description DMZ interface
 nameif DMZ
 security-level 50
 ip address 166.57.16.106 255.255.255.248
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 nameif ANX
 security-level 15
 no ip address
 ospf cost 10
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 ospf cost 10
 management-only
!
passwd Nun3UcVqW2rfvjTT encrypted
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 192.168.1.248
 domain-name nameclamps.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network og_ip_nat_ANX
 network-object host 166.57.19.124
object-group network outside-NAT
 network-object x.x.177.234 255.255.255.255
 network-object x.x.177.235 255.255.255.255
 network-object x.x.177.236 255.255.255.255
 network-object x.x.177.237 255.255.255.255
 network-object x.x.177.238 255.255.255.255
 network-object x.x.177.239 255.255.255.255
 network-object x.x.177.240 255.255.255.255
 network-object x.x.177.241 255.255.255.255
 network-object x.x.177.242 255.255.255.255
 network-object x.x.177.243 255.255.255.255
 network-object x.x.177.244 255.255.255.255
 network-object x.x.177.245 255.255.255.255
 network-object x.x.177.246 255.255.255.255
 network-object x.x.177.247 255.255.255.255
 network-object x.x.177.248 255.255.255.255
 network-object x.x.177.249 255.255.255.255
 network-object x.x.177.250 255.255.255.255
 network-object x.x.177.251 255.255.255.255
 network-object x.x.177.252 255.255.255.255
 network-object x.x.177.253 255.255.255.255
object-group network crypto_map_142_src
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.8.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
object-group network crypto_map_142_dest
 network-object 10.191.0.0 255.255.0.0
access-list internet extended permit gre host 208.39.171.201 object-group outside-NAT
access-list internet extended permit icmp any any
access-list internet extended permit ip any host x.x.177.230 inactive
access-list internet extended permit tcp any host 19.5.112.28 eq ftp
access-list internet extended permit tcp any host 19.59.112.44 eq ftp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended deny tcp any any eq smtp
access-list internet extended permit tcp host 66.147.136.242 host x.x.177.228
access-list internet extended permit tcp host 66.147.136.242 host x.x.177.229
access-list internet extended permit tcp host 66.147.136.242 host x.x.177.230
access-list internet extended permit tcp any host x.x.177.226 eq 5632
access-list internet extended permit tcp any host x.x.177.226 eq www
access-list internet extended permit tcp any host x.x.177.226 eq pcanywhere-data
access-list internet extended permit tcp any host x.x.177.226 eq lotusnotes
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.128
access-list any extended permit tcp any host x.x.177.226 eq www
access-list outside extended permit tcp any host x.x.177.226 eq www
access-list inside extended permit tcp any host x.x.177.226 eq www
access-list nonat extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 2.0.167.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip any 192.168.0.0 255.255.255.0
access-list posnet extended permit ip 192.168.0.0 255.255.0.0 2.0.167.0 255.255.255.0
access-list mexico extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list covisint extended permit ip host 68.250.60.229 host 64.37.249.63
access-list OUT_IN extended permit udp any any eq 2061
access-list OUT_IN extended permit udp any any eq 2062
access-list OUT_IN extended permit udp any any eq 2063
access-list OUT_IN extended permit udp any any eq 2064
access-list OUT_IN extended permit udp any any eq 2065
access-list OUT_IN extended permit udp any any eq 535
access-list OUT_IN extended permit udp any any eq isakmp
access-list OUT_IN extended permit udp any any eq 4500
access-list OUT_IN extended permit udp any any eq 2070
access-list OUT_IN extended permit tcp any any eq 1443
access-list IN_OUT extended permit udp any any eq 2060
access-list IN_OUT extended permit udp any any eq 2061
access-list IN_OUT extended permit udp any any eq 2062
access-list IN_OUT extended permit udp any any eq 2063
access-list IN_OUT extended permit udp any any eq 2064
access-list IN_OUT extended permit udp any any eq 2065
access-list IN_OUT extended permit udp any any eq 535
access-list IN_OUT extended permit udp any any eq isakmp
access-list IN_OUT extended permit udp any any eq 4500
access-list IN_OUT extended permit udp any any eq 2070
access-list IN_OUT extended permit tcp any any eq 1443
access-list IN_OUT extended permit udp any any eq 443
access-list IN_OUT extended permit tcp any any eq https
access-list IN_OUT extended permit udp any any eq 433
access-list IN_OUT extended permit tcp any any eq 433
access-list Brokers extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list namevpn_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list Outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_out extended permit gre any host 208.39.171.201
access-list inside_out extended permit ip any any
access-list outside_cryptomap_142 extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
pager lines 30
logging enable
logging timestamp
logging buffered warnings
logging trap debugging
logging asdm informational
logging device-id ipaddress Inside
logging host Inside 192.168.1.50
logging permit-hostdown
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu ANX 1500
mtu management 1500
ip local pool name_vpn 192.168.0.1-192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 x.x.177.253
global (Outside) 2 x.x.177.234
global (Outside) 3 x.x.177.235
global (Outside) 4 x.x.177.236
global (Outside) 5 x.x.177.237
global (DMZ) 1 166.57.16.107-166.57.16.110 netmask 255.255.255.248
global (DMZ) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 5 10.153.65.0 255.255.255.0
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 2 192.168.2.0 255.255.255.0
nat (Inside) 3 192.168.3.0 255.255.255.0
nat (Inside) 4 192.168.8.0 255.255.255.0
static (Inside,Outside) 68.250.60.229 192.168.2.10 netmask 255.255.255.255
static (Inside,Outside) x.x.177.229 nameas4-2 netmask 255.255.255.255
static (Inside,Outside) x.x.177.226 RGRBGMAIL netmask 255.255.255.255
static (Inside,Outside) x.x.177.230 192.168.3.10 netmask 255.255.255.255
access-group internet in interface Outside
access-group inside_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 x.x.177.225 1
route Outside 192.168.4.0 255.255.255.0 200.67.91.52 254
route Inside 192.168.0.0 255.255.248.0 nameAS4 1
route Inside 192.168.8.0 255.255.255.0 192.168.1.254 1
route Inside 10.153.65.0 255.255.255.0 10.153.65.3 1
router rip
 network 192.168.1.0
 version 2
 no auto-summary
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto map outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 67.167.38.146 255.255.255.255 Outside
ssh 196.40.16.140 255.255.255.255 Outside
ssh 192.168.0.0 255.255.248.0 Inside
ssh timeout 60
console timeout 0
l2tp tunnel hello 300
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect pptp
service-policy global_policy global
tftp-server ANX 192.168.3.13 /bgasa
webvpn
 enable Outside
 url-list Test "Test URL" http://www.google.com 1
 port-forward Test_TELNET 23999 192.168.1.21 telnet Telnet to 21
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 192.168.1.101
 dns-server value 192.168.1.248 192.168.1.101
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy name_vpn internal
group-policy name_vpn attributes
 dns-server value x
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value corp.nameclamps.com
group-policy namevpn internal
group-policy namevpn attributes
 wins-server value x
 dns-server value x
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value namevpn_splitTunnelAcl
 default-domain value corp.nameclamps.com
 
LVL 24

Accepted Solution

by:
Ken Boone earned 500 total points
ID: 33501943
Ok so look at this:

route Inside 192.168.0.0 255.255.248.0 nameAS4 1
route Inside 192.168.8.0 255.255.255.0 192.168.1.254 1
route Inside 10.153.65.0 255.255.255.0 10.153.65.3 1

and look at this:

interface Ethernet0/1
 description Inside LAN Interface
 nameif Inside
 security-level 100
 ip address 192.168.1.20 255.255.255.0


The inside of the ASA is physically on the 192.168.1.0 network.  Therefore in order for him to reach any other network he will need to route to the other networks by going to his next hop router to reach the other network.  The ASA will need an ip address of a next hop router that is on the network that the ASA is connected to.  The next hop router always has to be on the local network.  In your route to the 10.x network you pointed the ASA to 10.153.65.3.  This address is not local to the ASA.  The ASA needs to route to the 192.168.1.x device that will get him to the 10.x network.  
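The two checks this thread turned on (a static route's next hop must sit on the directly connected subnet of the interface named in the route, and every nat id needs a matching global on the Outside interface) can be automated against a saved config. The following is an added example, not code from the thread or from Cisco; the config text is constructed from the thread, with the sanitized x.x.177.x addresses replaced by the documentation range 203.0.113.0/27 and an extra nat id 6 added to show the second check.

```python
# Added example (not from the thread): a small checker for the two things
# this thread turned on. It parses only the ASA-style lines it needs
# ("name", "interface"/"nameif"/"ip address", "route", "nat", "global") and
# reports (1) routes whose next hop is not inside a directly connected
# interface subnet and (2) nat ids with no matching global (Outside).
import ipaddress
import re

# Constructed from the thread's config: sanitized x.x.177.x addresses are
# replaced by 203.0.113.0/27, and nat id 6 is added to exercise check (2).
SAMPLE_CONFIG = """\
name 192.168.1.7 nameAS4
interface Ethernet0/0
 nameif Outside
 ip address 203.0.113.3 255.255.255.224
interface Ethernet0/1
 nameif Inside
 ip address 192.168.1.20 255.255.255.0
global (Outside) 1 203.0.113.29
global (Outside) 5 203.0.113.13
nat (Inside) 0 access-list nonat
nat (Inside) 1 192.168.1.0 255.255.255.0
nat (Inside) 5 10.153.65.0 255.255.255.0
nat (Inside) 6 192.168.9.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route Inside 192.168.0.0 255.255.248.0 nameAS4 1
route Inside 10.153.65.0 255.255.255.0 10.153.65.3 1
"""


def parse_config(text):
    """Return (names, interfaces, routes, nats, globals) from config lines."""
    names, ifaces, routes, nats, globs = {}, {}, [], [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name "):
            _, addr, alias = line.split()
            names[alias] = addr           # "name" aliases used in routes
        elif line.startswith("interface "):
            current = None                # nameif comes on a later line
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            _, _, addr, mask = line.split()
            # .network masks off host bits: 203.0.113.3/27 -> 203.0.113.0/27
            ifaces[current] = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif line.startswith("route "):
            _, ifname, dst, mask, nexthop, *_ = line.split()
            routes.append((ifname, dst, mask, nexthop))
        elif line.startswith("nat ("):
            m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)
            nats.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif line.startswith("global ("):
            m = re.match(r"global \((\S+)\) (\d+)", line)
            globs.setdefault(m.group(1), set()).add(int(m.group(2)))
    return names, ifaces, routes, nats, globs


def unreachable_next_hops(text):
    """Routes whose next hop is not on the connected subnet of the route's
    interface (the accepted answer's point: the next hop must be local)."""
    names, ifaces, routes, _, _ = parse_config(text)
    bad = []
    for ifname, dst, mask, nexthop in routes:
        hop = ipaddress.ip_address(names.get(nexthop, nexthop))
        if ifname in ifaces and hop not in ifaces[ifname]:
            bad.append((ifname, f"{dst}/{mask}", str(hop)))
    return bad


def nats_without_global(text, outside="Outside"):
    """nat ids (other than the nat 0 exemption) with no global (Outside) of
    the same id, so that subnet has no address to translate to."""
    _, _, _, nats, globs = parse_config(text)
    return [(ifname, nat_id, net) for ifname, nat_id, net, _ in nats
            if nat_id != 0 and nat_id not in globs.get(outside, set())]


if __name__ == "__main__":
    for ifname, dst, hop in unreachable_next_hops(SAMPLE_CONFIG):
        print(f"route {ifname} {dst}: next hop {hop} is not on the {ifname} subnet")
    for ifname, nat_id, net in nats_without_global(SAMPLE_CONFIG):
        print(f"nat ({ifname}) {nat_id} {net}: no global (Outside) {nat_id}")
```

Run against the sample it flags exactly the route from the thread (10.153.65.3 is not on 192.168.1.0/24) and the added nat id 6; point it at a real "show running-config" dump to repeat the check after future subnet additions.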
 

Author Closing Comment

by:jtennyson
ID: 33502009
Thank you very much.  I could not have done this without you.  You saved my job.