Marka Mekapse
asked on
Cisco ASA 5505 Version 8.3(1)
Hi Experts!
I have an ASA that is working like a charm with all of its NAT rules in place; however, all clients that are behind the ASA are unable to browse the internet with the exception of the server with its NAT rules.
This new method of NATting has me perplexed to say the least :)
Help!
Thanks a bunch
: Saved
:
ASA Version 8.3(1)
!
hostname HATCH-ASA
domain-name xxxxxxxxxxxx
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DSL
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.3
name-server 4.2.2.2
domain-name thehatchgroup.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network OWA
host 192.168.1.3
object network inside-network
subnet 192.0.0.0 255.255.255.0
object network Hatch-One-Email
host 192.168.1.3
object network Hatch-One-OWA
host 192.168.1.3
object network Hatch-One-RDP
host 192.168.1.3
object network Hatch-One-Web
host 192.168.1.3
object network OWA-6001
host 192.168.1.3
object network OWA-6002
host 192.168.1.3
object network OWA-6003
host 192.168.1.3
object network OWA-6004
host 192.168.1.3
object network OWA-HTTPS
host 192.168.1.3
object network Hatch-PPTP
host 192.168.1.3
object network Hatch-One-HTTPS
host 192.168.1.3
object-group service DM_INLINE_TCP_4 tcp
port-object eq ftp
port-object eq www
port-object eq https
port-object eq 3389
object-group service DM_INLINE_TCP_5 tcp
port-object eq https
port-object eq smtp
port-object eq 3389
object-group service DM_INLINE_TCP_6 tcp
port-object eq 3389
port-object eq ftp
object-group service DM_INLINE_TCP_7 tcp
port-object eq 3101
port-object eq 3389
object-group service DM_INLINE_UDP_2 udp
port-object eq snmp
port-object eq snmptrap
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service tcp_data tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service tcp_udp_data tcp-udp
port-object eq www
object-group service tcp_ica tcp
port-object eq 2598
port-object eq citrix-ica
access-list global_access extended permit ip any any
access-list global_access extended permit icmp any any
access-list global_access extended permit tcp any host xxx.xxx.xxx.xxx range 6001 6004
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any object-group DM_INLINE_UDP_2
access-list acl_in_out extended permit tcp any any eq www
access-list acl_in_out extended permit tcp any any eq https
access-list acl_in_out extended permit tcp any any eq domain
access-list acl_in_out extended permit tcp any any eq smtp
access-list outside_access_in_1 extended permit ip any any
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq www
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq https
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq pptp
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list inbound extended permit ip any any
pager lines 24
logging enable
logging monitor informational
logging asdm informational
logging mail informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network Hatch-One-Email
nat (inside,outside) static interface service tcp smtp smtp
object network Hatch-One-RDP
nat (inside,outside) static interface service tcp 3389 3389
object network Hatch-One-Web
nat (inside,outside) static interface service tcp www www
object network OWA-6001
nat (inside,outside) static interface service tcp 6001 6001
object network OWA-6002
nat (inside,outside) static interface service tcp 6002 6002
object network OWA-6003
nat (inside,outside) static interface service tcp 6003 6003
object network OWA-6004
nat (inside,outside) static interface service tcp 6004 6004
object network Hatch-PPTP
nat (inside,outside) static interface service tcp pptp pptp
object network Hatch-One-HTTPS
nat (inside,outside) static interface service tcp https https
access-group inside_access_in in interface inside
access-group inbound in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname hatch621@sbcglobal.net
vpdn group DSL ppp authentication pap
vpdn username hatch621@sbcglobal.net password ***** store-local
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 4.2.2.2 4.2.2.3 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username xxxxxx password xxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
hpm topN enable
Cryptochecksum:dea981717c80xx53ae2cce61xxf088d92112
: end
ASKER
Hi lrmoore,
Thanks for responding to my question.
I added the global commands and see no change. From the server located at 192.168.1.3 I am able to browse the internet; however, all of the other clients that are behind this ASA are unable to get out. (Sorry if this sounds like I am repeating myself.)
ASKER
I did a show version for your viewing pleasure :)
Is this correct? A limit of 10 on hosts?
HATCH-ASA# show ver
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"
HATCH-ASA up 2 days 12 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
0: Int: Internal-Data0/0 : address is e05f.b948.3609, irq 11
1: Ext: Ethernet0/0 : address is e05f.b948.3601, irq 255
2: Ext: Ethernet0/1 : address is e05f.b948.3602, irq 255
3: Ext: Ethernet0/2 : address is e05f.b948.3603, irq 255
4: Ext: Ethernet0/3 : address is e05f.b948.3604, irq 255
5: Ext: Ethernet0/4 : address is e05f.b948.3605, irq 255
6: Ext: Ethernet0/5 : address is e05f.b948.3606, irq 255
7: Ext: Ethernet0/6 : address is e05f.b948.3607, irq 255
8: Ext: Ethernet0/7 : address is e05f.b948.3608, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
SSL VPN Peers : 2 perpetual
Total VPN Peers : 10 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
AnyConnect Essentials : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1452Z018
Running Permanent Activation Key: 0x3103cc7a 0x205b8342 0x5443a580 0x9ae8c4b8 0xc4172d83
Configuration register is 0x1
Configuration last modified by enable_15 at 09:05:44.275 PST Mon Feb 14 2011
HATCH-ASA#
ASKER CERTIFIED SOLUTION
One other thing that you must keep in mind is that the ASA tracks inside MAC addresses and once that number exceeds 10 you will begin to see dropped traffic and messages in the event log that say the maximum number of user licenses has been exceeded. This is because your license only allows for 10 inside hosts as is shown in the sh ver output.
If the license is being exceeded you will need to purchase a license upgrade. The unlimited inside hosts license isn't too bad, it's like $300 USD.
You should be aware of this as well as it can lead to dropped traffic and other initially inexplicable errors, especially if you have virtualized servers or workstations using VMware or an equivalent.
Cheers!
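The answer above points at the 5505 Base license's 10 inside-host cap, while the posted config hands out a DHCP pool of 192.168.1.100-192.168.1.130. The following is an added example (not code from the thread or from Cisco): it parses the "Licensed features" block of the posted show version output and the dhcpd address line of the running-config, and flags a DHCP pool larger than the licensed host count. The excerpts embedded below are constructed from the values posted in the thread; the line formats assumed are the ones shown there.

```python
import ipaddress
import re

# Constructed excerpt of the "show version" license block as posted above.
SHOW_VER = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Inside Hosts : 10 perpetual
Total VPN Peers : 10 perpetual
This platform has a Base license.
"""

# Constructed excerpt of the posted running-config (inside interface + DHCP pool).
RUNNING_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd enable inside
"""


def parse_license(show_ver):
    """Map 'Feature : value [perpetual]' lines to {feature: value}."""
    feats = {}
    for line in show_ver.splitlines():
        m = re.match(r"^(.+?)\s*:\s*(\S+)", line)
        if m:
            feats[m.group(1).strip()] = m.group(2)
    return feats


def inside_host_limit(show_ver):
    """Licensed inside-host count, or None when unlimited/absent (non-5505 platforms)."""
    value = parse_license(show_ver).get("Inside Hosts")
    if value is None or value.lower() == "unlimited":
        return None
    return int(value)


def dhcp_pool_size(config):
    """Number of addresses the inside dhcpd pool can hand out (0 if no pool)."""
    m = re.search(r"^dhcpd address (\S+)-(\S+) inside", config, re.M)
    if not m:
        return 0
    lo, hi = (ipaddress.IPv4Address(a) for a in m.groups())
    return int(hi) - int(lo) + 1


def check_host_license(show_ver, config):
    """ok is False when the DHCP pool alone could exceed the inside-host license."""
    limit, pool = inside_host_limit(show_ver), dhcp_pool_size(config)
    return {"limit": limit, "pool": pool, "ok": limit is None or pool <= limit}
```

With the posted values the check reports a 31-address pool against a 10-host license, which is exactly the condition that produces the dropped traffic described above.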
SOLUTION
ASKER
Thanks guys, I'll give this a shot!
Also, I have never run into an ASA with restricted DHCP licensing on the inside.
Hasn't it always been on the number of SSL, site-to-site VPNs, and client VPNs?
John
That is the case on all ASA platforms, except on the 5505 you also have an inside user license to watch out for. All ASAs other than the 5505 are unlimited inside, and of course you can buy the unlimited 5505 license.
Cheers!
SOLUTION
ASKER
lrmoore, puggle,
Thank you for your responses - much appreciated.
If I get a 5510, will I still run into the same DHCP issue, or is the device unlimited?
Thanks again
SOLUTION
ASKER
Thank you for the prompt responses.
policy-map global_policy
class inspection_default
inspect icmp