Solved

Odd Port Translation issue

Posted on 2011-03-02
Last Modified: 2012-06-27
Hey Guys,

Have an ASA in use with Multiple subinterfaces and VLANs trunked to a 2960 Switch.

One host Timeserver is on the Server VLAN and has lost connectivity with other hosts in its VLAN.

I am getting the following error:

 
305006 10.10.104.3 53 portmap translation creation failed for udp src Servers:TimeServer/49964 dst Servers:10.10.104.3/53

Open in new window


It seems odd to me because I don't see how the firewall would try to inspect data on the same sub-interface. (Same collision space; I would think that it would stay on the switch.)

Been working this for a while and have run out of steam. I must be missing something. Not sure what globals I may be missing, but the following snapshot of the packet trace may help:

[PacketTrace screenshot]
Anyhoo, here is my config (I know it's a mess):

: Saved
:
ASA Version 8.0(4) 
!
hostname utcfw01
domain-name utc.net
enable password kr6r7aboT5x2AZrj encrypted
passwd 741YpRBhS1OOvzpR encrypted
names
name 10.10.104.10 mailserver
name X.X.63.99 OldOutside (Not Used)
name 10.10.104.4 TEMPDNS
name 10.10.104.6 webserver
name 10.10.104.2 UTCDNS
name 10.10.104.70 supportserver
name 10.10.104.20 sipserver
name 10.10.104.120 NagiosServer description The Nagios Server
name 10.10.104.18 ftpserver-private
name X.X.149.104 ftpserver-public
name X.X.149.5 Self
name X.X.149.145 DIMDIM-PUBLIC description DIMDIM Public
name 10.10.104.140 DevWebPrivate description JoomlaDev
name X.X.149.140 DevwebPublic description Joomla Dev
name X.X.149.145 DIMDIM-Private description WebConferencing Server DEV
name X.X.149.102 Exch2003Public
name X.X.19.146 Time-Server-Public description TimeServerpublic
name 10.10.104.21 TimeServer description Time Server
name X.X.210.144 SupportClient01 description Offsite  remote client access for emergencies
name X.X.96.181 SupportClient02 description Remote Support agent for emergency access to firewall
!
interface GigabitEthernet0/0
 description Old Circuit connection
 shutdown
 nameif OldOutside (Not Used)
 security-level 0
 ip address OldOutside (Not Used) 255.255.255.248 
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif Inside_Physical
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.1
 vlan 101
 nameif Workstation
 security-level 100
 ip address 10.10.101.1 255.255.255.0 
!
interface GigabitEthernet0/1.2
 vlan 102
 nameif Voice
 security-level 100
 ip address 10.10.102.1 255.255.255.0 
!
interface GigabitEthernet0/1.3
 vlan 103
 nameif Wireless
 security-level 100
 ip address 10.10.103.1 255.255.255.0 
!
interface GigabitEthernet0/1.4
 vlan 104
 nameif Servers
 security-level 100
 ip address 10.10.104.1 255.255.255.0 
!
interface GigabitEthernet0/1.5
 vlan 105
 nameif WLANGUEST
 security-level 100
 ip address 10.10.105.1 255.255.255.0 
!
interface GigabitEthernet0/1.6
 vlan 206
 nameif SIPGATEWAY
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.7
 vlan 107
 nameif techlab
 security-level 100
 ip address 10.10.107.1 255.255.255.0 
!
interface GigabitEthernet0/1.9
 description VLAN to talk to UC520
 vlan 109
 nameif UC520
 security-level 100
 ip address 10.10.109.1 255.255.255.0 
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif dmz
 security-level 50
 no ip address
!
interface GigabitEthernet0/3
 description New OldOutside (Not Used) interface on WBS Connect
 nameif NEWOUTSIDE
 security-level 0
 ip address Self 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
 management-only
!

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside_Physical
dns server-group DefaultDNS
 name-server UTCDNS
 name-server 10.10.104.3
 domain-name utc.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 5721
 port-object eq www
object-group service SupportServer
 service-object tcp eq 5721 
object-group network DM_INLINE_NETWORK_1
 network-object host 10.10.108.3
 network-object 10.10.109.0 255.255.255.0
 network-object 10.1.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.1.10.0 255.255.255.0
 network-object 10.10.109.0 255.255.255.0
 network-object host 10.10.108.3
object-group network DM_INLINE_NETWORK_3
 network-object 10.10.108.0 255.255.255.0
 network-object 10.10.109.0 255.255.255.0
object-group service DM_INLINE_TCP_3 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq 3000 
 service-object tcp eq www 
 service-object tcp eq https 
 service-object udp eq 3000 
object-group service DIMDIM-Ports tcp-udp
 description DIMDIM Web Conferencing Server Ports
 port-object eq 1935
 port-object eq 3000
 port-object eq 3478
 port-object range 40000 40001
 port-object eq 5080
 port-object eq 60100
 port-object eq 8009
 port-object eq 8080
 port-object eq 8443
 port-object eq 9999
 port-object eq www
 port-object eq 443
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_4 tcp
 group-object DIMDIM-Ports
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object tcp-udp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_SERVICE_3
 service-object icmp echo-reply
 service-object tcp eq www 
object-group network Firewall_Support_Clients
 network-object host SupportClient02
 network-object host DIMDIM-Private
object-group network DM_INLINE_NETWORK_5
 network-object host SupportClient01
 group-object Firewall_Support_Clients
object-group network DM_INLINE_NETWORK_4
 network-object 10.10.108.0 255.255.255.0
 network-object 10.10.109.0 255.255.255.0
object-group network DM_INLINE_NETWORK_10
 network-object 10.10.101.0 255.255.255.0
 network-object 10.10.102.0 255.255.255.0
 network-object 10.10.103.0 255.255.255.0
 network-object 10.10.104.0 255.255.255.0
 network-object 10.10.109.0 255.255.255.0
object-group network DM_INLINE_NETWORK_11
 network-object 10.10.101.0 255.255.255.0
 network-object 10.10.103.0 255.255.255.0
 network-object 10.10.104.0 255.255.255.0
 network-object 10.10.107.0 255.255.255.0
 network-object 10.10.109.0 255.255.255.0
object-group network DM_INLINE_NETWORK_12
 network-object 10.10.108.0 255.255.255.0
 network-object 10.10.109.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
 network-object 10.10.101.0 255.255.255.0
 network-object 10.10.102.0 255.255.255.0
 network-object 10.10.103.0 255.255.255.0
 network-object 10.10.107.0 255.255.255.0
 network-object 10.10.109.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
 network-object 10.10.102.0 255.255.255.0
 network-object 10.10.103.0 255.255.255.0
 network-object 10.10.104.0 255.255.255.0
 network-object 10.10.107.0 255.255.255.0
 network-object 10.10.109.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
 network-object 10.10.101.0 255.255.255.0
 network-object 10.10.102.0 255.255.255.0
 network-object 10.10.104.0 255.255.255.0
 network-object 10.10.107.0 255.255.255.0
 network-object 10.10.109.0 255.255.255.0
object-group network DM_INLINE_NETWORK_9
 network-object 10.10.101.0 255.255.255.0
 network-object 10.10.102.0 255.255.255.0
 network-object 10.10.103.0 255.255.255.0
 network-object 10.10.104.0 255.255.255.0
 network-object 10.10.107.0 255.255.255.0

access-list VPN-Split extended permit ip 10.10.101.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list VPN-Split extended permit ip 10.10.102.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list VPN-Split extended permit ip 10.10.103.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list VPN-Split extended permit ip 10.10.104.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list VPN-Split extended permit ip 10.10.105.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list VPN-Split extended permit ip object-group DM_INLINE_NETWORK_3 10.10.10.0 255.255.255.0 
access-list VPN-Split extended permit ip object-group DM_INLINE_NETWORK_4 any 
access-list VPN-Split extended permit ip 10.1.10.0 255.255.255.0 any 
access-list VPN-Split extended permit ip 10.10.101.0 255.255.255.0 10.1.10.0 255.255.255.0 
access-list VPN-Split extended permit ip 10.10.10.0 255.255.255.0 any 
access-list VPN-Split extended permit ip 10.10.101.0 255.255.255.0 10.10.109.0 255.255.255.0 
access-list VPN-Split extended permit ip 10.10.104.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list VPN-Split extended permit ip 10.10.103.0 255.255.255.0 object-group DM_INLINE_NETWORK_2 
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 any 
access-list workstation extended permit ip any any 
access-list voice extended permit ip any any 
access-list servers extended permit ip any any 
access-list wireless extended permit ip any any 
access-list dmz extended permit ip any any 
access-list WLANGUEST extended permit ip any any 
access-list WLANDNS extended permit tcp host UTCDNS 10.10.105.0 255.255.255.0 eq domain 
access-list techlab extended permit ip any any 
access-list 107 extended permit ip 10.10.107.0 255.255.255.0 10.10.10.0 255.255.255.0 
access-list UC520_access_in extended permit ip any any 
access-list NEWOUTSIDE_access_in extended permit ip object-group DM_INLINE_NETWORK_5 any 
access-list NEWOUTSIDE_access_in extended permit icmp any any 
access-list NEWOUTSIDE_access_in extended permit tcp any host Self eq https 
access-list NEWOUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_3 any host X.X.149.100 
access-list NEWOUTSIDE_access_in remark time server
access-list NEWOUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_1 any host X.X.149.146 
access-list NEWOUTSIDE_access_in extended permit tcp any host X.X.149.101 object-group DM_INLINE_TCP_2 
access-list NEWOUTSIDE_access_in remark Joomla Dev Web
access-list NEWOUTSIDE_access_in extended permit object-group DM_INLINE_SERVICE_2 any host DevwebPublic 
access-list NEWOUTSIDE_access_in extended permit tcp any host Exch2003Public object-group DM_INLINE_TCP_1 
access-list NEWOUTSIDE_access_in extended permit tcp any host X.X.149.103 eq www 
access-list NEWOUTSIDE_access_in extended permit tcp any host ftpserver-public object-group DM_INLINE_TCP_3 
access-list NEWOUTSIDE_access_in remark DIM DIM WebConference Beta
access-list NEWOUTSIDE_access_in extended permit object-group TCPUDP any host DIMDIM-PUBLIC object-group DIMDIM-Ports 
access-list NEWOUTSIDE_access_in remark DIM DIM WebConference Beta
access-list NEWOUTSIDE_access_in extended permit ip any host DIMDIM-PUBLIC inactive 
access-list NEWOUTSIDE_access_in extended permit ip 10.10.10.0 255.255.255.0 10.10.109.0 255.255.255.0 inactive 
access-list NO_NAT extended permit ip 10.10.10.0 255.255.255.0 10.10.0.0 255.255.0.0 
access-list NO_NAT extended permit ip object-group DM_INLINE_NETWORK_6 10.10.104.0 255.255.255.0 
access-list NO_NAT extended permit ip object-group DM_INLINE_NETWORK_7 10.10.101.0 255.255.255.0 
access-list NO_NAT extended permit ip object-group DM_INLINE_NETWORK_8 10.10.103.0 255.255.255.0 
access-list NO_NAT extended permit ip object-group DM_INLINE_NETWORK_9 10.10.109.0 255.255.255.0 
access-list NO_NAT extended permit ip object-group DM_INLINE_NETWORK_10 10.10.107.0 255.255.255.0 
access-list NO_NAT extended permit ip object-group DM_INLINE_NETWORK_11 10.10.102.0 255.255.255.0 
access-list NO_NAT extended permit ip 10.1.10.0 255.255.255.0 any 
access-list NO_NAT extended permit ip 10.10.10.0 255.255.255.0 any 
access-list NO_NAT extended permit ip object-group DM_INLINE_NETWORK_12 any 
access-list NEWOUTSIDE_cryptomap extended permit ip 10.10.0.0 255.255.0.0 10.10.3.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging emblem
logging buffered warnings
logging trap debugging
logging asdm debugging
logging mail emergencies
logging from-address ASA@UTC.NET
logging recipient-address paco@utc.net level emergencies
logging host Inside_Physical 10.10.101.54
logging host Servers 10.10.104.16
logging class auth mail emergencies 
mtu OldOutside (Not Used) 1500
mtu Inside_Physical 1500
mtu Workstation 1500
mtu Voice 1500
mtu Wireless 1500
mtu Servers 1500
mtu WLANGUEST 1500
mtu SIPGATEWAY 1500
mtu techlab 1500
mtu UC520 1500
mtu dmz 1500
mtu NEWOUTSIDE 1500
mtu management 1500
ip local pool VPNPOOL 10.10.10.1-10.10.10.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
nat-control
global (OldOutside (Not Used)) 1 interface
global (NEWOUTSIDE) 1 interface
global (NEWOUTSIDE) 2 Exch2003Public netmask 255.0.0.0
nat (Inside_Physical) 0 access-list VPN-Split
nat (Inside_Physical) 1 0.0.0.0 0.0.0.0
nat (Workstation) 0 access-list VPN-Split
nat (Workstation) 1 0.0.0.0 0.0.0.0
nat (Voice) 0 access-list VPN-Split
nat (Voice) 1 0.0.0.0 0.0.0.0
nat (Wireless) 0 access-list VPN-Split
nat (Wireless) 1 0.0.0.0 0.0.0.0
nat (Servers) 0 access-list VPN-Split
nat (Servers) 2 mailserver 255.255.255.255
nat (Servers) 1 0.0.0.0 0.0.0.0
nat (WLANGUEST) 0 access-list VPN-Split
nat (WLANGUEST) 1 0.0.0.0 0.0.0.0
nat (techlab) 0 access-list 107
nat (techlab) 1 0.0.0.0 0.0.0.0
nat (UC520) 0 access-list VPN-Split
nat (UC520) 1 0.0.0.0 0.0.0.0
static (Servers,NEWOUTSIDE) tcp Exch2003Public www mailserver www netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp Exch2003Public smtp mailserver smtp netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp Exch2003Public pop3 mailserver pop3 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp Exch2003Public https mailserver https netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp X.X.149.100 www webserver www netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DevwebPublic www DevWebPrivate www netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DevwebPublic 3000 DevWebPrivate 3000 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DevwebPublic https DevWebPrivate https netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp X.X.149.146 www TimeServer www netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp X.X.149.146 https TimeServer https netmask 255.255.255.255 
static (Servers,WLANGUEST) tcp interface domain UTCDNS domain netmask 255.255.255.255 
static (Servers,WLANGUEST) udp interface domain UTCDNS domain netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp ftpserver-public ftp 10.10.104.14 ftp netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp ftpserver-public ftp-data 10.10.104.14 ftp-data netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp X.X.149.101 www supportserver www netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp X.X.149.101 5721 supportserver 5721 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp X.X.149.103 www NagiosServer www netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC www DIMDIM-Private www netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC https DIMDIM-Private https netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC ssh DIMDIM-Private ssh netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 3000 DIMDIM-Private 3000 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 3748 DIMDIM-Private 3478 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 5222 DIMDIM-Private 5222 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 40000 DIMDIM-Private 40000 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 40001 DIMDIM-Private 40001 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 60100 DIMDIM-Private 60100 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 8009 DIMDIM-Private 8009 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 1935 DIMDIM-Private 1935 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 9999 DIMDIM-Private 9999 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 8080 DIMDIM-Private 8080 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 5080 DIMDIM-Private 5080 netmask 255.255.255.255 
static (Servers,NEWOUTSIDE) tcp DIMDIM-PUBLIC 8443 DIMDIM-Private 8443 netmask 255.255.255.255 
static (Workstation,Voice) 10.10.101.0 10.10.101.0 netmask 255.255.255.0 
static (Workstation,Wireless) 10.10.101.0 10.10.101.0 netmask 255.255.255.0 
static (Workstation,Servers) 10.10.101.0 10.10.101.0 netmask 255.255.255.0 
static (Workstation,dmz) 10.10.101.0 10.10.101.0 netmask 255.255.255.0 
static (Voice,Workstation) 10.10.102.0 10.10.102.0 netmask 255.255.255.0 
static (Voice,Wireless) 10.10.102.0 10.10.102.0 netmask 255.255.255.0 
static (Voice,Servers) 10.10.102.0 10.10.102.0 netmask 255.255.255.0 
static (Voice,dmz) 10.10.102.0 10.10.102.0 netmask 255.255.255.0 
static (Wireless,Workstation) 10.10.103.0 10.10.103.0 netmask 255.255.255.0 
static (Wireless,Voice) 10.10.103.0 10.10.103.0 netmask 255.255.255.0 
static (Wireless,Servers) 10.10.103.0 10.10.103.0 netmask 255.255.255.0 
static (Wireless,dmz) 10.10.103.0 10.10.103.0 netmask 255.255.255.0 
static (WLANGUEST,Workstation) 10.10.105.0 10.10.105.0 netmask 255.255.255.0 
static (WLANGUEST,Voice) 10.10.105.0 10.10.105.0 netmask 255.255.255.0 
static (WLANGUEST,dmz) 10.10.105.0 10.10.105.0 netmask 255.255.255.0 
static (WLANGUEST,Wireless) 10.10.105.0 10.10.105.0 netmask 255.255.255.0 
static (WLANGUEST,Servers) 10.10.105.0 10.10.105.0 netmask 255.255.255.0 
static (techlab,Servers) 10.10.107.0 10.10.107.0 netmask 255.255.255.0 
static (techlab,dmz) 10.10.107.0 10.10.107.0 netmask 255.255.255.0 
static (Servers,Workstation) 10.10.104.0 10.10.104.0 netmask 255.255.255.0 
static (Servers,Voice) 10.10.104.0 10.10.104.0 netmask 255.255.255.0 
static (Servers,Wireless) 10.10.104.0 10.10.104.0 netmask 255.255.255.0 
static (Servers,dmz) 10.10.104.0 10.10.104.0 netmask 255.255.255.0 
access-group mailserver in interface OldOutside (Not Used)
access-group workstation in interface Workstation
access-group voice in interface Voice
access-group wireless in interface Wireless
access-group servers in interface Servers
access-group WLANGUEST in interface WLANGUEST
access-group techlab in interface techlab
access-group UC520_access_in in interface UC520
access-group dmz in interface dmz
access-group NEWOUTSIDE_access_in in interface NEWOUTSIDE
route NEWOUTSIDE 0.0.0.0 0.0.0.0 X.X.149.1 2
route OldOutside (Not Used) 0.0.0.0 0.0.0.0 X.X.63.97 3
route UC520 10.1.10.0 255.255.255.0 10.10.109.3 1
route UC520 10.10.108.0 255.255.255.0 10.10.109.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
 reactivation-mode depletion deadtime 2
 max-failed-attempts 5
aaa-server RADIUS (Servers) host 10.10.104.14
 key *****************
aaa-server partnerauth protocol radius
 reactivation-mode depletion deadtime 2
 max-failed-attempts 5
aaa-server partnerauth (Inside_Physical) host 10.10.104.14
 key *****************
eou clientless password *****************
http server enable
http 38.125.91.105 255.255.255.255 NEWOUTSIDE
http 38.105.213.105 255.255.255.255 NEWOUTSIDE
http SupportClient01 255.255.255.255 NEWOUTSIDE
http 10.10.104.0 255.255.255.0 Servers
http 10.10.101.0 255.255.255.0 Workstation
snmp-server host Servers NagiosServer poll community utcread version 2c
snmp-server host Servers 10.10.104.17 poll community utcread
snmp-server location UTC Main Office
no snmp-server contact
snmp-server community utcread
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
auth-prompt prompt You are entering a United Telecomp Protected zone. You may be monitored for security purposes. 
auth-prompt accept I Accept 
auth-prompt reject I Do Not Accept 
crypto ipsec transform-set myset esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map NEWOUTSIDE_map 1 match address NEWOUTSIDE_cryptomap
crypto map NEWOUTSIDE_map 1 set peer SupportClient01 
crypto map NEWOUTSIDE_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map NEWOUTSIDE_map 1 set security-association lifetime seconds 28800
crypto map NEWOUTSIDE_map 1 set security-association lifetime kilobytes 4608000
crypto map NEWOUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map NEWOUTSIDE_map interface NEWOUTSIDE
crypto ca server 
 shutdown
crypto ca certificate map UTCANY 10
crypto isakmp identity hostname 
crypto isakmp enable NEWOUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.10.101.0 255.255.255.0 Workstation
telnet 10.10.104.0 255.255.255.0 Servers
telnet timeout 5
ssh 10.10.101.0 255.255.255.0 Workstation
ssh 10.10.104.0 255.255.255.0 Servers
ssh SupportClient01 255.255.255.255 NEWOUTSIDE
ssh 38.105.213.105 255.255.255.255 NEWOUTSIDE
ssh 38.125.91.105 255.255.255.255 NEWOUTSIDE
ssh timeout 60
console timeout 0
dhcprelay server UTCDNS Servers
dhcprelay enable Workstation
dhcprelay enable Voice
dhcprelay enable Wireless
dhcprelay enable WLANGUEST
dhcprelay enable techlab
dhcprelay timeout 60
priority-queue Inside_Physical
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 250 burst-rate 1200 average-rate 600
ntp server UTCDNS source Servers prefer
webvpn
 enable NEWOUTSIDE
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
 certificate-group-map UTCANY 10 UTCANY
group-policy RADVPN internal
group-policy RADVPN attributes
 wins-server value 10.10.104.2
 dns-server value 10.10.104.2
 vpn-idle-timeout 20
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-lock value RADVPN
 ipsec-udp enable
 ipsec-udp-port 12300
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NO_NAT
 default-domain value corp.utc.net
 webvpn
  homepage none
  svc rekey time none
  svc rekey method ssl
  svc ask none default svc
  customization value DfltCustomization
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
group-policy ANYVPN internal
group-policy ANYVPN attributes
 wins-server value 10.10.104.2 10.10.104.3
 dns-server value 10.10.104.2 10.10.104.3
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout 600
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NO_NAT
 backup-servers keep-client-config
 msie-proxy method no-modify
 address-pools value VPNPOOL
 client-firewall none
 client-access-rule none
 webvpn
  homepage none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  svc compression deflate
  svc modules value vpngina
  svc profiles none
  svc ask none default svc
  customization value DfltCustomization
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
username paco password CVykUmeH7hQftEt6 encrypted privilege 15
username paco attributes
 vpn-group-policy RADVPN
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 password-storage enable
 group-lock none
 webvpn
  file-browsing enable
  file-entry enable
  hidden-shares none
  svc ask enable default webvpn
tunnel-group DefaultRAGroup general-attributes
 address-pool (OldOutside (Not Used)) VPNPOOL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS
tunnel-group RADVPN type remote-access
tunnel-group RADVPN general-attributes
 address-pool VPNPOOL
 authentication-server-group RADIUS
 default-group-policy ANYVPN
tunnel-group RADVPN ipsec-attributes
 pre-shared-key *
tunnel-group UTCANY type remote-access
tunnel-group UTCANY general-attributes
 address-pool (Inside_Physical) VPNPOOL
 address-pool VPNPOOL
 authentication-server-group RADIUS
 authentication-server-group (Servers) RADIUS
 authorization-server-group RADIUS
 default-group-policy RADVPN
 override-account-disable
tunnel-group UTCANY webvpn-attributes
 group-alias ANYVPN enable
tunnel-group X.X.210.144 type ipsec-l2l
tunnel-group X.X.210.144 ipsec-attributes
 pre-shared-key *
!
class-map voip
 match port udp eq sip
class-map type regex match-any DomainBlockList
 match regex BlockedDomainList1
 match regex BlockedDomainList2
class-map type inspect http match-all asdm_medium_security_methods
 match not request method head
 match not request method post
 match not request method get
class-map type inspect http match-all BlockDomainClass
 match request header host regex class DomainBlockList
class-map inspection_default
 match default-inspection-traffic
class-map pptp-port
 match port tcp eq pptp
class-map type inspect http match-all AppHeaderClass
 match response header regex contenttype regex applicationheader
class-map type inspect http match-all asdm_high_security_methods
 match not request method head
 match not request method get
!
!
policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class AppHeaderClass
  drop-connection log
 class BlockDomainClass
  reset log
policy-map type inspect dns MY_DNS_INSPECT_MAP
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect dns MY_DNS_INSPECT_MAP 
policy-map pptp-policy
 class pptp-port
  inspect pptp 
policy-map default
policy-map qos
 class voip
  priority
 class pptp-port
  inspect pptp 
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map default-inspect-traffic
policy-map map
 class inspection_default
  inspect pptp 
!
service-policy global_policy global
service-policy qos interface Workstation
service-policy qos interface Voice
service-policy qos interface Wireless
service-policy qos interface WLANGUEST
smtp-server 10.10.104.10
prompt hostname context 
Cryptochecksum:cd0c6850f51515efc8ec725304f9654a
: end
asdm image disk0:/asdm-61551.bin
asdm location 10.10.10.0 255.255.255.0 OldOutside (Not Used)
asdm location NagiosServer 255.255.255.255 Inside_Physical
asdm location ftpserver-private 255.255.255.255 Inside_Physical
asdm location ftpserver-public 255.255.255.255 Inside_Physical
asdm location Self 255.255.255.255 Inside_Physical
asdm location DIMDIM-PUBLIC 255.255.255.255 Inside_Physical
asdm location DevWebPrivate 255.255.255.255 Inside_Physical
asdm location DevwebPublic 255.255.255.255 Inside_Physical
asdm location DIMDIM-Private 255.255.255.255 Inside_Physical
asdm location TimeServer 255.255.255.255 Inside_Physical
asdm location Time-Server-Public 255.255.255.255 Inside_Physical
asdm location SupportClient02 255.255.255.255 Inside_Physical
no asdm history enable

Appreciate your help..

Best,

P
Question by: pacman_d

7 Comments

Expert Comment

by:torvir
ID: 35025689
You are right that this traffic should never be seen by the firewall at all.
I can see a few hypothetical reasons for the packet arriving at the firewall: either something routes it there, or the firewall answers ARP for the destination address.
1) There could be a static statement about 10.10.104.3 that is turned the wrong way, which would cause the firewall to answer ARP for that IP. (I have looked at the config, but not found any.)
2) The time server could have a wrong subnet mask that does not include 10.10.104.3. (That theory fails because the time server seems to use 10.10.104.1 as the default gateway, and that range also includes 10.10.104.3.)
3) The time server has an explicit route to host 10.10.104.3 that points to next-hop 10.10.104.1. (I don't know why that should be, but it should be investigated anyway.)

Can't think of anything else at the moment.
0
 

Author Comment

by:pacman_d
ID: 35027034
Hey Torvir,

Thanks for chiming in. One thing worth noting is that the time server cannot see anything on the x.104 subnet EXCEPT for the x.1 address.

You mentioned the following:

3) The time server has an explicit route to host 10.10.104.3 that points to next-hop 10.10.104.1 (I don't know why that should be, but that should be investigated anyway)

I am not sure where you saw that explicit route. Could you point it out to me? It could be my problem, but for the life of me I can't seem to find what you are seeing.

Best,

P
0
 
Accepted Solution

by: MikeKane (earned 250 total points)
ID: 35027924
The firewall should never see this packet. This should be handled at layer 2, not layer 3. I think the problem may reside in your switch, not the ASA. Follow my reasoning: the 10.10.104.21 host would broadcast an ARP packet for "Who has 10.10.104.3?" and the .3 host would answer, with the ARP entry going into the .21 host's ARP cache. The firewall is never involved.

I would start with a look at the .21 ARP table (in Windows it's "arp -a"). Does the MAC for the .3 host show up correctly, or is it another MAC?

Look at the switch's MAC addresses (show mac address-table). The MAC for the .3 host should show on the proper port. The ports for both these hosts should belong to the same VLAN as well.

I would clear the ARP cache everywhere, look for static ARP entries and remove them if needed.

0

Assisted Solution

by: torvir (earned 250 total points)
ID: 35028133
I didn't see such a route. It is just a theory that would explain the symptom.
What I mean is that the problem more likely is in the time server itself.
Jump into the server and check the routing with "netstat -nr" and ARP as MikeKane explains.
It's a good start.
0
 

Author Comment

by:pacman_d
ID: 35028587
Good points on both.

I will take a look at the ARP cache and see if I can enumerate anything.

This host was operating without issue for some time.

I have ruled out virus/malware..

I will get back to you today.

Best,

P
0
 

Author Comment

by:pacman_d
ID: 35029485
Hey guys,

So the ARP table basically shows the ASA VLAN GW address as the only entry.

I looked at the routing table and it looks like one of the "yahoos" on the server team dropped a bunch of static routes to the 10.10.x.x subnets while providing a different gateway for internet access.

The statics were to ensure proper routing back to the other subnets. For one moment the server was set to DHCP while allocating another NIC, so the routes provided from DHCP remained persistent even after re-establishing the static settings pointing back to the gateway.

So there were redundant local routes that were causing the issue.

I am a little embarrassed that I did not catch that earlier. I guess I am just spent.

You were both on point and I am glad to see that I am not completely crazy.

You split the points as you both put me back on point.

Best,

P
0
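As an added example (not code from the thread or from either responder), here is the host-side check MikeKane and torvir suggested, written to catch exactly the condition the asker found: parse a Windows-style "route print" / "netstat -nr" IPv4 table, flag entries whose destination lies inside a directly connected subnet but whose next hop is a gateway, and show which next hop the host actually picks for 10.10.104.3 before and after those entries are removed. The route table embedded below is constructed for the example (a host at 10.10.104.21 with a stale 10.10.104.0/24 and a 10.10.104.3/32 route via 10.10.104.1); the longest-prefix-then-lowest-metric selection order is an assumption about the host's forwarding behaviour, and the "On-link" gateway convention is the one Windows uses.

```python
"""Added example: find "redundant local routes" in a host's IPv4 routing table.

A route whose destination lies inside a directly connected subnet but whose
next hop is a gateway sends on-link traffic to that gateway instead of
straight to the neighbour.  On the thread's time server such leftover
entries pushed 10.10.104.x traffic to the ASA sub-interface, which then
logged the 305006 portmap failures.  The table below is constructed for this
example; "On-link" is the Windows `route print` convention.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

ON_LINK = "On-link"


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str      # next-hop IP, or ON_LINK for a directly connected route
    iface: str        # address of the interface the route is bound to
    metric: int


# One row of the "Active Routes" table: destination, netmask, gateway, interface, metric
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed sample in the style of `route print` on a host at 10.10.104.21
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.10.104.1    10.10.104.21      10
        10.10.0.0      255.255.0.0      10.10.104.1    10.10.104.21      11
      10.10.104.0    255.255.255.0      10.10.104.1    10.10.104.21       5
      10.10.104.0    255.255.255.0          On-link     10.10.104.21     266
      10.10.104.3  255.255.255.255      10.10.104.1    10.10.104.21      11
     10.10.104.21  255.255.255.255          On-link     10.10.104.21     266
    10.10.104.255  255.255.255.255          On-link     10.10.104.21     266
        127.0.0.0        255.0.0.0          On-link        127.0.0.1     306
        224.0.0.0        240.0.0.0          On-link        127.0.0.1     306
  255.255.255.255  255.255.255.255          On-link     10.10.104.21     266
"""


def parse_route_print(text: str) -> List[Route]:
    """Extract the IPv4 routes; header and separator lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def connected_subnets(routes: List[Route]) -> List[ipaddress.IPv4Network]:
    """Directly connected networks: on-link routes that are not host or multicast entries."""
    return [r.dest for r in routes
            if r.gateway == ON_LINK and r.dest.prefixlen < 32 and not r.dest.is_multicast]


def find_redundant_local_routes(routes: List[Route]) -> List[Tuple[Route, ipaddress.IPv4Network]]:
    """Routes via a gateway whose destination is inside (or equal to) a connected subnet.

    A supernet such as 10.10.0.0/16 via the gateway is not flagged: longest-prefix
    match still prefers the on-link /24 for local neighbours.
    """
    connected = connected_subnets(routes)
    findings = []
    for r in routes:
        if r.gateway == ON_LINK:
            continue
        for net in connected:
            if r.dest.subnet_of(net):
                findings.append((r, net))
                break
    return findings


def next_hop(routes: List[Route], ip: str) -> Optional[str]:
    """Next hop the host will use: longest prefix first, then lowest metric (assumed order)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.dest]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric))
    return best.gateway


def without(routes: List[Route], bad: List[Tuple[Route, ipaddress.IPv4Network]]) -> List[Route]:
    """The table with the flagged entries removed (what `route delete` would leave)."""
    drop = {r for r, _ in bad}
    return [r for r in routes if r not in drop]


if __name__ == "__main__":
    routes = parse_route_print(SAMPLE_ROUTE_PRINT)
    bad = find_redundant_local_routes(routes)
    for r, net in bad:
        print(f"redundant: {r.dest} via {r.gateway} metric {r.metric} shadows on-link {net}")
    print("10.10.104.3 before cleanup ->", next_hop(routes, "10.10.104.3"))
    print("10.10.104.3 after cleanup  ->", next_hop(without(routes, bad), "10.10.104.3"))
```

Run against a real host, feed it the output of "route print" (or, with the regex adjusted for the Linux column order, "route -n"). Both flagged entries here send local traffic to 10.10.104.1: the /24 copy because its metric of 5 beats the on-link entry's 266, and the /32 host route because it is the longest match regardless of metric. Either one is enough to make the ASA see intra-VLAN packets arrive on its own sub-interface.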
 

Author Closing Comment

by:pacman_d
ID: 35029499
Great help...

Thanks!!!
0
