Solved

How do I allow RDP through the ASA

Posted on 2011-03-22
519 Views
Last Modified: 2012-05-11
Here's the problem. I hired someone to configure my ASA and they left half of the configuration out. I am trying to restore some things. I need to allow RDP back and forth from my network to a network 10.190.0.0.
I think I have the first command

access-list outside_access_in extended permit tcp any interface outside eq 3389

I don't know where I'm going from there.

I'm not sure if I am explaining this correctly. The other network has the server. My people want to connect to it. We always could until the consultant put in the new firewall three days ago. I also need to allow all the people on the 10.190 network to use a Rumba client to access our AS/400.
Question by:jtennyson
14 Comments
 

Author Comment

by:jtennyson
ID: 35193126
By the way, the TS server is not on my network. It is on the 10.190.0.0 network.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35193667
Hi again :)

So still some issues? Lets see.

Where is the 10.190.0.0 network? Looking at the access-list, it's on the outside (?) But it is a private IP range, so it cannot be routed over the internet. And as I look at your configuration (from your previous question) I cannot see a VPN setup to go to such a network. So I think we are missing a lot more here :-~
 

Author Comment

by:jtennyson
ID: 35194372
Can I post my old config and my new config?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35194400
Sure, but I'm afraid I won't be looking into that tonight (it's already way past my bedtime over here :)
 

Author Comment

by:jtennyson
ID: 35194476
That's fine. I'm really grateful for your help. Here they are. We have a Cisco router from the corporate office that is hooked up with our ASA. We are not allowed to get into their router and see the config. Last week we could RDP and they could connect to the AS/400. Now we can do neither. I can ping and traceroute their servers.

Old Config

sh run
: Saved
:
ASA Version 7.2(3)
!
terminal width 175
hostname rgrayfw1
domain-name rgrayclamps.com
enable password Nun3UcVqW2rfvjTT encrypted
names
name 192.168.2.3 Rgrayas4-2
name 192.168.3.3 rgrayas4-3
dns-guard
!
interface Ethernet0/0
 description Internet Interface
 nameif Outside
 security-level 0
 ip address 12.164.177.227 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 description Inside LAN Interface
 nameif Inside
 security-level 100
 ip address 10.153.49.20 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 description DMZ interface
 nameif DMZ
 security-level 50
 ip address 166.57.16.106 255.255.255.248
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 nameif ANX
 security-level 15
 no ip address
 ospf cost 10
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 ospf cost 10
 management-only
!
passwd Nun3UcVqW2rfvjTT encrypted
ftp mode passive
clock timezone CST -6
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 10.153.49.248
 domain-name rgrayclamps.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network og_ip_nat_ANX
 network-object host 166.57.19.124
object-group network outside-NAT
 network-object 12.164.177.234 255.255.255.255
 network-object 12.164.177.235 255.255.255.255

object-group network crypto_map_142_src
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.8.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 10.153.65.0 255.255.255.0
 network-object 10.153.49.0 255.255.255.0
object-group network crypto_map_142_dest
 network-object 10.191.0.0 255.255.0.0
access-list internet extended permit gre host 208.39.171.201 object-group outside-NAT
access-list internet extended permit icmp any any
access-list internet extended permit ip any host 12.164.177.230 inactive
access-list internet extended permit tcp any host 19.5.112.28 eq ftp
access-list internet extended permit tcp any host 19.59.112.44 eq ftp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp host 66.147.136.242 host 12.164.177.228
access-list internet extended permit tcp host 66.147.136.242 host 12.164.177.229
access-list internet extended permit tcp host 66.147.136.242 host 12.164.177.230
access-list internet extended permit tcp any host 12.164.177.226 eq 5632
access-list internet extended permit tcp any host 12.164.177.226 eq www
access-list internet extended permit tcp any host 12.164.177.226 eq pcanywhere-data
access-list internet extended permit tcp any host 12.164.177.226 eq lotusnotes
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended deny tcp any any eq smtp
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.128
access-list any extended permit tcp any host 12.164.177.226 eq www
access-list outside extended permit tcp any host 12.164.177.226 eq www
access-list inside extended permit tcp any host 12.164.177.226 eq www
access-list nonat extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 10.153.49.0 255.255.255.0 10.155.17.0 255.255.255.0
access-list nonat extended permit ip any 192.168.0.0 255.255.255.0
access-list mexico extended permit ip 10.153.49.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list mexico extended permit ip 10.153.49.0 255.255.255.0 10.155.17.0 255.255.255.0
access-list covisint extended permit ip host 68.250.60.229 host 64.37.249.63
access-list OUT_IN extended permit udp any any eq 2061
access-list OUT_IN extended permit udp any any eq 2062
access-list OUT_IN extended permit udp any any eq 2063
access-list OUT_IN extended permit udp any any eq 2064
access-list OUT_IN extended permit udp any any eq 2065
access-list OUT_IN extended permit udp any any eq 535
access-list OUT_IN extended permit udp any any eq isakmp
access-list OUT_IN extended permit udp any any eq 4500
access-list OUT_IN extended permit udp any any eq 2070
access-list OUT_IN extended permit tcp any any eq 1443
access-list IN_OUT extended permit udp any any eq 2060
access-list IN_OUT extended permit udp any any eq 2061
access-list IN_OUT extended permit udp any any eq 2062
access-list IN_OUT extended permit udp any any eq 2063
access-list IN_OUT extended permit udp any any eq 2064
access-list IN_OUT extended permit udp any any eq 2065
access-list IN_OUT extended permit udp any any eq 535
access-list IN_OUT extended permit udp any any eq isakmp
access-list IN_OUT extended permit udp any any eq 4500
access-list IN_OUT extended permit udp any any eq 2070
access-list IN_OUT extended permit tcp any any eq 1443
access-list IN_OUT extended permit udp any any eq 443
access-list IN_OUT extended permit tcp any any eq https
access-list IN_OUT extended permit udp any any eq 433
access-list IN_OUT extended permit tcp any any eq 433
access-list rgrayvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.49.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_out extended permit gre any host 208.39.171.201
access-list inside_out extended permit ip any any
access-list outside_cryptomap_142 extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
access-list cap1 extended permit ip any 10.190.0.0 255.255.0.0
access-list cap1 extended permit ip 10.190.0.0 255.255.0.0 any
access-list cap1 extended permit ip 192.168.8.0 255.255.255.0 any
access-list cap1 extended permit ip any 192.168.8.0 255.255.255.0
pager lines 30
logging enable
logging timestamp
logging buffered warnings
logging trap debugging
logging asdm informational
logging device-id ipaddress Inside
logging permit-hostdown
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu ANX 1500
mtu management 1500
ip local pool rgray_vpn 192.168.0.1-192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 12.164.177.253
global (Outside) 2 12.164.177.234
global (Outside) 3 12.164.177.235
global (Outside) 4 12.164.177.236
global (Outside) 5 12.164.177.237
global (DMZ) 1 166.57.16.107-166.57.16.110 netmask 255.255.255.248
global (DMZ) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.153.49.0 255.255.255.0
nat (Inside) 2 192.168.2.0 255.255.255.0
nat (Inside) 3 192.168.3.0 255.255.255.0
nat (Inside) 4 192.168.8.0 255.255.255.0
static (Inside,Outside) 68.250.60.229 192.168.2.10 netmask 255.255.255.255
static (Inside,Outside) 12.164.177.229 Rgrayas4-2 netmask 255.255.255.255
static (Inside,Outside) 12.164.177.226 192.168.1.9 netmask 255.255.255.255
static (Inside,Outside) 12.164.177.230 192.168.3.10 netmask 255.255.255.255
access-group internet in interface Outside
access-group inside_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 12.164.177.225 1
route Outside 192.168.4.0 255.255.255.0 200.67.91.52 254
route Inside 192.168.4.5 255.255.255.255 10.153.49.150 1
route Inside 192.168.3.0 255.255.255.0 10.153.49.5 1
route Inside 192.168.1.0 255.255.255.0 10.153.49.5 1
route Inside 10.153.65.0 255.255.255.0 10.153.49.151 1
route Inside 192.168.8.0 255.255.255.0 10.153.49.151 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 Inside
http 10.153.49.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set rgraycorp esp-3des esp-sha-hmac
crypto ipsec transform-set positive esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set esp-3des-md5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set rgraycorp
crypto map outside_map 1 match address mexico
crypto map outside_map 1 set peer 200.67.91.52
crypto map outside_map 1 set transform-set positive
crypto map outside_map 50 match address covisint
crypto map outside_map 50 set peer 64.37.198.169
crypto map outside_map 50 set transform-set esp-3des-md5
crypto map outside_map 80 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 142 match address outside_cryptomap_142
crypto map outside_map 142 set peer 80.150.99.5
crypto map outside_map 142 set transform-set positive
crypto map outside_map 142 set security-association lifetime kilobytes 86400
crypto map outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.0.0 255.255.0.0 Inside
telnet 192.168.3.0 255.255.255.0 Inside
telnet 10.153.49.0 255.255.255.0 Inside
telnet timeout 5
ssh 67.167.38.146 255.255.255.255 Outside
ssh 196.40.16.140 255.255.255.255 Outside
ssh 72.15.59.0 255.255.255.0 Outside
ssh 192.168.0.0 255.255.248.0 Inside
ssh 10.153.49.0 255.255.255.0 Inside
ssh timeout 60
console timeout 0
management-access Inside
l2tp tunnel hello 300
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect pptp
!
service-policy global_policy global
ntp server 67.205.85.196
ntp server 204.9.136.253
tftp-server ANX 192.168.3.13 /bgasa
webvpn
 enable Outside
 url-list Test "Test URL" http://www.google.com 1
 port-forward Test_TELNET 23999 192.168.1.21 telnet Telnet to 21
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 10.153.49.101
 dns-server value 10.153.49.248 10.153.49.101
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
 vpn-group-policy rgrayvpn
tunnel-group DefaultWEBVPNGroup general-attributes
 authorization-server-group LOCAL
tunnel-group 69.150.244.66 type ipsec-l2l
tunnel-group 69.150.244.66 ipsec-attributes
 pre-shared-key *
tunnel-group 64.37.198.169 type ipsec-l2l
tunnel-group 64.37.198.169 ipsec-attributes
 pre-shared-key *
tunnel-group 204.13.121.9 type ipsec-l2l
tunnel-group 204.13.121.9 ipsec-attributes
 pre-shared-key *
tunnel-group rgray_vpn type ipsec-ra
tunnel-group rgray_vpn general-attributes
 address-pool rgray_vpn
 default-group-policy rgray_vpn
tunnel-group rgray_vpn ipsec-attributes
 pre-shared-key *
tunnel-group rgrayvpn type ipsec-ra
tunnel-group rgrayvpn general-attributes
 address-pool rgray_vpn
 default-group-policy rgrayvpn
tunnel-group rgrayvpn ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group 200.67.91.52 type ipsec-l2l
tunnel-group 200.67.91.52 ipsec-attributes
 pre-shared-key *
tunnel-group 80.150.99.5 type ipsec-l2l
tunnel-group 80.150.99.5 ipsec-attributes
 pre-shared-key *
prompt hostname context

New Config

sh run
: Saved
:
ASA Version 8.2(4)
!
terminal width 160
hostname ArlingtonHeights-ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 12.204.121.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.153.49.20 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa824-k8.bin
ftp mode passive
access-list vpn1 extended permit ip 10.153.50.0 255.255.255.0 10.153.49.0 255.255.255.0
access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list juarez_vpn extended permit ip 10.153.49.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list juarez_vpn extended permit ip 10.153.49.0 255.255.255.0 10.155.17.0 255.255.255.0
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.50.0 255.255.255.0
access-list rgrayvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.248.0
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.49.0 255.255.255.0
access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp any host 12.204.121.3 eq lotusnotes
access-list internet extended permit tcp any host 12.204.121.3 eq www
access-list any extended permit tcp any host 12.204.121.3 eq www
access-list outside extended permit tcp any host 12.204.121.3 eq www
access-list inside extended permit tcp any host 12.204.121.3 eq www
pager lines 40
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool rgray_vpn 192.168.0.1-192.168.0.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 12.204.121.3 10.153.49.9 netmask 255.255.255.255
access-group internet in interface outside
route outside 0.0.0.0 0.0.0.0 12.204.121.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.153.50.0 255.255.255.0 inside
http 10.153.49.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set set1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set set1
crypto map map1 10 match address vpn1
crypto map map1 10 set peer 12.164.177.227
crypto map map1 10 set transform-set set1
crypto map map1 20 match address juarez_vpn
crypto map map1 20 set peer 200.67.91.52
crypto map map1 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map map1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet 10.153.50.0 255.255.255.0 inside
telnet 10.153.49.0 255.255.255.0 inside
telnet timeout 30
ssh 12.164.177.253 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.153.49.248 10.153.49.101
dhcpd domain corp.rgrayclamps.com
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 wins-server value 10.153.49.101
 dns-server value 10.153.49.248 10.153.49.101
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
group-policy rgrayvpn internal
group-policy rgrayvpn attributes
 wins-server value 10.153.49.101
 dns-server value 10.153.49.248 10.153.49.101
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value rgrayvpn_splitTunnelAcl
 default-domain value corp.rgrayclamps.com
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35196835
Are you sure it's the 10.190.0.0 network? I can't find any reference in either of the configs, except for an access list that isn't used (?)
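The check the expert performs by eye above (is 10.190.0.0 referenced anywhere, and is the access-list that mentions it actually applied?) can be scripted. The following is an added example written for this page, not code from the thread or from Cisco. It takes constructed excerpts of the two posted configurations, with the `access-list outside_access_in ... eq 3389` line from the question appended to the new excerpt, and reports which ACLs are defined but never bound, which ACEs mention a given prefix, and, going a step beyond the question, which ACEs permit RDP from any source and which management lines (`ssh`, `telnet`, `http`) are open to 0.0.0.0/0. The set of binding points it recognises (access-group, nat 0 access-list, crypto map match address, split-tunnel-network-list) is an assumption that covers the constructs seen in these two configs; other consumers such as vpn-filter are not handled.

```python
import re
from collections import defaultdict

# Constructed sample input: excerpts of the two configurations posted above
# (old rgrayfw1, new ArlingtonHeights-ASA), trimmed to the lines that matter,
# with the access-list proposed in the question appended to the new excerpt.
OLD_CONFIG = """\
access-list internet extended permit tcp any host 12.164.177.226 eq www
access-list nonat extended permit ip object-group crypto_map_142_src object-group crypto_map_142_dest
access-list mexico extended permit ip 10.153.49.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_out extended permit ip any any
access-list cap1 extended permit ip any 10.190.0.0 255.255.0.0
access-list cap1 extended permit ip 10.190.0.0 255.255.0.0 any
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.49.0 255.255.255.0
nat (Inside) 0 access-list nonat
access-group internet in interface Outside
access-group inside_out in interface Inside
crypto map outside_map 1 match address mexico
ssh 10.153.49.0 255.255.255.0 Inside
"""

NEW_CONFIG = """\
access-list vpn1 extended permit ip 10.153.50.0 255.255.255.0 10.153.49.0 255.255.255.0
access-list nonat extended permit ip 10.153.49.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list internet extended permit tcp any host 12.204.121.3 eq www
access-list rgrayvpn_splitTunnelAcl standard permit 10.153.49.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 3389
nat (inside) 0 access-list nonat
access-group internet in interface outside
crypto map map1 10 match address vpn1
group-policy rgrayvpn attributes
 split-tunnel-network-list value rgrayvpn_splitTunnelAcl
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s")
# Places an ACL name is consumed on ASA 7.x/8.2. Assumption: these are the
# binding points that matter for the configs above; vpn-filter etc. are not covered.
BINDING_RES = (
    ("access-group", re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+\S+")),
    ("nat-exempt", re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")),
    ("crypto-map", re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)")),
    ("split-tunnel", re.compile(r"^\s*split-tunnel-network-list value\s+(\S+)")),
)
RDP_ANY_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+tcp\s+any\s+.*\beq\s+3389\b")
MGMT_ANY_RE = re.compile(r"^(ssh|telnet|http)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)")


def parse(config):
    """Return ({acl_name: [ace lines]}, {acl_name: [binding kinds]})."""
    aces, bound = defaultdict(list), defaultdict(list)
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces[m.group(1)].append(line.strip())
            continue
        for kind, rx in BINDING_RES:
            m = rx.match(line)
            if m:
                bound[m.group(1)].append(kind)
    return aces, bound


def unbound_acls(config):
    """ACLs that are defined but never applied anywhere: dead config."""
    aces, bound = parse(config)
    return sorted(name for name in aces if name not in bound)


def references(config, prefix):
    """(acl_name, is_bound) for every ACE that names `prefix` as a token."""
    aces, bound = parse(config)
    return [(name, name in bound)
            for name, lines in aces.items()
            for line in lines if prefix in line.split()]


def rdp_from_anywhere(config):
    """(acl_name, is_bound) for ACEs that permit TCP/3389 from source `any`."""
    _, bound = parse(config)
    return [(m.group(1), m.group(1) in bound)
            for m in map(RDP_ANY_RE.match, config.splitlines()) if m]


def mgmt_from_anywhere(config):
    """(protocol, interface) for management access opened to 0.0.0.0/0."""
    return [(m.group(1), m.group(2))
            for m in map(MGMT_ANY_RE.match, config.splitlines()) if m]


if __name__ == "__main__":
    for label, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        print(label, "unbound:", unbound_acls(cfg))
        print(label, "10.190.0.0 refs:", references(cfg, "10.190.0.0"))
        print(label, "RDP from any:", rdp_from_anywhere(cfg))
        print(label, "mgmt from any:", mgmt_from_anywhere(cfg))
```

Run against the excerpts, the old config shows 10.190.0.0 only in `cap1`, which is never bound (a capture filter), and the new config shows no reference at all, which is the expert's finding. The proposed `outside_access_in` line is flagged twice: it is not bound to any interface, so it has no effect, and even if it were, it would admit RDP from any Internet host rather than from the 10.190.0.0 peer. The management check also surfaces `ssh 0.0.0.0 0.0.0.0 outside` from the posted new config, which permits SSH to the firewall from any address on the Internet.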
 

Author Comment

by:jtennyson
ID: 35198002
Maybe it is not a problem in the firewall then.  Maybe the problem is with the configuration on their VPN router that we are not allowed to look at?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35198079
Well the thing is that as I said, I can't find anything in your config. And there has to be (one way or another).
Because the range 10.190.0.0 can't be routed over the internet I assume there should be a VPN setup in your firewall for accessing that network OR a route to the inside (just like we resolved your previous question).
So to get this working we need to know where the network is and how we are supposed to get to it (routing, vpn, etc.)
 

Author Comment

by:jtennyson
ID: 35198252
If you can't see anything in the old config, then I have to believe it is their VPN router that is moving the traffic.  I don't think we did anything to the asa when they sent that router to be set up.  Here is how it is set up.
new2.pdf
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35198532
Ehr, looking at the pdf and the configs I have a question.

You were talking about an old and new config, but it looks to me that those are configurations of two different ASAs (?)
one: hostname ArlingtonHeights-ASA, and two: hostname rgrayfw1

Could you check that?
 

Author Comment

by:jtennyson
ID: 35199654
We just moved our office. The old config is from the ASA we used before the move. The new config is from the ASA we are using at the new office. It was supposed to be configured to do everything the other ASA did.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35201803
I think we need a lot more information here. Looking at the IP addresses in the pdf, it seems that those are from the old situation. So we need to figure out what they are now.
The Cisco router has been reconfigured for your new location, I assume? So what is it supposed to do, where does it connect to and from what addresses should it do that? Did they give you any info/docs regarding that?
The dell switch is also still in place? Any specific setup on that (routes, vlans, etc)?

We first need to figure out how everything is connected now before we can start fixing things.

So try to get as much info as you can and post as much as possible or as much as you are willing/able to (sanitized of course).
 

Author Closing Comment

by:jtennyson
ID: 35203468
You are the best. You helped me through all of this. This last problem, I had a cable in the wrong place. I may be posting more questions.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35204729
Good job! (again ;)
More challenges?  Keep em coming :)
I'll look out for them and see if I can assist you again.
