Multiple on IPs ASA 5505

Posted on 2011-04-25
Medium Priority
Last Modified: 2012-06-21
Hello, yesterday I ran into my first Cisco ASA router. Wow! this thing is different than standard Cisco routers. I need to assign another IP address to the wan interface. I've read online that ASA appliances don't support multiple IP address on a single ethernet port so whoever set up this router initially did something magical. From the outside I can only ping the single IP address that is assigned to the interface but it passes traffic on 7 IP address.

I did the smart thing and just duplicated the settings from the other working ip addresses in the running config but I still can't telnet through that IP on port 80. I can telnet in on all addresses except 191 which is the new address I'm trying to configure. Do you have an idea why I'm not able to pass traffic on the new IP address?

Here is my running config off of the router:

cldwll-idea# sho run
: Saved
ASA Version 8.0(2)
hostname cldwll-idea
domain-name relyonidea.local
enable password sLGA68k9DwGKe7jC encrypted
name idea-mail description idea-mail
name CE-Email-Filter description CE-Email-Filter
name idea-alpha description
name construction.solesource.com description construction.solesourc                                                                             e.com
name idea-webserver description idea-webserver
name ideaautobody.com description ideaautobody.com
name ideaautorepair.com description ideaautorepair.com
name trucks.solesource.com description trucks.solesource.com
name vets.solesource.com description vets.solesource.com
name idea-iowa-inside description idea iowa
name idea-caldwell-vpn
name Craig-Home
name Loretta-Home
name hp3000 description hp3000
name Derek-Home description Derek-Home
name Bryan-Home
name test.ideaautobody.com
interface Ethernet0/0
 nameif filter
 security-level 100
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address
interface Management0/0
 no nameif
 security-level 0
 no ip address
passwd sLGA68k9DwGKe7jC encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name relyonidea.local
object-group service rdp tcp
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
 network-object host
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group network DirectEcometryAccess
 description DirectEcometryAccess
 network-object host
 network-object host Craig-Home
 network-object host Loretta-Home
 network-object host Derek-Home
object-group service EcometryTCP tcp
 port-object range 1537 1570
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service PaymentProcessesing tcp-udp
 port-object eq 4500
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_nat_outbound extended permit ip any
access-list CLDWLL_IDEA_VPN_splitTunnelAcl standard permit
access-list outside_1_cryptomap extended permit ip idea-iowa-inside
access-list outside_access_in extended permit icmp any any timestamp-reply
access-list outside_access_in extended permit icmp any any timestamp-request
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit ip CE-Email-Filter host
access-list outside_access_in remark TEMPORARY SMTP
access-list outside_access_in extended permit tcp any host object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip object-group DirectEcometryAccess host
access-list outside_access_in extended permit ip CE-Email-Filter host
access-list outside_access_in remark TEMPORARY SMTP
access-list outside_access_in extended permit object-group TCPUDP any any object-group PaymentProcessesing
access-list outside_access_in remark TEMPORARY SMTP
access-list Inside_nat0_outbound extended permit ip idea-caldwell-vpn
access-list Inside_nat0_outbound extended permit ip idea-iowa-inside
access-list inside_access_in extended permit ip any any
access-list filter_access_in extended permit ip any
access-list filter_nat_outbound extended permit ip any
access-list outside_cryptomap extended permit ip idea-iowa-inside
pager lines 24
logging enable
logging buffered warnings
logging asdm warnings
mtu filter 1500
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL idea-caldwell-vpn- mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (filter) 1 access-list filter_nat_outbound
nat (inside) 0 access-list Inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound
static (inside,outside) ideaautobody.com netmask
static (inside,outside) idea-mail netmask
static (inside,outside) ideaautorepair.com netmask
static (inside,outside) vets.solesource.com netmask
static (inside,outside) trucks.solesource.com netmask
static (inside,outside) construction.solesource.com netmask
static (inside,outside) idea-webserver netmask
static (inside,outside) hp3000 netmask
static (inside,outside) idea-alpha netmask
static (inside,outside) test.ideaautobody.com netmask
access-group filter_access_in in interface filter
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http idea-caldwell-vpn inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map newmap 100 set transform-set ESP-3DES
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
crypto isakmp ipsec-over-tcp port 10000
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
service-policy global_policy global
ntp server idea-alpha source inside prefer
ntp server source inside prefer
group-policy DfltGrpPolicy attributes
 dns-server value
 vpn-idle-timeout none
 split-tunnel-network-list value CLDWLL_IDEA_VPN_splitTunnelAcl
group-policy CLDWLL_IDEA_VPN internal
group-policy CLDWLL_IDEA_VPN attributes
 dns-server value
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CLDWLL_IDEA_VPN_splitTunnelAcl
 default-domain value relyonidea.local
username sbrown password YvTsu9Q7hZPk0ACP encrypted
username sbrown attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username sallen password 5f8OMqoVGh7Us0mH encrypted
username sallen attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username dposton password rAOLc0iK8y6XyiJF encrypted
username pduncan password 0oWEidRdSztOOvOD encrypted
username pduncan attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username cfuelling password KrtQ5fVeb/38Skx5 encrypted
username cfuelling attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username ecometry password or5A7JBP8Xw2jWuE encrypted
username ecometry attributes
 vpn-group-policy CLDWLL_IDEA_VPN
username ecomgerry password E5FqJ/usOdMz9Vna encrypted
username ecomgerry attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username gp-julie password BB8AxcWKn4VnSqt6 encrypted
username gp-julie attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username jmcconnell password 1riayY1x0rV67JJm encrypted
username jmcconnell attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username jbrinker password WaeXaQr/FODhzU2W encrypted
username jbrinker attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username dleavitt password zO3MMbSAo50sAF1g encrypted
username dleavitt attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 vpn-idle-timeout none
 vpn-session-timeout none
 service-type remote-access
username rhunter password 7VsTw02XFZJCe4jX encrypted
username rhunter attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username akrebsbach password FlpmfC.HJLJEGVIU encrypted
username akrebsbach attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username akiser password Xm21Zolm069OhTVe encrypted
username akiser attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username snapshot password iAdWR0Op5JaacXPo encrypted
username snapshot attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username mpfohl password KMO37pxZwt9nk/oK encrypted
username mpfohl attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username blehr password Xfk6IBL2p0Z0fzcL encrypted
username blehr attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username lstanwood password RYvxEnN/L/V7kYnn encrypted
username lstanwood attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username clehr password iMT3LSLmqbXpRdys encrypted
username clehr attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username clalley password 424QeynfgiIj8nE8 encrypted
username clalley attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
username ghowser password kHZ52VeipXTjH080 encrypted
username ghowser attributes
 vpn-group-policy CLDWLL_IDEA_VPN
 service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 4
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 4
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 4
tunnel-group CLDWLL_IDEA_VPN type remote-access
tunnel-group CLDWLL_IDEA_VPN general-attributes
 address-pool VPN-POOL
 authorization-server-group LOCAL
 default-group-policy CLDWLL_IDEA_VPN
tunnel-group CLDWLL_IDEA_VPN ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 4
tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy CLDWLL_IDEA_VPN
tunnel-group ipsec-attributes
 pre-shared-key *
prompt hostname context
: end
Question by:David11011
  • 3
  • 2
LVL 35

Expert Comment

by:Ernie Beek
ID: 35461024
First thing, and sorry for this but I'm going to shout:

AN ASA IS NOT A ROUTER!!!!!!!!!!!!!!!!!!!!!!!

It's a firewall. It doesn't run IOS but Finese (or now just known as ASA OS).
So please do not ever make the mistake to see a firewall as a router. The two have quite different sets of functionality.

Ok, now to your question.

The static looks ok but it looks you need another access list entry.

Try adding:
access-list outside_access_in extended permit tcp any host eq 80

That should open up port 80 to the machine on the inside.
LVL 35

Expert Comment

by:Ernie Beek
ID: 35461030

Sorry for shouting at you ;)

Author Comment

ID: 35461249
Lol. No hard feelings about the shouting. Thanks for the clarification.

If you look at DM_INLINE_NETWORK_1 you'll see that is included in the list.
And the object group DM_INLINE_TCP_2 contains the port objects www and https.

"access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2"
This line is allowing incoming traffic on all the IPs included in the DM_INLINE_NETWORK object group. It is working for all the objects in the group except the 191 address.

This may sound like a stupid question, but, while I'm not new to Cisco routers and switches, these ASA firewalls are a whole new beast to tackle. I don't need to restart to apply the changes or do something ridiculous like that do I?
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

LVL 35

Expert Comment

by:Ernie Beek
ID: 35461938
Well, no restart. Changes are effective immediatly.
You might want to issue a clear xlate and see if that helps.
(Sorry, haven't got the time to go through the config again at the moment)

Accepted Solution

kellemann earned 2000 total points
ID: 35465563
Your config looks solid, but just to make sure please use the command below to verify that the firewall itself isn't blocking the traffic:

packet-tracer input outside tcp 8888 80 detailed

You should end up with an "allowed" action. If not, please post the output of the packet-tracer command.

Btw if you are new to the ASA, that command is your new best friend. It does a simulation of the stated traffic and shows what it would have done with it. In this test we send traffic from the outside from ip source port 8888 to your problematic ip on port 80.

Author Comment

ID: 35467603
Thanks for all of your help folks. I got the problem resolved. I used the packet-tracer utility which, by the way, is amazing! All of the steps in the trace returned as "Allowed".

I thought that this seemed really odd, so I broke down and restarted the firewall. ugh... everyone's disconnected from the VPN, websites are down, blah blah blah.. here comes the emails...*ring ring* David says, "no everything is fine, just regular maintenance"... ...  anyway, all of that aside. when it finished restarting it worked fine.

Must have just been bugged this whole time. Apparently restarts fix everything.

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question