ditobot
asked on
Cisco ASA 5515X basic configuration problems ASA 8.6(1)
I am upgrading an old PIX 515E firewall to an ASA 5515X and the new IOS is giving me some problems. I know the changes aren't that earth-shattering, but I am having trouble getting the device to pass internet traffic at all. My only concern is that I added a VPN setup, and with it there were some group policies added which may or may not affect my other NAT settings. I usually use the CLI for everything, but I was thumbing around in the GUI to try and get this to work, so if my config looks sloppy it's probably because the GUI added the verbiage.
This is almost embarrassing because I'm sure I'm missing one line or have added a counterproductive line to my config but I am not seeing it.
My outside gateway is X.Y.2.1 in this case and my inside network is 10.0.0.0 255.0.0.0 (or 10.1.19.x for most of my business network). I also have a block of 100 static IPs on the X.Y.2.1 scheme.
The commands below are the ones that I think are necessary for outside access, but obviously something is wrong, and below that I will post my entire config in case I am killing my NAT elsewhere by accident. Any help would be greatly appreciated.
Pertinent Config info:
ASA Version 8.6(1)
object network inside-net
subnet 10.0.0.0 255.0.0.0
object network inside-net
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.Y.2.1 1
route inside 10.0.0.0 255.0.0.0 10.1.19.1 1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 10.1.19.0 255.255.255.0 any
access-list inside_access_in extended permit tcp object Company-mail-server-1 any eq smtp
access-list inside_access_in extended deny tcp 10.1.19.0 255.255.255.0 any eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit tcp any host X.Y.2.2 eq https
access-list outside_in extended permit tcp any host X.Y.2.2 eq www
access-list outside_in extended permit tcp any host X.Y.2.2 eq 993
access-list outside_in extended permit tcp any host X.Y.2.2 eq 465
access-list outside_in extended permit tcp any host X.Y.2.2 eq smtp
access-list outside_in extended permit tcp any host X.Y.2.22 eq 3389
access-list outside_in extended permit udp any host X.Y.2.22 eq 3389
access-list outside_in extended permit tcp any host X.Y.2.5 eq 5900
access-list outside_in extended permit tcp any host X.Y.2.6 eq 5900
access-list outside_in extended permit tcp any host X.Y.2.6 eq 5800
access-list outside_in extended permit tcp any host X.Y.2.7
access-list outside_in extended permit tcp any host X.Y.2.8
access-list outside_in extended permit tcp any host X.Y.2.9
access-list outside_in extended permit udp any host X.Y.2.9
access-list outside_in extended permit tcp any host X.Y.2.10 eq telnet
access-list outside_in extended permit tcp any host X.Y.2.11 eq telnet
access-list outside_in extended permit tcp any host X.Y.2.23
access-list outside_in extended permit udp any host X.Y.2.23
access-list outside_in extended permit tcp any host X.Y.2.3 eq ftp
access-list outside_in extended permit tcp any host X.Y.2.14 eq 5800
access-list outside_in extended permit tcp any host X.Y.2.14 eq 5900
access-list outside_in extended permit udp any host X.Y.2.7
access-list outside_in extended permit udp any host X.Y.2.8
access-list outside_in extended permit tcp any host X.Y.2.13
access-list outside_in extended permit udp any host X.Y.2.13
access-list outside_in extended permit tcp any host X.Y.2.15
access-list outside_in extended permit udp any host X.Y.2.15
access-list outside_in extended deny icmp any any
Entire Configuration:
ASA Version 8.6(1)
!
hostname Company-5515x-mdf1
domain-name DOMAIN_A
enable password XCbZD7hp/.NcVa5C encrypted
passwd XCbZD7hp/.NcVa5C encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.1.19.75 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address X.Y.2.50 255.255.255.128
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa861-smp-k8.bin
ftp mode passive
clock timezone MST -7
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.1.19.2
domain-name DOMAIN_A
object network Company-mail-server-1
host 10.1.19.6
description Exchange Server
object network external-mail-ip-address
host X.Y.2.2
description External IP address for Mail Server
object network Company-ftp-server-1
host 10.1.19.3
description Primary FTP server
object network Company-terminal-server-1
host 10.1.19.8
description Primary CITY Terminal Server
object network Company_A-Omnia-Processor
host 10.11.19.49
description Company_A Omnia Processor at TX site
object network Company_B-Omnia-Processor
host 10.11.19.39
description Company_B Omnia Processor at TX site
object network Company_C-Omnia-Processor
host 10.11.19.48
description Company_C Omnia Processor at TX site
object network Company-ftp-pub-app-server-1
host 10.1.19.9
description Server 2008 ftp - published application server
object network Business-IP-Range
range 10.1.19.0 10.1.19.254
object network Company_A-Stream-PC
host 10.1.19.18
object network Company_B-Stream-PC
host 10.1.19.19
object network Company_C-Stream-PC
host 10.1.19.17
object network external-Company_A-stream-address
host X.Y.2.6
description External Address for Company_A Stream PC
object network external-Company_B-stream-address
host X.Y.2.5
description External Address for Company_B Stream PC
object network external-Company_C-stream-address
host X.Y.2.14
description External Address for Company_C Stream PC
object network Company_C-studio-IP-camera
host 10.1.19.43
description Company_C Air Studio IP camera
object network VOIP-IP-Range
range 10.21.19.0 10.21.19.254
description VOIP IP Address Range
object network external-Company_A-omnia-ip-address
host 62.234.2.11
description External IP for Company_A Omnia processor at TX site
object network external-Company_B-omnia-ip-address
host X.Y.2.10
description External IP for Company_B Omnia processor at TX site
object network Company-audio-server-1
host 10.11.19.2
description CITY primary audio server
object network Company-audio-server-2
host 10.11.19.100
description CITY secondary audio server
object network NETWORK_OBJ_10.7.7.128_26
subnet 10.7.7.128 255.255.255.192
object network inside-net
subnet 10.0.0.0 255.0.0.0
object-group network outbound-allowable-ports
network-object object Business-IP-Range
network-object object VOIP-IP-Range
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq 3389
service-object tcp destination eq 4002
service-object tcp destination eq 4009
service-object tcp destination eq 4010
service-object tcp destination eq 4011
service-object tcp destination eq 8000
service-object tcp destination eq 8443
service-object tcp destination eq 8800
service-object tcp destination eq 9901
service-object tcp destination eq 9902
service-object tcp destination eq 9903
service-object tcp destination eq citrix-ica
service-object tcp destination eq echo
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq nntp
service-object tcp destination eq ssh
service-object udp destination eq ntp
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 10.1.19.0 255.255.255.0 any
access-list inside_access_in extended permit tcp object Company-mail-server-1 any eq smtp
access-list inside_access_in extended deny tcp 10.1.19.0 255.255.255.0 any eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit tcp any host X.Y.2.2 eq https
access-list outside_in extended permit tcp any host X.Y.2.2 eq www
access-list outside_in extended permit tcp any host X.Y.2.2 eq 993
access-list outside_in extended permit tcp any host X.Y.2.2 eq 465
access-list outside_in extended permit tcp any host X.Y.2.2 eq smtp
access-list outside_in extended permit tcp any host X.Y.2.22 eq 3389
access-list outside_in extended permit udp any host X.Y.2.22 eq 3389
access-list outside_in extended permit tcp any host X.Y.2.5 eq 5900
access-list outside_in extended permit tcp any host X.Y.2.6 eq 5900
access-list outside_in extended permit tcp any host X.Y.2.6 eq 5800
access-list outside_in extended permit tcp any host X.Y.2.7
access-list outside_in extended permit tcp any host X.Y.2.8
access-list outside_in extended permit tcp any host X.Y.2.9
access-list outside_in extended permit udp any host X.Y.2.9
access-list outside_in extended permit tcp any host X.Y.2.10 eq telnet
access-list outside_in extended permit tcp any host X.Y.2.11 eq telnet
access-list outside_in extended permit tcp any host X.Y.2.23
access-list outside_in extended permit udp any host X.Y.2.23
access-list outside_in extended permit tcp any host X.Y.2.3 eq ftp
access-list outside_in extended permit tcp any host X.Y.2.14 eq 5800
access-list outside_in extended permit tcp any host X.Y.2.14 eq 5900
access-list outside_in extended permit udp any host X.Y.2.7
access-list outside_in extended permit udp any host X.Y.2.8
access-list outside_in extended permit tcp any host X.Y.2.13
access-list outside_in extended permit udp any host X.Y.2.13
access-list outside_in extended permit tcp any host X.Y.2.15
access-list outside_in extended permit udp any host X.Y.2.15
access-list outside_in extended deny icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 10.7.7.151-10.7.7.175 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
!
object network Company-mail-server-1
nat (inside,outside) static external-mail-ip-address
object network Company_A-Omnia-Processor
nat (any,any) static external-Company_A-omnia-ip-address
object network Company_B-Omnia-Processor
nat (any,any) static external-Company_A-omnia-ip-address
object network inside-net
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.Y.2.1 1
route inside 10.0.0.0 255.0.0.0 10.1.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map ACCESSMAP
map-name msNPAllowDialin IETF-Radius-Class
map-value msNPAllowDialin FALSE NOACCESS
map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GROUP protocol ldap
aaa-server LDAP_SRV_GROUP (inside) host 10.1.19.2
ldap-base-dn dc=DOMAIN_A, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN="Administrator",OU="Administrator",DC="DOMAIN_A",DC="local"
sasl-mechanism digest-md5
server-type microsoft
ldap-attribute-map ACCESSMAP
aaa-server LDAP_SRV_GROUP (inside) host 10.1.19.3
ldap-base-dn dc=DOMAIN_A, dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN="Administrator",OU="Administrator",DC="DOMAIN_A",DC="local"
server-type microsoft
ldap-attribute-map ACCESSMAP
user-identity default-domain LOCAL
http server enable
http 10.1.19.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 43200
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.1.19.0 255.255.255.224 inside
telnet timeout 5
ssh 10.1.19.0 255.255.255.224 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 132.163.4.101 source outside
ntp server 132.163.4.102 source outside
ntp server 132.163.4.103 source outside
ssl encryption des-sha1
webvpn
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 3
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ssl-client
webvpn
anyconnect ask none default anyconnect
group-policy vpn-ipsec-client internal
group-policy vpn-ipsec-client attributes
dns-server value 10.1.19.2 10.1.19.3
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelspecified
default-domain value DOMAIN_A
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
banner value This is the ALLOWACCESS Policy
vpn-tunnel-protocol ikev1 ssl-client
webvpn
anyconnect ask none default anyconnect
username User_A password ptL2GtG1qXXbDeUg encrypted privilege 15
username admin password O68Yn/LPDoD3PiBu encrypted privilege 15
tunnel-group remote-1 type remote-access
tunnel-group remote-1 general-attributes
authentication-server-group LDAP_SRV_GROUP
authorization-server-group LDAP_SRV_GROUP
tunnel-group vpn-ipsec-client type remote-access
tunnel-group vpn-ipsec-client general-attributes
address-pool vpn-pool
authentication-server-group LDAP_SRV_GROUP LOCAL
default-group-policy vpn-ipsec-client
tunnel-group vpn-ipsec-client ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 10
subscribe-to-alert-group configuration periodic monthly 10
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0bd81c02f2342c7aa14ab6ce016393c4
: end
[OK]
Company-5515x-mdf1#
Not sure, but I think in outside access-list statements you need to enter inside IP addresses, not public ones. This was introduced in ASA version 8.3.
ASKER CERTIFIED SOLUTION
And like fgasimzade said (good catch, should have seen that ;) the outside access list now uses the inside IP addresses.
Have a look at:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
It shows the differences between the old and the new NAT methods.
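The 8.3 rule both replies point at, applied to this thread's own objects as an added example (not code from the post, from Cisco, or from the migration guide): the script collects the static object NATs from an 8.3+ config, rewrites `host <mapped>` tokens in the outside_in access list to the real inside address, flags entries whose public address has no static NAT anywhere in the config, and flags two real hosts that share one mapped address. The sample config is constructed from the thread's objects and keeps its X.Y.2.x placeholders; the function and object names are hypothetical.

```python
"""Rewrite pre-8.3 style ASA outside ACL entries to the 8.3+ real-address form.

Hypothetical helper, not from the thread. From ASA 8.3 the access-list on the
outside interface is evaluated against the real (inside) address of a host,
not its mapped public address, so entries carried over from a PIX/8.2 config
that still name the public address never match.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the thread's config; X.Y.2.x placeholders kept.
SAMPLE_CONFIG = """\
object network Company-mail-server-1
 host 10.1.19.6
object network external-mail-ip-address
 host X.Y.2.2
object network Company_A-Omnia-Processor
 host 10.11.19.49
object network Company_B-Omnia-Processor
 host 10.11.19.39
object network external-Company_A-omnia-ip-address
 host 62.234.2.11
object network Company-mail-server-1
 nat (inside,outside) static external-mail-ip-address
object network Company_A-Omnia-Processor
 nat (any,any) static external-Company_A-omnia-ip-address
object network Company_B-Omnia-Processor
 nat (any,any) static external-Company_A-omnia-ip-address
access-list outside_in extended permit tcp any host X.Y.2.2 eq smtp
access-list outside_in extended permit tcp any host X.Y.2.2 eq https
access-list outside_in extended permit tcp any host X.Y.2.22 eq 3389
access-list outside_in extended deny icmp any any
"""

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
HOST_RE = re.compile(r"^\s*host (\S+)\s*$")      # indentation may be stripped, as in the post
NAT_RE = re.compile(r"^\s*nat \([^)]*\) static (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended ")


def static_nat_map(config: str) -> Tuple[Dict[str, str], List[str]]:
    """Return {mapped_address: real_address} for every static object NAT, plus warnings."""
    hosts: Dict[str, str] = {}          # object name -> host address
    nats: List[Tuple[str, str]] = []    # (real object, mapped object-or-address)
    current = None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := HOST_RE.match(line)) and current:
            hosts[current] = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            nats.append((current, m.group(1)))
    mapping: Dict[str, str] = {}
    warnings: List[str] = []
    for real_obj, mapped in nats:
        real_ip = hosts.get(real_obj)
        mapped_ip = hosts.get(mapped, mapped)   # mapped side is an object name or a literal
        if real_ip is None:
            warnings.append(f"{real_obj}: static NAT on an object without a host address")
        elif mapped_ip in mapping and mapping[mapped_ip] != real_ip:
            warnings.append(f"{mapped_ip}: already mapped to {mapping[mapped_ip]}, "
                            f"also claimed by {real_ip} (conflicting static NAT)")
        else:
            mapping[mapped_ip] = real_ip
    return mapping, warnings


def migrate_outside_acl(config: str, acl_name: str = "outside_in") -> Tuple[List[str], List[str]]:
    """Rewrite `host <mapped>` tokens in acl_name entries to the real address.

    Entries naming an address that is neither the mapped nor the real side of
    any static NAT are reported so the admin can verify them by hand.
    """
    mapping, warnings = static_nat_map(config)
    real_ips = set(mapping.values())
    rewritten: List[str] = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or m.group(1) != acl_name:
            continue
        tokens = line.split()
        for i in range(len(tokens) - 1):
            if tokens[i] != "host":
                continue
            addr = tokens[i + 1]
            if addr in mapping:
                tokens[i + 1] = mapping[addr]
            elif addr not in real_ips:
                warnings.append(f"{addr}: no static NAT for this address; the entry "
                                "cannot match a translated host after 8.3, verify it")
        rewritten.append(" ".join(tokens))
    return rewritten, warnings


if __name__ == "__main__":
    lines, warns = migrate_outside_acl(SAMPLE_CONFIG)
    print("\n".join(lines))
    for w in warns:
        print("WARNING:", w)
```

Run against a full `show running-config` the same way; the warning list is the quickest way to see which inbound entries were copied from the PIX without a matching static NAT.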
ASKER
Thanks, the change to the IOS in the ASA with version 8.4 really threw me for a loop.