Solved

ASA routed subnet: only main IP reacting on NAT

Posted on 2013-01-08
11
391 Views
Last Modified: 2014-05-04
Hello Experts,

We have a routed subnet from our ISP connected to the outside interface of our ASA 5500 series.
When we use the ASA's IP in the NAT to access our internal mail server everything is working.
When trying to use another public IP we don't see any traffic.
Somehow the NAT isn't working.
Any help will be appreciated.
Thanks in advance!
: Saved
:
ASA Version 9.1(1) 
!
hostname asa1
domain-name customer.local
enable password wewrwrdDuyjDtr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbN2rr2 encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.130 255.255.255.240 
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Switch Routing network
 nameif inside
 security-level 100
 ip address 192.168.247.1 255.255.255.0 
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 nameif DMZ
 security-level 50
 ip address 192.168.233.1 255.255.255.0 
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 192.168.246.1 255.255.255.0 
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server x.x.x.3
 name-server x.x.x.3
 domain-name customer.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WAN
 range x.x.x.131 x.x.x.142
object network Insideout
 subnet 192.168.247.0 255.255.255.0
object network insideout
 subnet 192.168.247.0 255.255.255.0
object network Switch1_ge1_1_4_IP
 host 192.168.247.2
object network Management_Segment
 subnet 192.168.253.0 255.255.255.0
object network Data_Segment
 subnet 192.168.254.0 255.255.255.0
object network NETWORK_OBJ_192.168.247.0_24
 subnet 192.168.247.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
 subnet 192.168.5.0 255.255.255.0
object network outside-ip-132
 host x.x.x.132
object network dc01.customer.local
 host 192.168.254.10
object network egress.canit.ca
 fqdn v4 egress.canit.ca
object network NETWORK_OBJ_10.252.150.0_24
 subnet 10.252.150.0 255.255.255.0
object network VPN_LAN
 subnet 192.168.30.0 255.255.255.0
object service ssl
 service tcp destination eq https 
object network Portal
 host 192.168.247.1
object network outside-ip-133
 host x.x.x.133
object network outside-ip-134
 host x.x.x.134
object network mail01.customer.local
 host 192.168.254.20
object network mail01-smtp.customer.local
 host 192.168.254.20
object network outside-ip-130
 host x.x.x.130
object network portal
 host 192.168.233.1
object service rdp
 service tcp destination eq 3389 
object service ASA_MGMT_HTTPSALT
 service tcp destination eq 4433 
object network Management
 host 192.168.247.1
 description mgmtxs
object network HTTPSExtern
 host 192.168.247.1
object network test
 host 192.168.247.1
object network mangmt
 subnet 192.168.253.0 255.255.255.0
object network mgmtsegment
 subnet 192.168.253.0 255.255.255.0
object network test2
 subnet 192.168.253.0 255.255.255.0
object network datasegmt
 subnet 192.168.254.0 255.255.255.0
object network inside-net
 subnet 192.168.247.0 255.255.255.0
object network vpn-subnets
 host 192.168.1.0
object network man01
 host 192.168.253.20
object network mansegmnt
 host 192.168.253.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 1
 host 192.168.1.1
object network RDP_MAN01
 host 192.168.253.20
 description MAN01 RDP XS
object network Man01rdp
 host 192.168.253.20
object network 192.168.30.0
 subnet 192.168.30.0 255.255.255.0
 description VPN_LAN
object-group network DM_INLINE_NETWORK_1
 network-object object Data_Segment
 network-object object Management_Segment
object-group service mail01-group tcp
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq https
 port-object eq smtp
object-group network DM_INLINE_NETWORK_3
 network-object object ALG_Segment
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
 protocol-object icmp6
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.247.0 255.255.255.0
 network-object object mangmt
access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_access_in extended permit tcp object egress.canit.ca object dc01.customer.local eq ldap 
access-list outside_access_in extended permit tcp object egress.canit.ca object mail01.customer.local object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp any object mail01.customer.local object-group DM_INLINE_TCP_2 
access-list outside_access_in extended permit object rdp object x.x.x.117 object man01 
access-list outside_cryptomap_1 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_2 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_3 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_4 extended permit ip 192.168.247.0 255.255.255.0 object Wolfgang_Private 
access-list inside_access_in extended deny tcp object-group DM_INLINE_NETWORK_3 any object-group DM_INLINE_TCP_3 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any 
access-list outside_cryptomap_5 extended permit ip object-group DM_INLINE_NETWORK_2 object 192.168.30.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static 192.168.30.0 192.168.30.0 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Man01rdp
 nat (outside,inside) static outside-ip-132 service tcp 3389 3389 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route inside 192.168.249.0 255.255.255.0 192.168.247.2 1
route inside 192.168.250.0 255.255.255.0 192.168.247.2 1
route inside 192.168.251.0 255.255.255.0 192.168.247.2 1
route inside 192.168.252.0 255.255.255.0 192.168.247.2 1
route inside 192.168.253.0 255.255.255.0 192.168.247.2 1
route inside 192.168.254.0 255.255.255.0 192.168.247.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4433
http 192.168.248.0 255.255.255.0 inside
http 192.168.246.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
http x.x.x.117 255.255.255.255 outside
http redirect inside 80
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp outside
sysopt noproxyarp DMZ
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_4
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer x.x.x.117 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_cryptomap_5
crypto map outside_map 2 set pfs 
crypto map outside_map 2 set peer x.x.79.243 
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.248.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 enable DMZ
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_x.x.x.117 internal
group-policy GroupPolicy_x.x.x.117 attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_x.x.79.243 internal
group-policy GroupPolicy_x.x.79.243 attributes
 vpn-tunnel-protocol ikev1 
username test password 71BvR7vkjFka7tcA encrypted
username test attributes
 service-type remote-access
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias testvpn enable
tunnel-group x.x.x.117 type ipsec-l2l
tunnel-group x.x.x.117 general-attributes
 default-group-policy GroupPolicy_x.x.x.117
tunnel-group 82.29.110.117 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group x.x.79.243 type ipsec-l2l
tunnel-group x.x.79.243 general-attributes
 default-group-policy GroupPolicy_x.x.79.243
tunnel-group x.x.79.243 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 22
  subscribe-to-alert-group configuration periodic monthly 22
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aaa164dc6123a6d1b8454ff32ca17cfc
: end
asdm image disk0:/asdm-711.bin
no asdm history enable


These are my latest NAT entries:

Result of the command: "sh run nat"

nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 no-proxy-arp route-lookup
!
object network mail01-smtp.cust-connect.lcl
 nat (inside,outside) static outside-ip-134
!
nat (any,outside) after-auto source dynamic any interface
Question by:penthese
11 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38754304
I took the liberty of hiding your public ip's.
Now to have a look at your config.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38754309
Ok, I'm missing the NAT statements to allow the ports through to the mail server (from outside to inside). At the moment I only see port 3389 open to 192.168.253.20.
 

Author Comment

by:penthese
ID: 38754997
I'm sorry, here is the latest running config:

Result of the command: "sh run"

: Saved
:
ASA Version 9.1(1) 
!
hostname asa1
domain-name customer.lcl
enable password oWR5ilgutr encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNId encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.130 255.255.255.240 
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description Switch Routing network
 nameif inside
 security-level 100
 ip address 192.168.247.1 255.255.255.0 
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 nameif DMZ
 security-level 50
 ip address 192.168.233.1 255.255.255.0 
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 192.168.246.1 255.255.255.0 
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup DMZ
dns server-group Customer-connect-DNSServers
 timeout 5
 name-server 192.168.254.10
 name-server 192.168.254.11
 domain-name customer.lcl
dns server-group DefaultDNS
 name-server x.x.x.3
 name-server x.x.x.3
 domain-name customer.lcl
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WAN
 range x.x.x.131 x.x.x.142
object network Management_Segment
 subnet 192.168.253.0 255.255.255.0
object network Data_Segment
 subnet 192.168.254.0 255.255.255.0
object network Koppel_Segment
 subnet 192.168.247.0 255.255.255.0
object network outside-ip-132
 host x.x.x.132
object network dc01-ldap.customer.lcl
 host 192.168.254.10
object network egress.canit.ca
 fqdn v4 egress.canit.ca
object network NETWORK_OBJ_10.252.150.0_24
 subnet 10.252.150.0 255.255.255.0
object service ssl
 service tcp destination eq https 
object network x.x.x.117
 host x.x.x.117
object network outside-ip-133
 host x.x.x.133
object network outside-ip-134
 host x.x.x.134
object network mail01-https.customer.lcl
 host 192.168.254.20
object network mail01-smtp.customer.lcl
 host 192.168.254.20
object network outside-ip-130
 host x.x.x.130
object network portal
 host 192.168.233.1
object service rdp
 service tcp destination eq 3389 
object service ASA_MGMT_HTTPSALT
 service tcp destination eq 4433 
object network HTTPSExtern
 host 192.168.247.1
object network mgmtsegment
 subnet 192.168.253.0 255.255.255.0
object network vpn-subnets
 host 192.168.1.0
object network man01-rdp.customer.lcl
 host 192.168.253.20
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 1
 host 192.168.1.1
object network 192.168.30.0
 subnet 192.168.30.0 255.255.255.0
 description Our_LAN
object network NETWORK_OBJ_10.2.6.0_24
 subnet 10.2.6.0 255.255.255.0
object network mailhttps
 host 192.168.254.20
object-group network DM_INLINE_NETWORK_1
 network-object object Data_Segment
 network-object object Management_Segment
object-group service mail01-group tcp
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_4
 network-object object Data_Segment
object-group network DM_INLINE_NETWORK_3
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
 protocol-object icmp6
object-group network DM_INLINE_NETWORK_2
 network-object object mail01-https.customer.lcl
 network-object object mail01-smtp.customer.lcl
object-group network DM_INLINE_NETWORK_5
 network-object 192.168.247.0 255.255.255.0
 network-object object mgmtsegment
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_6
 network-object 192.168.247.0 255.255.255.0
 network-object object Management_Segment
object-group network DM_INLINE_NETWORK_8
 network-object object Data_Segment
 network-object object Management_Segment
object-group network DM_INLINE_NETWORK_9
 network-object object Data_Segment
 network-object object Management_Segment
access-list outside_cryptomap extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_access_in extended permit tcp host x.x.87.160 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1 inactive 
access-list outside_access_in extended permit object rdp host x.x.87.160 object man01-rdp.customer.lcl inactive 
access-list outside_access_in extended permit tcp object egress.canit.ca object dc01-ldap.customer.lcl eq ldap 
access-list outside_access_in extended permit tcp object egress.canit.ca object mail01-smtp.customer.lcl eq smtp 
access-list outside_access_in extended permit tcp any object mail01-https.customer.lcl eq https 
access-list outside_access_in extended permit tcp any object outside-ip-134 eq https inactive 
access-list outside_cryptomap_1 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_2 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_3 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_5 object user1_Private 
access-list inside_access_in extended permit tcp any object monitoring.customer.nl object-group DM_INLINE_TCP_4 
access-list inside_access_in extended deny tcp object-group DM_INLINE_NETWORK_3 any object-group DM_INLINE_TCP_3 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive 
access-list outside_cryptomap_5 extended permit ip 192.168.247.0 255.255.255.0 object 192.168.30.0 
access-list outside_cryptomap_6 extended permit ip object-group DM_INLINE_NETWORK_7 object LeaseQuality-lan 
access-list outside_cryptomap_7 extended permit ip 192.168.247.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside_cryptomap_9 extended permit ip 192.168.247.0 255.255.255.0 object PouwGroningen 
access-list outside_cryptomap_10 extended permit ip object-group DM_INLINE_NETWORK_4 object PouwJK-LAN 
access-list outside_cryptomap_8 extended permit ip object-group DM_INLINE_NETWORK_6 object NETWORK_OBJ_10.252.150.0_24 
access-list outside_cryptomap_11 extended permit ip object-group DM_INLINE_NETWORK_9 object customer-lan 
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 no-proxy-arp route-lookup
!
object network dc01-ldap.customer.lcl
 nat (inside,outside) static interface service tcp ldap ldap 
object network mail01-smtp.customer.lcl
 nat (inside,outside) static interface service tcp smtp smtp 
object network mailhttps
 nat (inside,outside) static outside-ip-134 service tcp smtp smtp 
!
nat (any,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
route inside 10.65.71.0 255.255.255.0 188.203.221.83 1
route inside 192.168.30.0 255.255.255.0 92.64.79.243 1
route inside 192.168.249.0 255.255.255.0 192.168.247.2 1
route inside 192.168.250.0 255.255.255.0 192.168.247.2 1
route inside 192.168.251.0 255.255.255.0 192.168.247.2 1
route inside 192.168.252.0 255.255.255.0 192.168.247.2 1
route inside 192.168.253.0 255.255.255.0 192.168.247.2 1
route inside 192.168.254.0 255.255.255.0 192.168.247.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Customer-Connect protocol radius
aaa-server Customer-Connect (inside) host 192.168.253.10
 key *****
 authentication-port 1812
 accounting-port 1813
user-identity default-domain LOCAL
http server enable 4433
http 192.168.248.0 255.255.255.0 inside
http 192.168.246.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 inside
http redirect inside 80
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp outside
sysopt noproxyarp DMZ
sysopt noproxyarp management
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet timeout 5
ssh 192.168.248.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
 enable DMZ
 tunnel-group-list enable

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:8cb93c9da7f8a48f110c146211a81299
: end


Thanks in advance.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38755072
Ok, I first removed your public IP addresses again. Be careful with just posting those.

Is it correct you're only allowing smtp from one address?
access-list outside_access_in extended permit tcp object egress.canit.ca object mail01-smtp.customer.lcl eq smtp

And when testing, anything showing in the logs?
 

Author Comment

by:penthese
ID: 38755132
Hello,

Thanks for the cleanup and the response :)
The public IPs are fake, so no problem :)


It's not about the SMTP (that's working fine because it's going to our outside interface's IP).
This one is causing the problem: we want to enable OWA through HTTPS to our internal mail server on another IP than the ASA's primary public IP (the .134 instead of the .130).

object network mailhttps
 nat (inside,outside) static outside-ip-134 service tcp smtp smtp
!
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38755190
Cool, been cleaning fake IP's ;)

Right, looking at:

object network mailhttps
 nat (inside,outside) static outside-ip-134 service tcp smtp smtp


Why are you using port 25? HTTPS is like:

object network mailhttps
 nat (inside,outside) static outside-ip-134 service tcp 443 443
 

Author Comment

by:penthese
ID: 38755923
Hello Erniebeek,

That's right, but thanks for noticing it :)

You're absolutely right, I made a mental slip.
But changing it to 443 didn't resolve it.
Nothing appears in the log when trying to connect to the outside .134 address.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38755946
Nothing in the logs?
.....
Might want to double check with your ISP to see if that subnet is correctly routed.
 

Accepted Solution

by:
penthese earned 0 total points
ID: 38755962
Hello

It actually is; it has worked before. Also, when connecting an extra ASA with that IP, everything is fine for its outside interface.
I also asked the ISP to check everything, and they state that it's OK.
Another expert told me that maybe my dynamic NAT rule answers these requests as well.
But I don't know why it's giving just nothing; somehow the NAT setup is wrong, I bet.
Thanks.


edit:

I also gave the outside interface .134 instead of .130 to test if the ISP is doing the right thing.
That's working: we can access the internet without any problems and everything is responding on the .134 address.
I changed it back to .130 since the ISP isn't our problem.

Any other suggestions? It must be the address translation if you ask me...
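One check worth running on the posted config before concluding the ISP side is fine, added here as an example that is not part of the thread or of any Cisco tooling: on an ASA, a static NAT to an address inside the outside interface's own subnet (x.x.x.134 sits in the same /28 as the .130 interface and the .129 default gateway) only receives traffic if the ASA answers ARP for that address, and this config carries `sysopt noproxyarp outside`. The script parses a constructed excerpt modelled on the posted config (203.0.113.0/24 stands in for the masked x.x.x addresses, and the mailhttps port is already corrected to 443) and flags object NATs whose mapped address would need proxy ARP on an interface where it is disabled.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's posted config. 203.0.113.0/24
# (TEST-NET-3) stands in for the masked x.x.x public addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.130 255.255.255.240
object network outside-ip-134
 host 203.0.113.134
object network mail01-smtp.customer.lcl
 host 192.168.254.20
object network mailhttps
 host 192.168.254.20
sysopt noproxyarp outside
object network mail01-smtp.customer.lcl
 nat (inside,outside) static interface service tcp smtp smtp
object network mailhttps
 nat (inside,outside) static outside-ip-134 service tcp 443 443
route outside 0.0.0.0 0.0.0.0 203.0.113.129 1
"""

# Object NAT line under "object network": static to an object name, a literal
# address, or the keyword "interface", with an optional port mapping.
RE_NAT = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static (?P<mapped>\S+)"
    r"(?: service (?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+))?"
)


def parse_asa(config):
    """Pull out interface addresses, host objects, object NATs, noproxyarp flags and default routes."""
    ifaces, objects, nats, noproxy, gateways = {}, {}, [], set(), {}
    block_kind = block_name = None
    pending_if = {}
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # top-level command: starts a new block
            block_kind = block_name = None
            if line.startswith("interface "):
                block_kind, pending_if = "interface", {}
            elif line.startswith("object network "):
                block_kind, block_name = "object", line.split()[2]
            elif line.startswith("sysopt noproxyarp "):
                noproxy.add(line.split()[2])
            elif line.startswith("route "):
                _, ifname, dst, _mask, gw, *_ = line.split()
                if dst == "0.0.0.0":            # default route: the router that ARPs for mapped IPs
                    gateways[ifname] = ipaddress.ip_address(gw)
            continue
        parts = line.split()
        if block_kind == "interface":
            if parts[0] == "nameif":
                pending_if["name"] = parts[1]
            elif parts[:2] == ["ip", "address"]:
                pending_if["addr"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            if "name" in pending_if and "addr" in pending_if:
                ifaces[pending_if["name"]] = pending_if["addr"]
        elif block_kind == "object":
            if parts[0] == "host":
                objects[block_name] = ipaddress.ip_address(parts[1])
            elif (m := RE_NAT.match(line.strip())):
                nats.append({"object": block_name, **m.groupdict()})
    return ifaces, objects, nats, noproxy, gateways


def check_proxy_arp(config):
    """List static object NATs whose mapped address needs proxy ARP on an interface where it is off."""
    ifaces, objects, nats, noproxy, gateways = parse_asa(config)
    findings = []
    for nat in nats:
        out_if = nat["mapped_if"]
        if out_if not in noproxy or out_if not in ifaces:
            continue                            # proxy ARP still on, or interface unknown
        if nat["mapped"] == "interface":
            continue                            # the interface's own address is always answered
        mapped_ip = objects.get(nat["mapped"])
        if mapped_ip is None:
            try:
                mapped_ip = ipaddress.ip_address(nat["mapped"])
            except ValueError:
                continue                        # range/subnet object or unknown name: skip
        link = ifaces[out_if]
        if mapped_ip in link.network and mapped_ip != link.ip:
            gw = gateways.get(out_if)
            note = ""
            if gw is not None and gw in link.network:
                note = f"; default gateway {gw} is on this segment and must ARP for it"
            findings.append(
                f"object {nat['object']}: static NAT to {mapped_ip} on '{out_if}' "
                f"({link.network}) while 'sysopt noproxyarp {out_if}' is set{note}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_proxy_arp(SAMPLE_CONFIG):
        print(finding)
```

The NAT to `interface` (the SMTP rule) is not flagged, which matches the thread's observation that only the translation to the secondary address goes silent; `show arp` and a packet capture on the outside interface would confirm whether the upstream router's ARP requests for .134 are being answered.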
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 40029592
And a big shame on me :(

Though it's sometimes hard to keep track of open questions, I'm trying not to make a habit of stopping the responses all of a sudden.

So it's never been resolved.... Would you like to have another look at it? If not, we'll leave it like this and let the question get closed.
 

Author Closing Comment

by:penthese
ID: 40040135
It has never been resolved.
