Solved

Cisco ASA 5510 access rule/nat issue

Posted on 2013-01-15
Last Modified: 2013-09-01
Our company has an external site with a camera system set up for security. We used to be able to view it remotely, but after I upgraded the ASA to version 8.4(4)1 it doesn't seem to work anymore.

The external site has a DSL modem that is set up in static pass-through mode. It has an IP of 71.xxx.xxx.162. When the static pass-through was set up, the provider informed me that on their static pass-through setups they use a lower MTU (1428) instead of the normal 1500.

So from our main office, which is behind our firewall, I cannot connect to the site and view the cameras with the software (Digiop Remote Manager).

If I disable my network connection and use a cellular card plugged into my PC, I am able to connect to and view the cameras no problem, so the issue must lie with our firewall.

I have allowed all TCP traffic from 71.xxx.xxx.162 into our network and created a static nat rule.

If I run the packet tracer in the ASDM tools using my computer's IP address, it seems to imply that the packet should go through fine both incoming and outgoing.

Here is the tracer output using a source of 71.xxx.xxx.162 and a destination of 150.50.1.221 (my internal IP) on TCP port 7000 (the live view port for the software), coming in on the outside interface.

Inside_INF is the inside interface and DMZ is the outside interface (it's named incorrectly, I know).

Type: ROUTE-LOOKUP   Action: ALLOW
Info: in 150.50.1.0 255.255.255.0 Inside_INF

Type: ACCESS-LIST   Action: ALLOW
Config:
access-group DMZ_access_in in interface DMZ
access-list DMZ_access_in extended permit tcp host 71.xxx.xxx.162 any

Type: NAT   Action: ALLOW
Config:
nat (DMZ,Inside_INF) source static Cameras Cameras
Info: Static translate 71.xxx.xxx.162/7000 to 71.xxx.xxx.162/7000

Type: ACCESS-LIST   Action: ALLOW
Config:
access-group Inside_INF_access_out out interface Inside_INF
access-list Inside_INF_access_out extended permit ip any any

Type: NAT   Subtype: rpf-check   Action: ALLOW
Config:
object network obj_any
 nat (Inside_INF,DMZ) dynamic interface

Type: FLOW-CREATION   Action: ALLOW
Info: New flow created with id 17255041, packet dispatched to next module

RESULT - The packet is allowed.

Everything seems to look OK here.

Here is the trace going from the inside to the outside.

Type: ACCESS-LIST   Action: ALLOW
Config: Implicit Rule
Info: MAC Access list

Type: UN-NAT   Subtype: static   Action: ALLOW
Config:
nat (DMZ,Inside_INF) source static Cameras Cameras
Info: NAT divert to egress interface DMZ
Untranslate 71.xxx.xxx.162/7000 to 71.xxx.xxx.162/7000

Type: ACCESS-LIST   Action: ALLOW
Config:
access-group inside_inf_access_out in interface Inside_INF
access-list inside_inf_access_out extended permit ip any any

Type: NAT   Action: ALLOW
Config:
object network obj_any
 nat (Inside_INF,DMZ) dynamic interface

Type: ACCESS-LIST   Action: ALLOW
Config:
access-group DMZ_access_out out interface DMZ
access-list DMZ_access_out extended permit ip any any

Type: NAT   Subtype: rpf-check   Action: ALLOW
Config:
nat (DMZ,Inside_INF) source static Cameras Cameras

Type: FLOW-CREATION   Action: ALLOW
Info: New flow created with id 17256520, packet dispatched to next module

RESULT - The packet is allowed

It seems to look OK going outbound as well; no problems there.

Do you think it could be that the MTU we have here of 1500 is mismatched with the MTU at the site of 1428, and that this could be causing the issue of not being able to connect and view the cameras?

The odd thing is, if I go to 71.xxx.xxx.162 in a browser I can actually get to the web management interface on the camera system and it comes up, but when I try to view the cameras they again will not connect.

Is there a way to assign a different MTU to connections with a particular IP but nothing else?
Question by:gedruspax

Expert Comment

by:ArneLovius
ID: 38781297
Unlikely to be the MTU; more likely to be something else in the config on the ASA.

It would be useful if you could post per and post upgrade ASA configs.
Expert Comment

by:ArneLovius
ID: 38781299
That should be pre and post.

Autocorrect on iPhone...
Author Comment

by:gedruspax
ID: 38783356
Here is the config as of right now. I don't have a "before" one; the only thing that changed is that I upgraded from 7.1 to 8.4. Do you think something in the new 8.x features is what is causing the issue, like the threat protection?

: Saved
: Written by enable_15 at 11:08:53.647 EST Wed Jan 16 2013
!
ASA Version 8.4(4)1
!
hostname ASA
!
interface Ethernet0/0
!
interface Ethernet0/1
 nameif Inside_INF
 security-level 100
 ip address 150.50.1.29 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 0
 ip address 12.248.30.178 255.255.255.252
!
interface Ethernet0/3
 nameif InetServers
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
!
boot system disk0:/asa844-1-k8.bin
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside_INF
dns domain-lookup DMZ
dns domain-lookup InetServers
dns server-group DefaultDNS
 domain-name admin.sws-sssd.com
dns server-group teleplex
 name-server 150.50.1.15
 name-server 150.50.2.15
 name-server 150.50.5.15
 name-server 150.50.1.19
 domain-name admin.sws-sssd.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-150.50.1.0
 subnet 150.50.1.0 255.255.255.0
object network obj-150.50.2.0
 subnet 150.50.2.0 255.255.255.0
object network obj-150.50.3.0
 subnet 150.50.3.0 255.255.255.0
object network obj-150.50.4.0
 subnet 150.50.4.0 255.255.255.0
object network obj-150.50.5.0
 subnet 150.50.5.0 255.255.255.0
object network obj-150.50.1.192
 subnet 150.50.1.192 255.255.255.192
object network obj-150.50.10.0
 subnet 150.50.10.0 255.255.255.0
object network obj-150.50.11.0
 subnet 150.50.11.0 255.255.255.0
object network obj-150.50.12.0
 subnet 150.50.12.0 255.255.255.0
object network obj-150.50.1.33
 host 150.50.1.33
object network obj-192.168.51.16
 host 192.168.51.16
object network obj-192.168.51.13
 host 192.168.51.13
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.10
 host 192.168.2.10
object network obj-192.168.2.10-01
 host 192.168.2.10
object network VPN-POOL
 range 150.50.1.231 150.50.1.239
 description VPN POOL
object network LandrumVPN
 host 150.50.1.231
object network Nick
 host 150.50.1.221
object network obj-pool2
 subnet 192.168.10.0 255.255.255.0
object network obj-150.50.1.18
 host 150.50.1.18
object network Vaughn
 host 71.30.119.162
object-group protocol ip_all
 protocol-object ip
 protocol-object pim
 protocol-object pcp
 protocol-object snp
 protocol-object igmp
 protocol-object ipinip
 protocol-object gre
 protocol-object esp
 protocol-object ah
 protocol-object eigrp
 protocol-object ospf
 protocol-object igrp
 protocol-object nos
object-group service Webserver tcp
 description TCP Blocked Ports
 port-object range 1025 1026
 port-object range netbios-ssn netbios-ssn
 port-object range https 445
 port-object range domain domain
 port-object range 593 691
 port-object range www www
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list ASA-VPN_splitTunnelAcl standard permit any
access-list management_nat0_outbound extended permit ip any 150.50.1.192 255.255.255.192
access-list Outside_cryptomap extended permit ip any 150.50.1.192 255.255.255.192
access-list Inside_INF_access_in extended permit ip any any
access-list Inside_INF_access_in extended permit tcp any any
access-list Inside_INF_access_in extended permit udp any any
access-list Inside_INF_access_in extended permit tcp 150.50.3.0
access-list Inside_INF_access_in extended permit icmp any any
access-list Inside_INF_access_out extended permit ip any any
access-list Inside_INF_access_out extended permit tcp any any
access-list Inside_INF_access_out extended permit udp any any
access-list Inside_INF_access_out extended permit ip interface
access-list Inside_INF_access_out extended permit tcp host
access-list Inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 150.50.2.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 150.50.3.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 150.50.4.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 150.50.5.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 150.50.1.192 255.255.255.192
access-list Inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 150.50.10.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 150.50.11.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 150.50.12.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.2.0 255.255.255.0 150.50.1.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.3.0 255.255.255.0 150.50.1.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.4.0 255.255.255.0 150.50.1.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.5.0 255.255.255.0 150.50.1.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.11.0 255.255.255.0 150.50.1.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.12.0 255.255.255.0 150.50.1.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 150.50.1.0 255.255.255.0
access-list Inside_INF_nat0_outbound extended permit ip 150.50.10.0 255.255.255.0 150.50.1.0 255.255.255.0
access-list sws-vpn_splitTunnelAcl standard permit 150.50.1.0 255.255.255.0
access-list DMZ_cryptomap extended permit ip any 150.50.1.192 255.255.255.192
access-list DMZ_access_in extended permit ip any any inactive
access-list DMZ_access_in extended permit tcp any any inactive
access-list DMZ_access_in extended permit tcp any host 150.50.1.18 eq pop3
access-list DMZ_access_in extended permit tcp any host 192.168.2.10 eq www
access-list DMZ_access_in extended permit tcp any host 192.168.2.10 eq https
access-list DMZ_access_in extended permit tcp any host 150.50.1.18 eq www
access-list DMZ_access_in extended permit tcp any host 150.50.1.18 eq https
access-list DMZ_access_in extended permit tcp any host 150.50.1.18 eq smtp
access-list DMZ_access_in extended permit tcp host 71.30.119.162 any
access-list DMZ_access_out extended permit tcp host 192.168.51.16 host 216.191.234.91
access-list DMZ_access_out extended permit udp any any
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out extended permit ip any host 71.30.119.162
access-list inside_inf_access_out extended permit ip any any
access-list VPN-access extended permit ip 150.50.1.0 255.255.255.0 150.50.2.0 255.255.255.0
access-list 100 extended permit ip 150.50.1.0 255.255.255.0 150.50.2.0 255.255.255.0
access-list 100 extended permit ip 150.50.1.0 255.255.255.0 150.50.3.0 255.255.255.0
access-list 100 extended permit ip 150.50.1.0 255.255.255.0 150.50.4.0 255.255.255.0
access-list 100 extended permit ip 150.50.1.0 255.255.255.0 150.50.5.0 255.255.255.0
access-list 100 extended permit ip 150.50.1.0 255.255.255.0 150.50.10.0 255.255.255.0
access-list 100 extended permit ip 150.50.1.0 255.255.255.0 150.50.11.0 255.255.255.0
access-list 100 extended permit ip 150.50.1.0 255.255.255.0 150.50.12.0 255.255.255.0
access-list inside_INF_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 150.50.1.0 255.255.255.0
access-list inside_INF_nat0_outbound extended permit ip 150.50.0.0 255.255.0.0 150.50.1.0 255.255.255.0
access-list inside_INF_nat0_outbound extended permit icmp 150.50.0.0 255.255.0.0 150.50.1.0 255.255.255.0 inactive
access-list inside_INF_nat0_outbound extended permit tcp 150.50.0.0 255.255.0.0 150.50.1.0 255.255.255.0
access-list inside_INF_nat0_outbound extended permit udp 150.50.0.0 255.255.0.0 150.50.1.0 255.255.255.0 inactive
access-list inside_INF_nat0_outbound extended permit ip 150.50.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_INF_nat0_outbound extended permit tcp 150.50.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list InetServers_In extended permit ip 192.168.2.0 255.255.255.0 any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list capture extended permit ip host 192.168.10.1 host 150.50.1.36
access-list capture extended permit ip host 150.50.1.36 host 192.168.10.1
access-list outside_vpn extended permit ip 192.168.10.0 255.255.255.0 host 150.50.1.36
pager lines 24
logging enable
logging buffer-size 20000
logging asdm-buffer-size 512
logging console alerts
logging buffered warnings
logging asdm informational
mtu Outside 1500
mtu Inside_INF 1500
mtu DMZ 1500
mtu InetServers 1500
mtu management 1500
ip local pool Pool1 150.50.1.231-150.50.1.239 mask 255.255.255.0
ip local pool pool2 192.168.10.1-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
icmp deny any DMZ
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
nat (Inside_INF,DMZ) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-pool2 obj-pool2 no-proxy-arp route-lookup
nat (DMZ,Inside_INF) source static Vaughn Vaughn
nat (Inside_INF,any) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-150.50.2.0 obj-150.50.2.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-150.50.3.0 obj-150.50.3.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-150.50.4.0 obj-150.50.4.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-150.50.5.0 obj-150.50.5.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-150.50.1.192 obj-150.50.1.192 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-150.50.10.0 obj-150.50.10.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-150.50.11.0 obj-150.50.11.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-150.50.12.0 obj-150.50.12.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.2.0 obj-150.50.2.0 destination static obj-150.50.1.0 obj-150.50.1.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.3.0 obj-150.50.3.0 destination static obj-150.50.1.0 obj-150.50.1.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.4.0 obj-150.50.4.0 destination static obj-150.50.1.0 obj-150.50.1.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.5.0 obj-150.50.5.0 destination static obj-150.50.1.0 obj-150.50.1.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.11.0 obj-150.50.11.0 destination static obj-150.50.1.0 obj-150.50.1.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.12.0 obj-150.50.12.0 destination static obj-150.50.1.0 obj-150.50.1.0 no-proxy-arp
nat (Inside_INF,any) source static obj-150.50.10.0 obj-150.50.10.0 destination static obj-150.50.1.0 obj-150.50.1.0 no-proxy-arp
nat (management,Outside) source static any any destination static obj-150.50.1.192 obj-150.50.1.192 no-proxy-arp route-lookup
nat (management,Inside_INF) source static any any destination static obj-150.50.1.192 obj-150.50.1.192 no-proxy-arp route-lookup
nat (management,DMZ) source static any any destination static obj-150.50.1.192 obj-150.50.1.192 no-proxy-arp route-lookup
nat (management,InetServers) source static any any destination static obj-150.50.1.192 obj-150.50.1.192 no-proxy-arp route-lookup
nat (management,management) source static any any destination static obj-150.50.1.192 obj-150.50.1.192 no-proxy-arp route-lookup
nat (Inside_INF,DMZ) source static obj-150.50.1.0 obj-150.50.1.0 destination static obj-150.50.1.0 obj-150.50.1.0 no-proxy-arp route-lookup
!
object network obj-150.50.1.0
 nat (Inside_INF,InetServers) static 150.50.1.0
object network obj-150.50.1.33
 nat (Inside_INF,DMZ) static 12.202.164.30
object network obj-192.168.51.16
 nat (Inside_INF,DMZ) static 12.202.164.11
object network obj-192.168.51.13
 nat (Inside_INF,DMZ) static 12.202.164.10
object network obj_any
 nat (Inside_INF,DMZ) dynamic interface
object network obj_any-01
 nat (DMZ,DMZ) dynamic interface dns
object network obj-192.168.2.10
 nat (InetServers,DMZ) static 12.202.164.1
object network obj-192.168.2.10-01
 nat (InetServers,Inside_INF) static 12.202.164.1
object network obj-150.50.1.18
 nat (Inside_INF,DMZ) static 12.202.164.5
access-group Outside_access_in in interface Outside
access-group inside_inf_access_out in interface Inside_INF
access-group Inside_INF_access_out out interface Inside_INF
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
access-group InetServers_In in interface InetServers
!
router rip
 version 1
!
route DMZ 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route Inside_INF 150.50.0.0 255.255.0.0 150.50.1.1 1
route Inside_INF 192.168.0.0 255.255.0.0 150.50.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record SWSVPN
http server enable
http 192.168.1.0 255.255.255.0 management
http 150.50.1.175 255.255.255.255 Inside_INF
http 150.50.1.221 255.255.255.255 Inside_INF
http 150.50.1.114 255.255.255.255 Inside_INF
http 150.50.1.138 255.255.255.255 Inside_INF
http 150.50.1.12 255.255.255.255 Inside_INF
http 192.168.10.0 255.255.255.255 Inside_INF
http 150.50.1.254 255.255.255.255 Inside_INF
snmp-server location DC
snmp-server contact NG
snmp-server community public
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map Outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map DMZ_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map DMZ_dyn_map 20 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 20 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto map DMZ_map 20 ipsec-isakmp dynamic DMZ_dyn_map
crypto map DMZ_map interface DMZ
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca certificate chain ASDM_TrustPoint1

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable DMZ client-services port 443
crypto ikev1 enable Outside
crypto ikev1 enable DMZ
crypto ikev1 am-disable
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 150.50.1.175 255.255.255.255 Inside_INF
telnet 150.50.1.221 255.255.255.255 Inside_INF
telnet 192.168.10.0 255.255.255.255 Inside_INF
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside_INF
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 150.50.1.26 source Inside_INF prefer
tftp-server Inside_INF 150.50.1.114 /asa.cfg
ssl encryption rc4-sha1 rc4-md5
ssl trust-point ASDM_TrustPoint1 DMZ
webvpn
 enable Inside_INF
 enable DMZ
 default-idle-timeout 86400
 anyconnect image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
 anyconnect profiles Landrum disk0:/landrum.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
group-policy WEBVPNPolicy internal
group-policy WEBVPNPolicy attributes
 wins-server none
 dns-server value 150.50.1.30
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
 default-domain value admin.sws-sssd.com
 webvpn
  url-list value Servers
  anyconnect ssl keepalive 300
  anyconnect dpd-interval client none
  anyconnect dpd-interval gateway none
group-policy ASA-VPN internal
group-policy ASA-VPN attributes
 dns-server value 150.50.1.30 150.50.1.33
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ASA-VPN_splitTunnelAcl
 default-domain value admin.sws-sssd.com
group-policy sws-vpn2 internal
group-policy sws-vpn2 attributes
 dns-server value 150.50.1.30 150.50.1.33
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 group-lock none
 split-tunnel-policy tunnelall
 split-tunnel-network-list value DMZ_cryptomap
 default-domain value admin.sws-sssd.com
group-policy sws-vpn internal
group-policy sws-vpn attributes
 wins-server none
 dns-server value 150.50.1.15
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Inside_INF_nat0_outbound
 default-domain value admin.sws-sssd.com
 address-pools value pool2
 webvpn
  anyconnect mtu 1300
  anyconnect ssl keepalive 15
  anyconnect dpd-interval client none
  anyconnect dpd-interval gateway none
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool Pool1
 default-group-policy sws-vpn
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 150.50.1.30 master timeout 2 retry 2
 group-alias Group-Selection enable
tunnel-group sws-vpn type remote-access
tunnel-group sws-vpn general-attributes
 address-pool pool2
 default-group-policy sws-vpn
 password-management
tunnel-group sws-vpn webvpn-attributes
 group-alias vpn enable
 dns-group teleplex
tunnel-group sws-vpn ipsec-attributes
 ikev1 pre-shared-key dsr5805630
 isakmp keepalive threshold infinite
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 description Traffic
 class inspection_default
  inspect ftp
  inspect rsh
  inspect skinny  
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect dns
 class class-default
  police input 8250000 8000000
  user-statistics accounting
!
service-policy global_policy global
smtp-server 150.50.1.33
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:8d25e2a27d00ec7f44ac8af367cf5016
: end
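As an added illustration (not code from the asker or the expert), a small Python audit run over an excerpt constructed from the config posted above; the functions parse and audit are mine. It flags access-groups bound to an ACL that is never defined or to an interface with no nameif, ACLs defined but never applied, an active permit ip any any inbound on a security-level 0 interface, and ACL names that differ only in case, which the ASA keeps as separate lists (the posted config carries both Inside_INF_access_out and inside_inf_access_out).

```python
"""Audit an ASA 8.4 running-config for access-list / access-group mismatches.
ASA_CONFIG is a constructed excerpt of the config posted above, not the full config."""
import re
from collections import defaultdict

ASA_CONFIG = """\
interface Ethernet0/1
 nameif Inside_INF
 security-level 100
interface Ethernet0/2
 nameif DMZ
 security-level 0
access-list Inside_INF_access_in extended permit ip any any
access-list Inside_INF_access_out extended permit ip any any
access-list DMZ_access_in extended permit ip any any inactive
access-list DMZ_access_in extended permit tcp host 71.30.119.162 any
access-list inside_inf_access_out extended permit ip any any
access-group Outside_access_in in interface Outside
access-group inside_inf_access_out in interface Inside_INF
access-group Inside_INF_access_out out interface Inside_INF
access-group DMZ_access_in in interface DMZ
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")


def parse(config):
    """Return (interfaces, acls, bindings): nameif -> security-level,
    ACL name -> list of ACE dicts, and (acl, direction, interface) tuples."""
    interfaces, acls, bindings, current = {}, defaultdict(list), [], None
    for line in config.splitlines():
        ace, binding = ACE_RE.match(line), AG_RE.match(line)
        if line.startswith("interface "):
            current = None
        elif line.startswith(" nameif "):
            current = line.split()[1]
            interfaces[current] = None
        elif line.startswith(" security-level ") and current:
            interfaces[current] = int(line.split()[1])
        elif ace:
            name, action, proto, rest = ace.groups()
            tokens = rest.split()
            inactive = tokens[-1] == "inactive"     # trailing keyword disables the ACE
            if inactive:
                tokens = tokens[:-1]
            acls[name].append({"action": action, "proto": proto,
                               "rest": " ".join(tokens), "inactive": inactive})
        elif binding:
            bindings.append(binding.groups())
    return interfaces, dict(acls), bindings


def audit(config):
    """Return (check, detail) findings; an empty list means nothing was flagged."""
    interfaces, acls, bindings = parse(config)
    findings, applied = [], set()
    for acl, direction, ifc in bindings:
        applied.add(acl)
        if ifc not in interfaces:       # bound to an interface that has no nameif
            findings.append(("unknown-interface", f"{acl} -> {ifc}"))
        if acl not in acls:             # bound ACL is never defined
            findings.append(("undefined-acl", acl))
        if direction == "in" and interfaces.get(ifc) == 0:
            for ace in acls.get(acl, []):   # active 'permit ip any any' inbound on level 0
                if (ace["action"], ace["proto"], ace["rest"]) == ("permit", "ip", "any any") \
                        and not ace["inactive"]:
                    findings.append(("permit-any-inbound", f"{acl} on {ifc}"))
    for acl in acls:                    # defined but never bound
        if acl not in applied:
            findings.append(("unused-acl", acl))
    by_lower = defaultdict(list)        # ACL names are case-sensitive on the ASA
    for acl in acls:
        by_lower[acl.lower()].append(acl)
    for names in by_lower.values():
        if len(names) > 1:
            findings.append(("case-collision", " / ".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for check, detail in audit(ASA_CONFIG):
        print(f"{check:20} {detail}")
```

On the excerpt it reports the Outside binding (no such nameif, no such ACL), the never-applied Inside_INF_access_in, and the two access_out names; the inactive permit ip any any on DMZ_access_in is only flagged once it is activated.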
Expert Comment

by:ArneLovius
ID: 38783811
The 150.x.x.x addresses are public addresses, but you appear to be using them as private addresses.

There should be no requirement for a static NAT rule for you to access an external site. If you were only allowing port 80 & 443 traffic outbound, but the site used a different port, you would need an additional dynamic NAT rule...
Author Comment

by:gedruspax
ID: 38784074
I believe the live view portion that lets you view the camera feed is port 7000.

So what would the dynamic NAT rule look like for that?

I know that when I upgraded the ASA to 8.x they did change a lot of the NAT syntax and how it works.

Yeah, I know they are public; it was set up like that before I got here and we have not been able to change it.
Author Comment

by:gedruspax
ID: 38784158
Would it be

object network Vaughn
 nat (Inside_INF,DMZ) dynamic interface

where "Vaughn" is the external IP of the camera system?

I looked up the exact ports it needs, by the way; they are 7000, 8000, 8001, 8002, 9000, 9001.
Accepted Solution

by:
gedruspax earned 0 total points
ID: 39442624
I was never able to get this working but we have since switched to a completely different firewall (Palo Alto) and it is working now so this question can be closed.