Solved

Route VLAN through Cisco ASA

Posted on 2013-01-29
852 Views
Last Modified: 2013-01-30
I have created a VLAN on our VMware virtual switch. I have created a server VM1 and added it to that VLAN and given it an IP address. I have created a Windows virtual router as well and placed one NIC on the VLAN and one NIC on the main network and gave a static IP on both. The gateway of VM1 is the IP of the VLAN network interface on the router. I can ping the VLAN IP on the router. I then was not able to ping SERVER1 on the main network. I created a static route on SERVER1 for the VLAN and was able to ping SERVER1 from VM1. So I can now successfully ping from one network to another as long as the static route is on the machine. VM1 does not have Internet access though. The router has Internet access because it has a NIC on the main network. The Internet gateway for the main network is a Cisco ASA. The router and SERVER1 can ping the ASA but VM1 can't ping the ASA and the ASA can't ping VM1. I created a subinterface on the Internal interface on the ASA and set it up on the same VLAN ID but no such luck. I ran packet tracer on the ASA on the subinterface, from the IP of the subinterface to the IP of VM1, and it says that it fails at the access rules. I went to the access rules and created a rule for any-any IP permit with no change. What am I missing?
Question by: Wyandotte

12 Comments

Expert Comment

by:Ayman Bakr
ID: 38832510
Have you created a static route on the Cisco ASA for the VLAN like you just did for SERVER1?
Author Comment

by:Wyandotte
ID: 38832625
I tried that, it says that it cannot add the route because the connected route exists. There is nothing in the static route list, but when I look up the routes in the monitoring section, the routes for all the VLANs that I created are there and were put there automatically. The thing is that all the gateways are blank, and since it was automatic I don't know where I'm supposed to go to add the gateway.
Expert Comment

by:Henk van Achterberg
ID: 38832729
You have to remove the interface you added on the ASA and add a static route on the "inside" interface to VM1 via the Windows router.

The same as you did on SERVER1.

Please note that you may have to add the subnet of VM1 to your NAT statement to make Internet work!
Author Comment

by:Wyandotte
ID: 38833127
Do you know what exactly I need to add to the NAT statement?
Expert Comment

by:Henk van Achterberg
ID: 38833135
Can you post your sanitized ASA config and let me know what subnet you use at the VM1 side?
Author Comment

by:Wyandotte
ID: 38835322
Result of the command: "show run"

: Saved
:
ASA Version 7.2(5)
!
hostname ASA
domain-name (domain)
enable password ******* encrypted
passwd ******** encrypted
names
name 100.100.100.241 GATEWAY description ISP Router
name 192.168.3.0 KC
name 10.20.0.0 VPN_CLIENTS
name 10.60.47.0 VGT
name 10.255.132.0 PDSNetwork description PDS
name 192.168.4.0 WPP
dns-guard
!
interface Ethernet0/0
 nameif Internal
 security-level 100
 ip address 192.168.0.1 255.255.254.0
 ospf cost 10
!
interface Ethernet0/0.204
 vlan 204
 nameif WNC
 security-level 0
 ip address 10.2.1.254 255.255.254.0
 ospf cost 10
!
interface Ethernet0/0.205
 vlan 205
 nameif WN
 security-level 0
 ip address 10.1.1.254 255.255.254.0
 ospf cost 10
!
interface Ethernet0/0.206
 vlan 206
 nameif 7SC
 security-level 0
 ip address 10.3.1.254 255.255.254.0
 ospf cost 10
!
interface Ethernet0/0.207
 vlan 207
 nameif WPP
 security-level 0
 ip address 10.4.1.254 255.255.254.0
 ospf cost 10
!
interface Ethernet0/1
 nameif External
 security-level 0
 ip address 100.100.100.243 255.255.255.240
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif manage
 security-level 0
 ip address 172.16.0.1 255.255.255.0
 ospf cost 10
 management-only
!
!
time-range Anytime
!
banner exec The admin session has started
boot system disk0:/asa725-k8.bin
boot system disk0:/asa706-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name (domain)
same-security-traffic permit intra-interface
object-group service VPN udp
 port-object range 62515 62515
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq imap4
access-list VPN extended permit udp interface External object-group VPN interface Internal object-group VPN
access-list VPN extended permit tcp KC 255.255.255.0 interface Internal
access-list VPN extended permit tcp interface Internal KC 255.255.255.0
access-list VPN extended permit icmp VPN_CLIENTS 255.255.254.0 192.168.0.0 255.255.254.0 time-range Anytime
access-list VPN extended permit icmp 192.168.0.0 255.255.254.0 VPN_CLIENTS 255.255.254.0
access-list Internal_access_in extended permit tcp host 192.168.0.3 eq domain interface External eq domain
access-list Internal_access_in extended permit tcp interface Internal 100.100.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.254.0
access-list SPLIT_TUNNEL standard permit KC 255.255.255.0
access-list Internal_nat0_outbound_V1 extended permit ip 192.168.0.0 255.255.254.0 interface External
access-list Internal_nat0_outbound_V1 extended permit ip 192.168.0.0 255.255.254.0 KC 255.255.255.0
access-list Internal_nat0_outbound_V1 extended permit ip any VPN_CLIENTS 255.255.255.0
access-list Internal_nat0_outbound_V1 extended permit ip 192.168.0.0 255.255.254.0 VPN_CLIENTS 255.255.255.0
access-list Internal_nat0_outbound extended permit ip any VPN_CLIENTS 255.255.255.0
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 KC 255.255.255.0
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 10.88.0.0 255.255.240.0
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 VGT 255.255.255.0
access-list Internal_nat0_outbound remark To prevent NAT'ing when accessing the PDS Hosting Network
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 PDSNetwork 255.255.255.0
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.254.0 WPP 255.255.255.0
access-list external2internal extended permit tcp any eq 6881 any eq 6881
access-list external2internal extended permit tcp KC 255.255.255.0 interface Internal
access-list external2internal extended permit tcp KC 255.255.255.0 any
access-list external2internal extended permit tcp any any
access-list external2internal extended permit tcp any eq 3101 host 100.100.100.243 eq 3101
access-list external2internal extended permit udp any interface External eq netbios-ns
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 135 192.168.0.0 255.255.255.0 eq 135
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 135 192.168.0.0 255.255.255.0 eq 135
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq netbios-ns 192.168.0.0 255.255.255.0 eq netbios-ns
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 137 192.168.0.0 255.255.255.0 eq 137
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq netbios-dgm 192.168.0.0 255.255.255.0 eq netbios-dgm
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq netbios-ssn 192.168.0.0 255.255.255.0 eq netbios-ssn
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 445 192.168.0.0 255.255.255.0 eq 445
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 445 192.168.0.0 255.255.255.0 eq 445
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq ldap 192.168.0.0 255.255.255.0 eq ldap
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 389 192.168.0.0 255.255.255.0 eq 389
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq ldaps 192.168.0.0 255.255.255.0 eq ldaps
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 3268 192.168.0.0 255.255.255.0 eq 3268
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 88 192.168.0.0 255.255.255.0 eq 88
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 88 192.168.0.0 255.255.255.0 eq 88
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq domain 192.168.0.0 255.255.255.0 eq domain
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq domain 192.168.0.0 255.255.255.0 eq domain
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 1512 192.168.0.0 255.255.255.0 eq 1512
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq 1512 192.168.0.0 255.255.255.0 eq 1512
access-list external2internal extended permit tcp VPN_CLIENTS 255.255.255.0 eq 42 192.168.0.0 255.255.255.0 eq 42
access-list external2internal extended permit udp VPN_CLIENTS 255.255.255.0 eq nameserver 192.168.0.0 255.255.255.0 eq nameserver
access-list external2internal extended permit tcp KC 255.255.255.0 eq 135 192.168.0.0 255.255.255.0 eq 135
access-list external2internal extended permit udp KC 255.255.255.0 eq 135 192.168.0.0 255.255.255.0 eq 135
access-list external2internal extended permit udp KC 255.255.255.0 eq netbios-ns 192.168.0.0 255.255.255.0 eq netbios-ns
access-list external2internal extended permit tcp KC 255.255.255.0 eq 137 192.168.0.0 255.255.255.0 eq 137
access-list external2internal extended permit udp KC 255.255.255.0 eq netbios-dgm 192.168.0.0 255.255.255.0 eq netbios-dgm
access-list external2internal extended permit tcp KC 255.255.255.0 eq netbios-ssn 192.168.0.0 255.255.255.0 eq netbios-ssn
access-list external2internal extended permit tcp KC 255.255.255.0 eq 445 192.168.0.0 255.255.255.0 eq 445
access-list external2internal extended permit udp KC 255.255.255.0 eq 445 192.168.0.0 255.255.255.0 eq 445
access-list external2internal extended permit tcp KC 255.255.255.0 eq ldap 192.168.0.0 255.255.255.0 eq ldap
access-list external2internal extended permit udp KC 255.255.255.0 eq 389 192.168.0.0 255.255.255.0 eq 389
access-list external2internal extended permit tcp KC 255.255.255.0 eq ldaps 192.168.0.0 255.255.255.0 eq ldaps
access-list external2internal extended permit tcp KC 255.255.255.0 eq 3268 192.168.0.0 255.255.255.0 eq 3268
access-list external2internal extended permit tcp KC 255.255.255.0 eq 88 192.168.0.0 255.255.255.0 eq 88
access-list external2internal extended permit udp KC 255.255.255.0 eq 88 192.168.0.0 255.255.255.0 eq 88
access-list external2internal extended permit tcp KC 255.255.255.0 eq domain 192.168.0.0 255.255.255.0 eq domain
access-list external2internal extended permit udp KC 255.255.255.0 eq domain 192.168.0.0 255.255.255.0 eq domain
access-list external2internal extended permit tcp KC 255.255.255.0 eq 1512 192.168.0.0 255.255.255.0 eq 1512
access-list external2internal extended permit udp KC 255.255.255.0 eq 1512 192.168.0.0 255.255.255.0 eq 1512
access-list external2internal extended permit tcp KC 255.255.255.0 eq 42 192.168.0.0 255.255.255.0 eq 42
access-list external2internal extended permit udp KC 255.255.255.0 eq nameserver 192.168.0.0 255.255.255.0 eq nameserver
access-list external2internal extended permit tcp KC 255.255.255.0 eq 1025 192.168.0.0 255.255.255.0 eq 1025
access-list external2internal extended permit tcp KC 255.255.255.0 eq 1026 192.168.0.0 255.255.255.0 eq 1026
access-list external2internal extended permit tcp KC 255.255.255.0 eq 464 192.168.0.0 255.255.255.0 eq 464
access-list external2internal extended permit tcp KC 255.255.255.0 192.168.0.0 255.255.254.0
access-list external2internal extended permit tcp 192.168.0.0 255.255.254.0 KC 255.255.255.0
access-list external2internal extended permit udp any eq ntp 192.168.0.0 255.255.254.0 eq ntp
access-list external2internal extended permit tcp KC 255.255.255.0 range 1433 1433 192.168.0.0 255.255.254.0 range 1433 1433 inactive
access-list external2internal extended permit udp KC 255.255.255.0 range 1434 1434 192.168.0.0 255.255.254.0 range 1434 1434 inactive
access-list external2internal extended permit tcp any eq www any eq www
access-list external2internal extended permit udp any any
access-list external2internal extended permit tcp KC 255.255.255.0 eq 1433 192.168.0.0 255.255.254.0 eq 1433
access-list external2internal extended permit tcp host 200.200.200.165 host 192.168.0.5 eq ftp
access-list external2internal extended permit tcp host 200.200.200.165 host 192.168.0.5 eq ftp-data
access-list external2internal extended permit tcp host 192.168.0.5 host 200.200.200.165 eq ftp
access-list external2internal extended permit tcp host 192.168.0.5 host 200.200.200.165 eq ftp-data
access-list external2internal extended permit tcp any eq 3085 any eq 3085
access-list external2internal extended permit tcp any eq 5405 any eq 5405
access-list external2internal extended permit tcp PDSNetwork 255.255.255.0 any eq www
access-list external2internal extended permit tcp KC 255.255.255.0 eq 9010 192.168.0.0 255.255.255.0 eq 9010
access-list external2internal extended permit icmp KC 255.255.255.0 any echo-reply
access-list external2internal extended permit icmp any any echo-reply
access-list external2internal extended permit icmp any any
access-list external2internal extended permit icmp any any echo
access-list external2internal extended permit icmp any host 192.168.0.0 echo
access-list external2internal extended permit icmp any host 192.168.0.0 echo-reply
access-list External_cryptomap_40 extended permit ip 200.200.200.0 255.255.254.0 KC 255.255.255.0
access-list Internal_access_in_V1 extended permit tcp 192.168.0.0 255.255.254.0 100.100.100.240 255.255.255.240 time-range Anytime
access-list Internal_access_in_V1 extended permit tcp any any eq https
access-list Internal_access_in_V1 extended permit tcp any any eq pop3
access-list Internal_access_in_V1 extended permit tcp any any eq smtp
access-list Internal_access_in_V1 extended permit udp any any eq domain
access-list Internal_access_in_V1 extended permit icmp any any
access-list Internal_access_in_V1 extended permit esp any any
access-list Internal_access_in_V1 extended permit gre any any
access-list Internal_access_in_V1 extended permit udp any any eq isakmp
access-list Internal_access_in_V1 extended permit udp any any eq 4500
access-list Internal_access_in_V1 extended permit tcp any any eq ftp-data
access-list Internal_access_in_V1 extended permit tcp any any eq ftp
access-list Internal_access_in_V1 extended permit udp any any eq ntp
access-list Internal_access_in_V1 extended permit tcp any KC 255.255.255.0
access-list Internal_access_in_V1 extended permit tcp host 192.168.0.6 eq 3101 any eq 3101
access-list Internal_access_in_V1 extended permit tcp any any
access-list Internal_access_in_V1 extended permit tcp any any eq 3389
access-list Internal_access_in_V1 extended permit tcp any any eq 3301
access-list Internal_access_in_V1 extended permit udp 192.168.0.0 255.255.254.0 eq ntp any eq ntp
access-list Internal_access_in_V1 extended permit ip any any
access-list Internal_access_in_V1 extended permit tcp host 192.168.0.86 range 19000 19999 any
access-list Internal_access_in_V1 extended permit udp any object-group VPN any
access-list Internal_access_in_V1 extended permit tcp 192.168.0.0 255.255.254.0 range 1433 1433 KC 255.255.255.0 range 1433 1433 inactive
access-list User_splitTunnelAcl standard permit any
access-list External_cryptomap_60 extended permit ip 192.168.0.0 255.255.254.0 KC 255.255.255.0
access-list External_cryptomap_60 extended permit ip 192.168.0.0 255.255.254.0 10.88.0.0 255.255.240.0
access-list External_cryptomap_60 extended permit ip 192.168.0.0 255.255.254.0 VGT 255.255.255.0
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 135 KC 255.255.255.0 eq 135
access-list internal2external extended permit udp 192.168.0.0 255.255.254.0 eq 135 KC 255.255.255.0 eq 135
access-list internal2external extended permit udp 192.168.0.0 255.255.254.0 eq netbios-dgm KC 255.255.255.0 eq netbios-dgm
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq netbios-ssn KC 255.255.255.0 eq netbios-ssn
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 445 KC 255.255.255.0 eq 445
access-list internal2external extended permit udp 192.168.0.0 255.255.254.0 eq 445 KC 255.255.255.0 eq 445
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq ldap KC 255.255.255.0 eq ldap
access-list internal2external extended permit udp 192.168.0.0 255.255.254.0 eq 389 KC 255.255.255.0 eq 389
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq ldaps KC 255.255.255.0 eq ldaps
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 3268 KC 255.255.255.0 eq 3268
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 3269 KC 255.255.255.0 eq 3269
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 88 KC 255.255.255.0 eq 88
access-list internal2external extended permit udp 192.168.0.0 255.255.254.0 eq 88 KC 255.255.255.0 eq 88
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq domain KC 255.255.255.0 eq domain
access-list internal2external extended permit udp 192.168.0.0 255.255.254.0 eq domain KC 255.255.255.0 eq domain
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 1512 KC 255.255.255.0 eq 1512
access-list internal2external extended permit udp 192.168.0.0 255.255.254.0 eq 1512 KC 255.255.255.0 eq 1512
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 42 KC 255.255.255.0 eq 42
access-list internal2external extended permit udp 192.168.0.0 255.255.254.0 eq nameserver KC 255.255.255.0 eq nameserver
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 1025 KC 255.255.255.0 eq 1025
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 1026 KC 255.255.255.0 eq 1026
access-list internal2external extended permit tcp 192.168.0.0 255.255.254.0 eq 464 KC 255.255.255.0 eq 464
access-list internal2external extended permit udp 192.168.0.0 255.255.254.0 KC 255.255.255.0
access-list internal2external extended permit udp KC 255.255.255.0 192.168.0.0 255.255.254.0
access-list internal2external extended permit ip 192.168.0.0 255.255.254.0 KC 255.255.255.0
access-list internal2external extended permit ip KC 255.255.255.0 192.168.0.0 255.255.254.0
access-list internal2external extended permit tcp host 200.200.200.165 host 192.168.0.5 eq ftp
access-list internal2external extended permit tcp host 200.200.200.165 host 192.168.0.5 eq ftp-data
access-list internal2external extended permit tcp host 192.168.0.5 host 200.200.200.165 eq ftp
access-list internal2external extended permit tcp host 192.168.0.5 host 200.200.200.165 eq ftp-data
access-list internal2external extended permit tcp any eq 5405 any eq 5405
access-list internal2external extended permit tcp any eq 3085 any eq 3085
access-list internal2external extended permit icmp any any
access-list internal2external extended permit icmp 192.168.0.0 255.255.254.0 any echo-reply
access-list internal2external extended permit icmp any any echo-reply
access-list internal2external extended permit icmp any any echo
access-list internal2external extended permit icmp any host 192.168.0.0 echo
access-list internal2external extended permit icmp any host 192.168.0.0 echo-reply
access-list External_access_out extended permit tcp any eq www any eq www
access-list External_access_out extended permit udp any any
access-list Internal_access_out extended permit tcp any any
access-list Internal_access_out extended permit udp any any
access-list Internal_access_out extended permit tcp 192.168.0.0 255.255.254.0 eq 1433 KC 255.255.255.0 eq 1433
access-list Internal_access_out remark Allow access to the PDS Hosting Network
access-list Internal_access_out extended permit tcp any PDSNetwork 255.255.255.0 eq www
access-list Internal_access_out extended permit ip PDSNetwork 255.255.255.0 any
access-list Internal_access_out extended permit udp any any eq ntp
access-list external_access_out extended permit tcp any any
access-list internal_access-out extended permit icmp any any echo-reply
access-list internal_access_out extended permit icmp any any
access-list internal_access_out extended permit icmp any any echo-reply
access-list internal_access_out extended permit icmp 192.168.0.0 255.255.254.0 KC 255.255.255.0
access-list internal_access_out extended permit icmp any any echo
access-list internal_access_out extended permit icmp any host 192.168.0.0 echo
access-list internal_access_out extended permit icmp any host 192.168.0.0 echo-reply
access-list inbound remark Allow Inbound Email and Webmail
access-list inbound extended permit tcp any host 100.100.100.242 object-group DM_INLINE_TCP_1
access-list inbound extended permit udp any any eq ntp
access-list external extended permit tcp any host 192.168.0.29 eq https
access-list external extended permit tcp any host 192.168.0.29 eq 993
access-list external_access_in extended permit icmp any any echo-reply
access-list external_access_in extended permit icmp any any
access-list external_access_in extended permit icmp any any echo
access-list external_access_in extended permit icmp any host 192.158.0.0 echo
access-list external_access_in extended permit icmp any host 192.158.0.0 echo-reply
access-list lanout extended permit icmp any any
access-list lanout extended permit icmp any any echo-reply
access-list lanout extended permit icmp any any echo
access-list Internal_1_cryptomap extended permit ip 192.168.0.0 255.255.254.0 WPP 255.255.255.0
access-list External_cryptomap_1 extended permit ip 192.168.0.0 255.255.254.0 WPP 255.255.255.0
access-list WTOK_access_in extended permit ip any any time-range Anytime
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap warnings
logging asdm informational
mtu Internal 1500
mtu External 1500
mtu manage 1500
mtu WNC 1500
mtu WN 1500
mtu 7SC 1500
mtu WPP 1500
ip local pool VPNTEST 10.20.0.100-10.20.0.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Internal
icmp permit KC 255.255.255.0 Internal
icmp permit any echo Internal
icmp permit any echo-reply Internal
icmp permit KC 255.255.255.0 External
icmp permit any External
icmp permit any echo External
icmp permit any echo-reply External
asdm image disk0:/asdm-525.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 10 192.168.0.0 255.255.254.0
nat (manage) 0 0.0.0.0 0.0.0.0
static (Internal,External) udp interface netbios-ns 192.168.0.1 netbios-ns netmask 255.255.255.255
static (Internal,External) 100.100.100.242 192.168.0.29 netmask 255.255.255.255
static (Internal,Internal) 10.0.0.0 10.0.0.0 netmask 255.255.254.0
no threat-detection statistics tcp-intercept
access-group inbound in interface External
route Internal PDSNetwork 255.255.255.0 192.168.0.16 1
route Internal 10.0.0.0 255.255.254.0 192.168.0.11 1
route External 0.0.0.0 0.0.0.0 GATEWAY 1
route External VGT 255.255.255.0 300.300.300.138 1
route External 10.88.0.0 255.255.240.0 300.300.300.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.30 255.255.255.255 Internal
http 192.168.0.31 255.255.255.255 Internal
http 10.10.10.0 255.255.255.0 manage
http 192.168.1.16 255.255.255.255 Internal
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp Internal
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map External_dyn_map 20 set pfs
crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map External_map 1 match address External_cryptomap_1
crypto map External_map 1 set pfs
crypto map External_map 1 set peer 400.400.400.254
crypto map External_map 1 set transform-set ESP-3DES-SHA
crypto map External_map 60 match address External_cryptomap_60
crypto map External_map 60 set peer 300.300.300.138
crypto map External_map 60 set transform-set ESP-3DES-SHA
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External
crypto map outside_map 40 match address External_cryptomap_60
crypto map Internal_map 1 match address Internal_1_cryptomap
crypto map Internal_map 1 set pfs
crypto map Internal_map 1 set peer 400.400.400.254
crypto map Internal_map 1 set transform-set ESP-3DES-SHA
crypto map Internal_map interface Internal
crypto isakmp identity address
crypto isakmp enable Internal
crypto isakmp enable External
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.0.30 255.255.255.255 Internal
telnet 192.168.0.31 255.255.255.255 Internal
telnet 192.168.1.16 255.255.255.255 Internal
telnet timeout 15
ssh 192.168.0.30 255.255.255.255 Internal
ssh 192.168.0.31 255.255.255.255 Internal
ssh 192.168.1.16 255.255.255.255 Internal
ssh timeout 15
console timeout 0
management-access Internal
ntp server 192.168.0.3 source Internal prefer
webvpn
 enable External
 url-list OWA "OWA" cifs://192.168.0.29 1
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 192.168.0.3
 dns-server value 192.168.0.3 192.168.0.5
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing
group-policy User_1 internal
group-policy User_1 attributes
 wins-server value 192.168.0.3 192.168.3.254
 dns-server value 192.168.0.3 192.168.0.5
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 default-domain value (domain)
group-policy User internal
group-policy User attributes
 wins-server value 192.168.0.3 192.168.3.254
 dns-server value 192.168.0.3 192.168.0.5
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value User_splitTunnelAcl
 default-domain value (domain)
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.0.3 timeout 2 retry 2
tunnel-group User type ipsec-ra
tunnel-group User general-attributes
 address-pool VPNTEST
 default-group-policy User
tunnel-group User ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group 300.300.300.138 type ipsec-l2l
tunnel-group 300.300.300.138 ipsec-attributes
 pre-shared-key *
tunnel-group 400.400.400.254 type ipsec-l2l
tunnel-group 400.400.400.254 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ipsec-pass-thru
!
service-policy global_policy global
pop3s
 enable Internal
 server 192.168.0.29
 default-group-policy DfltGrpPolicy
smtps
 enable Internal
 server 192.168.0.29
 default-group-policy DfltGrpPolicy
smtp-server 192.168.0.29
prompt hostname context
Cryptochecksum:4a91c6184a10df609bd0b181740f59e7
: end
Author Comment

by:Wyandotte
ID: 38835329
Primary network is 192 and the new subnet that I am testing is 10.0.0.0/23. I am also creating 10.1.0.0/23, 10.2, 10.3 and 10.4.
Author Comment

by:Wyandotte
ID: 38835338
Currently VM1 can ping the ASA and DNS resolves. Complete network access short of Internet.
Expert Comment

by:Henk van Achterberg
ID: 38835454
Try:

nat (Internal) 20 10.0.0.0 255.255.254.0
Author Comment

by:Wyandotte
ID: 38835496
No dice. The command was accepted but I didn't get Internet access.
Accepted Solution

by: Henk van Achterberg (earned 500 total points)
ID: 38835526
I am sorry, I misread the config.

Please enter:

no nat (Internal) 20 10.0.0.0 255.255.254.0
nat (Internal) 10 10.0.0.0 255.255.254.0

You use the old-style NAT:

https://supportforums.cisco.com/docs/DOC-9129
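An added example, not from the thread and not Cisco's code, that models why the accepted fix works and why the earlier `nat (Internal) 20 ...` attempt did not, and also covers the static-route point made earlier in the thread. It is a small Python simulator of old-style (pre-8.3) ASA behaviour: longest-prefix route lookup followed by nat/global pairing, fed the relevant lines from the posted config (the `GATEWAY` name is expanded to 100.100.100.241 as the config's `name` line defines it). VM1's address 10.0.0.5, the second-VLAN host 10.1.0.5 and the destination 8.8.8.8 are constructed values. The rule being illustrated: an inside `nat (iface) id net mask` statement only translates traffic when a `global (out-iface) id ...` with the same id exists on the egress interface; id 20 had no such global, while id 10 pairs with the existing `global (External) 10 interface`.

```python
import ipaddress

# Constructed excerpt of the posted ASA 7.2 config (old-style NAT).
CONFIG_BEFORE = """\
global (External) 10 interface
nat (Internal) 10 192.168.0.0 255.255.254.0
route Internal 10.0.0.0 255.255.254.0 192.168.0.11 1
route External 0.0.0.0 0.0.0.0 100.100.100.241 1
"""
# First suggestion in the thread: a new nat-id with no matching global.
CONFIG_NAT20 = CONFIG_BEFORE + "nat (Internal) 20 10.0.0.0 255.255.254.0\n"
# Accepted fix: reuse nat-id 10, which already pairs with global (External) 10.
CONFIG_FIXED = CONFIG_BEFORE + "nat (Internal) 10 10.0.0.0 255.255.254.0\n"


def parse(config):
    """Parse the subset of old-style NAT syntax used above.

    Returns (globals, nats, routes):
      globals: {(nat_id, interface): pool}      e.g. {(10, "External"): "interface"}
      nats:    [(interface, nat_id, network)]   in configuration order
      routes:  [(network, interface, next_hop)]
    """
    globals_, nats, routes = {}, [], []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "global":
            globals_[(int(tok[2]), tok[1].strip("()"))] = tok[3]
        elif tok[0] == "nat":
            if tok[3] == "access-list":
                continue  # "nat 0 access-list" identity exemptions are not modelled here
            net = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
            nats.append((tok[1].strip("()"), int(tok[2]), net))
        elif tok[0] == "route":
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            routes.append((net, tok[1], tok[4]))
    return globals_, nats, routes


def route_lookup(routes, dst):
    """Longest-prefix match over the static routes; returns (interface, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def egress(config, in_iface, src, dst):
    """Decide how a packet entering in_iface from src towards dst leaves the firewall.

    Returns (out_interface, nat_result) where nat_result is one of:
      "pat-interface"     translated to the egress interface address (Internet works)
      "no-nat-match"      no nat statement on in_iface covers src
      "no-global-for-id"  a nat statement matched but no global with that id exists
                          on the egress interface
    """
    globals_, nats, routes = parse(config)
    src = ipaddress.ip_address(src)
    hop = route_lookup(routes, dst)
    if hop is None:
        return (None, "no-route")
    out_iface = hop[0]
    # The first nat statement on the ingress interface that covers the source wins.
    for iface, nat_id, net in nats:
        if iface == in_iface and src in net:
            if (nat_id, out_iface) in globals_:
                return (out_iface, "pat-interface")
            return (out_iface, "no-global-for-id")
    return (out_iface, "no-nat-match")


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("nat 20", CONFIG_NAT20), ("fixed", CONFIG_FIXED)):
        print(label, egress(cfg, "Internal", "10.0.0.5", "8.8.8.8"))
```

With `nat-control` disabled (the 7.x default) a packet that gets `no-nat-match` or `no-global-for-id` leaves untranslated with its private 10.0.0.x source, which the ISP cannot route back; with `nat-control` enabled it is dropped instead. Either way VM1 gets no Internet, which is the symptom reported in the thread. The route lookup for 10.0.0.5 returns the Internal interface via 192.168.0.11, the static route the thread says is needed for return traffic to reach the Windows router. The simulator also shows that the other planned subnets (10.1.0.0/23 and so on) each need their own `nat (Internal) 10 ...` line, since 10.1.0.5 still gets `no-nat-match` under the fixed config.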
Author Comment

by:Wyandotte
ID: 38836363
Awesome, that did it. Thank you very much.