Jon345
asked on
ASA 5510 HELP NEEDED PLS.....
Hello Experts, I need your help. After 2 days of changing the config trying to get this to work, I have decided to ask for help. I am sure that this is so simple for you Cisco experts, but I am honestly not one...as you will probably see lol !!!
Ok, I have a BT ADSL connection which goes into a BT Router (192.168.0.30, 255.255.255.224); this is then plugged into my 5510 in socket 0 (BTOutside). I then have my inside network (192.168.1.24 255.255.255.224) going from socket 0/1 on the ASA to a switch which hosts my PCs, servers and AP.
All I want to be able to do is have the traffic flow through so I can connect my clients to the wireless AP. I also want to be able to RDP into the servers via my dyndns account..
Could someone post the config please to achieve the above? I have included screenshots of ASDM too.
So then I will have a split network, a clean and dirty side! Config below.
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(5)
!
hostname Network1
domain-name
enable password atnRH8XWA15pl7BQ encrypted
passwd atnRH8XWA15pl7BQ encrypted
names
name 192.168.0.30 natpublicip
name 86.174.211.205 A description outbound
name 192.168.1.56 Windows7
name 192.168.1.41 EsxiServer
name 192.168.1.46 Server2012
name 192.168.1.47 ResServer
ddns update method dns
ddns both
interval maximum 2 0 0 0
!
!
interface Ethernet0/0
description Connection to Netgear
nameif Outside-BT
security-level 0
ip address natpublicip 255.255.255.224
!
interface Ethernet0/1
description Connection to Switch
nameif Inside
security-level 100
ddns update dns
dhcp client update dns
ip address 192.168.1.33 255.255.255.224
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside-BT
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 62.6.40.178
name-server 62.6.40.162
name-server 194.72.9.34
name-server EsxiServer
domain-name
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
port-object eq 3389
object-group service https tcp
port-object eq https
object-group service test
service-object tcp
object-group service tt
service-object tcp eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
access-list Inside_access_in extended permit ip interface Inside any
access-list Inside_access_in extended permit ip any 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static remark udp vpn
access-list Outside-BT_nat_static extended permit udp host 192.168.0.1 eq isakmp 192.168.1.32 255.255.255.224
access-list Outside-BT_nat_static_1 extended permit udp host 192.168.0.1 eq isakmp 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static_2 extended permit udp host 192.168.0.1 eq isakmp any
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list Outside-BT_access_in remark spiceworks
access-list Outside-BT_access_in extended permit tcp any host natpublicip object-group https
access-list outside-bt_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside-BT 1500
mtu Inside 1500
ip local pool Pool 10.0.0.1-10.0.0.2 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
nat (Inside) 101 0.0.0.0 0.0.0.0 dns
static (Inside,Outside-BT) interface Server2012 netmask 255.255.255.255
access-group Outside-BT_access_in in interface Outside-BT
access-group Inside_access_in in interface Inside
route Outside-BT 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside-BT_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-BT_map interface Outside-BT
crypto isakmp enable Outside-BT
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcp-client update dns server both
dhcpd update dns interface Inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source Outside-BT prefer
webvpn
enable Outside-BT
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CiscoRemote internal
group-policy CiscoRemote attributes
dns-server value 192.168.1.41 8.8.8.8
vpn-tunnel-protocol IPSec svc webvpn
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
dns-server value 192.168.1.41 8.8.8.8
vpn-tunnel-protocol IPSec webvpn
username *** password GFDFvLOsuuGuTQnt encrypted privilege 0
username *** attributes
vpn-group-policy CiscoVPN
tunnel-group CiscoVPN type remote-access
tunnel-group HometestVPN type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:748c51b6d177ee23c52c93df77bc32b9
: end
image1.jpg
image2.jpg
ASKER
Two internals: the BT hub is port forwarding 3389 to 192.168.0.30. That range is the guest network; the one behind the ASA is the private, but the private accesses the guest for Internet access.
Is the BT router performing NAT?
ASKER
No
Then why is the BT (is it a hub or a router) "port forwarding"?
ASKER
For rdp connection on port 3389
ASKER
To access the servers behind firewall
ASKER
It's a BT home hub 3
If the BT is not performing NAT, then there is no need to forward traffic. Forwarding only needs to be done on devices that have NAT enabled.
But whatever. To create a second internal network on the ASA, define one of the other interfaces on the ASA and give it a security level higher than 0 (You can make it the same as the existing inside interface).
For example:
interface Ethernet0/2
nameif newnet
security-level 90
ip address 192.168.2.1 255.255.255.0
Then add an entry (or modify the existing one) to allow the new network access.
ASKER
Thanks, one to try. However the ASA was doing NATing; this was working last week. My colleague changed one of the rules and all I get now is denys. Have you looked at the screenshots of ASDM?
No. I don't use ASDM. I do everything from the CLI.
What was changed?
ASKER
I think the NAT rule on screen grab 2.
The second rule (dynamic) needs a translated interface. Click on the interface column and make it "outside".
ASKER
Ok, I have done that, see attached file; getting errors, attached too. Not working yet....
Capture.JPG
Capture1.JPG
Please post your current config.
ASKER
:
ASA Version 8.2(5)
!
hostname Home-Net
domain-name main
enable password atnRH8XWA15pl7BQ encrypted
passwd atnRH8XWA15pl7BQ encrypted
names
name 192.168.0.30 natpublicip
name 86.174.211.205 A description outbound
name 192.168.1.56 Windows7
name 192.168.1.41 EsxiServer
name 192.168.1.46 Server2012
name 192.168.1.47 ResServer
ddns update method dns
ddns both
interval maximum 2 0 0 0
!
!
interface Ethernet0/0
description Connection to Netgear
nameif Outside-BT
security-level 0
ip address natpublicip 255.255.255.224
!
interface Ethernet0/1
description Connection to Switch
nameif Inside
security-level 100
ddns update dns
dhcp client update dns
ip address 192.168.1.33 255.255.255.224
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside-BT
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 62.6.40.178
name-server 62.6.40.162
name-server 194.72.9.34
name-server EsxiServer
domain-name Main
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
port-object eq 3389
object-group service https tcp
port-object eq https
object-group service test
service-object tcp
object-group service tt
service-object tcp eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
access-list Inside_access_in extended permit ip interface Inside any
access-list Inside_access_in extended permit ip any 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static remark udp vpn
access-list Outside-BT_nat_static extended permit udp host 192.168.0.1 eq isakmp 192.168.1.32 255.255.255.224
access-list Outside-BT_nat_static_1 extended permit udp host 192.168.0.1 eq isakmp 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static_2 extended permit udp host 192.168.0.1 eq isakmp any
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list Outside-BT_access_in extended permit tcp any host natpublicip object-group https
access-list outside-bt_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside-BT 1500
mtu Inside 1500
ip local pool Pool 10.0.0.1-10.0.0.2 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (Outside-BT) 1 interface
global (Inside) 1 192.168.1.34-192.168.1.55 netmask 255.0.0.0
global (Inside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside-BT) interface Server2012 netmask 255.255.255.255
access-group Outside-BT_access_in in interface Outside-BT
access-group Inside_access_in in interface Inside
route Outside-BT 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside-BT_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-BT_map interface Outside-BT
crypto isakmp enable Outside-BT
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcp-client update dns server both
dhcpd address 192.168.1.45-192.168.1.55 Inside
dhcpd dns 213.120.234.46 194.72.0.114 interface Inside
dhcpd lease 30000 interface Inside
dhcpd enable Inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source Outside-BT prefer
webvpn
enable Outside-BT
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CiscoRemote internal
group-policy CiscoRemote attributes
dns-server value 192.168.1.41 8.8.8.8
vpn-tunnel-protocol IPSec svc webvpn
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
dns-server value 192.168.1.41 8.8.8.8
vpn-tunnel-protocol IPSec webvpn
username **** password GFDFvLOsuuGuTQnt encrypted privilege 0
username **** attributes
vpn-group-policy CiscoVPN
tunnel-group CiscoVPN type remote-access
tunnel-group HomenetVPN type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b1583d8d969b3692192a27ba7637c447
: end
Home-Net# $
ASKER
Thanks "Don", your help is really appreciated....
ASKER CERTIFIED SOLUTION
ASKER
Hi,
All you have to do is try configuring the policy on the ASA as below:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp
Once the above configuration is done, try this command on the ASA as below:
ASA# debug icmp trace
It will give a continuous ping to the destination.
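The three things this thread turns on (a nat id with no matching global, an outside ACL whose name differs only in case from the one applied, and ICMP not being inspected) can all be checked mechanically before the config goes on the box. This is an added example, not code from this thread or from Cisco: the two excerpts are constructed from the posted configs, trimmed to the relevant lines, and HARDENED_CFG is this example's own tightened version of them.

```python
"""Lint an ASA 8.2-style config for the nat/global, ACL-name and ICMP problems from this thread.
Constructed example, not the thread's code: excerpts are modelled on the posted configs."""
import re

# Modelled on the first posted config: nat 101 has no matching global, and 'permit ip any any'
# sits in a list whose name differs only in case from the one actually applied.
BROKEN_CFG = """\
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list Outside-BT_access_in extended permit tcp any host natpublicip object-group https
access-list outside-bt_access_in extended permit ip any any
nat (Inside) 101 0.0.0.0 0.0.0.0 dns
access-group Outside-BT_access_in in interface Outside-BT
"""

# This example's own tightened version: matched nat/global pair, RDP limited to the published
# address (natpublicip is the outside interface address in the posted config), icmp inspected.
HARDENED_CFG = """\
access-list Outside-BT_access_in extended permit tcp any host natpublicip eq 3389
access-group Outside-BT_access_in in interface Outside-BT
global (Outside-BT) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  inspect icmp
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")

def _take_addr(toks, i):
    """Consume one address spec: any | host X | interface X | object-group X | net mask."""
    if toks[i] == "any":
        return "any", i + 1
    return f"{toks[i]} {toks[i + 1]}", i + 2

def lint(cfg):
    """Return 'CODE: explanation' findings for one config text; an empty list means clean."""
    nats, globs, acls, applied, inspects = [], [], {}, {}, set()
    for raw in cfg.splitlines():
        s = raw.strip()
        if m := NAT_RE.match(s):
            nats.append((m[1], int(m[2])))
        elif m := GLOBAL_RE.match(s):
            globs.append((m[1], int(m[2])))
        elif m := ACL_RE.match(s):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4].split()))
        elif m := AG_RE.match(s):
            applied[m[1]] = (m[2], m[3])
        elif s.startswith("inspect "):
            inspects.add(s.split()[1])
    out = []
    # A dynamic nat id (nat 0 is exempt) needs a global with the same id on another interface;
    # without one the ASA has no translated address and outbound flows are dropped.
    for ifc, nid in nats:
        if nid and not any(g == nid and gi != ifc for gi, g in globs):
            out.append(f"NAT-NO-GLOBAL: nat ({ifc}) {nid} has no global {nid} on another interface")
    # ACL names are case-sensitive: a list never named in access-group is never evaluated.
    for name in acls:
        if name not in applied:
            twin = next((a for a in applied if a.lower() == name.lower()), None)
            out.append(f"ACL-UNUSED: {name} is never applied" + (f"; only case differs from {twin}" if twin else ""))
    # 'permit <proto> any any' in an applied list exposes every host reachable through the
    # outside address. Source-port operators (e.g. 'any eq 53 any') are not handled here.
    for name, (_direction, ifc) in applied.items():
        for action, proto, rest in acls.get(name, []):
            src, i = _take_addr(rest, 0)
            dst, i = _take_addr(rest, i) if i < len(rest) else ("?", i)
            if action == "permit" and src == dst == "any":
                out.append(f"ACE-ANY-ANY: {name} on {ifc} permits {proto} {' '.join(rest[i:])}".rstrip())
    if "icmp" not in inspects:
        out.append("NO-ICMP-INSPECT: echo replies are dropped unless inspected or permitted by ACL")
    return out
```

Run `lint(BROKEN_CFG)` to see the four findings and `lint(HARDENED_CFG)` to confirm the tightened excerpt is clean; the lint reads only `show run` text, so it can be run on the full posted config as well.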
ASKER
Superb Assistance!!
And please use the code feature when posting configs.