jonathanduane2010
urgent...Cisco firewall issue
Hi Guys,
I am having a problem with a Cisco firewall. I basically can't get out on the internet with it; it was working fine a short while ago but now it's not. I spoke to my ISP and ran some tests with them, and it seems fine at their end.
Basically the Cisco has 3 interfaces: inside, outside new and outside (inside is connected to the LAN). Outside new is connected to a MikroTik router and then to the ISP's fibre, and I don't know where outside is supposed to go. I wonder if it's a cable issue or a rules issue.
Thank you so much.
Where is NAT happening, on the MikroTik or on your firewall?
Aside from just the interfaces you will need a number of other commands, such as a GLOBAL statement, NAT statements and a ROUTE OUTSIDE statement. Can we get a look at your config? Be sure you remove any public IPs/confidential information.
ASKER
Hi guys,
Will this do?
: Saved
:
ASA Version 8.0(4)
!
hostname test
domain-name default.domain.invalid
enable password password encrypted
passwd password encrypted
names
name 192.168.20.90 Cam
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 95.45.254.82 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif OutsideNew
security-level 0
ip address 99.140.211.206 255.255.255.240
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
!
time-range inter
periodic daily 19:12 to 19:14
!
time-range li
periodic daily 19:26 to 19:29
!
time-range newstime
periodic daily 16:50 to 16:58
periodic weekdays 9:50 to 9:58
periodic daily 13:50 to 13:58
periodic daily 14:50 to 14:58
periodic daily 15:50 to 15:58
periodic daily 9:50 to 9:58
periodic daily 11:50 to 23:58
periodic daily 8:50 to 8:58
periodic daily 10:50 to 10:58
periodic daily 20:12 to 20:15
periodic daily 19:50 to 19:58
periodic daily 12:50 to 12:58
periodic daily 18:50 to 18:58
!
time-range test
periodic daily 18:32 to 18:35
!
time-range uy
periodic daily 18:40 to 18:43
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network mailserver
network-object host 192.168.20.1
object-group service SERVICES tcp
port-object eq www
port-object eq smtp
port-object eq pop3
port-object eq 3000
port-object eq 3389
port-object eq imap4
object-group service UDPSERVICES udp
port-object eq 3389
object-group network LAN
network-object 192.168.20.0 255.255.255.0
object-group service WWW tcp
port-object eq www
object-group service TIELINE tcp-udp
port-object eq 9000
port-object eq 9002
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object host 192.168.20.189
object-group service cam tcp
port-object eq 8081
access-list WAN_LAN extended permit tcp any host 95.45.254.84 object-group SERVICES log
access-list WAN_LAN extended permit udp any host 95.45.254.84 object-group UDPSERVICES log
access-list WAN_LAN extended permit tcp any host 95.45.254.85 object-group WWW log
access-list WAN_LAN extended permit tcp any host 95.45.254.86 object-group TIELINE log
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.16.8.0 255.255.255.0
access-list LAN-WAN extended permit tcp object-group LAN any object-group SERVICES
access-list LAN-WAN extended permit ip object-group mailserver any
access-list split standard permit 192.168.20.0 255.255.255.0
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.194 object-group SERVICES
access-list OutsideNew_access_in extended permit udp any host 99.140.211.194 object-group UDPSERVICES
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.195 object-group WWW
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.199 object-group TIELINE
access-list OutsideNew_access_in extended permit tcp 62.190.143.32 255.255.255.224 host 99.140.211.195 eq 3389
access-list OutsideNew_access_in remark telnet
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.194 eq telnet
access-list OutsideNew_access_in extended permit tcp any host 99.140.211.194 object-group cam
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 95.131.90.85 object-group WWW
access-list inside_access_in extended deny tcp host 192.168.20.231 any object-group WWW time-range newstime inactive
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu OutsideNew 1500
mtu management 1500
ip local pool vpnpool 192.16.8.2-192.16.8.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (OutsideNew) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) 95.45.254.85 192.168.20.2 netmask 255.255.255.255
static (inside,outside) 95.45.254.86 192.168.20.52 netmask 255.255.255.255
static (inside,outside) 95.45.254.84 192.168.20.1 netmask 255.255.255.255 dns
static (inside,OutsideNew) 99.140.211.194 192.168.20.1 netmask 255.255.255.255
static (inside,OutsideNew) 99.140.211.195 192.168.20.2 netmask 255.255.255.255
static (inside,OutsideNew) 99.140.211.199 192.168.20.52 netmask 255.255.255.255
static (inside,OutsideNew) 99.140.211.196 192.168.20.53 netmask 255.255.255.255
static (inside,OutsideNew) 99.140.211.198 192.168.20.60 netmask 255.255.255.255
static (inside,OutsideNew) 99.140.211.199 192.168.20.61 netmask 255.255.255.255
static (inside,OutsideNew) 99.140.211.200 192.168.20.62 netmask 255.255.255.255
access-group WAN_LAN in interface outside
access-group inside_access_in in interface inside
access-group OutsideNew_access_in in interface OutsideNew
route outside 0.0.0.0 0.0.0.0 95.45.254.81 1
route OutsideNew 0.0.0.0 0.0.0.0 99.140.211.193 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 213.94.194.99 255.255.255.255 outside
http 192.168.20.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 62.190.143.32 255.255.255.224 OutsideNew
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start
crypto ipsec transform-set vpnsettings esp-3des esp-md5-hmac
crypto ipsec transform-set remotesettings esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map remoteclient 20 set transform-set remotesettings
crypto dynamic-map remoteclient 20 set security-association lifetime seconds 28800
crypto dynamic-map remoteclient 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map OutsideNew_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideNew_map interface OutsideNew
crypto isakmp identity address
crypto isakmp enable OutsideNew
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 159.134.222.0 255.255.254.0 outside
ssh 86.49.126.54 255.255.255.255 outside
ssh 213.94.194.99 255.255.255.255 outside
ssh 192.168.20.0 255.255.255.0 inside
ssh 62.190.43.32 255.255.255.224 OutsideNew
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn3000 internal
group-policy vpn3000 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value test.ie
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group vpn3000 type remote-access
tunnel-group vpn3000 general-attributes
address-pool vpnpool
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
isakmp ikev1-user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:42c999b269413f69b984f6158afc114d
: end
[OK]
ASKER
Hi Guys,
From the ASDM launcher, if I try to ping 8.8.8.8 from the outside new interface it works, but none of the machines on the network are getting internet access?
ASKER
Hi Miftaul, how do I get the NAT config?
ASKER
I also think the outside interface is an old one, not in use?
ASKER
Hiya,
I couldn't see the NAT config so I tried show running-config; under show running-config was show startup-config.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.0(4)
!
hostname IRadio
domain-name default.domain.invalid
enable password 4wFk0gVzH/NYZlGa encrypted
passwd sz5KGsLFNRWtU97z encrypted
names
name 192.168.20.90 Cam
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 95.45.254.82 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.20.254 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif OutsideNew
security-level 0
ip address 79.140.211.206 255.255.255.240
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
!
time-range inter
periodic daily 19:12 to 19:14
!
time-range li
periodic daily 19:26 to 19:29
!
time-range newstime
periodic daily 16:50 to 16:58
periodic weekdays 7:50 to 7:58
periodic daily 13:50 to 13:58
periodic daily 14:50 to 14:58
periodic daily 15:50 to 15:58
periodic daily 9:50 to 9:58
periodic daily 11:50 to 23:58
periodic daily 8:50 to 8:58
periodic daily 10:50 to 10:58
periodic daily 20:12 to 20:15
periodic daily 17:50 to 17:58
periodic daily 12:50 to 12:58
periodic daily 18:50 to 18:58
!
time-range test
periodic daily 18:32 to 18:35
!
time-range uy
periodic daily 18:40 to 18:43
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network mailserver
network-object host 192.168.20.1
object-group service SERVICES tcp
port-object eq www
port-object eq smtp
port-object eq pop3
port-object eq 3000
port-object eq 3389
port-object eq imap4
object-group service UDPSERVICES udp
port-object eq 3389
object-group network LAN
network-object 192.168.20.0 255.255.255.0
object-group service WWW tcp
port-object eq www
object-group service TIELINE tcp-udp
port-object eq 9000
port-object eq 9002
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object host 192.168.20.189
object-group service cam tcp
port-object eq 8081
access-list WAN_LAN extended permit tcp any host 95.45.254.84 object-group SERVICES log
access-list WAN_LAN extended permit udp any host 95.45.254.84 object-group UDPSERVICES log
access-list WAN_LAN extended permit tcp any host 95.45.254.85 object-group WWW log
access-list WAN_LAN extended permit tcp any host 95.45.254.86 object-group TIELINE log
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 172.16.8.0 255.255.255.0
access-list LAN-WAN extended permit tcp object-group LAN any object-group SERVICES
access-list LAN-WAN extended permit ip object-group mailserver any
access-list split standard permit 192.168.20.0 255.255.255.0
access-list OutsideNew_access_in extended permit tcp any host 79.140.211.194 object-group SERVICES
access-list OutsideNew_access_in extended permit udp any host 79.140.211.194 object-group UDPSERVICES
access-list OutsideNew_access_in extended permit tcp any host 79.140.211.195 object-group WWW
access-list OutsideNew_access_in extended permit tcp any host 79.140.211.197 object-group TIELINE
access-list OutsideNew_access_in extended permit tcp 62.190.143.32 255.255.255.224 host 79.140.211.195 eq 3389
access-list OutsideNew_access_in remark telnet
access-list OutsideNew_access_in extended permit tcp any host 79.140.211.194 eq telnet
access-list OutsideNew_access_in extended permit tcp any host 79.140.211.194 object-group cam
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host 95.131.70.85 object-group WWW
access-list inside_access_in extended deny tcp host 192.168.20.231 any object-group WWW time-range newstime inactive
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu OutsideNew 1500
mtu management 1500
ip local pool vpnpool 172.16.8.2-172.16.8.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (OutsideNew) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) 95.45.254.85 192.168.20.2 netmask 255.255.255.255
static (inside,outside) 95.45.254.86 192.168.20.52 netmask 255.255.255.255
static (inside,outside) 95.45.254.84 192.168.20.1 netmask 255.255.255.255 dns
static (inside,OutsideNew) 79.140.211.194 192.168.20.1 netmask 255.255.255.255
static (inside,OutsideNew) 79.140.211.195 192.168.20.2 netmask 255.255.255.255
static (inside,OutsideNew) 79.140.211.197 192.168.20.52 netmask 255.255.255.255
static (inside,OutsideNew) 79.140.211.196 192.168.20.53 netmask 255.255.255.255
static (inside,OutsideNew) 79.140.211.198 192.168.20.60 netmask 255.255.255.255
static (inside,OutsideNew) 79.140.211.199 192.168.20.61 netmask 255.255.255.255
static (inside,OutsideNew) 79.140.211.200 192.168.20.62 netmask 255.255.255.255
access-group WAN_LAN in interface outside
access-group inside_access_in in interface inside
access-group OutsideNew_access_in in interface OutsideNew
route outside 0.0.0.0 0.0.0.0 95.45.254.81 1
route OutsideNew 0.0.0.0 0.0.0.0 79.140.211.193 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 62.190.143.32 255.255.255.224 OutsideNew
http 192.168.1.0 255.255.255.0 management
http 192.168.20.0 255.255.255.0 inside
http 213.94.194.97 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start
crypto ipsec transform-set vpnsettings esp-3des esp-md5-hmac
crypto ipsec transform-set remotesettings esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map remoteclient 20 set transform-set remotesettings
crypto dynamic-map remoteclient 20 set security-association lifetime seconds 28800
crypto dynamic-map remoteclient 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map OutsideNew_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideNew_map interface OutsideNew
crypto isakmp identity address
crypto isakmp enable OutsideNew
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 159.134.222.0 255.255.254.0 outside
ssh 86.47.126.54 255.255.255.255 outside
ssh 213.94.194.97 255.255.255.255 outside
ssh 192.168.20.0 255.255.255.0 inside
ssh 62.190.43.32 255.255.255.224 OutsideNew
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpn3000 internal
group-policy vpn3000 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value iradio.ie
username eoin password 7edxZswxPykfTxe8 encrypted privilege 15
username macaccess password UdZ.taxrUOGvP0DU encrypted
username roger password /ZkYI2x0xdAgDw.P encrypted privilege 15
username kevin password mz6JxJib/sQqvsw9 encrypted
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group vpn3000 type remote-access
tunnel-group vpn3000 general-attributes
address-pool vpnpool
default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
isakmp ikev1-user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:42c797b269413f69b784f6158afc114d
: end
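Added example, not from the thread: a small Python audit of the pre-8.3 ASA route/NAT pairing the replies above ask about (global, nat, static and route lines). It reports which interface the lowest-metric default route uses and whether the inside interface's nat id has a matching global on that interface; the sample config is constructed from the lines posted above, and the "assumed fix" variant is my assumption, not the thread's accepted answer.

```python
"""Route/NAT pairing audit for a Cisco ASA 8.0-8.2 (pre-8.3 NAT syntax) config.

An inside host is only translated on its way out if the 'nat (inside) <id>' it
matches pairs with a 'global (<egress>) <id>' on the interface the winning
(lowest-metric) default route uses; a static (inside,<egress>) translates one host."""
import re
from collections import namedtuple

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?")
GLOBAL_RE = re.compile(r"^global\s+\(([^)]+)\)\s+(\d+)\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+(\d+)\s+(.*)")
STATIC_RE = re.compile(r"^static\s+\(([^,]+),([^)]+)\)\s+(\S+)\s+(\S+)")
Route = namedtuple("Route", "iface network mask gateway metric")

def parse(config_text):
    """Collect route, global, nat and static lines; everything else is ignored."""
    routes, globals_, nats, statics = [], [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            routes.append(Route(m[1], m[2], m[3], m[4], int(m[5] or 1)))  # ASA default metric is 1
        elif m := GLOBAL_RE.match(line):
            globals_.append((m[1], int(m[2]), m[3]))
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3]))
        elif m := STATIC_RE.match(line):
            statics.append((m[1], m[2], m[3], m[4]))  # real_ifc, mapped_ifc, mapped_ip, real_ip
    return routes, globals_, nats, statics

def default_routes(routes):
    """Default routes ordered by metric; the first one carries the traffic."""
    return sorted((r for r in routes if r.network == "0.0.0.0" and r.mask == "0.0.0.0"),
                  key=lambda r: r.metric)

def audit(config_text, inside="inside"):
    routes, globals_, nats, statics = parse(config_text)
    defaults = default_routes(routes)
    if not defaults:
        return {"egress": None, "metric": None, "dynamic_nat_ok": False,
                "static_hosts": [], "usable_backups": []}
    winner = defaults[0]
    # nat id 0 is identity / NAT-exempt traffic, so it never pairs with a global
    inside_ids = {nid for ifc, nid, _ in nats if ifc == inside and nid != 0}

    def global_ids(iface):
        return {gid for gifc, gid, _ in globals_ if gifc == iface}

    return {
        "egress": winner.iface,
        "metric": winner.metric,
        # dynamic NAT/PAT works only if some inside nat id has a global on the egress
        "dynamic_nat_ok": bool(global_ids(winner.iface) & inside_ids),
        # hosts with a static to the egress interface are translated regardless
        "static_hosts": sorted(real for rifc, mifc, _, real in statics
                               if rifc == inside and mifc == winner.iface),
        # lower-preference default routes whose interface would pair correctly
        "usable_backups": [r.iface for r in defaults[1:] if global_ids(r.iface) & inside_ids],
    }

def report(result):
    """Console lines; audit() returns the structured result a test asserts on."""
    if result["egress"] is None:
        return ["no default route configured"]
    lines = [f"default route exits via {result['egress']} (metric {result['metric']})"]
    if result["dynamic_nat_ok"]:
        lines.append("inside nat id pairs with a global on that interface: OK")
    else:
        lines.append("no global on that interface matches the inside nat id: "
                     "LAN traffic leaves untranslated or is dropped under nat-control")
        lines.append(f"only statically translated hosts get out: {result['static_hosts']}")
    for ifc in result["usable_backups"]:
        lines.append(f"{ifc} pairs correctly but only carries traffic once the "
                     f"{result['egress']} route is gone")
    return lines

# Constructed sample: the NAT/route lines from the config posted in the thread.
SAMPLE = """\
global (outside) 1 interface
global (OutsideNew) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) 95.45.254.85 192.168.20.2 netmask 255.255.255.255
static (inside,outside) 95.45.254.84 192.168.20.1 netmask 255.255.255.255 dns
static (inside,OutsideNew) 99.140.211.194 192.168.20.1 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 95.45.254.81 1
route OutsideNew 0.0.0.0 0.0.0.0 99.140.211.193 2
"""

# Assumed fix (not the thread's answer): retire the old default route so the
# ISP-connected interface wins and pairs with nat id 2.
FIXED = SAMPLE.replace("route outside 0.0.0.0 0.0.0.0 95.45.254.81 1\n", "") \
              .replace("99.140.211.193 2", "99.140.211.193 1")

if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE), ("assumed fix", FIXED)):
        print(f"== {name} ==")
        for line in report(audit(cfg)):
            print("  " + line)
```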