Solved

Cisco ASA5510 9.x code, ASDM understanding issues

Posted on 2014-08-18
Last Modified: 2014-12-13
Hello all,

I am having some major angst with the new Cisco 9.x NAT rules and ASDM interface and cannot figure out what to do.  I have been trying everything under the sun to get it to work.  I understood it completely in the 8.x stuff, but the 9.x is just confusing me with everything they are needing.  Please stay with me on this, I'll do my best to describe it.

First, a few setup things.

Internal Network is 10.30.x.x/16 (port0)
DMZ Network is 10.31.0.0 /21 (port3)
External Network is 71.1.2.0 /24  (port1) (not the real numbers but something real for explanation)

I have 1 host in the internal network
10.30.0.21
That I want to get to a host on the DMZ network (10.31.0.21) on port 1180.  In other words, Internally from any port and any ip to port 1180 on the 10.31.0.21 host.

Seems simple enough and should be able to route to it, with access rules.  However, with packet tracer, it says that a NAT rule is preventing this from happening....which then makes me think I have my NAT rules hosed up.

I would like to static, one-to-one NAT 71.1.2.21 from the outside to 10.31.0.21 on the DMZ.  Seems fairly simple....I think, but I am being asked all kinds of questions.

I think I want a "Network Object" NAT rule, and not one of those NAT RULES with all of the Match rules and translated packets.  This is where I am TOTALLY lost.

From the outside I want to open up ssh, ftp, ftp-data, http, https, 990, and a few others.....  I believe these used to be DMZ INCOMING rules....., but now I think they are Outside incoming rules.  Okay.....do I use the OUTSIDE address of 71.1.2.21, or do I use the translated address of 10.31.0.21?

Totally confused trying to do something that was so simple in pre-9.x days.

Any takers?
Question by:thafemann

Expert Comment

by:max_the_king
ID: 40269684
Hi,
you may want to have a look at the following article, which explains the differences in NAT between the pre-8.3 and post-8.3 releases (you may as well vote it as useful if you think it's valuable):
http://www.experts-exchange.com/Security/Software_Firewalls/Cisco_PIX_Firewall/A_11175-Cisco-ASA-PRE-8-3-and-POST-8-3-NAT-Operations.html

after that, for the DMZ, the general rule is that, once you have exempted NAT from inside to DMZ, any machine on the inside can reach the DMZ hosts. Should you want DMZ hosts to access inside machines, you need to do ACLs on DMZ.
When you do ACL for static IP addresses, from 8.3 on you need to use the real (private) ip address.

hope this helps
max

Expert Comment

by:Pete Long
ID: 40269699

Author Comment

by:thafemann
ID: 40270119
once you have exempted NAT from inside to DMZ

I am not sure that I understand this.  I got it to work by creating a NAT from Inside to DMZ.  I am guessing that wasn't correct.  I had expected to just route from inside to DMZ, but that doesn't seem to work.

Author Comment

by:thafemann
ID: 40270127
Pete Long, I have followed the step by step.  One thing I think is missing is the ability to go from the inside to the DMZ.  Can you explain?  I added an "Inside to DMZ" NAT rule, that works.  I am not sure I really want to NAT.

Expert Comment

by:max_the_king
ID: 40270237
... once you have exempted NAT from inside to DMZ ...

object network lan_internal
 subnet 10.30.0.0 255.255.0.0

object network obj-dmz
 subnet 10.31.0.0 255.255.248.0

! identity (NAT-exempt) rule: inside hosts reach the DMZ by its real addresses
nat (inside,dmz) source static lan_internal lan_internal destination static obj-dmz obj-dmz

max

Accepted Solution

by:
Pete Long earned 1500 total points
ID: 40270386
>>I have followed the step by step.  One thing I think is missing is the ability to go from the inside to the DMZ.

You should not need to add any more NAT statements.  Are you sure you don't have an access-list filtering outbound traffic that you need to allow access from the internal LAN to the DMZ IP address?

I just built the whole thing in GNS3 and it worked - it only stopped working when I added the outbound access-list. So I allowed telnet (port 23) to the DMZ host and it worked fine.

ciscoasa# show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 123.123.123.123 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.0.254 255.255.0.0
!
interface GigabitEthernet2
 nameif DMZ
 security-level 50
 ip address 172.16.1.254 255.255.0.0
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network DMZ-subnet
 subnet 172.16.0.0 255.255.0.0
object network DMZ-Host-EXT
 host 123.123.123.124
object network DMZ-Host-INT
 host 172.16.1.1
access-list outbound extended permit tcp host 10.1.0.100 host 172.16.1.1 eq telnet
access-list outbound extended deny ip any any
access-list inbound extended permit tcp any object DMZ-Host-INT eq www
access-list inbound extended permit tcp any object DMZ-Host-INT eq https
access-list DMZ-outbound extended permit tcp object DMZ-Host-INT host 10.1.0.100 eq 1433
access-list DMZ-outbound extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network DMZ-subnet
 nat (DMZ,outside) dynamic interface
object network DMZ-Host-INT
 nat (DMZ,outside) static DMZ-Host-EXT
!
nat (inside,outside) after-auto source dynamic any interface
nat (DMZ,outside) after-auto source dynamic any interface
access-group inbound in interface outside
access-group outbound in interface inside
access-group DMZ-outbound in interface DMZ
route outside 0.0.0.0 0.0.0.0 123.123.123.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ipsec-pass-thru
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#



Author Comment

by:thafemann
ID: 40270558
Result of the command: "sh run"

: Saved
:
ASA Version 9.1(3)
!
names
ip local pool Anyconnect-VPN-DHCP-Pool 10.30.9.0-10.30.9.254 mask 255.255.248.0
ip local pool Anyconnect-VPN-Pool 192.168.255.1-192.168.255.254 mask 255.255.255.0
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address X.X.x.X 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.30.8.1 255.255.248.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description DMZ
 nameif DMZ
 security-level 50
 ip address 10.31.7.254 255.255.248.0
!
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 100
 no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server x.x.x.x
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.30.9.0_24
 subnet 10.30.9.0 255.255.255.0
object network net1
 subnet 10.51.1.0 255.255.255.0
object network net2
 subnet 10.51.2.0 255.255.255.0
object network NETWORK_OBJ_10.30.8.0_21
 subnet 10.30.8.0 255.255.248.0
object network 10.160.170.0-24
 subnet 10.160.170.0 255.255.255.0
object network 10.160.171.0-24
 subnet 10.160.171.0 255.255.255.0
object network 10.204.0.0-16
 subnet 10.204.0.0 255.255.0.0
object network 192.168.10.0-24
 subnet 192.168.10.0 255.255.255.0
object network 192.168.101.0-24
 subnet 192.168.101.0 255.255.255.0
object network 192.168.12.0-24
 subnet 192.168.12.0 255.255.255.0
object network 192.168.13.0-24
 subnet 192.168.13.0 255.255.255.0
object network 192.168.2.0-24
 subnet 192.168.2.0 255.255.255.0
object network 192.168.3.0-24
 subnet 192.168.3.0 255.255.255.0
object network 192.168.4.0-24
 subnet 192.168.4.0 255.255.255.0
object network 192.168.6.0-24
 subnet 192.168.6.0 255.255.255.0
object network 192.168.7.0-24
 subnet 192.168.7.0 255.255.255.0
object network 1.0.0.0-8
 subnet 1.0.0.0 255.0.0.0
object network 10.30.0.0-16
 subnet 10.30.0.0 255.255.0.0
object network FTP-Server-Public
 host X.X.X.X
 description DMZ FTP Server
object network AnyConnect-VPN-Pool
 subnet 192.168.255.0 255.255.255.0
object network FTP-Server-DMZ
 host 10.31.0.21
object network FTP-Server-Internal
 host 10.30.0.21
object-group network DM_INLINE_NETWORK_1
 network-object object CinTel-51
 network-object object CinTel-52
object-group network LocalNetworks-net_VPN
 network-object object 10.160.170.0-24
 network-object object 10.160.171.0-24
 network-object object 10.204.0.0-16
 network-object object 192.168.10.0-24
 network-object object 192.168.101.0-24
 network-object object 192.168.12.0-24
 network-object object 192.168.13.0-24
 network-object object 192.168.2.0-24
 network-object object 192.168.3.0-24
 network-object object 192.168.4.0-24
 network-object object 192.168.6.0-24
 network-object object 192.168.7.0-24
 network-object object 1.0.0.0-8
 network-object object 10.30.0.0-16
 network-object object AnyConnect-VPN-Pool
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object tcp destination eq ftp
object-group network DM_INLINE_NETWORK_3
 network-object object 1.0.0.0-8
 network-object object 10.160.170.0-24
 network-object object 10.160.171.0-24
 network-object object 10.204.0.0-16
 network-object object 10.30.0.0-16
 network-object object 192.168.10.0-24
 network-object object 192.168.101.0-24
 network-object object 192.168.12.0-24
 network-object object 192.168.13.0-24
 network-object object 192.168.2.0-24
 network-object object 192.168.3.0-24
 network-object object 192.168.4.0-24
 network-object object 192.168.6.0-24
 network-object object 192.168.7.0-24
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service Serv-U tcp-udp
 description Serv-U
 port-object eq 1180
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Split-Tunnel standard permit 10.30.0.0 255.255.0.0
access-list Split-Tunnel remark Inside old vlan
access-list Split-Tunnel standard permit 1.0.0.0 255.0.0.0
access-list Split-Tunnel standard permit 10.51.1.0 255.255.255.0
access-list Split-Tunnel standard permit 10.51.2.0 255.255.255.0
access-list Outside_cryptomap extended permit ip object-group LocalNetworks-Net_VPN object-group DM_INLINE_NETWORK_1
access-list Outside_access_in remark SSH/SFTP Service
access-list Outside_access_in extended permit tcp any object FTP-Server-DMZ eq ssh
access-list Outside_access_in remark SSH/SFTP Service
access-list Outside_access_in extended permit tcp any object FTP-Server-DMZ object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit tcp any object FTP-Server-DMZ eq ftp
access-list DMZ_access_in extended permit ip any object FTP-Server-Internal
access-list DMZ_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 2 burst-size 10
icmp deny any Outside
icmp permit any Inside
icmp permit any DMZ
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static AnyConnect-VPN-Pool AnyConnect-VPN-Pool no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.30.8.0_21 NETWORK_OBJ_10.30.8.0_21 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (Inside,Outside) source static LocalNetworks-CinTel_VPN LocalNetworks-CinTel_VPN destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (Outside,Outside) source static AnyConnect-VPN-Pool AnyConnect-VPN-Pool destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (Inside,DMZ) source static any any
!
object network FTP-Server-DMZ
 nat (any,any) static FTP-Server-Public
!
nat (DMZ,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 71.13.168.1 1
route Inside 1.0.0.0 255.0.0.0 10.30.15.254 1
route Inside 10.30.0.0 255.255.0.0 10.30.15.254 1
route Inside 192.168.0.0 255.255.0.0 10.30.15.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
 reactivation-mode depletion deadtime 5
 max-failed-attempts 5
aaa-server LDAP_SRV_GRP (Inside) host XX.XX.XX
 server-port 636
 ldap-base-dn DC=XX,DC=XX
 ldap-group-base-dn CN=VPNUsers,ou=Groups,DC=XX,DC=XXX
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Cisco ASA,OU=Servers Users,DC=XX,DC=XXX
 ldap-over-ssl enable
 server-type microsoft
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 1.0.0.0 255.0.0.0 management
http 1.0.0.0 255.0.0.0 Inside
http 10.30.0.0 255.255.0.0 Inside
http 10.51.0.0 255.255.0.0 Inside
http 0.0.0.0 0.0.0.0 Inside
snmp-server host Inside 10.30.0.103 community ***** version 2c udp-port 161
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 66.161.226.66
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 fqdn none
 subject-name CN=*.XXXXXx
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate e73db552
    XXX  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate ca 023456
XXXX
  quit
crypto ca certificate chain ASDM_TrustPoint2
 certificate ca 35def4cf
    XXXXX
  quit
crypto ca certificate chain ASDM_TrustPoint3
 certificate ca 12bbe6
    XXXXX
  quit
crypto ca certificate chain ASDM_TrustPoint4
 certificate ca 023a63
    XXXXX
  quit
crypto ca certificate chain ASDM_TrustPoint5
 certificate 12c21fa277a5b9e71bcd7f613f48a6f8
    XXXX
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.30.15.254 source Inside prefer
ssl encryption aes128-sha1 3des-sha1 aes256-sha1 rc4-sha1 rc4-md5 des-sha1 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1
ssl trust-point ASDM_TrustPoint5 Outside
webvpn
 enable Outside
 anyconnect image disk0:/anyconnect-win-3.1.05152-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.05152-k9.pkg 2
 anyconnect profiles AnyConnectVPNClient_client_profile disk0:/AnyConnectVPNClient_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 default-domain value Connexuscu.org
group-policy Web-vpn internal
group-policy Web-vpn attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value Bookmarks
group-policy Web-VPN-Local internal
group-policy Web-VPN-Local attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value Bookmarks
group-policy GroupPolicy_66.161.226.66 internal
group-policy GroupPolicy_66.161.226.66 attributes
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_AnyConnectVPNClient internal
group-policy GroupPolicy_AnyConnectVPNClient attributes
 wins-server none
 dns-server value 10.30.0.100 10.30.0.101
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain value cu.loc
 webvpn
  anyconnect profiles value AnyConnectVPNClient_client_profile type user
username Kiwi password Ni3l9ZML3lgMDl0s encrypted privilege 15
username netech password ls2uRZcgeqRoUdIZ encrypted privilege 15
username thafemann password bMFjdO8CkItce3xq encrypted privilege 15
username root password 3U6c4ZXRA9sC3Shd encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool Anyconnect-VPN-Pool
tunnel-group Web-VPN type remote-access
tunnel-group Web-VPN general-attributes
 authentication-server-group LDAP_SRV_GRP LOCAL
 default-group-policy Web-vpn
tunnel-group Web-VPN webvpn-attributes
 group-alias Web-Portal enable
tunnel-group AnyConnectVPNClient type remote-access
tunnel-group AnyConnectVPNClient general-attributes
 address-pool Anyconnect-VPN-Pool
 authentication-server-group LDAP_SRV_GRP LOCAL
 default-group-policy GroupPolicy_AnyConnectVPNClient
tunnel-group AnyConnectVPNClient webvpn-attributes
 group-alias AnyConnectVPNClient enable
tunnel-group Web-VPN-Local type remote-access
tunnel-group Web-VPN-Local general-attributes
 default-group-policy Web-VPN-Local
tunnel-group AnyConnectVPNClient-Local type remote-access
tunnel-group AnyConnectVPNClient-Local general-attributes
 address-pool Anyconnect-VPN-Pool
 default-group-policy GroupPolicy_AnyConnectVPNClient
tunnel-group AnyConnectVPNClient-Local webvpn-attributes
 group-alias AnyConnectVPNClient-Local enable
tunnel-group 66.161.226.66 type ipsec-l2l
tunnel-group 66.161.226.66 general-attributes
 default-group-policy GroupPolicy_66.161.226.66
tunnel-group 66.161.226.66 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9214a11703d3934cd4b69733587ebf44
: end

Author Comment

by:thafemann
ID: 40270566
I am not sure what exempted NAT means, especially when there is a NAT statement

object network lan_internal
 subnet 10.30.0.0 255.255.0.0

object network obj-dmz
 subnet 10.31.0.0 255.255.248.0

nat (inside,dmz) source static lan_internal lan_internal destination static obj-dmz obj-dmz


I have this statement in my system
nat (Inside,DMZ) source static any any

Expert Comment

by:Pete Long
ID: 40270601
OK, let's enable ICMP (we can turn it off later)

policy-map global_policy
 class inspection_default
  inspect icmp

Now run a packet trace to the DMZ

packet-tracer input Inside icmp 10.30.8.1 8 0 10.31.0.21 detailed

That will tell you where things are breaking

Expert Comment

by:max_the_king
ID: 40270893
Basically, NAT exempt means that when packets come from inside to DMZ they should be seen with their real address on the DMZ

I recommend NOT using
nat (Inside,DMZ) source static any any

you'd better use what I wrote above, replacing with your objects:

nat (Inside,DMZ) source static 10.30.0.0-16 10.30.0.0-16 destination static FTP-Server-DMZ FTP-Server-DMZ

then issue the command:
no nat (Inside,DMZ) source static any any

because it often creates side effects

max
Author Comment

by:thafemann
ID: 40270930
nat (Inside,DMZ) source static 10.30.0.0-16 10.30.0.0-16 destination static FTP-Server-DMZ FTP-Server-DMZ

I somewhat have a problem with this....I think

I have about 40 networks, including 10.30.0.0-16

nat (Inside,DMZ) source static LocalNetworks-CinTel_VPN LocalNetworks-CinTel_VPN destination static FTP-Server-DMZ FTP-Server-DMZ

I created a group of networks.  This might work

The one thing that is confusing is the "destination static"  Any concerns?

Expert Comment

by:Pete Long
ID: 40278373
Guys, you DO NOT have to NAT between network interfaces on an ASA firewall (you did before version 8.3), but this is running version 9. Inside can get to DMZ without being NATed! The only time you need to worry about NAT is for traffic going OUT.

Version 8.3 and above come as standard with 'no-nat-control' enabled. Most NAT problems I see in the wild are firewalls that were upgraded from 8.2 (or earlier) where no-nat-control was not enabled prior to upgrade.
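Added example, written by the editor and not posted by anyone in this thread: the NAT and access-list configuration that the advice above adds up to, using the addresses from the question (Inside 10.30.0.0/16, DMZ 10.31.0.0/21, DMZ host 10.31.0.21, public 71.1.2.21 as the question's placeholder) and the interface and object names from the posted config (Inside, DMZ, Outside, FTP-Server-DMZ, FTP-Server-Public, FTP-Server-Internal). The object names Inside-Net, DMZ-Net and FTP-Server-Ports and the test source 198.51.100.10 are assumptions. It changes two things in the posted config that the thread circles around: the object NAT for the DMZ host is bound to the (DMZ,Outside) pair instead of (any,any), because a static rule on (any,any) also matches the DMZ-to-Inside direction and produces the asymmetric-NAT drop that packet-tracer reports as a NAT rule blocking the flow, and the blanket `nat (Inside,DMZ) source static any any` is replaced by the identity NAT max_the_king recommends, scoped to the two subnets.

```cisco
! Added example (editor's, not from the thread): ASA 9.1 NAT/ACL for the question's topology.
! Assumed names: Inside-Net, DMZ-Net, FTP-Server-Ports. 71.1.2.21 is the question's placeholder public IP.
object network Inside-Net
 subnet 10.30.0.0 255.255.0.0
object network DMZ-Net
 subnet 10.31.0.0 255.255.248.0
object network FTP-Server-DMZ
 host 10.31.0.21
object network FTP-Server-Public
 host 71.1.2.21
object-group service FTP-Server-Ports tcp
 port-object eq ssh
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq 990
!
! 1. Remove the blanket manual NAT and the interface-agnostic object NAT from the posted config.
no nat (Inside,DMZ) source static any any
object network FTP-Server-DMZ
 no nat (any,any) static FTP-Server-Public
!
! 2. Section 1 (manual NAT): identity NAT scoped to the two subnets, so Inside reaches the DMZ
!    by real address and the rule cannot catch anything else.
nat (Inside,DMZ) source static Inside-Net Inside-Net destination static DMZ-Net DMZ-Net no-proxy-arp route-lookup
!
! 3. Section 2 (object NAT): one-to-one static for the DMZ host on the (DMZ,Outside) pair only.
!    On (any,any) the same rule matched DMZ->Inside replies and broke Inside->DMZ flows.
object network FTP-Server-DMZ
 nat (DMZ,Outside) static FTP-Server-Public
!
! 4. Section 3 (after-auto): PAT for everything else leaving; the posted config already has the DMZ line.
nat (Inside,Outside) after-auto source dynamic any interface
nat (DMZ,Outside) after-auto source dynamic any interface
!
! 5. Post-8.3 ACLs name the REAL address; a permit written for 71.1.2.21 never matches.
access-list Outside_access_in extended permit tcp any object FTP-Server-DMZ object-group FTP-Server-Ports
access-group Outside_access_in in interface Outside
!
! Inside (100) -> DMZ (50) needs no ACL: higher to lower security level is allowed by default.
! DMZ (50) -> Inside (100) does. Assumed narrowing of the posted "permit ip any any" on DMZ,
! which otherwise lets any DMZ host open anything on the internal network.
access-list DMZ_access_in extended permit ip object FTP-Server-DMZ object FTP-Server-Internal
access-group DMZ_access_in in interface DMZ
!
! 6. Verify both directions. Traces entering Outside use the MAPPED address, since un-NAT happens
!    on ingress; 198.51.100.10 is an assumed test source. ICMP inspection is not needed for TCP traces.
packet-tracer input Inside tcp 10.30.0.21 40000 10.31.0.21 1180 detailed
packet-tracer input Outside tcp 198.51.100.10 40000 71.1.2.21 22 detailed
```

Apply it in that order: removing the (any,any) object NAT before adding the (DMZ,Outside) one avoids a duplicate-translation error, and the two packet-tracer runs should end in ALLOW with the Inside trace showing no translation of either address and the Outside trace showing 71.1.2.21 un-NATed to 10.31.0.21 before the Outside_access_in lookup. The `inspect ftp` already in global_policy handles the data channel for both active and passive FTP, so the ftp-data permit is only for clients that bypass inspection.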