Solved

how to create firewall policies on PIX515e firewall to permit a subnet go to internet

Posted on 2014-08-19
14
Medium Priority
447 Views
Last Modified: 2014-08-20
I have a remote site connecting to my main site through an MPLS network. The subnet is 10.10.42.0. My main site has the network 10.10.4.0. There is a PIX515e firewall sitting on my main site, and it has policies for the internet traffic.


When I was doing a traceroute, it showed the result below. It looks like a Telepacific routing issue, but after I contacted them and did some tests, they told me they could see the traffic reach their MPLS interface but it got dropped on the firewall.

I know I need to create some policies on the PIX to permit traffic from the 10.10.42.0 network to go to the internet, but I don't know how. Could anyone here help?

Thanks.

[root@jupiter ~]# traceroute www.google.com
traceroute to www.google.com (74.125.224.146), 30 hops max, 40 byte packets
 1  10.10.42.2 (10.10.42.2)  1.439 ms  1.755 ms  2.094 ms
 2  10.10.42.1 (10.10.42.1)  1.291 ms  1.440 ms  1.749 ms
 3  10.225.30.37 (10.225.30.37)  7.228 ms  7.624 ms  7.900 ms
 4  * * *
 5  te0000.mr3.irvnca.telepacific.net (100.43.223.50)  12.302 ms  12.775 ms  13.250 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  *
[root@jupiter ~]#
0
Question by:Jason Yu
14 Comments
 
LVL 25

Expert Comment

by:Ken Boone
ID: 40270977
Post the statements in your PIX config that start with:
global
nat

This will let me see how you are letting things out.

Also, issue this command and post the output:
show route

This will help answer your question.
0
 

Author Comment

by:Jason Yu
ID: 40271142
0
 

Author Comment

by:Jason Yu
ID: 40271147
Hi, Ken:

Thank you for your reply. I use ASDM 5.2 to manage this firewall.

I am not sure if these pictures are what you requested.

Jason
0
 
LVL 25

Expert Comment

by:Ken Boone
ID: 40271165
Jason,
The quickest way for me to figure out what is going on is with the output from the cli.
0
 

Author Comment

by:Jason Yu
ID: 40271185
What is the command I need to run in the CLI?

Forgive my poor knowledge of Cisco firewalls. Thanks.
0
 
LVL 25

Expert Comment

by:Ken Boone
ID: 40271197
Once you log in to the CLI and get to enable mode, which ends with a # prompt, type the following:

show run

This will list a bunch of command-line statements. Just dump this over to a notepad.

Search for all statements that begin with one of the following commands:
nat
global
route

Just post those lines. I don't need to see the whole config to start with.
0
 

Author Comment

by:Jason Yu
ID: 40271202
Result of the command: "show run"

: Saved
:
PIX Version 7.2(4) 
!
hostname pix515e
domain-name minkagroup.net
enable password 18KJC8i2oGWNhsX0 encrypted
passwd b/JoC9zf2wWKXgAO encrypted
names
name 109.104.109.0 Hethway-network description Hethway Public IPs
name 75.139.232.27 Jon-Home description Jon's home Public IP
name 10.10.4.55 Titan description Titan Backup Server
name 208.65.144.0 McAfee1
name 208.81.64.0 McAfee2
name 10.10.4.11 Aegis_Private description Email server LAN IP
name 10.10.28.101 NCFedEx description NC FedEx server
name 10.0.3.12 apollo description future dealer webserver
name 10.10.4.36 atlas_internal_ip description created by jason for vpn connection
name 10.10.20.2 Alcoa_MPLS_Gateway description created by jason
name 10.10.32.1 San_Diego_Firewall description San Diego Firewall Internal IP
name 192.208.251.94 Aegis_Public description Email server public IP
name 192.208.251.104 Apollo_Public description Apollo Public IP
name 192.208.251.98 Atlas_VPN description Created by Jason for vpn access
name 10.0.3.2 Blackhole_Internal description Blackhole Email filter
name 192.208.251.83 Bfdweb02_Public description Created by jason
name 192.208.251.97 Blackhole_Public description Created by Jason
name 10.0.3.3 Bfdweb02_Internal description current dealer server created by Jason
name 10.10.4.131 Luna_Internal description Created by Jason for Luna Server
name 10.0.3.7 Hera_Internal description Created by Jason
name 10.0.3.4 Mailer_Internal description Created by Jason for Mailer Server
name 192.208.251.85 Nova_Public description Created by
name 192.208.251.81 Mailer_Public description Created by Jason for Mailer Server
name 10.10.20.0 Alcoa_Network description Created by Jason
name 192.208.251.90 MV_DACS_SSH description Created by Jason
name 192.208.251.92 MV_DACS2_SSH description Created by Jason
name 192.208.251.95 BFD_DACS_4.140_SSH description Created by Jason
name 192.208.251.96 BFD_DACS_4.141_SSH description Created by Jason
name 192.208.251.100 AOC_VPN_Public description Created by Jason for AOC VPN
name 192.208.251.103 Orion_Public description Created by jason for warranty web server
name 192.208.251.84 Hera_Public description Created by Jason for Hera/Ftp
name 72.29.171.50 Hathway-Publi-IP description Created by Jason
name 219.95.232.132 IBM_Sterling_Van description Created for Richard by Jason
name 10.10.4.5 Firewal_LAN_IP description Created by Jason
name 10.10.4.1 MPLS_Interface description created by jason
name 10.10.4.128 FEDEXSERVER description created by jason
name 10.10.4.60 Barracuda60 description Primary Load Balancer
name 192.208.251.76 Firewall_Public description Created by Jason
name 192.208.251.91 Test_Public_IP description Created by jason
name 192.208.251.82 Thea_External description Updated by jason for Thea Server
name 10.10.4.234 Thea_Internal description updated by jason for the thea server
name 10.10.42.0 MV_network
dns-guard
!
interface Ethernet0
 description This is the Ip address for the PIX firewall, updated by Jason Yu on 09/27/2013
 nameif outside
 security-level 0
 ip address Firewall_Public 255.255.255.192 
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address Firewal_LAN_IP 255.255.252.0 
 ospf cost 10
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 10.0.3.1 255.255.255.224 
 ospf cost 10
!
!
time-range ldap_blackhole
 periodic daily 11:49 to 11:51
 periodic daily 16:49 to 16:51
!
boot system flash:/pix724.bin
no ftp mode passive
clock timezone PST -8
clock summer-time pst recurring
dns server-group DefaultDNS
 domain-name minkagroup.net
same-security-traffic permit inter-interface
object-group service Inside-deny tcp-udp
 port-object range 445 445
 port-object range 8200 8200
 port-object range 1214 1214
 port-object range 135 139
 port-object range 8100 8100
object-group network mv
 description MV Network defined by network/subnet
 network-object MV_network 255.255.254.0
object-group network alc
 description Alcoa Network defined by network/subnet 
 network-object Alcoa_Network 255.255.252.0
object-group network bfd
 description Bradford Network defined by network/subnet
 network-object 10.10.4.0 255.255.252.0
object-group network nc
 description NC Network defined by network/subnet
 network-object 10.10.28.0 255.255.252.0
object-group network sd
 description San Diego Network defined by network/subnet
 network-object 10.10.32.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_2
 network-object 0.0.0.0 0.0.0.0
 network-object Hethway-network 255.255.255.192
object-group network DM_INLINE_NETWORK_3
 network-object 0.0.0.0 0.0.0.0
 network-object Hethway-network 255.255.255.192
object-group network DM_INLINE_NETWORK_4
 network-object 0.0.0.0 0.0.0.0
 network-object Hethway-network 255.255.255.192
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object Hethway-network 255.255.255.192
object-group network DM_INLINE_NETWORK_5
 network-object McAfee1 255.255.248.0
 network-object McAfee2 255.255.248.0
object-group service SqlSvr tcp
 description Sql Server Service
 port-object eq 1433
object-group network DM_INLINE_NETWORK_6
 network-object host apollo
 network-object host Bfdweb02_Internal
object-group network DM_INLINE_NETWORK_7
 network-object host apollo
 network-object host Bfdweb02_Internal
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group network DM_INLINE_NETWORK_11
 network-object host apollo
 network-object host Apollo_Public
object-group service Logmein tcp
 description Logmein Port Range
 port-object eq 12975
 port-object eq 32976
 port-object eq https
object-group service DM_INLINE_TCP_4 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group network Sterling_Van_Luna_Server
 description Allowing luna server access these public ips
 network-object host 209.95.224.122
 network-object host 209.95.232.130
 network-object host 209.95.232.132
object-group service DM_INLINE_TCP_5 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service GIS_service tcp-udp
 description permit traffic for 8080 port
 port-object eq 8080
object-group network DM_INLINE_NETWORK_8
 network-object host 107.22.209.202
 network-object host 46.51.189.152
object-group network DM_INLINE_NETWORK_9
 network-object host 107.22.209.202
 network-object host 46.51.189.152
object-group network DM_INLINE_NETWORK_10
 network-object host 107.22.209.202
 network-object host 46.51.189.152
object-group service Fedex_port tcp
 description created by jason
 port-object eq 49612
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq ssh
 port-object eq smtp
access-list acl-out remark AOC VPN access outside the company
access-list acl-out extended permit gre host 69.178.146.22 host AOC_VPN_Public 
access-list acl-out remark This only allows the previous IP to have VPN access for AOC
access-list acl-out extended deny gre any host AOC_VPN_Public 
access-list acl-out extended permit gre any host Atlas_VPN 
access-list acl-out extended permit tcp any host Atlas_VPN eq pptp 
access-list acl-out remark Network Time protocol
access-list acl-out remark OWA access for Exchange servers
access-list acl-out extended permit icmp any host Blackhole_Public 
access-list acl-out remark created by jason for testing
access-list acl-out extended permit object-group TCPUDP host Aegis_Public any 
access-list acl-out remark Created by Jason for testing OWA service
access-list acl-out extended permit tcp any host Aegis_Public eq www 
access-list acl-out remark Created by Jason for testing OWA service
access-list acl-out extended permit tcp any host Aegis_Public eq https 
access-list acl-out remark Created by  Jason for email testing
access-list acl-out extended permit tcp any host Aegis_Public eq smtp 
access-list acl-out remark Created by  Jason for email testing
access-list acl-out extended permit icmp any host Aegis_Public 
access-list acl-out extended permit tcp any host 192.208.251.86 eq ssh 
access-list acl-out remark created by jason for permitting vpn traffic to outside
access-list acl-out extended permit tcp host Atlas_VPN any eq pptp 
access-list acl-out extended permit tcp host 199.102.135.82 host BFD_DACS_4.140_SSH eq ssh inactive 
access-list acl-out extended permit tcp host 199.102.135.82 host BFD_DACS_4.141_SSH eq ssh inactive 
access-list acl-out remark SSH access for Allen Group to MV DACS1
access-list acl-out extended permit tcp host 199.102.135.82 host MV_DACS2_SSH eq ssh inactive 
access-list acl-out remark SSH access for Allen Group to MV DACS2
access-list acl-out extended permit tcp host 199.102.135.82 host MV_DACS_SSH eq ssh inactive 
access-list acl-out remark FTP Site
access-list acl-out extended permit icmp any host Hera_Public 
access-list acl-out extended permit tcp any host Hera_Public eq www 
access-list acl-out extended permit tcp any host Hera_Public eq ftp 
access-list acl-out remark Mailer access
access-list acl-out extended permit icmp any host Mailer_Public 
access-list acl-out extended permit tcp any host Mailer_Public eq www 
access-list acl-out extended permit tcp any host Orion_Public eq https 
access-list acl-out extended permit tcp any host Orion_Public eq www 
access-list acl-out extended permit icmp any host Orion_Public 
access-list acl-out remark Created by Jason for permitting traffic going to luna's external IP
access-list acl-out extended permit ip any host Thea_External 
access-list acl-out remark created by jason yu on 9/21/2013
access-list acl-out extended permit object-group DM_INLINE_PROTOCOL_1 any 10.10.4.0 255.255.252.0 
access-list acl-out extended permit ip host 74.208.43.112 host Bfdweb02_Public inactive 
access-list acl-out extended permit ip host 74.208.107.123 host Bfdweb02_Public inactive 
access-list acl-out extended permit ip host 74.208.13.141 host Bfdweb02_Public inactive 
access-list acl-out extended permit tcp host 140.239.19.151 host Bfdweb02_Public eq 3389 inactive 
access-list acl-out remark Created by Jason for allowing hethway to connect to BFDweb02 current dealer server
access-list acl-out extended permit tcp host Hathway-Publi-IP host Bfdweb02_Public eq 3389 inactive 
access-list acl-out extended permit tcp host 140.239.19.151 host Bfdweb02_Public eq 1433 inactive 
access-list acl-out extended permit ip host 74.208.43.112 host Orion_Public 
access-list acl-out extended permit ip host 74.208.107.123 host Orion_Public 
access-list acl-out extended permit tcp host 140.239.19.151 host Orion_Public eq ftp 
access-list acl-out extended permit tcp host 140.239.19.151 host Orion_Public eq 1433 
access-list acl-out extended permit tcp host 140.239.19.151 host Orion_Public eq 3389 
access-list acl-out remark Allows ICMP replies
access-list acl-out extended permit icmp any any echo-reply 
access-list acl-out remark SPAM filter server
access-list acl-out extended permit tcp any host Blackhole_Public eq 6900 
access-list acl-out extended permit tcp any host Blackhole_Public eq smtp 
access-list acl-out extended permit tcp any host Blackhole_Public eq https 
access-list acl-out remark Created by Jon for McAfee email routing
access-list acl-out extended permit tcp object-group DM_INLINE_NETWORK_5 host Aegis_Public eq smtp 
access-list acl-out extended permit tcp object-group DM_INLINE_NETWORK_1 host Apollo_Public eq ssh 
access-list acl-out extended permit udp object-group DM_INLINE_NETWORK_2 host Apollo_Public eq domain 
access-list acl-out extended permit tcp object-group DM_INLINE_NETWORK_3 host Apollo_Public object-group DM_INLINE_TCP_1 
access-list acl-out extended permit icmp object-group DM_INLINE_NETWORK_4 host Apollo_Public 
access-list acl-out extended permit udp any host Apollo_Public eq ntp 
access-list acl-out extended permit tcp any object-group DM_INLINE_NETWORK_11 eq ftp 
access-list acl-out remark Created by Jason for allowing ftp traffic to Luna server
access-list acl-out extended permit tcp host IBM_Sterling_Van host Thea_External eq ftp 
access-list acl-out remark Created by Jason for connectio nthe new warehouse
access-list acl-out extended permit object-group DM_INLINE_PROTOCOL_2 any host Firewall_Public 
access-list acl-out remark below blocks all non-routable internet IPs for class A B C
access-list acl-out extended deny ip 10.0.0.0 255.0.0.0 any 
access-list acl-out extended deny ip 192.168.0.0 255.255.255.0 any 
access-list acl-out extended deny ip 172.16.0.0 255.255.0.0 any 
access-list acl-out remark Created by Jason for testing.
access-list acl-out extended deny tcp any 10.10.4.0 255.255.252.0 object-group Logmein inactive 
access-list acl-out extended deny ip any any inactive 
access-list acl-in extended deny ip any host 115.124.105.92 
access-list acl-in extended permit tcp Alcoa_Network 255.255.252.0 host Bfdweb02_Internal eq 1433 
access-list acl-in extended deny tcp any any object-group Inside-deny 
access-list acl-in extended deny ip any host 206.142.53.0 
access-list acl-in extended deny icmp any host 206.142.53.0 
access-list acl-in extended deny ip any host 66.151.158.177 
access-list acl-in remark This allows MV SMTP traffic for the following hosts
access-list acl-in extended permit tcp host 10.10.42.21 any eq smtp 
access-list acl-in extended permit tcp host 10.10.42.22 any eq smtp 
access-list acl-in extended permit tcp host 10.10.42.32 any eq smtp 
access-list acl-in extended permit tcp host 10.10.42.33 any eq smtp 
access-list acl-in remark Created by Jason for permitting traffic to luna-d server on port 8080
access-list acl-in extended permit object-group TCPUDP any host Thea_Internal object-group GIS_service 
access-list acl-in extended permit icmp any host 10.10.42.21 
access-list acl-in remark created by jason for test purpose
access-list acl-in extended permit icmp any host 10.10.24.10 inactive 
access-list acl-in remark This denys all MV SMTP traffic to the internet.
access-list acl-in extended deny tcp object-group mv any eq smtp 
access-list acl-in remark This denys all Alcoa SMTP traffic to the internet.
access-list acl-in extended deny tcp object-group alc any eq smtp inactive 
access-list acl-in remark This denys all San Diego SMTP traffic to the internet
access-list acl-in extended deny tcp object-group sd any eq smtp 
access-list acl-in remark This allows NC SMTP traffic for the following hosts
access-list acl-in extended permit tcp host 10.10.28.141 any eq smtp 
access-list acl-in extended permit tcp host 10.10.28.140 any eq smtp 
access-list acl-in remark This denys all NC SMTP traffic to the internet.
access-list acl-in extended deny tcp object-group nc any eq smtp 
access-list acl-in remark The Bradford hosts below are allowed to send SMTP traffic to the internet.
access-list acl-in extended permit tcp host 10.10.4.141 any eq smtp 
access-list acl-in extended permit tcp host 10.10.4.140 any eq smtp 
access-list acl-in remark created by jason for allowing traffice to BFDDACS1
access-list acl-in extended permit icmp host 10.10.4.140 any 
access-list acl-in remark created by jason for allowing traffic to BFDDACS1
access-list acl-in extended permit icmp any host 10.10.4.140 
access-list acl-in extended permit tcp host 10.10.4.10 any eq smtp 
access-list acl-in remark This allows all of Bradford to send SMTP traffic to Blackhole
access-list acl-in extended permit tcp object-group bfd host Blackhole_Internal eq smtp 
access-list acl-in remark This denys all Bradford SMTP traffic to the internet.
access-list acl-in extended deny tcp object-group bfd any eq smtp 
access-list acl-in extended deny ip any host 67.223.237.195 
access-list acl-in extended deny ip any 192.168.0.0 255.255.255.0 
access-list acl-in remark This blockes the aoc test system from external access
access-list acl-in extended deny tcp host 10.10.20.236 any 
access-list acl-in remark This permits SD and NY access to www and Trend
access-list acl-in extended permit tcp 10.10.32.0 255.255.255.0 any eq 8080 
access-list acl-in extended permit tcp 10.10.32.0 255.255.255.0 any eq https 
access-list acl-in remark created by jason for allowing https traffic to outside for 24.0 network to outside
access-list acl-in extended permit tcp 10.10.4.0 255.255.252.0 host 46.51.189.152 eq https 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq 8080 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq www 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq https 
access-list acl-in remark This allows domain auth and email for SD and NY
access-list acl-in extended permit tcp 10.10.32.0 255.255.255.0 any eq ldap 
access-list acl-in extended permit tcp 10.10.32.0 255.255.255.0 any eq ldaps 
access-list acl-in extended permit tcp 10.10.32.0 255.255.255.0 any eq pop3 
access-list acl-in extended permit tcp 10.10.32.0 255.255.255.0 any eq smtp 
access-list acl-in extended permit tcp 10.10.32.0 255.255.255.0 any eq domain 
access-list acl-in extended permit tcp 10.10.32.0 255.255.255.0 any eq 445 
access-list acl-in extended permit tcp 10.10.32.0 255.255.255.0 any eq 42 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq 445 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq 42 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq domain 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq smtp 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq pop3 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq ldaps 
access-list acl-in extended permit tcp 10.10.35.0 255.255.255.0 any eq ldap 
access-list acl-in remark created by jason
access-list acl-in extended permit ip Alcoa_Network 255.255.252.0 any 
access-list acl-in remark created by jason
access-list acl-in extended permit tcp Alcoa_Network 255.255.252.0 10.10.4.0 255.255.252.0 
access-list acl-in remark created by jason for Richard's luna server ftp traffic issue
access-list acl-in extended permit tcp host IBM_Sterling_Van host Thea_Internal object-group DM_INLINE_TCP_5 
access-list acl-in remark Permit SCP to Titan Server
access-list acl-in extended permit tcp any host Titan eq ssh 
access-list acl-in extended permit tcp host Titan any eq ssh 
access-list acl-in remark Created by Jason for testing ping from San Diego site to DMZ zone
access-list acl-in extended permit icmp any host MPLS_Interface 
access-list acl-in remark Created by Jason for testing ping from San Diego site to DMZ zone
access-list acl-in extended permit icmp any host Firewal_LAN_IP 
access-list acl-in remark Created by Jason for testing ping from firewall to others.
access-list acl-in extended permit icmp host Firewal_LAN_IP any 
access-list acl-in remark This denys SD and NY access
access-list acl-in extended deny ip 10.10.35.0 255.255.255.0 any 
access-list acl-in remark allow remote connectoin from internet
access-list acl-in extended permit tcp host Barracuda60 any eq ssh 
access-list acl-in remark allow remote connectoin from internet
access-list acl-in extended permit object-group TCPUDP host Barracuda60 any eq domain 
access-list acl-in remark allow remote connectoin from internet
access-list acl-in extended permit tcp host Barracuda60 any eq www 
access-list acl-in remark allow remote connectoin from internet
access-list acl-in extended permit udp host Barracuda60 any eq ntp 
access-list acl-in extended deny ip 10.10.32.0 255.255.255.0 any 
access-list acl-in extended deny ip any 172.16.0.0 255.255.0.0 
access-list acl-in extended deny ip any 208.80.54.0 255.255.255.0 
access-list acl-in extended deny ip any 208.80.55.0 255.255.255.0 
access-list acl-in extended deny ip any 208.80.53.0 255.255.255.0 
access-list acl-in extended deny ip any 208.80.52.0 255.255.255.0 
access-list acl-in extended permit ip any any 
access-list acl-in remark Created by Jason for allowing ftp traffic to go out from luna server
access-list acl-in extended permit tcp host Thea_Internal object-group Sterling_Van_Luna_Server object-group DM_INLINE_TCP_4 log debugging 
access-list acl-in remark Created by Jason for allowing ftp traffic to gout from luna server
access-list acl-in extended permit ip host Thea_Internal object-group Sterling_Van_Luna_Server log debugging 
access-list acl-in remark created by jason for accessing fedex sql server
access-list acl-in extended permit tcp any object-group Fedex_port host FEDEXSERVER 
access-list acl-in extended permit tcp MV_network 255.255.255.0 any object-group DM_INLINE_TCP_2 
access-list acl-in extended permit udp MV_network 255.255.255.0 any eq ntp 
access-list acl-in extended permit tcp any MV_network 255.255.255.0 object-group DM_INLINE_TCP_3 
access-list acl-in extended permit udp any MV_network 255.255.255.0 eq ntp 
access-list acl-in extended permit object-group TCPUDP any MV_network 255.255.255.0 
access-list acl-in extended permit ip any MV_network 255.255.255.0 
access-list acl-in extended permit ip MV_network 255.255.255.0 any 
access-list acl-in extended permit tcp MV_network 255.255.255.0 any 
access-list acl-dmz extended permit ip host Blackhole_Internal any 
access-list acl-dmz extended permit icmp host Hera_Internal any 
access-list acl-dmz extended permit icmp host Mailer_Internal any 
access-list acl-dmz extended permit icmp host Bfdweb02_Internal any 
access-list acl-dmz extended permit icmp host Blackhole_Internal any 
access-list acl-dmz extended permit icmp host 10.0.3.8 any 
access-list acl-dmz remark Created by jason for configuring CentOS server
access-list acl-dmz extended permit icmp any host apollo inactive 
access-list acl-dmz remark Created by jason for configuring CentOS server
access-list acl-dmz extended permit tcp any host apollo eq www 
access-list acl-dmz remark Created by Jason for testing ping outward
access-list acl-dmz extended permit icmp host apollo any inactive 
access-list acl-dmz remark Created by Jason for configuring new CentOS server.
access-list acl-dmz extended permit tcp host apollo any eq www 
access-list acl-dmz remark Webserver Ping request by JY
access-list acl-dmz extended permit tcp host apollo any eq echo 
access-list acl-dmz extended permit udp any any eq domain 
access-list acl-dmz extended permit tcp any any eq www 
access-list acl-dmz remark Gentran Perimeter Server
access-list acl-dmz extended permit tcp host 10.0.3.8 host 10.10.4.130 eq 10500 
access-list acl-dmz remark Jason Yu
access-list acl-dmz extended permit ip host 10.0.3.5 any 
access-list acl-dmz remark Gentran access out to Stercomm
access-list acl-dmz extended permit ip host Thea_Internal host 209.95.232.130 inactive 
access-list acl-dmz extended permit ip host Thea_Internal host 209.95.232.132 inactive 
access-list acl-dmz extended permit ip host Thea_Internal host 209.95.224.122 inactive 
access-list acl-dmz extended permit ip host 10.0.3.8 host 209.95.232.130 
access-list acl-dmz extended permit ip host 10.0.3.8 host 209.95.224.122 
access-list acl-dmz remark GIS 5.4 access to Stercomm
access-list acl-dmz extended permit tcp any any eq smtp 
access-list acl-dmz extended permit tcp any any eq https 
access-list acl-dmz remark Webserver access to Kotick
access-list acl-dmz extended permit ip host apollo host 98.130.0.29 
access-list acl-dmz extended permit ip host apollo host 74.208.107.123 
access-list acl-dmz remark Webserver access for Lares to update Trend AV
access-list acl-dmz extended permit tcp host apollo host 10.10.4.9 eq 8080 
access-list acl-dmz extended permit tcp host Bfdweb02_Internal host 10.10.4.9 eq 8080 
access-list acl-dmz remark file sharing between two dealer web servers
access-list acl-dmz extended permit object-group TCPUDP object-group DM_INLINE_NETWORK_6 object-group DM_INLINE_NETWORK_7 eq cifs 
access-list acl-dmz remark Blackhole Spam Server
access-list acl-dmz extended permit udp host Blackhole_Internal host 10.10.6.0 eq snmptrap 
access-list acl-dmz extended permit udp host Blackhole_Internal host 10.10.4.10 eq snmptrap 
access-list acl-dmz extended permit tcp host Blackhole_Internal any eq 2703 
access-list acl-dmz extended permit tcp host Blackhole_Internal any eq echo 
access-list acl-dmz extended permit udp host Blackhole_Internal any eq ntp 
access-list acl-dmz extended permit tcp host Blackhole_Internal host 10.10.4.3 eq ldap time-range ldap_blackhole 
access-list acl-dmz extended permit tcp host Blackhole_Internal host 10.10.4.25 eq ldap time-range ldap_blackhole 
access-list acl-dmz extended permit ip host 10.0.3.9 any 
access-list acl-dmz extended permit icmp host 10.0.3.9 any 
access-list acl-dmz remark Allow smtp from Dealer to blackhole JZ 8/8/2013
access-list acl-dmz extended permit tcp host Bfdweb02_Internal host Blackhole_Internal eq smtp 
access-list acl-dmz remark allow ping from dealer to blackhole JZ 8/8/2013
access-list acl-dmz extended permit icmp host Bfdweb02_Internal host Blackhole_Internal 
access-list acl-dmz remark test policy
access-list acl-dmz extended permit icmp host Blackhole_Internal host Bfdweb02_Internal 
access-list acl-dmz remark test policy for kay to get to registerserver.net JZ 9/5/13
access-list acl-dmz extended permit tcp any object-group DM_INLINE_NETWORK_8 eq www 
access-list acl-dmz remark test policy for kay to get to registerserver.net Jason.Y on 11/14/2013
access-list acl-dmz extended permit tcp object-group DM_INLINE_NETWORK_9 10.10.4.0 255.255.252.0 eq www 
access-list acl-dmz remark test policy for kay to get to registerserver.net Jason.Y on 11/14/2013
access-list acl-dmz extended permit tcp object-group DM_INLINE_NETWORK_10 10.10.4.0 255.255.252.0 eq https 
access-list acl-dmz extended deny ip any any inactive 
access-list acl-dmz extended permit ip any 10.0.3.0 255.255.255.224 inactive 
access-list bfd-ipcop extended permit ip 10.10.4.0 255.255.252.0 10.10.55.0 255.255.255.248 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 10.10.55.0 255.255.255.248 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 MV_network 255.255.255.0 
access-list vpn-out extended permit ip 10.10.16.0 255.255.252.0 10.10.35.0 255.255.255.0 
access-list vpn-out extended permit ip 10.10.12.0 255.255.252.0 10.10.35.0 255.255.255.0 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 10.10.35.0 255.255.255.0 
access-list vpn-out extended permit ip Alcoa_Network 255.255.252.0 MV_network 255.255.254.0 
access-list vpn-out extended permit ip Alcoa_Network 255.255.252.0 10.10.35.0 255.255.255.0 
access-list vpn-out extended permit ip MV_network 255.255.255.0 10.10.28.0 255.255.252.0 
access-list vpn-out extended permit ip Alcoa_Network 255.255.252.0 10.10.28.0 255.255.252.0 
access-list vpn-out extended permit ip 10.10.12.0 255.255.252.0 10.10.28.0 255.255.252.0 
access-list vpn-out extended permit ip 10.10.16.0 255.255.252.0 10.10.28.0 255.255.252.0 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 10.10.28.0 255.255.252.0 
access-list vpn-out extended permit ip MV_network 255.255.255.0 Alcoa_Network 255.255.252.0 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 10.10.45.0 255.255.255.128 
access-list vpn-out remark Dallas Kovacs showroom
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.46.5 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.46.57 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.46.2 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.46.3 
access-list vpn-out remark Dallas Lavery-Met showroom
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.2 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.3 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.5 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.6 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.7 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.16 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.17 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.18 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.19 
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 host 10.10.45.45 
access-list vpn-out remark San Diego Backup VPN
access-list vpn-out extended permit ip 10.10.4.0 255.255.252.0 10.10.32.0 255.255.255.0 
access-list vpn-out extended permit ip Alcoa_Network 255.255.252.0 10.10.32.0 255.255.255.0 
access-list mv-ipcop extended permit ip 10.10.4.0 255.255.252.0 MV_network 255.255.254.0 
access-list mv-ipcop extended permit ip Alcoa_Network 255.255.252.0 MV_network 255.255.254.0 
access-list mv-ipcop extended permit ip 10.10.28.0 255.255.252.0 MV_network 255.255.254.0 
access-list ny-ipcop extended permit ip 10.10.4.0 255.255.252.0 10.10.35.0 255.255.255.0 
access-list ny-ipcop extended permit ip Alcoa_Network 255.255.252.0 10.10.35.0 255.255.255.0 
access-list ny-ipcop extended permit ip 10.10.16.0 255.255.252.0 10.10.35.0 255.255.255.0 
access-list ny-ipcop extended permit ip 10.10.12.0 255.255.252.0 10.10.35.0 255.255.255.0 
access-list nc-ipcop extended permit ip 10.10.4.0 255.255.252.0 10.10.28.0 255.255.252.0 
access-list nc-ipcop extended permit ip Alcoa_Network 255.255.252.0 10.10.28.0 255.255.252.0 
access-list nc-ipcop extended permit ip MV_network 255.255.254.0 10.10.28.0 255.255.252.0 
access-list nc-ipcop extended permit ip 10.10.12.0 255.255.252.0 10.10.28.0 255.255.252.0 
access-list nc-ipcop extended permit ip 10.10.16.0 255.255.252.0 10.10.28.0 255.255.252.0 
access-list dal-ipcop extended permit ip 10.10.4.0 255.255.252.0 10.10.45.0 255.255.255.128 
access-list kov-ipcop extended permit ip 10.10.4.0 255.255.252.0 10.10.46.0 255.255.255.192 
access-list sd-vpn extended permit ip 10.10.4.0 255.255.252.0 10.10.32.0 255.255.255.0 inactive 
access-list sd-vpn extended permit ip Alcoa_Network 255.255.252.0 10.10.32.0 255.255.255.0 inactive 
access-list outside_cryptomap_1 extended permit ip 10.10.4.0 255.255.252.0 MV_network 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip Alcoa_Network 255.255.252.0 10.10.44.0 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip MV_network 255.255.254.0 10.10.44.0 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip 10.10.4.0 255.255.252.0 10.10.44.0 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip 10.10.12.0 255.255.252.0 MV_network 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip 10.10.16.0 255.255.252.0 MV_network 255.255.255.0 
access-list outside_cryptomap_1 extended permit ip MV_network 255.255.254.0 MV_network 255.255.255.0 
access-list outside_cryptomap_2 extended permit ip Alcoa_Network 255.255.252.0 MV_network 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging list ftp_error_log level errors
logging list ftp_error_log level errors class session
logging monitor debugging
logging trap debugging
logging history errors
logging asdm informational
logging mail emergencies
logging from-address Bradford-PIX@minka.com
logging recipient-address jyu@minkagroup.net level errors
logging queue 1024
logging host inside 10.10.4.10 17/1740
logging debug-trace
logging class auth history critical trap debugging 
logging class ip history critical trap debugging 
logging class session history emergencies trap debugging 
logging class snmp history emergencies 
logging class sys history critical trap debugging 
logging message 100000 level debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip audit attack action alarm drop
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.10.4.0 255.255.252.0 inside
icmp permit Alcoa_Network 255.255.252.0 inside
asdm image flash:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 192.208.251.77 netmask 255.255.255.192
global (outside) 2 208.57.242.131 netmask 255.255.255.224
global (DMZ) 60 Blackhole_Internal-10.0.3.30 netmask 255.255.255.224
nat (inside) 0 access-list vpn-out
nat (inside) 1 10.10.24.3 255.255.255.255
nat (inside) 1 10.10.24.5 255.255.255.255
nat (inside) 1 10.10.24.7 255.255.255.255
nat (inside) 1 10.10.24.8 255.255.255.255
nat (inside) 1 10.10.24.16 255.255.255.255
nat (inside) 1 10.10.25.219 255.255.255.255
nat (inside) 1 MV_network 255.255.255.0
nat (inside) 1 10.10.4.0 255.255.252.0
nat (inside) 1 Alcoa_Network 255.255.252.0
nat (inside) 60 0.0.0.0 0.0.0.0
static (inside,outside) tcp Test_Public_IP ssh 10.10.4.2 ssh netmask 255.255.255.255 
static (DMZ,outside) tcp Hera_Public ftp-data Hera_Internal ftp-data netmask 255.255.255.255 tcp 5000 0 
static (DMZ,outside) tcp Hera_Public ftp Hera_Internal ftp netmask 255.255.255.255 tcp 5000 0 
static (DMZ,outside) tcp Hera_Public www Hera_Internal www netmask 255.255.255.255 tcp 5000 0 
static (inside,outside) tcp MV_DACS2_SSH ssh 10.10.42.21 ssh netmask 255.255.255.255 
static (inside,outside) tcp MV_DACS_SSH ssh 10.10.42.22 ssh netmask 255.255.255.255 
static (inside,outside) tcp Aegis_Public https Aegis_Private https netmask 255.255.255.255 tcp 1000 0 
static (inside,outside) tcp Aegis_Public smtp Aegis_Private smtp netmask 255.255.255.255 
static (outside,inside) tcp 10.10.42.21 ssh MV_DACS2_SSH ssh netmask 255.255.255.255 
static (outside,inside) tcp 10.10.42.22 ssh MV_DACS_SSH ssh netmask 255.255.255.255 
static (DMZ,outside) Blackhole_Public Blackhole_Internal netmask 255.255.255.255 tcp 7000 0 
static (DMZ,outside) Nova_Public 10.0.3.8 netmask 255.255.255.255 tcp 1000 0 
static (DMZ,outside) Bfdweb02_Public Bfdweb02_Internal netmask 255.255.255.255 tcp 7000 0 
static (DMZ,outside) Mailer_Public Mailer_Internal netmask 255.255.255.255 tcp 5000 0 
static (DMZ,outside) Apollo_Public apollo netmask 255.255.255.255 tcp 7000 0 
static (inside,outside) Atlas_VPN atlas_internal_ip netmask 255.255.255.255 tcp 1000 0 
static (outside,DMZ) apollo Apollo_Public netmask 255.255.255.255 
static (outside,DMZ) Hera_Internal Aegis_Public netmask 255.255.255.255 tcp 5000 0 
static (outside,DMZ) Bfdweb02_Internal Bfdweb02_Public netmask 255.255.255.255 
static (inside,DMZ) MV_network MV_network netmask 255.255.255.0 
static (inside,DMZ) Alcoa_Network Alcoa_Network netmask 255.255.252.0 
static (inside,DMZ) 10.10.4.0 10.10.4.0 netmask 255.255.252.0 
static (inside,outside) BFD_DACS_4.141_SSH 10.10.4.141 netmask 255.255.255.255 tcp 1000 0 
static (inside,outside) BFD_DACS_4.140_SSH 10.10.4.140 netmask 255.255.255.255 tcp 1000 0 
static (inside,outside) Orion_Public 10.10.4.48 netmask 255.255.255.255 tcp 7000 0 
access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 192.208.251.65 1
route inside 10.10.12.0 255.255.252.0 MPLS_Interface 1
route inside 10.10.16.0 255.255.255.0 MPLS_Interface 1
route inside 10.10.1.0 255.255.255.0 MPLS_Interface 1
route inside Alcoa_Network 255.255.252.0 MPLS_Interface 1
route inside 10.10.28.0 255.255.252.0 10.10.4.39 1
route inside 10.10.32.0 255.255.255.0 10.10.4.115 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 4:00:00 h225 4:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server minkagroup.net protocol nt
aaa-server minkagroup.net (inside) host 10.10.4.25
 timeout 5
 nt-auth-domain-controller saturn
aaa authentication ssh console LOCAL 
http server enable
http 10.10.4.0 255.255.252.0 inside
snmp-server host inside 10.10.4.10 community minka
snmp-server location Bradford
snmp-server contact mis@minka.com
snmp-server community minka
crypto ipsec transform-set ipcop esp-aes-256 esp-sha-hmac 
crypto map remote 2 match address bfd-ipcop
crypto map remote 2 set pfs 
crypto map remote 2 set peer 99.91.244.161 
crypto map remote 2 set transform-set ipcop
crypto map remote 3 match address mv-ipcop
crypto map remote 3 set pfs 
crypto map remote 3 set peer 71.116.246.157 
crypto map remote 3 set transform-set ipcop
crypto map remote 4 match address ny-ipcop
crypto map remote 4 set pfs 
crypto map remote 4 set peer 71.249.139.77 
crypto map remote 4 set transform-set ipcop
crypto map remote 5 match address nc-ipcop
crypto map remote 5 set pfs 
crypto map remote 5 set peer 173.188.150.133 
crypto map remote 5 set transform-set ipcop
crypto map remote 6 match address dal-ipcop
crypto map remote 6 set pfs 
crypto map remote 6 set peer 75.49.90.149 
crypto map remote 6 set transform-set ipcop
crypto map remote 7 match address kov-ipcop
crypto map remote 7 set pfs 
crypto map remote 7 set peer 70.243.26.158 
crypto map remote 7 set transform-set ipcop
crypto map remote 8 match address sd-vpn
crypto map remote 8 set pfs 
crypto map remote 8 set peer 66.126.220.213 
crypto map remote 8 set transform-set ipcop
crypto map remote 9 match address outside_cryptomap_1
crypto map remote 9 set peer 71.103.240.253 
crypto map remote 9 set transform-set ipcop
crypto map remote interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 3600
telnet atlas_internal_ip 255.255.255.255 inside
telnet timeout 10
ssh 10.10.4.0 255.255.252.0 inside
ssh timeout 60
ssh version 2
console timeout 60
management-access inside
ntp server atlas_internal_ip source inside prefer
ntp server 10.10.4.10 source inside prefer
tftp-server inside 10.10.4.10 pix515e
ssl encryption des-sha1 rc4-md5
group-policy Minka internal
group-policy Minka attributes
 wins-server value 10.10.4.25
 dns-server value 10.10.4.25 10.10.4.17
 default-domain value minkagroup.net
username admin password ZGA7EwdygnlkEr/t encrypted
username thron password ZbGtHqz1O6JZZn5u encrypted
tunnel-group 99.91.244.161 type ipsec-l2l
tunnel-group 99.91.244.161 ipsec-attributes
 pre-shared-key *
tunnel-group 71.116.246.157 type ipsec-l2l
tunnel-group 71.116.246.157 ipsec-attributes
 pre-shared-key *
tunnel-group 71.249.139.77 type ipsec-l2l
tunnel-group 71.249.139.77 ipsec-attributes
 pre-shared-key *
tunnel-group 173.188.150.133 type ipsec-l2l
tunnel-group 173.188.150.133 ipsec-attributes
 pre-shared-key *
tunnel-group 75.49.90.149 type ipsec-l2l
tunnel-group 75.49.90.149 ipsec-attributes
 pre-shared-key *
tunnel-group 70.243.26.158 type ipsec-l2l
tunnel-group 70.243.26.158 ipsec-attributes
 pre-shared-key *
tunnel-group 66.126.220.213 type ipsec-l2l
tunnel-group 66.126.220.213 ipsec-attributes
 pre-shared-key *
tunnel-group 71.103.240.253 type ipsec-l2l
tunnel-group 71.103.240.253 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect sip 
  inspect h323 h225 
  inspect h323 ras 
  inspect icmp 
policy-map global-policy
 class inspection_default
!
service-policy global_policy global
smtp-server 10.10.4.11
prompt hostname context 
Cryptochecksum:9e296e908f725b968fbf089b7aba462d
: end


0
 

Author Comment

by:Jason Yu
ID: 40271203
sorry, here is the txt file you requested.
show-run-command-result
0
 

Author Comment

by:Jason Yu
ID: 40271204
nat (inside) 0 access-list vpn-out
nat (inside) 1 10.10.24.3 255.255.255.255
nat (inside) 1 10.10.24.5 255.255.255.255
nat (inside) 1 10.10.24.7 255.255.255.255
nat (inside) 1 10.10.24.8 255.255.255.255
nat (inside) 1 10.10.24.16 255.255.255.255
nat (inside) 1 10.10.25.219 255.255.255.255
nat (inside) 1 MV_network 255.255.255.0
nat (inside) 1 10.10.4.0 255.255.252.0
nat (inside) 1 Alcoa_Network 255.255.252.0
nat (inside) 60 0.0.0.0 0.0.0.0


0
 

Author Comment

by:Jason Yu
ID: 40271206
route outside 0.0.0.0 0.0.0.0 192.208.251.65 1
route inside 10.10.12.0 255.255.252.0 MPLS_Interface 1
route inside 10.10.16.0 255.255.255.0 MPLS_Interface 1
route inside 10.10.1.0 255.255.255.0 MPLS_Interface 1
route inside Alcoa_Network 255.255.252.0 MPLS_Interface 1
route inside 10.10.28.0 255.255.252.0 10.10.4.39 1
route inside 10.10.32.0 255.255.255.0 10.10.4.115 1


0
 
LVL 25

Accepted Solution

by:
Ken Boone earned 2000 total points
ID: 40271451
OK, from the command line, if you go into configuration mode
config t

then add this line:

route inside 10.10.42.0 255.255.255.0 MPLS_Interface 1


The route statement adds a route so the ASA knows how to send traffic back to the remote network.

I think that is all you are missing from the ASA config.

I made an assumption that the subnet mask for the 10.10.42.0 network was a /24.  If not, use the right mask.
0
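Why one missing route takes the whole remote subnet off the internet is worth spelling out, because the posted config also carries `ip verify reverse-path interface inside`. That anti-spoofing check accepts a packet arriving on inside only if the best route back to the packet's source address also points out inside. With no route for 10.10.42.0/24, the longest match for a 10.10.42.x source is the default route via outside, so the very first packet of every flow from the remote site is dropped at the firewall, which fits what the carrier reported. The Python below is an added model of that lookup and check, fed with the `route` lines from the posted show run plus the one line from the accepted answer. It is not Cisco code and not part of the original thread; the connected 10.10.4.0/22 route on inside and the sample host 10.10.42.21 are assumptions, and the Alcoa_Network route is omitted because the address behind that name object is not shown on the page.

```python
"""Model of PIX/ASA longest-prefix routing plus the 'ip verify reverse-path'
anti-spoofing check, using the static routes from the posted show run.
Added illustration only; not Cisco code and not the answerer's."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # egress interface, e.g. "inside" / "outside"
    next_hop: str    # an IP or a 'name' object such as MPLS_Interface
    metric: int


def parse_route(line: str) -> Route:
    """Parse one 'route <iface> <net> <mask> <next-hop> <metric>' line."""
    _, iface, net, mask, next_hop, metric = line.split()
    return Route(ipaddress.IPv4Network(f"{net}/{mask}"), iface, next_hop, int(metric))


# Static routes copied from the posted config. The Alcoa_Network route is
# left out because the value behind that name is not shown on the page.
POSTED_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 192.208.251.65 1
route inside 10.10.12.0 255.255.252.0 MPLS_Interface 1
route inside 10.10.16.0 255.255.255.0 MPLS_Interface 1
route inside 10.10.1.0 255.255.255.0 MPLS_Interface 1
route inside 10.10.28.0 255.255.252.0 10.10.4.39 1
route inside 10.10.32.0 255.255.255.0 10.10.4.115 1
"""

# Assumption: the inside interface sits in 10.10.4.0/22 (the mask used for
# 10.10.4.0 throughout the config). The firewall installs this connected
# route by itself; the model adds it explicitly.
CONNECTED_INSIDE = Route(ipaddress.IPv4Network("10.10.4.0/22"), "inside", "connected", 0)

# The single line from the accepted answer.
FIX = "route inside 10.10.42.0 255.255.255.0 MPLS_Interface 1"


def build_table(extra: Optional[str] = None) -> List[Route]:
    """Routing table from the posted lines, optionally with one more route."""
    lines = POSTED_ROUTES.splitlines() + ([extra] if extra else [])
    return [CONNECTED_INSIDE] + [parse_route(line) for line in lines]


def lookup(table: List[Route], address: str) -> Optional[Route]:
    """Longest-prefix match; lower metric wins among equal-length prefixes."""
    addr = ipaddress.IPv4Address(address)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def reverse_path_ok(table: List[Route], src: str, ingress: str) -> bool:
    """'ip verify reverse-path interface <ingress>': accept only if the best
    route back to the source leaves through the interface the packet came in."""
    best = lookup(table, src)
    return best is not None and best.interface == ingress


def forward(table: List[Route], src: str, dst: str, ingress: str) -> str:
    """What the firewall does with the first packet of a flow src -> dst on ingress."""
    if not reverse_path_ok(table, src, ingress):
        return f"DROP reverse-path check failed for {src} on {ingress}"
    route = lookup(table, dst)
    if route is None:
        return f"DROP no route to {dst}"
    return f"FORWARD {dst} via {route.interface} next-hop {route.next_hop}"


if __name__ == "__main__":
    before, after = build_table(), build_table(FIX)
    # Remote-site host (10.10.42.21 appears in the posted statics) toward the
    # www.google.com address from the traceroute in the question.
    print("before:", forward(before, "10.10.42.21", "74.125.224.146", "inside"))
    print("after: ", forward(after, "10.10.42.21", "74.125.224.146", "inside"))
    # The same route is what carries the un-NATed reply back to the remote site.
    print("reply: ", lookup(after, "10.10.42.21"))
    # A source in no known inside prefix is still dropped: anti-spoofing kept.
    print("spoof: ", forward(after, "10.10.99.5", "74.125.224.146", "inside"))
```

Run stand-alone, the script shows the pre-fix table dropping the remote host on the reverse-path check, the post-fix table forwarding it out the default route, and a constructed source in no known inside prefix (10.10.99.5) still being dropped, so the anti-spoofing check keeps its value once the legitimate subnet has its route. The practical rule this encodes: on a firewall with `ip verify reverse-path` enabled, every internal subnet that can originate traffic needs a route pointing at the interface it arrives on, whether or not NAT already covers it.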
 

Author Comment

by:Jason Yu
ID: 40272150
It indeed works. That's gorgeous. It was worth getting up at 2:55 AM to try this command.

Why couldn't I input this command through the ASDM interface?
0
 
LVL 25

Expert Comment

by:Ken Boone
ID: 40272487
You could have done it through the ASDM - I am just more versed in the command line and I would have needed an ASDM in front of me to tell you how to do it through the ASDM.

If you dig around in the ASDM and look for routing - static routes you will see the change.
0
 

Author Comment

by:Jason Yu
ID: 40274057
Yep, after I checked the routing section, I found the newly created policy. Thank you a lot, Ken, you are the BEST!
0
