cyexx
asked on
ASA 5510 - Shoretel vlan to Client Vlans
Having issues with ASA 5510 - V 8.0.2
Already have the VLANs in the same security level but having issues routing traffic between VLANs.
Have new ShoreTel phone system on VLAN 33.
Need PCs on VLAN 1 and other VLANs to access VLAN 33 for all traffic for ShoreTel applications.
**************************************************
Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)
Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"
fw1 up 3 days 22 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 001e.5a10.b6e8, irq 9
1: Ext: Ethernet0/1 : address is 001e.5a10.b6e9, irq 9
2: Ext: Ethernet0/2 : address is 001e.5a10.b6ea, irq 9
3: Ext: Ethernet0/3 : address is 001e.5a10.b6eb, irq 9
4: Ext: Management0/0 : address is 001e.5a10.b6ec, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
Advanced Endpoint Assessment : Disabled
This platform has an ASA 5510 Security Plus license.
Serial Number: JMX1208L1FF
Configuration register is 0x1
Configuration last modified by jfitzgerald at 16:29:36.785 EST Sat Dec 20 2014
**************************************************
: Saved
:
ASA Version 8.0(2)
!
hostname fw1
domain-name sugarloaf.****
names
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
ospf cost 10
management-only
!
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/1
nameif wan
security-level 0
ip address 209.156.64.66 255.255.255.192
ospf cost 10
!
interface Redundant2
member-interface Ethernet0/2
member-interface Ethernet0/3
nameif Lan
security-level 90
ip address 192.168.0.1 255.255.255.0
ospf cost 10
!
interface Redundant2.10
vlan 10
nameif Conf
security-level 90
ip address 192.168.249.1 255.255.255.0
!
interface Redundant2.33
vlan 33
nameif ShoreTel
security-level 90
ip address 192.168.10.1 255.255.255.0
!
interface Redundant2.101
vlan 101
nameif Vlan101
security-level 90
ip address 192.168.250.17 255.255.255.240
!
interface Redundant2.103
vlan 103
nameif Vlan103
security-level 90
ip address 192.168.250.49 255.255.255.240
!
interface Redundant2.104
vlan 104
nameif Sci
security-level 90
ip address 192.168.1.1 255.255.255.0
!
interface Redundant2.106
vlan 106
nameif Global
security-level 90
ip address 192.168.17.1 255.255.255.240
!
interface Redundant2.107
vlan 107
nameif 107
security-level 90
ip address 192.168.18.1 255.255.255.0
!
interface Redundant2.108
vlan 108
nameif Photo
security-level 90
ip address 192.168.19.1 255.255.255.0
!
interface Redundant2.120
vlan 120
nameif enterprise
security-level 90
ip address 192.168.21.1 255.255.255.0
!
interface Redundant2.121
vlan 121
nameif 1st
security-level 90
ip address 192.168.20.1 255.255.255.0
!
interface Redundant2.122
vlan 122
nameif Richard
security-level 90
ip address 192.168.23.1 255.255.255.0
!
interface Redundant2.123
vlan 123
nameif Expert
security-level 90
ip address 192.168.24.1 255.255.255.0
!
interface Redundant2.124
vlan 124
nameif Hew
security-level 90
ip address 192.168.25.1 255.255.255.0
!
interface Redundant2.125
vlan 125
nameif United
security-level 90
ip address 192.168.26.1 255.255.255.0
!
interface Redundant2.208
vlan 208
nameif 208
security-level 90
ip address 192.168.22.1 255.255.255.0
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Lan
dns domain-lookup Vlan101
dns domain-lookup Vlan103
dns domain-lookup Sci
dns domain-lookup enterprise
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.220.220
domain-name sugarloaf.****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service RDP tcp
port-object eq 3389
access-list wan_access_in extended permit udp any range 1 65535 host 209.000.000.000 eq snmp
access-list wan_access_in extended permit tcp any range 1 65535 host 209.000.000.000 eq 9100
access-list wan_access_in extended permit tcp any range 1 65535 host 209.000.000.000 eq www
access-list wan_access_in extended permit tcp any range 1 65535 host 209.000.000.000 eq 445
access-list wan_access_in extended permit icmp any host 209.000.000.000 echo
access-list wan_access_in extended permit ip any host 192.168.0.108
access-list wan_access_in extended permit ip any host 209.000.000.000
access-list wan_access_in extended permit ip any host 192.168.1.199
access-list wan_access_in extended permit ip any host 209.000.000.000
access-list Cyexx_Support_splitTunnelAcl standard permit any
access-list management_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.224
access-list management_nat0_outbound extended permit ip any 192.168.2.32 255.255.255.224
access-list Cyexx_Support_splitTunnelAcl_1 standard permit any
access-list RDP extended permit tcp any host 192.168.0.218 eq 3389 log
access-list Lan_access_in extended permit ip any any
access-list Lan_access_in extended permit icmp any any
access-list Local_Lan_Access remark Local Lan Access
access-list Local_Lan_Access standard permit host 0.0.0.0
access-list ShoreTel_access_in extended permit ip any any
access-list ShoreTel_access_in extended permit icmp any any
access-list Lan_access_out extended permit ip any any
access-list ShoreTel_access_out extended permit ip any any
pager lines 24
mtu management 1500
mtu wan 1500
mtu Lan 1500
mtu Conf 1500
mtu Vlan101 1500
mtu Vlan103 1500
mtu Scintel 1500
mtu Global_Consultant 1500
mtu 107 1500
mtu Photo_Archive 1500
mtu enterprise_tech 1500
mtu 1st_choice_m 1500
mtu Richard 1500
mtu Expert_Bench 1500
mtu Hewitt 1500
mtu UnitedQHC 1500
mtu 208 1500
mtu ShoreTel 1500
ip local pool Support 192.168.2.40-192.168.2.50 mask 255.255.255.0
ip local pool Cyexx 10.0.1.20-10.0.1.40 mask 255.255.255.0
ip verify reverse-path interface wan
ip verify reverse-path interface Lan
ip verify reverse-path interface Vlan101
ip verify reverse-path interface Vlan103
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any wan
icmp permit any Lan
icmp permit any Vlan101
asdm image disk0:/asdm-602.bin
asdm history enable
arp Lan 192.168.0.78 001e.c92c.eb54
arp Lan 192.168.0.108 0000.7489.9fbc
arp Lan 192.168.0.145 0000.7487.f130
arp Lan 192.168.0.127 0013.72f8.93a3
arp timeout 14400
global (wan) 1 interface
nat (management) 0 access-list management_nat0_outbound
nat (Lan) 1 192.168.0.0 255.255.255.0
nat (Conf) 1 192.168.249.0 255.255.255.0
nat (Vlan101) 1 192.168.250.16 255.255.255.240
nat (Vlan103) 1 192.168.250.48 255.255.255.240
nat (Sci) 1 192.168.1.0 255.255.255.0
nat (Global) 1 192.168.17.0 255.255.255.240
nat (107) 1 192.168.18.0 255.255.255.0
nat (Photo) 1 192.168.19.0 255.255.255.0
nat (enterprise) 1 192.168.21.0 255.255.255.0
nat (1st) 1 192.168.20.0 255.255.255.0
nat (Richard) 1 192.168.23.0 255.255.255.0
nat (Expert) 1 192.168.24.0 255.255.255.0
nat (Hewitt) 1 192.168.25.0 255.255.255.0
nat (United) 1 192.168.26.0 255.255.255.0
nat (208) 1 192.168.22.0 255.255.255.0
nat (ShoreTel) 1 192.168.10.0 255.255.255.0
static (Lan,wan) 209.156.64.126 192.168.0.108 netmask 255.255.255.255
static (Lan,wan) 209.000.000.000 192.168.0.145 netmask 255.255.255.255
access-group wan_access_in in interface wan
access-group Lan_access_in in interface Lan
access-group Lan_access_out out interface Lan
access-group ShoreTel_access_in in interface ShoreTel
access-group ShoreTel_access_out out interface ShoreTel
!
router rip
version 1
!
route wan 0.0.0.0 0.0.0.0 209.000.000.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 98.000.000.000 255.255.255.255 wan
http 192.168.2.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Lan
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto map GMD_Design_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Lan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Lan_map interface Lan
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto isakmp enable management
crypto isakmp enable wan
crypto isakmp enable Lan
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 management
ssh 192.168.0.0 255.255.255.0 Lan
ssh timeout 5
ssh version 2
console timeout 0
management-access management
dhcpd address 192.168.0.50-192.168.0.252 Lan
dhcpd dns 208.67.222.222 192.228.79.201 interface Lan
dhcpd domain sl.building.local interface Lan
dhcpd enable Lan
!
dhcpd address 192.168.249.20-192.168.249.250 Conf
dhcpd dns 208.67.222.222 208.67.220.220 interface Conf
dhcpd ping_timeout 100 interface Conf
dhcpd domain conf.sl.building.local interface Conf
dhcpd enable Conf
!
dhcpd address 192.168.250.19-192.168.250.29 Vlan101
dhcpd dns 208.67.222.222 208.67.220.220 interface Vlan101
dhcpd domain building.local interface Vlan101
dhcpd enable Vlan101
!
dhcpd address 192.168.250.50-192.168.250.60 Vlan103
dhcpd dns 208.67.222.222 208.67.220.220 interface Vlan103
dhcpd domain building.local interface Vlan103
dhcpd enable Vlan103
!
dhcpd address 192.168.1.200-192.168.1.254 Sci
dhcpd dns 8.8.8.8 8.8.4.4 interface Sci
dhcpd domain scintel.sl.building.local interface Sci
dhcpd enable Sci
!
dhcpd address 192.168.17.5-192.168.17.14 Global
dhcpd dns 208.67.222.222 208.67.220.220 interface Global
dhcpd domain gc.sl.building.local interface Global
dhcpd enable Global
!
dhcpd address 192.168.18.5-192.168.18.25 107
dhcpd dns 208.67.222.222 208.67.220.220 interface 107
dhcpd domain building.local interface 107
dhcpd enable 107
!
dhcpd address 192.168.19.20-192.168.19.200 Photo
dhcpd dns 208.67.222.222 208.67.220.220 interface Photo
dhcpd domain pa.sl.building.local interface Photo
dhcpd enable Photo
!
dhcpd address 192.168.21.10-192.168.21.250 enterprise
dhcpd dns 208.60.222.222 208.60.220.220 interface enterprise
dhcpd domain et.sl.building.local interface enterprise
dhcpd enable enterprise
!
dhcpd address 192.168.20.100-192.168.20.120 1st
dhcpd dns 208.67.222.222 208.67.220.220 interface 1st
dhcpd domain 1st.sl.ceocenters.local interface 1st
dhcpd enable 1st
!
dhcpd address 192.168.23.50-192.168.23.100 Richard
dhcpd dns 208.67.222.222 208.67.220.220 interface Richard
dhcpd domain richard.sl.building.local interface Richard
dhcpd enable Richard
!
dhcpd address 192.168.24.20-192.168.24.249 Expert
dhcpd dns 208.67.222.222 208.67.220.220 interface Expert
dhcpd domain eb.sl.building.local interface Expert
dhcpd enable Expert
!
dhcpd address 192.168.25.20-192.168.25.249 Hewitt
dhcpd dns 208.67.222.222 208.67.220.220 interface Hewitt
dhcpd domain hewitt.sl.building.local interface Hewitt
dhcpd enable Hewitt
!
dhcpd address 192.168.26.100-192.168.26.250 United
dhcpd dns 208.67.222.222 208.67.220.220 interface United
dhcpd domain 125.sl.building.local interface United
dhcpd enable United
!
dhcpd address 192.168.22.10-192.168.22.250 208
dhcpd dns 208.67.222.222 208.67.220.220 interface 208
dhcpd domain 208.sl.building.local interface 208
dhcpd enable 208
!
dhcpd address 192.168.10.50-192.168.10.200 ShoreTel
dhcpd dns 8.8.8.8 8.8.4.4 interface ShoreTel
dhcpd domain voice.ceocenters.local interface ShoreTel
dhcpd option 42 ip 192.168.10.10 interface ShoreTel
dhcpd option 156 ascii ftpservers=192.168.10.10,country=1,language=1,layer2tagging=1,vlanid=33 interface ShoreTel
dhcpd enable ShoreTel
!
vpn load-balancing
interface lbpublic 107
interface lbprivate 107
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map type inspect im match-all MSN
match protocol msn-im
class-map type inspect im match-all Yahoo
match protocol yahoo-im
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect ftp FTP_Map
parameters
mask-banner
mask-syst-reply
policy-map type inspect esmtp PreSet_ESMTP_Map
parameters
no mask-banner
match sender-address length gt 320
log
match MIME filename length gt 255
log
match cmd line length gt 512
log
match cmd RCPT count gt 100
log
match body line length gt 998
log
policy-map type inspect im Instant-Message-Inspection
parameters
class MSN
log
class Yahoo
log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect im Instant-Message-Inspection
inspect pptp
inspect icmp
policy-map type inspect h323 h323_Map
parameters
policy-map type inspect netbios NetBios_Map
parameters
protocol-violation action drop log
policy-map type inspect http Http_Inspect_Map
description Http Inspect Map
parameters
protocol-violation action drop-connection
!
service-policy global_policy global
ntp server 74.53.198.146 source wan
ntp server 209.132.176.4 source wan
ntp server 24.20.30.232 source wan
tftp-server management 192.168.2.10 asa/ceo_config
group-policy Cyexx_Support internal
group-policy Cyexx_Support attributes
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_Lan_Access
default-domain value building.local
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy Cyexx_Support
tunnel-group Cyexx_Support type remote-access
tunnel-group Cyexx_Support general-attributes
address-pool Cyexx
default-group-policy Cyexx_Support
tunnel-group Cyexx_Support ipsec-attributes
pre-shared-key *
smtp-server 192.168.0.128
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:35c97da14358c38b96979620b6214d7f
: end
asdm image disk0:/asdm-602.bin
asdm history enable
**************************************************
Log Dump from ASA
3|Dec 20 2014|18:29:13|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
4|Dec 20 2014|18:29:10|106023|169.130.96.216|209.000.000.66|Deny icmp src wan:169.130.96.216 dst Lan:209.000.000.66 (type 3, code 0) by access-group "wan_access_in" [0x0, 0x0]
4|Dec 20 2014|18:29:10|106023|169.130.96.216|209.000.000.66|Deny icmp src wan:169.130.96.216 dst Lan:209.000.000.66 (type 3, code 0) by access-group "wan_access_in" [0x0, 0x0]
3|Dec 20 2014|18:29:08|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:29:03|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:58|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:57|305006|192.168.1.253|| portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:57|305006|192.168.1.253|| portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:53|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:48|305006|192.168.1.253|| portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:48|305006|192.168.1.253|| portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:48|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:43|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
4|Dec 20 2014|18:28:39|106023|169.130.96.216|209.000.000.66|Deny icmp src wan:169.130.96.216 dst Sci:209.000.000.66 (type 3, code 0) by access-group "wan_access_in" [0x0, 0x0]
3|Dec 20 2014|18:28:38|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:37|305006|192.168.1.253|| portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:37|305006|192.168.1.253|| portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:33|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:28|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:23|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:18|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:13|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:08|305006|192.168.10.10|| portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
dhcpd enable Lan
!
dhcpd address 192.168.249.20-192.168.249
dhcpd dns 208.67.222.222 208.67.220.220 interface Conf
dhcpd ping_timeout 100 interface Conf
dhcpd domain conf.sl.building.local interface Conf
dhcpd enable Conf
!
dhcpd address 192.168.250.19-192.168.250
dhcpd dns 208.67.222.222 208.67.220.220 interface Vlan101
dhcpd domain building.local interface Vlan101
dhcpd enable Vlan101
!
dhcpd address 192.168.250.50-192.168.250
dhcpd dns 208.67.222.222 208.67.220.220 interface Vlan103
dhcpd domain building.local interface Vlan103
dhcpd enable Vlan103
!
dhcpd address 192.168.1.200-192.168.1.25
dhcpd dns 8.8.8.8 8.8.4.4 interface Sci
dhcpd domain scintel.sl.building.local interface Sci
dhcpd enable Sci
!
dhcpd address 192.168.17.5-192.168.17.14
dhcpd dns 208.67.222.222 208.67.220.220 interface Global
dhcpd domain gc.sl.building.local interface Global
dhcpd enable Global
!
dhcpd address 192.168.18.5-192.168.18.25
dhcpd dns 208.67.222.222 208.67.220.220 interface 107
dhcpd domain building.local interface 107
dhcpd enable 107
!
dhcpd address 192.168.19.20-192.168.19.2
dhcpd dns 208.67.222.222 208.67.220.220 interface Photo
dhcpd domain pa.sl.building.local interface Photo
dhcpd enable Photo
!
dhcpd address 192.168.21.10-192.168.21.2
dhcpd dns 208.60.222.222 208.60.220.220 interface enterprise
dhcpd domain et.sl.building.local interface enterprise
dhcpd enable enterprise
!
dhcpd address 192.168.20.100-192.168.20.
dhcpd dns 208.67.222.222 208.67.220.220 interface 1st
dhcpd domain 1st.sl.ceocenters.local interface 1st
dhcpd enable 1st
!
dhcpd address 192.168.23.50-192.168.23.1
dhcpd dns 208.67.222.222 208.67.220.220 interface Richard
dhcpd domain richard.sl.building.local interface Richard
dhcpd enable Richard
!
dhcpd address 192.168.24.20-192.168.24.2
dhcpd dns 208.67.222.222 208.67.220.220 interface Expert
dhcpd domain eb.sl.building.local interface Expert
dhcpd enable Expert
!
dhcpd address 192.168.25.20-192.168.25.2
dhcpd dns 208.67.222.222 208.67.220.220 interface Hewitt
dhcpd domain hewitt.sl.building.local interface Hewitt
dhcpd enable Hewitt
!
dhcpd address 192.168.26.100-192.168.26.
dhcpd dns 208.67.222.222 208.67.220.220 interface United
dhcpd domain 125.sl.building.local interface United
dhcpd enable United
!
dhcpd address 192.168.22.10-192.168.22.2
dhcpd dns 208.67.222.222 208.67.220.220 interface 208
dhcpd domain 208.sl.building.local interface 208
dhcpd enable 208
!
dhcpd address 192.168.10.50-192.168.10.2
dhcpd dns 8.8.8.8 8.8.4.4 interface ShoreTel
dhcpd domain voice.ceocenters.local interface ShoreTel
dhcpd option 42 ip 192.168.10.10 interface ShoreTel
dhcpd option 156 ascii ftpservers=192.168.10.10,c
dhcpd enable ShoreTel
!
vpn load-balancing
interface lbpublic 107
interface lbprivate 107
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map type inspect im match-all MSN
match protocol msn-im
class-map type inspect im match-all Yahoo
match protocol yahoo-im
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect ftp FTP_Map
parameters
mask-banner
mask-syst-reply
policy-map type inspect esmtp PreSet_ESMTP_Map
parameters
no mask-banner
match sender-address length gt 320
log
match MIME filename length gt 255
log
match cmd line length gt 512
log
match cmd RCPT count gt 100
log
match body line length gt 998
log
policy-map type inspect im Instant-Message-Inspection
parameters
class MSN
log
class Yahoo
log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect im Instant-Message-Inspection
inspect pptp
inspect icmp
policy-map type inspect h323 h323_Map
parameters
policy-map type inspect netbios NetBios_Map
parameters
protocol-violation action drop log
policy-map type inspect http Http_Inspect_Map
description Http Inspect Map
parameters
protocol-violation action drop-connection
!
service-policy global_policy global
ntp server 74.53.198.146 source wan
ntp server 209.132.176.4 source wan
ntp server 24.20.30.232 source wan
tftp-server management 192.168.2.10 asa/ceo_config
group-policy Cyexx_Support internal
group-policy Cyexx_Support attributes
dns-server value 208.67.222.222 208.67.220.220
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_Lan_Access
default-domain value building.local
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy Cyexx_Support
tunnel-group Cyexx_Support type remote-access
tunnel-group Cyexx_Support general-attributes
address-pool Cyexx
default-group-policy Cyexx_Support
tunnel-group Cyexx_Support ipsec-attributes
pre-shared-key *
smtp-server 192.168.0.128
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:35c97da1435
: end
asdm image disk0:/asdm-602.bin
asdm history enable
**************************
Log Dump from ASA
3|Dec 20 2014|18:29:13|305006|192.1
4|Dec 20 2014|18:29:10|106023|169.1
4|Dec 20 2014|18:29:10|106023|169.1
3|Dec 20 2014|18:29:08|305006|192.1
3|Dec 20 2014|18:29:03|305006|192.1
3|Dec 20 2014|18:28:58|305006|192.1
3|Dec 20 2014|18:28:57|305006|192.1
3|Dec 20 2014|18:28:57|305006|192.1
3|Dec 20 2014|18:28:53|305006|192.1
3|Dec 20 2014|18:28:48|305006|192.1
3|Dec 20 2014|18:28:48|305006|192.1
3|Dec 20 2014|18:28:48|305006|192.1
3|Dec 20 2014|18:28:43|305006|192.1
4|Dec 20 2014|18:28:39|106023|169.1
3|Dec 20 2014|18:28:38|305006|192.1
3|Dec 20 2014|18:28:37|305006|192.1
3|Dec 20 2014|18:28:37|305006|192.1
3|Dec 20 2014|18:28:33|305006|192.1
3|Dec 20 2014|18:28:28|305006|192.1
3|Dec 20 2014|18:28:23|305006|192.1
3|Dec 20 2014|18:28:18|305006|192.1
3|Dec 20 2014|18:28:13|305006|192.1
3|Dec 20 2014|18:28:08|305006|192.1
How many clients on each VLAN? Why so many VLANs? Is there an actual security need for isolation?
ASKER
Multi-tenant setup: we provide internet to multiple offices on the same floor, so different companies, so they have to be isolated. The old phone system was analog lines, but the new system is IP based, so all companies will need access to the software running on the ShoreTel phone system, which is in a VLAN of its own because of the custom FTP settings and such for phone booting.
ASKER
I found a solution that would work. Thanks for the help.
http://blog.braini.ac/?p=38
static (Lan,ShoreTel) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (ShoreTel,Lan) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
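Why the two identity statics are needed, as an added example that is not part of the original post or the linked blog: on pre-8.3 ASA software a source that matches a dynamic `nat` rule needs a `global` with the same id on the egress interface, or a `static` for that interface pair, otherwise the flow gets no translation (the condition logged as syslog 305006, "portmap translation creation failed"). The function names are hypothetical, and the config lines are copied from the post into a constructed excerpt.

```python
import ipaddress
import re

# Constructed excerpt: nat/global lines from the posted config, and the two
# identity statics from the asker's fix. Pre-8.3 NAT syntax only.
BEFORE = """\
global (wan) 1 interface
nat (Lan) 1 192.168.0.0 255.255.255.0
nat (Sci) 1 192.168.1.0 255.255.255.0
nat (ShoreTel) 1 192.168.10.0 255.255.255.0
"""
FIX = """\
static (Lan,ShoreTel) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (ShoreTel,Lan) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
"""


def parse(config):
    """Collect dynamic nat rules, global pools and statics from the config text."""
    nats, globals_, statics = [], set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line):
            if m[2] != "0":  # nat 0 is an exemption, not dynamic NAT
                nats.append((m[1], m[2], ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            globals_.add((m[1], m[2]))
        elif m := re.match(r"static \((\S+),(\S+)\) \S+ (\S+) netmask (\S+)", line):
            statics.append((m[1], m[2], ipaddress.ip_network(f"{m[3]}/{m[4]}")))
    return nats, globals_, statics


def untranslatable(config, src_if, src_ip, dst_if):
    """True if the flow matches dynamic NAT but has no usable translation."""
    nats, globals_, statics = parse(config)
    ip = ipaddress.ip_address(src_ip)
    # A static for this interface pair that covers the source wins over dynamic NAT.
    if any(r == src_if and mp == dst_if and ip in net for r, mp, net in statics):
        return False
    for ifc, nat_id, net in nats:
        if ifc == src_if and ip in net:
            # Dynamic NAT applies, so the egress interface needs a global with this id.
            return (dst_if, nat_id) not in globals_
    return False  # no dynamic nat rule matches this source
```

With only the two statics above, the Sci subnet (and any other interface carrying `nat (...) 1`) still reports as untranslatable toward ShoreTel.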
ASKER
I am giving you credit on this one for helping troubleshoot the issue, even though I found the solution outside.
ASKER
Fiber provider inbound to the ASA, which is the only configured router, and then switches are linked behind the ASA.
**************************
Result of the command: "show route"
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 209.000.000.65 to network 0.0.0.0
C 192.168.25.0 255.255.255.0 is directly connected, Hewitt
C 192.168.24.0 255.255.255.0 is directly connected, Expert
C 192.168.10.0 255.255.255.0 is directly connected, ShoreTel
C 192.168.26.0 255.255.255.0 is directly connected, United
C 209.000.000.64 255.255.255.192 is directly connected, wan
C 192.168.21.0 255.255.255.0 is directly connected, enterprise
C 192.168.250.16 255.255.255.240 is directly connected, Vlan101
C 192.168.250.48 255.255.255.240 is directly connected, Vlan103
C 192.168.20.0 255.255.255.0 is directly connected, 1st
C 192.168.249.0 255.255.255.0 is directly connected, Conf
C 192.168.23.0 255.255.255.0 is directly connected, Richard
C 192.168.22.0 255.255.255.0 is directly connected, 208
C 192.168.0.0 255.255.255.0 is directly connected, Lan
C 192.168.17.0 255.255.255.240 is directly connected, Global
C 192.168.1.0 255.255.255.0 is directly connected, Sci
C 192.168.2.0 255.255.255.0 is directly connected, management
C 192.168.19.0 255.255.255.0 is directly connected, Photo
C 192.168.18.0 255.255.255.0 is directly connected, 107
S* 0.0.0.0 0.0.0.0 [1/0] via 209.000.000.65, wan