ASA 5510 - Shoretel vlan to Client Vlans

Posted on 2014-12-20
Last Modified: 2014-12-21
Having issues with ASA 5510 - V 8.0.2

Already have the VLANs at the same security level, but having issues routing traffic between VLANs.
Have a new ShoreTel phone system on VLAN 33.
Need PCs on VLAN 1 and other VLANs to access VLAN 33 for all traffic for the ShoreTel applications.
******************************************************************************************
Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"

fw1 up 3 days 22 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is 001e.5a10.b6e8, irq 9
 1: Ext: Ethernet0/1         : address is 001e.5a10.b6e9, irq 9
 2: Ext: Ethernet0/2         : address is 001e.5a10.b6ea, irq 9
 3: Ext: Ethernet0/3         : address is 001e.5a10.b6eb, irq 9
 4: Ext: Management0/0       : address is 001e.5a10.b6ec, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled  
VPN Peers                    : 250      
WebVPN Peers                 : 2        
Advanced Endpoint Assessment : Disabled  

This platform has an ASA 5510 Security Plus license.

Serial Number: JMX1208L1FF
Configuration register is 0x1
Configuration last modified by jfitzgerald at 16:29:36.785 EST Sat Dec 20 2014

********************************************************************************************
: Saved
:
ASA Version 8.0(2)
!
hostname fw1
domain-name sugarloaf.****
names
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
 management-only
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif wan
 security-level 0
 ip address 209.156.64.66 255.255.255.192
 ospf cost 10
!
interface Redundant2
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 nameif Lan
 security-level 90
 ip address 192.168.0.1 255.255.255.0
 ospf cost 10
!
interface Redundant2.10
 vlan 10
 nameif Conf
 security-level 90
 ip address 192.168.249.1 255.255.255.0
!
interface Redundant2.33
 vlan 33
 nameif ShoreTel
 security-level 90
 ip address 192.168.10.1 255.255.255.0
!
interface Redundant2.101
 vlan 101
 nameif Vlan101
 security-level 90
 ip address 192.168.250.17 255.255.255.240
!
interface Redundant2.103
 vlan 103
 nameif Vlan103
 security-level 90
 ip address 192.168.250.49 255.255.255.240
!
interface Redundant2.104
 vlan 104
 nameif Sci
 security-level 90
 ip address 192.168.1.1 255.255.255.0
!
interface Redundant2.106
 vlan 106
 nameif Global
 security-level 90
 ip address 192.168.17.1 255.255.255.240
!
interface Redundant2.107
 vlan 107
 nameif 107
 security-level 90
 ip address 192.168.18.1 255.255.255.0
!
interface Redundant2.108
 vlan 108
 nameif Photo
 security-level 90
 ip address 192.168.19.1 255.255.255.0
!
interface Redundant2.120
 vlan 120
 nameif enterprise
 security-level 90
 ip address 192.168.21.1 255.255.255.0
!
interface Redundant2.121
 vlan 121
 nameif 1st
 security-level 90
 ip address 192.168.20.1 255.255.255.0
!
interface Redundant2.122
 vlan 122
 nameif Richard
 security-level 90
 ip address 192.168.23.1 255.255.255.0
!
interface Redundant2.123
 vlan 123
 nameif Expert
 security-level 90
 ip address 192.168.24.1 255.255.255.0
!
interface Redundant2.124
 vlan 124
 nameif Hew
 security-level 90
 ip address 192.168.25.1 255.255.255.0
!
interface Redundant2.125
 vlan 125
 nameif United
 security-level 90
 ip address 192.168.26.1 255.255.255.0
!
interface Redundant2.208
 vlan 208
 nameif 208
 security-level 90
 ip address 192.168.22.1 255.255.255.0
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Lan
dns domain-lookup Vlan101
dns domain-lookup Vlan103
dns domain-lookup Sci
dns domain-lookup enterprise
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 domain-name sugarloaf.****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq 3389
access-list wan_access_in extended permit udp any range 1 65535 host 209.000.000.000 eq snmp
access-list wan_access_in extended permit tcp any range 1 65535 host 209.000.000.000 eq 9100
access-list wan_access_in extended permit tcp any range 1 65535 host 209.000.000.000 eq www
access-list wan_access_in extended permit tcp any range 1 65535 host 209.000.000.000 eq 445
access-list wan_access_in extended permit icmp any host 209.000.000.000 echo
access-list wan_access_in extended permit ip any host 192.168.0.108
access-list wan_access_in extended permit ip any host 209.000.000.000
access-list wan_access_in extended permit ip any host 192.168.1.199
access-list wan_access_in extended permit ip any host 209.000.000.000
access-list Cyexx_Support_splitTunnelAcl standard permit any
access-list management_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.224
access-list management_nat0_outbound extended permit ip any 192.168.2.32 255.255.255.224
access-list Cyexx_Support_splitTunnelAcl_1 standard permit any
access-list RDP extended permit tcp any host 192.168.0.218 eq 3389 log
access-list Lan_access_in extended permit ip any any
access-list Lan_access_in extended permit icmp any any
access-list Local_Lan_Access remark Local Lan Access
access-list Local_Lan_Access standard permit host 0.0.0.0
access-list ShoreTel_access_in extended permit ip any any
access-list ShoreTel_access_in extended permit icmp any any
access-list Lan_access_out extended permit ip any any
access-list ShoreTel_access_out extended permit ip any any
pager lines 24
mtu management 1500
mtu wan 1500
mtu Lan 1500
mtu Conf 1500
mtu Vlan101 1500
mtu Vlan103 1500
mtu Scintel 1500
mtu Global_Consultant 1500
mtu 107 1500
mtu Photo_Archive 1500
mtu enterprise_tech 1500
mtu 1st_choice_m 1500
mtu Richard 1500
mtu Expert_Bench 1500
mtu Hewitt 1500
mtu UnitedQHC 1500
mtu 208 1500
mtu ShoreTel 1500
ip local pool Support 192.168.2.40-192.168.2.50 mask 255.255.255.0
ip local pool Cyexx 10.0.1.20-10.0.1.40 mask 255.255.255.0
ip verify reverse-path interface wan
ip verify reverse-path interface Lan
ip verify reverse-path interface Vlan101
ip verify reverse-path interface Vlan103
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any wan
icmp permit any Lan
icmp permit any Vlan101
asdm image disk0:/asdm-602.bin
asdm history enable
arp Lan 192.168.0.78 001e.c92c.eb54
arp Lan 192.168.0.108 0000.7489.9fbc
arp Lan 192.168.0.145 0000.7487.f130
arp Lan 192.168.0.127 0013.72f8.93a3
arp timeout 14400
global (wan) 1 interface
nat (management) 0 access-list management_nat0_outbound
nat (Lan) 1 192.168.0.0 255.255.255.0
nat (Conf) 1 192.168.249.0 255.255.255.0
nat (Vlan101) 1 192.168.250.16 255.255.255.240
nat (Vlan103) 1 192.168.250.48 255.255.255.240
nat (Sci) 1 192.168.1.0 255.255.255.0
nat (Global) 1 192.168.17.0 255.255.255.240
nat (107) 1 192.168.18.0 255.255.255.0
nat (Photo) 1 192.168.19.0 255.255.255.0
nat (enterprise) 1 192.168.21.0 255.255.255.0
nat (1st) 1 192.168.20.0 255.255.255.0
nat (Richard) 1 192.168.23.0 255.255.255.0
nat (Expert) 1 192.168.24.0 255.255.255.0
nat (Hewitt) 1 192.168.25.0 255.255.255.0
nat (United) 1 192.168.26.0 255.255.255.0
nat (208) 1 192.168.22.0 255.255.255.0
nat (ShoreTel) 1 192.168.10.0 255.255.255.0
static (Lan,wan) 209.156.64.126 192.168.0.108 netmask 255.255.255.255
static (Lan,wan) 209.000.000.000 192.168.0.145 netmask 255.255.255.255
access-group wan_access_in in interface wan
access-group Lan_access_in in interface Lan
access-group Lan_access_out out interface Lan
access-group ShoreTel_access_in in interface ShoreTel
access-group ShoreTel_access_out out interface ShoreTel
!
router rip
 version 1
!
route wan 0.0.0.0 0.0.0.0 209.000.000.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 98.000.000.000 255.255.255.255 wan
http 192.168.2.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Lan
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto map GMD_Design_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Lan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Lan_map interface Lan
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto isakmp enable management
crypto isakmp enable wan
crypto isakmp enable Lan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 management
ssh 192.168.0.0 255.255.255.0 Lan
ssh timeout 5
ssh version 2
console timeout 0
management-access management
dhcpd address 192.168.0.50-192.168.0.252 Lan
dhcpd dns 208.67.222.222 192.228.79.201 interface Lan
dhcpd domain sl.building.local interface Lan
dhcpd enable Lan
!
dhcpd address 192.168.249.20-192.168.249.250 Conf
dhcpd dns 208.67.222.222 208.67.220.220 interface Conf
dhcpd ping_timeout 100 interface Conf
dhcpd domain conf.sl.building.local interface Conf
dhcpd enable Conf
!
dhcpd address 192.168.250.19-192.168.250.29 Vlan101
dhcpd dns 208.67.222.222 208.67.220.220 interface Vlan101
dhcpd domain building.local interface Vlan101
dhcpd enable Vlan101
!
dhcpd address 192.168.250.50-192.168.250.60 Vlan103
dhcpd dns 208.67.222.222 208.67.220.220 interface Vlan103
dhcpd domain building.local interface Vlan103
dhcpd enable Vlan103
!
dhcpd address 192.168.1.200-192.168.1.254 Sci
dhcpd dns 8.8.8.8 8.8.4.4 interface Sci
dhcpd domain scintel.sl.building.local interface Sci
dhcpd enable Sci
!
dhcpd address 192.168.17.5-192.168.17.14 Global
dhcpd dns 208.67.222.222 208.67.220.220 interface Global
dhcpd domain gc.sl.building.local interface Global
dhcpd enable Global
!
dhcpd address 192.168.18.5-192.168.18.25 107
dhcpd dns 208.67.222.222 208.67.220.220 interface 107
dhcpd domain building.local interface 107
dhcpd enable 107
!
dhcpd address 192.168.19.20-192.168.19.200 Photo
dhcpd dns 208.67.222.222 208.67.220.220 interface Photo
dhcpd domain pa.sl.building.local interface Photo
dhcpd enable Photo
!
dhcpd address 192.168.21.10-192.168.21.250 enterprise
dhcpd dns 208.60.222.222 208.60.220.220 interface enterprise
dhcpd domain et.sl.building.local interface enterprise
dhcpd enable enterprise
!
dhcpd address 192.168.20.100-192.168.20.120 1st
dhcpd dns 208.67.222.222 208.67.220.220 interface 1st
dhcpd domain 1st.sl.ceocenters.local interface 1st
dhcpd enable 1st
!
dhcpd address 192.168.23.50-192.168.23.100 Richard
dhcpd dns 208.67.222.222 208.67.220.220 interface Richard
dhcpd domain richard.sl.building.local interface Richard
dhcpd enable Richard
!
dhcpd address 192.168.24.20-192.168.24.249 Expert
dhcpd dns 208.67.222.222 208.67.220.220 interface Expert
dhcpd domain eb.sl.building.local interface Expert
dhcpd enable Expert
!
dhcpd address 192.168.25.20-192.168.25.249 Hewitt
dhcpd dns 208.67.222.222 208.67.220.220 interface Hewitt
dhcpd domain hewitt.sl.building.local interface Hewitt
dhcpd enable Hewitt
!
dhcpd address 192.168.26.100-192.168.26.250 United
dhcpd dns 208.67.222.222 208.67.220.220 interface United
dhcpd domain 125.sl.building.local interface United
dhcpd enable United
!
dhcpd address 192.168.22.10-192.168.22.250 208
dhcpd dns 208.67.222.222 208.67.220.220 interface 208
dhcpd domain 208.sl.building.local interface 208
dhcpd enable 208
!
dhcpd address 192.168.10.50-192.168.10.200 ShoreTel
dhcpd dns 8.8.8.8 8.8.4.4 interface ShoreTel
dhcpd domain voice.ceocenters.local interface ShoreTel
dhcpd option 42 ip 192.168.10.10 interface ShoreTel
dhcpd option 156 ascii ftpservers=192.168.10.10,country=1,language=1,layer2tagging=1,vlanid=33 interface ShoreTel
dhcpd enable ShoreTel
!
vpn load-balancing
 interface lbpublic 107
 interface lbprivate 107
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map type inspect im match-all MSN
 match protocol msn-im
class-map type inspect im match-all Yahoo
 match protocol yahoo-im
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect ftp FTP_Map
 parameters
  mask-banner
  mask-syst-reply
policy-map type inspect esmtp PreSet_ESMTP_Map
 parameters
  no mask-banner
 match sender-address length gt 320
  log
 match MIME filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
policy-map type inspect im Instant-Message-Inspection
 parameters
 class MSN
  log
 class Yahoo
  log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect im Instant-Message-Inspection
  inspect pptp
  inspect icmp
policy-map type inspect h323 h323_Map
 parameters
policy-map type inspect netbios NetBios_Map
 parameters
  protocol-violation action drop log
policy-map type inspect http Http_Inspect_Map
 description Http Inspect Map
 parameters
  protocol-violation action drop-connection
!
service-policy global_policy global
ntp server 74.53.198.146 source wan
ntp server 209.132.176.4 source wan
ntp server 24.20.30.232 source wan
tftp-server management 192.168.2.10 asa/ceo_config
group-policy Cyexx_Support internal
group-policy Cyexx_Support attributes
 dns-server value 208.67.222.222 208.67.220.220
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_Lan_Access
 default-domain value building.local
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy Cyexx_Support
tunnel-group Cyexx_Support type remote-access
tunnel-group Cyexx_Support general-attributes
 address-pool Cyexx
 default-group-policy Cyexx_Support
tunnel-group Cyexx_Support ipsec-attributes
 pre-shared-key *
smtp-server 192.168.0.128
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:35c97da14358c38b96979620b6214d7f
: end
asdm image disk0:/asdm-602.bin
asdm history enable

********************************************************************************************
Log Dump from ASA

3|Dec 20 2014|18:29:13|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
4|Dec 20 2014|18:29:10|106023|169.130.96.216|209.000.000.66|Deny icmp src wan:169.130.96.216 dst Lan:209.000.000.66 (type 3, code 0) by access-group "wan_access_in" [0x0, 0x0]
4|Dec 20 2014|18:29:10|106023|169.130.96.216|209.000.000.66|Deny icmp src wan:169.130.96.216 dst Lan:209.000.000.66 (type 3, code 0) by access-group "wan_access_in" [0x0, 0x0]
3|Dec 20 2014|18:29:08|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:29:03|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:58|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:57|305006|192.168.1.253||portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:57|305006|192.168.1.253||portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:53|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:48|305006|192.168.1.253||portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:48|305006|192.168.1.253||portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:48|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:43|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
4|Dec 20 2014|18:28:39|106023|169.130.96.216|209.000.000.66|Deny icmp src wan:169.130.96.216 dst Sci:209.000.000.66 (type 3, code 0) by access-group "wan_access_in" [0x0, 0x0]
3|Dec 20 2014|18:28:38|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:37|305006|192.168.1.253||portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:37|305006|192.168.1.253||portmap translation creation failed for udp src Lan:192.168.0.57/55086 dst Sci:192.168.1.253/161
3|Dec 20 2014|18:28:33|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:28|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:23|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:18|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:13|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
3|Dec 20 2014|18:28:08|305006|192.168.10.10||portmap translation creation failed for icmp src Lan:192.168.0.83 dst ShoreTel:192.168.10.10 (type 8, code 0)
Question by: cyexx
Accepted Solution by: benhanson
What kind of switches do you have attached to the ASA?  Is the ASA the only router you have, if not what other routers?

Can you post the output of "show route"?
Author Comment by: cyexx
Switches are Dell managed switches and are connected to the ASA via trunk connections.

Fiber provider inbound to the ASA, which is the only configured router; the switches are linked behind the ASA.

********************************************************************************************
Result of the command: "show route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 209.000.000.65 to network 0.0.0.0

C    192.168.25.0 255.255.255.0 is directly connected, Hewitt
C    192.168.24.0 255.255.255.0 is directly connected, Expert
C    192.168.10.0 255.255.255.0 is directly connected, ShoreTel
C    192.168.26.0 255.255.255.0 is directly connected, United
C    209.000.000.64 255.255.255.192 is directly connected, wan
C    192.168.21.0 255.255.255.0 is directly connected, enterprise
C    192.168.250.16 255.255.255.240 is directly connected, Vlan101
C    192.168.250.48 255.255.255.240 is directly connected, Vlan103
C    192.168.20.0 255.255.255.0 is directly connected, 1st
C    192.168.249.0 255.255.255.0 is directly connected, Conf
C    192.168.23.0 255.255.255.0 is directly connected, Richard
C    192.168.22.0 255.255.255.0 is directly connected, 208
C    192.168.0.0 255.255.255.0 is directly connected, Lan
C    192.168.17.0 255.255.255.240 is directly connected, Global
C    192.168.1.0 255.255.255.0 is directly connected, Sci
C    192.168.2.0 255.255.255.0 is directly connected, management
C    192.168.19.0 255.255.255.0 is directly connected, Photo
C    192.168.18.0 255.255.255.0 is directly connected, 107
S*   0.0.0.0 0.0.0.0 [1/0] via 209.000.000.65, wan
Expert Comment by: benhanson
How many clients on each VLAN?  Why so many VLANs?  Is there an actual security need for isolation?
Author Comment by: cyexx
Multi-tenant setup: we provide internet to multiple offices on the same floor, so different companies, and they have to be isolated. The old phone system was analog lines, but the new system is IP based, so all companies will need access to the software running on the ShoreTel phone system, which is in a VLAN of its own because of the custom FTP settings and such for phone booting.
Author Comment by: cyexx
I found a solution that would work, thanks for the help.

http://blog.braini.ac/?p=38

static (Lan,ShoreTel) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (ShoreTel,Lan) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
Author Closing Comment by: cyexx
I am giving you credit on this one for helping troubleshoot the issue, even though I found the solution outside.