Scott Milner
How do I allow multiple VLANs internet access on a Cisco ASA 5505?

Hello Experts!

I have a network built on SG-series switches from Cisco, running behind an ASA 5505 (ver 8.2).  I have some familiarity with the switches, but not much practical experience on the firewall.

The firewall and switches were working fine when the entire network was configured as a flat class C.  However, I've begun a project to move the routing to more core stack (SG500's) and add vlans to the network.

Currently, I have inter-vlan routing working on the network, but of course, no vlans can access the internet other than vlan 1, because I've yet to make any changes to the firewall.

I believe I understand the theory behind what I need to do... the new vlans would need to be incorporated into the NAT rules for traffic leaving the network, and routes would need to be created so the firewall knows what to do with return traffic bound for any of the new vlans.  However, I don't know exactly how to create these rules, and I'm hoping someone can offer some help.

As some background information...

'Current' network
vlan 1  -  192.168.2.x/24
network gateway (LAN-side IP of firewall)  -  192.168.2.3

'Desired' network
vlan 1  -  empty
vlan 10  -  Management  -  192.168.10.x/24, gateway 192.168.10.1 (SG500 IP)    **doesn't require internet access**
vlan 20  -  Data  -  192.168.2.x/24, gateway 192.168.2.1 (SG500 IP)    **requires internet access**
vlan 30  -  Telephony  -  192.168.30.x/24, gateway 192.168.30.1  (SG500 IP)  **requires internet access**
vlan 40  -  Secure Wireless  -  192.168.40.x/24, gateway 192.168.40.1 (SG500 IP)  **requires internet access**
vlan 200  -  Guest Wireless  -  192.168.200.x/24, gateway 192.168.200.1 (SG500 IP)  **requires internet access**


And here's my current ASA configuration.  There seems to be a bunch of 'stuff' here that we don't need, but I'm not strong enough in the firewalls to be confident enough to start removing code.

Another question... will the vlan numbers in the firewall need to be changed to accommodate the vlan numbering on my SG switches on my inside network?

JDASA# sh run
: Saved
:
ASA Version 8.2(4)
!
hostname JDASA
domain-name jd.local
enable password XXXXXX encrypted
passwd XXXXXX encrypted
names
name 192.168.2.40 EnterprisePortal-Inside description EP Inside
name XXX.XXX.XXX.XXX EnterprisePortal-Outside description Outside address assigned to JD-EP
name 192.168.2.30 JD-FS2-Inside description DHCP, Radius, File, Print
name 192.168.2.32 JD-FS1-Inside description AD, DNS
name 192.168.2.41 JD-DC1-Inside description AD, DNS
!
interface Ethernet0/0
 description WAN
 switchport access vlan 2
!
interface Ethernet0/1
 description LAN
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.240
!
boot system disk0:/asa822-k8.bin
boot system disk0:/asa834-k8.bin
boot system disk0:/asa824-k8.bin
ftp mode passive
clock timezone Central -6
dns domain-lookup inside
dns server-group DefaultDNS
 name-server JD-DC1-Inside
 name-server JD-FS1-Inside
 domain-name jd.local
access-list outside_in extended permit tcp any interface outside eq www
access-list outside_in extended permit tcp any interface outside eq smtp
access-list outside_in extended permit tcp any interface outside eq https
access-list outside_in extended permit tcp any interface outside eq 444
access-list outside_in extended permit tcp any interface outside eq 4125
access-list outside_in extended permit tcp any interface outside eq 3389
access-list outside_in extended permit tcp any interface outside eq pptp
access-list outside_in extended permit icmp any interface outside echo-reply
access-list outside_in extended permit icmp any interface outside source-quench
access-list outside_in extended permit icmp any interface outside unreachable
access-list outside_in extended permit icmp any interface outside time-exceeded
access-list outside_in extended permit udp any interface outside eq 6001
access-list outside_in extended permit udp any interface outside eq 6002
access-list outside_in extended permit udp any interface outside eq 6004
access-list NoNat extended permit ip 192.168.2.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list SplTunnel extended permit ip 192.168.2.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list NONAT_SSL_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list SSL_split-tunnel extended permit ip 192.168.2.0 255.255.255.0 192.168.99.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap errors
logging asdm informational
logging host inside 192.168.2.253
logging host inside JD-FS2-Inside
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSL_Client_Pool 192.168.99.200-192.168.99.216 mask 255.255.255.0
ip audit name outside_attack attack action alarm drop reset
ip audit interface outside outside_attack
ip audit attack action alarm drop reset
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-743.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT_SSL_VPN
nat (inside) 1 192.168.2.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.2.253 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4125 192.168.2.253 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.2.253 444 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.2.253 pptp netmask 255.255.255.255
static (inside,outside) tcp interface smtp JD-FS1-Inside smtp netmask 255.255.255.255
static (inside,outside) tcp interface www JD-FS1-Inside www netmask 255.255.255.255
static (inside,outside) udp interface 6001 JD-FS1-Inside 6001 netmask 255.255.255.255
static (inside,outside) udp interface 6002 JD-FS1-Inside 6002 netmask 255.255.255.255
static (inside,outside) udp interface 6004 JD-FS1-Inside 6004 netmask 255.255.255.255
static (inside,outside) tcp XXX.XXX.XXX.XXX 5058 192.168.2.38 www netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AuthRadius protocol radius
aaa-server AuthRadius (inside) host JD-FS2-Inside
 key *****
aaa authentication ssh console LOCAL
http server enable 65000
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside 192.168.2.43 community ***** udp-port 161
snmp-server location Server Room - Bldg1
snmp-server contact Scott
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 60 set transform-set myset
crypto map mymap 50 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=JDASA
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.jd.local
 subject-name CN=sslvpn.jd.local
 keypair sslvpnkey
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 2a33b655
  quit
crypto ca certificate chain localtrust
 certificate f0864a56
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 204.34.198.41 source outside
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-3.1.10010-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSL_Client_Policy internal
group-policy SSL_Client_Policy attributes
 dns-server value 192.168.2.32 192.168.2.41
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSL_split-tunnel
 default-domain value jd.local
 address-pools value SSL_Client_Pool
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default svc timeout 20
username Schneider password XXXXXX encrypted
username Schneider attributes
 service-type remote-access
username ScottT password XXXXXX encrypted
username BrianD password XXXXXX encrypted
username BrianD attributes
 service-type remote-access
username sr_1 password XXXXXX encrypted
username sr_1 attributes
 service-type remote-access
username TerryL password XXXXXX encrypted
username TerryL attributes
 service-type remote-access
username CassandraB password XXXXXX encrypted
username CassandraB attributes
 service-type remote-access
username Catherine password XXXXXX encrypted
username Catherine attributes
 service-type remote-access
username JimH password XXXXXX encrypted
username JimH attributes
 service-type remote-access
username rfsmart password XXXXXX encrypted
username rfsmart attributes
 service-type remote-access
username JoshLee password XXXXXX encrypted
username JoshLee attributes
 service-type remote-access
username tracyt password XXXXXX encrypted
username tracyt attributes
 vpn-tunnel-protocol svc
 service-type remote-access
username jason_sr password XXXXXX encrypted
username jason_sr attributes
 service-type remote-access
username RichB password XXXXXX encrypted
username ToddP password XXXXXX encrypted
username ToddP attributes
 service-type remote-access
username BillH password XXXXXX encrypted
username BillH attributes
 service-type remote-access
username amya password XXXXXX encrypted
username amya attributes
 vpn-tunnel-protocol svc
 service-type remote-access
username jtimblin password XXXXXX encrypted
username jtimblin attributes
 vpn-tunnel-protocol svc
 service-type remote-access
username jdhr password XXXXXX encrypted
username jdhr attributes
 vpn-tunnel-protocol svc
 service-type remote-access
username JeffS password XXXXXX encrypted
username JeffS attributes
 service-type remote-access
username na-smilner password XXXXXX encrypted privilege 15
username na-smilner attributes
 vpn-tunnel-protocol svc
 service-type remote-access
tunnel-group J&Duser type remote-access
tunnel-group WebVPN type remote-access
tunnel-group AnyConnectVPN type remote-access
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_Client_Profile type remote-access
tunnel-group SSL_Client_Profile general-attributes
 default-group-policy SSL_Client_Policy
tunnel-group SSL_Client_Profile webvpn-attributes
 group-alias SSL_VPN_Client enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 2048
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:35076af9e3edfaca4c4d40b9c29151b6
: end
JDASA#


Thanks in advance for any help you might be able to give.

sm
ASKER CERTIFIED SOLUTION
Garry Glendown
SOLUTION
Scott Milner (ASKER)

thanks to you both for responding!

Can either of you help me understand your nat statement?

Your statement reads nat (inside) 1 192.168.30.0 255.255.255.0.  What exactly is the 1 for?  

As I try to recreate the statement in the ASDM, I add a static NAT rule.  The wizard asks for the Original and Translated interfaces.  I'm assuming my original interface is inside, and the source is vlan30 (the 192.168.30.0 network).  The translated interface is then the outside interface, using its IP address?

Also, at the bottom of the Configuration>Firewall>NAT Rules page on the ASDM, I see that 'Enable traffic through the firewall without address translation' is checked.  Is this negating the nat rules that we are creating, or does it mean something different?

If I run the command 'show nat inside' from my CLI, I'm seeing 'Nat Exempt' after some of the rules...

JDASA# show nat inside
  match ip inside 192.168.2.0 255.255.255.0 inside 192.168.99.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.2.0 255.255.255.0 outside 192.168.99.0 255.255.255.0
    NAT exempt
    translate_hits = 60944, untranslate_hits = 580703
  match ip inside 192.168.2.0 255.255.255.0 dmz 192.168.99.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.2.0 255.255.255.0 _internal_loopback 192.168.99.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match tcp inside host JD-FS1-Inside eq 25 outside any
    static translation to 71.13.170.34/25
    translate_hits = 0, untranslate_hits = 3037
  match tcp inside host JD-FS1-Inside eq 80 outside any
    static translation to 71.13.170.34/80
    translate_hits = 319, untranslate_hits = 61510
  match udp inside host JD-FS1-Inside eq 6001 outside any
    static translation to 71.13.170.34/6001
    translate_hits = 0, untranslate_hits = 1
  match udp inside host JD-FS1-Inside eq 6002 outside any
    static translation to 71.13.170.34/6002
    translate_hits = 0, untranslate_hits = 0
  match udp inside host JD-FS1-Inside eq 6004 outside any
    static translation to 71.13.170.34/6004
    translate_hits = 0, untranslate_hits = 0
  match tcp inside host 192.168.2.38 eq 80 outside any
    static translation to 71.13.170.36/5058
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.2.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.2.0 255.255.255.0 outside any
    dynamic translation to pool 1 (71.13.170.34 [Interface PAT])
    translate_hits = 153745409, untranslate_hits = 18311376
  match ip inside 192.168.2.0 255.255.255.0 dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 50, untranslate_hits = 0
  match ip inside 192.168.2.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0


Sorry for so many questions... I have a lot to learn!  I'm just trying not to affect any other operations while making the changes.  The only real thing I worry about is our VPN connections (outside sales staff connect on-demand using AnyConnect).

I appreciate both of your help!

sm
The "1" indicates order of operation.  If it was a "0", that would mean "process this rule before rule number 1".
ah... got it.  Thanks!

Does the 'nat exempt' mean that the rules aren't being followed, or am I being too literal there?  :)
For traffic matching the exemption list, no NAT is going to be performed...
Thank you both... I'm able to access the internet from the other vlans now.

sm
Thanks again for your responses, and your patience with my questions!
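The changes this thread arrives at (routes for return traffic, PAT for the VLANs that need internet, NAT exemption so AnyConnect keeps working), written out as an added example in ASA 8.2 (pre-8.3) syntax. It is not the members-only solution text or the asker's final config; it assumes the SG500's 192.168.2.1 is the next hop for every inside VLAN and reuses the ACL and NAT ID names already present in the posted configuration.

```cisco
! Added example (not from the hidden answers). ASA 5505 running 8.2, inside
! interface stays Vlan1 / 192.168.2.3, SG500 stack routes between VLANs and is
! reachable at 192.168.2.1. The ASA's own Vlan1/Vlan2 numbers are local to its
! built-in switch and need no change as long as Ethernet0/1 stays an untagged
! link into the SG500's VLAN 20.
!
! 1. Return-path routes. The ASA only knows 192.168.2.0/24 as connected; every
!    other inside subnet must be pointed at the SG500 or replies are dropped.
!    VLAN 10 gets a route so logging/SNMP/ASDM still work if management hosts
!    move there, but it gets NO nat statement below (no internet access).
route inside 192.168.10.0 255.255.255.0 192.168.2.1 1
route inside 192.168.30.0 255.255.255.0 192.168.2.1 1
route inside 192.168.40.0 255.255.255.0 192.168.2.1 1
route inside 192.168.200.0 255.255.255.0 192.168.2.1 1
!
! 2. Outbound PAT. The "1" is the NAT ID: it pairs each nat statement with
!    "global (outside) 1 interface" already in the config, it is not a
!    sequence number. 192.168.2.0/24 (now VLAN 20) is already covered by the
!    existing "nat (inside) 1 192.168.2.0 255.255.255.0".
nat (inside) 1 192.168.30.0 255.255.255.0
nat (inside) 1 192.168.40.0 255.255.255.0
nat (inside) 1 192.168.200.0 255.255.255.0
!
! 3. NAT exemption for the SSL VPN pool (192.168.99.0/24). NAT ID 0 with an
!    access-list is identity NAT, which is what "NAT exempt" in "show nat"
!    means. Only one "nat (inside) 0 access-list" is allowed, so new entries
!    go into the same NONAT_SSL_VPN list; without them, replies from the new
!    VLANs to VPN clients match the dynamic PAT rules above (destination any).
access-list NONAT_SSL_VPN extended permit ip 192.168.30.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list NONAT_SSL_VPN extended permit ip 192.168.40.0 255.255.255.0 192.168.99.0 255.255.255.0
! The split-tunnel list tells AnyConnect which destinations go through the
! tunnel, so the new VLANs must be listed there as well.
access-list SSL_split-tunnel extended permit ip 192.168.30.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list SSL_split-tunnel extended permit ip 192.168.40.0 255.255.255.0 192.168.99.0 255.255.255.0
!
! Caveat: with the default "no nat-control", VLAN 10 packets to the internet
! are not blocked by the missing nat entry, they leave untranslated with a
! private source and die upstream. If they must never leave at all, add an
! inside access-list denying 192.168.10.0/24 to the outside.
!
! Verify with: show route, show nat inside, show xlate
```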