ASA PAT into internal from secondary outside IP address

Answered Question
May 25th, 2010

I'm running into problems configuring port address translation / forwarding from outside into the internal network. What I have is an ASA 5510 running on static address xx.xx.xx.38, and everything is working perfectly OK from inside to outside. I also have a few VPN connections spun off of it to remote offices. What I'm trying to do now is to direct SMTP and 5900 for VNC into the internal network on spare public IP addresses that I have.

Following are the commands I have added to the config, which in theory should work, but I'm getting policy denied when I do a packet trace:

access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq smtp
access-list Outside-in extended permit tcp any host xx.xx.xx.36 eq 5900
static (inside,outside) xx.xx.xx.37 192.168.2.12 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.36 192.168.2.13 netmask 255.255.255.255
access-group Outside-in in interface outside

Looking for any help.

Jennifer Halim Wed, 05/26/2010 - 03:00

The configuration should work.

1) Did you "clear xlate" after the configuration change?

2) Also double check if proxy arp is enabled on the ASA outside interface. Just configure "no sysopt noproxyarp outside".

3) Either reload the next hop router, or if you have access, "clear arp", and just make sure that the next hop router has the 2 public IP addresses with the ASA outside interface MAC address in the ARP entry.

Hope that helps.

jerrykomor Wed, 05/26/2010 - 11:47

Thank you for your answer, however this does not work for me. I had some issues in the past where I had to restart the ASA, which I have done, and I have also done a reload on it and cleared the xlate table.

To add, the ASA is Internet facing, so there should be no issue with routing/getting those IPs to the ASA.

Why is it that theory does not apply to practice?

Jennifer Halim Thu, 05/27/2010 - 04:34

Seems like you have reloaded the ASA. Have you reloaded or cleared the ARP table on the next hop router?

Most times, it's the ARP entry on the router which is missing for those new IP addresses that you have added to the ASA static translation, or some other device might proxy ARP those IP addresses. Best thing is to check the next hop router if you have access. I am assuming that the 2 new IP addresses that you have created on the ASA, the ASA outside interface and the next hop router are in the same subnet. What subnet and mask are they?

jerrykomor Fri, 05/28/2010 - 01:06

The ASA is Internet facing on the public interface, with a router/modem between us and the ISP.

Following is the current config running on the ASA; there is some junk in it that I need to clean up, and most likely the cause of my problem.

: Saved
:
ASA Version 8.0(2)
!
hostname portal
domain-name company.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 206.47.255.38 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.10.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10
management-only
!
passwd NuLKvvWGg.x9HEKO encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.11
domain-name company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Finch
network-object 192.168.1.0 255.255.255.0
object-group network Midland
network-object 192.168.2.0 255.255.255.0
object-group network Sheppard
network-object 192.168.0.0 255.255.255.0
object-group network Downtown
network-object 192.168.3.0 255.255.255.0
object-group network ISAPYork
network-object 192.168.7.0 255.255.255.0
object-group network Markham
network-object 192.168.5.0 255.255.255.0
object-group network Woodside
network-object 192.168.6.0 255.255.255.0
object-group network York_region
network-object 192.168.4.0 255.255.255.0
object-group service Exchange tcp
description 5900
port-object range 3389 3389
port-object range https https
port-object range 5900 5900
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network CICS-network
network-object 192.168.2.0 255.255.255.0
group-object Downtown
group-object Finch
group-object ISAPYork
group-object Markham
group-object Midland
group-object Sheppard
group-object Woodside
group-object York_region
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit tcp host 192.168.2.12 eq smtp any eq smtp inactive
access-list inside_access_out extended deny tcp object-group CICS-network eq smtp any eq smtp inactive
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 192.168.2.0 255.255.255.0 object-group Sheppard
access-list outside_100_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group York_region
access-list outside_cryptomap_160 extended permit ip 192.168.2.0 255.255.255.0 object-group Finch
access-list outside_cryptomap_140 extended permit ip 192.168.2.0 255.255.255.0 object-group Woodside
access-list outside_180_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list outside_200_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Markham
access-list outside_220_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Downtown
access-list Outside-in extended permit tcp any host 206.47.255.36 eq smtp
access-list Outside-in extended permit tcp any host 206.47.255.37 eq https
access-list Outside-in extended permit tcp any host 206.47.255.37 eq 3389
access-list Outside-in extended permit tcp any host 206.47.255.37 eq 5900
access-list Mail_in extended permit tcp any host 206.47.255.36 eq smtp
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any host 192.168.2.12 object-group Exchange
pager lines 24
logging enable
logging list VPNnotification level emergencies class vpn
logging asdm informational
logging mail VPNnotification
logging from-address [email protected]
logging rate-limit unlimited level 1
logging rate-limit 1 3600 level 4
logging rate-limit 1 3600 level 5
logging rate-limit 1 3600 level 6
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) 206.47.255.37 192.168.2.12 netmask 255.255.255.255
static (inside,outside) 206.47.255.36 192.168.2.13 netmask 255.255.255.255
access-group Outside-in in interface outside
access-group Inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server location 123 abc.blvd
snmp-server contact user 1
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer xx.xx.xx.xx
crypto map outside_map 60 set transform-set ESP-DES-SHA
crypto map outside_map 80 match address outside_220_cryptomap
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer xx.xx.xx.xx
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set pfs
crypto map outside_map 100 set peer xx.xx.xx.xx
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 120 match address outside_200_cryptomap
crypto map outside_map 120 set pfs
crypto map outside_map 120 set peer xx.xx.xx.xx
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer xx.xx.xx.xx
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set pfs
crypto map outside_map 160 set peer xx.xx.xx.xx
crypto map outside_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 180 match address outside_180_cryptomap
crypto map outside_map 180 set pfs
crypto map outside_map 180 set peer xx.xx.xx.xx
crypto map outside_map 180 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access inside
vpdn username user@bellnet.ca password ********* store-local
dhcpd dns 192.168.2.11
dhcpd domain company.com
!
dhcpd dns 192.168.2.11 interface inside
dhcpd domain cicscanada.com interface inside
!
dhcpd address 192.168.100.10-192.168.100.254 management
dhcpd dns 192.168.2.11 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
!
webvpn
csd image disk0:/securedesktop_asa_3_2_0_123.pkg.zip
csd enable
svc enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
nem enable
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
  svc dpd-interval client none
  svc dpd-interval gateway none
username admin password fAWUsRGXQYXX5p7B encrypted privilege 15
username root password RZOKkycYJJ6gKIFQ encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 70.55.231.5 type ipsec-l2l
tunnel-group 70.55.231.5 ipsec-attributes
pre-shared-key *
tunnel-group York_region type ipsec-l2l
tunnel-group York_region ipsec-attributes
pre-shared-key *
tunnel-group 174.88.240.25 type ipsec-l2l
tunnel-group 174.88.240.25 ipsec-attributes
pre-shared-key *
tunnel-group Woodside type ipsec-l2l
tunnel-group Woodside ipsec-attributes
pre-shared-key *
tunnel-group ISAP_York type ipsec-l2l
tunnel-group ISAP_York ipsec-attributes
pre-shared-key *
tunnel-group Markham type ipsec-l2l
tunnel-group Markham ipsec-attributes
pre-shared-key *
tunnel-group Downtown type ipsec-l2l
tunnel-group Downtown ipsec-attributes
pre-shared-key *
smtp-server 192.168.2.12
prompt hostname context state
Cryptochecksum:8485da6859c007e127209c4232785189
: end

Correct Answer
Jennifer Halim Fri, 05/28/2010 - 02:35

Pls remove this line: access-group inside_access_out out interface inside

Test the connection again, and if it still doesn't work, please share the output of the following:

show access-list Outside-in

prior to the connection test, and test a few connections and grab the output again. Thx.

jerrykomor Mon, 05/31/2010 - 13:27

Thank you very much, that seems to have done the trick.

Now I just need to verify why my SMTP server is not responding, but at least I have an inbound connection.

BTW, following is the response from show access-list Outside-in:

access-list Outside-in; 5 elements
access-list Outside-in line 1 extended permit tcp any host xx.xx.xx.36 eq smtp (hitcnt=10) 0x8eb06c52
access-list Outside-in line 2 extended permit tcp any host xx.xx.xx.37 eq https (hitcnt=4) 0x652492b3
access-list Outside-in line 3 extended permit tcp any host xx.xx.xx.37 eq 3389 (hitcnt=6) 0xdf66183
access-list Outside-in line 4 extended permit tcp any host xx.xx.xx.37 eq 5900 (hitcnt=4) 0x201c689
access-list Outside-in line 5 extended permit ip any any (hitcnt=32315) 0x8b61bb38
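A small lint script for the pre-8.3 ASA static/ACL pattern discussed in this thread, added here as an example; it is not part of the original posts nor a Cisco tool. It parses the "static", "access-list", "access-group" and "sysopt noproxyarp" lines and reports the conditions the replies above turn on (an ACL applied "out" on the inside interface, a mapped address with no inbound permit, proxy ARP disabled on the outside interface) plus an active "permit ip any any" in the outside ACL, and it reads hit counts out of "show access-list" output. The sample config and show output are constructed from lines quoted in the thread (an extra static 206.47.255.35 -> 192.168.2.14 is added to show a mapping with no ACL entry); the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the config quoted in this thread (hostnames,
# passwords and unrelated VPN lines omitted; 206.47.255.35 -> .14 is an extra
# static added to show a mapping with no matching ACL entry).
SAMPLE_CONFIG = """\
access-list Outside-in extended permit tcp any host 206.47.255.36 eq smtp
access-list Outside-in extended permit tcp any host 206.47.255.37 eq https
access-list Outside-in extended permit tcp any host 206.47.255.37 eq 3389
access-list Outside-in extended permit tcp any host 206.47.255.37 eq 5900
access-list Outside-in extended permit ip any any inactive
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 any
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) 206.47.255.37 192.168.2.12 netmask 255.255.255.255
static (inside,outside) 206.47.255.36 192.168.2.13 netmask 255.255.255.255
static (inside,outside) 206.47.255.35 192.168.2.14 netmask 255.255.255.255
sysopt noproxyarp outside
access-group Outside-in in interface outside
access-group inside_access_out out interface inside
"""

# Constructed from the 'show access-list Outside-in' output posted above.
SAMPLE_SHOW_ACL = """\
access-list Outside-in; 5 elements
access-list Outside-in line 1 extended permit tcp any host xx.xx.xx.36 eq smtp (hitcnt=10) 0x8eb06c52
access-list Outside-in line 2 extended permit tcp any host xx.xx.xx.37 eq https (hitcnt=4) 0x652492b3
access-list Outside-in line 3 extended permit tcp any host xx.xx.xx.37 eq 3389 (hitcnt=6) 0xdf66183
access-list Outside-in line 4 extended permit tcp any host xx.xx.xx.37 eq 5900 (hitcnt=4) 0x201c689
access-list Outside-in line 5 extended permit ip any any (hitcnt=32315) 0x8b61bb38
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+?)(?: (inactive))?$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
NOPROXYARP_RE = re.compile(r"^sysopt noproxyarp (\S+)")
SHOW_RE = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (.+?) \(hitcnt=(\d+)\)")


def parse_config(text):
    """Pull statics, ACL entries, access-group bindings and noproxyarp interfaces."""
    statics, acls, groups, noproxyarp = [], defaultdict(list), [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            # pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip
            statics.append({"real_if": m[1], "mapped_if": m[2], "mapped": m[3], "real": m[4]})
        elif m := ACL_RE.match(line):
            acls[m[1]].append({"action": m[2], "proto": m[3], "rest": m[4], "inactive": bool(m[5])})
        elif m := GROUP_RE.match(line):
            groups.append({"acl": m[1], "direction": m[2], "interface": m[3]})
        elif m := NOPROXYARP_RE.match(line):
            noproxyarp.add(m[1])
    return statics, acls, groups, noproxyarp


def lint(text):
    """Return a list of findings about inbound static translations."""
    statics, acls, groups, noproxyarp = parse_config(text)
    inbound = {g["interface"]: g["acl"] for g in groups if g["direction"] == "in"}
    findings = []
    for g in groups:
        if g["direction"] == "out":
            findings.append(f"ACL {g['acl']} is applied 'out' on {g['interface']}: it also filters "
                            f"traffic entering from other interfaces toward {g['interface']} hosts")
    for s in statics:
        acl = inbound.get(s["mapped_if"], "")
        permits = [e for e in acls[acl] if e["action"] == "permit" and not e["inactive"]
                   and (f"host {s['mapped']}" in e["rest"] or e["rest"] == "any any")]
        if not permits:
            findings.append(f"static {s['mapped']} -> {s['real']}: no active permit in the "
                            f"inbound ACL on {s['mapped_if']}")
        if s["mapped_if"] in noproxyarp:
            findings.append(f"static {s['mapped']}: proxy ARP is disabled on {s['mapped_if']}, "
                            "so the next-hop router cannot resolve the mapped address")
    for iface, acl in inbound.items():
        for e in acls[acl]:
            if e["action"] == "permit" and e["proto"] == "ip" and e["rest"] == "any any" and not e["inactive"]:
                findings.append(f"ACL {acl} on {iface}: active 'permit ip any any' opens every static on all ports")
    return findings


def parse_hitcounts(text):
    """Map ACL line number -> (rule text, hitcnt) from 'show access-list' output."""
    return {int(m[2]): (f"{m[3]} {m[4]}", int(m[5]))
            for raw in text.splitlines() if (m := SHOW_RE.match(raw.strip()))}


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("finding:", f)
    for n, (rule, hits) in parse_hitcounts(SAMPLE_SHOW_ACL).items():
        print(f"line {n}: {hits:>6} hits  {rule}")
```

Run it against a saved "show running-config" and the "show access-list" output taken before and after a test connection; a rule whose hit count does not move during the test is not the one handling that flow.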

jerrykomor Mon, 05/31/2010 - 21:29

OK, small problem.

After removing the policy I seem to have lost all of my site-to-site VPN connections. Even though the solution works for my PAT situation, it does not work for both PAT/NAT and VPN.

Is there a workaround to have both NAT and VPN running?

Correct Answer
Jennifer Halim Tue, 06/01/2010 - 01:31

Not too sure what you mean by removing the policy, as we remove the outbound access-list applied to the inside interface, not the NAT/PAT access-list.

Can you please share the latest configuration as well as what exactly was removed?

jerrykomor Tue, 06/01/2010 - 07:46

Sorry, my mistake, I meant the access list, not the policy. I'm going back and forth between GUI and CLI as some things are more logical to 'me' in GUI and some in CLI.

Anyway, when I removed the access-list I lost the VPN connection to all of my 7 remote offices. All entries in CLI are there; however, when I look through the GUI there is no trace of any of them. They are not related in any way, at least to what I see, or maybe I do not have enough caffeine.

Following is the current config as of when the access list was removed:

: Saved
:
ASA Version 7.2(2)
!
hostname portal
domain-name company.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xx.xx.xx.38 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
nameif DMZ
security-level 10
ip address 172.16.10.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
ospf cost 10
management-only
!
passwd NuLKvvWGg.x9HEKO encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.11
domain-name company.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Finch
network-object 192.168.1.0 255.255.255.0
object-group network Midland
network-object 192.168.2.0 255.255.255.0
object-group network Sheppard
network-object 192.168.0.0 255.255.255.0
object-group network Downtown
network-object 192.168.3.0 255.255.255.0
object-group network ISAPYork
network-object 192.168.7.0 255.255.255.0
object-group network Markham
network-object 192.168.5.0 255.255.255.0
object-group network Woodside
network-object 192.168.6.0 255.255.255.0
object-group network York_region
network-object 192.168.4.0 255.255.255.0
object-group service Exchange tcp
description 5900
port-object range 3389 3389
port-object range https https
port-object range 5900 5900
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network internal-network
network-object 192.168.2.0 255.255.255.0
group-object Downtown
group-object Finch
group-object ISAPYork
group-object Markham
group-object Midland
group-object Sheppard
group-object Woodside
group-object York_region
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Downtown
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Finch
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Markham
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Sheppard
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group Woodside
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit icmp 192.168.2.0 255.255.255.0 object-group York_region
access-list inside_access_out extended permit tcp host 192.168.2.13 eq smtp any eq smtp inactive
access-list inside_access_out extended permit tcp object-group CICS-network eq smtp any eq smtp inactive
access-list inside_access_out extended deny tcp object-group CICS-network eq smtp any eq smtp inactive
access-list inside_access_out extended permit tcp 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit udp 192.168.2.0 255.255.255.0 any
access-list inside_access_out extended permit tcp host 192.168.2.12 eq smtp any eq smtp inactive
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_60 extended permit ip 192.168.2.0 255.255.255.0 object-group Sheppard
access-list outside_100_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group York_region
access-list outside_cryptomap_160 extended permit ip 192.168.2.0 255.255.255.0 object-group Finch
access-list outside_cryptomap_140 extended permit ip 192.168.2.0 255.255.255.0 object-group Woodside
access-list outside_180_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group ISAPYork
access-list outside_200_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Markham
access-list outside_220_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object-group Downtown
access-list Outside-in extended permit tcp any host xx.xx.xx.36 eq smtp
access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq https
access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq 3389
access-list Outside-in extended permit tcp any host xx.xx.xx.37 eq 5900
access-list Outside-in extended permit ip any any inactive
access-list DMZ_access_in extended permit ip any any
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any host 192.168.2.12 object-group Exchange
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging list VPNnotification level emergencies class vpn
logging asdm informational
logging mail VPNnotification
logging from-address [email protected]
logging rate-limit unlimited level 1
logging rate-limit 1 3600 level 4
logging rate-limit 1 3600 level 5
logging rate-limit 1 3600 level 6
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.2.0 255.255.255.0
static (inside,outside) xx.xx.xx.37 192.168.2.12 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.36 192.168.2.13 netmask 255.255.255.255
access-group Outside-in in interface outside
access-group Inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem enable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username admin password fAWUsRGXQYXX5p7B encrypted privilege 15
username root password RZOKkycYJJ6gKIFQ encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 management
snmp-server location 2330 Midland Ave
snmp-server contact Ricky
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 70.31.154.92
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs
crypto map outside_map 60 set peer 70.55.231.5
crypto map outside_map 60 set transform-set ESP-DES-SHA
crypto map outside_map 80 match address outside_220_cryptomap
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 76.64.36.231
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set pfs
crypto map outside_map 100 set peer 70.25.52.11
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 120 match address outside_200_cryptomap
crypto map outside_map 120 set pfs
crypto map outside_map 120 set peer 74.15.90.106
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set pfs
crypto map outside_map 140 set peer 74.23.23.22
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set pfs
crypto map outside_map 160 set peer 70.31.154.92
crypto map outside_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 180 match address outside_180_cryptomap
crypto map outside_map 180 set pfs
crypto map outside_map 180 set peer 70.52.239.153
crypto map outside_map 180 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 70.55.231.5 type ipsec-l2l
tunnel-group 70.55.231.5 ipsec-attributes
pre-shared-key *
tunnel-group York_region type ipsec-l2l
tunnel-group York_region ipsec-attributes
pre-shared-key *
tunnel-group 174.88.240.25 type ipsec-l2l
tunnel-group 174.88.240.25 ipsec-attributes
pre-shared-key *
tunnel-group Woodside type ipsec-l2l
tunnel-group Woodside ipsec-attributes
pre-shared-key *
tunnel-group ISAP_York type ipsec-l2l
tunnel-group ISAP_York ipsec-attributes
pre-shared-key *
tunnel-group Markham type ipsec-l2l
tunnel-group Markham ipsec-attributes
pre-shared-key *
tunnel-group Downtown type ipsec-l2l
tunnel-group Downtown ipsec-attributes
pre-shared-key *
tunnel-group Finch type ipsec-l2l
tunnel-group Finch ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
console timeout 0
management-access inside
vpdn username [email protected] password ********* store-local
dhcpd dns 192.168.2.11
dhcpd domain company.com
!
dhcpd dns 192.168.2.11 67.69.184.199 interface inside
dhcpd domain cicscanada.com interface inside
!
dhcpd address 192.168.100.10-192.168.100.254 management
dhcpd dns 192.168.2.11 interface management
dhcpd enable management
!
!
!
webvpn
csd image disk0:/securedesktop_asa_3_2_0_123.pkg.zip
csd enable
svc enable
smtp-server 192.168.2.12
prompt hostname context state
Cryptochecksum:ec61d1ccd17e8d38382dffc911746988
: end

Jennifer Halim Wed, 06/02/2010 - 02:18

Hi Jerry,

One thing that I found is somehow you have downgraded the ASA from version 8.0.2 to 7.2.2 as the latest configuration that you posted says it is running version 7.2.2 now. You might want to upgrade it back to 8.0.2 at least.

In regards to the VPN, I don't see any reason why all the 7 sites would not connect as the configuration looks OK.

You might want to add: crypto isakmp nat-traversal 25, in case there is a PAT device between the tunnel endpoints.

I would suggest that you re-upgrade it back to 8.0.2, then check if the VPN tunnels come back up. If not, you might want to get the following:

show crypto isa sa

show crypto ipsec sa

Hope that helps.
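
The check behind "the configuration looks OK" can be scripted. What follows is an added example, not code from this thread or from Cisco: a small Python audit that reads an ASA running-config (a constructed subset of the crypto map and tunnel-group lines posted above is embedded as the sample) and reports which crypto map peers have a tunnel-group of their own, which peers will fall back to DefaultL2LGroup during IKE phase 1 and whether that group actually carries a pre-shared key, which L2L tunnel-groups are not selected by any peer address, and which peers appear in more than one crypto map entry. Applied to the full configuration above, it shows that only 70.55.231.5 has a tunnel-group named after its address; the other six peers rely on the DefaultL2LGroup pre-shared key, and the groups 174.88.240.25, York_region, Woodside, ISAP_York, Markham, Downtown and Finch are not selected by any crypto map peer address.

```python
"""Cross-check crypto map peers against tunnel-groups in a pasted ASA running-config."""
import re

# Constructed sample: a subset of the configuration lines posted earlier in this thread.
SAMPLE_CONFIG = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 70.31.154.92
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 70.55.231.5
crypto map outside_map 60 set transform-set ESP-DES-SHA
crypto map outside_map 160 match address outside_cryptomap_160
crypto map outside_map 160 set peer 70.31.154.92
crypto map outside_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 70.55.231.5 type ipsec-l2l
tunnel-group 70.55.231.5 ipsec-attributes
 pre-shared-key *
tunnel-group York_region type ipsec-l2l
tunnel-group York_region ipsec-attributes
 pre-shared-key *
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
PSK_RE = re.compile(r"^pre-shared-key\b")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse(config_text):
    """Collect crypto map peers, L2L tunnel-group names and the groups that carry a PSK."""
    peers = {}            # peer address -> [(crypto map name, sequence number), ...]
    l2l_groups = set()    # names declared with 'type ipsec-l2l'
    groups_with_psk = set()
    current_group = None  # most recent 'tunnel-group X ipsec-attributes' header
    for raw in config_text.splitlines():
        line = raw.strip()  # forum pastes often lose the indentation of sub-commands
        m = PEER_RE.match(line)
        if m:
            peers.setdefault(m.group(3), []).append((m.group(1), int(m.group(2))))
            continue
        m = L2L_RE.match(line)
        if m:
            l2l_groups.add(m.group(1))
            continue
        m = ATTR_RE.match(line)
        if m:
            current_group = m.group(1)
            continue
        if current_group and PSK_RE.match(line):
            groups_with_psk.add(current_group)
    return peers, l2l_groups, groups_with_psk


def audit(config_text):
    """Return the checks a reviewer makes before declaring an L2L configuration 'looks OK'."""
    peers, l2l_groups, groups_with_psk = parse(config_text)
    return {
        # peers matched by a tunnel-group named after their address
        "peers_with_own_group": sorted(p for p in peers if p in l2l_groups),
        # peers with no group of their own fall back to DefaultL2LGroup in phase 1
        "peers_using_default_group": sorted(p for p in peers if p not in l2l_groups),
        "default_group_has_psk": "DefaultL2LGroup" in groups_with_psk,
        # L2L groups keyed by a name: not selected by any crypto map peer address
        "named_groups_without_peer": sorted(g for g in l2l_groups if not IPV4_RE.match(g)),
        # address-keyed groups that no crypto map entry points at
        "ip_groups_without_peer": sorted(
            g for g in l2l_groups if IPV4_RE.match(g) and g not in peers),
        # same peer in several entries: check the ACLs do not overlap, lower sequence wins
        "peers_in_multiple_entries": sorted(p for p, e in peers.items() if len(e) > 1),
        # a per-peer group with no pre-shared-key cannot complete PSK-authenticated phase 1
        "peer_groups_without_psk": sorted(
            p for p in peers if p in l2l_groups and p not in groups_with_psk),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check:28} {result}")
```

To run it against a real box, replace SAMPLE_CONFIG with the output of `show running-config` (the `*` in place of each pre-shared key is exactly what the ASA prints, so the script never sees key material). A peer in `peers_using_default_group` with `default_group_has_psk` false, or a peer in `peer_groups_without_psk`, is the kind of gap that leaves `show crypto isakmp sa` empty for that site.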

jerrykomor Wed, 06/09/2010 - 23:34

I hate leaving things hanging. Nevertheless, I got the box running. There was a reason for going back to 7.2.2 which at this time I really do not want to say.

Anyway, I originally had it running with 8.0 and after the access-list was removed all the VPN policies had disappeared, and some of the tunnels through the GUI, but the funny part was that through the CLI everything was there, as the OS was skipping some of the config. Once found, I figured I would try going back to 7.2.2 and see if the VPN would come back (not the reason for going back) and they were still not kicking in.

In the end what I had done was to clean up the config through the CLI for all the VPN config and policies and re-enter them. It's been a week now and everything is still running. I got my 7 tunnels up and running along with my NAT/PAT to internal servers. Though one of the tunnels for some reason keeps dropping off and coming back online once I try reaching something on the other end, but that's another item to fix.

To end this thread, a big thank you for your help and pointers, halijenn.
