NAT/Firewall Issue

Answered Question
Jun 27th, 2010
I have two internet connections on my Cisco ASA, int eth 0/0 and int eth 0/3.
The IP on int eth 0/0, 139.130.1.206, is pingable, and this IP is NATted to our server 192.168.80.7; we can RDP to this server from the internet.

We need to terminate RDP/NAT access on the int eth 0/3 link, which is a PPPoE link. I added a new firewall rule and static NAT rule, but we cannot ping the PPPoE IP address or RDP to our server from this IP address (202.7.215.118).

Can someone advise what command I missed:
aurecsyd/surec.com.au# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname aurecsyd
domain-name surec.com.au
enable password szSEFtlV2mjLR77c encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.80.10 SBS_Server
name 192.168.80.7 Terminal_Server
name 192.168.12.0 AurecCanberra
name 192.168.13.0 AurecSingapore
name 192.168.14.0 AurecMelbourne
name 192.168.15.0 AurecHongKong
name 202.7.215.0 tpg
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 139.130.1.206 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.80.254 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif outside_2
security-level 0
no ip address
!
interface Ethernet0/3
nameif outside_3
security-level 0
pppoe client vpdn group TPG
ip address pppoe
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.10 255.255.255.128
management-only
!
regex domainlist1 "\.worldofwarcraft\.com"
regex domianlist2 "\.wow\.com"
regex domainlist3 "\.facebook\.com"
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name surec.com.au
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq 4125
port-object eq www
port-object eq https
port-object eq smtp
port-object eq ftp
port-object eq ftp-data
port-object eq 993
object-group network DM_INLINE_NETWORK_1
network-object AurecCanberra 255.255.255.0
network-object AurecSingapore 255.255.255.0
network-object AurecMelbourne 255.255.255.0
network-object AurecHongKong 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service HTTP
service-object tcp eq www
object-group service DM_INLINE_TCP_2 tcp
port-object eq 3389
port-object eq 4125
port-object eq 993
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq smtp
access-list inside_access_in extended permit object-group TCPUDP host SBS_Server any eq domain log disable
access-list inside_access_in extended deny tcp any any eq domain log disable
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp host SBS_Server any eq smtp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1 log disable
access-list inside_access_in extended permit gre any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_in extended permit ip any 139.130.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 139.130.1.206 object-group DM_INLINE_TCP_1 log disable
access-list outside_access_in extended permit tcp any any eq 444
access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 AurecCanberra 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 AurecCanberra 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 AurecSingapore 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 AurecMelbourne 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 192.168.80.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 AurecHongKong 255.255.255.0
access-list BranchOffices_splitTunnelAcl standard permit 192.168.80.0 255.255.255.0
access-list outside_3_access_in extended permit ip any 139.130.1.0 255.255.255.0
access-list outside_3_access_in extended permit tcp any host 202.7.215.118 object-group DM_INLINE_TCP_2 log disable
access-list outside_3_access_in extended permit tcp any any eq 444
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu outside_2 1500
mtu outside_3 1492
ip local pool VPNPool 192.168.80.160-192.168.80.180 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (outside_2) 103 interface
global (outside_3) 102 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp SBS_Server ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp SBS_Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface https SBS_Server https netmask 255.255.255.255
static (inside,outside) tcp interface www SBS_Server www netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.80.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 4125 SBS_Server 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 993 SBS_Server 993 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Terminal_Server 3389 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica Terminal_Server citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 81 Terminal_Server 81 netmask 255.255.255.255
static (inside,outside) tcp interface 2598 Terminal_Server 2598 netmask 255.255.255.255
static (inside,inside) tcp 192.168.14.50 smtp Terminal_Server smtp netmask 255.255.255.255
static (inside,outside_3) tcp interface 3389 Terminal_Server 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_3_access_in in interface outside_3
route outside 0.0.0.0 0.0.0.0 139.130.1.205 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 10.10.10.0 255.255.255.128 management
http 192.168.80.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.80.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group TPG request dialout pppoe
vpdn group TPG localname [email protected]
vpdn group TPG ppp authentication pap
vpdn username [email protected] password *********
vpdn username [email protected] password *********
dhcp-client client-id interface outside_3
dhcpd address 10.10.10.11-10.10.10.126 management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy BranchOffices internal
group-policy BranchOffices attributes
dns-server value 192.168.80.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value BranchOffices_splitTunnelAcl
default-domain value aurec.com.au
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
nem enable
username aurecsig password cTMjLs6t2jB0v8J7 encrypted privilege 0
username aurecsig attributes
vpn-group-policy BranchOffices
username aurechk password WNF5K5bx.CLd5SSa encrypted privilege 0
username aurechk attributes
vpn-group-policy BranchOffices
username aureccan password vJSIcYRb43cBhk35 encrypted privilege 0
username aureccan attributes
vpn-group-policy BranchOffices
username aurecmel password at.vbO43bPU/cXAz encrypted privilege 0
username aurecmel attributes
vpn-group-policy BranchOffices
username admin password clofk8EM73OlZoFM encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate cert
tunnel-group BranchOffices type remote-access
tunnel-group BranchOffices general-attributes
address-pool VPNPool
default-group-policy BranchOffices
tunnel-group BranchOffices ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all bannedsites
match request uri regex domainlist3
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect http DomainList
parameters
  protocol-violation action drop-connection
match request uri regex domainlist3
  drop-connection log
match request uri regex domainlist1
  drop-connection log
match request uri regex domianlist2
  drop-connection log
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname domain
Cryptochecksum:69b06f8d3ce8db846f7a72cc6a1770ff
:End

Jennifer Halim (Cisco Employee) Mon, 06/28/2010 - 00:08

Unfortunately, you can't have 2 outside interfaces active at the same time. Hence, your RDP is not working. You can't have 2 default routes pointing towards 2 different outside interfaces. You would be able to configure ISP backup link with the second ISP connection, however, only 1 outside interface will be active at any given time.

Hope that answers your question why RDP does not work on your second ISP link.

reza.rafatifard Mon, 06/28/2010 - 01:50

OK, let me give more of a heads-up on what I want to achieve:

I have 4 branches that are connecting to the head office through an Easy VPN setup, all with Cisco ASAs. I have one existing Internet link (139.130.1.0) which is used for site-to-site VPN and Internet browsing.

I am experiencing slow performance and decided to separate out VPN and Internet traffic.

I set up a second internet link from the same ISP (on int eth 0/3, which is a PPPoE link); the link is active and running now.

I want all IPsec VPN terminated on the new link, and all other traffic to pass through my default route (which is the existing link).

First question: can I achieve this scenario?

I have some Internet users who need to access my Terminal Server via Remote Desktop; I want DNS to resolve the name to the PPPoE IP address. Can I achieve this? (At the moment public DNS resolves the name to the existing public IP and all is working.)

Your assistance on this is much appreciated.

Reza

Jennifer Halim (Cisco Employee) Mon, 06/28/2010 - 02:09

Great, thanks for the detailed description.


If you would like to separate VPN traffic from Internet browsing traffic on 2 different links/interfaces, you can only do it for the following VPN:

- LAN-to-LAN tunnel with static peer ip address


Basically for example as follows:

- You have 2 interfaces called, Outside1 for internet browsing, and Outside2 for VPN


- The following routes will be configured:

route Outside1 0.0.0.0 0.0.0.0

route Outside2

route Outside2


Unfortunately, if it's a dynamic peer address and/or remote-access VPN, where you do not know what IP address the client will be connecting from, you can't specify the actual static route for Outside2; hence, as advised earlier, only a static LAN-to-LAN tunnel is possible with your 2 Outside interfaces scenario.


Hope that helps.

reza.rafatifard Mon, 06/28/2010 - 02:25

Hi there,

Thanks for your quick response.

My branches are across countries; how can I set up a LAN-to-LAN setup?

Each branch ASA has a static public IP, and my head office ASA's PPPoE IP address is assigned by the ISP ("ip address pppoe" is on int eth 0/3).

Is a LAN-to-LAN tunnel different from site-to-site VPN (Easy VPN)? All public IP addresses on the branches and head office are static and not dynamic.

Thanks in advance.

Regards

Correct Answer
Jennifer Halim (Cisco Employee) Mon, 06/28/2010 - 03:41

A LAN-to-LAN tunnel is the same as a Site-to-Site tunnel. It's just a different name, and the names are used interchangeably.

If all the peer addresses are static IP addresses, then you do not need to change it, as long as you configure a static route for each of the peer addresses and remote LAN subnets towards your Outside interface for VPN.
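
As an added illustration of the static-route approach described in the two replies above (the 02:09 post and this one), and not configuration taken from the thread or from Cisco, here is what the relevant lines would look like applied to the running config posted in the question. The branch ASAs' public addresses are not given in the thread, so PEER_CANBERRA and the other PEER_* values are placeholders; PPPOE_GW stands for the gateway address the PPPoE session on outside_3 negotiates, which is also an assumption. The remote LAN names and interface names are the ones already defined in the posted config.

```cisco
! Added example, not configuration from the thread.
! Goal: Internet default route stays on "outside"; only the static branch
! peers and their LANs are steered out of the PPPoE link "outside_3".

! Default route for Internet browsing stays on the existing link
! (this line is already present in the posted running config)
route outside 0.0.0.0 0.0.0.0 139.130.1.205 1

! One host route per static branch peer towards the PPPoE link.
! PEER_* and PPPOE_GW are placeholders, not values from the thread.
route outside_3 PEER_CANBERRA 255.255.255.255 PPPOE_GW 1
route outside_3 PEER_SINGAPORE 255.255.255.255 PPPOE_GW 1
route outside_3 PEER_MELBOURNE 255.255.255.255 PPPOE_GW 1
route outside_3 PEER_HONGKONG 255.255.255.255 PPPOE_GW 1

! Remote LAN subnets (names already defined in the running config) also
! via outside_3, so traffic for the branches reaches the interface that
! holds the crypto map and gets encrypted there.
route outside_3 AurecCanberra 255.255.255.0 PPPOE_GW 1
route outside_3 AurecSingapore 255.255.255.0 PPPOE_GW 1
route outside_3 AurecMelbourne 255.255.255.0 PPPOE_GW 1
route outside_3 AurecHongKong 255.255.255.0 PPPOE_GW 1

! Move IKE and the existing crypto map from outside to outside_3
no crypto isakmp enable outside
no crypto map outside_map1 interface outside
crypto map outside_map1 interface outside_3
crypto isakmp enable outside_3
```

After the PPPoE session is up, `show route` confirms which interface each peer and remote subnet is reached through, which is the check to run before moving the crypto map. Note what this does not achieve: the RDP publishing on outside_3 that the original question asked about. As the first reply explains, there is only one default route, so replies from Terminal_Server to an arbitrary Internet client always leave via outside, and the `static (inside,outside_3)` entry and `outside_3_access_in` ACL in the posted config cannot complete a session on their own; only destinations with an explicit route via outside_3 (the static peers) can be served on that link.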
