dns through asa returns inspect-dns-invalid-pak

Unanswered Question
Dec 28th, 2011

ASA5510, ASA 8.0(4), ASDM 6.1(5). This is a production ASA with plenty of lookups working through its 3 interfaces - outside, inside, dmz.  The problem is a new use.  I've segmented a switch on the inside network with a VLAN, and have a workstation routing through the switch to the default VLAN where all other hosts on the inside network reside so far.  The ASA inside interface is the default gateway for the inside network.  My test workstation can PING inside hosts, so the static route is OK.

     ASA 10.1.1.2/16     DNS Server 10.1.5.1/16

                |                                  |

------------------------------------------------------------------

                    |

               Switch 10.1.8.20/16

               VLAN 10.7.1.1/16

                         |

--------------------------------------------

                                   |

                              Test Wkst. 10.7.1.10/16

                        

But lookups fail. Wireshark says the test workstation sends, the DNS server receives and responds, but the test workstation never receives.  I used the Packet Tracer tool; it gets to the last step saying OK, then finally "inspect-dns-invalid-pak".  I can't find anything more there to tell just what is invalid about it.  So I'm trying to figure out global inspection.  While I'm trying to learn I appreciate any help.  Here's an extract from the config:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
service-policy global_policy global

Julio Carvaja Wed, 12/28/2011 - 12:44

Hello,

Seems like the DNS packets are not being received as expected.

inspect-dns-invalid-pak:

This counter will increment when the security  appliance detects an invalid DNS packet. For example, a DNS packet with  no DNS header, the number of DNS resource records not matching the  counter in the header, etc.

So in this case the packets will always be dropped until the DNS packets respect the DNS standard. I think that if you do not inspect DNS you will be able to get the DNS reply.

Can you give it a try:

policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map

Regards,

Julio

mcmurphytoo Wed, 12/28/2011 - 13:13

Thanks.  I'm using ASDM.  I went to Global Policy \ Inspection Default \ Rule Actions and unchecked DNS, which I thought should prevent inspection.  But my packet tool and test-sniffer results did not improve, and the running config shows:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512

So perhaps the next policy map statement after the rules list is still acting on the packets?

Julio Carvaja Wed, 12/28/2011 - 13:19

Hello,

No, it is not acting, because we don't have the policy-map type inspect (deep packet inspection) applied to any layer 3/4 policy map.

Did you save the changes over ASDM and run the packet tracer again?

Regards,

Julio

mcmurphytoo Wed, 12/28/2011 - 13:24

I had applied in the ASDM, but not saved.  But now I have also saved running config to flash, and run the packet tracer.  The final message is still: (inspect-dns-invalid-pak) DNS inspect invalid packet

Julio Carvaja Wed, 12/28/2011 - 13:32

Hello Mcmurphy,

Can you do a clear local-host xxxx (IP address of the host sending the DNS request)

And give it a try one more time,

Regards,

Julio

mcmurphytoo Wed, 12/28/2011 - 13:42

I tried it a couple times, using the command-line tool in the asdm; still get the Packet Tracer inspect-dns error.

Julio Carvaja Wed, 12/28/2011 - 14:14

Hello,

I might know what the issue is; you might be hitting bug ID: CSCsw80103.

By design, Domain Name System (DNS) inspection on Adaptive Security  Appliance (ASA) and PIX firewall blocks DNS responses with Truncated  flag set.

So you can add this following Policy map

policy-map type inspect dns limited-inspection
 parameters
  no nat-rewrite
  no protocol-enforcement

Then

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect dns limited-inspection

Before doing that lets confirm if we see the truncated flag set!!!!

In order to do that can you create a capture and upload the capture here.

access-list test permit udp host test_host host DNS_server
access-list test permit udp host DNS_server host test_host
capture capin access-list test interface inside
capture capdmz access-list test interface dmz

Then go to a host on the inside and on a browser:

https://10.1.1.2/capture/capin/pcap
https://10.1.1.2/capture/capdmz/pcap

Please upload both files to this discussion!

Regards,

Do please rate helpful posts

Julio
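Added here as a worked illustration (editor's code, not from the thread and not Cisco's): the Python below models the checks behind the two drop conditions described in this exchange, the inspect-dns-invalid-pak description (no DNS header, resource-record counts that disagree with the header) and the truncated-flag behaviour attributed to CSCsw80103, plus the 512-byte limit that the posted DNS inspect map sets with "message-length maximum 512". The verdict strings are modelled on ASA "show asp drop" reason names, the order of the checks is an assumption, and every sample message is constructed inline. The same parser can be pointed at the UDP/53 payloads pulled out of the capin/capdmz captures to see which of these conditions a real reply trips.

```python
"""Model of the DNS sanity checks behind the ASA drop reasons discussed above.
Editor's illustration, not Cisco code.  Assumed: verdict strings mirror ASA
'show asp drop' names, 512 mirrors 'message-length maximum 512' from the posted
map, the TC drop mirrors the quoted bug description, check order is a guess.
"""
import struct

MAX_DNS_LEN = 512   # message-length maximum 512 (thread's DNS inspect map)
TC_FLAG = 0x0200    # DNS header "truncated" bit


def _skip_name(msg, off):
    """Offset just past the name at msg[off]; ValueError if malformed.
    Handles RFC 1035 labels and backward compression pointers."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                   # 2-byte compression pointer
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if target >= off:
                raise ValueError("compression pointer does not point backwards")
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length


def inspect_dns(msg, max_len=MAX_DNS_LEN):
    """Return (verdict, reason); verdict is 'pass' or an ASA-style drop reason."""
    if len(msg) > max_len:
        return ("inspect-dns-pak-too-long", "%d bytes > %d" % (len(msg), max_len))
    if len(msg) < 12:
        return ("inspect-dns-invalid-pak", "no DNS header")
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & TC_FLAG:
        return ("inspect-dns-invalid-pak", "truncated (TC) flag set")
    off = 12
    try:
        for _ in range(qd):                         # QNAME + QTYPE + QCLASS
            off = _skip_name(msg, off) + 4
            if off > len(msg):
                raise ValueError("question runs past end of message")
        for _ in range(an + ns + ar):               # NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
            off = _skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("RR header runs past end of message")
            rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
            off += 10 + rdlength
            if off > len(msg):
                raise ValueError("RDATA runs past end of message")
    except ValueError as exc:
        return ("inspect-dns-invalid-pak", "records do not match header counts: %s" % exc)
    if off != len(msg):
        return ("inspect-dns-invalid-pak", "%d trailing bytes after last record" % (len(msg) - off))
    return ("pass", "")


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label for label in name.split(b".")) + b"\x00"


def build_response(answers=1, claimed_answers=None, tc=False, extra=b""):
    """Constructed sample: a minimal A-record reply for example.com.
    claimed_answers lets ANCOUNT disagree with the records actually present,
    tc sets the truncated flag, extra appends bytes after the last record."""
    flags = 0x8180 | (TC_FLAG if tc else 0)          # standard response, RD+RA
    ancount = answers if claimed_answers is None else claimed_answers
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    question = _encode_name(b"example.com") + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # ptr to question name; A IN TTL 300 len 4
    records = b"".join(rr + bytes([93, 184, 216, 34 + i]) for i in range(answers))
    return header + question + records + extra


if __name__ == "__main__":
    cases = {
        "well-formed reply": build_response(),
        "ANCOUNT says 2, one RR present": build_response(claimed_answers=2),
        "TC flag set": build_response(tc=True),
        "4-byte fragment, no header": b"\x12\x34\x81\x80",
        "3 stray bytes after last RR": build_response(extra=b"\x00" * 3),
        "600 bytes of padding": build_response(extra=b"\x00" * 600),
    }
    for label, msg in cases.items():
        verdict, reason = inspect_dns(msg)
        print("%-32s %-26s %s" % (label, verdict, reason))
```

Run it directly to print a verdict for each constructed case. A "truncated (TC) flag set" verdict on a real reply means the server's UDP answer did not fit in one datagram, which is exactly the condition the bug note above describes; a count mismatch or stray trailing bytes point at a malformed reply rather than at the firewall.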

mcmurphytoo Thu, 12/29/2011 - 06:00

Thanks, I'm working on this this morning.  I'll upload with another reply when I have them ready.

mcmurphytoo Thu, 12/29/2011 - 07:18

I'm trying the ASDM Packet Capture Wizard.  It does not allow for the Ingress and Egress on the same interface.  I selected the Inside interface for Ingress; when the wizard came to Egress it allowed only the other interfaces - DMZ, outside, management - as choices.  I see in your instructions for the capture, using the command line, the pair of capture commands specify different interfaces.  So - can this capture be run specifying Ingress and Egress on the same interface?  Alternatively, I can run the test twice using DMZ as the alternate interface and presumably will get no input on the DMZ side of each capture, but between the two tests will get usable results.

A larger question is, should this ASA be serving as default gateway for my inside network?  Its default behavior is to not allow intra-interface traffic. I changed that, but still seem to hit these issues where it is assuming there will be only inter-interface traffic.

Julio Carvaja Thu, 12/29/2011 - 08:12

Hello Mcmurphy,

Yes, the ASA can work as a default gateway.

Now one question:

Are the packets in this communication exchanged on the same interface?

     ASA 10.1.1.2/16     DNS Server 10.1.5.1/16

                |                                  |

------------------------------------------------------------------

                    |

               Switch 10.1.8.20/16

               VLAN 10.7.1.1/16

                         |

--------------------------------------------

                                   |

                              Test Wkst. 10.7.1.10/16

From this diagram it seems like the DNS server is on another interface. Is that not true?

To allow traffic in the same interface

same-security-traffic permit intra-interface

Regards,

Julio

Do rate helpful posts!!

mcmurphytoo Thu, 12/29/2011 - 08:36

I'll work on my graphics.

-----------------------             

          |outside

     63.171.86.xxx    

              ASA                      DNS Server              

     10.1.1.2/16                10.1.5.54/16

          | inside                         |inside

-----------------------------------------------------------

                    |inside

               10.1.8.20/16

               Switch/VLAN

               10.7.1.1/16

                         |remote

--------------------------------------------

                                   |

                              10.7.1.10/16

                              Test Workstation

The ASA also has a DMZ interface, but all the communication in this issue is on the ASA's inside interface.  The test workstation is on a remote network.  The Switch/VLAN routes Test Workstation traffic from its remote interface through its inside interface to the ASA inside interface.  The ASA routes it back out through the inside interface to the DNS Server's inside interface.  Return traffic goes out the DNS Server's inside interface, in through the ASA inside interface, and exits the ASA inside interface to the Switch/VLAN inside interface.  The Switch/VLAN routes the traffic to the Test Workstation on the remote interface.

Julio Carvaja Thu, 12/29/2011 - 09:36

Hello,

Can you add the command

same-security-traffic permit intra-interface

And give it a try, also what happens if you use an external dns like 4.2.2.2

Regards,

Julio

mcmurphytoo Thu, 12/29/2011 - 11:54

It's a long thing, but I think I can paste in the whole config.  I added the "same-security-traffic permit intra-interface" when I faced this question a couple of years ago, and at that time added the "sysopt noproxyarp inside".  I have my ISP's published DNS servers, but my test workstation does not get to the internet yet; this DNS issue may be just the start of getting this routing through the switch working.

: Saved
:
ASA Version 8.0(4)
!
hostname CDCFCUASA
domain-name default.domain.invalid
enable password ufxaWULkRjFVEUDK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name 10.1.10.0 inside-clients description clients
name 170.135.216.250 ElanP1 description Elan Production 1
name 170.135.72.77 ElanP2 description Elan Production 2
name 170.135.128.149 ElanT1 description Elan Test 1
name 170.135.72.80 ElanT2 description Elan Test 2
name 10.1.5.58 CDC-IT
name 10.1.5.0 inside-servers
name 10.1.1.0 inside-routers
name 10.3.0.0 chamblee-network
name 10.1.32.0 OLD-CL
name 10.1.128.0 OLD-EP
name 10.1.192.0 OLD-CH
name 10.1.5.27 VelocityApp
name 63.171.86.196 Velocity-Netlend
name 10.1.5.52 HPSIM
name 10.1.5.50 SW-UDT description User Device Tracker
name 10.1.5.36 CDC-Calyx description Calyx Server
name 63.171.86.149 ExtCalyx
name 10.2.0.0 clifton-network
name 10.7.0.0 execpark-network description Executive Park network
name 10.1.5.54 CDC-Northlake
name 10.1.10.127 Test4DNSPC
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.2 255.255.0.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 63.171.86.133 255.255.255.224
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 63.171.86.193 255.255.255.224
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service non-well-known_tcp tcp
port-object range 1024 65535
object-group service Above_well-known_UDP udp
port-object range 1024 65535
object-group service sftp tcp
description Secure ftp
port-object range ssh ssh
object-group service StandardDNS udp
port-object range domain domain
object-group service Elan_multi-port_allow-mcm tcp
port-object range 21000 21400
object-group service Elan_ATM_auth tcp
port-object range 9999 9999
object-group service realplayer-st tcp
port-object range 50505 50505
object-group service TCP-UDP_DNS tcp-udp
port-object range domain domain
object-group service Port_1505-Proxy udp
port-object range 1505 1505
object-group service Port_1505-Proxy-TCP tcp
port-object range 1505 1505
object-group service Port_4242 tcp
port-object range 4242 4242
object-group service Port_4026 tcp
port-object range 4026 4026
object-group service Elan_High_Sftp tcp
port-object range 20021 20021
object-group service Port_1052 tcp
port-object range 1052 1052
object-group service Port_5013 tcp
port-object range 5013 5013
object-group service ntp_port tcp
port-object range 123 123
object-group service RIM_P3101 tcp
description for Blackberry
port-object range 3101 3101
object-group service ATM_Prod_Auth tcp
port-object range 5013 5013
object-group service ATM_Test_Auth tcp
port-object range 9999 9999
object-group service TCP8000 tcp
description Barracuda User Access Port
port-object range 8000 8000
object-group service DM_INLINE_TCP_1 tcp
group-object non-well-known_tcp
port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
group-object non-well-known_tcp
port-object eq smtp
object-group service ndmp tcp
description Backup Exec
port-object eq 10000
object-group service s-POP3 tcp
description Secure POP3
port-object range 995 995
object-group service Port_5106 tcp
description FDR Terminal Emulation
port-object range 5106 5106
object-group network INSIDE_NETWORKS
network-object 10.1.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
object-group service ssh-sftp tcp
description for Elan file xfrs
port-object range ftp ftp
object-group service ssh-sftp-dst tcp
description Elan xfr dst port
port-object range 55129 55129
object-group network ElanSftp
description Elan Sftp Servers
network-object host 170.135.128.149
network-object host 170.135.216.250
network-object host 170.135.72.77
network-object host 170.135.72.80
object-group service Elansftp tcp
description Elan's ssh-sftp
port-object eq 20022
object-group service vseaup tcp
description Mcafee VirusScan Enterprise Autoupdate
port-object eq 81
object-group network All-inside-networks
network-object 10.3.0.0 255.255.0.0
network-object 10.1.1.0 255.255.255.0
network-object 10.1.10.0 255.255.255.0
network-object 10.1.5.0 255.255.255.0
network-object 10.2.0.0 255.255.0.0
network-object 10.1.128.0 255.255.255.0
network-object 10.1.32.0 255.255.255.0
network-object 10.1.192.0 255.255.255.0
network-object 10.7.0.0 255.255.0.0
object-group network branch-networks
description Chamble, Clifton, Execpark
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.1.128.0 255.255.255.0
network-object 10.1.192.0 255.255.255.0
network-object 10.7.0.0 255.255.0.0
object-group network HPRSS
description HP Remote Support Servers
network-object host 15.193.24.60
network-object host 15.193.24.61
network-object host 15.216.12.255
object-group service Port_8443 tcp
description for Mcafee Agent
port-object range 8443 8444
object-group service WBEM tcp
description HPSIM
port-object range 5989 5989
object-group service compaq-https tcp
port-object range 2381 2381
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp eq snmp
service-object udp eq netbios-ns
access-list 101 standard permit 10.1.1.0 255.255.255.0
access-list inside_pnat_outbound extended permit ip 10.1.10.0 255.255.255.0 any
access-list inside_pnat_outbound extended permit ip 10.1.5.0 255.255.255.0 any
access-list inside_pnat_outbound extended permit ip 10.3.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.2.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.7.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.1.1.0 255.255.255.0 any
access-list dmz_access_in remark DMZ - dns to internal servers
access-list dmz_access_in extended permit tcp any object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq domain
access-list dmz_access_in remark Elan-Multipoint - production host authorization
access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Prod_Auth host 10.1.5.9 object-group non-well-known_tcp
access-list dmz_access_in remark Netlend - respond to secure request
access-list dmz_access_in extended permit tcp host 63.171.86.196 eq https any object-group non-well-known_tcp
access-list dmz_access_in remark Netlend - respond to insecure request
access-list dmz_access_in extended permit tcp host 63.171.86.196 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in remark Internet Banking - eStatement traffic
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.2 eq www
access-list dmz_access_in remark Internet Banking - authorization traffic to Primary DB
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.5 object-group non-well-known_tcp
access-list dmz_access_in remark Elan-Multipoint - test host authorization
access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Test_Auth host 10.1.5.9 object-group non-well-known_tcp
access-list dmz_access_in remark DMZ - Ping to outside
access-list dmz_access_in extended permit icmp 63.171.86.192 255.255.255.224 any
access-list dmz_access_in remark Barracuda - forward email to Exchange
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group DM_INLINE_TCP_2 host 10.1.5.55 eq smtp
access-list dmz_access_in remark Barracuda - ldap lookups to domain controllers
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap
access-list dmz_access_in remark Barracuda - Let http request out
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq www
access-list dmz_access_in remark Barracuda - SSH response out diagnostics request
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq ssh
access-list dmz_access_in remark Barracuda - respond to smtp  in
access-list dmz_access_in extended permit tcp host 63.171.86.194 eq smtp any object-group non-well-known_tcp
access-list dmz_access_in remark Barracuda - let smtp request out to Exchange or other
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq smtp
access-list dmz_access_in remark Barracuda - let NTP request out
access-list dmz_access_in extended permit udp host 63.171.86.194 eq ntp any eq ntp
access-list dmz_access_in remark DMZ - udp dns to internal dns servers
access-list dmz_access_in extended permit udp any object-group Above_well-known_UDP 10.1.5.0 255.255.255.0 eq domain
access-list dmz_access_in remark Barracuda - Let P8000 response into inside client
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list dmz_access_in remark Barracuda - ftp control port to back itself up to core ftp server
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp
access-list dmz_access_in remark Barracuda - ftp data port to back itself up to Core server
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp-data
access-list dmz_access_in extended permit tcp host 63.171.86.197 object-group non-well-known_tcp any eq www
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp host 10.1.5.58 object-group vseaup
access-list dmz_access_in remark Internet Banking - image retrieval for ISChecks
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.31 eq www
access-list dmz_access_in remark Netlend-Velocity Communication
access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp host 10.1.5.27 eq www
access-list dmz_access_in remark secure request dmz to inside
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq https
access-list dmz_access_in remark for Mcafee Agent
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 object-group Port_8443
access-list dmz_access_in remark snmp for SIM
access-list dmz_access_in extended permit udp host 63.171.86.196 host 10.1.5.52 eq snmp
access-list dmz_access_in remark HPSIM
access-list dmz_access_in extended permit tcp host 63.171.86.196 host 10.1.5.52 object-group compaq-https
access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp host 64.235.144.107 eq https
access-list outside_access_in remark Barracuda - receive ssh request for diagnostics
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.144 eq ssh
access-list outside_access_in remark IAS_Credit receive bi-https for credit check
access-list outside_access_in extended permit tcp host 70.251.39.12 eq https host 63.171.86.141 eq https
access-list outside_access_in remark IAS_Credit receive for credit check
access-list outside_access_in extended permit tcp host 204.181.116.29 eq https host 63.171.86.141 eq https
access-list outside_access_in remark Barracuda - Let smtp request in
access-list outside_access_in extended permit tcp any object-group DM_INLINE_TCP_1 host 63.171.86.144 eq smtp
access-list outside_access_in remark Barracuda - let in smtp response to send email out
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.144 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - Let secure request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq https
access-list outside_access_in remark Netlend - let insecure request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq www
access-list outside_access_in remark NAT dyamic client - let icmp response in
access-list outside_access_in extended permit icmp any host 63.171.86.133
access-list outside_access_in remark Exchange - Let https request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 eq https
access-list outside_access_in remark IAS_Credit receive for credit check
access-list outside_access_in extended permit tcp host 67.133.186.12 eq https host 63.171.86.141 eq https
access-list outside_access_in remark DMZ - let icmp in
access-list outside_access_in extended permit icmp any 63.171.86.192 255.255.255.224
access-list outside_access_in remark NAT dynamic client - Let http response in
access-list outside_access_in extended permit tcp any eq www host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let https response in
access-list outside_access_in extended permit tcp any eq https host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - Let Proxy tcp in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 object-group Port_1505-Proxy-TCP
access-list outside_access_in remark Netlend - let Proxy udp in
access-list outside_access_in extended permit udp any object-group Above_well-known_UDP host 63.171.86.146 object-group Port_1505-Proxy
access-list outside_access_in remark Elan - Sftp control response for reports (in to SYSAPPS4)
access-list outside_access_in extended permit tcp any object-group Elan_High_Sftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let dns lookup replies in
access-list outside_access_in extended permit tcp any eq domain host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let nntp replies in
access-list outside_access_in extended permit tcp any eq nntp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let smtp reply in
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Elan - Let Multiport response into dynamic NAT client (sysapps4 for Elan reports)
access-list outside_access_in extended permit tcp any object-group Elan_multi-port_allow-mcm host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - let Blackberry traffic in
access-list outside_access_in extended permit tcp host 206.51.26.33 object-group non-well-known_tcp host 63.171.86.147 object-group RIM_P3101
access-list outside_access_in remark NAT dynamic client - let FTP response in
access-list outside_access_in extended permit tcp any eq ftp-data host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - let secure browse response in
access-list outside_access_in extended permit tcp any eq https host 63.171.86.146 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - let smtp response in
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.147 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - let in response to http browse
access-list outside_access_in extended permit tcp any eq www host 63.171.86.146 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - ICMP
access-list outside_access_in extended permit icmp any host 63.171.86.147
access-list outside_access_in remark Netlend - ICMP
access-list outside_access_in extended permit icmp any host 63.171.86.146
access-list outside_access_in remark Barracuda - let NTP response in
access-list outside_access_in extended permit udp any eq ntp host 63.171.86.144 object-group Above_well-known_UDP
access-list outside_access_in remark Netlend - Let http response in (stateful?)
access-list outside_access_in extended permit tcp any eq www host 63.171.86.144 object-group non-well-known_tcp inactive
access-list outside_access_in remark Exchange - Let Blackberry traffic in
access-list outside_access_in extended permit tcp host 204.187.87.33 object-group RIM_P3101 host 63.171.86.147 object-group non-well-known_tcp
access-list outside_access_in remark Barracuda - response to User Access (Stateful?)
access-list outside_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - TEST to listen on smtp
access-list outside_access_in extended permit tcp any host 63.171.86.147 eq smtp inactive
access-list outside_access_in extended permit ip host 63.171.86.144 host 63.171.86.194 inactive
access-list outside_access_in remark Barracuda - let response to http request - for updates
access-list outside_access_in extended permit tcp any eq www host 63.171.86.144
access-list outside_access_in remark uMonitor Test VPN
access-list outside_access_in extended permit ip host 10.100.102.2 host 10.1.5.8
access-list outside_access_in remark uMonitor Test VPN
access-list outside_access_in extended permit icmp host 64.129.221.66 any
access-list outside_access_in remark uMonitor Prod1 VPN
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 host 10.1.5.8
access-list outside_access_in remark U-Monitor production1
access-list outside_access_in extended permit icmp host 64.209.230.234 any
access-list outside_access_in remark uMonitor Prod2
access-list outside_access_in extended permit icmp host 209.235.27.44 any
access-list outside_access_in remark uMonitor Prod2 VPN
access-list outside_access_in extended permit ip 192.168.12.0 255.255.255.0 host 10.1.5.8
access-list outside_access_in remark Exchange - Let secure POP3 in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 object-group s-POP3
access-list outside_access_in remark NAT Dynamic client - let ssh-sftp reply in (set up for Elan)
access-list outside_access_in extended permit tcp host 170.135.128.149 object-group ssh-sftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark for Proxy Host on extranet
access-list outside_access_in extended permit tcp 63.171.86.128 255.255.255.224 object-group Port_1505-Proxy-TCP 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list outside_access_in remark http response in
access-list outside_access_in extended permit tcp any eq www host 63.171.86.197 object-group non-well-known_tcp
access-list outside_access_in remark Let in Elan ssh-sftp response to Appworx file xfr request
access-list outside_access_in extended permit tcp object-group ElanSftp object-group Elansftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Verafin Test Vpn
access-list outside_access_in extended permit ip host 166.123.218.113 host 10.1.5.19
access-list outside_access_in remark Verafin VPN DR
access-list outside_access_in extended permit ip host 164.95.95.112 host 10.1.5.19
access-list outside_access_in remark Verafin VPN Prod
access-list outside_access_in extended permit ip host 166.123.218.112 host 10.1.5.19
access-list outside_access_in remark USBank ssh transfers
access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh host 63.171.86.148 object-group non-well-known_tcp
access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh 10.1.11.0 255.255.255.0 object-group non-well-known_tcp
access-list outside_access_in remark HP Sim server from HP Remote Support Servers
access-list outside_access_in extended permit tcp object-group HPRSS host 10.1.5.52 eq https
access-list outside_access_in remark Let UDT poll external switch
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 63.171.86.128 255.255.255.224 host 10.1.5.50
access-list outside_access_in remark Use Calyx server from outside
access-list outside_access_in extended permit tcp any host 63.171.86.149 eq https
access-list outside_access_in remark ssh diagnostic support for Barracudas
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.133 eq ssh
access-list inside_nat0_outbound remark UMonitor VPN remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.100.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 63.171.86.192 255.255.255.224
access-list inside_nat0_outbound remark eCB remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.199.8.0 255.255.255.0
access-list inside_nat0_outbound remark Elan remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 206.208.79.0 255.255.255.0
access-list inside_nat0_outbound remark U-Monitor production
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound remark uMonitor Prod2 VPN
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound remark NAT exemption for FinCen DR VPN
access-list inside_nat0_outbound extended permit ip host 10.1.5.19 host 164.95.95.112
access-list inside_nat0_outbound extended permit ip any 10.200.200.0 255.255.255.0
access-list inside_nat0_outbound remark traffic to FinCen Prod, Test VPN
access-list inside_nat0_outbound extended permit ip host 10.1.5.19 166.123.218.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.1.5.50 63.171.86.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.7.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list capout extended permit tcp any host 63.171.86.144 eq smtp
access-list capout extended permit tcp host 63.171.86.144 eq smtp any
access-list capout extended permit tcp any host 63.171.86.147 eq smtp
access-list capout extended permit tcp host 63.171.86.147 eq smtp any
access-list capdmz extended permit tcp any host 63.171.86.194 eq smtp
access-list capdmz extended permit tcp host 63.171.86.194 eq smtp any
access-list capin extended permit tcp any host 10.1.5.55 eq smtp
access-list capin extended permit tcp host 10.1.5.55 eq smtp any
access-list inside_nat_static extended permit tcp host 10.1.5.55 eq smtp any
access-list inside_nat_static_1 extended permit tcp host 10.1.5.55 eq smtp any
access-list policy_nat_mail2 extended permit ip host 10.1.5.55 any
access-list inside_access_in extended permit ip object-group INSIDE_NETWORKS any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 any inactive
access-list inside_access_in extended permit ip host 170.186.240.100 any
access-list inside_access_in extended permit udp host 10.1.10.127 host 10.1.5.54 inactive
access-list inside_access_in extended permit udp host 10.1.5.54 host 10.1.10.127 inactive
access-list outside_cryptomap extended permit ip host 10.1.5.8 192.168.0.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip host 10.1.5.8 192.168.12.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip host 10.1.5.19 host 166.123.2.110
access-list outside_cryptomap_3 extended permit ip host 10.1.5.19 host 166.123.2.126
access-list cap extended permit ip host 10.1.5.8 host 192.168.12.42
access-list inside_nat0_outbound_1 remark Exempt any traffic to new Chamblee
access-list inside_nat0_outbound_1 extended permit ip any 10.3.0.0 255.255.0.0
access-list inside_nat0_outbound_1 extended permit ip 170.186.240.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip 10.1.0.0 255.255.0.0 170.186.240.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.1.0.0 255.255.0.0 170.209.0.0 255.255.255.0
access-list inside_nat0_outbound_1 remark NAT exempt traffic to branches
access-list inside_nat0_outbound_1 extended permit ip object-group All-inside-networks object-group branch-networks
access-list outside_cryptomap_4 extended permit ip host 10.1.5.19 host 166.123.218.112
access-list outside_cryptomap_5 extended permit ip host 10.1.5.8 host 10.100.102.2
access-list outside_cryptomap_7 extended permit ip host 10.1.5.19 host 164.95.95.112
access-list outside_cryptomap_6 extended permit ip host 10.1.5.19 host 166.123.218.113
access-list split-tunnel standard permit 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1000000
logging trap errors
logging asdm informational
logging from-address ASA5510@cdcfcu.com
logging recipient-address mcmurphy@cdcfcu.com level critical
logging host inside 10.1.10.121
logging ftp-server 10.1.5.54 syslogs barracuda ****
logging class vpn buffered debugging
logging message 713120 level errors
logging message 722022 level errors
logging message 722023 level errors
logging message 713050 level errors
logging message 302013 level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool remusers2 10.200.200.10-10.200.200.20 mask 255.255.0.0
ip local pool spltusers 10.210.210.10-10.210.210.20 mask 255.255.0.0
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 access-list inside_pnat_outbound
static (outside,inside) tcp 170.135.128.149 ssh 170.135.128.149 20022 netmask 255.255.255.255
static (outside,inside) tcp 170.135.216.250 ssh 170.135.216.250 20022 netmask 255.255.255.255
static (dmz,outside) 63.171.86.144 63.171.86.194 netmask 255.255.255.255 dns
static (inside,outside) 63.171.86.147 10.1.5.55 netmask 255.255.255.255 dns
static (dmz,outside) 63.171.86.146 63.171.86.196 netmask 255.255.255.255 dns norandomseq
static (inside,outside) 63.171.86.149 10.1.5.36 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 63.171.86.129 1
route inside 10.7.0.0 255.255.0.0 10.1.8.20 1
route outside 10.100.102.2 255.255.255.255 63.171.86.129 1
route dmz 10.199.8.0 255.255.255.0 63.171.86.203 1
route outside 64.209.230.234 255.255.255.255 63.171.86.129 1
route outside 66.194.237.176 255.255.255.255 63.171.86.129 1
route outside 166.123.2.110 255.255.255.255 63.171.86.129 1
route outside 166.123.2.126 255.255.255.255 63.171.86.129 1
route outside 166.123.2.142 255.255.255.255 63.171.86.129 1
route outside 166.123.208.198 255.255.255.255 63.171.86.129 1
route outside 166.123.216.112 255.255.255.255 63.171.86.129 1
route inside 170.186.240.0 255.255.255.0 10.1.8.6 1
route inside 170.209.0.2 255.255.255.255 10.1.8.13 1
route inside 170.209.0.3 255.255.255.255 10.1.8.13 1
route inside 172.19.102.190 255.255.255.255 10.1.8.6 1
route outside 192.168.0.0 255.255.255.0 63.171.86.129 1
route outside 192.168.12.0 255.255.255.0 63.171.86.129 1
route inside 192.168.29.0 255.255.255.0 10.1.8.6 1
route inside 192.168.93.26 255.255.255.255 10.1.8.12 1
route inside 199.186.96.0 255.255.255.0 10.1.8.16 1
route inside 199.186.97.0 255.255.255.0 10.1.8.16 1
route inside 199.186.98.0 255.255.255.0 10.1.8.16 1
route outside 199.196.144.143 255.255.255.255 63.171.86.129 1
route outside 199.196.144.144 255.255.255.255 63.171.86.129 1
route dmz 206.208.79.0 255.255.255.0 63.171.86.202 1
route outside 209.235.27.44 255.255.255.255 63.171.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.1.5.1
ldap-base-dn dc=cdcfcunet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=cdcfcunet,dc=local
server-type microsoft
ldap-attribute-map CISCOMAP
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 10.1.5.52 community hpsim
snmp-server host inside 10.1.5.50 community swudt version 2c
snmp-server location Northlake
snmp-server contact Mike Murphy
snmp-server community swudt
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 64.209.230.234
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 209.235.27.44
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 199.196.144.144
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 199.196.144.143
crypto map outside_map 4 set transform-set ESP-AES-256-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 166.123.208.198
crypto map outside_map 5 set transform-set ESP-AES-256-SHA
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside_map 5 set security-association lifetime kilobytes 4608000
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set peer 64.129.221.66
crypto map outside_map 6 set transform-set ESP-3DES-MD5
crypto map outside_map 6 set security-association lifetime seconds 28800
crypto map outside_map 6 set security-association lifetime kilobytes 4608000
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 166.123.208.198
crypto map outside_map 7 set transform-set ESP-AES-256-SHA
crypto map outside_map 7 set security-association lifetime seconds 28800
crypto map outside_map 7 set security-association lifetime kilobytes 4608000
crypto map outside_map 8 match address outside_cryptomap_7
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 164.95.95.4
crypto map outside_map 8 set transform-set ESP-AES-256-SHA
crypto map outside_map 8 set security-association lifetime seconds 28800
crypto map outside_map 8 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.192.1.193 source outside
ntp server 128.192.1.9 source outside
tftp-server inside 10.1.10.120 /asa5510
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy fcusers internal
group-policy fcusers attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
address-pools value remusers2
group-policy stusers internal
group-policy stusers attributes
vpn-tunnel-protocol l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
address-pools value remusers2
username mmurphy password G3c44QeLNGYkvwxa encrypted privilege 0
username mmurphy attributes
vpn-group-policy fcusers
username askeen nopassword privilege 0
username askeen attributes
vpn-group-policy fcusers
service-type remote-access
username velocity nopassword
username velocity attributes
vpn-group-policy fcusers
service-type remote-access
username special password fnYplaKWrx7ywBKR encrypted privilege 15
username dphilpot nopassword privilege 0
username dphilpot attributes
vpn-group-policy fcusers
service-type remote-access
username bjames password c9WvTlQzhs/8jgpt encrypted privilege 0
username bjames attributes
vpn-group-policy fcusers
username cisco password 3USUcOPFUiMCO4Jk encrypted
username jvaughn password /KdVynqfFx/TfX0m encrypted privilege 0
username jvaughn attributes
vpn-group-policy fcusers
service-type remote-access
tunnel-group fcusers type remote-access
tunnel-group fcusers general-attributes
address-pool (inside) remusers2
address-pool remusers2
authentication-server-group LDAP_SRV_GRP
default-group-policy fcusers
tunnel-group fcusers webvpn-attributes
group-alias cdcusers enable
tunnel-group fcusers ipsec-attributes
pre-shared-key *
tunnel-group 64.209.230.234 type ipsec-l2l
tunnel-group 64.209.230.234 ipsec-attributes
pre-shared-key *
tunnel-group 209.235.27.44 type ipsec-l2l
tunnel-group 209.235.27.44 ipsec-attributes
pre-shared-key *
tunnel-group 199.196.144.143 type ipsec-l2l
tunnel-group 199.196.144.143 ipsec-attributes
pre-shared-key *
tunnel-group 199.196.144.144 type ipsec-l2l
tunnel-group 199.196.144.144 ipsec-attributes
pre-shared-key *
tunnel-group 166.123.208.198 type ipsec-l2l
tunnel-group 166.123.208.198 ipsec-attributes
pre-shared-key *
tunnel-group 64.129.221.66 type ipsec-l2l
tunnel-group 64.129.221.66 ipsec-attributes
pre-shared-key *
tunnel-group 164.95.95.4 type ipsec-l2l
tunnel-group 164.95.95.4 ipsec-attributes
pre-shared-key *
tunnel-group Fincen-Test type ipsec-l2l
tunnel-group Fincen-Test general-attributes
tunnel-group Fincen-Test ipsec-attributes
pre-shared-key *
tunnel-group stusers type remote-access
tunnel-group stusers general-attributes
address-pool remusers2
authentication-server-group LDAP_SRV_GRP
default-group-policy stusers
tunnel-group stusers webvpn-attributes
group-alias 2wayusers enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
!
service-policy global_policy global
smtp-server 10.1.5.55
prompt hostname context
Cryptochecksum:c26fd13eb40be4436a08b5bcc977aa2f
: end
asdm image disk0:/asdm-615.bin
asdm location 63.171.86.200 255.255.255.255 dmz
asdm location 10.1.5.5 255.255.255.255 inside
asdm location 10.1.5.2 255.255.255.255 inside
asdm location 10.1.5.9 255.255.255.255 inside
asdm location 63.171.86.133 255.255.255.255 inside
asdm location 63.171.86.197 255.255.255.255 dmz
asdm location 10.199.8.0 255.255.255.0 dmz
asdm location 206.208.79.0 255.255.255.0 dmz
asdm location 63.171.86.135 255.255.255.255 inside
asdm location 63.171.86.200 255.255.255.255 inside
asdm location 63.171.86.141 255.255.255.255 inside
asdm location 63.171.86.142 255.255.255.255 inside
asdm location 10.1.10.0 255.255.255.0 inside
asdm location 10.1.5.8 255.255.255.255 inside
asdm location 10.200.200.0 255.255.255.0 inside
asdm location 170.135.72.77 255.255.255.255 inside
asdm location 170.135.72.80 255.255.255.255 inside
asdm location 170.135.216.250 255.255.255.255 inside
asdm location 209.235.27.44 255.255.255.255 inside
asdm location 10.1.5.58 255.255.255.255 inside
asdm location 199.196.144.143 255.255.255.255 inside
asdm location 10.1.11.0 255.255.255.0 inside
asdm location 170.135.128.0 255.255.255.0 inside
asdm location 10.3.0.0 255.255.0.0 inside
asdm location 10.2.0.0 255.255.0.0 inside
asdm location 10.1.32.0 255.255.255.0 inside
asdm location 10.1.128.0 255.255.255.0 inside
asdm location 10.1.192.0 255.255.255.0 inside
asdm location 10.1.5.27 255.255.255.255 inside
asdm location 63.171.86.196 255.255.255.255 inside
asdm location 10.1.5.50 255.255.255.255 inside
asdm location 10.1.5.36 255.255.255.255 inside
asdm location 63.171.86.149 255.255.255.255 inside
asdm location 10.7.0.0 255.255.0.0 inside
asdm location 10.1.5.54 255.255.255.255 inside
asdm location 10.1.10.127 255.255.255.255 inside
no asdm history enable


hostname CDCFCUASA
domain-name default.domain.invalid
enable password ufxaWULkRjFVEUDK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name 10.1.10.0 inside-clients description clients
name 170.135.216.250 ElanP1 description Elan Production 1
name 170.135.72.77 ElanP2 description Elan Production 2
name 170.135.128.149 ElanT1 description Elan Test 1
name 170.135.72.80 ElanT2 description Elan Test 2
name 10.1.5.58 CDC-IT
name 10.1.5.0 inside-servers
name 10.1.1.0 inside-routers
name 10.3.0.0 chamblee-network
name 10.1.32.0 OLD-CL
name 10.1.128.0 OLD-EP
name 10.1.192.0 OLD-CH
name 10.1.5.27 VelocityApp
name 63.171.86.196 Velocity-Netlend
name 10.1.5.52 HPSIM
name 10.1.5.50 SW-UDT description User Device Tracker
name 10.1.5.36 CDC-Calyx description Calyx Server
name 63.171.86.149 ExtCalyx
name 10.2.0.0 clifton-network
name 10.7.0.0 execpark-network description Executive Park network
name 10.1.5.54 CDC-Northlake
name 10.1.10.127 Test4DNSPC
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.1.1.2 255.255.0.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 63.171.86.133 255.255.255.224
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 63.171.86.193 255.255.255.224
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service non-well-known_tcp tcp
port-object range 1024 65535
object-group service Above_well-known_UDP udp
port-object range 1024 65535
object-group service sftp tcp
description Secure ftp
port-object range ssh ssh
object-group service StandardDNS udp
port-object range domain domain
object-group service Elan_multi-port_allow-mcm tcp
port-object range 21000 21400
object-group service Elan_ATM_auth tcp
port-object range 9999 9999
object-group service realplayer-st tcp
port-object range 50505 50505
object-group service TCP-UDP_DNS tcp-udp
port-object range domain domain
object-group service Port_1505-Proxy udp
port-object range 1505 1505
object-group service Port_1505-Proxy-TCP tcp
port-object range 1505 1505
object-group service Port_4242 tcp
port-object range 4242 4242
object-group service Port_4026 tcp
port-object range 4026 4026
object-group service Elan_High_Sftp tcp
port-object range 20021 20021
object-group service Port_1052 tcp
port-object range 1052 1052
object-group service Port_5013 tcp
port-object range 5013 5013
object-group service ntp_port tcp
port-object range 123 123
object-group service RIM_P3101 tcp
description for Blackberry
port-object range 3101 3101
object-group service ATM_Prod_Auth tcp
port-object range 5013 5013
object-group service ATM_Test_Auth tcp
port-object range 9999 9999
object-group service TCP8000 tcp
description Barracuda User Access Port
port-object range 8000 8000
object-group service DM_INLINE_TCP_1 tcp
group-object non-well-known_tcp
port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
group-object non-well-known_tcp
port-object eq smtp
object-group service ndmp tcp
description Backup Exec
port-object eq 10000
object-group service s-POP3 tcp
description Secure POP3
port-object range 995 995
object-group service Port_5106 tcp
description FDR Terminal Emulation
port-object range 5106 5106
object-group network INSIDE_NETWORKS
network-object 10.1.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.2.0.0 255.255.0.0
network-object 10.7.0.0 255.255.0.0
object-group service ssh-sftp tcp
description for Elan file xfrs
port-object range ftp ftp
object-group service ssh-sftp-dst tcp
description Elan xfr dst port
port-object range 55129 55129
object-group network ElanSftp
description Elan Sftp Servers
network-object host 170.135.128.149
network-object host 170.135.216.250
network-object host 170.135.72.77
network-object host 170.135.72.80
object-group service Elansftp tcp
description Elan's ssh-sftp
port-object eq 20022
object-group service vseaup tcp
description Mcafee VirusScan Enterprise Autoupdate
port-object eq 81
object-group network All-inside-networks
network-object 10.3.0.0 255.255.0.0
network-object 10.1.1.0 255.255.255.0
network-object 10.1.10.0 255.255.255.0
network-object 10.1.5.0 255.255.255.0
network-object 10.2.0.0 255.255.0.0
network-object 10.1.128.0 255.255.255.0
network-object 10.1.32.0 255.255.255.0
network-object 10.1.192.0 255.255.255.0
network-object 10.7.0.0 255.255.0.0
object-group network branch-networks
description Chamble, Clifton, Execpark
network-object 10.2.0.0 255.255.0.0
network-object 10.3.0.0 255.255.0.0
network-object 10.1.128.0 255.255.255.0
network-object 10.1.192.0 255.255.255.0
network-object 10.7.0.0 255.255.0.0
object-group network HPRSS
description HP Remote Support Servers
network-object host 15.193.24.60
network-object host 15.193.24.61
network-object host 15.216.12.255
object-group service Port_8443 tcp
description for Mcafee Agent
port-object range 8443 8444
object-group service WBEM tcp
description HPSIM
port-object range 5989 5989
object-group service compaq-https tcp
port-object range 2381 2381
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp eq snmp
service-object udp eq netbios-ns
access-list 101 standard permit 10.1.1.0 255.255.255.0
access-list inside_pnat_outbound extended permit ip 10.1.10.0 255.255.255.0 any
access-list inside_pnat_outbound extended permit ip 10.1.5.0 255.255.255.0 any
access-list inside_pnat_outbound extended permit ip 10.3.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.2.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.7.0.0 255.255.0.0 any
access-list inside_pnat_outbound extended permit ip 10.1.1.0 255.255.255.0 any
access-list dmz_access_in remark DMZ - dns to internal servers
access-list dmz_access_in extended permit tcp any object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq domain
access-list dmz_access_in remark Elan-Multipoint - production host authorization
access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Prod_Auth host 10.1.5.9 object-group non-well-known_tcp
access-list dmz_access_in remark Netlend - respond to secure request
access-list dmz_access_in extended permit tcp host 63.171.86.196 eq https any object-group non-well-known_tcp
access-list dmz_access_in remark Netlend - respond to insecure request
access-list dmz_access_in extended permit tcp host 63.171.86.196 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in remark Internet Banking - eStatement traffic
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.2 eq www
access-list dmz_access_in remark Internet Banking - authorization traffic to Primary DB
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.5 object-group non-well-known_tcp
access-list dmz_access_in remark Elan-Multipoint - test host authorization
access-list dmz_access_in extended permit tcp 206.208.79.0 255.255.255.0 object-group ATM_Test_Auth host 10.1.5.9 object-group non-well-known_tcp
access-list dmz_access_in remark DMZ - Ping to outside
access-list dmz_access_in extended permit icmp 63.171.86.192 255.255.255.224 any
access-list dmz_access_in remark Barracuda - forward email to Exchange
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group DM_INLINE_TCP_2 host 10.1.5.55 eq smtp
access-list dmz_access_in remark Barracuda - ldap lookups to domain controllers
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap
access-list dmz_access_in remark Barracuda - Let http request out
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq www
access-list dmz_access_in remark Barracuda - SSH response out diagnostics request
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq ssh
access-list dmz_access_in remark Barracuda - respond to smtp  in
access-list dmz_access_in extended permit tcp host 63.171.86.194 eq smtp any object-group non-well-known_tcp
access-list dmz_access_in remark Barracuda - let smtp request out to Exchange or other
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp any eq smtp
access-list dmz_access_in remark Barracuda - let NTP request out
access-list dmz_access_in extended permit udp host 63.171.86.194 eq ntp any eq ntp
access-list dmz_access_in remark DMZ - udp dns to internal dns servers
access-list dmz_access_in extended permit udp any object-group Above_well-known_UDP 10.1.5.0 255.255.255.0 eq domain
access-list dmz_access_in remark Barracuda - Let P8000 response into inside client
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list dmz_access_in remark Barracuda - ftp control port to back itself up to core ftp server
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp
access-list dmz_access_in remark Barracuda - ftp data port to back itself up to Core server
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ftp-data
access-list dmz_access_in extended permit tcp host 63.171.86.197 object-group non-well-known_tcp any eq www
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp host 10.1.5.58 object-group vseaup
access-list dmz_access_in remark Internet Banking - image retrieval for ISChecks
access-list dmz_access_in extended permit tcp 10.199.8.0 255.255.255.0 object-group non-well-known_tcp host 10.1.5.31 eq www
access-list dmz_access_in remark Netlend-Velocity Communication
access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp host 10.1.5.27 eq www
access-list dmz_access_in remark secure request dmz to inside
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq https
access-list dmz_access_in remark for Mcafee Agent
access-list dmz_access_in extended permit tcp 63.171.86.192 255.255.255.224 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 object-group Port_8443
access-list dmz_access_in remark snmp for SIM
access-list dmz_access_in extended permit udp host 63.171.86.196 host 10.1.5.52 eq snmp
access-list dmz_access_in remark HPSIM
access-list dmz_access_in extended permit tcp host 63.171.86.196 host 10.1.5.52 object-group compaq-https
access-list dmz_access_in extended permit tcp host 63.171.86.196 object-group non-well-known_tcp 10.1.5.0 255.255.255.0 eq ldap
access-list dmz_access_in extended permit tcp host 63.171.86.194 object-group non-well-known_tcp host 64.235.144.107 eq https
access-list outside_access_in remark Barracuda - receive ssh request for diagnostics
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.144 eq ssh
access-list outside_access_in remark IAS_Credit receive bi-https for credit check
access-list outside_access_in extended permit tcp host 70.251.39.12 eq https host 63.171.86.141 eq https
access-list outside_access_in remark IAS_Credit receive for credit check
access-list outside_access_in extended permit tcp host 204.181.116.29 eq https host 63.171.86.141 eq https
access-list outside_access_in remark Barracuda - Let smtp request in
access-list outside_access_in extended permit tcp any object-group DM_INLINE_TCP_1 host 63.171.86.144 eq smtp
access-list outside_access_in remark Barracuda - let in smtp response to send email out
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.144 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - Let secure request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq https
access-list outside_access_in remark Netlend - let insecure request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 eq www
access-list outside_access_in remark NAT dyamic client - let icmp response in
access-list outside_access_in extended permit icmp any host 63.171.86.133
access-list outside_access_in remark Exchange - Let https request in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 eq https
access-list outside_access_in remark IAS_Credit receive for credit check
access-list outside_access_in extended permit tcp host 67.133.186.12 eq https host 63.171.86.141 eq https
access-list outside_access_in remark DMZ - let icmp in
access-list outside_access_in extended permit icmp any 63.171.86.192 255.255.255.224
access-list outside_access_in remark NAT dynamic client - Let http response in
access-list outside_access_in extended permit tcp any eq www host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let https response in
access-list outside_access_in extended permit tcp any eq https host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - Let Proxy tcp in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.146 object-group Port_1505-Proxy-TCP
access-list outside_access_in remark Netlend - let Proxy udp in
access-list outside_access_in extended permit udp any object-group Above_well-known_UDP host 63.171.86.146 object-group Port_1505-Proxy
access-list outside_access_in remark Elan - Sftp control response for reports (in to SYSAPPS4)
access-list outside_access_in extended permit tcp any object-group Elan_High_Sftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let dns lookup replies in
access-list outside_access_in extended permit tcp any eq domain host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let nntp replies in
access-list outside_access_in extended permit tcp any eq nntp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark NAT Dynamic client - Let smtp reply in
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Elan - Let Multiport response into dynamic NAT client (sysapps4 for Elan reports)
access-list outside_access_in extended permit tcp any object-group Elan_multi-port_allow-mcm host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - let Blackberry traffic in
access-list outside_access_in extended permit tcp host 206.51.26.33 object-group non-well-known_tcp host 63.171.86.147 object-group RIM_P3101
access-list outside_access_in remark NAT dynamic client - let FTP response in
access-list outside_access_in extended permit tcp any eq ftp-data host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - let secure browse response in
access-list outside_access_in extended permit tcp any eq https host 63.171.86.146 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - let smtp response in
access-list outside_access_in extended permit tcp any eq smtp host 63.171.86.147 object-group non-well-known_tcp
access-list outside_access_in remark Netlend - let in response to http browse
access-list outside_access_in extended permit tcp any eq www host 63.171.86.146 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - ICMP
access-list outside_access_in extended permit icmp any host 63.171.86.147
access-list outside_access_in remark Netlend - ICMP
access-list outside_access_in extended permit icmp any host 63.171.86.146
access-list outside_access_in remark Barracuda - let NTP response in
access-list outside_access_in extended permit udp any eq ntp host 63.171.86.144 object-group Above_well-known_UDP
access-list outside_access_in remark Netlend - Let http response in (stateful?)
access-list outside_access_in extended permit tcp any eq www host 63.171.86.144 object-group non-well-known_tcp inactive
access-list outside_access_in remark Exchange - Let Blackberry traffic in
access-list outside_access_in extended permit tcp host 204.187.87.33 object-group RIM_P3101 host 63.171.86.147 object-group non-well-known_tcp
access-list outside_access_in remark Barracuda - response to User Access (Stateful?)
access-list outside_access_in extended permit tcp host 63.171.86.194 object-group TCP8000 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list outside_access_in remark Exchange - TEST to listen on smtp
access-list outside_access_in extended permit tcp any host 63.171.86.147 eq smtp inactive
access-list outside_access_in extended permit ip host 63.171.86.144 host 63.171.86.194 inactive
access-list outside_access_in remark Barracuda - let response to http request - for updates
access-list outside_access_in extended permit tcp any eq www host 63.171.86.144
access-list outside_access_in remark uMonitor Test VPN
access-list outside_access_in extended permit ip host 10.100.102.2 host 10.1.5.8
access-list outside_access_in remark uMonitor Test VPN
access-list outside_access_in extended permit icmp host 64.129.221.66 any
access-list outside_access_in remark uMonitor Prod1 VPN
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 host 10.1.5.8
access-list outside_access_in remark U-Monitor production1
access-list outside_access_in extended permit icmp host 64.209.230.234 any
access-list outside_access_in remark uMonitor Prod2
access-list outside_access_in extended permit icmp host 209.235.27.44 any
access-list outside_access_in remark uMonitor Prod2 VPN
access-list outside_access_in extended permit ip 192.168.12.0 255.255.255.0 host 10.1.5.8
access-list outside_access_in remark Exchange - Let secure POP3 in
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.147 object-group s-POP3
access-list outside_access_in remark NAT Dynamic client - let ssh-sftp reply in (set up for Elan)
access-list outside_access_in extended permit tcp host 170.135.128.149 object-group ssh-sftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark for Proxy Host on extranet
access-list outside_access_in extended permit tcp 63.171.86.128 255.255.255.224 object-group Port_1505-Proxy-TCP 10.1.0.0 255.255.0.0 object-group non-well-known_tcp
access-list outside_access_in remark http response in
access-list outside_access_in extended permit tcp any eq www host 63.171.86.197 object-group non-well-known_tcp
access-list outside_access_in remark Let in Elan ssh-sftp response to Appworx file xfr request
access-list outside_access_in extended permit tcp object-group ElanSftp object-group Elansftp host 63.171.86.133 object-group non-well-known_tcp
access-list outside_access_in remark Verafin Test Vpn
access-list outside_access_in extended permit ip host 166.123.218.113 host 10.1.5.19
access-list outside_access_in remark Verafin VPN DR
access-list outside_access_in extended permit ip host 164.95.95.112 host 10.1.5.19
access-list outside_access_in remark Verafin VPN Prod
access-list outside_access_in extended permit ip host 166.123.218.112 host 10.1.5.19
access-list outside_access_in remark USBank ssh transfers
access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh host 63.171.86.148 object-group non-well-known_tcp
access-list outside_access_in extended permit tcp 170.135.128.0 255.255.255.0 eq ssh 10.1.11.0 255.255.255.0 object-group non-well-known_tcp
access-list outside_access_in remark HP Sim server from HP Remote Support Servers
access-list outside_access_in extended permit tcp object-group HPRSS host 10.1.5.52 eq https
access-list outside_access_in remark Let UDT poll external switch
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 63.171.86.128 255.255.255.224 host 10.1.5.50
access-list outside_access_in remark Use Calyx server from outside
access-list outside_access_in extended permit tcp any host 63.171.86.149 eq https
access-list outside_access_in remark ssh diagnostic support for Barracudas
access-list outside_access_in extended permit tcp any object-group non-well-known_tcp host 63.171.86.133 eq ssh
access-list inside_nat0_outbound remark UMonitor VPN remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.100.102.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 63.171.86.192 255.255.255.224
access-list inside_nat0_outbound remark eCB remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 10.199.8.0 255.255.255.0
access-list inside_nat0_outbound remark Elan remote network
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 206.208.79.0 255.255.255.0
access-list inside_nat0_outbound remark U-Monitor production
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound remark uMonitor Prod2 VPN
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group All-inside-networks 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound remark NAT exemption for FinCen DR VPN
access-list inside_nat0_outbound extended permit ip host 10.1.5.19 host 164.95.95.112
access-list inside_nat0_outbound extended permit ip any 10.200.200.0 255.255.255.0
access-list inside_nat0_outbound remark traffic to FinCen Prod, Test VPN
access-list inside_nat0_outbound extended permit ip host 10.1.5.19 166.123.218.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 10.1.5.50 63.171.86.128 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.7.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list capout extended permit tcp any host 63.171.86.144 eq smtp
access-list capout extended permit tcp host 63.171.86.144 eq smtp any
access-list capout extended permit tcp any host 63.171.86.147 eq smtp
access-list capout extended permit tcp host 63.171.86.147 eq smtp any
access-list capdmz extended permit tcp any host 63.171.86.194 eq smtp
access-list capdmz extended permit tcp host 63.171.86.194 eq smtp any
access-list capin extended permit tcp any host 10.1.5.55 eq smtp
access-list capin extended permit tcp host 10.1.5.55 eq smtp any
access-list inside_nat_static extended permit tcp host 10.1.5.55 eq smtp any
access-list inside_nat_static_1 extended permit tcp host 10.1.5.55 eq smtp any
access-list policy_nat_mail2 extended permit ip host 10.1.5.55 any
access-list inside_access_in extended permit ip object-group INSIDE_NETWORKS any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 any inactive
access-list inside_access_in extended permit ip host 170.186.240.100 any
access-list inside_access_in extended permit udp host 10.1.10.127 host 10.1.5.54 inactive
access-list inside_access_in extended permit udp host 10.1.5.54 host 10.1.10.127 inactive
access-list outside_cryptomap extended permit ip host 10.1.5.8 192.168.0.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip host 10.1.5.8 192.168.12.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip host 10.1.5.19 host 166.123.2.110
access-list outside_cryptomap_3 extended permit ip host 10.1.5.19 host 166.123.2.126
access-list cap extended permit ip host 10.1.5.8 host 192.168.12.42
access-list inside_nat0_outbound_1 remark Exempt any traffic to new Chamblee
access-list inside_nat0_outbound_1 extended permit ip any 10.3.0.0 255.255.0.0
access-list inside_nat0_outbound_1 extended permit ip 170.186.240.0 255.255.255.0 any
access-list inside_nat0_outbound_1 extended permit ip 10.1.0.0 255.255.0.0 170.186.240.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.1.0.0 255.255.0.0 170.209.0.0 255.255.255.0
access-list inside_nat0_outbound_1 remark NAT exempt traffic to branches
access-list inside_nat0_outbound_1 extended permit ip object-group All-inside-networks object-group branch-networks
access-list outside_cryptomap_4 extended permit ip host 10.1.5.19 host 166.123.218.112
access-list outside_cryptomap_5 extended permit ip host 10.1.5.8 host 10.100.102.2
access-list outside_cryptomap_7 extended permit ip host 10.1.5.19 host 164.95.95.112
access-list outside_cryptomap_6 extended permit ip host 10.1.5.19 host 166.123.218.113
access-list split-tunnel standard permit 10.1.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1000000
logging trap errors
logging asdm informational
logging from-address ASA5510@cdcfcu.com
logging recipient-address mcmurphy@cdcfcu.com level critical
logging host inside 10.1.10.121
logging ftp-server 10.1.5.54 syslogs barracuda ****
logging class vpn buffered debugging
logging message 713120 level errors
logging message 722022 level errors
logging message 722023 level errors
logging message 713050 level errors
logging message 302013 level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool remusers2 10.200.200.10-10.200.200.20 mask 255.255.0.0
ip local pool spltusers 10.210.210.10-10.210.210.20 mask 255.255.0.0
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 access-list inside_pnat_outbound
static (outside,inside) tcp 170.135.128.149 ssh 170.135.128.149 20022 netmask 255.255.255.255
static (outside,inside) tcp 170.135.216.250 ssh 170.135.216.250 20022 netmask 255.255.255.255
static (dmz,outside) 63.171.86.144 63.171.86.194 netmask 255.255.255.255 dns
static (inside,outside) 63.171.86.147 10.1.5.55 netmask 255.255.255.255 dns
static (dmz,outside) 63.171.86.146 63.171.86.196 netmask 255.255.255.255 dns norandomseq
static (inside,outside) 63.171.86.149 10.1.5.36 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 63.171.86.129 1
route inside 10.7.0.0 255.255.0.0 10.1.8.20 1
route outside 10.100.102.2 255.255.255.255 63.171.86.129 1
route dmz 10.199.8.0 255.255.255.0 63.171.86.203 1
route outside 64.209.230.234 255.255.255.255 63.171.86.129 1
route outside 66.194.237.176 255.255.255.255 63.171.86.129 1
route outside 166.123.2.110 255.255.255.255 63.171.86.129 1
route outside 166.123.2.126 255.255.255.255 63.171.86.129 1
route outside 166.123.2.142 255.255.255.255 63.171.86.129 1
route outside 166.123.208.198 255.255.255.255 63.171.86.129 1
route outside 166.123.216.112 255.255.255.255 63.171.86.129 1
route inside 170.186.240.0 255.255.255.0 10.1.8.6 1
route inside 170.209.0.2 255.255.255.255 10.1.8.13 1
route inside 170.209.0.3 255.255.255.255 10.1.8.13 1
route inside 172.19.102.190 255.255.255.255 10.1.8.6 1
route outside 192.168.0.0 255.255.255.0 63.171.86.129 1
route outside 192.168.12.0 255.255.255.0 63.171.86.129 1
route inside 192.168.29.0 255.255.255.0 10.1.8.6 1
route inside 192.168.93.26 255.255.255.255 10.1.8.12 1
route inside 199.186.96.0 255.255.255.0 10.1.8.16 1
route inside 199.186.97.0 255.255.255.0 10.1.8.16 1
route inside 199.186.98.0 255.255.255.0 10.1.8.16 1
route outside 199.196.144.143 255.255.255.255 63.171.86.129 1
route outside 199.196.144.144 255.255.255.255 63.171.86.129 1
route dmz 206.208.79.0 255.255.255.0 63.171.86.202 1
route outside 209.235.27.44 255.255.255.255 63.171.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
ldap attribute-map CISCOMAP
  map-name  msNPAllowDialin IETF-Radius-Class
  map-value msNPAllowDialin FALSE NOACCESS
  map-value msNPAllowDialin TRUE ALLOWACCESS
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.1.5.1
ldap-base-dn dc=cdcfcunet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=users,dc=cdcfcunet,dc=local
server-type microsoft
ldap-attribute-map CISCOMAP
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 10.1.5.52 community hpsim
snmp-server host inside 10.1.5.50 community swudt version 2c
snmp-server location Northlake
snmp-server contact Mike Murphy
snmp-server community swudt
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 64.209.230.234
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 209.235.27.44
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 199.196.144.144
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 199.196.144.143
crypto map outside_map 4 set transform-set ESP-AES-256-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 166.123.208.198
crypto map outside_map 5 set transform-set ESP-AES-256-SHA
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside_map 5 set security-association lifetime kilobytes 4608000
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set peer 64.129.221.66
crypto map outside_map 6 set transform-set ESP-3DES-MD5
crypto map outside_map 6 set security-association lifetime seconds 28800
crypto map outside_map 6 set security-association lifetime kilobytes 4608000
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 166.123.208.198
crypto map outside_map 7 set transform-set ESP-AES-256-SHA
crypto map outside_map 7 set security-association lifetime seconds 28800
crypto map outside_map 7 set security-association lifetime kilobytes 4608000
crypto map outside_map 8 match address outside_cryptomap_7
crypto map outside_map 8 set pfs
crypto map outside_map 8 set peer 164.95.95.4
crypto map outside_map 8 set transform-set ESP-AES-256-SHA
crypto map outside_map 8 set security-association lifetime seconds 28800
crypto map outside_map 8 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.192.1.193 source outside
ntp server 128.192.1.9 source outside
tftp-server inside 10.1.10.120 /asa5510
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy fcusers internal
group-policy fcusers attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
address-pools value remusers2
group-policy stusers internal
group-policy stusers attributes
vpn-tunnel-protocol l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc
group-policy ALLOWACCESS internal
group-policy ALLOWACCESS attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
address-pools value remusers2
username mmurphy password G3c44QeLNGYkvwxa encrypted privilege 0
username mmurphy attributes
vpn-group-policy fcusers
username askeen nopassword privilege 0
username askeen attributes
vpn-group-policy fcusers
service-type remote-access
username velocity nopassword
username velocity attributes
vpn-group-policy fcusers
service-type remote-access
username special password fnYplaKWrx7ywBKR encrypted privilege 15
username dphilpot nopassword privilege 0
username dphilpot attributes
vpn-group-policy fcusers
service-type remote-access
username bjames password c9WvTlQzhs/8jgpt encrypted privilege 0
username bjames attributes
vpn-group-policy fcusers
username cisco password 3USUcOPFUiMCO4Jk encrypted
username jvaughn password /KdVynqfFx/TfX0m encrypted privilege 0
username jvaughn attributes
vpn-group-policy fcusers
service-type remote-access
tunnel-group fcusers type remote-access
tunnel-group fcusers general-attributes
address-pool (inside) remusers2
address-pool remusers2
authentication-server-group LDAP_SRV_GRP
default-group-policy fcusers
tunnel-group fcusers webvpn-attributes
group-alias cdcusers enable
tunnel-group fcusers ipsec-attributes
pre-shared-key *
tunnel-group 64.209.230.234 type ipsec-l2l
tunnel-group 64.209.230.234 ipsec-attributes
pre-shared-key *
tunnel-group 209.235.27.44 type ipsec-l2l
tunnel-group 209.235.27.44 ipsec-attributes
pre-shared-key *
tunnel-group 199.196.144.143 type ipsec-l2l
tunnel-group 199.196.144.143 ipsec-attributes
pre-shared-key *
tunnel-group 199.196.144.144 type ipsec-l2l
tunnel-group 199.196.144.144 ipsec-attributes
pre-shared-key *
tunnel-group 166.123.208.198 type ipsec-l2l
tunnel-group 166.123.208.198 ipsec-attributes
pre-shared-key *
tunnel-group 64.129.221.66 type ipsec-l2l
tunnel-group 64.129.221.66 ipsec-attributes
pre-shared-key *
tunnel-group 164.95.95.4 type ipsec-l2l
tunnel-group 164.95.95.4 ipsec-attributes
pre-shared-key *
tunnel-group Fincen-Test type ipsec-l2l
tunnel-group Fincen-Test general-attributes
tunnel-group Fincen-Test ipsec-attributes
pre-shared-key *
tunnel-group stusers type remote-access
tunnel-group stusers general-attributes
address-pool remusers2
authentication-server-group LDAP_SRV_GRP
default-group-policy stusers
tunnel-group stusers webvpn-attributes
group-alias 2wayusers enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect dns
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
!
service-policy global_policy global
smtp-server 10.1.5.55
prompt hostname context
Cryptochecksum:c26fd13eb40be4436a08b5bcc977aa2f
: end
asdm image disk0:/asdm-615.bin
asdm location 63.171.86.200 255.255.255.255 dmz
asdm location 10.1.5.5 255.255.255.255 inside
asdm location 10.1.5.2 255.255.255.255 inside
asdm location 10.1.5.9 255.255.255.255 inside
asdm location 63.171.86.133 255.255.255.255 inside
asdm location 63.171.86.197 255.255.255.255 dmz
asdm location 10.199.8.0 255.255.255.0 dmz
asdm location 206.208.79.0 255.255.255.0 dmz
asdm location 63.171.86.135 255.255.255.255 inside
asdm location 63.171.86.200 255.255.255.255 inside
asdm location 63.171.86.141 255.255.255.255 inside
asdm location 63.171.86.142 255.255.255.255 inside
asdm location 10.1.10.0 255.255.255.0 inside
asdm location 10.1.5.8 255.255.255.255 inside
asdm location 10.200.200.0 255.255.255.0 inside
asdm location 170.135.72.77 255.255.255.255 inside
asdm location 170.135.72.80 255.255.255.255 inside
asdm location 170.135.216.250 255.255.255.255 inside
asdm location 209.235.27.44 255.255.255.255 inside
asdm location 10.1.5.58 255.255.255.255 inside
asdm location 199.196.144.143 255.255.255.255 inside
asdm location 10.1.11.0 255.255.255.0 inside
asdm location 170.135.128.0 255.255.255.0 inside
asdm location 10.3.0.0 255.255.0.0 inside
asdm location 10.2.0.0 255.255.0.0 inside
asdm location 10.1.32.0 255.255.255.0 inside
asdm location 10.1.128.0 255.255.255.0 inside
asdm location 10.1.192.0 255.255.255.0 inside
asdm location 10.1.5.27 255.255.255.255 inside
asdm location 63.171.86.196 255.255.255.255 inside
asdm location 10.1.5.50 255.255.255.255 inside
asdm location 10.1.5.36 255.255.255.255 inside
asdm location 63.171.86.149 255.255.255.255 inside
asdm location 10.7.0.0 255.255.0.0 inside
asdm location 10.1.5.54 255.255.255.255 inside
asdm location 10.1.10.127 255.255.255.255 inside
no asdm history enable

Julio Carvaja Thu, 12/29/2011 - 12:30

Hello Mcmurphy,

So let's do the capture on the same interface:

access-list test permit udp host test_host host DNS_server
access-list test permit udp host DNS_server host test_host
capture capin access-list test interface inside

Then go to a host on the inside and, in a browser, open:

https://10.1.1.2/capture/capin/pcap

Let's see what the capture shows us.

Regards,

mcmurphytoo Fri, 12/30/2011 - 08:42

Curiouser and curiouser.  I no longer see the DNS packet inspection error I started with, but I still do not get DNS lookups working.  I re-enabled DNS inspection, since disabling it did not seem to change the problem:

class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512

Here's the sequence when I try lookups from my test PC at 10.7.1.10:

Sniffer on test PC shows dns requests going to 10.1.5.1 and 10.1.5.54 (I have 2 dns servers)

Sniffer on dns server 10.1.5.54 show it receives DNS query, sends DNS response

Real-Time Log Viewer on ASA shows a recurring sequence of:

  Built inbound UDP connection for inside 'dns-server' to inside 'test PC'

  Teardown UDP connection for inside 'dns-server' to inside 'test PC' duration 0:00:00 bytes 0

I ran the Capture, it showed:

Is this sequence a problem?  10.7.1.10 sends packet destination 10.1.5.54.  In the switch VLAN the packet routes to the 10.1 network, where the destination 10.1.5.54 is local.  So the packet 10.7.1.10 sends does not touch the ASA 10.1.1.2, but goes directly to 10.1.5.54.  10.1.5.54 replies with a packet with destination 10.7.1.10 on another network, so it has to route the packet through the ASA 10.1.1.2.  The ASA has a static route 10.7.0.0 255.255.0.0 10.1.8.20, the ASA builds the connection 10.1.5.54 to 10.7.1.10, but tears it down right away for some reason and drops the packet.
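The asymmetric path described in the post above, as an added example that is not part of the thread and not ASA code: a small Python model of a stateful firewall with DNS inspection, using the thread's addresses (test PC 10.7.1.10, DNS server 10.1.5.54, firewall 10.1.1.2) and the hairpin address 10.1.5.33 that the reply further down proposes. The firewall class, the topology function and the hairpin mapping are all modeling assumptions, not the ASA's real processing; the model leaves out the source PAT (`global (inside)`) and only shows why a reply with no matching query is dropped, and why forcing the query through the firewall fixes it.

```python
"""Toy model of why a stateful firewall drops DNS replies on an asymmetric path.

Added example, not part of the thread and not ASA code. It models two things
the thread discusses: stateful UDP connection tracking and DNS inspection
matching responses to previously seen queries. Addresses follow the poster's
description: test PC 10.7.1.10 behind a routing switch (VLAN gateway), DNS
server 10.1.5.54 on 10.1.0.0/16 with the firewall 10.1.1.2 as default gateway.
The hairpin address 10.1.5.33 is the one suggested in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.1.0.0/16")   # directly connected to switch and firewall
VLAN_NET = ip_network("10.7.0.0/16")     # test PC segment behind the switch


@dataclass(frozen=True)
class DnsPacket:
    src: str
    dst: str
    sport: int
    dport: int
    txid: int           # DNS transaction ID carried in the UDP payload
    is_response: bool


class StatefulDnsFirewall:
    """Forwards UDP/53 and only passes responses that match a seen query.

    `hairpin` maps a firewall-owned address to the real server, standing in for
    the static (inside,inside) NAT in the thread (assumption: modeled only as a
    rewrite of the destination address).
    """

    def __init__(self, hairpin=None):
        self.hairpin = hairpin or {}
        self.pending = set()      # (client, sport, real_server, txid)
        self.events = []

    def forward(self, pkt):
        """Return the packet to deliver onward, or None if dropped."""
        if not pkt.is_response:
            real_dst = self.hairpin.get(pkt.dst, pkt.dst)
            self.pending.add((pkt.src, pkt.sport, real_dst, pkt.txid))
            self.events.append(f"built UDP conn {pkt.src}:{pkt.sport} -> {real_dst}:{pkt.dport}")
            return DnsPacket(pkt.src, real_dst, pkt.sport, pkt.dport, pkt.txid, False)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.txid)
        if key in self.pending:
            self.pending.discard(key)
            self.events.append(f"response txid={pkt.txid:#x} matched query, forwarded")
            return pkt
        self.events.append(f"dropped: response txid={pkt.txid:#x} has no matching query")
        return None


def path_crosses_firewall(src, dst, firewall_owned):
    """Model of the thread's topology: does a packet from src to dst hit the firewall?"""
    s, d = ip_address(src), ip_address(dst)
    if d in firewall_owned:                # firewall proxy-ARPs for the hairpin address
        return True
    if s in VLAN_NET and d in INSIDE_NET:  # switch has 10.1.0.0/16 connected: delivers directly
        return False
    if s in INSIDE_NET and d not in INSIDE_NET:  # server's default gateway is the firewall
        return True
    return False


def dns_lookup(fw, client, dns_target, txid=0x1a2b):
    """Simulate one query/response pair; return True if the client gets an answer."""
    owned = {ip_address(a) for a in fw.hairpin}
    query = DnsPacket(client, dns_target, 50000, 53, txid, False)
    if path_crosses_firewall(client, dns_target, owned):
        query = fw.forward(query)
        if query is None:
            return False
    # The (real) server answers; its reply to an off-subnet client goes via its gateway.
    response = DnsPacket(query.dst, client, 53, 50000, txid, True)
    if path_crosses_firewall(response.src, response.dst, owned):
        response = fw.forward(response)
    return response is not None


def asymmetric_case():
    """Query bypasses the firewall, reply goes through it: reply has no matching flow."""
    fw = StatefulDnsFirewall()
    return dns_lookup(fw, "10.7.1.10", "10.1.5.54"), fw.events


def hairpin_case():
    """Client queries the firewall-owned 10.1.5.33, so both directions cross the firewall."""
    fw = StatefulDnsFirewall(hairpin={"10.1.5.33": "10.1.5.54"})
    return dns_lookup(fw, "10.7.1.10", "10.1.5.33"), fw.events


if __name__ == "__main__":
    for name, run in (("asymmetric", asymmetric_case), ("hairpin", hairpin_case)):
        ok, events = run()
        print(f"{name}: answer received={ok}")
        for e in events:
            print("  ", e)
```

Running it, the asymmetric case logs a single dropped response, which is the same shape as the "Built ... Teardown ... bytes 0" pair in the log viewer: the reply is the first packet the firewall sees for that flow. The hairpin case logs a built connection followed by a matched response, because the query itself now passes the firewall.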

Julio Carvaja Fri, 12/30/2011 - 11:26

Hello,

Asymmetric routing seems to be the problem; the ASA might be dropping the packets as it is not waiting for a DNS reply.

Here is what I thought.

Test-pc------R1-----------Switch-------ASA
                                     !
                                     !
                                 Dns server

DNS server default gateway is ASA.

1- So the test-pc UDP packet will go to its default gateway R1, which will see the destination IP address, know it is directly connected, and send it to the DNS server without going to the ASA....

2- The DNS server will reply to its default gateway, which is the ASA. The ASA will receive the DNS reply and say "Wait a minute, I do not have an entry for this reply in my existing connections", so it will drop it.

How can we change this:

I did a lab recreation and I think this is the real solution (the work-around, not a real solution, would be to make the DNS server's default gateway R1).

We need to let R1 know that in order to get to the DNS server it needs to send the packet to the ASA interface.

For that I need you to give me an IP address you are not using on that segment (the inside network connected to the DNS server). Let's say you gave me 10.1.5.33.

1- static (inside,inside) 10.1.5.33 10.1.5.54

The ASA will let R1 know it has 10.1.5.33. You will also need to change the DNS IP address on the test PC to 10.1.5.33.

You also need a global for the packets coming from the inside because, as you know, all the packets getting to an ASA with nat-control enabled need a global to match.

2- global (inside) 1 interface

Here is the packet tracer output on my lab recreation (Test pc is 192.168.20.2, Server DNS 192.168.15.2 natted to 192.168.2.44):

# packet-tracer input inside udp 192.168.20.2 1025 192.168.15.

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255
  match ip inside host 192.168.15.2 inside any
    static translation to 192.168.15.44
    translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.15.44/0 to 192.168.15.2/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (192.168.15.1 [Interface PAT])
    translate_hits = 13, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.20.2/1025 to 192.168.15.1/54941 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (192.168.15.1 [Interface PAT])
    translate_hits = 13, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255
  match ip inside host 192.168.15.2 inside any
    static translation to 192.168.15.44
    translate_hits = 0, untranslate_hits = 2
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255
  match ip inside host 192.168.15.2 inside any
    static translation to 192.168.15.44
    translate_hits = 0, untranslate_hits = 2
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 20, packet dispatched to next module

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.15.2 using egress ifc inside
adjacency Active
next-hop mac address ca00.0e10.001c hits 2

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

pixfirewall(config)#  sh run glo
pixfirewall(config)#  sh run global
global (inside) 1 interface
global (outisde) 1 interface
pixfirewall(config)# packet-tracer input inside udp 192.168.20.2 1025 192.168.$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255
  match ip inside host 192.168.15.2 inside any
    static translation to 192.168.15.44
    translate_hits = 0, untranslate_hits = 3
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.15.44/0 to 192.168.15.2/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (192.168.15.1 [Interface PAT])
    translate_hits = 14, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.20.2/1025 to 192.168.15.1/1194 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (192.168.15.1 [Interface PAT])
    translate_hits = 14, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255
  match ip inside host 192.168.15.2 inside any
    static translation to 192.168.15.44
    translate_hits = 0, untranslate_hits = 3
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,inside) 192.168.15.44 192.168.15.2 netmask 255.255.255.255
  match ip inside host 192.168.15.2 inside any
    static translation to 192.168.15.44
    translate_hits = 0, untranslate_hits = 3
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 21, packet dispatched to next module

Phase: 11
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.15.2 using egress ifc inside
adjacency Active
next-hop mac address ca00.0e10.001c hits 3

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Hope this helps!!

Regards,

Julio

mcmurphytoo Wed, 01/04/2012 - 10:05

Sorry for the delay, the usual distractions from working things that break.  I'm trying to be sure I understand this before I put it in on a working ASA.  My config already has a "Global (outside) 1 interface", and all packets arriving on the inside are translated unless they meet one of the NAT exceptions.  Is the "Global (inside) 1 inside" you recommend also needed?  And does it not conflict, naming the same nat_id?

Julio Carvaja Wed, 01/04/2012 - 10:13

Hello,

It will not affect it, because the ASA only uses the global (inside) to contact inside IP addresses, not outside IP addresses (public ones).

Regards,

Julio

mcmurphytoo Wed, 01/04/2012 - 11:13

I see where I add a static route to the ASA:

1-Static (inside,inside) 10.1.5.33 10.1.5.54

This next I don't understand.  Am I to assign 10.1.5.33 to an interface?

The ASA will let R1 I have 10.1.5.33.

I get this - change the Test PC the DNS ip address to 10.1.5.33 from 10.1.5.54

And you explained the global, so it's OK

2- global (inside) 1 inside

Julio Carvaja Wed, 01/04/2012 - 11:32

Hello,

All we are doing is trying to avoid the asymmetric routing on this particular connection, to see if that solves our problem.

1-Static (inside,inside) 10.1.5.33 10.1.5.54

This next I don't understand.  Am I to assign 10.1.5.33 to an interface?

The ASA will let R1 I have 10.1.5.33.

What we are doing here is NATting the internal server 10.1.5.33 to x.x.x.x.54, so when a user behind the router wants to connect to the server they will need to go to the ASA first, instead of sending the packet directly to the server.

Do you understand?

Regards,

Julio

mcmurphytoo Wed, 01/04/2012 - 14:15

Yes.  I've spent my time with the ASDM, not enough with the command line; I'd confused static NAT and static route.  The NAT entry is in OK, but the global command gives me:

mcmurphytoo Thu, 01/05/2012 - 12:53

I used 10.1.5.90 as the mapped address

My Test PC has 10.1.5.90 as DNS Server.

I try to do a nslookup, it gets "Can't find server name for address 10.1.5.90"

I'm running Wireshark monitoring the switch port that is the network inside interface, 10.1.8.20

I see 20.1.8.20 sending an ARP request Who Has 10.1.5.90, and getting no response

That causes the Test PC to fail to find its DNS server 10.1.5.90

I know the ASA config includes "sysopt noproxyarp inside"

It looks like if proxyarp were not disabled then the ASA would be responding to the ARP with its MAC

Then the 10.1.8.20 would be sending the nslookup to the ASA, which would via NAT send it to the real DNS server 10.1.5.54

The Cisco command reference says that proxyarp by default is enabled, so I'm trying to remember at what point I disabled it.

I think it was at the same time as the "same-security-traffic permit intra-interface", but couldn't swear to it.
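The two posts above describe the mechanism behind the drop: the DNS query never passes the ASA while the reply does (asymmetric routing), so DNS inspection sees a response for which it holds no query; and once the server is hairpinned through a static (inside,inside) translation, the ASA must also answer ARP for the mapped address or the query never reaches it. The following toy model, added here as an example and not code from the thread or from Cisco, walks a query and its reply hop by hop through the posted topology and applies a simplified connection table, interface PAT and DNS inspection at the ASA. The routing tables, port numbers, transaction ID and every drop string other than inspect-dns-invalid-pak are assumptions; the addresses are the ones used in the thread.

```python
"""Toy model of the DNS drop discussed in this thread (added example, not
code from the original post).  A query and its reply are walked hop by hop
across the posted topology, and the ASA is modelled as a connection table
with DNS inspection: a response is accepted only when the ASA already saw
the matching query (same addresses and ports after un-NAT, same transaction
ID), and no message may exceed the 'message-length maximum 512' parameter
from the policy-map in the question.  Routing tables, ports and the
transaction ID are assumptions; the addresses come from the thread."""
import ipaddress
from dataclasses import dataclass, replace

ASA_IF = "10.1.1.2"       # ASA inside interface
DNS_REAL = "10.1.5.54"    # real DNS server
DNS_MAPPED = "10.1.5.90"  # mapped address for static (inside,inside)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    txid: int
    response: bool
    length: int = 64      # DNS message size in bytes


# Assumed routing tables: node -> [(prefix, next_hop)]; None = directly connected.
ROUTES = {
    "wkst":   [("10.7.0.0/16", None), ("0.0.0.0/0", "10.7.1.1")],
    "switch": [("10.7.0.0/16", None), ("10.1.0.0/16", None), ("0.0.0.0/0", ASA_IF)],
    "dns":    [("10.1.0.0/16", None), ("0.0.0.0/0", ASA_IF)],
    "asa":    [("10.1.0.0/16", None), ("10.7.0.0/16", "10.1.8.20")],  # the static route
}
# Which node answers ARP for an on-link address (the mapped address is added per scenario).
BASE_OWNER = {"10.7.1.10": "wkst", "10.7.1.1": "switch", "10.1.8.20": "switch",
              DNS_REAL: "dns", ASA_IF: "asa"}


def next_node(node, dst, owner):
    """Longest-prefix lookup; returns the next node, or None if nobody answers ARP."""
    ip = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), h) for p, h in ROUTES[node]]
    net, hop = max((c for c in candidates if ip in c[0]), key=lambda c: c[0].prefixlen)
    return owner.get(hop or dst)


class ASA:
    """Connection table, interface PAT, static (inside,inside) and DNS inspection."""

    def __init__(self, static=None, max_len=512):
        self.static = static or {}   # mapped -> real
        self.conns = {}              # (client, cport, server, sport) -> txid
        self.pat = {}                # PAT port -> (client, cport)
        self.max_len = max_len
        self.next_port = 1024

    def process(self, p):
        """Return (drop reason or None, packet to forward or None)."""
        if p.length > self.max_len:
            return "message-length maximum exceeded", None   # assumed label
        if not p.response:
            real_dst = self.static.get(p.dst, p.dst)          # un-NAT the server
            self.conns[(p.src, p.sport, real_dst, p.dport)] = p.txid
            self.pat[self.next_port] = (p.src, p.sport)        # PAT behind the interface
            out = replace(p, src=ASA_IF, sport=self.next_port, dst=real_dst)
            self.next_port += 1
            return None, out
        client, cport = p.dst, p.dport
        if p.dst == ASA_IF:                                    # reverse the PAT
            client, cport = self.pat.pop(p.dport, (client, cport))
        key = (client, cport, p.src, p.sport)
        if self.conns.get(key) != p.txid:                      # no query seen, or wrong ID
            return "inspect-dns-invalid-pak", None
        del self.conns[key]
        mapped = {r: m for m, r in self.static.items()}.get(p.src, p.src)
        return None, replace(p, src=mapped, dst=client, dport=cport)


def send(p, asa, owner):
    """Walk p hop by hop; returns (outcome, nodes visited, packet as last seen)."""
    node, trace = owner[p.src], []
    for _ in range(8):
        nxt = next_node(node, p.dst, owner)
        if nxt is None:
            return "no ARP reply for " + p.dst, trace, p
        trace.append(nxt)
        if nxt == "asa":
            reason, p = asa.process(p)
            if reason:
                return "dropped: " + reason, trace, None
        elif nxt == owner.get(p.dst):
            return "delivered", trace, p
        node = nxt
    return "routing loop", trace, p


def scenario(use_mapped, proxy_arp=True, reply_len=64):
    """Query then reply; returns the two outcomes and the nodes each traversed."""
    owner = dict(BASE_OWNER)
    if proxy_arp:
        owner[DNS_MAPPED] = "asa"
    asa = ASA(static={DNS_MAPPED: DNS_REAL})
    q = Pkt("10.7.1.10", DNS_MAPPED if use_mapped else DNS_REAL, 1025, 53, 0x1A2B, False)
    q_out, q_trace, q_seen = send(q, asa, owner)
    if q_out != "delivered":
        return q_out, q_trace, None, []
    r = Pkt(q_seen.dst, q_seen.src, q_seen.dport, q_seen.sport, q.txid, True, reply_len)
    r_out, r_trace, _ = send(r, asa, owner)
    return q_out, q_trace, r_out, r_trace


if __name__ == "__main__":
    print("original (asymmetric):", scenario(use_mapped=False))
    print("hairpin NAT fix:      ", scenario(use_mapped=True))
    print("fix without proxy ARP:", scenario(use_mapped=True, proxy_arp=False))
    print("oversized reply:      ", scenario(use_mapped=True, reply_len=600))
```

Running it prints four scenarios: the original asymmetric path (the query goes switch to server directly, the reply hits the ASA and is dropped as inspect-dns-invalid-pak), the hairpin NAT fix (both directions traverse the ASA), the same fix with proxy ARP disabled (the query dies at the switch's unanswered ARP for the mapped address, as observed in the post above), and an oversized reply rejected by the message-length parameter. The check worth taking from it is the trace lists: a stateful inspector can only accept a response when the query's path also passed through it, so comparing the two traces is the quickest way to spot this class of problem before reaching for packet-tracer.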

mcmurphytoo Tue, 01/17/2012 - 13:15

Long interruption, sorry.  I did enable proxyarp again.  Now I'm back to my 'inspect-dns-invalid-pak' errors.  I think at this point my plan is to be sure I have an inside router being my default gateway.  I'll let it do the inside work, and let my ASA focus on the DMZ, the Internet, and inside host communications with them.  I'm sure the ASA can do it all, but if I can simplify its configuration that will be easier for me to keep up with, and let it apply its resources where best utilized.

Julio Carvaja Tue, 01/17/2012 - 13:21

Hello,

That looks okay, let me know if there is something else I can do for you.

Julio

dedmundson Tue, 12/10/2013 - 06:41

After updating our Cisco ASA 5550 from 8.0 code to 9.0(3)8 code we had the same problem, and from this post fixed our problem.  Here are the changes that I made to our ASA.

I also had to add two rules for our public-facing DNS servers.

access-list DMZ1_access_in extended deny udp object HQDNS2 host 63.170.xxx.xxx eq domain

access-list DMZ1_access_in extended deny udp object DRDNS1 host 63.170.xxx.xxx eq domain

I hope this helps anyone else that runs into this problem.

This Discussion

Posted December 28, 2011 at 12:35 PM
Stats:
Replies:27 Avg. Rating:5
Views:6324 Votes:0
Shares:0