asa5512 V8.6 nat web-server can not access

Answered Question
Dec 13th, 2013

Hi all,

ASA5512 V8.6 NAT web server cannot be accessed.

My inside PC can access www.cisco.com, but an outside client cannot access my web server inside.

This is all my config; I do not know where the error is.

Thank you for your help.


ciscoasa#


ciscoasa# show run


ciscoasa# show running-config


: Saved


:


ASA Version 8.6(1)2


!


hostname ciscoasa


enable password 2KFQnbNIdI.2KYOU encrypted


passwd 2KFQnbNIdI.2KYOU encrypted


names


!


interface GigabitEthernet0/0


nameif outside


security-level 0


ip address X.X.X.1 255.255.255.240


!


interface GigabitEthernet0/1


shutdown


no nameif


no security-level


no ip address


!


interface GigabitEthernet0/2


shutdown


no nameif


no security-level


no ip address


!


interface GigabitEthernet0/3


description Link To 3560 G0/1


speed 1000


duplex full


nameif inside


security-level 100


ip address 192.168.1.13 255.255.255.0


!


interface GigabitEthernet0/4


shutdown


no nameif


no security-level


no ip address


!


interface GigabitEthernet0/5


shutdown


no nameif


no security-level


no ip address


!


interface Management0/0


nameif management


security-level 100


ip address 192.168.100.1 255.255.255.0


!


!


time-range k3used


absolute start 08:00 01 January 2008


periodic daily 0:00 to 23:59


periodic daily 9:00 to 18:00


!


ftp mode passive


clock timezone BeiJing 8


object network obj-192.168.1.0


subnet 192.168.1.0 255.255.255.0


object network obj-192.168.200.0


subnet 192.168.200.0 255.255.255.0


object network obj-192.168.1.2


host 192.168.1.2


object network obj-192.168.1.2-01


host 192.168.1.2


object network obj-192.168.1.19


host 192.168.1.19


object network obj-192.168.1.20


host 192.168.1.20


object network obj-192.168.1.88


host 192.168.1.88


object network obj-192.168.1.1


host 192.168.1.1


object network obj-192.168.1.2-02


host 192.168.1.2


object network obj-192.168.1.6


host 192.168.1.6


object network obj-X.X.X.3


host X.X.X.3


object service obj-tcp-source-eq-25


service tcp source eq smtp


object service obj-tcp-source-eq-110


service tcp source eq pop3


object network obj-X.X.X.10


host X.X.X.10


object service obj-tcp-source-eq-8086


service tcp source eq 8086


object service obj-tcp-source-eq-80


service tcp source eq www


object network obj-192.168.1.1-01


host 192.168.1.1


object service obj-tcp-source-eq-3389


service tcp source eq 3389


object service obj-tcp-source-eq-9877


service tcp source eq 9877


object service obj-tcp-source-eq-21


service tcp source eq ftp


object service obj-tcp-source-eq-20


service tcp source eq ftp-data


object network obj-192.168.2.88


host 192.168.2.88


object network obj-192.168.2.88-01


host 192.168.2.88


object network obj-192.168.2.88-02


host 192.168.2.88


object network obj-192.168.1.19-01


host 192.168.1.19


object network obj-192.168.2.2


host 192.168.2.2


object network obj-192.168.2.2-01


host 192.168.2.2


object network obj-192.168.2.2-02


host 192.168.2.2


object network obj-192.168.3.2


host 192.168.3.2


object network obj-192.168.3.2-01


host 192.168.3.2


object network obj-192.168.3.2-02


host 192.168.3.2


object network obj-X.X.X.9


host X.X.X.9


object service obj-tcp-source-eq-8087


service tcp source eq 8087


object network obj-192.168.1.200


host 192.168.1.200


object network obj-192.168.1.200-01


host 192.168.1.200


object network obj-192.168.1.30


host 192.168.1.30


object network obj-192.168.1.30-01


host 192.168.1.30


object network obj-192.168.1.1-02


host 192.168.1.1


object network obj-X.X.X.6


host X.X.X.6


object service obj-tcp-source-eq-8088


service tcp source eq 8088


object network obj-192.168.3.5


host 192.168.3.5


object network obj-192.168.3.5-01


host 192.168.3.5


object network obj-192.168.3.5-02


host 192.168.3.5


object network obj-192.168.3.5-03


host 192.168.3.5


object network obj-192.168.3.5-04


host 192.168.3.5


object network obj-192.168.2.0


subnet 192.168.2.0 255.255.255.0


object network obj-192.168.3.0


subnet 192.168.3.0 255.255.255.0


object network obj-192.168.4.0


subnet 192.168.4.0 255.255.255.0


object network obj-192.168.5.0


subnet 192.168.5.0 255.255.255.0


object network obj-192.168.6.0


subnet 192.168.6.0 255.255.255.0


object network obj-192.168.7.0


subnet 192.168.7.0 255.255.255.0


object network obj-192.168.8.0


subnet 192.168.8.0 255.255.255.0


access-list vpn_list extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0


access-list vpn_list extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0


access-list 101 extended deny ip any host 58.215.78.113


access-list 101 extended deny ip any host 61.139.126.81


access-list 101 extended deny ip any host 61.152.94.154


access-list 101 extended permit ip host 192.168.4.2 any


access-list 101 extended permit ip host 192.168.4.3 any


access-list 101 extended permit ip host 192.168.4.4 any


access-list 101 extended permit ip host 192.168.4.5 any


access-list 101 extended permit ip host 192.168.4.7 any


access-list 101 extended permit ip host 192.168.4.8 any


access-list 101 extended permit ip host 192.168.4.9 any


access-list 101 extended permit ip host 192.168.4.10 any


access-list 101 extended permit ip host 192.168.4.11 any


access-list 101 extended permit ip host 192.168.4.12 any


access-list 101 extended permit ip host 192.168.4.13 any


access-list 101 extended permit ip host 192.168.4.14 any


access-list 101 extended permit ip host 192.168.4.15 any


access-list 101 extended permit ip host 192.168.4.16 any


access-list 101 extended permit ip host 192.168.4.18 any


access-list 101 extended permit ip host 192.168.4.19 any


access-list 101 extended permit ip host 192.168.4.20 any


access-list 101 extended permit ip host 192.168.4.180 any


access-list 101 extended deny ip 192.168.4.0 255.255.255.0 any


access-list 101 extended permit ip host 192.168.2.176 any


access-list 101 extended permit icmp any any


access-list 101 extended permit ip host 192.168.2.3 any


access-list 101 extended permit ip host 192.168.2.164 any


access-list 101 extended permit ip host 192.168.2.171 any


access-list 101 extended permit ip host 192.168.2.142 any


access-list 101 extended permit ip host 192.168.2.180 any


access-list 101 extended permit ip host 192.168.2.149 any


access-list 101 extended permit ip host 192.168.2.201 any


access-list 101 extended permit ip host 192.168.2.170 any


access-list 101 extended permit ip host 192.168.2.168 any


access-list 101 extended permit ip host 192.168.2.103 any


access-list 101 extended permit ip host 192.168.2.34 any


access-list 101 extended permit ip host 192.168.2.174 any


access-list 101 extended permit ip host 192.168.2.199 any


access-list 101 extended permit ip host 192.168.2.253 any


access-list 101 extended permit ip host 192.168.2.236 any


access-list 101 extended permit ip host 192.168.2.214 any


access-list 101 extended permit ip host 192.168.2.110 any


access-list 101 extended permit ip host 192.168.2.127 any


access-list 101 extended permit ip host 192.168.2.178 any


access-list 101 extended permit ip host 192.168.2.21 any


access-list 101 extended permit ip host 192.168.2.24 any


access-list 101 extended permit ip host 192.168.2.251 any


access-list 101 extended permit ip host 192.168.2.33 any


access-list 101 extended permit ip host 192.168.2.120 any


access-list 101 extended permit ip host 192.168.2.85 any


access-list 101 extended permit ip host 192.168.2.137 any


access-list 101 extended permit ip host 192.168.2.113 any


access-list 101 extended permit ip host 192.168.2.20 any


access-list 101 extended permit ip host 192.168.2.101 any


access-list 101 extended permit ip host 192.168.2.106 any


access-list 101 extended permit ip host 192.168.2.140 any


access-list 101 extended permit ip host 192.168.2.215 any


access-list 101 extended permit ip host 192.168.2.107 any


access-list 101 extended permit ip host 192.168.2.234 any


access-list 101 extended permit ip host 192.168.2.15 any


access-list 101 extended permit ip host 192.168.2.55 any


access-list 101 extended permit ip host 192.168.2.41 any


access-list 101 extended permit ip host 192.168.2.13 any


access-list 101 extended permit ip host 192.168.2.133 any


access-list 101 extended permit ip host 192.168.2.73 any


access-list 101 extended permit ip host 192.168.2.172 any


access-list 101 extended permit ip host 192.168.2.175 any


access-list 101 extended permit ip host 192.168.2.88 any


access-list 101 extended permit ip host 192.168.2.188 any


access-list 101 extended permit ip host 192.168.2.136 any


access-list 101 extended permit ip host 192.168.2.74 any


access-list 101 extended permit ip host 192.168.2.12 any


access-list 101 extended permit ip host 192.168.2.100 any


access-list 101 extended permit ip host 192.168.2.102 any


access-list 101 extended permit ip host 192.168.2.152 any


access-list 101 extended permit ip host 192.168.2.4 any


access-list 101 extended permit ip host 192.168.2.5 any


access-list 101 extended permit ip host 192.168.2.6 any


access-list 101 extended permit ip host 192.168.2.14 any


access-list 101 extended permit ip host 192.168.2.19 any


access-list 101 extended permit ip host 192.168.2.16 any


access-list 101 extended permit ip host 192.168.2.17 any


access-list 101 extended permit ip host 192.168.2.18 any


access-list 101 extended permit ip host 192.168.2.22 any


access-list 101 extended permit ip host 192.168.2.23 any


access-list 101 extended permit ip host 192.168.2.115 any


access-list 101 extended permit ip host 192.168.2.116 any


access-list 101 extended permit ip host 192.168.2.117 any


access-list 101 extended permit ip host 192.168.2.118 any


access-list 101 extended permit ip host 192.168.2.119 any


access-list 101 extended permit ip host 192.168.2.150 any


access-list 101 extended permit ip host 192.168.2.128 any


access-list 101 extended deny ip 192.168.2.0 255.255.255.0 any


access-list 101 extended permit ip host 192.168.3.2 any


access-list 101 extended permit ip host 192.168.3.3 any


access-list 101 extended permit ip host 192.168.3.4 any


access-list 101 extended permit ip host 192.168.3.5 any


access-list 101 extended permit ip host 192.168.3.6 any


access-list 101 extended permit ip host 192.168.3.7 any


access-list 101 extended permit ip host 192.168.3.8 any


access-list 101 extended permit ip host 192.168.3.9 any


access-list 101 extended permit ip host 192.168.3.10 any


access-list 101 extended permit ip host 192.168.3.11 any


access-list 101 extended permit ip host 192.168.3.12 any


access-list 101 extended permit ip host 192.168.3.13 any


access-list 101 extended permit ip host 192.168.3.14 any


access-list 101 extended permit ip host 192.168.3.15 any


access-list 101 extended permit ip host 192.168.3.16 any


access-list 101 extended permit ip host 192.168.3.17 any


access-list 101 extended permit ip host 192.168.3.18 any


access-list 101 extended permit ip host 192.168.3.19 any


access-list 101 extended permit ip host 192.168.3.20 any


access-list 101 extended permit ip host 192.168.3.21 any


access-list 101 extended permit ip host 192.168.3.22 any


access-list 101 extended permit ip host 192.168.3.23 any


access-list 101 extended permit ip host 192.168.3.24 any


access-list 101 extended permit ip host 192.168.3.25 any


access-list 101 extended permit ip host 192.168.3.26 any


access-list 101 extended permit ip host 192.168.3.27 any


access-list 101 extended permit ip host 192.168.3.28 any


access-list 101 extended permit ip host 192.168.3.29 any


access-list 101 extended permit ip host 192.168.3.30 any


access-list 101 extended permit ip host 192.168.3.31 any


access-list 101 extended permit ip host 192.168.3.32 any


access-list 101 extended permit ip host 192.168.3.33 any


access-list 101 extended permit ip host 192.168.3.34 any


access-list 101 extended permit ip host 192.168.3.35 any


access-list 101 extended permit ip host 192.168.3.36 any


access-list 101 extended permit ip host 192.168.3.37 any


access-list 101 extended permit ip host 192.168.3.38 any


access-list 101 extended permit ip host 192.168.3.39 any


access-list 101 extended permit ip host 192.168.3.40 any


access-list 101 extended permit ip host 192.168.3.41 any


access-list 101 extended permit ip host 192.168.3.42 any


access-list 101 extended permit ip host 192.168.3.43 any


access-list 101 extended permit ip host 192.168.3.86 any


access-list 101 extended permit ip host 192.168.3.88 any


access-list 101 extended permit ip host 192.168.3.89 any


access-list 101 extended permit ip host 192.168.3.56 any


access-list 101 extended permit ip host 192.168.3.55 any


access-list 101 extended permit ip host 192.168.3.96 any


access-list 101 extended permit ip host 192.168.3.97 any


access-list 101 extended permit ip host 192.168.3.98 any


access-list 101 extended permit ip host 192.168.3.116 any


access-list 101 extended permit ip host 192.168.3.111 any


access-list 101 extended permit ip host 192.168.3.175 any


access-list 101 extended permit ip host 192.168.3.176 any


access-list 101 extended permit ip host 192.168.3.201 any


access-list 101 extended permit ip host 192.168.3.202 any


access-list 101 extended permit ip host 192.168.3.203 any


access-list 101 extended permit ip host 192.168.3.204 any


access-list 101 extended permit ip host 192.168.3.205 any


access-list 101 extended permit ip host 192.168.3.206 any


access-list 101 extended permit ip host 192.168.3.207 any


access-list 101 extended permit ip host 192.168.3.208 any


access-list 101 extended permit ip host 192.168.3.209 any


access-list 101 extended permit ip host 192.168.3.210 any


access-list 101 extended permit ip host 192.168.3.213 any


access-list 101 extended permit ip host 192.168.3.214 any


access-list 101 extended permit ip host 192.168.3.215 any


access-list 101 extended permit ip host 192.168.3.101 any


access-list 101 extended permit ip host 192.168.3.102 any


access-list 101 extended permit ip host 192.168.3.103 any


access-list 101 extended permit ip host 192.168.3.106 any


access-list 101 extended permit ip host 192.168.3.107 any


access-list 101 extended permit ip host 192.168.3.152 any


access-list 101 extended permit ip host 192.168.3.151 any


access-list 101 extended permit ip host 192.168.3.153 any


access-list 101 extended permit ip host 192.168.3.195 any


access-list 101 extended permit ip host 192.168.3.45 any


access-list 101 extended permit ip host 192.168.3.46 any


access-list 101 extended permit ip host 192.168.3.199 any


access-list 101 extended permit ip host 192.168.3.157 any


access-list 101 extended deny ip 192.168.3.0 255.255.255.0 any


access-list 101 extended permit tcp any any


access-list 101 extended permit ip any any


access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0


access-list 2 extended permit ip 192.168.2.0 255.255.255.0 any


access-list 3 extended permit ip 192.168.3.0 255.255.255.0 any


access-list 4 extended permit ip 192.168.4.0 255.255.255.0 any


access-list 500k extended permit ip host X.X.X.1 any


access-list 500k extended permit icmp host X.X.X.1 any


access-list 102 extended permit ip host 192.168.1.6 any


access-list 100 extended permit tcp any host 192.168.1.1 eq www


access-list 100 extended permit tcp any host 192.168.1.1 eq 8080


access-list 100 extended permit tcp any host X.X.X.4


access-list 100 extended permit ip any host X.X.X.4


access-list 100 extended permit icmp any host X.X.X.4


access-list 100 extended permit tcp any host 192.168.1.6 eq smtp


access-list 100 extended permit tcp any host 192.168.1.6 eq pop3


access-list 100 extended permit tcp any host 192.168.1.6 eq www


access-list 100 extended permit tcp any host 192.168.1.6


access-list 100 extended permit ip any host 192.168.1.6


access-list 100 extended permit icmp any host 192.168.1.6


access-list 100 extended permit tcp any host 192.168.1.19 eq 3389


access-list 100 extended permit tcp any host 192.168.1.20 eq 3389


access-list 100 extended permit tcp any host 192.168.1.88 eq 3389


access-list 100 extended permit tcp any host X.X.X.12


access-list 100 extended permit ip any host X.X.X.12


access-list 100 extended permit icmp any host X.X.X.12


access-list 100 extended permit tcp any host 192.168.1.6 eq 8086


access-list 100 extended permit tcp any host 192.168.1.1 eq 3389


access-list 100 extended permit tcp any host 192.168.1.6 eq 3389


access-list 100 extended permit tcp any host 192.168.1.6 eq ftp


access-list 100 extended permit tcp any host 192.168.1.6 eq ftp-data


access-list 100 extended permit tcp any host 192.168.2.88 eq 3389


access-list 100 extended permit tcp any host 192.168.2.88 eq 12172


access-list 100 extended permit tcp any host 192.168.2.2 eq 3389


access-list 100 extended permit tcp any host 192.168.2.2 eq 9116


access-list 100 extended permit tcp any host 192.168.3.2 eq 25243


access-list 100 extended permit tcp any host 192.168.3.2 eq 3389


access-list 100 extended permit tcp any host 192.168.1.200 eq www


access-list 100 extended permit tcp any host 192.168.1.200 eq 12001


access-list 100 extended permit tcp any host 192.168.1.30 eq 3389


access-list 100 extended permit tcp any host 192.168.3.5 eq 4160


access-list 100 extended permit tcp any host 192.168.3.5 eq 11111


access-list 100 extended permit tcp any host 192.168.3.5 eq 3389


access-list 100 extended permit tcp any host X.X.X.10


access-list 100 extended permit udp any host 192.168.2.88 eq 12172


access-list 100 extended permit udp any host 192.168.2.2 eq 9116


access-list 100 extended permit udp any host 192.168.3.2 eq 25243


access-list 100 extended permit udp any host 192.168.3.5 eq 4170


access-list 100 extended permit udp any host 192.168.3.5 eq 11111


access-list 100 extended permit ip any host X.X.X.10


access-list 100 extended permit tcp any host 192.168.1.6 eq 8087


access-list 100 extended permit tcp any host X.X.X.9


access-list 100 extended permit ip any host X.X.X.9


access-list 100 extended permit tcp any host 192.168.1.30 eq www


access-list 100 extended permit tcp any host X.X.X.5


access-list 100 extended permit ip any host X.X.X.5


access-list 100 extended permit icmp any any


access-list 100 extended permit tcp any host 192.168.1.6 eq 8088


access-list 100 extended permit ip any host X.X.X.6


access-list 100 extended permit tcp any host X.X.X.6


access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 61.186.169.129 host X.X.X.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 61.186.169.130 host X.X.X.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 61.186.169.131 host X.X.X.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 61.186.169.132 host X.X.X.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 61.186.169.133 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.129 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.130 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.131 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.132 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.133 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.129 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.130 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.131 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.132 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.133 host X.X.X.2 time-range k3used


access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 183.64.106.194 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 183.64.106.194 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 183.64.106.194 host X.X.X.2 time-range k3used


access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 183.64.106.195 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 183.64.106.195 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 183.64.106.195 host X.X.X.2 time-range k3used


access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 14.107.162.32 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 14.107.162.32 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 14.107.162.32 host X.X.X.2 time-range k3used


access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 14.107.247.121 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 14.107.247.121 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 14.107.247.121 host X.X.X.2 time-range k3used


access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 eq 5872 time-range k3used


access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 eq 8088 time-range k3used


access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 eq 3389 time-range k3used


access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.19 eq www time-range k3used


access-list 100 extended permit tcp host 61.128.208.106 host X.X.X.2 time-range k3used


access-list 100 extended permit ip host 61.128.208.106 host X.X.X.2 time-range k3used


access-list 100 extended permit icmp host 61.128.208.106 host X.X.X.2 time-range k3used


access-list 100 extended deny tcp any host 192.168.1.2 eq 5872


access-list 100 extended deny tcp any host 192.168.1.2 eq 8088


access-list 100 extended deny tcp any host 192.168.1.2 eq 3389


access-list 100 extended deny tcp any host 192.168.1.19 eq www


access-list 100 extended deny tcp any host X.X.X.2


access-list 100 extended deny ip any host X.X.X.2


access-list 100 extended deny icmp any host X.X.X.2


pager lines 24


mtu outside 1500


mtu inside 1500


mtu management 1500


ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0


icmp unreachable rate-limit 1 burst-size 1


no asdm history enable


arp timeout 14400


nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp


nat (inside,any) source static obj-192.168.200.0 obj-192.168.200.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp


nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-25 obj-tcp-source-eq-25


nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-110 obj-tcp-source-eq-110


nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-8086 obj-tcp-source-eq-80


nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-3389 obj-tcp-source-eq-9877


nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-21 obj-tcp-source-eq-21


nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.10 service obj-tcp-source-eq-20 obj-tcp-source-eq-20


nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.9 service obj-tcp-source-eq-8087 obj-tcp-source-eq-80


nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.6 service obj-tcp-source-eq-8088 obj-tcp-source-eq-80


nat (inside,outside) source static obj-192.168.1.6 obj-X.X.X.3 service obj-tcp-source-eq-80 obj-tcp-source-eq-80


nat (inside,outside) source dynamic obj-192.168.1.6 obj-X.X.X.3


!


object network obj-192.168.1.0


nat (inside,outside) dynamic interface


object network obj-192.168.200.0


nat (inside,outside) dynamic interface


object network obj-192.168.1.2


nat (inside,outside) static X.X.X.2 service tcp 5872 5872


object network obj-192.168.1.2-01


nat (inside,outside) static X.X.X.2 service tcp 8088 8088


object network obj-192.168.1.19


nat (inside,outside) static X.X.X.12 service tcp 3389 8001


object network obj-192.168.1.20


nat (inside,outside) static X.X.X.12 service tcp 3389 8002


object network obj-192.168.1.88


nat (inside,outside) static X.X.X.12 service tcp 3389 12345


object network obj-192.168.1.1


nat (inside,outside) static X.X.X.4 service tcp www www


object network obj-192.168.1.2-02


nat (inside,outside) static X.X.X.2 service tcp 3389 8005


object network obj-192.168.1.1-01


nat (inside,outside) static X.X.X.10 service tcp 3389 9876


object network obj-192.168.2.88


nat (inside,outside) static X.X.X.10 service tcp 3389 3129


object network obj-192.168.2.88-01


nat (inside,outside) static X.X.X.10 service tcp 12172 12172


object network obj-192.168.2.88-02


nat (inside,outside) static X.X.X.10 service udp 12172 12172


object network obj-192.168.1.19-01


nat (inside,outside) static X.X.X.2 service tcp www 8056


object network obj-192.168.2.2


nat (inside,outside) static X.X.X.10 service tcp 3389 3128


object network obj-192.168.2.2-01


nat (inside,outside) static X.X.X.10 service tcp 9116 9116


object network obj-192.168.2.2-02


nat (inside,outside) static X.X.X.10 service udp 9116 9116


object network obj-192.168.3.2


nat (inside,outside) static X.X.X.10 service tcp 25243 25243


object network obj-192.168.3.2-01


nat (inside,outside) static X.X.X.10 service udp 25243 25243


object network obj-192.168.3.2-02


nat (inside,outside) static X.X.X.10 service tcp 3389 3130


object network obj-192.168.1.200


nat (inside,outside) static X.X.X.10 service tcp www 1114


object network obj-192.168.1.200-01


nat (inside,outside) static X.X.X.10 service tcp 12001 12001


object network obj-192.168.1.30


nat (inside,outside) static X.X.X.5 service tcp www www


object network obj-192.168.1.30-01


nat (inside,outside) static X.X.X.10 service tcp 3389 9878


object network obj-192.168.1.1-02


nat (inside,outside) static X.X.X.4 service tcp 8080 8080


object network obj-192.168.3.5


nat (inside,outside) static X.X.X.10 service tcp 4160 4160


object network obj-192.168.3.5-01


nat (inside,outside) static X.X.X.10 service udp 4170 4170


object network obj-192.168.3.5-02


nat (inside,outside) static X.X.X.10 service tcp 11111 11111


object network obj-192.168.3.5-03


nat (inside,outside) static X.X.X.10 service tcp 3389 3127


object network obj-192.168.3.5-04


nat (inside,outside) static X.X.X.10 service udp 11111 11111


object network obj-192.168.2.0


nat (inside,outside) dynamic interface


object network obj-192.168.3.0


nat (inside,outside) dynamic interface


object network obj-192.168.4.0


nat (inside,outside) dynamic interface


object network obj-192.168.5.0


nat (inside,outside) dynamic interface


object network obj-192.168.6.0


nat (inside,outside) dynamic interface


object network obj-192.168.7.0


nat (inside,outside) dynamic interface


object network obj-192.168.8.0


nat (inside,outside) dynamic interface


access-group 100 in interface outside


access-group 101 in interface inside


route outside 0.0.0.0 0.0.0.0 X.X.X.14 1


route inside 192.168.2.0 255.255.255.0 192.168.1.12 1


route inside 192.168.3.0 255.255.255.0 192.168.1.12 1


route inside 192.168.4.0 255.255.255.0 192.168.1.12 1


route inside 192.168.5.0 255.255.255.0 192.168.1.12 1


route inside 192.168.6.0 255.255.255.0 192.168.1.12 1


timeout xlate 3:00:00


timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02


timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00


timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00


timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute


timeout tcp-proxy-reassembly 0:01:00


timeout floating-conn 0:00:00


dynamic-access-policy-record DfltAccessPolicy


user-identity default-domain LOCAL


http server enable


no snmp-server location


no snmp-server contact


snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart


crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac


crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set


crypto dynamic-map vpn_map 10 set reverse-route


crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map


crypto map vpnmap interface outside


crypto ikev1 enable outside


crypto ikev1 policy 1


authentication pre-share


encryption des


hash md5


group 2    


lifetime 86400


crypto ikev1 policy 65535


authentication pre-share


encryption 3des


hash sha


group 2


lifetime 86400


telnet 0.0.0.0 0.0.0.0 inside


telnet 192.168.1.0 255.255.255.0 inside


telnet timeout 5


ssh 0.0.0.0 0.0.0.0 outside


ssh timeout 30


ssh version 1


console timeout 0


threat-detection basic-threat


threat-detection statistics access-list


no threat-detection statistics tcp-intercept


ntp server 192.43.244.18


group-policy vpnclient internal


group-policy vpnclient attributes


dns-server value 61.128.128.68


vpn-tunnel-protocol ikev1


split-tunnel-policy tunnelspecified


split-tunnel-network-list value vpnclient_splitTunnelAcl


username cisco password 3USUcOPFUiMCO4Jk encrypted


tunnel-group vpn_group type remote-access


tunnel-group vpn_group general-attributes


address-pool vpn_pool


default-group-policy vpnclient


tunnel-group vpn_group ipsec-attributes


ikev1 pre-shared-key *****


!


class-map 500k


match access-list 500k


class-map inspection_default


match default-inspection-traffic


class-map 2


match access-list 2


class-map 3


match access-list 3


class-map 4


match access-list 4


!


!


policy-map type inspect dns preset_dns_map


parameters


  message-length maximum client auto


  message-length maximum 512


policy-map global_policy


class inspection_default


  inspect dns preset_dns_map


  inspect ftp


  inspect h323 h225


  inspect h323 ras


  inspect ip-options


  inspect netbios


  inspect rsh


  inspect rtsp


  inspect skinny


  inspect esmtp


  inspect sqlnet


  inspect sunrpc


  inspect tftp


  inspect sip


  inspect xdmcp


policy-map 500k


class 500k


policy-map 2


class 2


class 3


class 4


!           


service-policy global_policy global


prompt hostname context


call-home reporting anonymous prompt 2


call-home


profile CiscoTAC-1


  no active


  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService


  destination address email [email protected]


  destination transport-method http


  subscribe-to-alert-group diagnostic


  subscribe-to-alert-group environment


  subscribe-to-alert-group inventory periodic monthly 13


  subscribe-to-alert-group configuration periodic monthly 13


  subscribe-to-alert-group telemetry periodic daily


Cryptochecksum:ecead54d7c85807eb47c7cdaf7d7e82a


: end


ciscoasa#                                                                     $


ciscoasa#


ciscoasa#

Correct Answer by Jouni Forss about 3 years 8 months ago

Cisco Endorsed by yingpli
Overall Rating: 5 (2 ratings)
Jouni Forss Fri, 12/13/2013 - 08:15

Hi,


You did not mention what your server IP address is.


Try using the "packet-tracer" with the correct information


packet-tracer input outside tcp 12345 80


Post the output here. It should tell us what the problem is


- Jouni

hailin huang Fri, 12/13/2013 - 19:49

Hi, my inside web server is 192.168.1.1 port 80; its NAT outside IP is 61.186.236.4 port 80.


But I cannot offer packet-tracer at the same time.
Maybe later.


like this:


object network obj-192.168.1.1

nat (inside,outside) static 61.186.236.4 service tcp www www

object network obj-192.168.1.1-01

nat (inside,outside) static 61.186.236.10 service tcp 3389 9876

object network obj-192.168.1.1-02

nat (inside,outside) static 61.186.236.4 service tcp 8080 8080

Jouni Forss Sun, 12/15/2013 - 04:30

Hi,


I can't really find a specific reason in the configuration why this would not work.


There should be no overlap with the NAT configurations on a quick glance and you seem to have the ACL rule allow traffic to this server at the top of the ACL also.


We would really need to see the "packet-tracer" command issued from the CLI of the ASA. You can naturally do this from ASDM too by going to the top menus and choosing Command Line Interface from there.


packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80


If the "packet-tracer" output looks fine I would next look at the actual server behind the ASA.


- Jouni

hailin huang Wed, 12/18/2013 - 03:56

Hi Jouni,


My packet-tracer and my show tech:


ciscoasa# packet-tracer input outside tcp 192.168.1.1 80 61.186.236.4 80


Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list


Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network obj-192.168.1.1

nat (inside,outside) static 61.186.236.4 service tcp www www

Additional Information:

NAT divert to egress interface inside

Untranslate 61.186.236.4/80 to 192.168.1.1/80


Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:      

access-group 100 in interface outside

access-list 100 extended permit tcp any host 192.168.1.1 eq www

Additional Information:


Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:


Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:


Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network obj-192.168.1.1

nat (inside,outside) static 61.186.236.4 service tcp www www

Additional Information:


Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (sp-security-failed) Slowpath security checks failed

Correct Answer
Jouni Forss Wed, 12/18/2013 - 04:01

Hi,


You changed the source IP address in the command I suggested?


There is no reason to use the IP 192.168.1.1 as the source of this "packet-tracer" command as the source will NEVER be that IP address as it's a private IP address not routable on the public Internet.


So can you try with the command I suggested.


packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80


I presume that the above command/test failed because you were using the server's real IP address as the source IP address for the test.


- Jouni
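
The check Jouni describes above, as an added example that is not part of the original thread or any Cisco tool: a small Python parser that reads "packet-tracer" output and flags a test whose source address is private or equals the server's real (untranslated) address. The function name, the constructed sample traces (condensed from the two runs posted in this thread) and the treatment of the interface named outside as Internet-facing are assumptions.

```python
import ipaddress
import re

# Constructed samples, condensed from the two traces posted in this thread.
TRACE_REAL_IP_SRC = """ciscoasa# packet-tracer input outside tcp 192.168.1.1 80 61.186.236.4 80
Phase: 2
Type: UN-NAT
Result: ALLOW
Untranslate 61.186.236.4/80 to 192.168.1.1/80
Result:
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""
TRACE_PUBLIC_SRC = """ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80
Phase: 1
Type: UN-NAT
Result: ALLOW
Untranslate 61.186.236.4/80 to 192.168.1.1/80
Phase: 7
Type: FLOW-CREATION
Result: ALLOW
Result:
Action: allow
"""
CMD = re.compile(r"packet-tracer input (\S+) (?:tcp|udp) (\S+) \d+ (\S+) \d+")
UNNAT = re.compile(r"Untranslate (\S+)/\d+ to (\S+)/\d+")

def review_trace(text):
    """Summarise one packet-tracer run and flag an unrealistic test source (hypothetical helper)."""
    cmd = CMD.search(text)
    if cmd is None:
        raise ValueError("no 'packet-tracer input ...' command line found")
    ifc, src, dst = cmd.groups()
    out = {"source": src, "phases": [], "action": None, "drop-reason": None, "warnings": []}
    phase_type = None
    for line in text.splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "Type":
            phase_type = val
        elif key == "Result" and val:  # a bare "Result:" opens the final summary, not a phase
            out["phases"].append((phase_type, val))
        elif key in ("Action", "Drop-reason"):
            out[key.lower()] = val
    unnat = UNNAT.search(text)
    if ifc == "outside" and ipaddress.ip_address(src).is_private:  # assumed Internet-facing nameif
        out["warnings"].append(f"source {src} is a private address; it cannot arrive from the Internet")
    if unnat and src == unnat.group(2):
        out["warnings"].append(f"source {src} is the real address of the server published as {dst}")
    return out
```

Calling `review_trace(TRACE_REAL_IP_SRC)` returns the drop action with both warnings, while `review_trace(TRACE_PUBLIC_SRC)` returns `allow` with none.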

hailin huang Thu, 12/19/2013 - 04:35

ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 61.186.236.4 80


Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static test test1 service obj-tcp-source-eq-80 obj-tcp-source-eq-80

Additional Information:

NAT divert to egress interface inside

Untranslate 61.186.236.4/80 to 192.168.1.1/80


Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group 100 in interface outside

access-list 100 extended permit tcp any host 192.168.1.1 eq www

Additional Information:


Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:


Phase: 4

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:


Phase: 5

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static test test1 service obj-tcp-source-eq-80 obj-tcp-source-eq-80

Additional Information:


Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:


Phase: 7     

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 9833, packet dispatched to next module


Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

hailin huang Sun, 12/22/2013 - 00:11

Thank you.


My ASA is OK and my config is OK.

The problem is the ISP.

it is  have update  long time.
