Migrate ASA5520 v7.0 to ASA5512 v8.6: some questions, VPN cannot ping, and how to do failover

Answered Question
Nov 30th, 2013

Hi all,

Migrating ASA5520 v7.0 to ASA5512 v8.6: some questions, VPN cannot ping, and how to do failover?

file 1 asa5520 version 7.0

file 2 asa5512 version 8.6

file 3 asa3560X

file 4 top

Question one:

Is my migrated file right? Compare v7.0 to v8.6. I am not sure my config is OK.

Question two:

My Easy VPN user 192.168.200.1 cannot ping my server 192.168.1.41. My server can ping the VLAN 10 gateway, but cannot ping the ASA inside interface.

Question three:

If I want to use the 5520 in this top for failover, what can I do?

First, I update v7.0 to v8.6 like the ASA5512 version.

Second, connect the ASA5512 (active) to the ASA5520, and configure failover.

Is that OK?

file 2 ASA5512 Version 8.6


ciscoasa#


ciscoasa# show run


ciscoasa# show running-config


: Saved


:


ASA Version 8.6(1)2


!


hostname ciscoasa


enable password 2KFQnbNIdI.2KYOU encrypted


passwd 2KFQnbNIdI.2KYOU encrypted


names


!


interface GigabitEthernet0/0


nameif ouside


security-level 0


ip address X.X.X.1 255.255.255.240


!


interface GigabitEthernet0/1


no nameif


no security-level


no ip address


!


interface GigabitEthernet0/2


no nameif


no security-level


no ip address


!


interface GigabitEthernet0/3


description Link To 3560 G0/1


speed 1000


duplex full


nameif inside


security-level 100


ip address 192.168.1.13 255.255.255.0


!


interface GigabitEthernet0/4


no nameif


no security-level


no ip address


!


interface GigabitEthernet0/5


no nameif


no security-level


no ip address


!


interface Management0/0


nameif management


security-level 100


ip address 192.168.100.1 255.255.255.0


management-only


!


!


time-range k3used


absolute start 08:00 01 January 2008


periodic daily 0:00 to 23:59


periodic daily 9:00 to 18:00


!


boot system disk0:/asa861-2-smp-k8.bin


ftp mode passive


object network internal_X.X.X.3


host X.X.X.3


object network inside_192.168.1.6


host 192.168.1.6


object network cisco


object network local-1-2


host 192.168.1.2


object service real_svc5872


service tcp source eq 5872


object network remote-lan2


host X.X.X.2


object service mapped_svc5872


service tcp destination eq 5872


object service real_svc8088


service tcp source eq 8088


object service mapped_svc8088


service tcp destination eq 8088


object service real_svc8005


service tcp source eq 8005


object service mapped_svc8005


service tcp destination eq 8005


object network local-1-19


host 192.168.1.19


object service real_svcwww


service tcp source eq www


object service mapped_svc8056


service tcp destination eq 8056


object network local-1-200


host 192.168.1.200


object service real_svc3389


service tcp source eq 3389


object service mapped_svc8001


service tcp destination eq 8001


object service mapped_svc8002


service tcp destination eq 8002


object service mapped_svc12345


service tcp destination eq 12345


object service mapped_svcwww


service tcp destination eq www


object service real_svcsmtp


service tcp source eq smtp


object service mapped_svcsmtp


service tcp destination eq smtp


object service real_svcpop3


service tcp source eq pop3


object service mapped_svcpop3


service tcp destination eq pop3


object service real_svc8086


service tcp source eq 8086


object service mapped_svc9876


service tcp destination eq 9876


object service mapped_svc9877


service tcp destination eq 9877


object service real_svcftp


service tcp source eq ftp


object service mapped_svcftp


service tcp destination eq ftp


object service real_svcftp-data


service tcp source eq ftp-data


object service mapped_svcftp-data


service tcp destination eq ftp-data


object service mapped_svc3129


service tcp destination eq 3129


object service real_svc12172


service tcp source eq 12172


object service mapped_svc12172


service tcp destination eq 12172


object service real_svcu12172


service udp source eq 12172


object service mapped_svcu12172


service udp destination eq 12172


object service mapped_svc3128


service tcp destination eq 3128


object service real_svc9116


service tcp source eq 9116


object service mapped_svc9116


service tcp destination eq 9116


object service real_svcu9116


service udp source eq 9116


object service mapped_svcu9116


service udp destination eq 9116


object service real_svc25243


service tcp source eq 25243


object service mapped_svc25243


service tcp destination eq 25243


object service real_svcu25243


service udp source eq 25243


object service mapped_svcu25243


service udp destination eq 25243


object service mapped_svc3130


service tcp destination eq 3130


object service real_svc8087


service tcp source eq 8087


object service mapped_svc1114


service tcp destination eq 1114


object service real_svc12001


service tcp source eq 12001


object service mapped_svc12001


service tcp destination eq 12001


object service mapped_svc19878


service tcp destination eq 9878


object service real_svc8080


service tcp source eq 8080


object service mapped_svc18080


service tcp destination eq 8080


object service real_svc4160


service tcp source eq 4160


object service mapped_svc4160


service tcp destination eq 4160


object service real_svcu4170


service udp source eq 4170


object service mapped_svcu4170


service udp destination eq 4170


object service real_svc11111


service tcp source eq 11111


object service mapped_svc11111


service tcp destination eq 11111


object service mapped_svc3127


service tcp destination eq 3127


object service real_svcu11111


service udp source eq 11111


object service mapped_svcu11111


service udp destination eq 11111


object network local-1-20


host 192.168.1.20


object network remote-lan12


host X.X.X.12


object network local-1-88


host 192.168.1.88


object network local-1-1


host 192.168.1.1


object network local-1-6


host 192.168.1.6


object network local-2-88


host 192.168.2.88


object network local-2-2


host 192.168.2.2


object network local-1-4


host 192.168.1.4


object network local-1-3


host 192.168.1.3


object network local-1-10


host 192.168.1.10


object network remote-lan4


host X.X.X.4


object network remote-lan3


host X.X.X.3


object network remote-lan10


host X.X.X.10


object network local-3-2


host 192.168.3.2


object network local-1-30


host 192.168.1.30


object network remote-lan9


host X.X.X.9


object network local-1-5


host 192.168.1.5


object service mapped_svc9878


service tcp destination eq 9878


object network remote-lan5


host X.X.X.5


object network remote-lan6


host X.X.X.6


object network local-3-5


host 192.168.3.5


object-group network pat-source


network-object 192.168.1.0 255.255.255.0


network-object 192.168.2.0 255.255.255.0


network-object 192.168.3.0 255.255.255.0


network-object 192.168.4.0 255.255.255.0


network-object 192.168.5.0 255.255.255.0


network-object 192.168.6.0 255.255.255.0


network-object 192.168.7.0 255.255.255.0


network-object 192.168.8.0 255.255.255.0


network-object 192.168.200.0 255.255.255.0


access-list 100 extended permit tcp any host 192.168.1.1


access-list 100 extended permit ip any host 192.168.1.1


access-list 100 extended permit icmp any host 192.168.1.1


access-list 100 extended permit tcp any host 192.168.1.6


access-list 100 extended permit ip any host 192.168.1.6


access-list 100 extended permit icmp any host 192.168.1.6


access-list 100 extended permit tcp any host 192.168.1.12


access-list 100 extended permit ip any host 192.168.1.12


access-list 100 extended permit icmp any host 192.168.1.12


access-list 100 extended permit tcp any host 192.168.1.30


access-list 100 extended permit ip any host 192.168.1.30


access-list 100 extended permit icmp any any


access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.129 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.130 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.131 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.132 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.133 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.129 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.130 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.131 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.132 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.133 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 183.64.106.194 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 183.64.106.194 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 183.64.106.195 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 183.64.106.195 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 14.107.162.32 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 14.107.162.32 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 14.107.247.121 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 14.107.247.121 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.128.208.106 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.128.208.106 host 192.168.1.2 time-range k3used


access-list 100 extended deny tcp any host 192.168.1.2


access-list 100 extended deny ip any host 192.168.1.2


access-list 100 extended deny icmp any host 192.168.1.2


access-list vpn_list extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0


access-list vpn_list extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0


access-list 101 extended deny ip any host 58.215.78.113


access-list 101 extended deny ip any host 61.139.126.81


access-list 101 extended deny ip any host 61.152.94.154


access-list 101 extended permit ip host 192.168.4.2 any


access-list 101 extended permit ip host 192.168.4.3 any


access-list 101 extended permit ip host 192.168.4.4 any


access-list 101 extended permit ip host 192.168.4.5 any


access-list 101 extended permit ip host 192.168.4.7 any


access-list 101 extended permit ip host 192.168.4.8 any


access-list 101 extended permit ip host 192.168.4.9 any


access-list 101 extended permit ip host 192.168.4.10 any


access-list 101 extended permit ip host 192.168.4.11 any


access-list 101 extended permit ip host 192.168.4.12 any


access-list 101 extended permit ip host 192.168.4.13 any


access-list 101 extended permit ip host 192.168.4.14 any


access-list 101 extended permit ip host 192.168.4.15 any


access-list 101 extended permit ip host 192.168.4.16 any


access-list 101 extended permit ip host 192.168.4.18 any


access-list 101 extended permit ip host 192.168.4.19 any


access-list 101 extended permit ip host 192.168.4.20 any


access-list 101 extended permit ip host 192.168.4.180 any


access-list 101 extended deny ip 192.168.4.0 255.255.255.0 any


access-list 101 extended permit ip host 192.168.2.176 any


access-list 101 extended permit icmp any any


access-list 101 extended permit ip host 192.168.2.3 any


access-list 101 extended permit ip host 192.168.2.164 any


access-list 101 extended permit ip host 192.168.2.171 any


access-list 101 extended permit ip host 192.168.2.142 any


access-list 101 extended permit ip host 192.168.2.180 any


access-list 101 extended permit ip host 192.168.2.149 any


access-list 101 extended permit ip host 192.168.2.201 any


access-list 101 extended permit ip host 192.168.2.170 any


access-list 101 extended permit ip host 192.168.2.168 any


access-list 101 extended permit ip host 192.168.2.103 any


access-list 101 extended permit ip host 192.168.2.34 any


access-list 101 extended permit ip host 192.168.2.174 any


access-list 101 extended permit ip host 192.168.2.199 any


access-list 101 extended permit ip host 192.168.2.253 any


access-list 101 extended permit ip host 192.168.2.236 any


access-list 101 extended permit ip host 192.168.2.214 any


access-list 101 extended permit ip host 192.168.2.110 any


access-list 101 extended permit ip host 192.168.2.127 any


access-list 101 extended permit ip host 192.168.2.178 any


access-list 101 extended permit ip host 192.168.2.21 any


access-list 101 extended permit ip host 192.168.2.24 any


access-list 101 extended permit ip host 192.168.2.251 any


access-list 101 extended permit ip host 192.168.2.33 any


access-list 101 extended permit ip host 192.168.2.120 any


access-list 101 extended permit ip host 192.168.2.85 any


access-list 101 extended permit ip host 192.168.2.137 any


access-list 101 extended permit ip host 192.168.2.113 any


access-list 101 extended permit ip host 192.168.2.20 any


access-list 101 extended permit ip host 192.168.2.101 any


access-list 101 extended permit ip host 192.168.2.106 any


access-list 101 extended permit ip host 192.168.2.140 any


access-list 101 extended permit ip host 192.168.2.215 any


access-list 101 extended permit ip host 192.168.2.107 any


access-list 101 extended permit ip host 192.168.2.234 any


access-list 101 extended permit ip host 192.168.2.15 any


access-list 101 extended permit ip host 192.168.2.55 any


access-list 101 extended permit ip host 192.168.2.41 any


access-list 101 extended permit ip host 192.168.2.13 any


access-list 101 extended permit ip host 192.168.2.133 any


access-list 101 extended permit ip host 192.168.2.73 any


access-list 101 extended permit ip host 192.168.2.172 any


access-list 101 extended permit ip host 192.168.2.175 any


access-list 101 extended permit ip host 192.168.2.88 any


access-list 101 extended permit ip host 192.168.2.188 any


access-list 101 extended permit ip host 192.168.2.136 any


access-list 101 extended permit ip host 192.168.2.74 any


access-list 101 extended permit ip host 192.168.2.12 any


access-list 101 extended permit ip host 192.168.2.100 any


access-list 101 extended permit ip host 192.168.2.102 any


access-list 101 extended permit ip host 192.168.2.152 any


access-list 101 extended permit ip host 192.168.2.4 any


access-list 101 extended permit ip host 192.168.2.5 any


access-list 101 extended permit ip host 192.168.2.6 any


access-list 101 extended permit ip host 192.168.2.14 any


access-list 101 extended permit ip host 192.168.2.19 any


access-list 101 extended permit ip host 192.168.2.16 any


access-list 101 extended permit ip host 192.168.2.17 any


access-list 101 extended permit ip host 192.168.2.18 any


access-list 101 extended permit ip host 192.168.2.22 any


access-list 101 extended permit ip host 192.168.2.23 any


access-list 101 extended permit ip host 192.168.2.115 any


access-list 101 extended permit ip host 192.168.2.116 any


access-list 101 extended permit ip host 192.168.2.117 any


access-list 101 extended permit ip host 192.168.2.118 any


access-list 101 extended permit ip host 192.168.2.119 any


access-list 101 extended permit ip host 192.168.2.150 any


access-list 101 extended permit ip host 192.168.2.128 any


access-list 101 extended deny ip 192.168.2.0 255.255.255.0 any


access-list 101 extended permit ip host 192.168.3.2 any


access-list 101 extended permit ip host 192.168.3.3 any


access-list 101 extended permit ip host 192.168.3.4 any


access-list 101 extended permit ip host 192.168.3.5 any


access-list 101 extended permit ip host 192.168.3.6 any


access-list 101 extended permit ip host 192.168.3.7 any


access-list 101 extended permit ip host 192.168.3.8 any


access-list 101 extended permit ip host 192.168.3.9 any


access-list 101 extended permit ip host 192.168.3.10 any


access-list 101 extended permit ip host 192.168.3.11 any


access-list 101 extended permit ip host 192.168.3.12 any


access-list 101 extended permit ip host 192.168.3.13 any


access-list 101 extended permit ip host 192.168.3.14 any


access-list 101 extended permit ip host 192.168.3.15 any


access-list 101 extended permit ip host 192.168.3.16 any


access-list 101 extended permit ip host 192.168.3.17 any


access-list 101 extended permit ip host 192.168.3.18 any


access-list 101 extended permit ip host 192.168.3.19 any


access-list 101 extended permit ip host 192.168.3.20 any


access-list 101 extended permit ip host 192.168.3.21 any


access-list 101 extended permit ip host 192.168.3.22 any


access-list 101 extended permit ip host 192.168.3.23 any


access-list 101 extended permit ip host 192.168.3.24 any


access-list 101 extended permit ip host 192.168.3.25 any


access-list 101 extended permit ip host 192.168.3.26 any


access-list 101 extended permit ip host 192.168.3.27 any


access-list 101 extended permit ip host 192.168.3.28 any


access-list 101 extended permit ip host 192.168.3.29 any


access-list 101 extended permit ip host 192.168.3.30 any


access-list 101 extended permit ip host 192.168.3.31 any


access-list 101 extended permit ip host 192.168.3.32 any


access-list 101 extended permit ip host 192.168.3.33 any


access-list 101 extended permit ip host 192.168.3.34 any


access-list 101 extended permit ip host 192.168.3.35 any


access-list 101 extended permit ip host 192.168.3.36 any


access-list 101 extended permit ip host 192.168.3.37 any


access-list 101 extended permit ip host 192.168.3.38 any


access-list 101 extended permit ip host 192.168.3.39 any


access-list 101 extended permit ip host 192.168.3.40 any


access-list 101 extended permit ip host 192.168.3.41 any


access-list 101 extended permit ip host 192.168.3.42 any


access-list 101 extended permit ip host 192.168.3.43 any


access-list 101 extended permit ip host 192.168.3.86 any


access-list 101 extended permit ip host 192.168.3.88 any


access-list 101 extended permit ip host 192.168.3.89 any


access-list 101 extended permit ip host 192.168.3.56 any


access-list 101 extended permit ip host 192.168.3.55 any


access-list 101 extended permit ip host 192.168.3.96 any


access-list 101 extended permit ip host 192.168.3.97 any


access-list 101 extended permit ip host 192.168.3.98 any


access-list 101 extended permit ip host 192.168.3.116 any


access-list 101 extended permit ip host 192.168.3.111 any


access-list 101 extended permit ip host 192.168.3.175 any


access-list 101 extended permit ip host 192.168.3.176 any


access-list 101 extended permit ip host 192.168.3.201 any


access-list 101 extended permit ip host 192.168.3.202 any


access-list 101 extended permit ip host 192.168.3.203 any


access-list 101 extended permit ip host 192.168.3.204 any


access-list 101 extended permit ip host 192.168.3.205 any


access-list 101 extended permit ip host 192.168.3.206 any


access-list 101 extended permit ip host 192.168.3.207 any


access-list 101 extended permit ip host 192.168.3.208 any


access-list 101 extended permit ip host 192.168.3.209 any


access-list 101 extended permit ip host 192.168.3.210 any


access-list 101 extended permit ip host 192.168.3.213 any


access-list 101 extended permit ip host 192.168.3.214 any


access-list 101 extended permit ip host 192.168.3.215 any


access-list 101 extended permit ip host 192.168.3.101 any


access-list 101 extended permit ip host 192.168.3.102 any


access-list 101 extended permit ip host 192.168.3.103 any


access-list 101 extended permit ip host 192.168.3.106 any


access-list 101 extended permit ip host 192.168.3.107 any


access-list 101 extended permit ip host 192.168.3.152 any


access-list 101 extended permit ip host 192.168.3.151 any


access-list 101 extended permit ip host 192.168.3.153 any


access-list 101 extended permit ip host 192.168.3.195 any


access-list 101 extended permit ip host 192.168.3.45 any


access-list 101 extended permit ip host 192.168.3.46 any


access-list 101 extended permit ip host 192.168.3.199 any


access-list 101 extended permit ip host 192.168.3.157 any


access-list 101 extended deny ip 192.168.3.0 255.255.255.0 any


access-list 101 extended permit tcp any any


access-list 101 extended permit ip any any


access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0


access-list 2 extended permit ip 192.168.2.0 255.255.255.0 any


access-list 3 extended permit ip 192.168.3.0 255.255.255.0 any


access-list 4 extended permit ip 192.168.4.0 255.255.255.0 any


access-list 500k extended permit ip host X.X.X.1 any


access-list 500k extended permit icmp host X.X.X.1 any


access-list 102 extended permit ip host 192.168.1.6 any


pager lines 24


logging asdm informational


mtu ouside 1500


mtu inside 1500


mtu management 1500


ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0


icmp unreachable rate-limit 1 burst-size 1


asdm image disk0:/asdm-66114.bin


no asdm history enable


arp timeout 14400


nat (inside,ouside) source dynamic pat-source interface


nat (inside,ouside) source static inside_192.168.1.6 internal_X.X.X.3


nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc5872 mapped_svc5872


nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc8088 mapped_svc8088


nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc3389 mapped_svc8005


nat (inside,ouside) source static local-1-19 remote-lan12 service real_svc3389 mapped_svc8001


nat (inside,ouside) source static local-1-20 remote-lan12 service real_svc3389 mapped_svc8002


nat (inside,ouside) source static local-1-88 remote-lan12 service real_svc3389 mapped_svc12345


nat (inside,ouside) source static local-1-19 remote-lan12 service real_svcwww mapped_svc8056


nat (inside,ouside) source static local-1-1 remote-lan4 service real_svcwww mapped_svcwww


nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcsmtp mapped_svcsmtp


nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcpop3 mapped_svcpop3


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc8086 mapped_svcwww


nat (inside,ouside) source static local-1-1 remote-lan10 service real_svc3389 mapped_svc9876


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc3389 mapped_svc9877


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svcftp mapped_svcftp


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svcftp-data mapped_svcftp-data


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc3389 mapped_svc3129


nat (inside,ouside) source static local-2-88 remote-lan10 service real_svc12172 mapped_svc12172


nat (inside,ouside) source static local-2-88 remote-lan10 service real_svcu12172 mapped_svcu12172


nat (inside,ouside) source static local-2-2 remote-lan10 service real_svc3389 mapped_svc3128


nat (inside,ouside) source static local-2-2 remote-lan10 service real_svc9116 mapped_svc9116


nat (inside,ouside) source static local-2-2 remote-lan10 service real_svcu9116 mapped_svcu9116


nat (inside,ouside) source static local-1-200 remote-lan10 service real_svcwww mapped_svc1114


nat (inside,ouside) source static local-1-200 remote-lan10 service real_svc12001 mapped_svc12001


nat (inside,ouside) source static local-3-2 remote-lan10 service real_svc25243 mapped_svc25243


nat (inside,ouside) source static local-3-2 remote-lan10 service real_svcu25243 mapped_svcu25243


nat (inside,ouside) source static local-3-2 remote-lan10 service real_svc3389 mapped_svc3130


nat (inside,ouside) source static local-1-6 remote-lan9 service real_svc8087 mapped_svcwww


nat (inside,ouside) source static local-1-30 remote-lan10 service real_svc3389 mapped_svc9878


nat (inside,ouside) source static local-1-30 remote-lan5 service real_svcwww mapped_svcwww


nat (inside,ouside) source static local-1-1 remote-lan4 service real_svc8080 mapped_svc8088


nat (inside,ouside) source static local-1-6 remote-lan6 service real_svc8088 mapped_svcwww


nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcwww mapped_svcwww


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc4160 mapped_svc4160


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svcu4170 mapped_svcu4170


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc11111 mapped_svc11111


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc3389 mapped_svc3127


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svcu11111 mapped_svcu11111


access-group 100 in interface ouside


access-group 101 in interface inside


route ouside 0.0.0.0 0.0.0.0 X.X.X.14 1


route inside 192.168.1.0 255.255.255.0 192.168.1.12 1


route inside 192.168.2.0 255.255.255.0 192.168.1.12 1


route inside 192.168.3.0 255.255.255.0 192.168.1.12 1


route inside 192.168.4.0 255.255.255.0 192.168.1.12 1


route inside 192.168.5.0 255.255.255.0 192.168.1.12 1


route inside 192.168.6.0 255.255.255.0 192.168.1.12 1


timeout xlate 3:00:00


timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02


timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00


timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00


timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute


timeout tcp-proxy-reassembly 0:01:00


timeout floating-conn 0:00:00


dynamic-access-policy-record DfltAccessPolicy


user-identity default-domain LOCAL


aaa authentication ssh console LOCAL


http server enable


http 192.168.1.0 255.255.255.0 management


http 0.0.0.0 0.0.0.0 inside


http 0.0.0.0 0.0.0.0 management


http 0.0.0.0 0.0.0.0 ouside


no snmp-server location


no snmp-server contact


snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart


crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac


crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set


crypto dynamic-map vpn_map 10 set reverse-route


crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map


crypto map vpnmap interface ouside


crypto ikev1 enable ouside


crypto ikev1 policy 1


authentication pre-share


encryption des


hash md5


group 2


lifetime 86400


crypto ikev1 policy 10


authentication pre-share


encryption des


hash sha


group 2


lifetime 86400


telnet 0.0.0.0 0.0.0.0 inside


telnet 0.0.0.0 0.0.0.0 management


telnet timeout 5


ssh 0.0.0.0 0.0.0.0 ouside


ssh 0.0.0.0 0.0.0.0 inside


ssh 0.0.0.0 0.0.0.0 management


ssh timeout 5


console timeout 0


threat-detection basic-threat


threat-detection statistics access-list


no threat-detection statistics tcp-intercept


ssl encryption 3des-sha1


webvpn


group-policy vpnclient internal


group-policy vpnclient attributes


dns-server value 61.128.128.68


vpn-tunnel-protocol ikev1


split-tunnel-policy tunnelspecified


split-tunnel-network-list value vpnclient_splitTunnelAcl


username cisco password 3USUcOPFUiMCO4Jk encrypted


username cisco attributes


vpn-group-policy vpnclient


tunnel-group vpn_group type remote-access


tunnel-group vpn_group general-attributes


address-pool vpn_pool


default-group-policy vpnclient


tunnel-group vpn_group ipsec-attributes


ikev1 pre-shared-key *****


!


class-map inspection_default


match default-inspection-traffic


!


!


policy-map type inspect dns preset_dns_map


parameters


  message-length maximum client auto


  message-length maximum 512


policy-map global_policy


class inspection_default


  inspect dns preset_dns_map


  inspect ftp


  inspect h323 h225


  inspect h323 ras


  inspect rsh


  inspect rtsp


  inspect esmtp


  inspect sqlnet


  inspect skinny


  inspect sunrpc


  inspect xdmcp


  inspect sip


  inspect netbios


  inspect tftp


  inspect ip-options


  inspect icmp


!


service-policy global_policy global


prompt hostname context


call-home reporting anonymous prompt 1


Cryptochecksum:a08da6ec8948c7427396140d22675be0


: end

Correct Answer
Marvin Rhoads Sun, 12/01/2013 - 14:56

1. One thing I see is you have neglected to exempt your VPN pool addresses from NAT. This will be necessary on the new configuration. This also impacts question #2.


2. Make sure to exempt the VPN from NAT. Also, your attachment shows that the 5512X inside interface is down:


     GigabitEthernet0/3         192.168.1.13    YES CONFIG down                  down


That will certainly impact being able to reach inside resources like your server.


3. You cannot create a failover pair between different ASA models. The hardware must match exactly. Reference.
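Added example, not part of the original thread and not Cisco tooling: a small Python audit of an ASA 8.3+ style configuration that reports any `ip local pool` lacking the NAT exemption described in point 1, meaning an identity twice-NAT rule between the inside subnet and the pool. The sample configurations are constructed; the subnet definitions given for `inside-192.168.1.0` and `vpn-192.168.200.0` and the address 203.0.113.3 are assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of the thread's 8.6 config (no exemption yet).
# 203.0.113.3 stands in for the redacted public address.
CONFIG_BEFORE = """\
ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0
object network local-1-6
 host 192.168.1.6
object network remote-lan3
 host 203.0.113.3
object-group network pat-source
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.200.0 255.255.255.0
nat (inside,ouside) source dynamic pat-source interface
nat (inside,ouside) source static local-1-6 remote-lan3
"""

# Identity NAT of the form used later in the thread. The two subnet
# definitions are assumed; the thread does not show these objects.
EXEMPTION = """\
object network inside-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network vpn-192.168.200.0
 subnet 192.168.200.0 255.255.255.0
nat (inside,ouside) source static inside-192.168.1.0 inside-192.168.1.0 destination static vpn-192.168.200.0 vpn-192.168.200.0
"""

# Same rule, but the destination object is too small for the pool (.1-.20).
NARROW = EXEMPTION.replace("subnet 192.168.200.0 255.255.255.0",
                           "subnet 192.168.200.0 255.255.255.240")

TWICE_NAT = re.compile(
    r"^nat \(\S+,\S+\) (?:after-auto )?(?:\d+ )?source static (\S+) (\S+) "
    r"destination static (\S+) (\S+)", re.M)
POOL = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", re.M)


def parse_objects(config):
    """Map each 'object network' / 'object-group network' name to its networks."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines between commands
        header = re.match(r"(?:object|object-group) network (\S+)$", line)
        if header:
            current = objects.setdefault(header.group(1), [])
            continue
        words = line.split()
        if current is not None and words[0] == "host" and len(words) == 2:
            current.append(ipaddress.ip_network(words[1]))
        elif (current is not None and len(words) == 3
              and words[0] in ("subnet", "network-object")):
            if words[1] == "host":
                current.append(ipaddress.ip_network(words[2]))
            elif words[1] == "object":  # nested reference to another object
                current.extend(objects.get(words[2], []))
            else:
                current.append(
                    ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False))
        else:
            current = None  # any other command ends the object definition
    return objects


def unexempted_pools(config, inside_net):
    """Return the VPN pools that no identity NAT rule exempts for inside_net."""
    objects = parse_objects(config)
    inside = ipaddress.ip_network(inside_net)
    exempt_destinations = []
    for rule in TWICE_NAT.finditer(config):
        src_real, src_mapped, dst_mapped, dst_real = rule.groups()
        if src_real != src_mapped or dst_mapped != dst_real:
            continue  # the rule translates something, so it is not an exemption
        if any(inside.subnet_of(net) for net in objects.get(src_real, [])):
            exempt_destinations.extend(objects.get(dst_real, []))
    missing = []
    for name, first, last in POOL.findall(config):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # One network holding both ends of the range holds the whole range.
        if not any(lo in net and hi in net for net in exempt_destinations):
            missing.append(name)
    return missing


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE),
                       ("with exemption", CONFIG_BEFORE + EXEMPTION),
                       ("narrow object", CONFIG_BEFORE + NARROW)):
        print(label, "->", unexempted_pools(cfg, "192.168.1.0/24") or "all pools exempted")
```
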

hailin huang Sat, 12/07/2013 - 06:21

Hi Marvin Rhoads,

Thanks for helping me.

Questions one and two are OK after I added this config:

nat (inside,ouside) source static inside-192.168.1.0 inside-192.168.1.0 destination static vpn-192.168.200.0 vpn-192.168.200.0

My other questions are:

1. My inside web server 192.168.1.4 port 80 mapped to outside X.X.X.4 port 80 is not OK.

I cannot access the web server or X.X.X.4 from the internet.

My inside PC can access the internet (www.cisco.com) and can ping the ASA inside IP.

2. My inside servers for email and everything else are also not OK.

My email web server 192.168.1.6 maps to outside X.X.X.3.

The new config file is below. Is my config wrong, or is it something else?

Thank you.


ASA Version 8.6(1)2


hostname ciscoasa


enable password 2KFQnbNIdI.2KYOU encrypted


passwd 2KFQnbNIdI.2KYOU encrypted


names


!


interface GigabitEthernet0/0


nameif ouside


security-level 0


ip address X.X.X.1 255.255.255.240


interface GigabitEthernet0/3


description Link To 3560 G0/1


speed 1000


duplex full


nameif inside


security-level 100


ip address 192.168.1.13 255.255.255.0


!


interface GigabitEthernet0/4


no nameif


no security-level


no ip address


!


interface GigabitEthernet0/5


no nameif


no security-level


no ip address


!


interface Management0/0


nameif management


security-level 100


ip address 192.168.100.1 255.255.255.0


management-only


!


!


time-range k3used


absolute start 08:00 01 January 2008


periodic daily 0:00 to 23:59


periodic daily 9:00 to 18:00


!


boot system disk0:/asa861-2-smp-k8.bin


ftp mode passive


clock timezone CST 8


dns server-group DefaultDNS


name-server 61.128.128.68


object network internal_X.X.X.3


host X.X.X.3


object network inside_192.168.1.6


host 192.168.1.6


object network cisco


object network local-1-2


host 192.168.1.2


object service real_svc5872


service tcp destination eq 5872


object network remote-lan2


host X.X.X.2


object service mapped_svc5872


service tcp destination eq 5872


object service real_svc8088


service tcp destination eq 8088


object service mapped_svc8088


service tcp destination eq 8088


object service real_svc8005


service tcp destination eq 8005


object service mapped_svc8005


service tcp destination eq 8005


object network local-1-19


host 192.168.1.19


object service real_svcwww


service tcp destination eq www


object service mapped_svc8056


service tcp destination eq 8056


object network local-1-200


host 192.168.1.200


object service real_svc3389


service tcp destination eq 3389


object service mapped_svc8001


service tcp destination eq 8001


object service mapped_svc8002


service tcp destination eq 8002


object service mapped_svc12345


service tcp destination eq 12345


object service mapped_svcwww


service tcp destination eq www


object service real_svcsmtp


service tcp destination eq smtp


object service mapped_svcsmtp


service tcp destination eq smtp


object service real_svcpop3


service tcp destination eq pop3


object service mapped_svcpop3


service tcp destination eq pop3


object service real_svc8086


service tcp destination eq 8086


object service mapped_svc9876


service tcp destination eq 9876


object service mapped_svc9877


service tcp destination eq 9877


object service real_svcftp


service tcp destination eq ftp


object service mapped_svcftp


service tcp destination eq ftp


object service real_svcftp-data


service tcp destination eq ftp-data


object service mapped_svcftp-data


service tcp destination eq ftp-data


object service mapped_svc3129


service tcp destination eq 3129


object service real_svc12172


service tcp destination eq 12172


object service mapped_svc12172


service tcp destination eq 12172


object service real_svcu12172


service udp destination eq 12172


object service mapped_svcu12172


service udp destination eq 12172


object service mapped_svc3128


service tcp destination eq 3128


object service real_svc9116


service tcp destination eq 9116


object service mapped_svc9116


service tcp destination eq 9116


object service real_svcu9116


service udp destination eq 9116


object service mapped_svcu9116


service udp destination eq 9116


object service real_svc25243


service tcp destination eq 25243


object service mapped_svc25243


service tcp destination eq 25243


object service real_svcu25243


service udp destination eq 25243


object service mapped_svcu25243


service udp destination eq 25243


object service mapped_svc3130


service tcp destination eq 3130


object service real_svc8087


service tcp destination eq 8087


object service mapped_svc1114


service tcp destination eq 1114


object service real_svc12001


service tcp destination eq 12001


object service mapped_svc12001


service tcp destination eq 12001


object service mapped_svc19878


service tcp destination eq 9878


object service real_svc8080


service tcp destination eq 8080


object service mapped_svc18080


service tcp destination eq 8080


object service real_svc4160


service tcp destination eq 4160


object service mapped_svc4160


service tcp destination eq 4160


object service real_svcu4170


service udp destination eq 4170


object service mapped_svcu4170


service udp destination eq 4170


object service real_svc11111


service tcp destination eq 11111


object service mapped_svc11111


service tcp destination eq 11111


object service mapped_svc3127


service tcp destination eq 3127


object service real_svcu11111


service udp destination eq 11111


object service mapped_svcu11111


service udp destination eq 11111


object network local-1-20


host 192.168.1.20


object network remote-lan12


host X.X.X.12


object network local-1-88


host 192.168.1.88


object network local-1-1


host 192.168.1.1


object network local-1-6


host 192.168.1.6


object network local-2-88


host 192.168.2.88


object network local-2-2


host 192.168.2.2


object network local-1-4


host 192.168.1.4


object network local-1-3


host 192.168.1.3


object network local-1-10


host 192.168.1.10


object network remote-lan4


host X.X.X.4


object network remote-lan3


host X.X.X.3


object network remote-lan10


host X.X.X.10


object network local-3-2


host 192.168.3.2


object network local-1-30


host 192.168.1.30


object network remote-lan9


host X.X.X.9


object network local-1-5


host 192.168.1.5


object service mapped_svc9878


service tcp destination eq 9878


object network remote-lan5


host X.X.X.5


object network remote-lan6


host X.X.X.6


object network local-3-5


host 192.168.3.5


object network inside-192.168.1.0


subnet 192.168.1.0 255.255.255.0


object network vpn-192.168.200.0


subnet 192.168.200.0 255.255.255.0


object network NETWORK_OBJ_192.168.200.0_27


subnet 192.168.200.0 255.255.255.0


object service test1207www


service tcp destination eq www


object service test1207mapwww


service tcp destination eq www


object-group network pat-source


network-object 192.168.1.0 255.255.255.0


network-object 192.168.2.0 255.255.255.0


network-object 192.168.3.0 255.255.255.0


network-object 192.168.4.0 255.255.255.0


network-object 192.168.5.0 255.255.255.0


network-object 192.168.6.0 255.255.255.0


network-object 192.168.7.0 255.255.255.0


network-object 192.168.8.0 255.255.255.0


network-object 192.168.200.0 255.255.255.0


object-group service 192.168.1.6-smtp


service-object tcp destination eq pop3


service-object tcp destination eq smtp


access-list 100 extended permit tcp any host 192.168.1.1


access-list 100 extended permit ip any host 192.168.1.1


access-list 100 extended permit icmp any host 192.168.1.1


access-list 100 extended permit tcp any host 192.168.1.6


access-list 100 extended permit ip any host 192.168.1.6


access-list 100 extended permit icmp any host 192.168.1.6


access-list 100 extended permit tcp any host 192.168.1.12


access-list 100 extended permit ip any host 192.168.1.12


access-list 100 extended permit icmp any host 192.168.1.12


access-list 100 extended permit tcp any host 192.168.1.30


access-list 100 extended permit ip any host 192.168.1.30


access-list 100 extended permit icmp any any


access-list 100 extended permit tcp host 61.186.169.129 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.130 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.131 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.132 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.186.169.133 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.129 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.130 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.131 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.132 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.186.169.133 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.129 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.130 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.131 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.132 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.186.169.133 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 183.64.106.194 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 183.64.106.194 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 183.64.106.194 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 183.64.106.195 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 183.64.106.195 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 183.64.106.195 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 14.107.162.32 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 14.107.162.32 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 14.107.162.32 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 14.107.247.121 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 14.107.247.121 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 14.107.247.121 host 192.168.1.2 time-range k3used


access-list 100 extended permit tcp host 61.128.208.106 host 192.168.1.2 time-range k3used


access-list 100 extended permit ip host 61.128.208.106 host 192.168.1.2 time-range k3used


access-list 100 extended permit icmp host 61.128.208.106 host 192.168.1.2 time-range k3used


access-list 100 extended deny tcp any host 192.168.1.2


access-list 100 extended deny ip any host 192.168.1.2


access-list 100 extended deny icmp any host 192.168.1.2


access-list 100 extended permit object-group 192.168.1.6-smtp any object local-1-6


access-list vpn_list extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0


access-list vpn_list extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0


access-list 101 extended deny ip any host 58.215.78.113


access-list 101 extended deny ip any host 61.139.126.81


access-list 101 extended deny ip any host 61.152.94.154


access-list 101 extended permit ip host 192.168.4.2 any


access-list 101 extended permit ip host 192.168.4.3 any


access-list 101 extended permit ip host 192.168.4.4 any


access-list 101 extended permit ip host 192.168.4.5 any


access-list 101 extended permit ip host 192.168.4.7 any


access-list 101 extended permit ip host 192.168.4.8 any


access-list 101 extended permit ip host 192.168.4.9 any


access-list 101 extended permit ip host 192.168.4.10 any


access-list 101 extended permit ip host 192.168.4.11 any


access-list 101 extended permit ip host 192.168.4.12 any


access-list 101 extended permit ip host 192.168.4.13 any


access-list 101 extended permit ip host 192.168.4.14 any


access-list 101 extended permit ip host 192.168.4.15 any


access-list 101 extended permit ip host 192.168.4.16 any


access-list 101 extended permit ip host 192.168.4.18 any


access-list 101 extended permit ip host 192.168.4.19 any


access-list 101 extended permit ip host 192.168.4.20 any


access-list 101 extended permit ip host 192.168.4.180 any


access-list 101 extended deny ip 192.168.4.0 255.255.255.0 any


access-list 101 extended permit ip host 192.168.2.176 any


access-list 101 extended permit icmp any any


access-list 101 extended permit ip host 192.168.2.3 any


access-list 101 extended permit ip host 192.168.2.164 any


access-list 101 extended permit ip host 192.168.2.171 any


access-list 101 extended permit ip host 192.168.2.142 any


access-list 101 extended permit ip host 192.168.2.180 any


access-list 101 extended permit ip host 192.168.2.149 any


access-list 101 extended permit ip host 192.168.2.201 any


access-list 101 extended permit ip host 192.168.2.170 any


access-list 101 extended permit ip host 192.168.2.168 any


access-list 101 extended permit ip host 192.168.2.103 any


access-list 101 extended permit ip host 192.168.2.34 any


access-list 101 extended permit ip host 192.168.2.174 any


access-list 101 extended permit ip host 192.168.2.199 any


access-list 101 extended permit ip host 192.168.2.253 any


access-list 101 extended permit ip host 192.168.2.236 any


access-list 101 extended permit ip host 192.168.2.214 any


access-list 101 extended permit ip host 192.168.2.110 any


access-list 101 extended permit ip host 192.168.2.127 any


access-list 101 extended permit ip host 192.168.2.178 any


access-list 101 extended permit ip host 192.168.2.21 any


access-list 101 extended permit ip host 192.168.2.24 any


access-list 101 extended permit ip host 192.168.2.251 any


access-list 101 extended permit ip host 192.168.2.33 any


access-list 101 extended permit ip host 192.168.2.120 any


access-list 101 extended permit ip host 192.168.2.85 any


access-list 101 extended permit ip host 192.168.2.137 any


access-list 101 extended permit ip host 192.168.2.113 any


access-list 101 extended permit ip host 192.168.2.20 any


access-list 101 extended permit ip host 192.168.2.101 any


access-list 101 extended permit ip host 192.168.2.106 any


access-list 101 extended permit ip host 192.168.2.140 any


access-list 101 extended permit ip host 192.168.2.215 any


access-list 101 extended permit ip host 192.168.2.107 any


access-list 101 extended permit ip host 192.168.2.234 any


access-list 101 extended permit ip host 192.168.2.15 any


access-list 101 extended permit ip host 192.168.2.55 any


access-list 101 extended permit ip host 192.168.2.41 any


access-list 101 extended permit ip host 192.168.2.13 any


access-list 101 extended permit ip host 192.168.2.133 any


access-list 101 extended permit ip host 192.168.2.73 any


access-list 101 extended permit ip host 192.168.2.172 any


access-list 101 extended permit ip host 192.168.2.175 any


access-list 101 extended permit ip host 192.168.2.88 any


access-list 101 extended permit ip host 192.168.2.188 any


access-list 101 extended permit ip host 192.168.2.136 any


access-list 101 extended permit ip host 192.168.2.74 any


access-list 101 extended permit ip host 192.168.2.12 any


access-list 101 extended permit ip host 192.168.2.100 any


access-list 101 extended permit ip host 192.168.2.102 any


access-list 101 extended permit ip host 192.168.2.152 any


access-list 101 extended permit ip host 192.168.2.4 any


access-list 101 extended permit ip host 192.168.2.5 any


access-list 101 extended permit ip host 192.168.2.6 any


access-list 101 extended permit ip host 192.168.2.14 any


access-list 101 extended permit ip host 192.168.2.19 any


access-list 101 extended permit ip host 192.168.2.16 any


access-list 101 extended permit ip host 192.168.2.17 any


access-list 101 extended permit ip host 192.168.2.18 any


access-list 101 extended permit ip host 192.168.2.22 any


access-list 101 extended permit ip host 192.168.2.23 any


access-list 101 extended permit ip host 192.168.2.115 any


access-list 101 extended permit ip host 192.168.2.116 any


access-list 101 extended permit ip host 192.168.2.117 any


access-list 101 extended permit ip host 192.168.2.118 any


access-list 101 extended permit ip host 192.168.2.119 any


access-list 101 extended permit ip host 192.168.2.150 any


access-list 101 extended permit ip host 192.168.2.128 any


access-list 101 extended deny ip 192.168.2.0 255.255.255.0 any


access-list 101 extended permit ip host 192.168.3.2 any


access-list 101 extended permit ip host 192.168.3.3 any


access-list 101 extended permit ip host 192.168.3.4 any


access-list 101 extended permit ip host 192.168.3.5 any


access-list 101 extended permit ip host 192.168.3.6 any


access-list 101 extended permit ip host 192.168.3.7 any


access-list 101 extended permit ip host 192.168.3.8 any


access-list 101 extended permit ip host 192.168.3.9 any


access-list 101 extended permit ip host 192.168.3.10 any


access-list 101 extended permit ip host 192.168.3.11 any


access-list 101 extended permit ip host 192.168.3.12 any


access-list 101 extended permit ip host 192.168.3.13 any


access-list 101 extended permit ip host 192.168.3.14 any


access-list 101 extended permit ip host 192.168.3.15 any


access-list 101 extended permit ip host 192.168.3.16 any


access-list 101 extended permit ip host 192.168.3.17 any


access-list 101 extended permit ip host 192.168.3.18 any


access-list 101 extended permit ip host 192.168.3.19 any


access-list 101 extended permit ip host 192.168.3.20 any


access-list 101 extended permit ip host 192.168.3.21 any


access-list 101 extended permit ip host 192.168.3.22 any


access-list 101 extended permit ip host 192.168.3.23 any


access-list 101 extended permit ip host 192.168.3.24 any


access-list 101 extended permit ip host 192.168.3.25 any


access-list 101 extended permit ip host 192.168.3.26 any


access-list 101 extended permit ip host 192.168.3.27 any


access-list 101 extended permit ip host 192.168.3.28 any


access-list 101 extended permit ip host 192.168.3.29 any


access-list 101 extended permit ip host 192.168.3.30 any


access-list 101 extended permit ip host 192.168.3.31 any


access-list 101 extended permit ip host 192.168.3.32 any


access-list 101 extended permit ip host 192.168.3.33 any


access-list 101 extended permit ip host 192.168.3.34 any


access-list 101 extended permit ip host 192.168.3.35 any


access-list 101 extended permit ip host 192.168.3.36 any


access-list 101 extended permit ip host 192.168.3.37 any


access-list 101 extended permit ip host 192.168.3.38 any


access-list 101 extended permit ip host 192.168.3.39 any


access-list 101 extended permit ip host 192.168.3.40 any


access-list 101 extended permit ip host 192.168.3.41 any


access-list 101 extended permit ip host 192.168.3.42 any


access-list 101 extended permit ip host 192.168.3.43 any


access-list 101 extended permit ip host 192.168.3.86 any


access-list 101 extended permit ip host 192.168.3.88 any


access-list 101 extended permit ip host 192.168.3.89 any


access-list 101 extended permit ip host 192.168.3.56 any


access-list 101 extended permit ip host 192.168.3.55 any


access-list 101 extended permit ip host 192.168.3.96 any


access-list 101 extended permit ip host 192.168.3.97 any


access-list 101 extended permit ip host 192.168.3.98 any


access-list 101 extended permit ip host 192.168.3.116 any


access-list 101 extended permit ip host 192.168.3.111 any


access-list 101 extended permit ip host 192.168.3.175 any


access-list 101 extended permit ip host 192.168.3.176 any


access-list 101 extended permit ip host 192.168.3.201 any


access-list 101 extended permit ip host 192.168.3.202 any


access-list 101 extended permit ip host 192.168.3.203 any


access-list 101 extended permit ip host 192.168.3.204 any


access-list 101 extended permit ip host 192.168.3.205 any


access-list 101 extended permit ip host 192.168.3.206 any


access-list 101 extended permit ip host 192.168.3.207 any


access-list 101 extended permit ip host 192.168.3.208 any


access-list 101 extended permit ip host 192.168.3.209 any


access-list 101 extended permit ip host 192.168.3.210 any


access-list 101 extended permit ip host 192.168.3.213 any


access-list 101 extended permit ip host 192.168.3.214 any


access-list 101 extended permit ip host 192.168.3.215 any


access-list 101 extended permit ip host 192.168.3.101 any


access-list 101 extended permit ip host 192.168.3.102 any


access-list 101 extended permit ip host 192.168.3.103 any


access-list 101 extended permit ip host 192.168.3.106 any


access-list 101 extended permit ip host 192.168.3.107 any


access-list 101 extended permit ip host 192.168.3.152 any


access-list 101 extended permit ip host 192.168.3.151 any


access-list 101 extended permit ip host 192.168.3.153 any


access-list 101 extended permit ip host 192.168.3.195 any


access-list 101 extended permit ip host 192.168.3.45 any


access-list 101 extended permit ip host 192.168.3.46 any


access-list 101 extended permit ip host 192.168.3.199 any


access-list 101 extended permit ip host 192.168.3.157 any


access-list 101 extended deny ip 192.168.3.0 255.255.255.0 any


access-list 101 extended permit tcp any any


access-list 101 extended permit ip any any


access-list 101 extended permit ip 192.168.200.0 255.255.255.0 any


access-list 101 extended permit ip host 192.168.1.6 any


access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0


access-list 2 extended permit ip 192.168.2.0 255.255.255.0 any


access-list 3 extended permit ip 192.168.3.0 255.255.255.0 any


access-list 4 extended permit ip 192.168.4.0 255.255.255.0 any


access-list 500k extended permit ip host X.X.X.1 any


access-list 500k extended permit icmp host X.X.X.1 any


access-list 102 extended permit ip host 192.168.1.6 any


access-list test1207_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0


pager lines 24


logging enable


logging asdm informational


mtu ouside 1500


mtu inside 1500


mtu management 1500


ip local pool vpn_pool 192.168.200.1-192.168.200.20 mask 255.255.255.0


icmp unreachable rate-limit 1 burst-size 1


asdm image disk0:/asdm-66114.bin


no asdm history enable


arp timeout 14400


nat (inside,ouside) source dynamic pat-source interface


nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc8088 mapped_svc8088


nat (inside,ouside) source static local-1-2 remote-lan2 service real_svc3389 mapped_svc8005


nat (inside,ouside) source static local-1-19 remote-lan12 service real_svc3389 mapped_svc8001


nat (inside,ouside) source static local-1-20 remote-lan12 service real_svc3389 mapped_svc8002


nat (inside,ouside) source static local-1-88 remote-lan12 service real_svc3389 mapped_svc12345


nat (inside,ouside) source static local-1-19 remote-lan12 service real_svcwww mapped_svc8056


nat (inside,ouside) source static local-1-1 remote-lan4 service real_svcwww mapped_svcwww


nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcsmtp mapped_svcsmtp


nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcpop3 mapped_svcpop3


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc8086 mapped_svcwww


nat (inside,ouside) source static local-1-1 remote-lan10 service real_svc3389 mapped_svc9876


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc3389 mapped_svc9877


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svcftp mapped_svcftp


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svcftp-data mapped_svcftp-data


nat (inside,ouside) source static local-1-6 remote-lan10 service real_svc3389 mapped_svc3129


nat (inside,ouside) source static local-2-88 remote-lan10 service real_svc12172 mapped_svc12172


nat (inside,ouside) source static local-2-88 remote-lan10 service real_svcu12172 mapped_svcu12172


nat (inside,ouside) source static local-2-2 remote-lan10 service real_svc3389 mapped_svc3128


nat (inside,ouside) source static local-2-2 remote-lan10 service real_svc9116 mapped_svc9116


nat (inside,ouside) source static local-2-2 remote-lan10 service real_svcu9116 mapped_svcu9116


nat (inside,ouside) source static local-1-200 remote-lan10 service real_svcwww mapped_svc1114


nat (inside,ouside) source static local-1-200 remote-lan10 service real_svc12001 mapped_svc12001


nat (inside,ouside) source static local-3-2 remote-lan10 service real_svc25243 mapped_svc25243


nat (inside,ouside) source static local-3-2 remote-lan10 service real_svcu25243 mapped_svcu25243


nat (inside,ouside) source static local-3-2 remote-lan10 service real_svc3389 mapped_svc3130


nat (inside,ouside) source static local-1-6 remote-lan9 service real_svc8087 mapped_svcwww


nat (inside,ouside) source static local-1-30 remote-lan10 service real_svc3389 mapped_svc9878


nat (inside,ouside) source static local-1-30 remote-lan5 service real_svcwww mapped_svcwww


nat (inside,ouside) source static local-1-1 remote-lan4 service real_svc8080 mapped_svc8088


nat (inside,ouside) source static local-1-6 remote-lan6 service real_svc8088 mapped_svcwww


nat (inside,ouside) source static local-1-6 remote-lan3 service real_svcwww mapped_svcwww


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc4160 mapped_svc4160


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svcu4170 mapped_svcu4170


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc11111 mapped_svc11111


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svc3389 mapped_svc3127


nat (inside,ouside) source static local-3-5 remote-lan10 service real_svcu11111 mapped_svcu11111


nat (inside,ouside) source static inside-192.168.1.0 inside-192.168.1.0 destination static vpn-192.168.200.0 vpn-192.168.200.0


nat (inside,ouside) source static inside-192.168.1.0 inside-192.168.1.0 destination static NETWORK_OBJ_192.168.200.0_27 NETWORK_OBJ_192.168.200.0_27 no-proxy-arp route-lookup


access-group 100 in interface ouside


access-group 101 in interface inside


route ouside 0.0.0.0 0.0.0.0 X.X.X.14 1


route inside 192.168.2.0 255.255.255.0 192.168.1.12 1


route inside 192.168.3.0 255.255.255.0 192.168.1.12 1


route inside 192.168.4.0 255.255.255.0 192.168.1.12 1


route inside 192.168.5.0 255.255.255.0 192.168.1.12 1


route inside 192.168.6.0 255.255.255.0 192.168.1.12 1


timeout xlate 3:00:00


timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02


timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00


timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00


timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute


timeout tcp-proxy-reassembly 0:01:00


timeout floating-conn 0:00:00


dynamic-access-policy-record DfltAccessPolicy


user-identity default-domain LOCAL


aaa authentication ssh console LOCAL


http server enable


http 192.168.1.0 255.255.255.0 management


http 0.0.0.0 0.0.0.0 inside


http 0.0.0.0 0.0.0.0 management


http 0.0.0.0 0.0.0.0 ouside


no snmp-server location


no snmp-server contact


snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart


crypto ipsec ikev1 transform-set vpn_set esp-des esp-md5-hmac


crypto dynamic-map vpn_map 10 set pfs group1


crypto dynamic-map vpn_map 10 set ikev1 transform-set vpn_set


crypto dynamic-map vpn_map 10 set reverse-route


crypto map vpnmap 10 ipsec-isakmp dynamic vpn_map


crypto map vpnmap interface ouside


crypto ikev1 enable ouside


crypto ikev1 policy 1


authentication pre-share


encryption des


hash md5


group 2


lifetime 86400


crypto ikev1 policy 10


authentication pre-share


encryption des


hash sha


group 2


lifetime 86400


telnet 0.0.0.0 0.0.0.0 inside


telnet 0.0.0.0 0.0.0.0 management


telnet timeout 5


ssh 0.0.0.0 0.0.0.0 ouside


ssh 0.0.0.0 0.0.0.0 inside


ssh 0.0.0.0 0.0.0.0 management


ssh timeout 5


console timeout 0


threat-detection basic-threat


threat-detection statistics access-list


no threat-detection statistics tcp-intercept


ntp server 192.43.244.18


ssl encryption 3des-sha1


webvpn


group-policy test1207 internal


group-policy test1207 attributes


vpn-tunnel-protocol ikev1


split-tunnel-policy tunnelspecified


group-policy vpnclient internal


group-policy vpnclient attributes


dns-server value 61.128.128.68


vpn-tunnel-protocol ikev1


split-tunnel-policy tunnelspecified


split-tunnel-network-list value vpnclient_splitTunnelAcl


username cisco password 3USUcOPFUiMCO4Jk encrypted


username cisco attributes


vpn-group-policy vpnclient


tunnel-group vpn_group type remote-access


tunnel-group vpn_group general-attributes


address-pool vpn_pool


default-group-policy vpnclient


tunnel-group vpn_group ipsec-attributes


ikev1 pre-shared-key *****


tunnel-group test1207 type remote-access


tunnel-group test1207 general-attributes


address-pool vpn_pool


default-group-policy test1207


tunnel-group test1207 ipsec-attributes


ikev1 pre-shared-key *****


!


class-map inspection_default


match default-inspection-traffic


!


!


policy-map type inspect dns preset_dns_map


parameters


  message-length maximum client auto


  message-length maximum 512


policy-map global_policy


class inspection_default


  inspect dns preset_dns_map


  inspect ftp


  inspect h323 h225


  inspect h323 ras


  inspect rsh


  inspect rtsp


  inspect esmtp


  inspect sqlnet


  inspect skinny


  inspect sunrpc


  inspect xdmcp


  inspect sip


  inspect netbios


  inspect tftp


  inspect ip-options


  inspect icmp

Marvin Rhoads Sat, 12/07/2013 - 11:38

You're welcome.


For your 192.168.1.6 web server, you have the necessary access-list entry and the access-group is applied to the outside interface:


     access-list 100 extended permit tcp any host 192.168.1.6


    access-group 100 in interface ouside


but you seem to have lost the NAT rule you had in the original configuration, according to the latest one you posted:


     nat (inside,ouside) source static inside_192.168.1.6 internal_61.186.236.3
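The checks made by hand in the replies above (a permit entry for the server's real IP, that ACL bound inbound to the outside interface, a static NAT rule for the server, and the VPN pool's NAT exemption) can be run against a saved configuration. This is an added Python example, not code from the thread; the sample configuration is constructed, its public addresses are documentation addresses, and only `any`-source ACL entries (ports ignored) and manual `nat (...) source ...` lines are evaluated.

```python
import ipaddress
import re

# Constructed excerpt in ASA 8.3+ syntax, modelled on the thread's configuration.
# "ouside" is the nameif used in the thread; 203.0.113.4 is a documentation address.
SAMPLE_CONFIG = """
object network local-1-1
 host 192.168.1.1
object network remote-lan4
 host 203.0.113.4
object network local-1-6
 host 192.168.1.6
object network inside-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network vpn-192.168.200.0
 subnet 192.168.200.0 255.255.255.0
access-list 100 extended permit tcp any host 192.168.1.1
access-list 100 extended permit tcp any host 192.168.1.6
nat (inside,ouside) source static local-1-1 remote-lan4 service real_svcwww mapped_svcwww
nat (inside,ouside) source static inside-192.168.1.0 inside-192.168.1.0 destination static vpn-192.168.200.0 vpn-192.168.200.0
access-group 100 in interface ouside
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+)"
                    r"(?: destination static (\S+) (\S+))?")
ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (ip|tcp) any "
                    r"(?:host (\S+)|(any))")
NAT_KEYS = ("real_if", "mapped_if", "kind", "real", "mapped", "dst_mapped", "dst_real")


def parse_objects(config):
    """Map 'object network' names to ip_network values (None if redacted, e.g. X.X.X.4)."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            objects[current] = None
            continue
        m = re.match(r"(host|subnet) (\S+)(?: (\S+))?$", line)
        if m and current:
            addr = m.group(2) if m.group(1) == "host" else f"{m.group(2)}/{m.group(3)}"
            try:
                objects[current] = ipaddress.ip_network(addr)
            except ValueError:
                pass  # masked or malformed address: keep the name without a value
        elif line:
            current = None  # any other non-blank line ends the object block
    return objects


def parse_manual_nat(config):
    """Return manual (twice) NAT rules in configuration order."""
    matches = (NAT_RE.match(line.strip()) for line in config.splitlines())
    return [dict(zip(NAT_KEYS, m.groups())) for m in matches if m]


def acl_action(config, acl, real_ip):
    """First-match action for TCP from any source to real_ip; None if nothing matches."""
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl and (m.group(5) or m.group(4) == real_ip):
            return m.group(2)
    return None


def check_published_server(config, real_ip, outside="ouside"):
    """The three items checked in the reply: ACL entry, access-group, static NAT."""
    objects = parse_objects(config)
    host = ipaddress.ip_network(real_ip)
    m = re.search(rf"^access-group (\S+) in interface {re.escape(outside)}\s*$",
                  config, re.M)
    acl = m.group(1) if m else None
    nat = any(r["kind"] == "static" and r["mapped_if"] == outside
              and r["dst_real"] is None and r["real"] != r["mapped"]
              and objects.get(r["real"]) == host
              for r in parse_manual_nat(config))
    return {"acl_applied": acl is not None,
            "acl_permit": acl is not None and acl_action(config, acl, real_ip) == "permit",
            "static_nat": nat}


def has_vpn_nat_exemption(config, inside_cidr, pool_cidr, outside="ouside"):
    """True if an identity NAT rule covers inside_cidr when the destination is pool_cidr."""
    objects = parse_objects(config)
    inside, pool = ipaddress.ip_network(inside_cidr), ipaddress.ip_network(pool_cidr)
    for r in parse_manual_nat(config):
        src, dst = objects.get(r["real"]), objects.get(r["dst_real"])
        if (r["kind"] == "static" and r["mapped_if"] == outside
                and r["real"] == r["mapped"] and r["dst_real"] is not None
                and r["dst_real"] == r["dst_mapped"]
                and src is not None and dst is not None
                and inside.subnet_of(src) and pool.subnet_of(dst)):
            return True
    return False


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.6"):
        print(ip, check_published_server(SAMPLE_CONFIG, ip))
    print("VPN exemption:",
          has_vpn_nat_exemption(SAMPLE_CONFIG, "192.168.1.0/24", "192.168.200.0/24"))
```

In the constructed sample, 192.168.1.6 has its ACL entry but no static NAT rule, which is the kind of gap the reply points out.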

hailin huang Sat, 12/07/2013 - 19:53

Hi,

In my new config, I have configured both the NAT and the ACL.

My web server's real IP is 192.168.1.1 and the mapping IP is 61.186.236.4.

access-list 100 extended permit tcp any host 192.168.1.1

access-group 100 in interface ouside

nat (inside,ouside) source static local-1-1 remote-lan4 service real_svcwww mapped_svcwww

But my web server still cannot be accessed from the internet at all.
