: Saved
:
ASA Version 8.0(3)
!
hostname ASA
domain-name MYDOMAIN.LOCAL
enable password r9 encrypted
passwd r9 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.190 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name MYDOMAIN.LOCAL
same-security-traffic permit intra-interface
access-list nat extended permit ip 10.0.0.0 255.255.0.0 any
access-list nat extended permit ip 10.1.101.0 255.255.255.0 any
access-list inside_int_in extended permit ip 10.0.0.0 255.255.0.0 10.1.101.0 255.255.255.0
access-list inside_int_in extended permit ip any any
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.1.101.0 255.255.255.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.5.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.50.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.40.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.30.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.20.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 10.60.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.2.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.4.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.40.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.5.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.50.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.6.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 10.60.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.9.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.101.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 access-list nat
access-group inside_int_in in interface inside
!
router eigrp 100
 no auto-summary
 eigrp router-id 10.0.0.190
 network 10.0.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password Qt encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:70f168fb7f7865b304362928257765e4
: end
ASA#

----------------------------------------------------------
-----------------------ASA Packet Trace-------------------
----------------------------------------------------------
ASA# packet-tracer input inside tcp 10.0.0.235 65333 10.1.101.100 3389

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.1.101.0   255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_int_in in interface inside
access-list inside_int_in extended permit ip 10.0.0.0 255.255.0.0 10.1.101.0 255.255.255.0
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SSM-DIVERT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.0.0.0 255.255.0.0 inside 10.1.101.0 255.255.255.0
  NAT exempt
    translate_hits = 6, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
match ip inside 10.1.101.0 255.255.255.0 inside 10.0.0.0 255.255.0.0
  NAT exempt
    translate_hits = 0, untranslate_hits = 6
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 access-list nat
  match ip inside 10.0.0.0 255.255.0.0 inside any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 9, untranslate_hits = 0
Additional Information:

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 access-list nat
  match ip inside 10.0.0.0 255.255.0.0 outside any
    dynamic translation to pool 10 (x.x.x.227 [Interface PAT])
    translate_hits = 183, untranslate_hits = 3
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 10 access-list nat
  match ip inside 10.1.101.0 255.255.255.0 inside any
    dynamic translation to pool 10 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 access-list nat
  match ip inside 10.1.101.0 255.255.255.0 outside any
    dynamic translation to pool 10 (x.x.x.227 [Interface PAT])
    translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 400, packet dispatched to next module

Phase: 14
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.8 using egress ifc inside
adjacency Active
next-hop mac address 0013.19ca.01c1 hits 14

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

ASA#
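The trace above ends in `Action: allow` with the same interface on input and output, a hairpin that this config permits through `same-security-traffic permit intra-interface`. As an added example, not part of the original post, here is a small Python parser for this packet-tracer output format that pulls out the per-phase results, the first non-ALLOW phase (if any), the ACL phases and the hairpin condition from an abridged, constructed copy of the trace:

```python
import re

# Constructed sample: an abridged copy of the trace above (phases 2 and 4-14 omitted).
SAMPLE_TRACE = """\
ASA# packet-tracer input inside tcp 10.0.0.235 65333 10.1.101.100 3389

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_int_in in interface inside
access-list inside_int_in extended permit ip 10.0.0.0 255.255.0.0 10.1.101.0 255.255.255.0
Additional Information:

Result:
input-interface: inside
input-status: up
output-interface: inside
output-status: up
Action: allow
"""

# One phase header: "Phase: N", "Type: T", "Subtype: S", "Result: R" on consecutive lines.
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\nSubtype: ?(.*)\nResult: (\S+)", re.M)

def parse_trace(text):
    """Return (phases, final): one dict per phase, plus the key/value lines of the Result block."""
    phases = [{"phase": int(n), "type": t, "subtype": s, "result": r}
              for n, t, s, r in PHASE_RE.findall(text)]
    # The final block is the only "Result:" line with nothing after the colon.
    tail = text.split("\nResult:\n", 1)[1] if "\nResult:\n" in text else ""
    final = dict(line.split(": ", 1) for line in tail.splitlines() if ": " in line)
    return phases, final

def summarise(text):
    """What a firewall reviewer checks first: verdict, first non-ALLOW phase, ACL phases, hairpin."""
    phases, final = parse_trace(text)
    drops = [p for p in phases if p["result"] != "ALLOW"]
    return {
        "action": final.get("Action"),
        "first_drop": drops[0] if drops else None,
        "acl_phases": [p["phase"] for p in phases if p["type"] == "ACCESS-LIST"],
        "hairpin": final.get("input-interface") == final.get("output-interface"),
    }
```

When `hairpin` is true, confirm the running config still carries `same-security-traffic permit intra-interface`; without it the same packet-tracer run would drop at the route or ACL phase.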