ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traffic

Hi all,

Some might know that I have been dealing with an issue where I cannot seem to get forwarded packets to reach their destinations behind an ASA 5510 that has a Cisco 2811 connected directly behind it.

Some examples that work.

I can SSH into the ASA.

I can SSH to the Cisco Routers behind the ASA.

I cannot reach items behind the Cisco Routers.

My Configuration is this (I am sure I included a bunch of info I didn't need to, but I am hoping it'll help!):

I have a static IP assigned to my Outside Interface Ethernet 0/1

It has an IP address of 199.195.xxx.xxx

I am trying to learn how to shape network traffic (this is all new to me) via the ASA and the Routers to specific devices.

The Inside Interface on the ASA is 10.10.1.1 255.255.255.252

The Outside Interface on the 2811 is 10.10.1.2 255.255.255.252

I can ping the router from the ASA. I can SSH through the ASA to the router.

BUT I CANNOT ACCESS DEVICES BEHIND THE ROUTER.

So, I wanted to BAM that statement above because I just don't know where the issue is. Is the issue on the router or the ASA? My guess is the router, but I just don't know.

Here are my configs; hopefully someone can help.

ASA errors on the ASDM when I try and hit resources; specifically a web device behind the ASA and the 2811. Its IP address is 192.168.1.5 and it's listening on port 80. Static IP, not assigned via DHCP.

Severity  Date         Time      Source       Src Port  Destination  Dst Port  Description
6         Feb 14 2014  19:38:56  98.22.121.x  41164     192.168.1.5  80        Built inbound TCP connection 1922859 for Outside:98.22.121.x/41164 (98.22.121.x/41164) to Inside:192.168.1.5/80 (199.195.168.x/8080)
6         Feb 14 2014  19:38:56  10.10.1.2    80        98.22.121.x  41164     Deny TCP (no connection) from 10.10.1.2/80 to 98.22.121.x/41164 flags SYN ACK  on interface Inside

ASA5510# sh nat

Auto NAT Policies (Section 2)

1 (DMZ) to (Outside) source static ROUTER-2821 interface   service tcp ssh 2222

    translate_hits = 1, untranslate_hits = 18

2 (Inside) to (Outside) source static ROUTER-2811 interface   service tcp ssh 222

    translate_hits = 0, untranslate_hits = 13

3 (VOIP) to (Outside) source static ROUTER-3745 interface   service tcp ssh 2223

    translate_hits = 0, untranslate_hits = 3

4 (Inside) to (Outside) source static RDP-DC1 interface   service tcp 3389 3389

    translate_hits = 0, untranslate_hits = 236

5 (Inside) to (Outside) source static WEBCAM-01 interface   service tcp www 8080

    translate_hits = 0, untranslate_hits = 162

Manual NAT Policies (Section 3)

1 (any) to (Outside) source dynamic PAT-SOURCE interface

    translate_hits = 1056862, untranslate_hits = 83506

ASA5510# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list USERS; 1 elements; name hash: 0x50681c1e

access-list USERS line 1 standard permit 10.10.1.0 255.255.255.0 (hitcnt=0) 0xdd6ba495

access-list Outside_access_in; 5 elements; name hash: 0xe796c137

access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh (hitcnt=37) 0x5a53778d

  access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x host 10.10.1.2 eq ssh (hitcnt=37) 0x5a53778d

access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh (hitcnt=8) 0x9f32bc21

  access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x host 10.10.0.2 eq ssh (hitcnt=8) 0x9f32bc21

access-list Outside_access_in line 3 extended permit tcp host 98.22.121.x interface Outside eq https (hitcnt=0) 0x385488b2

access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x object WEBCAM-01 eq www (hitcnt=60) 0xe66674ec

  access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x host 192.168.1.5 eq www (hitcnt=60) 0xe66674ec

access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389 (hitcnt=3) 0x02f13f4e

  access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x host 192.168.1.2 eq 3389 (hitcnt=3) 0x02f13f4e

access-list dmz-access-vlan1; 1 elements; name hash: 0xc3450860

access-list dmz-access-vlan1 line 1 extended permit ip 128.162.1.0 255.255.255.0 any (hitcnt=0) 0x429fedf1

access-list dmz-access; 3 elements; name hash: 0xf53f5801

access-list dmz-access line 1 remark Permit all traffic to DC1

access-list dmz-access line 2 extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2 (hitcnt=0) 0xd2dced0a

access-list dmz-access line 3 remark Permit only DNS traffic to DNS server

access-list dmz-access line 4 extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain (hitcnt=0) 0xbb21093e

access-list dmz-access line 5 remark Permit ICMP to all devices in DC

access-list dmz-access line 6 extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x71269ef7

CISCO-2811#show access-lists

Standard IP access list 1

    10 permit any (1581021 matches)

CISCO-2811#show translate

CISCO-2811#show route

CISCO-2811#show route-map

CISCO-2811#show host

CISCO-2811#show hosts

Default domain is maladomini.int

Name/address lookup uses domain service

Name servers are 192.168.1.2, 199.195.168.4, 205.171.2.65, 205.171.3.65, 8.8.8.8

Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate

       temp - temporary, perm - permanent

       NA - Not Applicable None - Not defined

Host                      Port  Flags      Age Type   Address(es)

api.mixpanel.com          None  (temp, OK)  2   IP    198.23.64.21

                                                      198.23.64.22

                                                      198.23.64.18

                                                      198.23.64.19

                                                      198.23.64.20

ASA5510:

ASA5510# sh run all

: Saved

:

ASA Version 9.1(4)

!

command-alias exec h help

command-alias exec lo logout

command-alias exec p ping

command-alias exec s show

terminal width 80

hostname ASA5510

domain-name maladomini.int

enable password x encrypted

no fips enable

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

xlate per-session permit tcp any4 any4

xlate per-session permit tcp any4 any6

xlate per-session permit tcp any6 any4

xlate per-session permit tcp any6 any6

xlate per-session permit udp any4 any4 eq domain

xlate per-session permit udp any4 any6 eq domain

xlate per-session permit udp any6 any4 eq domain

xlate per-session permit udp any6 any6 eq domain

passwd x encrypted

names

dns-guard

lacp system-priority 32768

!

interface Ethernet0/0

description LAN Interface

speed auto

duplex auto

no  flowcontrol send on

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

delay 10

!

interface Ethernet0/1

description WAN Interface

speed auto

duplex auto

no  flowcontrol send on

nameif Outside

security-level 0

ip address 199.195.168.xxx 255.255.255.240

delay 10

!

interface Ethernet0/2

description DMZ

speed auto

duplex auto

no  flowcontrol send on

nameif DMZ

security-level 100

ip address 10.10.0.1 255.255.255.252

delay 10

!

interface Ethernet0/3

description VOIP

speed auto

duplex auto

no  flowcontrol send on

nameif VOIP

security-level 100

ip address 10.10.2.1 255.255.255.252

delay 10

!

interface Management0/0

speed auto

duplex auto

management-only

shutdown

nameif management

security-level 0

no ip address

delay 10

!

regex _default_gator "Gator"

regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"

regex _default_shoutcast-tunneling-protocol "1"

regex _default_http-tunnel "[/\\]HT_PortLog.aspx"

regex _default_x-kazaa-network "[\r\n\t ]+[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"

regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"

regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"

regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"

regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"

regex _default_gnu-http-tunnel_arg "crap"

regex _default_icy-metadata "[\r\n\t ]+[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"

regex _default_GoToMyPC-tunnel "machinekey"

regex _default_windows-media-player-tunnel "NSPlayer"

regex _default_yahoo-messenger "YMSG"

regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"

regex _default_firethru-tunnel_1 "firethru[.]com"

checkheaps check-interval 60

checkheaps validate-checksum 60

boot system disk0:/asa914-k8.bin

ftp mode passive

clock timezone UTC 0

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.168.4

name-server 205.171.2.65

name-server 205.171.3.65

domain-name maladomini.int

same-security-traffic permit inter-interface

object service ah pre-defined

service ah

description This is a pre-defined object

object service eigrp pre-defined

service eigrp

description This is a pre-defined object

object service esp pre-defined

service esp

description This is a pre-defined object

object service gre pre-defined

service gre

description This is a pre-defined object

object service icmp pre-defined

service icmp

description This is a pre-defined object

object service icmp6 pre-defined

service icmp6

description This is a pre-defined object

object service igmp pre-defined

service igmp

description This is a pre-defined object

object service igrp pre-defined

service igrp

description This is a pre-defined object

object service ip pre-defined

service ip

description This is a pre-defined object

object service ipinip pre-defined

service ipinip

description This is a pre-defined object

object service ipsec pre-defined

service esp

description This is a pre-defined object

object service nos pre-defined

service nos

description This is a pre-defined object

object service ospf pre-defined

service ospf

description This is a pre-defined object

object service pcp pre-defined

service pcp

description This is a pre-defined object

object service pim pre-defined

service pim

description This is a pre-defined object

object service pptp pre-defined

service gre

description This is a pre-defined object

object service snp pre-defined

service snp

description This is a pre-defined object

object service tcp pre-defined

service tcp

description This is a pre-defined object

object service udp pre-defined

service udp

description This is a pre-defined object

object service tcp-aol pre-defined

service tcp destination eq aol

description This is a pre-defined object

object service tcp-bgp pre-defined

service tcp destination eq bgp

description This is a pre-defined object

object service tcp-chargen pre-defined

service tcp destination eq chargen

description This is a pre-defined object

object service tcp-cifs pre-defined

service tcp destination eq cifs

description This is a pre-defined object

object service tcp-citrix-ica pre-defined

service tcp destination eq citrix-ica

description This is a pre-defined object

object service tcp-ctiqbe pre-defined

service tcp destination eq ctiqbe

description This is a pre-defined object

object service tcp-daytime pre-defined

service tcp destination eq daytime

description This is a pre-defined object

object service tcp-discard pre-defined

service tcp destination eq discard

description This is a pre-defined object

object service tcp-domain pre-defined

service tcp destination eq domain

description This is a pre-defined object

object service tcp-echo pre-defined

service tcp destination eq echo

description This is a pre-defined object

object service tcp-exec pre-defined

service tcp destination eq exec

description This is a pre-defined object

object service tcp-finger pre-defined

service tcp destination eq finger

description This is a pre-defined object

object service tcp-ftp pre-defined

service tcp destination eq ftp

description This is a pre-defined object

object service tcp-ftp-data pre-defined

service tcp destination eq ftp-data

description This is a pre-defined object

object service tcp-gopher pre-defined

service tcp destination eq gopher

description This is a pre-defined object

object service tcp-ident pre-defined

service tcp destination eq ident

description This is a pre-defined object

object service tcp-imap4 pre-defined

service tcp destination eq imap4

description This is a pre-defined object

object service tcp-irc pre-defined

service tcp destination eq irc

description This is a pre-defined object

object service tcp-hostname pre-defined

service tcp destination eq hostname

description This is a pre-defined object

object service tcp-kerberos pre-defined

service tcp destination eq kerberos

description This is a pre-defined object

object service tcp-klogin pre-defined

service tcp destination eq klogin

description This is a pre-defined object

object service tcp-kshell pre-defined

service tcp destination eq kshell

description This is a pre-defined object

object service tcp-ldap pre-defined

service tcp destination eq ldap

description This is a pre-defined object

object service tcp-ldaps pre-defined

service tcp destination eq ldaps

description This is a pre-defined object

object service tcp-login pre-defined

service tcp destination eq login

description This is a pre-defined object

object service tcp-lotusnotes pre-defined

service tcp destination eq lotusnotes

description This is a pre-defined object

object service tcp-nfs pre-defined

service tcp destination eq nfs

description This is a pre-defined object

object service tcp-netbios-ssn pre-defined

service tcp destination eq netbios-ssn

description This is a pre-defined object

object service tcp-whois pre-defined

service tcp destination eq whois

description This is a pre-defined object

object service tcp-nntp pre-defined

service tcp destination eq nntp

description This is a pre-defined object

object service tcp-pcanywhere-data pre-defined

service tcp destination eq pcanywhere-data

description This is a pre-defined object

object service tcp-pim-auto-rp pre-defined

service tcp destination eq pim-auto-rp

description This is a pre-defined object

object service tcp-pop2 pre-defined

service tcp destination eq pop2

description This is a pre-defined object

object service tcp-pop3 pre-defined

service tcp destination eq pop3

description This is a pre-defined object

object service tcp-pptp pre-defined

service tcp destination eq pptp

description This is a pre-defined object

object service tcp-lpd pre-defined

service tcp destination eq lpd

description This is a pre-defined object

object service tcp-rsh pre-defined

service tcp destination eq rsh

description This is a pre-defined object

object service tcp-rtsp pre-defined

service tcp destination eq rtsp

description This is a pre-defined object

object service tcp-sip pre-defined

service tcp destination eq sip

description This is a pre-defined object

object service tcp-smtp pre-defined

service tcp destination eq smtp

description This is a pre-defined object

object service tcp-ssh pre-defined

service tcp destination eq ssh

description This is a pre-defined object

object service tcp-sunrpc pre-defined

service tcp destination eq sunrpc

description This is a pre-defined object

object service tcp-tacacs pre-defined

service tcp destination eq tacacs

description This is a pre-defined object

object service tcp-talk pre-defined

service tcp destination eq talk

description This is a pre-defined object

object service tcp-telnet pre-defined

service tcp destination eq telnet

description This is a pre-defined object

object service tcp-uucp pre-defined

service tcp destination eq uucp

description This is a pre-defined object

object service tcp-www pre-defined

service tcp destination eq www

description This is a pre-defined object

object service tcp-http pre-defined

service tcp destination eq www

description This is a pre-defined object

object service tcp-https pre-defined

service tcp destination eq https

description This is a pre-defined object

object service tcp-cmd pre-defined

service tcp destination eq rsh

description This is a pre-defined object

object service tcp-sqlnet pre-defined

service tcp destination eq sqlnet

description This is a pre-defined object

object service tcp-h323 pre-defined

service tcp destination eq h323

description This is a pre-defined object

object service tcp-udp-cifs pre-defined

service tcp-udp destination eq cifs

description This is a pre-defined object

object service tcp-udp-discard pre-defined

service tcp-udp destination eq discard

description This is a pre-defined object

object service tcp-udp-domain pre-defined

service tcp-udp destination eq domain

description This is a pre-defined object

object service tcp-udp-echo pre-defined

service tcp-udp destination eq echo

description This is a pre-defined object

object service tcp-udp-kerberos pre-defined

service tcp-udp destination eq kerberos

description This is a pre-defined object

object service tcp-udp-nfs pre-defined

service tcp-udp destination eq nfs

description This is a pre-defined object

object service tcp-udp-pim-auto-rp pre-defined

service tcp-udp destination eq pim-auto-rp

description This is a pre-defined object

object service tcp-udp-sip pre-defined

service tcp-udp destination eq sip

description This is a pre-defined object

object service tcp-udp-sunrpc pre-defined

service tcp-udp destination eq sunrpc

description This is a pre-defined object

object service tcp-udp-tacacs pre-defined

service tcp-udp destination eq tacacs

description This is a pre-defined object

object service tcp-udp-www pre-defined

service tcp-udp destination eq www

description This is a pre-defined object

object service tcp-udp-http pre-defined

service tcp-udp destination eq www

description This is a pre-defined object

object service tcp-udp-talk pre-defined

service tcp-udp destination eq talk

description This is a pre-defined object

object service udp-biff pre-defined

service udp destination eq biff

description This is a pre-defined object

object service udp-bootpc pre-defined

service udp destination eq bootpc

description This is a pre-defined object

object service udp-bootps pre-defined

service udp destination eq bootps

description This is a pre-defined object

object service udp-cifs pre-defined

service udp destination eq cifs

description This is a pre-defined object

object service udp-discard pre-defined

service udp destination eq discard

description This is a pre-defined object

object service udp-domain pre-defined

service udp destination eq domain

description This is a pre-defined object

object service udp-dnsix pre-defined

service udp destination eq dnsix

description This is a pre-defined object

object service udp-echo pre-defined

service udp destination eq echo

description This is a pre-defined object

object service udp-www pre-defined

service udp destination eq www

description This is a pre-defined object

object service udp-http pre-defined

service udp destination eq www

description This is a pre-defined object

object service udp-nameserver pre-defined

service udp destination eq nameserver

description This is a pre-defined object

object service udp-kerberos pre-defined

service udp destination eq kerberos

description This is a pre-defined object

object service udp-mobile-ip pre-defined

service udp destination eq mobile-ip

description This is a pre-defined object

object service udp-nfs pre-defined

service udp destination eq nfs

description This is a pre-defined object

object service udp-netbios-ns pre-defined

service udp destination eq netbios-ns

description This is a pre-defined object

object service udp-netbios-dgm pre-defined

service udp destination eq netbios-dgm

description This is a pre-defined object

object service udp-ntp pre-defined

service udp destination eq ntp

description This is a pre-defined object

object service udp-pcanywhere-status pre-defined

service udp destination eq pcanywhere-status

description This is a pre-defined object

object service udp-pim-auto-rp pre-defined

service udp destination eq pim-auto-rp

description This is a pre-defined object

object service udp-radius pre-defined

service udp destination eq radius

description This is a pre-defined object

object service udp-radius-acct pre-defined

service udp destination eq radius-acct

description This is a pre-defined object

object service udp-rip pre-defined

service udp destination eq rip

description This is a pre-defined object

object service udp-secureid-udp pre-defined

service udp destination eq secureid-udp

description This is a pre-defined object

object service udp-sip pre-defined

service udp destination eq sip

description This is a pre-defined object

object service udp-snmp pre-defined

service udp destination eq snmp

description This is a pre-defined object

object service udp-snmptrap pre-defined

service udp destination eq snmptrap

description This is a pre-defined object

object service udp-sunrpc pre-defined

service udp destination eq sunrpc

description This is a pre-defined object

object service udp-syslog pre-defined

service udp destination eq syslog

description This is a pre-defined object

object service udp-tacacs pre-defined

service udp destination eq tacacs

description This is a pre-defined object

object service udp-talk pre-defined

service udp destination eq talk

description This is a pre-defined object

object service udp-tftp pre-defined

service udp destination eq tftp

description This is a pre-defined object

object service udp-time pre-defined

service udp destination eq time

description This is a pre-defined object

object service udp-who pre-defined

service udp destination eq who

description This is a pre-defined object

object service udp-xdmcp pre-defined

service udp destination eq xdmcp

description This is a pre-defined object

object service udp-isakmp pre-defined

service udp destination eq isakmp

description This is a pre-defined object

object service icmp6-unreachable pre-defined

service icmp6 unreachable

description This is a pre-defined object

object service icmp6-packet-too-big pre-defined

service icmp6 packet-too-big

description This is a pre-defined object

object service icmp6-time-exceeded pre-defined

service icmp6 time-exceeded

description This is a pre-defined object

object service icmp6-parameter-problem pre-defined

service icmp6 parameter-problem

description This is a pre-defined object

object service icmp6-echo pre-defined

service icmp6 echo

description This is a pre-defined object

object service icmp6-echo-reply pre-defined

service icmp6 echo-reply

description This is a pre-defined object

object service icmp6-membership-query pre-defined

service icmp6 membership-query

description This is a pre-defined object

object service icmp6-membership-report pre-defined

service icmp6 membership-report

description This is a pre-defined object

object service icmp6-membership-reduction pre-defined

service icmp6 membership-reduction

description This is a pre-defined object

object service icmp6-router-renumbering pre-defined

service icmp6 router-renumbering

description This is a pre-defined object

object service icmp6-router-solicitation pre-defined

service icmp6 router-solicitation

description This is a pre-defined object

object service icmp6-router-advertisement pre-defined

service icmp6 router-advertisement

description This is a pre-defined object

object service icmp6-neighbor-solicitation pre-defined

service icmp6 neighbor-solicitation

description This is a pre-defined object

object service icmp6-neighbor-advertisement pre-defined

service icmp6 neighbor-advertisement

description This is a pre-defined object

object service icmp6-neighbor-redirect pre-defined

service icmp6 neighbor-redirect

description This is a pre-defined object

object service icmp-echo pre-defined

service icmp echo

description This is a pre-defined object

object service icmp-echo-reply pre-defined

service icmp echo-reply

description This is a pre-defined object

object service icmp-unreachable pre-defined

service icmp unreachable

description This is a pre-defined object

object service icmp-source-quench pre-defined

service icmp source-quench

description This is a pre-defined object

object service icmp-redirect pre-defined

service icmp redirect

description This is a pre-defined object

object service icmp-alternate-address pre-defined

service icmp alternate-address

description This is a pre-defined object

object service icmp-router-advertisement pre-defined

service icmp router-advertisement

description This is a pre-defined object

object service icmp-router-solicitation pre-defined

service icmp router-solicitation

description This is a pre-defined object

object service icmp-time-exceeded pre-defined

service icmp time-exceeded

description This is a pre-defined object

object service icmp-parameter-problem pre-defined

service icmp parameter-problem

description This is a pre-defined object

object service icmp-timestamp-request pre-defined

service icmp timestamp-request

description This is a pre-defined object

object service icmp-timestamp-reply pre-defined

service icmp timestamp-reply

description This is a pre-defined object

object service icmp-information-request pre-defined

service icmp information-request

description This is a pre-defined object

object service icmp-information-reply pre-defined

service icmp information-reply

description This is a pre-defined object

object service icmp-mask-request pre-defined

service icmp mask-request

description This is a pre-defined object

object service icmp-mask-reply pre-defined

service icmp mask-reply

description This is a pre-defined object

object service icmp-traceroute pre-defined

service icmp traceroute

description This is a pre-defined object

object service icmp-conversion-error pre-defined

service icmp conversion-error

description This is a pre-defined object

object service icmp-mobile-redirect pre-defined

service icmp mobile-redirect

description This is a pre-defined object

object network ROUTER-2811

host 10.10.1.2

object network ROUTER-2821

host 10.10.0.2

object network WEBCAM-01

host 192.168.1.5

object network DNS-SERVER

host 192.168.1.2

object network ROUTER-3745

host 10.10.2.2

object network RDP-DC1

host 192.168.1.2

object-group network PAT-SOURCE

network-object 10.10.1.0 255.255.255.252

network-object 10.10.0.0 255.255.255.252

network-object 10.10.2.0 255.255.255.252

network-object 192.168.0.0 255.255.255.0

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 128.162.1.0 255.255.255.0

network-object 128.162.10.0 255.255.255.0

network-object 128.162.20.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object host 98.22.121.x

object-group network Outside_access_in

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object gre

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.121.x interface Outside eq https

access-list Outside_access_in extended permit tcp host 98.22.121.x object WEBCAM-01 eq www

access-list Outside_access_in extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffer-size 4096

logging asdm-buffer-size 100

logging asdm informational

logging flash-minimum-free 3076

logging flash-maximum-allocation 1024

logging rate-limit 1 10 message 747001

logging rate-limit 1 1 message 402116

logging rate-limit 1 10 message 620002

logging rate-limit 1 10 message 717015

logging rate-limit 1 10 message 717018

logging rate-limit 1 10 message 201013

logging rate-limit 1 10 message 201012

logging rate-limit 1 1 message 313009

logging rate-limit 100 1 message 750003

logging rate-limit 100 1 message 750002

logging rate-limit 100 1 message 750004

logging rate-limit 1 10 message 419003

logging rate-limit 1 10 message 405002

logging rate-limit 1 10 message 405003

logging rate-limit 1 10 message 421007

logging rate-limit 1 10 message 405001

logging rate-limit 1 10 message 421001

logging rate-limit 1 10 message 421002

logging rate-limit 1 10 message 337004

logging rate-limit 1 10 message 337005

logging rate-limit 1 10 message 337001

logging rate-limit 1 10 message 337002

logging rate-limit 1 60 message 199020

logging rate-limit 1 10 message 337003

logging rate-limit 2 5 message 199011

logging rate-limit 1 10 message 199010

logging rate-limit 1 10 message 337009

logging rate-limit 2 5 message 199012

logging rate-limit 1 10 message 710002

logging rate-limit 1 10 message 209003

logging rate-limit 1 10 message 209004

logging rate-limit 1 10 message 209005

logging rate-limit 1 10 message 431002

logging rate-limit 1 10 message 431001

logging rate-limit 1 1 message 447001

logging rate-limit 1 10 message 110003

logging rate-limit 1 10 message 110002

logging rate-limit 1 10 message 429007

logging rate-limit 1 10 message 216004

logging rate-limit 1 10 message 450001

flow-export template timeout-rate 30

flow-export active refresh-interval 1

mtu Inside 1500

mtu Outside 1500

mtu management 1500

mtu DMZ 1500

mtu VOIP 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Outside

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network WEBCAM-01

nat (Inside,Outside) static interface service tcp www 8080

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

object network RDP-DC1

nat (Inside,Outside) static interface service tcp 3389 3389

!

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

access-group Outside_access_in in interface Outside

ipv6 dhcprelay timeout 60

!

router rip

network 10.0.0.0

version 2

no auto-summary

!

route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1

route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1

route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1

route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1

route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

action continue

no cts server-group

no cts sxp enable

no cts sxp default

no cts sxp default source-ip

cts sxp reconciliation period 120

cts sxp retry period 120

user-identity enable

user-identity domain LOCAL

user-identity default-domain LOCAL

user-identity action mac-address-mismatch remove-user-ip

user-identity inactive-user-timer minutes 60

user-identity poll-import-user-group-timer hours 8

user-identity ad-agent active-user-database full-download

user-identity ad-agent hello-timer seconds 30 retry-times 5

no user-identity user-not-found enable

aaa authentication ssh console LOCAL

http server enable 443

http 0.0.0.0 0.0.0.0 Inside

http 98.22.121.x 255.255.255.255 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no snmp-server enable traps syslog

no snmp-server enable traps ipsec start stop

no snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure

no snmp-server enable traps memory-threshold

no snmp-server enable traps interface-threshold

no snmp-server enable traps remote-access session-threshold-exceeded

no snmp-server enable traps connection-limit-reached

no snmp-server enable traps cpu threshold rising

no snmp-server enable traps ikev2 start stop

no snmp-server enable traps nat packet-discard

snmp-server enable

snmp-server listen-port 161

fragment size 200 Inside

fragment chain 24 Inside

fragment timeout 5 Inside

no fragment reassembly full Inside

fragment size 200 Outside

fragment chain 24 Outside

fragment timeout 5 Outside

no fragment reassembly full Outside

fragment size 200 management

fragment chain 24 management

fragment timeout 5 management

no fragment reassembly full management

fragment size 200 DMZ

fragment chain 24 DMZ

fragment timeout 5 DMZ

no fragment reassembly full DMZ

fragment size 200 VOIP

fragment chain 24 VOIP

fragment timeout 5 VOIP

no fragment reassembly full VOIP

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

sysopt connection permit-vpn

sysopt connection reclassify-vpn

no sysopt connection preserve-vpn-flows

no sysopt radius ignore-secret

no sysopt noproxyarp Inside

no sysopt noproxyarp Outside

no sysopt noproxyarp management

no sysopt noproxyarp DMZ

no sysopt noproxyarp VOIP

service password-recovery

no crypto ipsec ikev2 sa-strength-enforcement

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec security-association replay window-size 64

crypto ipsec security-association pmtu-aging infinite

crypto ipsec fragmentation before-encryption Inside

crypto ipsec fragmentation before-encryption Outside

crypto ipsec fragmentation before-encryption management

crypto ipsec fragmentation before-encryption DMZ

crypto ipsec fragmentation before-encryption VOIP

crypto ipsec df-bit copy-df Inside

crypto ipsec df-bit copy-df Outside

crypto ipsec df-bit copy-df management

crypto ipsec df-bit copy-df DMZ

crypto ipsec df-bit copy-df VOIP

crypto ca trustpool policy

revocation-check none

crl cache-time 60

crl enforcenextupdate

crypto isakmp identity auto

crypto isakmp nat-traversal 20

crypto ikev2 cookie-challenge 50

crypto ikev2 limit max-in-negotiation-sa 100

no crypto ikev2 limit max-sa

crypto ikev2 redirect during-auth

crypto ikev1 limit max-in-negotiation-sa 20

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh 98.22.121.x 255.255.255.255 Outside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

vpn-addr-assign aaa

vpn-addr-assign dhcp

vpn-addr-assign local reuse-delay 0

ipv6-vpn-addr-assign aaa

ipv6-vpn-addr-assign local reuse-delay 0

no vpn-sessiondb max-other-vpn-limit

no vpn-sessiondb max-anyconnect-premium-or-essentials-limit

no remote-access threshold

l2tp tunnel hello 60

!

tls-proxy maximum-session 100

!

threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800

threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640

threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10

threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200

threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160

threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000

threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 24.56.178.140 source Outside prefer

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

ssl certificate-authentication fca-timeout 2

webvpn

memory-size percent 50

port 443

dtls port 443

character-encoding none

no http-proxy

no https-proxy

default-idle-timeout 1800

portal-access-rule none

no csd enable

no anyconnect enable

no tunnel-group-list enable

no tunnel-group-preference group-url

rewrite order 65535 enable resource-mask *

no internal-password

no onscreen-keyboard

no default-language

no smart-tunnel notification-icon

no keepout

cache

  no disable

  max-object-size 1000

  min-object-size 0

  no cache-static-content enable

  lmfactor 20

  expiry-time 1

no auto-signon

no error-recovery disable

no ssl-server-check

no mus password

mus host mus.cisco.com

no hostscan data-limit

: # show import webvpn customization

: Template

: DfltCustomization

: # show import webvpn url-list

: Template

: # show import webvpn translation-table

: Translation Tables' Templates:

:   PortForwarder

:   banners

:   customization

:   url-list

:   webvpn

: Translation Tables:

:   fr                   PortForwarder

:   fr                   customization

:   fr                   webvpn

:   ja                   PortForwarder

:   ja                   customization

:   ja                   webvpn

:   ru                   PortForwarder

:   ru                   customization

:   ru                   webvpn

: # show import webvpn mst-translation

: No MS translation tables defined

: # show import webvpn webcontent

: No custom webcontent is loaded

: # show import webvpn AnyConnect-customization

: No OEM resources defined

: # show import webvpn plug-in

:

group-policy DfltGrpPolicy internal

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-idle-timeout alert-interval 1

vpn-session-timeout none

vpn-session-timeout alert-interval 1

vpn-filter none

ipv6-vpn-filter none

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

ipv6-split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

split-tunnel-all-dns disable

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

client-bypass-protocol disable

gateway-fqdn none

leap-bypass disable

nem disable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

msie-proxy pac-url none

msie-proxy lockdown enable

vlan none

nac-settings none

address-pools none

ipv6-address-pools none

smartcard-removal-disconnect enable

scep-forwarding-url none

client-firewall none

client-access-rule none

webvpn

  url-list none

  filter none

  homepage none

  html-content-filter none

  port-forward name Application Access

  port-forward disable

  http-proxy disable

  sso-server none

  anyconnect ssl dtls enable

  anyconnect mtu 1406

  anyconnect firewall-rule client-interface private none

  anyconnect firewall-rule client-interface public none

  anyconnect keep-installer installed

  anyconnect ssl keepalive 20

  anyconnect ssl rekey time none

  anyconnect ssl rekey method none

  anyconnect dpd-interval client 30

  anyconnect dpd-interval gateway 30

  anyconnect ssl compression none

  anyconnect dtls compression none

  anyconnect modules none

  anyconnect profiles none

  anyconnect ask none

  customization none

  keep-alive-ignore 4

  http-comp gzip

  download-max-size 2147483647

  upload-max-size 2147483647

  post-max-size 2147483647

  user-storage none

  storage-objects value cookies,credentials

  storage-key none

  hidden-shares none

  smart-tunnel disable

  activex-relay enable

  unix-auth-uid 65534

  unix-auth-gid 65534

  file-entry enable

  file-browsing enable

  url-entry enable

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  smart-tunnel auto-signon disable

  anyconnect ssl df-bit-ignore disable

  anyconnect routing-filtering-ignore disable

  smart-tunnel tunnel-policy tunnelall

  always-on-vpn profile-setting

password-policy minimum-length 3

password-policy minimum-changes 0

password-policy minimum-lowercase 0

password-policy minimum-uppercase 0

password-policy minimum-numeric 0

password-policy minimum-special 0

password-policy lifetime 0

no password-policy authenticate-enable

quota management-session 0

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

no accounting-server-group

default-group-policy DfltGrpPolicy

tunnel-group DefaultL2LGroup ipsec-attributes

no ikev1 pre-shared-key

peer-id-validate req

no chain

no ikev1 trust-point

isakmp keepalive threshold 10 retry 2

no ikev2 remote-authentication

no ikev2 local-authentication

tunnel-group DefaultRAGroup type remote-access

tunnel-group DefaultRAGroup general-attributes

no address-pool

no ipv6-address-pool

authentication-server-group LOCAL

secondary-authentication-server-group none

no accounting-server-group

default-group-policy DfltGrpPolicy

no dhcp-server

no strip-realm

no nat-assigned-to-public-ip

no scep-enrollment enable

no password-management

no override-account-disable

no strip-group

no authorization-required

username-from-certificate CN OU

secondary-username-from-certificate CN OU

authentication-attr-from-server primary

authenticated-session-username primary

tunnel-group DefaultRAGroup webvpn-attributes

customization DfltCustomization

authentication aaa

no override-svc-download

no radius-reject-message

no proxy-auth sdi

no pre-fill-username ssl-client

no pre-fill-username clientless

no secondary-pre-fill-username ssl-client

no secondary-pre-fill-username clientless

dns-group DefaultDNS

no without-csd

tunnel-group DefaultRAGroup ipsec-attributes

no ikev1 pre-shared-key

peer-id-validate req

no chain

no ikev1 trust-point

no ikev1 radius-sdi-xauth

isakmp keepalive threshold 300 retry 2

ikev1 user-authentication xauth

no ikev2 remote-authentication

no ikev2 local-authentication

tunnel-group DefaultRAGroup ppp-attributes

no authentication pap

authentication chap

authentication ms-chap-v1

no authentication ms-chap-v2

no authentication eap-proxy

tunnel-group DefaultWEBVPNGroup type remote-access

tunnel-group DefaultWEBVPNGroup general-attributes

no address-pool

no ipv6-address-pool

authentication-server-group LOCAL

secondary-authentication-server-group none

no accounting-server-group

default-group-policy DfltGrpPolicy

no dhcp-server

no strip-realm

no nat-assigned-to-public-ip

no scep-enrollment enable

no password-management

no override-account-disable

no strip-group

no authorization-required

username-from-certificate CN OU

secondary-username-from-certificate CN OU

authentication-attr-from-server primary

authenticated-session-username primary

tunnel-group DefaultWEBVPNGroup webvpn-attributes

customization DfltCustomization

authentication aaa

no override-svc-download

no radius-reject-message

no proxy-auth sdi

no pre-fill-username ssl-client

no pre-fill-username clientless

no secondary-pre-fill-username ssl-client

no secondary-pre-fill-username clientless

dns-group DefaultDNS

no without-csd

tunnel-group DefaultWEBVPNGroup ipsec-attributes

no ikev1 pre-shared-key

peer-id-validate req

no chain

no ikev1 trust-point

no ikev1 radius-sdi-xauth

isakmp keepalive threshold 300 retry 2

ikev1 user-authentication xauth

no ikev2 remote-authentication

no ikev2 local-authentication

tunnel-group DefaultWEBVPNGroup ppp-attributes

no authentication pap

authentication chap

authentication ms-chap-v1

no authentication ms-chap-v2

no authentication eap-proxy

!

class-map type inspect http match-all _default_gator

match request header user-agent regex _default_gator

class-map type inspect http match-all _default_msn-messenger

match response header content-type regex _default_msn-messenger

class-map type inspect http match-all _default_yahoo-messenger

match request body regex _default_yahoo-messenger

class-map type inspect http match-all _default_windows-media-player-tunnel

match request header user-agent regex _default_windows-media-player-tunnel

class-map type inspect http match-all _default_gnu-http-tunnel

match request args regex _default_gnu-http-tunnel_arg

match request uri regex _default_gnu-http-tunnel_uri

class-map type inspect http match-all _default_firethru-tunnel

match request header host regex _default_firethru-tunnel_1

match request uri regex _default_firethru-tunnel_2

class-map type inspect http match-all _default_aim-messenger

match request header host regex _default_aim-messenger

class-map type inspect http match-all _default_http-tunnel

match request uri regex _default_http-tunnel

class-map type inspect http match-all _default_kazaa

match response header regex _default_x-kazaa-network count gt 0

class-map type inspect http match-all _default_shoutcast-tunneling-protocol

match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol

class-map class-default

match any

class-map inspection_default

match default-inspection-traffic

class-map type inspect http match-all _default_GoToMyPC-tunnel

match request args regex _default_GoToMyPC-tunnel

match request uri regex _default_GoToMyPC-tunnel_2

class-map type inspect http match-all _default_httport-tunnel

match request header host regex _default_httport-tunnel

!

!

policy-map type inspect rtsp _default_rtsp_map

description Default RTSP policymap

parameters

policy-map type inspect ipv6 _default_ipv6_map

description Default IPV6 policy-map

parameters

  verify-header type

  verify-header order

match header routing-type range 0 255

  drop log

policy-map type inspect h323 _default_h323_map

description Default H.323 policymap

parameters

  no rtp-conformance

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

  no message-length maximum server

  dns-guard

  protocol-enforcement

  nat-rewrite

  no id-randomization

  no id-mismatch

  no tsig enforced

policy-map type inspect esmtp _default_esmtp_map

description Default ESMTP policy-map

parameters

  mask-banner

  no mail-relay

  no special-character

  no allow-tls

match cmd line length gt 512

  drop-connection log

match cmd RCPT count gt 100

  drop-connection log

match body line length gt 998

  log

match header line length gt 998

  drop-connection log

match sender-address length gt 320

  drop-connection log

match MIME filename length gt 255

  drop-connection log

match ehlo-reply-parameter others

  mask

policy-map type inspect ip-options _default_ip_options_map

description Default IP-OPTIONS policy-map

parameters

  router-alert action allow

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225 _default_h323_map

  inspect h323 ras _default_h323_map

  inspect rsh

  inspect rtsp

  inspect esmtp _default_esmtp_map

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options _default_ip_options_map

  inspect icmp

  inspect icmp error

  inspect pptp

class class-default

policy-map type inspect sip _default_sip_map

description Default SIP policymap

parameters

  im

  no ip-address-privacy

  traffic-non-sip

  no rtp-conformance

policy-map type inspect dns _default_dns_map

description Default DNS policy-map

parameters

  no message-length maximum client

  no message-length maximum

  no message-length maximum server

  dns-guard

  protocol-enforcement

  nat-rewrite

  no id-randomization

  no id-mismatch

  no tsig enforced

policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map

description Default IPSEC-PASS-THRU policy-map

parameters

  esp per-client-max 0 timeout 0:10:00

!

service-policy global_policy global

imap4s

port 993

no server

outstanding 20

name-separator :

server-separator @

authentication-server-group LOCAL

no authorization-server-group

no accounting-server-group

default-group-policy DfltGrpPolicy

no authentication

no authorization-required

authorization-dn-attributes CN OU

pop3s

port 995

no server

outstanding 20

name-separator :

server-separator @

authentication-server-group LOCAL

no authorization-server-group

no accounting-server-group

default-group-policy DfltGrpPolicy

no authentication

no authorization-required

authorization-dn-attributes CN OU

smtps

port 988

no server

outstanding 20

name-separator :

server-separator @

authentication-server-group LOCAL

no authorization-server-group

no accounting-server-group

default-group-policy DfltGrpPolicy

authentication aaa

no authorization-required

authorization-dn-attributes CN OU

prompt hostname context

auto-update device-id hostname

auto-update poll-period 720 0 5

auto-update timeout 0

compression anyconnect-ssl http-comp

no coredump enable

no call-home reporting anonymous

call-home

alert-group all

alert-group-config environment

  threshold cpu 85-90

  threshold memory 85-90

event-queue-size 10

rate-limit 10

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination message-size-limit 3145728

  destination preferred-msg-format xml

  destination transport-method http

  subscribe-to-alert-group diagnostic severity informational

  subscribe-to-alert-group environment severity informational

  subscribe-to-alert-group inventory severity informational periodic monthly 26

  subscribe-to-alert-group configuration export minimum periodic monthly 26

  subscribe-to-alert-group telemetry severity informational periodic daily

password encryption aes

Cryptochecksum:6f99e1277a392a926d04735c7f6a8c50

: end

Cisco 2811:

CISCO-2811#sh run all

Building configuration...

Current configuration with default configurations exposed : 35894 bytes

!

! Last configuration change at 23:24:57 UTC Mon Feb 3 2014 by redacted

version 15.1

parser cache

parser config partition

parser command serializer

downward-compatible-config 15.1

no service log backtrace

no service config

no service exec-callback

no service nagle

service slave-log

no service slave-coredump

no service pad to-xot

no service pad from-xot

no service pad cmns

service pad

no service telnet-zeroidle

no service tcp-keepalives-in

no service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

no service exec-wait

no service linenumber

no service internal

no service scripting

no service compress-config

service prompt config

no service old-slip-prompts

no service pt-vty-logging

no service disable-ip-fast-frag

no service sequence-numbers

no service call-home

!

hostname CISCO-2811

!

boot-start-marker

boot system flash

boot-end-marker

!

shell processing

!

no logging discriminator

logging exception 4096

no logging count

no logging message-counter log

no logging message-counter debug

logging message-counter syslog

no logging snmp-authfail

no logging userinfo

logging buginf

logging queue-limit 100

logging queue-limit esm 0

logging queue-limit trap 100

logging buffered 0 debugging

logging reload message-limit 1000 notifications

no logging persistent

logging rate-limit console 10 except errors

logging console guaranteed

logging console debugging

logging monitor debugging

logging cns-events informational

logging on

enable Redacted

!

autoupgrade disk-cleanup crashinfo

autoupgrade disk-cleanup core

autoupgrade disk-cleanup image

ipc holdq threshold upper 0

ipc holdq threshold lower 0

ipc header-cache permanent 1000 100

ipc buffers max-free 8

ipc buffers min-free 1

ipc buffers permanent 2

aaa new-model

!

!

aaa authentication attempts login 3

aaa accounting jitter maximum 300

!

port 1645

!

!

!

port 1700

!

aaa session-id common

aaa memory threshold authentication reject 3

aaa memory threshold accounting disable 2

ethernet cfm ieee

ethernet cfm alarm notification mac-remote-error-xcon

ethernet cfm alarm delay 2500

ethernet cfm alarm reset 10000

ppp hold-queue 2800

!

process cpu extended history 12

process cpu autoprofile hog

cef table consistency-check IPv4 type scan-rib-ios count 1000 period 60

cef table consistency-check IPv4 type scan-ios-rib count 1000 period 60

no cef table consistency-check IPv4 data-checking

no cef table consistency-check IPv4 error-message

cef table consistency-check IPv4 auto-repair delay 10 holddown 300

cef table vrf tree IPv4 type MTRIE short-mask-protection 4 stride-pattern 8-8-8-8 hardware-api-notify off

cef table output-chain build favor default

cef table rate-monitor-period 5

errdisable detect cause all

errdisable recovery interval 300

network-clock-switch 10 10

!

dot11 syslog

dot11 activity-timeout unknown default 60

dot11 activity-timeout client default 60

dot11 activity-timeout repeater default 60

dot11 activity-timeout workgroup-bridge default 60

dot11 activity-timeout bridge default 60

dot11 aaa csid default

call-home

alert-group configuration

alert-group environment

alert-group inventory

alert-group syslog

rate-limit 20

profile "CiscoTAC-1"

  no active

  destination preferred-msg-format xml

  destination message-size-limit 3145728

  no destination transport-method http

  destination transport-method email

  destination address email callhome@cisco.com

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  subscribe-to-alert-group environment severity minor

  subscribe-to-alert-group syslog severity major pattern ".*"

  subscribe-to-alert-group configuration periodic monthly 21 13:47

  subscribe-to-alert-group inventory periodic monthly 21 13:32

prompt config hostname-length 20

ip subnet-zero

no ip source-route

ip routing protocol purge interface

ip arp queue 512

ip icmp redirect subnet

ip spd queue threshold minimum 73 maximum 74

ip verify drop-rate compute window 300

ip verify drop-rate compute interval 30

ip verify drop-rate notify hold-down 300

!

!

no ip nbar bypass

ip nbar resources system 30 4236 128

ip nbar port-map edonkey tcp 4662

ip nbar port-map kazaa2 tcp 80

ip nbar port-map gnutella udp 6346 6347 6348

ip nbar port-map gnutella tcp 6346 6347 6348 6349 6355 5634

ip nbar port-map fasttrack tcp 1214

ip nbar port-map citrix udp 1604

ip nbar port-map citrix tcp 2598 2512 2513 1494

ip nbar port-map http tcp 80

ip nbar port-map sap tcp 3200 3300 3600

ip nbar port-map telepresence-control tcp 5060

ip nbar port-map microsoftds udp 445

ip nbar port-map microsoftds tcp 445

ip nbar port-map blizwow udp 3724

ip nbar port-map blizwow tcp 3724

ip nbar port-map youtube tcp 80

ip nbar port-map cisco-phone udp 5060

ip nbar port-map cisco-phone tcp 2000 2001 2002 5060

ip nbar port-map cifs tcp 445 139

ip nbar port-map aol-messenger tcp 5190 1080 443

ip nbar port-map yahoo-messenger tcp 80 119 1080 5050 5101

ip nbar port-map msn-messenger tcp 80 1863 1080

ip nbar port-map dns udp 53

ip nbar port-map dns tcp 53

ip nbar port-map smtp tcp 25 587

ip nbar port-map directconnect tcp 411 412 413

ip nbar port-map bittorrent udp 3724

ip nbar port-map bittorrent tcp 3724 1080 6969 6881 6882 6883 6884 6885 6886 6887 6888 6889

ip nbar port-map winmx tcp 6699

ip nbar port-map sip udp 5060

ip nbar port-map sip tcp 5060

ip nbar port-map h323 udp 1300 1718 1719 1720 11720

ip nbar port-map h323 tcp 1300 1718 1719 1720 11000 - 11999

ip nbar port-map skinny tcp 2000 2001 2002

ip nbar port-map mgcp udp 2427 2727

ip nbar port-map mgcp tcp 2427 2428 2727

ip nbar port-map rtsp tcp 554 8554

ip nbar port-map custom-10 udp

ip nbar port-map custom-10 tcp

ip nbar port-map custom-09 udp

ip nbar port-map custom-09 tcp

ip nbar port-map custom-08 udp

ip nbar port-map custom-08 tcp

ip nbar port-map custom-07 udp

ip nbar port-map custom-07 tcp

ip nbar port-map custom-06 udp

ip nbar port-map custom-06 tcp

ip nbar port-map custom-05 udp

ip nbar port-map custom-05 tcp

ip nbar port-map custom-04 udp

ip nbar port-map custom-04 tcp

ip nbar port-map custom-03 udp

ip nbar port-map custom-03 tcp

ip nbar port-map custom-02 udp

ip nbar port-map custom-02 tcp

ip nbar port-map custom-01 udp

ip nbar port-map custom-01 tcp

ip nbar port-map streamwork udp 1558

ip nbar port-map sunrpc udp 111

ip nbar port-map sunrpc tcp 111

ip nbar port-map netshow tcp 1755

ip nbar port-map rcmd tcp 512 513 514

ip nbar port-map sqlnet tcp 1521

ip nbar port-map vdolive tcp 7000

ip nbar port-map exchange tcp 135

ip nbar port-map tftp udp 69

ip nbar port-map nntp udp 119

ip nbar port-map nntp tcp 119

ip nbar port-map socks tcp 1080

ip nbar port-map netbios udp 137 138

ip nbar port-map netbios tcp 139 137

ip nbar port-map secure-http tcp 443

ip nbar port-map submit tcp 773

ip nbar port-map tacacs udp 49 65

ip nbar port-map tacacs tcp 49 65

ip nbar port-map corba-iiop udp 683 684

ip nbar port-map corba-iiop tcp 683 684

ip nbar port-map vnc udp 5800 5900 5901

ip nbar port-map vnc tcp 5800 5900 5901

ip nbar port-map novadigm udp 3460 3461 3462 3463 3464 3465

ip nbar port-map novadigm tcp 3460 3461 3462 3463 3464 3465

ip nbar port-map xwindows tcp 6000 6001 6002 6003

ip nbar port-map shell tcp 514

ip nbar port-map syslog udp 514

ip nbar port-map snmp udp 161 162

ip nbar port-map snmp tcp 161 162

ip nbar port-map rsvp udp 1698 1699

ip nbar port-map pcanywhere udp 22 5632

ip nbar port-map pcanywhere tcp 65301 5631

ip nbar port-map kerberos udp 88 749

ip nbar port-map kerberos tcp 88 749

ip nbar port-map secure-imap udp 585 993

ip nbar port-map secure-imap tcp 585 993

ip nbar port-map imap udp 143 220

ip nbar port-map imap tcp 143 220

ip nbar port-map dhcp udp 67 68

ip nbar port-map cuseeme udp 7648 7649 24032

ip nbar port-map cuseeme tcp 7648 7649

ip nbar port-map ftp tcp 21

ip cef optimize neighbor resolution

ip cef

no ip cef accounting

ip cef load-sharing algorithm universal 309C488F

ip dhcp relay information policy replace

ip dhcp relay information check

ip dhcp use class

no ip dhcp use vrf connected

ip dhcp binding cleanup interval 120

ip dhcp compatibility suboption link-selection cisco

ip dhcp conflict logging

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 172.16.10.1 172.16.10.49

ip dhcp excluded-address 172.16.20.1 172.16.20.49

ip dhcp ping packets 2

ip dhcp ping timeout 500

!

ip dhcp pool Mitchs_Network

network 192.168.1.0 255.255.255.0

dns-server 192.168.1.2 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 192.168.1.1

!

ip dhcp pool VLAN10

network 172.16.10.0 255.255.255.0

default-router 172.16.10.1

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

!

ip dhcp pool VLAN20

network 172.16.20.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 172.16.20.1

!

!

!

no ip sctp asconf auto

ip sctp asconf authenticate check

no ip sctp authenticate data

no ip sctp authenticate init

no ip sctp authenticate init-ack

no ip sctp authenticate sack

no ip sctp authenticate heartbeat

no ip sctp authenticate heartbeat-ack

no ip sctp authenticate abort

no ip sctp authenticate shutdown

no ip sctp authenticate shutdown-ack

no ip sctp authenticate error

no ip sctp authenticate cookie-echo

no ip sctp authenticate cookie-ack

no ip sctp authenticate ecne

no ip sctp authenticate cwr

no ip sctp authenticate shutdown-complete

no ip sctp authenticate authentication

no ip sctp authenticate 16

no ip sctp authenticate 17

no ip sctp authenticate 18

no ip sctp authenticate 19

no ip sctp authenticate 20

no ip sctp authenticate 21

no ip sctp authenticate 22

no ip sctp authenticate 23

no ip sctp authenticate 24

no ip sctp authenticate 25

no ip sctp authenticate 26

no ip sctp authenticate 27

no ip sctp authenticate 28

no ip sctp authenticate 29

no ip sctp authenticate 30

no ip sctp authenticate 31

no ip sctp authenticate 32

no ip sctp authenticate 33

no ip sctp authenticate 34

no ip sctp authenticate 35

no ip sctp authenticate 36

no ip sctp authenticate 37

no ip sctp authenticate 38

no ip sctp authenticate 39

no ip sctp authenticate 40

no ip sctp authenticate 41

no ip sctp authenticate 42

no ip sctp authenticate 43

no ip sctp authenticate 44

no ip sctp authenticate 45

no ip sctp authenticate 46

no ip sctp authenticate 47

no ip sctp authenticate 48

no ip sctp authenticate 49

no ip sctp authenticate 50

no ip sctp authenticate 51

no ip sctp authenticate 52

no ip sctp authenticate 53

no ip sctp authenticate 54

no ip sctp authenticate 55

no ip sctp authenticate 56

no ip sctp authenticate 57

no ip sctp authenticate 58

no ip sctp authenticate 59

no ip sctp authenticate 60

no ip sctp authenticate 61

no ip sctp authenticate 62

no ip sctp authenticate 63

no ip sctp authenticate 64

no ip sctp authenticate 65

no ip sctp authenticate 66

no ip sctp authenticate 67

no ip sctp authenticate 68

no ip sctp authenticate 69

no ip sctp authenticate 70

no ip sctp authenticate 71

no ip sctp authenticate 72

no ip sctp authenticate 73

no ip sctp authenticate 74

no ip sctp authenticate 75

no ip sctp authenticate 76

no ip sctp authenticate 77

no ip sctp authenticate 78

no ip sctp authenticate 79

no ip sctp authenticate 80

no ip sctp authenticate 81

no ip sctp authenticate 82

no ip sctp authenticate 83

no ip sctp authenticate 84

no ip sctp authenticate 85

no ip sctp authenticate 86

no ip sctp authenticate 87

no ip sctp authenticate 88

no ip sctp authenticate 89

no ip sctp authenticate 90

no ip sctp authenticate 91

no ip sctp authenticate 92

no ip sctp authenticate 93

no ip sctp authenticate 94

no ip sctp authenticate 95

no ip sctp authenticate 96

no ip sctp authenticate 97

no ip sctp authenticate 98

no ip sctp authenticate 99

no ip sctp authenticate 100

no ip sctp authenticate 101

no ip sctp authenticate 102

no ip sctp authenticate 103

no ip sctp authenticate 104

no ip sctp authenticate 105

no ip sctp authenticate 106

no ip sctp authenticate 107

no ip sctp authenticate 108

no ip sctp authenticate 109

no ip sctp authenticate 110

no ip sctp authenticate 111

no ip sctp authenticate 112

no ip sctp authenticate 113

no ip sctp authenticate 114

no ip sctp authenticate 115

no ip sctp authenticate 116

no ip sctp authenticate 117

no ip sctp authenticate 118

no ip sctp authenticate 119

no ip sctp authenticate 120

no ip sctp authenticate 121

no ip sctp authenticate 122

no ip sctp authenticate 123

no ip sctp authenticate 124

no ip sctp authenticate 125

no ip sctp authenticate 126

no ip sctp authenticate 127

no ip sctp authenticate packet-drop

no ip sctp authenticate stream-reset

no ip sctp authenticate 131

no ip sctp authenticate 132

no ip sctp authenticate 133

no ip sctp authenticate 134

no ip sctp authenticate 135

no ip sctp authenticate 136

no ip sctp authenticate 137

no ip sctp authenticate 138

no ip sctp authenticate 139

no ip sctp authenticate 140

no ip sctp authenticate 141

no ip sctp authenticate 142

no ip sctp authenticate 143

no ip sctp authenticate 145

no ip sctp authenticate 146

no ip sctp authenticate 147

no ip sctp authenticate 148

no ip sctp authenticate 149

no ip sctp authenticate 150

no ip sctp authenticate 151

no ip sctp authenticate 152

no ip sctp authenticate 153

no ip sctp authenticate 154

no ip sctp authenticate 155

no ip sctp authenticate 156

no ip sctp authenticate 157

no ip sctp authenticate 158

no ip sctp authenticate 159

no ip sctp authenticate 160

no ip sctp authenticate 161

no ip sctp authenticate 162

no ip sctp authenticate 163

no ip sctp authenticate 164

no ip sctp authenticate 165

no ip sctp authenticate 166

no ip sctp authenticate 167

no ip sctp authenticate 168

no ip sctp authenticate 169

no ip sctp authenticate 170

no ip sctp authenticate 171

no ip sctp authenticate 172

no ip sctp authenticate 173

no ip sctp authenticate 174

no ip sctp authenticate 175

no ip sctp authenticate 176

no ip sctp authenticate 177

no ip sctp authenticate 178

no ip sctp authenticate 179

no ip sctp authenticate 180

no ip sctp authenticate 181

no ip sctp authenticate 182

no ip sctp authenticate 183

no ip sctp authenticate 184

no ip sctp authenticate 185

no ip sctp authenticate 186

no ip sctp authenticate 187

no ip sctp authenticate 188

no ip sctp authenticate 189

no ip sctp authenticate 190

no ip sctp authenticate 191

no ip sctp authenticate fwd-tsn

no ip sctp authenticate 194

no ip sctp authenticate 195

no ip sctp authenticate 196

no ip sctp authenticate 197

no ip sctp authenticate 198

no ip sctp authenticate 199

no ip sctp authenticate 200

no ip sctp authenticate 201

no ip sctp authenticate 202

no ip sctp authenticate 203

no ip sctp authenticate 204

no ip sctp authenticate 205

no ip sctp authenticate 206

no ip sctp authenticate 207

no ip sctp authenticate 208

no ip sctp authenticate 209

no ip sctp authenticate 210

no ip sctp authenticate 211

no ip sctp authenticate 212

no ip sctp authenticate 213

no ip sctp authenticate 214

no ip sctp authenticate 215

no ip sctp authenticate 216

no ip sctp authenticate 217

no ip sctp authenticate 218

no ip sctp authenticate 219

no ip sctp authenticate 220

no ip sctp authenticate 221

no ip sctp authenticate 222

no ip sctp authenticate 223

no ip sctp authenticate 224

no ip sctp authenticate 225

no ip sctp authenticate 226

no ip sctp authenticate 227

no ip sctp authenticate 228

no ip sctp authenticate 229

no ip sctp authenticate 230

no ip sctp authenticate 231

no ip sctp authenticate 232

no ip sctp authenticate 233

no ip sctp authenticate 234

no ip sctp authenticate 235

no ip sctp authenticate 236

no ip sctp authenticate 237

no ip sctp authenticate 238

no ip sctp authenticate 239

no ip sctp authenticate 240

no ip sctp authenticate 241

no ip sctp authenticate 242

no ip sctp authenticate 243

no ip sctp authenticate 244

no ip sctp authenticate 245

no ip sctp authenticate 246

no ip sctp authenticate 247

no ip sctp authenticate 248

no ip sctp authenticate 249

no ip sctp authenticate 250

no ip sctp authenticate 251

no ip sctp authenticate 252

no ip sctp authenticate 253

no ip sctp authenticate 254

no ip sctp authenticate 255

ip flow-cache entries 4096

ip flow-cache timeout inactive 15

ip flow-cache timeout active 30

ip bootp server

ip domain name maladomini.int

ip name-server 192.168.1.2

ip name-server 199.195.168.4

ip name-server 205.171.2.65

ip name-server 205.171.3.65

ip name-server 8.8.8.8

ip sap cache-timeout 1440

ip multicast route-limit 2147483647

ip mfib

ip pgm host ttl 255

ip pgm host stream-type apdu

ip pgm host nak-gen-ivl 60000

ip pgm host nak-rb-ivl 500

ip pgm host nak-rpt-ivl 2000

ip pgm host nak-rdata-ivl 2000

ip pgm host rx-buffer-mgmt minimum

ip pgm host tpdu-size 1400

ip pgm host ihb-min 1000

ip pgm host ihb-max 10000

ip pgm host join 0

ip pgm host spm-ambient-ivl 6000

ip pgm host txw-adv-secs 6000

ip pgm host txw-adv-timeout-max 3600000

ip pgm host txw-rte 16384

ip pgm host txw-secs 30000

ip pgm host ncf-max 4294967295

ip pgm host spm-rpt-ivl 3000

ip pgm host tx-buffer-mgmt return

ip pgm host txw-adv-method time

ip pgm router elimination-interval 2

ip ips memory threshold 14

ip dhcp-server query lease retries 2

ip dhcp-server query lease timeout 10

ip dhcp-client broadcast-flag

ip dhcp-client default-router distance 254

ip igmp snooping vlan 1

ip igmp snooping vlan 1 mrouter learn pim-dvmrp

ip igmp snooping

ip igmp ssm-map query dns

kerberos timeout 15

kerberos retry 4

kerberos processes 1

ntp max-associations 100

no vlan accounting input

!

multilink virtual-template 0

multilink bundle-name authenticated

!

cwmp agent

no enable download

no enable

request outstanding 5

parameter change notify interval 60

session retry limit 11

management server username 00000C-SICCO2811V03-FTX1041A07T

no management server password

no management server url

no provision code

no connection request username

no connection request password

no wan ipaddress

!

parameter-map type inspect default

audit-trail off

alert on

sessions maximum 2147483647

max-incomplete low 2147483647

max-incomplete high 2147483647

one-minute low 2147483647

one-minute high 2147483647

udp idle-time 30

icmp idle-time 10

dns-timeout 5

tcp idle-time 3600

tcp finwait-time 5

tcp synwait-time 30

tcp max-incomplete host 4294967295 block-time 0

parameter-map type ooo global

tcp reassembly timeout 5

tcp reassembly queue length 16

tcp reassembly memory limit 1024

isis display delimiter return 1

frame-relay address registration auto-address

mls qos map cos-dscp 0 8 16 26 32 46 48 56

!

password encryption aes

no virtual-template subinterface

no virtual-template snmp

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1290569776

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1290569776

revocation-check none

rsakeypair TP-self-signed-1290569776

!

!

crypto pki certificate chain TP-self-signed-1290569776

certificate self-signed 01


        quit

no snap notification exclude service acl

no snap notification exclude service eem

no snap notification exclude service snapt

!

!

port-channel load-balance src-dst-ip

license udi pid CISCO2811 sn FTX1041A07T

license agent max-sessions 9

license agent default authenticate

license call-home url https://tools.cisco.com/SWIFT/Licensing

memory check-interval 60

memory statistics history table 24

memory validate-checksum 60

memory lite

memory reserve console 0

memory chunk siblings threshold 10000

file prompt alert

emm clear 1b5b324a1b5b303b30480d

vtp file flash:vlan.dat

vtp mode server

vtp version 1

username Redacted

username Redacted

!

redundancy

no maintenance-mode

scripting tcl low-memory 33095074

scripting tcl trustpoint untrusted terminate

no scripting tcl secure-mode

!

process-max-time 200

!

no ip finger

no ip tcp ecn

no ip tcp selective-ack

no ip tcp timestamp

ip tcp delayed-ack

ip tcp chunk-size 0

ip tcp mss 0

ip tcp window-size 4128

ip tcp queuemax 20

ip tcp synwait-time 30

no ip tcp path-mtu-discovery

no ip tcp async-mobility server

ip tcp RST-count 10 RST-window 5000

ip telnet tos C0

ip telnet timeout retransmit 0

no ip telnet quiet

no ip telnet hidden hostnames

no ip telnet hidden addresses

ip telnet comport enable

ip telnet comport flow level 16

ip telnet comport receive window 4128

ip telnet comport disconnect delay 0

ip ftp passive

ip tftp min-timeout 3000

no ip tftp claim-netascii

ip ssh time-out 60

ip ssh authentication-retries 5

ip ssh break-string ~break

ip ssh version 2

ip ssh dh min size 1024

ip rcmd domain-lookup

!

crypto engine software ipsec

crypto ctcp keepalive 5

crypto isakmp aggressive-mode disable

crypto ipsec optional retry 300

!

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec security-association lifetime seconds 3600

no crypto ipsec security-association replay disable

crypto ipsec security-association replay window-size 64

!

crypto ipsec default transform-set

crypto ipsec nat-transparency udp-encapsulation

!

crypto call admission limit ike sa 0

crypto call admission limit ike in-negotiation-sa 1000

crypto call admission limit ipsec sa 0

crypto mib ipsec flowmib history tunnel size 200

crypto mib ipsec flowmib history failure size 200

buffers element permanent 500

buffers element minimum 100

buffers header permanent 768

buffers header max-free 1024

buffers header min-free 128

buffers header initial 0

buffers fastswitching permanent 768

buffers fastswitching max-free 1024

buffers fastswitching min-free 128

buffers fastswitching initial 0

buffers small permanent 50

buffers small max-free 150

buffers small min-free 20

buffers small initial 0

buffers middle permanent 25

buffers middle max-free 150

buffers middle min-free 10

buffers middle initial 0

buffers big permanent 50

buffers big max-free 150

buffers big min-free 5

buffers big initial 0

buffers verybig permanent 10

buffers verybig max-free 100

buffers verybig min-free 0

buffers verybig initial 0

buffers large permanent 0

buffers large max-free 10

buffers large min-free 0

buffers large initial 0

buffers huge permanent 0

buffers huge max-free 4

buffers huge min-free 0

buffers huge size 18024

buffers huge initial 0

no buffers tune automatic

buffers FastEthernet0/0 permanent 384

buffers FastEthernet0/0 max-free 384

buffers FastEthernet0/0 min-free 0

buffers FastEthernet0/0 initial 0

buffers FastEthernet0/1 permanent 384

buffers FastEthernet0/1 max-free 384

buffers FastEthernet0/1 min-free 0

buffers FastEthernet0/1 initial 0

!

!

!

!

interface FastEthernet0/0

description CONNECTION TO INSIDE INT. OF ASA

mtu 1500

ip address 10.10.1.2 255.255.255.252

ip redirects

ip proxy-arp

ip load-sharing per-destination

ip cef accounting non-recursive internal

ip pim dr-priority 1

ip pim query-interval 30

ip nat outside

ip mfib forwarding input

ip mfib forwarding output

ip mfib cef input

ip mfib cef output

ip virtual-reassembly in

ip route-cache cef

ip split-horizon

ip igmp last-member-query-interval 1000

ip igmp last-member-query-count 2

ip igmp query-max-response-time 10

ip igmp version 2

ip igmp query-interval 60

ip igmp tcn query count 2

ip igmp tcn query interval 10

load-interval 300

duplex auto

speed auto

dot1q tunneling ethertype 0x8100

snmp trap link-status

max-reserved-bandwidth 75

hold-queue 75 in

hold-queue 0 out

no bgp-policy accounting input

no bgp-policy accounting output

no bgp-policy accounting input source

no bgp-policy accounting output source

no bgp-policy source ip-prec-map

no bgp-policy source ip-qos-map

no bgp-policy destination ip-prec-map

no bgp-policy destination ip-qos-map

!

interface FastEthernet0/1

mtu 1500

no ip address

ip redirects

ip proxy-arp

ip load-sharing per-destination

ip cef accounting non-recursive internal

ip pim dr-priority 1

ip pim query-interval 30

ip nat inside

ip mfib forwarding input

ip mfib forwarding output

ip mfib cef input

ip mfib cef output

ip virtual-reassembly in

ip route-cache cef

ip split-horizon

ip igmp last-member-query-interval 1000

ip igmp last-member-query-count 2

ip igmp query-max-response-time 10

ip igmp version 2

ip igmp query-interval 60

ip igmp tcn query count 2

ip igmp tcn query interval 10

load-interval 300

duplex auto

speed auto

dot1q tunneling ethertype 0x8100

snmp trap link-status

max-reserved-bandwidth 75

hold-queue 75 in

hold-queue 0 out

no bgp-policy accounting input

no bgp-policy accounting output

no bgp-policy accounting input source

no bgp-policy accounting output source

no bgp-policy source ip-prec-map

no bgp-policy source ip-qos-map

no bgp-policy destination ip-prec-map

no bgp-policy destination ip-qos-map

!

interface FastEthernet0/1.1

description VLAN 10

encapsulation dot1Q 10

ip address 172.16.10.1 255.255.255.0

ip redirects

ip proxy-arp

ip load-sharing per-destination

ip cef accounting non-recursive internal

ip pim dr-priority 1

ip pim query-interval 30

ip nat inside

ip mfib forwarding input

ip mfib forwarding output

ip mfib cef input

ip mfib cef output

ip rip initial-delay 0

ip rip advertise 30

ip rip authentication mode text

ip virtual-reassembly in

ip split-horizon

ip igmp last-member-query-interval 1000

ip igmp last-member-query-count 2

ip igmp query-max-response-time 10

ip igmp version 2

ip igmp query-interval 60

ip igmp tcn query count 2

ip igmp tcn query interval 10

no snmp trap link-status

no bgp-policy accounting input

no bgp-policy accounting output

no bgp-policy accounting input source

no bgp-policy accounting output source

no bgp-policy source ip-prec-map

no bgp-policy source ip-qos-map

no bgp-policy destination ip-prec-map

no bgp-policy destination ip-qos-map

!

interface FastEthernet0/1.2

description VLAN 20

encapsulation dot1Q 20

ip address 172.16.20.1 255.255.255.0

ip redirects

ip proxy-arp

ip load-sharing per-destination

ip cef accounting non-recursive internal

ip pim dr-priority 1

ip pim query-interval 30

ip nat inside

ip mfib forwarding input

ip mfib forwarding output

ip mfib cef input

ip mfib cef output

ip rip initial-delay 0

ip rip advertise 30

ip rip authentication mode text

ip virtual-reassembly in

ip split-horizon

ip igmp last-member-query-interval 1000

ip igmp last-member-query-count 2

ip igmp query-max-response-time 10

ip igmp version 2

ip igmp query-interval 60

ip igmp tcn query count 2

ip igmp tcn query interval 10

no snmp trap link-status

no bgp-policy accounting input

no bgp-policy accounting output

no bgp-policy accounting input source

no bgp-policy accounting output source

no bgp-policy source ip-prec-map

no bgp-policy source ip-qos-map

no bgp-policy destination ip-prec-map

no bgp-policy destination ip-qos-map

!

interface FastEthernet0/1.3

description Trunk Interface VLAN 1

encapsulation dot1Q 1 native

ip address 192.168.1.1 255.255.255.0

ip redirects

ip proxy-arp

ip load-sharing per-destination

ip cef accounting non-recursive internal

ip pim dr-priority 1

ip pim query-interval 30

ip nat inside

ip mfib forwarding input

ip mfib forwarding output

ip mfib cef input

ip mfib cef output

ip rip initial-delay 0

ip rip advertise 30

ip rip authentication mode text

ip virtual-reassembly in

ip split-horizon

ip igmp last-member-query-interval 1000

ip igmp last-member-query-count 2

ip igmp query-max-response-time 10

ip igmp version 2

ip igmp query-interval 60

ip igmp tcn query count 2

ip igmp tcn query interval 10

no snmp trap link-status

no bgp-policy accounting input

no bgp-policy accounting output

no bgp-policy accounting input source

no bgp-policy accounting output source

no bgp-policy source ip-prec-map

no bgp-policy source ip-qos-map

no bgp-policy destination ip-prec-map

no bgp-policy destination ip-qos-map

!

interface Dialer0

mtu 1500

no ip address

ip redirects

ip proxy-arp

ip load-sharing per-destination

ip cef accounting non-recursive internal

ip pim dr-priority 1

ip pim query-interval 30

ip mfib forwarding input

ip mfib forwarding output

ip mfib cef input

ip mfib cef output

ip route-cache cef

ip split-horizon

ip igmp last-member-query-interval 1000

ip igmp last-member-query-count 2

ip igmp query-max-response-time 10

ip igmp version 2

ip igmp query-interval 60

ip igmp tcn query count 2

ip igmp tcn query interval 10

load-interval 300

dot1q tunneling ethertype 0x8100

snmp trap link-status

max-reserved-bandwidth 75

hold-queue 75 in

hold-queue 0 out

no bgp-policy accounting input

no bgp-policy accounting output

no bgp-policy accounting input source

no bgp-policy accounting output source

no bgp-policy source ip-prec-map

no bgp-policy source ip-qos-map

no bgp-policy destination ip-prec-map

no bgp-policy destination ip-qos-map

!

router rip

version 2

validate-update-source

timers basic 30 180 180 240

network 172.16.0.0 mask 255.255.0.0

network 192.168.1.0 mask 255.255.255.0

network 199.195.168.0 mask 255.255.255.0

maximum-paths 4

input-queue 150

distance 120

no auto-summary

!

ip default-gateway 10.10.1.1

ip classless

ip forward-protocol nd

no ip http server

ip http port 80

ip http authentication local

ip http secure-server

ip http secure-port 443

ip http secure-active-session-modules all

ip http max-connections 5

ip http timeout-policy idle 180 life 180 requests 1

ip http active-session-modules all

ip http digest algorithm md5

ip http client cache memory pool 100

ip http client cache memory file 2

ip http client cache ager interval 5

ip http client connection timeout 10

ip http client connection retry 1

ip http client connection pipeline-length 5

ip http client connection idle timeout 30

ip http client response timeout 30

ip http path

!

!

ip dns server

ip pim dm-fallback

ip pim autorp

ip pim bidir-offer-interval 100 msec

ip pim bidir-offer-limit 3

ip pim v1-rp-reachability

ip pim log-neighbor-changes

ip msdp timer 30

ip rtcp report interval 5000

ip rtcp sub-rtcp message-type 209

ip nat inside source list 1 interface FastEthernet0/0 overload

ip route static adjust-time 60

ip route static inter-vrf

ip route 0.0.0.0 0.0.0.0 10.10.1.1

ip ospf name-lookup

ip rsvp policy cops timeout 300

ip rsvp authentication type md5

ip rsvp pq-profile 12288 592 110

ip rsvp signalling initial-retransmit-delay 1000

ip rsvp signalling refresh reduction ack-delay 250

ip rsvp signalling refresh interval 30000

ip rsvp signalling refresh misses 4

no ip identd

no ip access-list helper egress check

!

ip prefix-list sequence-number

ip sla responder twamp

timeout 900

ip sla low-memory 28001275

ip sla server twamp

port 862

timer inactivity 900

logging policy-firewall rate-limit 30

logging history size 1

logging history warnings

logging trap informational

logging delimiter tcp

no logging origin-id

logging facility local7

no logging source-interface

access-list 1 permit any

dialer-list 1 protocol ip permit

ethernet cfm mep crosscheck start-delay 30

mac-address-table aging-time 300

cdp run

terminal-queue entry-retry-interval 60

!

!

!

snmp-server inform retries 3 timeout 15 pending 25

snmp mib event sample minimum 60

snmp mib event sample instance maximum 0

snmp mib expression delta minimum 1

snmp mib expression delta wildcard maximum 0

snmp mib nhrp

snmp mib notification-log globalsize 500

snmp mib notification-log globalageout 15

!

tftp-server system:running-config 1

tacacs-server cache expiry 24 enforce hours

!

radius-server attribute 77 include-in-acct-req

radius-server attribute 77 include-in-access-req

radius-server attribute 11 default direction out

radius-server attribute nas-port format a

radius-server attribute 31 mac format default

radius-server cache expiry 24 enforce hours

radius-server transaction max-tries 8

radius-server retransmit 3

radius-server timeout 5

radius-server ipc-limit in 10

radius-server ipc-limit done 10

!

!

control-plane

!

!

vstack join-window mode auto

alias exec h help

alias exec lo logout

alias exec p ping

alias exec r resume

alias exec s show

alias exec u undebug

alias exec un undebug

alias exec w where

no configuration mode exclusive

default-value exec-character-bits 7

default-value special-character-bits 7

default-value data-character-bits 8

!

line con 0

exec-timeout 0 0

timeout login response 30

privilege level 1

password Redacted

flush-at-activation

logout-warning 20

absolute-timeout 0

modem answer-timeout 15

modem dtr-delay 5

data-character-bits 8

exec-character-bits 7

special-character-bits 7

length 24

width 80

history size 20

databits 8

stopbits 2

start-character 17

stop-character 19

speed 9600

line aux 0

exec-timeout 10 0

timeout login response 30

privilege level 1

flush-at-activation

logout-warning 20

absolute-timeout 0

modem answer-timeout 15

modem dtr-delay 5

data-character-bits 8

exec-character-bits 7

special-character-bits 7

length 24

width 80

history size 20

callback forced-wait 4

callback nodsr-wait 5000

databits 8

stopbits 2

start-character 17

stop-character 19

speed 9600

line vty 0 4

access-class 20 in

exec-timeout 0 0

timeout login response 30

privilege level 1

password Redacted

flush-at-activation

logout-warning 20

absolute-timeout 0

modem answer-timeout 15

modem dtr-delay 5

data-character-bits 8

exec-character-bits 7

special-character-bits 7

length 24

width 80

history size 20

transport input ssh

start-character 17

stop-character 19

!

exception-slave core-file CISCO-2811-core

exception-slave protocol tftp

exception protocol tftp

exception region-size 131072

exception crashinfo file flash:crashinfo

exception crashinfo buffersize 32

exception crashinfo maximum files 1

no exception crashinfo dump garbage-detector

monitor event-trace stacktrace

monitor event-trace timestamps datetime msec

scheduler max-task-time 2000

scheduler process-watchdog normal

scheduler allocate 20000 1000

ntp maxdistance 8

ntp broadcastdelay 0

cns id hostname

cns id hostname event

cns id hostname image

cns image retry 60

netconf max-sessions 4

netconf lock-time 10

netconf max-message 0

wsma id hostname

event manager scheduler script thread class default number 1

event manager scheduler applet thread class default number 32

event manager scheduler call-home thread class default number 32

event manager scheduler shell thread class default number 1

event manager scheduler shell thread class Z number 1

event manager history size events 10

event manager history size traps 10

event manager detector rpc max-sessions 4

event manager detector routing bootup-delay 0

!

webvpn sslvpn-vif nat outside

!

webvpn sslvpn-vif nat inside

!

webvpn sslvpn-vif nat enable

!

no webvpn cef

end

Accepted Solutions
Super Bronze

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Hi,

Ok, this new output helped out a lot.

What we are essentially seeing is that the ASA is not doing any translation for this traffic. Even though there is a NAT configuration clearly set for all the LAN networks, it seems the ASA completely ignores it. What makes it strange is the fact that the NAT seems to work just fine for your Router's link network when the Dynamic PAT is enabled on the Router.

The "show conn all" output is something that I see every now and then and it's always a problem with either the ASA routing (or rather routing towards the ASA from the WAN) or missing NAT configuration. You see plenty of DNS queries that don't go through and also some TCP connections that time out with SYN Timeout.

If you can I would next suggest that you change the Dynamic PAT rule on the ASA and then remove the NAT configuration again on the Router.

nat (any,Outside) after-auto source dynamic any interface

no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

The NAT configuration we add should enable Dynamic PAT on the ASA for any source address. The next command will remove the current Dynamic PAT configuration with the "PAT-SOURCE" object.

I am not sure why it's not being matched but it's starting to seem like a bug, and a major bug really, since this should be a very basic configuration. This is the very basic configuration type we use on our firewalls. If there is a major bug in the 9.1(4) software that somehow prevents this from working correctly then it's a good thing to know. I will probably have to test this out myself also.

So can you try removing the Router NAT configurations again and then changing the NAT configuration on the ASA as described above?

- Jouni

Super Bronze

ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traff

Hi,

The only thing we did was remove Dynamic PAT from the Router and change the Dynamic PAT on the ASA to somewhat identical configuration to the previous to get it working.

I am not sure how this would affect anything that was in use before.

I am not sure between which devices you use the VPN. I am not personally familiar with L2TP as I have never used it/configured it.

- Jouni

24 REPLIES
Super Bronze

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Hi,

Can you rather edit the above post and copy/paste the output of "show run" instead of "show run all", as they show way too many configurations that don't play a role in this situation and make the actual setup extremely hard to read.

I remember answering some previous thread and it seems to me that the same situation that I suggested avoiding still is present in the configuration.

That situation is the fact that you are running Dynamic Routing protocols on a small network where you could handle everything needed with default routes towards the ASA interface from the router (I presume that each router is directly connected to the ASA and there are no connections directly from Router to Router) and on the ASA have routes for all the local networks pointing towards their appropriate ASA interface and next hop IP address located on the Router.

You are also doing NAT on the internal router, which does not make sense as there is no real need to perform NAT anywhere else than on the device that is on the edge of the network. Also, doing Dynamic PAT for the network 192.168.1.0/24 towards the ASA breaks any connectivity the external hosts on the Internet can have to these hosts.

So again, please remove the Dynamic Routing and configure Static Routing instead and remove any NAT configurations on the router.

I could take a look at the configurations if you could post the outputs of "show run".

- Jouni

Super Bronze

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Also,

The log messages you posted show the problem with the Router NAT configuration.

A connection comes from the external network and is untranslated to point to 192.168.1.5 port TCP/80. The connection goes to the internal server, but the return message through the Router gets PATed to the interface IP address of the Router that is facing the ASA. The ASA does not recognize this as part of an existing connection as it's expecting the reply from the 192.168.1.5 IP address and not 10.10.1.2. It then drops that packet.

- Jouni
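
The drop described above, modelled as an added example that is not part of this thread: a minimal stateful connection table is built from the ASA's own "Built inbound TCP connection" message quoted in the original post, and the webcam's SYN/ACK is then checked against it both with and without the router's Dynamic PAT. The parser, the `router_pat` helper and the `ConnTable` class are constructed for this example; the real ASA conn lookup is more elaborate than a plain 5-tuple match.

```python
"""Why the ASA drops the webcam's reply when the 2811 also does Dynamic PAT.

Added example, not code from the thread. The ASA connection table is modelled
as a plain forward/reverse 5-tuple match; the real ASA conn lookup is more
elaborate, but the mismatch shown here is the one the Deny message reports.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the syslog line quoted in the original post (the "x" octets
# are the poster's own redactions and are kept as-is).
BUILT_LOG = (
    "Built inbound TCP connection 1922859 for Outside:98.22.121.x/41164 "
    "(98.22.121.x/41164) to Inside:192.168.1.5/80 (199.195.168.x/8080)"
)

# Shape of the ASA "Built ... TCP connection" message: real/real to real/mapped.
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<in_if>\w+):(?P<src>[\d.x]+)/(?P<sport>\d+) \([\d.x]+/\d+\) to "
    r"(?P<out_if>\w+):(?P<dst>[\d.x]+)/(?P<dport>\d+) \([\d.x]+/\d+\)"
)


@dataclass(frozen=True)
class Flow:
    """Real (post-NAT) addresses of one direction of a TCP connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> Flow:
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def parse_built(line: str) -> tuple[int, Flow, str]:
    """Extract the conn id, the forward flow (real addresses) and egress interface."""
    m = BUILT_RE.search(line)
    if m is None:
        raise ValueError(f"not a Built TCP connection message: {line!r}")
    flow = Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return int(m["cid"]), flow, m["out_if"]


class ConnTable:
    """Stateful table keyed by the forward 5-tuple, as the ASA builds it."""

    def __init__(self) -> None:
        self._conns: dict[Flow, int] = {}

    def add_from_log(self, line: str) -> int:
        cid, flow, _ = parse_built(line)
        self._conns[flow] = cid
        return cid

    def match_reply(self, reply: Flow) -> Optional[int]:
        # A reply belongs to a conn only if its reversed tuple is a known forward flow.
        return self._conns.get(reply.reverse())


def router_pat(src_ip: str, src_port: int, fa00_ip: str = "10.10.1.2") -> tuple[str, int]:
    """Model of 'ip nat inside source list 1 interface FastEthernet0/0 overload'
    on the 2811: every inside source is rewritten to the Fa0/0 address. The port
    is kept unchanged here because the thread's Deny message shows 10.10.1.2/80."""
    return fa00_ip, src_port


def verdict(table: ConnTable, reply: Flow, iface: str = "Inside") -> str:
    """Return the ASA's decision in the wording of its syslog messages."""
    cid = table.match_reply(reply)
    if cid is None:
        return (f"Deny TCP (no connection) from {reply.src_ip}/{reply.src_port} "
                f"to {reply.dst_ip}/{reply.dst_port} flags SYN ACK on interface {iface}")
    return f"reply matched connection {cid}"


def simulate(router_pat_enabled: bool) -> str:
    """Build the conn from the thread's log, then send the webcam's SYN/ACK back."""
    table = ConnTable()
    _, forward, _ = parse_built(BUILT_LOG)
    table.add_from_log(BUILT_LOG)
    src_ip, src_port = forward.dst_ip, forward.dst_port      # 192.168.1.5/80
    if router_pat_enabled:
        src_ip, src_port = router_pat(src_ip, src_port)       # becomes 10.10.1.2/80
    reply = Flow(src_ip, src_port, forward.src_ip, forward.src_port)
    return verdict(table, reply)


if __name__ == "__main__":
    print("router PAT on : ", simulate(True))
    print("router PAT off: ", simulate(False))
```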

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Yes, here is the show run. You have mentioned those suggestions, but I can't seem to get the proper statements set up. When I try and modify them to what I think they should be, I lose all connectivity. I am just learning this, so when you make statements like:

"So again, please remove the Dynamic Routing and configure Static Routing instead and remove any NAT configurations on the router."

I know it's simple and I would probably agree if I knew how and where to make those statements, but alas, I can't seem to make the correct ones. That's why I have been making and reading different things for the last few weeks trying NOT to come back and ask for specifics, but I can't seem to get them myself.

I have also had replies to leave the PAT statements so that even confuses me more. I am very sorry, I hate to ask. I like to learn this on my own but sometimes I just get stuck and seeing the statements that should be there help me understand what I was missing.

ASA5510# show run

: Saved

:

ASA Version 9.1(4)

!

hostname ASA5510

domain-name maladomini.int

enable password Redacted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd redacted encrypted

names

dns-guard

!

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

!

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.195.168.x 255.255.255.240

!

interface Ethernet0/2

description DMZ

nameif DMZ

security-level 100

ip address 10.10.0.1 255.255.255.252

!

interface Ethernet0/3

description VOIP

nameif VOIP

security-level 100

ip address 10.10.2.1 255.255.255.252

!

interface Management0/0

management-only

shutdown

nameif management

security-level 0

no ip address

!

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.168.4

name-server 205.171.2.65

name-server 205.171.3.65

domain-name maladomini.int

same-security-traffic permit inter-interface

object network ROUTER-2811

host 10.10.1.2

object network ROUTER-2821

host 10.10.0.2

object network WEBCAM-01

host 192.168.1.5

object network DNS-SERVER

host 192.168.1.2

object network ROUTER-3745

host 10.10.2.2

object network RDP-DC1

host 192.168.1.2

object-group network PAT-SOURCE

network-object 10.10.1.0 255.255.255.252

network-object 10.10.0.0 255.255.255.252

network-object 10.10.2.0 255.255.255.252

network-object 192.168.0.0 255.255.255.0

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 128.162.1.0 255.255.255.0

network-object 128.162.10.0 255.255.255.0

network-object 128.162.20.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2

network-object host 98.22.121.x

object-group network Outside_access_in

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object gre

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh

access-list Outside_access_in extended permit tcp host 98.22.121.x interface Outside eq https

access-list Outside_access_in extended permit tcp host 98.22.121.x object WEBCAM-01 eq www

access-list Outside_access_in extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389

access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any

access-list dmz-access remark Permit all traffic to DC1

access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2

access-list dmz-access remark Permit only DNS traffic to DNS server

access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain

access-list dmz-access remark Permit ICMP to all devices in DC

access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

mtu DMZ 1500

mtu VOIP 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any Outside

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network ROUTER-2811

nat (Inside,Outside) static interface service tcp ssh 222

object network ROUTER-2821

nat (DMZ,Outside) static interface service tcp ssh 2222

object network WEBCAM-01

nat (Inside,Outside) static interface service tcp www 8080

object network ROUTER-3745

nat (VOIP,Outside) static interface service tcp ssh 2223

object network RDP-DC1

nat (Inside,Outside) static interface service tcp 3389 3389

!

nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

access-group Outside_access_in in interface Outside

!

router rip

network 10.0.0.0

version 2

no auto-summary

!

route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1

route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1

route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1

route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1

route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

http 98.22.121.x 255.255.255.255 Outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh 98.22.121.x 255.255.255.255 Outside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 24.56.178.140 source Outside prefer

username redacted encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

  inspect pptp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:6f99e1277a392a926d04735c7f6a8c50

: end

Cisco 2811:

CISCO-2811#sh run

Building configuration...

Current configuration : 4778 bytes

!

! Last configuration change at 23:24:57 UTC Mon Feb 3 2014

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname CISCO-2811

!

boot-start-marker

boot system flash

boot-end-marker

!

!

enable redacted

!

aaa new-model

!

!

!

!

!

!

!

aaa session-id common

!

!

dot11 syslog

no ip source-route

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 172.16.10.1 172.16.10.49

ip dhcp excluded-address 172.16.20.1 172.16.20.49

!

ip dhcp pool Mitchs_Network

network 192.168.1.0 255.255.255.0

dns-server 192.168.1.2 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 192.168.1.1

!

ip dhcp pool VLAN10

network 172.16.10.0 255.255.255.0

default-router 172.16.10.1

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

!

ip dhcp pool VLAN20

network 172.16.20.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 172.16.20.1

!

!

!

ip domain name maladomini.int

ip name-server 192.168.1.2

ip name-server 199.195.168.4

ip name-server 205.171.2.65

ip name-server 205.171.3.65

ip name-server 8.8.8.8

no vlan accounting input

!

multilink bundle-name authenticated

!

!

password encryption aes

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1290569776

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1290569776

revocation-check none

rsakeypair TP-self-signed-1290569776

!

!

crypto pki certificate chain TP-self-signed-1290569776

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31323930 35363937 3736301E 170D3134 30313035 30363130

  33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32393035

  36393737 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B18F F63C5121 00785DE0 854601BA EE77DAA3 21286D8C 6E700C37 237CC1BE

  611023AF FBE04BBE 7B4B3233 E4E129DD A74604E5 62AA39BF 77F98D5D D63944E9

  2345AE37 D93C5753 E425E85A EB22C2C9 CFC5D1A0 F800449B 0419A5C8 A0A101EC

  02928172 7B30A609 71ADA3D4 68F4F484 AF2B3249 0E225DB2 C72C136A E670D761

  DDE30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 1461F6DE 8EF50F7B 0E46359F 421EA106 9375F65F 30301D06

  03551D0E 04160414 61F6DE8E F50F7B0E 46359F42 1EA10693 75F65F30 300D0609

  2A864886 F70D0101 05050003 81810049 BA55F695 8525265F ED2D77EE 8706BF10

  63A7E644 202F6663 9EA5551F 47F7FC50 D4021EDD E3DC5A80 39FD161A C337D20D

  71B98875 0F1FE887 649E81D3 F93F7A1B A1E18B99 A77B1A59 84DB4711 867913FD

  044084FB 651ECA6E C6EDF35C E43A2946 8C01781E 26DB9484 C8740A82 4A7CA266

  A0655526 CBCB4982 F30D68E9 D70753

        quit

!

!

license udi pid CISCO2811 sn FTX1041A07T

username redacted

username redacted

!

redundancy

!

!

ip ssh time-out 60

ip ssh authentication-retries 5

ip ssh version 2

!

!

!

!

!

!

!

interface FastEthernet0/0

description CONNECTION TO INSIDE INT. OF ASA

ip address 10.10.1.2 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1.1

description VLAN 10

encapsulation dot1Q 10

ip address 172.16.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet0/1.2

description VLAN 20

encapsulation dot1Q 20

ip address 172.16.20.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface FastEthernet0/1.3

description Trunk Interface VLAN 1

encapsulation dot1Q 1 native

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Dialer0

no ip address

!

router rip

version 2

network 172.16.0.0

network 192.168.1.0

network 199.195.168.0

no auto-summary

!

ip default-gateway 10.10.1.1

ip forward-protocol nd

no ip http server

ip http authentication local

ip http secure-server

!

!

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 10.10.1.1

ip ospf name-lookup

!

access-list 1 permit any

dialer-list 1 protocol ip permit

!

!

!

!

tftp-server system:running-config 1

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

password Redacted

line aux 0

line vty 0 4

access-class 20 in

exec-timeout 0 0

password Redacted

transport input ssh

!

scheduler allocate 20000 1000

end

Super Bronze

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Hi,

So we could have a look at the Routing/NAT/etc between the ASA and this Router (only).

You basically have all the static routes present on both devices that are needed between the ASA and the Router.

The Router has these LAN networks behind it

  • 192.168.1.0/24
  • 172.16.10.0/24
  • 172.16.20.0/24

The ASA has the correct routes for these networks that are pointing towards the Router behind the "Inside" interface

route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1

route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1

route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1

I, however, don't have any idea what these networks are:

route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1

They have a "route" on the ASA, but I can't see them on the Router, and to my understanding there is no other Router directly connected to this one? So the question is, are these needed at all?

Your Router also has a default route towards the ASA:

ip route 0.0.0.0 0.0.0.0 10.10.1.1

So all in all the Static Routes you have should be fine for the ASA and Router to know where to forward traffic.

With regards to NAT the ASA seems to have the proper configurations so that each LAN network has a Dynamic PAT configuration and should therefore have a public IP address when they access the Internet.

On the Router you also have a Dynamic PAT configured

ip nat inside source list 1 interface FastEthernet0/0 overload

This configuration together with the ACL 1 and the "ip nat inside" and "ip nat outside" configurations essentially do a Dynamic PAT that translates all the networks 192.168.1.0/24, 172.16.10.0/24 and 172.16.20.0/24 to the IP address 10.10.1.2 when they connect towards the ASA.

The ASA will, in other words, see all the connections coming from that IP address 10.10.1.2. It won't see anything from the internal networks directly.

While the above might work OK for any outbound connections formed from those LAN networks, it will break connectivity to all those networks from other networks behind the ASA. This is because the Router sees a connection coming to one of its LAN networks, and when that return packet comes through the Router it translates that source address (like 192.168.1.5) to the IP address 10.10.1.2, and therefore essentially prevents any connection forming from remote networks to these LAN networks.

If you have the same kind of Dynamic PAT on each of your Routers, it will mean that LAN networks behind different Routers won't be able to connect with each other.

Naturally you seem to have a switched network behind the Router also. So you will have to make sure that the Trunk interface on the switch is configured correctly and includes all the Vlan IDs configured on the Router interface also.

To my eye, in the above setup the main problem is the Dynamic PAT on the Router. I am not sure what the purpose of it would be. I have never configured Dynamic PAT on a customer LAN router that is connected to a firewall. There is simply no need for it, as we have no need to mask the IP address of the LAN users towards other LAN networks. The only real need to NAT the source IP address is when the host is connecting to the public network.

Removing the NAT or changing the routing configurations should naturally be done when you are also able to have local console access to the device, in case something goes wrong.

- Jouni
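
The failure Jouni describes above is the one in the ASA log at the top of the thread ("Built inbound TCP connection ... to Inside:192.168.1.5/80" followed by "Deny TCP (no connection) from 10.10.1.2/80 ... flags SYN ACK"). The following is an added example, not configuration or code from the thread or from Cisco: a small Python model of the ASA's connection table and the 2811's overload PAT that replays one inbound handshake to the webcam with the router PAT on and then off. The webcam (192.168.1.5:80, published on port 8080) and the router address 10.10.1.2 are taken from the posted configs; the public addresses are constructed placeholders, because the thread redacts them as 199.195.168.x and 98.22.121.x.

```python
"""Why a dynamic PAT on the LAN router breaks inbound connections through
the ASA.  Added example, not configuration or code from the thread.

Topology as in the thread: the ASA static PAT publishes the webcam
192.168.1.5:80 as <outside-ip>:8080; the 2811 (10.10.1.2) sits between the
ASA and the webcam with 'ip nat inside source list 1 interface Fa0/0
overload'.  Public addresses below are constructed placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass

ASA_PUBLIC_IP = "203.0.113.10"   # placeholder for the redacted 199.195.168.x
CLIENT_IP = "198.51.100.7"       # placeholder for the redacted 98.22.121.x


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN" or "SYN-ACK"


def reply_to(pkt: Packet, flags: str) -> Packet:
    """The answer a host sends: addresses and ports swapped."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, flags)


class Asa:
    """Stateful firewall with one static PAT.  A conn is created when a
    permitted SYN arrives; any later packet whose (untranslated) endpoints
    match no conn is dropped, which is what the ASA logs as
    'Deny TCP (no connection) ... flags SYN ACK'."""

    def __init__(self, static_pat: dict[tuple[str, int], tuple[str, int]]):
        self.static_pat = static_pat          # (public ip, port) -> (real ip, port)
        self.conns: set[frozenset] = set()
        self.denied: list[Packet] = []

    def from_outside(self, pkt: Packet) -> Packet | None:
        real = self.static_pat.get((pkt.dst, pkt.dport))
        if real is None or pkt.flags != "SYN":
            self.denied.append(pkt)
            return None
        self.conns.add(frozenset({(pkt.src, pkt.sport), real}))
        # forward the packet with the real (untranslated) destination
        return Packet(pkt.src, pkt.sport, real[0], real[1], pkt.flags)

    def from_inside(self, pkt: Packet) -> Packet | None:
        if frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}) not in self.conns:
            self.denied.append(pkt)          # no matching conn: dropped
            return None
        return pkt


class LanRouter:
    """The 2811.  With PAT enabled, every packet leaving Fa0/0 has its source
    rewritten to 10.10.1.2, including replies to connections that came in
    from the ASA side.  Packets towards the LAN are forwarded untouched,
    as IOS does when no translation entry matches them."""

    def __init__(self, outside_ip: str, pat_enabled: bool):
        self.outside_ip = outside_ip
        self.pat_enabled = pat_enabled

    def to_lan(self, pkt: Packet) -> Packet:
        return pkt

    def from_lan(self, pkt: Packet) -> Packet:
        if not self.pat_enabled:
            return pkt
        # overload keeps the original source port when it is free, matching
        # the thread's log line 'from 10.10.1.2/80'
        return Packet(self.outside_ip, pkt.sport, pkt.dst, pkt.dport, pkt.flags)


def simulate(router_pat: bool) -> dict:
    """Run one inbound TCP handshake from the client to the webcam and report
    whether the SYN-ACK made it back through the ASA."""
    asa = Asa({(ASA_PUBLIC_IP, 8080): ("192.168.1.5", 80)})
    router = LanRouter("10.10.1.2", pat_enabled=router_pat)

    syn = Packet(CLIENT_IP, 41164, ASA_PUBLIC_IP, 8080, "SYN")
    at_webcam = router.to_lan(asa.from_outside(syn))
    syn_ack = reply_to(at_webcam, "SYN-ACK")           # sent by 192.168.1.5:80
    seen_by_asa = router.from_lan(syn_ack)
    delivered = asa.from_inside(seen_by_asa)

    return {
        "synack_source_seen_by_asa": (seen_by_asa.src, seen_by_asa.sport),
        "handshake_completes": delivered is not None,
        "asa_denied": [(p.src, p.sport, p.flags) for p in asa.denied],
    }


if __name__ == "__main__":
    for pat in (True, False):
        print(f"router PAT {'on ' if pat else 'off'}:", simulate(pat))
```

With the router PAT on, the SYN-ACK reaches the ASA with source 10.10.1.2:80, matches no connection and is dropped, exactly the log line in the first post; with the PAT removed the reply keeps its real source and the handshake completes. The same logic is why outbound traffic from the LAN still works either way: the ASA's own dynamic PAT (`nat (any,Outside) after-auto source dynamic PAT-SOURCE interface`) already covers 192.168.1.0/24 and the 172.16 networks, so the router has nothing left to translate.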

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

These networks are behind another router on different ports. The ASA actually has three different routers behind it.

Interface 0 has the 2811

Interface 1 has the WAN

Interface 2 has the 2821

Interface 3 has the 3745

These networks:

route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1

Are all behind the Cisco 2821.

The 3745 has different subnets, but I haven't figured out how to get to it yet; its IOS is different, and since I updated it I can't seem to SSH to it, but that's not important right now as there is nothing behind it.

So, let me input your suggestions and see what happens now that I am home and have a console cable if I need it.

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

So should I remove the overload statement from the router?

ip nat inside source list 1 interface FastEthernet0/0 overload

remove that?

Super Bronze

ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traff

Hi,

Yes, and you should probably also remove the statements from the interfaces.

interface FastEthernet0/0

no ip nat outside

!

interface FastEthernet0/1

  no ip nat inside

!

interface FastEthernet0/1.1

no ip nat inside

!

interface FastEthernet0/1.2

no ip nat inside

!

interface FastEthernet0/1.3

no ip nat inside

- Jouni

Super Bronze

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Also with regards to the routes above.

The device behind "Inside" interface of ASA is 2811 correct and those routes should be pointing to another interface with a 2821?

That would mean that they are pointing towards the wrong router at the moment.

- Jouni

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

As soon as I remove the statement:

ip nat inside source list 1 interface FastEthernet0/0 overload

I lose internet connectivity on all devices behind the 2811.

I don't know. The 2821 is on a different port on the ASA. I don't have anything behind it right now, so I don't know, other than one laptop that I use to test, and it is able to get to the internet. BUT the 2821 has the same basic configuration as the 2811, including the overload statement.

Here is a link to all my configurations and a network diagram.

https://drive.google.com/a/maladomini.com/?pli=1#folders/0BzsKCe89GscxanUwQWI0bEI3azQ

A friend of mine that knows routers told me to use the Overload feature, but I am assuming that isn't needed in this config, I just have the wrong nat or route somewhere.

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

JouniForss wrote:

Also with regards to the routes above.

The device behind "Inside" interface of ASA is 2811 correct and those routes should be pointing to another interface with a 2821?

That would mean that they are pointing towards the wrong router at the moment.

- Jouni

No, I don't believe that is true. The 2821 is on a different port on the ASA and is not between the 2811 and the ASA.

Internet ----- ASA----2811

                        -----2821

                        -----3745

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

JouniForss wrote:

Hi,

Yes, and you should probably also remove the statements from the interfaces.

interface FastEthernet0/0

no ip nat outside

!

interface FastEthernet0/1

  no ip nat inside

!

interface FastEthernet0/1.1

no ip nat inside

!

interface FastEthernet0/1.2

no ip nat inside

!

interface FastEthernet0/1.3

no ip nat inside

- Jouni

Also, when I remove these statements, I lose internet.

Super Bronze

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Ok,

This is getting confusing again.

You state the following

Interface 0 has the 2811 and that means the 2811 is behind "Inside" interface

Interface 2 has the 2821 and that means the 2821 is behind "DMZ" interface

Next you mention the following

These networks:

route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1

Are all behind the Cisco 2821.

This would mean that the above routes are wrong as the 2821 is NOT behind the "Inside" interface. These routes should actually be pointing towards the "DMZ" interface and not "Inside" since even the gateway IP address 10.10.0.2 used is located behind "DMZ".

Though that is not the main issue here.

In addition to removing the NAT configurations I would also suggest you remove the Dynamic Routing configurations. I imagine this could be done with the command

no router rip

On both of the devices.

If it still does not work after this I would like to see the following output from the devices.

ASA

show arp

show route

show xlate

sh conn all

Router

sh ip arp

sh ip route

It might not hurt saving the Router configurations (that does not have the NAT and Dynamic Routing on the Router) and rebooting the router after these changes. And then trying again.

The only thing removing the NAT from the Router should do is allow the hosts on the internal networks behind the router to connect towards the ASA with their original IP address. The ASA would then translate those IP addresses to its public IP address if they were connecting to the Internet.

I basically have an identical setup at home at the moment but a bit different model devices. I have an ASA connected to a Cisco 1841 Router that is connected with a Trunk to a Cisco 2950 which has the hosts and other devices connected to it. So at the moment I am basically using the same network setup as you are.

The reason your friend might have suggested configuring Dynamic PAT (overload) on the Router is that he might have thought that you were going to use it at the edge of the network, between the LAN and the external network. Then it would have made sense. In the current setup it is not useful.

- Jouni

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

JouniForss wrote:

Ok,

This is getting confusing again.

You state the following

Interface 0 has the 2811 and that means the 2811 is behind "Inside" interface

Interface 2 has the 2821 and that means the 2821 is behind "DMZ" interface

Next you mention the following

These networks:

route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1

route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1

Are all behind the Cisco 2821.

This would mean that the above routes are wrong as the 2821 is NOT behind the "Inside" interface. These routes should actually be pointing towards the "DMZ" interface and not "Inside" since even the gateway IP address 10.10.0.2 used is located behind "DMZ".

Though that is not the main issue here.

In addition to removing the NAT configurations I would also suggest you remove the Dynamic Routing configurations. I imagine this could be done with the command

no router rip

On both of the devices.

If it still does not work after this I would like to see the following output from the devices.

ASA

show arp

show route

show xlate

sh conn all

Router

sh ip arp

sh ip route

It might not hurt saving the Router configurations (that does not have the NAT and Dynamic Routing on the Router) and rebooting the router after these changes. And then trying again.

The only thing removing the NAT from the Router should do is allow the hosts on the internal networks behind the router to connect towards the ASA with their original IP address. The ASA would then translate those IP addresses to its public IP address if they were connecting to the Internet.

I basically have an identical setup at home at the moment but a bit different model devices. I have an ASA connected to a Cisco 1841 Router that is connected with a Trunk to a Cisco 2950 which has the hosts and other devices connected to it. So at the moment I am basically using the same network setup as you are.

The reason your friend might have suggested configuring Dynamic PAT (overload) on the Router is that he might have thought that you were going to use it at the edge of the network, between the LAN and the external network. Then it would have made sense. In the current setup it is not useful.

- Jouni

You would be correct, those statements should read:

ASA5510(config)# route DMZ 128.162.1.0 255.255.255.0 10.10.0.2

ASA5510(config)# route DMZ 128.162.10.0 255.255.255.0 10.10.0.2

ASA5510(config)# route DMZ 128.162.20.0 255.255.255.0 10.10.0.2

That was my mistake in not linking the interface names with the statement. I have fixed those as above. That should route that traffic accordingly.

I am going to remove the statements you have suggested and see if I can establish traffic. If not I will restore them and come back and post.

As in my previous post, I posted a link that has all my configs and a simple diagram of my network, which I think is accurate.

So here I go.
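
Jouni's point about the 128.162.x routes (the gateway 10.10.0.2 lives on the DMZ subnet, yet the routes name Inside) and the three corrected `route DMZ ...` commands above are the kind of mistake a quick consistency check over `show run` catches. The following is an added example, not code from the thread or from Cisco: it parses the interface and static route lines, flags every route whose gateway is not inside the connected subnet of the interface it names, and prints the command that points it at the interface that really owns the gateway. The embedded config is constructed from the three LAN-facing interfaces and six static routes posted in the thread; Outside and the default route are left out because the public address is redacted there.

```python
"""Lint ASA static routes: the gateway of 'route <ifname> ...' must lie in
the connected subnet of the interface it names, otherwise the ASA is told to
ARP for a next hop on the wrong wire.  Added example, not from the thread.

ASA_CONFIG is constructed from the thread's three LAN-facing interfaces and
six static routes (Outside and the default route omitted: address redacted).
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ASA_CONFIG = """\
interface Ethernet0/0
 nameif Inside
 ip address 10.10.1.1 255.255.255.252
interface Ethernet0/2
 nameif DMZ
 ip address 10.10.0.1 255.255.255.252
interface Ethernet0/3
 nameif VOIP
 ip address 10.10.2.1 255.255.255.252
route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
"""


@dataclass(frozen=True)
class Route:
    ifname: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address

    def command(self, ifname: str) -> str:
        """The ASA 'route' command for this prefix via the given interface."""
        return (f"route {ifname} {self.network.network_address} "
                f"{self.network.netmask} {self.gateway}")


def parse_asa(config: str):
    """Return ({nameif: ip_interface}, [Route]) from ASA 'show run' text."""
    ifaces, routes, cur = {}, [], {}
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "interface":
            cur = {}                                  # new interface stanza
        elif parts[0] == "nameif":
            cur["name"] = parts[1]
        elif parts[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        elif parts[0] == "route":
            ifname, net, mask, gw = parts[1:5]        # metric (parts[5]) ignored
            routes.append(Route(ifname, ipaddress.ip_network(f"{net}/{mask}"),
                                ipaddress.ip_address(gw)))
        if "name" in cur and "addr" in cur:
            ifaces[cur["name"]] = cur["addr"]
    return ifaces, routes


def check_routes(ifaces, routes):
    """Return [(route, interface that actually contains the gateway or None)]
    for every route whose gateway is not on the interface it names."""
    findings = []
    for r in routes:
        named = ifaces.get(r.ifname)
        if named is not None and r.gateway in named.network:
            continue
        owner = next((n for n, a in ifaces.items() if r.gateway in a.network), None)
        findings.append((r, owner))
    return findings


def corrected_commands(config: str) -> list[str]:
    """The 'route' lines that re-point each misdirected route at the
    interface that really owns its gateway."""
    ifaces, routes = parse_asa(config)
    return [r.command(owner) for r, owner in check_routes(ifaces, routes) if owner]


if __name__ == "__main__":
    ifaces, routes = parse_asa(ASA_CONFIG)
    for r, owner in check_routes(ifaces, routes):
        print(f"{r.command(r.ifname)}  ->  gateway is on "
              f"{owner or 'no connected interface'}")
    print("fix with:", *corrected_commands(ASA_CONFIG), sep="\n  ")
```

Run against the constructed config it reports only the three 128.162.x routes and emits the same `route DMZ 128.162.x.0 255.255.255.0 10.10.0.2` commands entered above; the old `route Inside ...` entries still have to be removed with `no route Inside ...`, and the `show route` output later in the thread is the check that the DMZ versions took effect.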

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

OK, it didn't work. Unless I add the overload statement to the router, I cannot access the internet.

Here are the results of the commands you requested.

From the ASA:

ASA5510# sh arp

        Inside 10.10.1.2 0019.55a7.2ae8 728

        Outside 199.195.168.113 000c.4243.581a 1

        Outside 199.195.168.116 e05f.b947.116b 5375

        Outside 199.195.168.120 0017.c58a.1123 12106

        DMZ 10.10.0.2 0025.849f.63e0 5926

        VOIP 10.10.2.2 000d.bcdc.fc40 10311

ASA5510# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 199.195.168.113 to network 0.0.0.0

S    172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S    172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S    128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ

S    128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ

S    128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ

C    199.195.168.112 255.255.255.240 is directly connected, Outside

C    10.10.0.0 255.255.255.252 is directly connected, DMZ

C    10.10.1.0 255.255.255.252 is directly connected, Inside

C    10.10.2.0 255.255.255.252 is directly connected, VOIP

S    192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S*   0.0.0.0 0.0.0.0 [1/0] via 199.195.168.113, Outside

ASA5510# sh xlate

39 in use, 784 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

       s - static, T - twice, N - net-to-net

TCP PAT from DMZ:10.10.0.2 22-22 to Outside:199.195.168.12x 2222-2222

    flags sr idle 458:44:04 timeout 0:00:00

TCP PAT from Inside:10.10.1.2 22-22 to Outside:199.195.168.12x 222-222

    flags sr idle 27:56:36 timeout 0:00:00

TCP PAT from VOIP:10.10.2.2 22-22 to Outside:199.195.168.12x 2223-2223

    flags sr idle 664:22:17 timeout 0:00:00

TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.168.12x 3389-3389

    flags sr idle 434:06:51 timeout 0:00:00

TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.168.12x 8080-8080

    flags sr idle 29:08:48 timeout 0:00:00

NAT from Outside:0.0.0.0/0 to any:0.0.0.0/0

    flags sIT idle 330:00:11 timeout 0:00:00

TCP PAT from any:10.10.1.2/47191 to Outside:199.195.168.12x/47191 flags ri idle 0:00:13 timeout 0:00:30

UDP PAT from any:10.10.1.2/64013 to Outside:199.195.168.12x/64013 flags ri idle 0:00:13 timeout 0:00:30

UDP PAT from any:10.10.1.2/65466 to Outside:199.195.168.12x/65466 flags ri idle 0:00:13 timeout 0:00:30

TCP PAT from any:10.10.1.2/57563 to Outside:199.195.168.12x/57563 flags ri idle 0:00:43 timeout 0:00:30

TCP PAT from any:10.10.1.2/57561 to Outside:199.195.168.12x/57561 flags ri idle 0:00:44 timeout 0:00:30

TCP PAT from any:10.10.1.2/55952 to Outside:199.195.168.12x/55952 flags ri idle 0:00:59 timeout 0:00:30

TCP PAT from any:10.10.1.2/53254 to Outside:199.195.168.12x/53254 flags ri idle 0:01:13 timeout 0:00:30

TCP PAT from any:10.10.1.2/57560 to Outside:199.195.168.12x/57560 flags ri idle 0:01:13 timeout 0:00:30

TCP PAT from any:10.10.1.2/55951 to Outside:199.195.168.12x/55951 flags ri idle 0:01:30 timeout 0:00:30

TCP PAT from any:10.10.1.2/57557 to Outside:199.195.168.12x/57557 flags ri idle 0:01:43 timeout 0:00:30

TCP PAT from any:10.10.1.2/57556 to Outside:199.195.168.12x/57556 flags ri idle 0:01:44 timeout 0:00:30

TCP PAT from any:10.10.1.2/57555 to Outside:199.195.168.12x/57555 flags ri idle 0:01:45 timeout 0:00:30

TCP PAT from any:10.10.1.2/57554 to Outside:199.195.168.12x/57554 flags ri idle 0:01:51 timeout 0:00:30

TCP PAT from any:10.10.1.2/57549 to Outside:199.195.168.12x/57549 flags ri idle 0:02:00 timeout 0:00:30

TCP PAT from any:10.10.1.2/57548 to Outside:199.195.168.12x/57548 flags ri idle 0:02:01 timeout 0:00:30

TCP PAT from any:10.10.1.2/2492 to Outside:199.195.168.12x/2492 flags ri idle 0:02:22 timeout 0:00:30

TCP PAT from any:10.10.1.2/57503 to Outside:199.195.168.12x/57503 flags ri idle 0:03:40 timeout 0:00:30

TCP PAT from any:10.10.1.2/57493 to Outside:199.195.168.12x/57493 flags ri idle 0:03:48 timeout 0:00:30

TCP PAT from any:10.10.1.2/57488 to Outside:199.195.168.12x/57488 flags ri idle 0:03:53 timeout 0:00:30

TCP PAT from any:10.10.1.2/55948 to Outside:199.195.168.12x/55948 flags ri idle 0:03:57 timeout 0:00:30

TCP PAT from any:10.10.1.2/57468 to Outside:199.195.168.12x/57468 flags ri idle 0:04:01 timeout 0:00:30

UDP PAT from any:10.10.1.2/57609 to Outside:199.195.168.12x/57609 flags ri idle 0:04:29 timeout 0:00:30

TCP PAT from any:10.10.1.2/57455 to Outside:199.195.168.12x/57455 flags ri idle 0:00:10 timeout 0:00:30

TCP PAT from any:10.10.1.2/36739 to Outside:199.195.168.12x/36739 flags ri idle 0:04:53 timeout 0:00:30

TCP PAT from any:10.10.1.2/57435 to Outside:199.195.168.12x/57435 flags ri idle 0:04:58 timeout 0:00:30

TCP PAT from any:10.10.1.2/57389 to Outside:199.195.168.12x/57389 flags ri idle 0:00:06 timeout 0:00:30

TCP PAT from any:10.10.1.2/57375 to Outside:199.195.168.12x/57375 flags ri idle 0:05:05 timeout 0:00:30

TCP PAT from any:10.10.1.2/57361 to Outside:199.195.168.12x/57361 flags ri idle 0:05:08 timeout 0:00:30

TCP PAT from any:10.10.1.2/55944 to Outside:199.195.168.12x/55944 flags ri idle 0:05:09 timeout 0:00:30

TCP PAT from any:10.10.1.2/57318 to Outside:199.195.168.12x/57318 flags ri idle 0:05:13 timeout 0:00:30

TCP PAT from any:10.10.1.2/57315 to Outside:199.195.168.12x/57315 flags ri idle 0:05:15 timeout 0:00:30

TCP PAT from any:10.10.1.2/55942 to Outside:199.195.168.12x/55942 flags ri idle 0:05:15 timeout 0:00:30

UDP PAT from any:172.16.20.3/123 to Outside:199.195.168.12x/123 flags ri idle 0:06:24 timeout 0:00:30

ASA5510# show conn all

28 in use, 815 most used

TCP DMZ  10.10.0.2:22 Inside  10.10.1.2:55509, idle 0:54:51, bytes 14947, flags UIOB

TCP Outside  74.125.142.125:5222 Inside  10.10.1.2:57468, idle 0:00:07, bytes 8944, flags UIO

TCP Outside  31.13.74.128:443 Inside  10.10.1.2:57493, idle 0:00:54, bytes 39300, flags UIO

TCP Outside  98.22.121.19:443 Inside  10.10.1.2:57568, idle 0:00:31, bytes 4480, flags UIO

TCP Outside  74.125.142.189:443 Inside  10.10.1.2:57315, idle 0:00:08, bytes 51097, flags UIO

TCP Outside  74.125.142.84:443 Inside  10.10.1.2:57567, idle 0:00:16, bytes 2940, flags UIO

TCP Outside  23.206.216.93:80 Inside  10.10.1.2:53254, idle 0:05:57, bytes 303, flags UfFrIO

TCP Outside  17.149.36.180:5223 Inside  10.10.1.2:55951, idle 0:06:16, bytes 4322, flags UIO

UDP Outside  199.195.168.4:53 Inside  10.10.1.2:64021, idle 0:00:00, bytes 44, flags -

TCP Outside  65.55.122.234:2492 Inside  10.10.1.2:2492, idle 0:06:55, bytes 1361, flags UIO

TCP Outside  74.125.225.54:443 Inside  10.10.1.2:57554, idle 0:00:04, bytes 139418, flags UIO

TCP Outside  74.125.225.37:443 Inside  10.10.1.2:57582, idle 0:00:58, bytes 9965, flags UIO

UDP Outside  96.226.242.9:123 Inside  172.16.20.3:123, idle 0:00:25, bytes 96, flags -

TCP Outside  17.149.32.75:5223 Inside  10.10.1.2:57435, idle 0:09:43, bytes 4540, flags UIO

TCP Outside  69.171.248.16:443 Inside  10.10.1.2:57606, idle 0:00:05, bytes 6236, flags UIO

TCP Outside  69.171.248.16:443 Inside  10.10.1.2:57548, idle 0:00:02, bytes 20177, flags UIO

TCP Outside  23.207.17.227:443 Inside  10.10.1.2:57607, idle 0:00:24, bytes 9290, flags UIO

TCP Outside  74.125.225.47:443 Inside  10.10.1.2:57602, idle 0:00:44, bytes 5570, flags UIO

TCP Outside  64.4.23.147:33033 Inside  10.10.1.2:55944, idle 0:01:01, bytes 23274, flags UIO

UDP Outside  66.104.81.70:5070 Inside  10.10.1.2:57609, idle 0:00:14, bytes 5357, flags -

TCP Outside  134.170.18.190:443 Inside  10.10.1.2:55948, idle 0:01:01, bytes 19804, flags UIO

TCP Outside  143.127.93.105:80 Inside  10.10.1.2:57503, idle 0:08:26, bytes 331, flags UO

TCP Outside  74.125.225.38:443 Inside  10.10.1.2:57596, idle 0:00:16, bytes 23761, flags UIO

TCP Outside  91.190.218.59:443 Inside  10.10.1.2:55942, idle 0:01:01, bytes 1217, flags UIO

TCP Outside  143.127.93.107:80 Inside  10.10.1.2:57318, idle 0:09:59, bytes 350, flags UO

TCP Outside  54.196.88.252:443 Inside  10.10.1.2:36739, idle 0:00:00, bytes 10912322, flags UIO

TCP Inside  10.10.1.2:57457 NP Identity Ifc  10.10.1.1:22, idle 0:00:00, bytes 38999, flags UOB

TCP Inside  192.168.1.20:55987 NP Identity Ifc  10.10.1.1:22, idle 0:15:54, bytes 40611, flags UOB

Cisco 2811 Router:

CISCO-2811#sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.10.1.1              21   c47d.4f3b.8ea6  ARPA   FastEthernet0/0

Internet  10.10.1.2               -   0019.55a7.2ae8  ARPA   FastEthernet0/0

Internet  172.16.10.1             -   0019.55a7.2ae9  ARPA   FastEthernet0/1.1

Internet  172.16.10.3            12   0011.5c73.28c1  ARPA   FastEthernet0/1.1

Internet  172.16.20.1             -   0019.55a7.2ae9  ARPA   FastEthernet0/1.2

Internet  172.16.20.3            12   0011.5c73.28c2  ARPA   FastEthernet0/1.2

Internet  192.168.1.1             -   0019.55a7.2ae9  ARPA   FastEthernet0/1.3

Internet  192.168.1.2             0   0024.e864.01a8  ARPA   FastEthernet0/1.3

Internet  192.168.1.3            12   0011.5c73.28c0  ARPA   FastEthernet0/1.3

Internet  192.168.1.20            0   5cf9.dd52.5fa9  ARPA   FastEthernet0/1.3

Internet  192.168.1.50           11   308c.fb47.f2d9  ARPA   FastEthernet0/1.3

Internet  192.168.1.51            7   ec35.8677.4057  ARPA   FastEthernet0/1.3

Internet  192.168.1.52           11   b418.d136.ef72  ARPA   FastEthernet0/1.3

Internet  192.168.1.53           12   b418.d136.ef72  ARPA   FastEthernet0/1.3

Internet  192.168.1.57           15   ec35.8677.4057  ARPA   FastEthernet0/1.3

Internet  192.168.1.174           0   b8ac.6fff.af83  ARPA   FastEthernet0/1.3

Internet  192.168.1.226           0   f47b.5e9a.7ae5  ARPA   FastEthernet0/1.3

CISCO-2811#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

       + - replicated route, % - next hop override

Gateway of last resort is 10.10.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.1.1

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.10.1.0/30 is directly connected, FastEthernet0/0

L        10.10.1.2/32 is directly connected, FastEthernet0/0

      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks

C        172.16.10.0/24 is directly connected, FastEthernet0/1.1

L        172.16.10.1/32 is directly connected, FastEthernet0/1.1

C        172.16.20.0/24 is directly connected, FastEthernet0/1.2

L        172.16.20.1/32 is directly connected, FastEthernet0/1.2

      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.1.0/24 is directly connected, FastEthernet0/1.3

L        192.168.1.1/32 is directly connected, FastEthernet0/1.3

Super Bronze

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Hi,

The link you posted earlier just takes me to the Google page and asks for credentials which I don't have. If you have some pictures and information you can also post/attach them here.

I can't see any reason why the connections should not work after changing the Router configuration.

It seems to me that the ASA command outputs were taken when the Router still had the configurations present, because each connection is from the source address 10.10.1.2 and not the real source.

When there is no translation configuration for the hosts on the Router, the connections would go like this:

  • Host on a certain Vlan starts to form a connection and sends packet/frame to the Router through the switch
  • The router checks its routing table where to forward this packet and sees that it should forward it with the default route to the ASA
  • The ASA checks again where it should forward the packet and sees that it should use the default route and forward it to the ISP. The source address is also translated according to the Dynamic PAT rule and the traffic is allowed because of the "security-level" settings as there is no interface ACL.
  • Traffic/reply comes back from the Internet host and uses the existing connection and Dynamic PAT translation created initially to pass the traffic through the ASA.
  • The ASA then forwards the traffic to the Router
  • The Router sees the destination IP address of the packet belonging to one of the LAN hosts
  • It then checks the ARP table for which MAC address to forward the traffic to. If it can't find that information it will ARP for the MAC address of the host
  • Router sends the packet to the host that opened the connection.

I can't see anything in the above configuration preventing this from happening. There should be no reason that this should not work. There might well be something involved that I am missing, but the configuration is quite simple and I can't see an error in it, or why the changes we make should matter at all for connectivity.

When the configurations on the Router are changed (and the configuration saved + router reloaded) I would open the ASDM on the ASA through some other computer and monitor what happens to the connection attempts from behind the Router. I would check if we get any logs from the source addresses in the networks 192.168.1.0/24, 172.16.10.0/24 and 172.16.20.0/24. I would also check in those logs whether they get translated by the ASA. I would perhaps also try to ping from this router to the ASA and to the ISP gateway.

The "packet-tracer" command should also tell what happens on the ASA when a packet from the original source address of a host comes in:

packet-tracer input Inside tcp 192.168.1.100 12345 8.8.8.8 80

- Jouni

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Right, the link should have let anyone with it view the files. Now it is set to public. I'll also attach them here. These are the configs as they stand now, working.

If I remove the overload statement on the router, I lose internet access. I can't ping anything past the ASA. I can ping the ASA, the ASA can ping the router, but no traffic will pass beyond that.

I haven't pasted configs from when I remove those statements because all I have to do is remove the overload and everything stops. Even if I go and remove the rest of the statements and reboot, it doesn't allow the traffic past.

https://drive.google.com/file/d/0BzsKCe89GscxM1lqckI3SkV2bTA/edit?usp=sharing

https://drive.google.com/file/d/0BzsKCe89GscxMmxTblF4UmlGUE0/edit?usp=sharing

https://drive.google.com/file/d/0BzsKCe89GscxZ1owclN2UTYwVDg/edit?usp=sharing

https://drive.google.com/file/d/0BzsKCe89GscxaDE1VDRKaEdfcUU/edit?usp=sharing

https://drive.google.com/file/d/0BzsKCe89GscxaGhYR3BNenBlNUU/edit?usp=sharing

https://drive.google.com/file/d/0BzsKCe89GscxdEptTkc4M3ZuSGs/edit?usp=sharing

https://drive.google.com/file/d/0BzsKCe89GscxdTJ4eFR5QWJBdlE/edit?usp=sharing

Network.jpg

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

I ran those commands while I had the NAT off on the router, and here are the results. Note, I didn't make any changes to the ASA, as you only said to remove the router RIP, which I did and reloaded, with no change.

As long as the ip nat outside statement on FastEthernet 0/0 is off, the ip nat inside is off on the VLAN, and the overload statement is taken out, I cannot hit the internet.

CISCO-2811#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

CISCO-2811(config)#int

CISCO-2811(config)#interface f

CISCO-2811(config)#interface fastEthernet 0/1.3

CISCO-2811(config-subif)#no ip nat inside

CISCO-2811(config-subif)#exit

CISCO-2811(config)#inter

CISCO-2811(config)#interface f

CISCO-2811(config)#interface fastEthernet 0/0

CISCO-2811(config-if)#no ip nat outside

CISCO-2811(config-if)#exit

CISCO-2811(config)#$nside source list 1 interface FastEthernet0/0 overload

Dynamic mapping in use, do you want to delete all entries? [no]: y

CISCO-2811(config)#exit

CISCO-2811#sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.10.1.1             202   c47d.4f3b.8ea6  ARPA   FastEthernet0/0

Internet  10.10.1.2               -   0019.55a7.2ae8  ARPA   FastEthernet0/0

Internet  172.16.10.1             -   0019.55a7.2ae9  ARPA   FastEthernet0/1.1

Internet  172.16.10.3           238   0011.5c73.28c1  ARPA   FastEthernet0/1.1

Internet  172.16.10.50           72   cc2d.8c78.065a  ARPA   FastEthernet0/1.1

Internet  172.16.20.1             -   0019.55a7.2ae9  ARPA   FastEthernet0/1.2

Internet  172.16.20.3           196   0011.5c73.28c2  ARPA   FastEthernet0/1.2

Internet  192.168.1.1             -   0019.55a7.2ae9  ARPA   FastEthernet0/1.3

Internet  192.168.1.2             0   0024.e864.01a8  ARPA   FastEthernet0/1.3

Internet  192.168.1.3           155   0011.5c73.28c0  ARPA   FastEthernet0/1.3

Internet  192.168.1.5            61   4802.2a4c.1c74  ARPA   FastEthernet0/1.3

Internet  192.168.1.20            0   5cf9.dd52.5fa9  ARPA   FastEthernet0/1.3

Internet  192.168.1.50            0   308c.fb47.f2d9  ARPA   FastEthernet0/1.3

Internet  192.168.1.51            1   ec35.8677.4057  ARPA   FastEthernet0/1.3

Internet  192.168.1.52            1   b418.d136.ef72  ARPA   FastEthernet0/1.3

Internet  192.168.1.53            1   8853.9572.e113  ARPA   FastEthernet0/1.3

Internet  192.168.1.54           12   0009.b044.9f23  ARPA   FastEthernet0/1.3

Internet  192.168.1.55            0   f47b.5e9a.7ae5  ARPA   FastEthernet0/1.3

Internet  192.168.1.149           0   001e.4fc5.a199  ARPA   FastEthernet0/1.3

Internet  192.168.1.174           0   b8ac.6fff.af83  ARPA   FastEthernet0/1.3

CISCO-2811#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

       + - replicated route, % - next hop override

Gateway of last resort is 10.10.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.1.1

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.10.1.0/30 is directly connected, FastEthernet0/0

L        10.10.1.2/32 is directly connected, FastEthernet0/0

      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks

C        172.16.10.0/24 is directly connected, FastEthernet0/1.1

L        172.16.10.1/32 is directly connected, FastEthernet0/1.1

C        172.16.20.0/24 is directly connected, FastEthernet0/1.2

L        172.16.20.1/32 is directly connected, FastEthernet0/1.2

      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.1.0/24 is directly connected, FastEthernet0/1.3

L        192.168.1.1/32 is directly connected, FastEthernet0/1.3

ASA

ASA5510# sh arp

        Inside 10.10.1.2 0019.55a7.2ae8 12342

        Outside 199.195.168.113 000c.4243.581a 2

        Outside 199.195.168.116 e05f.b947.116b 2436

        Outside 199.195.168.120 0017.c58a.1123 9192

        DMZ 10.10.0.2 0025.849f.63e0 3192

        VOIP 10.10.2.2 000d.bcdc.fc40 7754

ASA5510# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 199.195.168.113 to network 0.0.0.0

S    172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S    172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S    128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ

S    128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ

S    128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ

C    199.195.168.112 255.255.255.240 is directly connected, Outside

C    10.10.0.0 255.255.255.252 is directly connected, DMZ

C    10.10.1.0 255.255.255.252 is directly connected, Inside

S    192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside

S*   0.0.0.0 0.0.0.0 [1/0] via 199.195.168.113, Outside

ASA5510# show xlate

35 in use, 784 most used

Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,

       s - static, T - twice, N - net-to-net

TCP PAT from DMZ:10.10.0.2 22-22 to Outside:199.195.168.x 2222-2222

    flags sr idle 481:54:14 timeout 0:00:00

TCP PAT from Inside:10.10.1.2 22-22 to Outside:199.195.168.x 222-222

    flags sr idle 51:06:46 timeout 0:00:00

TCP PAT from VOIP:10.10.2.2 22-22 to Outside:199.195.168.x 2223-2223

    flags sr idle 687:32:27 timeout 0:00:00

TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.168.x 3389-3389

    flags sr idle 457:17:01 timeout 0:00:00

TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.168.x 8080-8080

    flags sr idle 52:18:58 timeout 0:00:00

NAT from Outside:0.0.0.0/0 to any:0.0.0.0/0

    flags sIT idle 353:10:21 timeout 0:00:00

UDP PAT from any:10.10.1.2/52581 to Outside:199.195.168.x/52581 flags ri idle 0:00:00 timeout 0:00:30

UDP PAT from any:10.10.1.2/55389 to Outside:199.195.168.x/55389 flags ri idle 0:00:03 timeout 0:00:30

UDP PAT from any:10.10.1.2/51936 to Outside:199.195.168.x/51936 flags ri idle 0:00:04 timeout 0:00:30

UDP PAT from any:10.10.1.2/51345 to Outside:199.195.168.x/51345 flags ri idle 0:00:09 timeout 0:00:30

UDP PAT from any:10.10.1.2/55985 to Outside:199.195.168.x/55985 flags ri idle 0:00:18 timeout 0:00:30

UDP PAT from any:10.10.1.2/49368 to Outside:199.195.168.x/49368 flags ri idle 0:00:22 timeout 0:00:30

UDP PAT from any:10.10.1.2/52441 to Outside:199.195.168.x/52441 flags ri idle 0:00:23 timeout 0:00:30

TCP PAT from any:10.10.1.2/57908 to Outside:199.195.168.x/57908 flags ri idle 0:08:37 timeout 0:00:30

TCP PAT from any:10.10.1.2/57907 to Outside:199.195.168.x/57907 flags ri idle 0:08:37 timeout 0:00:30

TCP PAT from any:10.10.1.2/57906 to Outside:199.195.168.x/57906 flags ri idle 0:08:37 timeout 0:00:30

TCP PAT from any:10.10.1.2/57896 to Outside:199.195.168.x/57896 flags ri idle 0:09:09 timeout 0:00:30

TCP PAT from any:10.10.1.2/57879 to Outside:199.195.168.x/57879 flags ri idle 0:10:23 timeout 0:00:30

TCP PAT from any:10.10.1.2/49441 to Outside:199.195.168.x/49441 flags ri idle 0:20:52 timeout 0:00:30

TCP PAT from any:10.10.1.2/57868 to Outside:199.195.168.x/57868 flags ri idle 0:25:28 timeout 0:00:30

TCP PAT from any:10.10.1.2/60519 to Outside:199.195.168.x/60519 flags ri idle 0:44:11 timeout 0:00:30

TCP PAT from any:10.10.1.2/60491 to Outside:199.195.168.x/60491 flags ri idle 0:44:20 timeout 0:00:30

TCP PAT from any:10.10.1.2/60484 to Outside:199.195.168.x/60484 flags ri idle 0:44:35 timeout 0:00:30

TCP PAT from any:10.10.1.2/60480 to Outside:199.195.168.x/60480 flags ri idle 0:44:51 timeout 0:00:30

TCP PAT from any:10.10.1.2/53851 to Outside:199.195.168.x/53851 flags ri idle 0:54:14 timeout 0:00:30

TCP PAT from any:10.10.1.2/57812 to Outside:199.195.168.x/57812 flags ri idle 0:58:30 timeout 0:00:30

TCP PAT from any:10.10.1.2/57810 to Outside:199.195.168.x/57810 flags ri idle 0:58:32 timeout 0:00:30

TCP PAT from any:10.10.1.2/53847 to Outside:199.195.168.x/53847 flags ri idle 1:00:18 timeout 0:00:30

TCP PAT from any:10.10.1.2/57808 to Outside:199.195.168.x/57808 flags ri idle 1:07:58 timeout 0:00:30

TCP PAT from any:10.10.1.2/60406 to Outside:199.195.168.x/60406 flags ri idle 1:42:13 timeout 0:00:30

TCP PAT from any:10.10.1.2/49259 to Outside:199.195.168.x/49259 flags ri idle 7:39:44 timeout 0:00:30

TCP PAT from any:10.10.1.2/49191 to Outside:199.195.168.x/49191 flags ri idle 7:42:39 timeout 0:00:30

TCP PAT from any:10.10.1.2/55951 to Outside:199.195.168.x/55951 flags ri idle 23:11:40 timeout 0:00:30

TCP PAT from any:10.10.1.2/55944 to Outside:199.195.168.x/55944 flags ri idle 23:15:19 timeout 0:00:30

TCP PAT from any:10.10.1.2/55942 to Outside:199.195.168.x/55942 flags ri idle 23:15:24 timeout 0:00:30

ASA5510# sh conn all

149 in use, 815 most used

TCP Outside  74.125.193.108:993 Inside  10.10.1.2:57879, idle 0:12:37, bytes 6398, flags UIO

TCP Outside  174.35.24.74:80 Inside  192.168.1.20:53879, idle 0:00:01, bytes 0, flags saA

TCP Outside  174.35.24.74:80 Inside  192.168.1.20:53878, idle 0:00:01, bytes 0, flags saA

TCP Outside  17.149.36.177:5223 Inside  10.10.1.2:60480, idle 0:16:53, bytes 4539, flags UIO

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53877, idle 0:00:02, bytes 0, flags saA

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53876, idle 0:00:02, bytes 0, flags saA

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53875, idle 0:00:05, bytes 0, flags saA

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53874, idle 0:00:05, bytes 0, flags saA

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53872, idle 0:00:11, bytes 0, flags saA

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53871, idle 0:00:11, bytes 0, flags saA

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53868, idle 0:00:08, bytes 0, flags saA

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53867, idle 0:00:08, bytes 0, flags saA

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53860, idle 0:00:17, bytes 0, flags saA

TCP Outside  98.22.121.19:443 Inside  192.168.1.20:53859, idle 0:00:17, bytes 0, flags saA

TCP Outside  17.172.233.95:5223 Inside  10.10.1.2:49191, idle 0:18:48, bytes 7384, flags UIO

TCP Outside  17.178.100.43:443 Inside  10.10.1.2:57810, idle 0:56:21, bytes 5797, flags UFIO

TCP Outside  23.206.216.93:80 Inside  10.10.1.2:53847, idle 0:54:15, bytes 2683, flags UFIO

TCP Outside  143.127.93.90:80 Inside  10.10.1.2:49259, idle 0:12:20, bytes 13315, flags UIO

TCP Outside  74.125.225.53:443 Inside  192.168.1.20:53864, idle 0:00:11, bytes 0, flags saA

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:49204, idle 0:00:04, bytes 67, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.174:50122, idle 0:00:07, bytes 43, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:63275, idle 0:00:08, bytes 54, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:63306, idle 0:00:18, bytes 51, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:65059, idle 0:00:22, bytes 46, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64681, idle 0:00:30, bytes 54, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64661, idle 0:00:30, bytes 51, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.20:55618, idle 0:00:32, bytes 43, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:65056, idle 0:00:33, bytes 48, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.55:59433, idle 0:00:41, bytes 33, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.20:52178, idle 0:00:42, bytes 33, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.174:61414, idle 0:00:43, bytes 34, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:65438, idle 0:00:44, bytes 44, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:63686, idle 0:00:44, bytes 51, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:65416, idle 0:00:45, bytes 45, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.52:53047, idle 0:00:47, bytes 32, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.52:62213, idle 0:00:46, bytes 74, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.52:52347, idle 0:00:46, bytes 92, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.52:58069, idle 0:00:46, bytes 64, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.52:50753, idle 0:00:46, bytes 74, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:65381, idle 0:00:50, bytes 50, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:65082, idle 0:00:50, bytes 51, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64038, idle 0:00:50, bytes 54, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:49309, idle 0:00:51, bytes 43, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64034, idle 0:00:51, bytes 54, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:49197, idle 0:00:51, bytes 50, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64728, idle 0:00:51, bytes 49, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64309, idle 0:00:51, bytes 54, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:63289, idle 0:00:51, bytes 51, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64174, idle 0:00:52, bytes 54, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.55:39286, idle 0:01:09, bytes 33, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:63726, idle 0:01:09, bytes 54, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:65482, idle 0:01:12, bytes 51, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:65091, idle 0:01:13, bytes 61, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64976, idle 0:01:13, bytes 57, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:63749, idle 0:00:51, bytes 103, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64043, idle 0:01:14, bytes 52, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64267, idle 0:01:24, bytes 45, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:64467, idle 0:01:26, bytes 45, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:65504, idle 0:01:26, bytes 46, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.55:38946, idle 0:01:35, bytes 33, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:63701, idle 0:01:38, bytes 51, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:63879, idle 0:01:46, bytes 45, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.174:58516, idle 0:01:49, bytes 51, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:63227, idle 0:01:51, bytes 62, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.174:65446, idle 0:01:53, bytes 43, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.2:49166, idle 0:01:55, bytes 54, flags -

UDP Outside  199.195.168.4:53 Inside  192.168.1.55:56680, idle 0:02:01, bytes 33, flags -

UDP Outside  192.55.83.30:53 Inside  192.168.1.2:65073, idle 0:00:44, bytes 50, flags -

TCP Outside  74.125.193.109:993 Inside  10.10.1.2:57808, idle 0:39:33, bytes 6392, flags UFIO

TCP Outside  74.125.225.54:443 Inside  192.168.1.20:53863, idle 0:00:13, bytes 0, flags saA

TCP Outside  143.127.93.89:80 Inside  10.10.1.2:60519, idle 0:46:30, bytes 346, flags UO

TCP Outside  74.125.225.32:443 Inside  192.168.1.20:53881, idle 0:00:01, bytes 0, flags saA

TCP Outside  74.125.225.32:443 Inside  192.168.1.20:53880, idle 0:00:01, bytes 0, flags saA

UDP Outside  205.171.3.65:53 Inside  192.168.1.52:60627, idle 0:00:39, bytes 78, flags -

UDP Outside  205.171.3.65:53 Inside  192.168.1.52:52088, idle 0:00:39, bytes 86, flags -

UDP Outside  205.171.3.65:53 Inside  192.168.1.52:50533, idle 0:00:39, bytes 76, flags -

UDP Outside  205.171.3.65:53 Inside  192.168.1.52:63347, idle 0:00:39, bytes 80, flags -

UDP Outside  205.171.3.65:53 Inside  192.168.1.52:62213, idle 0:00:40, bytes 37, flags -

UDP Outside  205.171.3.65:53 Inside  192.168.1.52:52347, idle 0:00:40, bytes 46, flags -

UDP Outside  205.171.3.65:53 Inside  192.168.1.52:58069, idle 0:00:40, bytes 32, flags -

UDP Outside  205.171.3.65:53 Inside  192.168.1.52:50753, idle 0:00:40, bytes 37, flags -

UDP Outside  205.171.3.65:53 Inside  192.168.1.174:52254, idle 0:01:09, bytes 43, flags -

UDP Outside  205.171.3.65:53 Inside  192.168.1.174:50791, idle 0:01:25, bytes 35, flags -

TCP Outside  74.125.225.46:443 Inside  192.168.1.20:53870, idle 0:00:08, bytes 0, flags saA

TCP Outside  17.173.255.101:443 Inside  10.10.1.2:53851, idle 0:56:33, bytes 58, flags UfIO

TCP Outside  64.4.23.147:33033 Inside  10.10.1.2:55944, idle 0:44:45, bytes 558164, flags UFIO

TCP Outside  74.125.225.35:443 Inside  192.168.1.20:53869, idle 0:00:09, bytes 0, flags saA

UDP Outside  64.4.23.175:33033 Inside  192.168.1.174:26511, idle 0:01:17, bytes 28, flags -

UDP Outside  192.54.112.30:53 Inside  192.168.1.2:65380, idle 0:00:44, bytes 49, flags -

TCP Outside  74.125.142.108:993 Inside  10.10.1.2:57908, idle 0:10:47, bytes 7895, flags UIO

TCP Outside  74.125.142.108:993 Inside  10.10.1.2:57907, idle 0:10:49, bytes 20323, flags UIO

TCP Outside  74.125.142.108:993 Inside  10.10.1.2:57906, idle 0:10:47, bytes 6539, flags UIO

TCP Outside  74.125.142.108:993 Inside  10.10.1.2:57868, idle 0:27:44, bytes 6395, flags UIO

TCP Outside  91.190.218.59:443 Inside  10.10.1.2:55942, idle 0:41:39, bytes 2727, flags UFIO

TCP Outside  17.172.233.123:5223 Inside  10.10.1.2:49441, idle 0:23:10, bytes 4409, flags UIO

TCP Outside  74.125.225.41:443 Inside  192.168.1.20:53862, idle 0:00:16, bytes 0, flags saA

TCP Outside  74.125.225.41:443 Inside  192.168.1.20:53861, idle 0:00:16, bytes 0, flags saA

TCP Outside  143.127.93.115:80 Inside  10.10.1.2:60406, idle 0:42:59, bytes 970, flags UFIO

TCP Outside  143.127.93.118:80 Inside  10.10.1.2:60484, idle 0:46:54, bytes 328, flags UO

TCP Outside  17.172.233.98:5223 Inside  10.10.1.2:57896, idle 0:11:28, bytes 5081, flags UIO

UDP Outside  111.221.74.16:33033 Inside  192.168.1.174:26511, idle 0:01:18, bytes 31, flags -

TCP Outside  17.149.36.103:5223 Inside  192.168.1.174:60729, idle 0:00:04, bytes 0, flags saA

UDP Outside  192.5.6.30:53 Inside  192.168.1.2:65317, idle 0:00:44, bytes 51, flags -

UDP Outside  192.12.94.30:53 Inside  192.168.1.2:65356, idle 0:00:44, bytes 54, flags -

TCP Outside  17.149.36.180:5223 Inside  10.10.1.2:55951, idle 0:46:08, bytes 14059, flags UFIO

UDP Outside  111.221.74.28:33033 Inside  192.168.1.174:26511, idle 0:01:20, bytes 33, flags -

TCP Outside  63.235.20.160:80 Inside  192.168.1.20:53873, idle 0:00:08, bytes 0, flags saA

TCP Outside  50.19.127.112:443 Inside  192.168.1.50:60678, idle 0:00:00, bytes 0, flags saA

TCP Outside  65.55.122.234:80 Inside  192.168.1.174:60728, idle 0:00:14, bytes 0, flags saA

TCP Outside  65.55.122.234:80 Inside  192.168.1.174:60727, idle 0:00:15, bytes 0, flags saA

TCP Outside  65.55.122.234:80 Inside  192.168.1.174:60726, idle 0:00:15, bytes 0, flags saA

TCP Outside  65.55.122.234:443 Inside  192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA

TCP Outside  65.55.122.234:2492 Inside  192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA

UDP Outside  157.55.56.170:33033 Inside  192.168.1.174:26511, idle 0:01:21, bytes 37, flags -

TCP Outside  74.125.230.207:443 Inside  192.168.1.20:53866, idle 0:00:11, bytes 0, flags saA

TCP Outside  74.125.230.207:443 Inside  192.168.1.20:53865, idle 0:00:11, bytes 0, flags saA

UDP Outside  111.221.74.18:33033 Inside  192.168.1.174:26511, idle 0:01:17, bytes 29, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.20:55546, idle 0:00:06, bytes 46, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.20:60277, idle 0:00:06, bytes 46, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.20:55618, idle 0:00:34, bytes 43, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.52:60627, idle 0:00:36, bytes 78, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.52:52088, idle 0:00:36, bytes 86, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.52:50533, idle 0:00:36, bytes 76, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.52:63347, idle 0:00:36, bytes 80, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.20:56958, idle 0:01:24, bytes 34, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.20:51360, idle 0:01:26, bytes 34, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.174:50791, idle 0:01:27, bytes 35, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.20:54134, idle 0:01:46, bytes 34, flags -

UDP Outside  8.8.8.8:53 Inside  192.168.1.174:58516, idle 0:01:50, bytes 51, flags -

TCP Outside  23.207.7.46:80 Inside  192.168.1.55:59350, idle 0:00:02, bytes 0, flags saA

TCP Outside  23.207.7.46:80 Inside  192.168.1.55:59349, idle 0:00:16, bytes 0, flags saA

UDP Outside  205.171.2.65:53 Inside  192.168.1.174:50122, idle 0:00:09, bytes 43, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.55:48088, idle 0:00:42, bytes 33, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.52:62213, idle 0:00:45, bytes 74, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.52:52347, idle 0:00:45, bytes 92, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.52:58069, idle 0:00:45, bytes 64, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.52:50753, idle 0:00:45, bytes 74, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.174:61414, idle 0:00:47, bytes 34, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.55:54481, idle 0:01:08, bytes 33, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.174:52254, idle 0:01:09, bytes 43, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.55:40285, idle 0:01:34, bytes 33, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.174:65446, idle 0:01:55, bytes 43, flags -

UDP Outside  205.171.2.65:53 Inside  192.168.1.55:46155, idle 0:02:00, bytes 33, flags -

UDP Outside  66.104.81.70:5070 Inside  192.168.1.174:57609, idle 0:00:11, bytes 46, flags -

UDP Outside  64.4.23.156:33033 Inside  192.168.1.174:26511, idle 0:01:14, bytes 38, flags -

TCP Outside  65.54.167.15:12350 Inside  10.10.1.2:60491, idle 0:11:02, bytes 1405, flags UIO

TCP Outside  17.172.192.35:443 Inside  10.10.1.2:57812, idle 0:56:11, bytes 6116, flags UFIO

UDP Outside  157.55.56.176:33033 Inside  192.168.1.174:26511, idle 0:01:16, bytes 32, flags -

TCP Inside  192.168.1.20:53667 NP Identity Ifc  10.10.1.1:22, idle 0:00:00, bytes 37555, flags UOB

TCP Inside  10.10.1.2:53431 NP Identity Ifc  10.10.1.1:22, idle 0:09:03, bytes 20739, flags UOB

Ran on the ASA while overload statements were down on the router:

ASA5510#   packet-tracer input Inside tcp 192.168.1.100 12345 8.8.8.8 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         Outside

Phase: 2

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 1988699, packet dispatched to next module

Result:

input-interface: Inside

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: allow

Had to put these back in to get to the internet:

CISCO-2811#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

CISCO-2811(config)#inter

CISCO-2811(config)#interface f

CISCO-2811(config)#interface fastEthernet 0/0

CISCO-2811(config-if)#ip nat

CISCO-2811(config-if)#ip nat Outside

CISCO-2811(config-if)#exit

CISCO-2811(config)#in

CISCO-2811(config)#interface f

CISCO-2811(config)#interface fastEthernet 0/1.3

CISCO-2811(config-subif)#ip nat inside

CISCO-2811(config-subif)#exit

CISCO-2811(config)#$de source list 1 interface FastEthernet0/0 overload

CISCO-2811(config)#

Screenshot of ASDM:

asa.jpg

Super Bronze

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

Hi,

OK, this new output helped out a lot.

What we are essentially seeing is that the ASA is not doing any translation for this traffic. Even though there is a NAT configuration clearly set for all the LAN networks, it seems the ASA completely ignores it. What makes it strange is the fact that the NAT seems to work just fine for your Router's link network when the Dynamic PAT is enabled on the Router.

The "show conn all" output is something that I see every now and then and its always problem with either the ASA routing (or rather routing towards the ASA from the WAN) or missing NAT configuration. You see plenty of DNS queries that dont go through and also some TCP connections that timeout with SYN Timeout

If you can I would next suggest that you change the Dynamic PAT rule on the ASA and then remove the NAT configuration again on the Router.

nat (any,Outside) after-auto source dynamic any interface

no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

The NAT configuration we add should enable Dynamic PAT on the ASA for any source address. The next command will remove the current Dynamic PAT configuration with the "PAT-SOURCE" object.

I am not sure why it's not being matched, but it's starting to seem like a bug, and a major bug really, since this should be a very basic configuration. This is the very basic configuration type we use on our firewalls. If there is a major bug in the 9.1(4) software that somehow prevents this from working correctly, then it's a good thing to know. I will probably have to test this out myself also.

So can you try removing the Router NAT configurations again and then changing the NAT configuration on the ASA as described above.

- Jouni

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

JouniForss wrote:

Hi,

OK, this new output helped out a lot.

What we are essentially seeing is that the ASA is not doing any translation for this traffic. Even though there is a NAT configuration clearly set for all the LAN networks, it seems the ASA completely ignores it. What makes it strange is the fact that the NAT seems to work just fine for your Router's link network when the Dynamic PAT is enabled on the Router.

The "show conn all" output is something that I see every now and then, and it's always a problem with either the ASA routing (or rather routing towards the ASA from the WAN) or missing NAT configuration. You see plenty of DNS queries that don't go through and also some TCP connections that time out with SYN Timeout.

If you can I would next suggest that you change the Dynamic PAT rule on the ASA and then remove the NAT configuration again on the Router.

nat (any,Outside) after-auto source dynamic any interface

no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

The NAT configuration we add should enable Dynamic PAT on the ASA for any source address. The next command will remove the current Dynamic PAT configuration with the "PAT-SOURCE" object.

I am not sure why it's not being matched, but it's starting to seem like a bug, and a major bug really, since this should be a very basic configuration. This is the very basic configuration type we use on our firewalls. If there is a major bug in the 9.1(4) software that somehow prevents this from working correctly, then it's a good thing to know. I will probably have to test this out myself also.

So can you try removing the Router NAT configurations again and then changing the NAT configuration on the ASA as described above.

- Jouni

I will have to do it this afternoon when I get home from work. If I do it remotely I will get disconnected.

So, when I get ready to do this I should add this statement on to the ASA:

nat (any,Outside) after-auto source dynamic any interface

And remove this statement:

no nat (any,Outside) after-auto source dynamic PAT-SOURCE interface

Then do the other steps on the 2811:

no ip nat outside on FastEthernet 0/0 on the 2811

no ip nat inside on the FastEthernet 0/1.3 on the 2811

no ip nat inside source list 1 interface FastEthernet0/0 overload on the 2811

Super Bronze

ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traff

Hi,

Pretty much as you described, though the order you do it in doesn't really matter; the above order should be fine.

Seems to me at this point the ASA is the reason your Internet does not work after the previous changes. It seems that the ASA just simply ignores the Dynamic PAT you currently have for the LAN networks behind the router even though they are defined there.

Who knows, it might even ignore the above suggested command but the ASA is probably the device we should be looking at to get the connections working after removing the Router NAT.

Just to be sure, you could try to issue this command on the Router. I am not really sure if it's needed since you are removing the NAT configurations.

clear ip nat translation *

- Jouni

New Member

ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traff

That worked! I can now hit the internet with those statements removed and that other statement in place.

I will have to try to hit external resources from the outside, but this is definitely a step forward!

New Member

Re: ASA 5510 with Cisco 2811 Router Behind it - Not forwarding t

I have another question. How do I allow VPN connections through? I use OpenVPN, but now that we made those changes I am unable to establish tunnels. Any ideas?

That would be L2TP VPNs.

Super Bronze

ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traff

Hi,

The only thing we did was remove Dynamic PAT from the Router and change the Dynamic PAT on the ASA to a somewhat identical configuration to the previous one to get it working.

I am not sure how this would affect anything that was in use before.

I am not sure between which devices you use the VPN. I am not personally familiar with L2TP as I have never used it/configured it.

- Jouni

New Member

ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traff

JouniForss wrote:

Hi,

The only thing we did was remove Dynamic PAT from the Router and change the Dynamic PAT on the ASA to a somewhat identical configuration to the previous one to get it working.

I am not sure how this would affect anything that was in use before.

I am not sure between which devices you use the VPN. I am not personally familiar with L2TP as I have never used it/configured it.

- Jouni

Well it worked and now stuff is routing correctly for inside stuff.

The VPN is one I use to connect all over the US. It is an OpenVPN client, and I have to set up rules to allow it to create tunnels through the ASA. I'll see if I can find it, but the only page I found talks about PIX firewalls and a dozen different versions, and I am not sure which one I have.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/18806-pix-pptp.html

For example, that is an instruction page, but I am not sure which ones to use.

The IP I will be making the tunnel out of is 192.168.1.20 and the destination will be any.
