
I don’t know where’s the problem !!!

Hello,

I spent 3 days trying to ping or to reach anything from

192.168.14.1    to      192.168.21.1

And it’s not working. Can anyone help?

Thanks

ASA Version 8.2(2)16

!

hostname ASA

domain-name corp.local

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.1.1.2  255.255.255.252

!

interface Ethernet0/1

no nameif

security-level 50

no ip address

!

interface Ethernet0/1.20

vlan 20

nameif DMZ

security-level 50

ip address 192.168.20.1 255.255.255.0

!

interface Ethernet0/1.21

vlan 21

nameif DMZ2

security-level 50

ip address 192.168.21.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

nameif inside

security-level 100

ip address 192.168.14.2 255.255.255.0

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa822-16-k8.bin

ftp mode passive

clock timezone GST 4

dns domain-lookup inside

dns server-group DefaultDNS

name-server DC01-inside-10.11

name-server DC02-inside-10.12

domain-name corp.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network Corp-Domains

network-object host DC01-inside-10.11

network-object host DC02-inside-10.12

object-group network Users

network-object Wireless-Users-13 255.255.255.0

network-object Wired-users-14 255.255.255.0

object-group network DC-DNS

network-object host DC01-inside-10.11

network-object host DC02-inside-10.12

access-list inside_access_in extended permit ip any any inactive

access-list inside_access_in extended deny udp object-group Users host Etisalat-DNS eq domain

access-list inside_access_in extended permit udp any any eq domain

access-list inside_access_in extended permit icmp object-group Users any

access-list inside_access_in extended permit ip 192.168.50.0 255.255.255.0 any

access-list inside_access_in extended permit tcp object-group Users any eq www

access-list inside_access_in extended permit tcp object-group Users any eq 666

access-list inside_access_in extended permit tcp Server-Farm-10 255.255.255.0 any eq 8080

access-list inside_access_in extended permit tcp object-group Users any eq https

access-list inside_access_in extended permit tcp object-group Users any eq 8080

access-list inside_access_in extended permit tcp object-group Users any eq ssh

access-list inside_access_in extended permit icmp Server-Farm-10 255.255.255.0 any

access-list inside_access_in extended permit tcp Server-Farm-10 255.255.255.0 any eq www

access-list inside_access_in extended permit tcp Server-Farm-10 255.255.255.0 any eq https

access-list inside_access_in extended permit tcp host 192.168.10.15 host 192.168.20.11 eq smtp

access-list inside_access_in extended permit tcp host 192.168.10.16 host 192.168.21.16 eq 5062

access-list inside_access_in extended permit tcp host 192.168.10.16 host 192.168.21.16 eq 8057

access-list inside_access_in extended permit tcp host 192.168.10.15 host 192.168.20.11 eq 50636

access-list inside_access_in extended permit tcp host 192.168.10.16 host 192.168.21.16 eq 4443

access-list inside_access_in extended permit tcp host 192.168.10.16 host 192.168.21.16 eq 5061

access-list inside_access_in extended permit tcp any any eq 3389

access-list DMZ_access_in extended permit tcp host 192.168.20.13 Server-Farm-10 255.255.255.0 eq 3389

access-list fromout extended permit icmp any any

access-list fromdmz extended permit udp any host DC01-inside-10.11 eq domain

access-list fromdmz extended permit udp any host DC02-inside-10.12 eq domain

access-list fromdmz extended permit tcp 192.168.20.0 255.255.255.0 any eq www

access-list fromdmz extended permit tcp 192.168.20.0 255.255.255.0 any eq https

access-list fromdmz extended permit icmp 192.168.20.0 255.255.255.0 any

access-list fromdmz extended permit tcp 192.168.20.0 255.255.255.0 any eq smtp

access-list fromdmz extended permit udp 192.168.20.0 255.255.255.0 any eq domain

access-list fromdmz extended permit ip any any

access-list DMZ_access_in_1 extended permit ip any any inactive

access-list DMZ_access_in_1 extended permit tcp any any eq pptp

access-list DMZ_access_in_1 extended permit icmp any any

access-list DMZ_access_in_1 extended permit tcp any any eq smtp

access-list DMZ_access_in_1 extended permit udp any any eq domain

access-list DMZ_access_in_1 extended permit tcp any any eq www

access-list DMZ_access_in_1 extended permit tcp any any eq https

access-list DMZ_access_in_1 extended permit tcp any any eq ssh

access-list DMZ2_access_in extended permit ip any any inactive

access-list DMZ2_access_in extended permit ip 192.168.21.0 255.255.255.0 Server-Farm-10 255.255.255.0 inactive

access-list DMZ2_access_in extended permit ip 192.168.21.0 255.255.255.0 Wireless-Users-13 255.255.255.0 inactive

access-list DMZ2_access_in extended permit ip host 192.168.21.12 host DC01-inside-10.11

access-list DMZ2_access_in extended permit ip host 192.168.21.12 host DC02-inside-10.12

access-list DMZ2_access_in extended permit udp host 192.168.21.16 host Etisalat-DNS eq domain

access-list DMZ2_access_in extended permit tcp 192.168.21.0 255.255.255.0 object-group Users eq 3389 inactive

access-list DMZ2_access_in extended permit udp host 192.168.21.10 host DC01-inside-10.11 eq domain

access-list DMZ2_access_in extended permit udp host 192.168.21.10 host DC02-inside-10.12 eq domain

access-list to-out extended permit ip any any inactive

access-list to-out extended permit tcp any any eq 3389

access-list to-out extended permit tcp any any eq pptp

access-list to-out extended permit icmp any any

access-list to-out extended permit udp any any eq domain

access-list to-out extended permit tcp any any eq 8080 inactive

access-list to-out extended permit tcp any any eq https

access-list to-out extended permit tcp any any eq www

access-list to-out extended permit tcp any any eq smtp

access-list inside_nat0_outbound extended permit ip Server-Farm-10 255.255.255.0 192.168.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.50.0 255.255.255.0

access-list outside_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 any

access-list splitt-tunnel standard permit Server-Farm-10 255.255.255.0

access-list splitt-tunnel standard permit 192.168.20.0 255.255.255.0

access-list splitt-tunnel standard permit 192.168.21.0 255.255.255.0

access-list splitt-tunnel standard permit 192.168.12.0 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 any

pager lines 24

logging enable

logging trap emergencies

logging asdm informational

mtu outside 1500

mtu DMZ 1500

mtu DMZ2 1500

mtu inside 1500

mtu management 1500

ip local pool VPN-Users 192.168.50.10-192.168.50.245 mask 255.255.255.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any DMZ

icmp permit any DMZ2

icmp permit any inside

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

global (outside) 1 1.1.1.1. netmask 255.0.0.0

nat (outside) 0 access-list outside_nat0_outbound

nat (DMZ) 0 access-list DMZ_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 Server-Farm-10 255.255.255.0

nat (inside) 1 Wireless-Users-13 255.255.255.0

nat (inside) 1 Wired-users-14 255.255.255.0

static (inside,DMZ) Wired-users-14 Wired-users-14 netmask 255.255.255.0

static (inside,DMZ) Wireless-Users-13 Wireless-Users-13 netmask 255.255.255.0

static (inside,DMZ) Server-Farm-10 Server-Farm-10 netmask 255.255.255.0

static (inside,DMZ2) Server-Farm-10 Server-Farm-10 netmask 255.255.255.0

static (inside,DMZ2) Wireless-Users-13 Wireless-Users-13 netmask 255.255.255.0

access-group fromout in interface outside

access-group to-out out interface outside

access-group DMZ_access_in_1 in interface DMZ

access-group DMZ2_access_in in interface DMZ2

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 3.3.3.3 1

route inside Server-Farm-10 255.255.255.0 192.168.10.1 1

route inside 192.168.12.0 255.255.255.0 192.168.12.1 1

route inside Wireless-Users-13 255.255.255.0 192.168.13.1 1


Re: I don’t know where’s the problem !!!

Hi

First of all, why are you implementing 192.168.14.2 as the interface on the ASA? All of the other interfaces are .1.

And also, why are you trying to reach something on the ASA interface IP address?

Second thing, what exactly are you trying to make happen here?

What is the purpose?

The third thing you can do is to use Packet Tracer to let you see where the packets fail.

In your case that would be to start the CLI:

packet-tracer input inside tcp 192.168.14.1 1025 192.168.21.1 80

as an example
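
The access-list lookup that packet-tracer would report for that flow can be checked offline against the posted rules. The sketch below is an added example, not part of the original thread: it evaluates a subset of `inside_access_in` with first-match semantics and skips `inactive` entries. The name-to-address mappings are assumptions, because the post does not include its `name` statements, and only the ACL step is modelled (no NAT, routing, or handling of traffic addressed to the ASA itself).

```python
import ipaddress

# ASSUMED name-to-address mappings: the post omits its "name" statements.
NAMES = {"Wireless-Users-13": "192.168.13.0", "Wired-users-14": "192.168.14.0"}
GROUPS = {"Users": ["Wireless-Users-13 255.255.255.0", "Wired-users-14 255.255.255.0"]}
PORTS = {"domain": 53, "www": 80}

# Subset of inside_access_in copied from the post, in the posted order.
ACL = """\
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit icmp object-group Users any
access-list inside_access_in extended permit tcp object-group Users any eq www
access-list inside_access_in extended permit tcp host 192.168.10.16 host 192.168.21.16 eq 5061
access-list inside_access_in extended permit tcp any any eq 3389
"""

def net(addr, mask="255.255.255.255"):
    """Build a network from an address (or assumed name) and a dotted mask."""
    return ipaddress.ip_network(f"{NAMES.get(addr, addr)}/{mask}")

def take_addr(tok):
    """Consume one address spec from the token list; return its networks."""
    kind = tok.pop(0)
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "host":
        return [net(tok.pop(0))]
    if kind == "object-group":
        return [net(*member.split()) for member in GROUPS[tok.pop(0)]]
    return [net(kind, tok.pop(0))]          # "<network> <mask>" form

def first_match(acl_text, proto, src, dst, dport=None):
    """Return (action, ACE text) for the first active entry matching the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl_text.splitlines():
        tok = line.split()[3:]              # drop "access-list <name> extended"
        if not tok or tok[-1] == "inactive":
            continue                        # inactive entries are skipped
        action, ace_proto = tok.pop(0), tok.pop(0)
        srcs, dsts = take_addr(tok), take_addr(tok)
        if ace_proto not in ("ip", proto):
            continue
        if tok[:1] == ["eq"] and int(PORTS.get(tok[1], tok[1])) != dport:
            continue
        if any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action, line
    return "deny", "implicit deny at end of ACL"
```

Calling `first_match(ACL, "tcp", "192.168.14.1", "192.168.21.1", 80)` reproduces the flow from the packet-tracer command above. A permit here only shows that the inbound interface ACL is not what drops the packet.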
