Cisco Support Community

DSL to ASA5510

I am brain dead when it comes to security for some reason. I have an ADSL Zyxel router plugged into an ASA 5510 and I am trying to do a simple translation:

DSL -> 84.12.169.200 Zyxel DSL Router PPPoA 192.168.100.9 -> 192.168.100.10 ASA 5510

I am simply trying to send port 443 to IP address 10.100.3.21, located on the inside interface, but it is not working. I have tried various combinations using the 192.168.100.9 and public addresses. What am I doing wrong?

Result of the command: "show run"

: Saved
:
ASA Version 8.0(4)
!
hostname ICD-PG-ASA-01
domain-name icdt.org.uk
enable password 4NnTfJ8McbjOev2J encrypted
passwd 4NnTfJ8McbjOev2J encrypted
names
name 10.100.3.21 TIM description TIM Server
name 84.12.169.200 PUBLIC_ADDRESS description Port Glasgow Broadband Public Address
name 10.100.3.20 CCM description Call Manager
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.10 255.255.255.252
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.200.3.10 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 ospf cost 10
 management-only
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.210.3.21
 name-server 10.200.2.21
 domain-name icdt.org.uk
object-group network ICDT_Networks
 description ICDT Internal Networks
 network-object 10.100.0.0 255.255.0.0
 network-object 10.200.0.0 255.255.0.0
 network-object 10.210.0.0 255.255.255.0
object-group network Mail
 description Mail Servers
 network-object host 10.210.3.22
object-group service Mail_ports
 description Mail Ports
 service-object tcp eq https
 service-object tcp eq smtp
access-list inside_nat0_outbound extended permit ip 10.200.3.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 10.80.3.0 255.255.255.0
access-list outside_access_in extended permit tcp any eq https host PUBLIC_ADDRESS eq https
access-list outside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit tcp host TIM eq https any eq https inactive
access-list inside_access_in extended permit tcp any any eq https
access-list inside_nat_static extended permit tcp host TIM eq https any
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN 10.80.3.50-10.80.3.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) tcp PUBLIC_ADDRESS https TIM https netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!
router ospf 1
 network 10.200.3.0 255.255.255.0 area 0
 network 192.168.100.8 255.255.255.252 area 0
 area 0
 log-adj-changes
 default-information originate metric 1
!
route outside 0.0.0.0 0.0.0.0 192.168.100.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.80.3.0 255.255.255.0 outside
http 10.100.3.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 management
http 10.200.0.0 255.255.0.0 inside
snmp-server host inside TIM community icdtrrw
snmp-server location Port Glasgow
no snmp-server contact
snmp-server community icdtrw
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.80.3.0 255.255.255.0 outside
telnet 10.200.0.0 255.255.0.0 inside
telnet 10.1.0.0 255.255.0.0 inside
telnet 10.100.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.10.2-192.168.10.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 132.163.4.101 source outside
ntp server 132.163.4.102 source outside
ntp server 132.163.4.103 source outside
ntp server 131.107.1.10 source outside
group-policy VPN_UNRESTRICTED internal
group-policy VPN_UNRESTRICTED attributes
 dns-server value 10.210.3.20 10.200.2.20
 vpn-tunnel-protocol IPSec
username crawforde password fvFXLK8hmMQ6xycH encrypted privilege 15
username Administrator password sr9nyF6F4pWPyBot encrypted privilege 15
username commsfm password kAu0GvAYo6iGTAg3 encrypted privilege 15
username commsfm attributes
 vpn-group-policy VPN_UNRESTRICTED
tunnel-group VPN_UNRESTRICTED type remote-access
tunnel-group VPN_UNRESTRICTED general-attributes
 address-pool VPN
 default-group-policy VPN_UNRESTRICTED
tunnel-group VPN_UNRESTRICTED ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a78724a86f26e65b77b359dd1ed780ae
: end
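The following is an added example, not the poster's configuration or a reply from the thread. It shows how the translation described above is normally expressed on ASA 8.0(4) when the public address belongs to the DSL router rather than to the firewall. It assumes the Zyxel forwards TCP/443 arriving on 84.12.169.200 to the ASA outside address 192.168.100.10, so the ASA only ever sees 192.168.100.10 as the destination and a static that maps PUBLIC_ADDRESS can never match. It also drops the source-port match in the posted outside ACE (`permit tcp any eq https host PUBLIC_ADDRESS eq https`): the first `eq https` applies to the client's source port, which ordinary browsers never use. The client address 203.0.113.5 in the packet-tracer line is a constructed test value.

```cisco
! Added example (not from the post): TCP/443 port-forward to TIM on ASA 8.0(4)
! Assumption: the Zyxel owns 84.12.169.200 and forwards TCP/443 to the ASA
! outside address 192.168.100.10, so the ASA must translate its own address.
!
! 1. Remove the static that uses an address the ASA does not own, and the
!    outside ACE that only matches clients whose SOURCE port is 443.
no static (inside,outside) tcp PUBLIC_ADDRESS https TIM https netmask 255.255.255.255
no access-list outside_access_in extended permit tcp any eq https host PUBLIC_ADDRESS eq https
!
! 2. Static PAT: outside interface address, port 443 -> TIM, port 443.
static (inside,outside) tcp interface https TIM https netmask 255.255.255.255
!
! 3. Pre-8.3 ACLs match the untranslated (outside) destination address, so the
!    inbound ACE names the ASA outside address and carries no source-port test.
access-list outside_access_in extended permit tcp any host 192.168.100.10 eq https
!
! 4. Verify on the ASA before touching the Zyxel: the trace should end with
!    "Action: allow" and the NAT phase should show 192.168.100.10/443 -> TIM/443.
!    203.0.113.5 is a constructed client address for the test.
packet-tracer input outside tcp 203.0.113.5 40000 192.168.100.10 443
show xlate
```

One caveat to check before applying this: the posted config has `http 10.80.3.0 255.255.255.0 outside`, which makes the ASDM/HTTPS server listen on the outside interface on TCP/443 as well, and an interface PAT on the same port collides with it. Either move the management listener to another port (`http server enable 8443`) or remove the outside `http` line, then re-run the packet-tracer.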
