Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

2 routers - Same LAN

Good morning to all!

We are in the process of transitioning from one ISP to another. We’ll be changing our public IP addresses from 168.xx.xx.0/24 to 204.xx.xx.16/28 as well as replacing a PIX 515 with an ASA-5510. All of the public DNS entries still point to the 168.xx.xx.0 range. To make the DNS switchover as seamless as possible, I have connected the ASA in parallel with the PIX. The purpose of this is for when the DNS switchover is done, any traffic previously aimed at the PIX will go to the ASA. Once that works as it should, I’ll disconnect the PIX. The attached diagram gives the topology of what’s going on…

I’m far from being proficient in configuring routers and firewalls but I have given it a shot. The ASA config is shown below. With a computer connected to the internal network (IP: 10.165.11.xx/255.255.255.0 – GW: 10.165.11.10). I can surf and access the servers in the DMZ, including Outlook Web Access on the Hub server. All of the other internal computers (IP: 10.165.11.0/24 – GW: 10.165.11.1) have connectivity as usual.

When connected to the outside world (with an AirCard for example), I can’t access the web servers, OWA or VPN. Here’s the ping, tracert and nslookup results for the web server:

C:\>ping 204.xx.xx.20

Pinging 204.xx.xx.20 with 32 bytes of data:
Reply from 168.xx.xx.3: bytes=32 time=143ms TTL=110
Reply from 168. xx.xx.3: bytes=32 time=122ms TTL=110
Reply from 168. xx.xx.3: bytes=32 time=141ms TTL=110
Reply from 168. xx.xx.3: bytes=32 time=159ms TTL=110

Ping statistics for 204. xx.xx.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 122ms, Maximum = 159ms, Average = 141ms

C:\>tracert 204. xx.xx.20

Tracing route to dsl-13-20.g1.ncbrvr.ips.Net [204. xx.xx.20]
over a maximum of 30 hops:

  1   103 ms    85 ms    87 ms  h-75-116-245-29.ip.alltel.net
  2   101 ms    88 ms    97 ms  127.sub-66-174-168.myvzw.com
  3   130 ms   113 ms   108 ms  201.sub-69-83-43.myvzw.com
  4   105 ms   102 ms    92 ms  98.sub-66-174-36.myvzw.com
  5   107 ms    94 ms    99 ms  6.sub-69-83-33.myvzw.com
  6   105 ms    89 ms    99 ms  3.sub-69-83-33.myvzw.com
  7   118 ms    92 ms    93 ms  253.sub-69-83-33.myvzw.com
  8   108 ms    93 ms   195 ms  12.89.31.61
  9   123 ms   116 ms   108 ms  cr81.fldfl.ip.att.net
10   130 ms   119 ms   209 ms  cr2.ormfl.ip.att.net
11   131 ms   117 ms   123 ms  cr1.attga.ip.att.net
12   231 ms   113 ms   121 ms  attga03jt.ip.att.net
13   130 ms   114 ms   113 ms  192.205.34.234
14   130 ms   112 ms   110 ms  us-carrier-109356-atl-bb1.c.telia.net
15   132 ms   120 ms   121 ms  209.221.47.138
16   128 ms   125 ms   138 ms  207.144.173.43
17   136 ms   129 ms   142 ms  www.cccc.org [168. xx.xx.3]

Trace complete.

C:\>nslookup www.cccc.org
Server:  h-75-115-111-154.ip.alltel.net
Address:  75.115.111.154

Non-authoritative answer:
Name:    www.cccc.org
Address:  168. xx.xx.3

Somewhere, the 204.xx.xx.20 address translates back to 168.xx.xx.3.

The ASA log shows:
- Built inbound TCP connection 1225 for outside:75.111.111.47/49234 (75.111.111.47/49234) to dmz:web/80 (web-outside/80)
- ….
- Teardown TCP connection 1225 for outside:75.111.111.47/49234 to dmz:web/80 duration 0:00:30 bytes 0 SYN Timeout

Any help on figuring this out would be greatly appreciated! Also, fell free to correct any of my stupid router config mistakes…

Thanks,
Dave

ASA Version 8.2(3)
!
hostname cccc-asa
domain-name cccc.org
enable password qucvXv6yXeNYVlPA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.165.11.13 ad1 description File server
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 10.165.10.10 sdfs description SDFS server
name 10.165.10.3 web description Web server
name 204.xx.xx.21 mail-outside description Edge public
name 10.165.10.16 moodle description Moodle server
name 204.xx.xx.22 moodle-outside description Moodle public
name 204.xx.xx.26 owa-outside description OWA public
name 10.165.11.25 polycom description Polycom
name 204.xx.xx.29 polycom-outside description Polycom
name 10.165.10.12 remacc description Remacc server
name 204.xx.xx.30 remacc-outside description Remacc public
name 204.xx.xx.23 sdfs-outside description SDFS public
name 204.xx.xx.20 web-outside description Web public
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 204.xx.xx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.10 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.50 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
dns server-group DefaultDNS
name-server ad1
domain-name cccc.org
same-security-traffic permit inter-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3306
port-object eq www
object-group service remacc-ports
description Ports for remote access
service-object gre
service-object esp
service-object tcp eq pptp
service-object udp eq isakmp
object-group service edge-in-ports
description Edge to LAN ports
service-object tcp range 1025 1026
service-object tcp eq 135
service-object tcp range 3268 3269
service-object tcp eq 445
service-object tcp eq 50636
service-object tcp eq 88
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service polycom-ports
description Ports for Polycom
service-object tcp-udp eq 3230
service-object tcp-udp eq 3235
service-object tcp eq h323
object-group service icmp-service
description ICMP services
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp unreachable
service-object icmp6 echo-reply
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp eq www
access-list outside_access_in remark Public access to web server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host web-outside
access-list outside_access_in remark Public access to Moodle server
access-list outside_access_in extended permit tcp any host moodle-outside object-group DM_INLINE_TCP_1
access-list outside_access_in remark Incoming email
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list outside_access_in remark Public access to SDFS server
access-list outside_access_in extended permit tcp any host sdfs-outside eq www
access-list outside_access_in remark Public access to remote access server
access-list outside_access_in extended permit object-group remacc-ports any host remacc-outside
access-list outside_access_in remark Public access to Polycom
access-list outside_access_in extended permit object-group polycom-ports any host polycom-outside
access-list outside_access_in remark Outlook Web Access to Hub server
access-list outside_access_in extended permit tcp any host owa-outside eq https
access-list dmz_access_in remark Edge to LAN email transport and authentication
access-list dmz_access_in extended permit object-group edge-in-ports host edge 10.165.11.0 255.255.255.0
access-list dmz_access_in remark DMZ ICMP to LAN
access-list dmz_access_in extended permit icmp any 10.165.11.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 10.165.10.141-10.165.10.220 netmask 255.255.255.0
nat (inside) 0 10.165.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
static (inside,outside) owa-outside hub netmask 255.255.255.255
static (inside,outside) polycom-outside polycom netmask 255.255.255.255
static (dmz,outside) sdfs-outside sdfs netmask 255.255.255.255
static (dmz,outside) remacc-outside remacc netmask 255.255.255.255
static (dmz,outside) moodle-outside moodle netmask 255.255.255.255
static (outside,dmz) web web-outside netmask 255.255.255.255
static (dmz,outside) web-outside web netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 204.xx.xx.17 1
route inside 10.165.12.0 255.255.255.0 10.165.11.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.165.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f9041cddad9b754484a660d4decf7e3
: end

  • WAN Routing and Switching
Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: 2 routers - Same LAN

daverutz58 wrote:

Thanks Jon,

I have added those commands and here's what sh run shows:

     access-list toweb extended permit tcp any host 204.xx.xx.20

     global (inside) 10 interface

     nat (outside) 10 access-list toweb outside

Now the ASA log shows:

     portmap translation creation failed for tcp src outside:75.202.104.47/49245 dst dmz:web-outside/80

I can't browse to 204.xx.xx.20 and the ping is still replied by 168.xx.xx.3...

Dave

Is the server on the DMZ ? If so it should be

global (dmz) 10 interface

Jon

6 REPLIES
Hall of Fame Super Blue

Re: 2 routers - Same LAN

I think the problem you have is that the internal web server is sending it's replies via the pix and not the ASA. So the traffic coming from the outside goes through the ASA but the return ping is coming via the pix.

If so you need to nat the source IPs on the ASA to the inside interface of the ASA so the return traffic would be routed back to the ASA instead of the pix eg.on your ASA

access-list toweb permit tcp any host 204.xx.xx.20

nat (outside) 10 accesslist toweb outside

global (10) inside interface

Jon

New Member

Re: 2 routers - Same LAN

Thanks Jon,

I have added those commands and here's what sh run shows:

     access-list toweb extended permit tcp any host 204.xx.xx.20

     global (inside) 10 interface

     nat (outside) 10 access-list toweb outside

Now the ASA log shows:

     portmap translation creation failed for tcp src outside:75.202.104.47/49245 dst dmz:web-outside/80

I can't browse to 204.xx.xx.20 and the ping is still replied by 168.xx.xx.3...

Dave

Hall of Fame Super Blue

Re: 2 routers - Same LAN

daverutz58 wrote:

Thanks Jon,

I have added those commands and here's what sh run shows:

     access-list toweb extended permit tcp any host 204.xx.xx.20

     global (inside) 10 interface

     nat (outside) 10 access-list toweb outside

Now the ASA log shows:

     portmap translation creation failed for tcp src outside:75.202.104.47/49245 dst dmz:web-outside/80

I can't browse to 204.xx.xx.20 and the ping is still replied by 168.xx.xx.3...

Dave

Is the server on the DMZ ? If so it should be

global (dmz) 10 interface

Jon

New Member

Re: 2 routers - Same LAN

That did it! I added the other DMZ servers to the toweb access-list and I can reach those too.

     - web-outside

     - moodle-outside

     - sdfs-outside

     - owa-outside

     - remacc-outside

Next issue is when an external client tries to connect with their VPN. Traffic goes to 204.116.82.30 (in the DMZ) which then sends the authentication request to the NPS server 10.165.11.13 (AD server in the LAN). The user sees the "Verifying user name and password..." but the connection fails. Everything works fine when the client connects to 168.xx.xx.12.

ASA logs show:

     - Built inbound TCP connection 357 for outside:75.202.104.47/49426 (10.165.10.50/26423) to dmz:remacc/1723 (remacc-outside/1723)
     - Built inbound GRE connection 358 from outside:75.202.104.47 (75.202.104.47) to dmz:remacc/4804 (remacc-outside/4804)
     - Teardown TCP connection 357 for outside:75.202.104.47/49426 to dmz:remacc/1723 duration 0:00:37 bytes 732 TCP FINs
     - Deny TCP (no connection) from 75.202.104.47/49426 to remacc-outside/1723 flags ACK  on interface outside

     - Teardown GRE connection 358 from outside:75.202.104.47 to dmz:remacc/4804 duration 0:02:32 bytes 210

I've reposted the config after the changes. Thanks for your help!

Dave

ASA Version 8.2(3)
!
hostname cccc-asa
domain-name cccc.org
enable password qucvXv6yXeNYVlPA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.165.11.13 ad1 description File server
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 10.165.10.10 sdfs description SDFS server
name 10.165.10.3 web description Web server
name 204.xx.xx.21 mail-outside description Edge public
name 10.165.10.16 moodle description Moodle server
name 204.xx.xx.22 moodle-outside description Moodle public
name 204.xx.xx.26 owa-outside description OWA public
name 10.165.11.25 polycom description Polycom
name 204.xx.xx.29 polycom-outside description Polycom
name 10.165.10.12 remacc description Remacc server
name 204.xx.xx.30 remacc-outside description Remacc public
name 204.xx.xx.23 sdfs-outside description SDFS public
name 204.xx.xx.20 web-outside description Web public
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 204.xx.xx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.10 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.50 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
dns server-group DefaultDNS
name-server ad1
domain-name fdresa.org
same-security-traffic permit inter-interface
object-group service remacc-ports
description Ports for remote access
service-object gre
service-object esp
service-object tcp eq pptp
service-object udp eq isakmp
object-group service edge-in-ports
description Edge to LAN ports
service-object tcp range 1025 1026
service-object tcp eq 135
service-object tcp range 3268 3269
service-object tcp eq 445
service-object tcp eq 50636
service-object tcp eq 88
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service polycom-ports
description Ports for Polycom
service-object tcp-udp eq 3230
service-object tcp-udp eq 3235
service-object tcp eq h323
object-group service icmp-service
description ICMP services
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp unreachable
service-object icmp6 echo-reply
object-group service DM_INLINE_SERVICE_1
group-object remacc-ports
service-object icmp
object-group network DM_INLINE_NETWORK_1
network-object host web-outside
network-object host moodle-outside
network-object host sdfs-outside
network-object host owa-outside
network-object host remacc-outside
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3306
port-object eq www
access-list outside_access_in remark Public access to web server
access-list outside_access_in extended permit tcp any host web-outside eq www
access-list outside_access_in remark Public access to Moodle server
access-list outside_access_in extended permit tcp any host moodle-outside object-group DM_INLINE_TCP_1
access-list outside_access_in remark Incoming email
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list outside_access_in remark Public access to SDFS server
access-list outside_access_in extended permit tcp any host sdfs-outside eq www
access-list outside_access_in remark Public access to remote access server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host remacc-outside
access-list outside_access_in remark Public access to Polycom
access-list outside_access_in extended permit object-group polycom-ports any host polycom-outside
access-list outside_access_in remark Outlook Web Access to Hub server
access-list outside_access_in extended permit tcp any host owa-outside eq https
access-list dmz_access_in remark Edge to LAN email transport and authentication
access-list dmz_access_in extended permit object-group edge-in-ports host edge 10.165.11.0 255.255.255.0
access-list dmz_access_in remark DMZ ICMP to LAN
access-list dmz_access_in extended permit icmp any 10.165.11.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in remark VPN authentication with AD
access-list dmz_access_in extended permit object-group remacc-ports host remacc host ad1
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Reply to authentication for VPN
access-list inside_access_in extended permit object-group remacc-ports any host remacc
access-list toweb extended permit tcp any object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (inside) 10 interface
global (dmz) 1 10.165.10.141-10.165.10.220 netmask 255.255.255.0
global (dmz) 10 interface
nat (outside) 10 access-list toweb outside
nat (inside) 0 10.165.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
static (inside,outside) owa-outside hub netmask 255.255.255.255
static (inside,outside) polycom-outside polycom netmask 255.255.255.255
static (dmz,outside) sdfs-outside sdfs netmask 255.255.255.255
static (dmz,outside) remacc-outside remacc netmask 255.255.255.255
static (dmz,outside) moodle-outside moodle netmask 255.255.255.255
static (dmz,outside) web-outside web netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 204.116.82.17 1
route inside 10.165.12.0 255.255.255.0 10.165.11.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.165.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:41a5061f32798a6d1c43ff1582a108e0
: end

New Member

Re: 2 routers - Same LAN

Got VPN working by adding:

     policy-map global_policy
     class inspection_default
     inspect pptp

I'm about to do the public DNS changes so hope everything will go smoothly. My main concern besides the VPN is that email will flow correctly between the Edge (DMZ) and Hub (LAN) servers...

If anyone would like to double-check the config and tell me if anything is missing or superfluous, please fell free to do so! If needed, the network diagram is attached to my original post.

Thanks again!

Dave

ASA Version 8.2(3)
!
hostname cccc-asa
domain-name cccc.org
enable password qucvXv6yXeNYVlPA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.165.11.13 ad1 description File server
name 10.165.10.6 edge description Edge server
name 10.165.11.15 hub description Hub server
name 10.165.10.10 sdfs description SDFS server
name 10.165.10.3 web description Web server
name 204.xx.xx.21 mail-outside description Edge public
name 10.165.10.16 moodle description Moodle server
name 204.xx.xx.22 moodle-outside description Moodle public
name 204.xx.xx.26 owa-outside description OWA public
name 10.165.11.25 polycom description Polycom
name 204.xx.xx.29 polycom-outside description Polycom
name 10.165.10.12 remacc description Remacc server
name 204.xx.xx.30 remacc-outside description Remacc public
name 204.xx.xx.23 sdfs-outside description SDFS public
name 204.xx.xx.20 web-outside description Web public
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 204.xx.xx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.165.11.10 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 70
ip address 10.165.10.50 255.255.255.0
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup management
dns server-group DefaultDNS
name-server ad1
domain-name cccc.org
same-security-traffic permit inter-interface
object-group service remacc-ports
description Ports for remote access
service-object gre
service-object tcp eq pptp
object-group service edge-in-ports
description Edge to LAN ports
service-object tcp range 1025 1026
service-object tcp eq 135
service-object tcp range 3268 3269
service-object tcp eq 445
service-object tcp eq 50636
service-object tcp eq 88
service-object tcp eq domain
service-object tcp eq ldap
service-object tcp eq smtp
object-group service polycom-ports
description Ports for Polycom
service-object tcp-udp eq 3230
service-object tcp-udp eq 3235
service-object tcp eq h323
object-group service icmp-service
description ICMP services
service-object icmp echo-reply
service-object icmp source-quench
service-object icmp time-exceeded
service-object icmp unreachable
service-object icmp6 echo-reply
object-group service DM_INLINE_SERVICE_1
group-object remacc-ports
service-object icmp
object-group network DM_INLINE_NETWORK_1
network-object host web-outside
network-object host moodle-outside
network-object host sdfs-outside
network-object host owa-outside
network-object host remacc-outside
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq 3268
access-list outside_access_in remark Public access to web server
access-list outside_access_in extended permit tcp any host web-outside eq www
access-list outside_access_in remark Public access to Moodle server
access-list outside_access_in extended permit tcp any host moodle-outside object-group DM_INLINE_TCP_1
access-list outside_access_in remark Incoming email
access-list outside_access_in extended permit tcp any host mail-outside eq smtp
access-list outside_access_in remark Public access to SDFS server
access-list outside_access_in extended permit tcp any host sdfs-outside eq www
access-list outside_access_in remark Public access to remote access server
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host remacc-outside
access-list outside_access_in remark Public access to Polycom
access-list outside_access_in extended permit object-group polycom-ports any host polycom-outside
access-list outside_access_in remark Outlook Web Access to Hub server
access-list outside_access_in extended permit tcp any host owa-outside eq https
access-list dmz_access_in remark Edge to LAN email transport and authentication
access-list dmz_access_in extended permit object-group edge-in-ports host edge 10.165.11.0 255.255.255.0
access-list dmz_access_in remark DMZ ICMP to LAN
access-list dmz_access_in extended permit icmp any 10.165.11.0 255.255.255.0
access-list dmz_access_in extended permit ip any any inactive
access-list dmz_access_in extended permit object-group remacc-ports host remacc 10.165.11.0 255.255.255.0
access-list dmz_access_in remark Outgoing email
access-list dmz_access_in extended permit tcp host edge any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Reply to authentication for VPN
access-list inside_access_in extended permit object-group remacc-ports host ad1 host remacc
access-list toweb extended permit tcp any object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (inside) 10 interface
global (dmz) 1 10.165.10.141-10.165.10.220 netmask 255.255.255.0
global (dmz) 10 interface
nat (outside) 10 access-list toweb outside
nat (inside) 0 10.165.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) mail-outside edge netmask 255.255.255.255
static (inside,outside) owa-outside hub netmask 255.255.255.255
static (inside,outside) polycom-outside polycom netmask 255.255.255.255
static (dmz,outside) sdfs-outside sdfs netmask 255.255.255.255
static (dmz,outside) remacc-outside remacc netmask 255.255.255.255
static (dmz,outside) moodle-outside moodle netmask 255.255.255.255
static (dmz,outside) web-outside web netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 204.xx.xx.17 1
route inside 10.165.12.0 255.255.255.0 10.165.11.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.165.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dcc26e9b060d7cd63f415fb871aa4c50
: end

New Member

Re: 2 routers - Same LAN

Once the public DNS address had been changed over, I unplugged the PIX, changed the interface addresses on the ASA and all went well. I removed those 3 lines from the config now that they aren't needed anymore.

Thanks,

Dave

659
Views
0
Helpful
6
Replies
This widget could not be displayed.