Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5510: Changed destination object but traffic just will not go through

Hello

I have a fully functioning ASA5510.  One of the things that go through it is OWA, presently it is routed to a particular address.  I have just built a new Exchange server and I want to get OWA working.  I created a new destination object, making sure that all the major details were the same as the original object, just changing the IP address only.  I also did the same for the NAT.  I have also done the same with the two smarthost rules.

 

Now when I apply the new config, OWA and external mail is affected.  I can access OWA internally, and all I change is literally the destination point.

 

I have sat and gone through, line by line, the working and the non-working config.

 

Any ideas?

11 REPLIES
New Member

Can you show me the config

Can you show me the config about your ASA5510 ?

New Member

Sorry for the delay Walter,

Sorry for the delay Walter, which config would you like, the working or the non-working?

 

I can put the working one on, and change the font for the only different parts which is in the rules area.

New Member

Yes, put the working one on,

Yes, put the working one on, and change the font for the only different parts.

New Member

Thanks Walter, below then is

Thanks Walter, below then is the working config.  I have removed some information from it and put the whole section of the rules that were changed in red.

 

: Saved

:

ASA Version 8.4(3)

!

hostname TAAS-FW-HH-01

domain-name domain.local

enable password N5MzNpZasdasdadadM.GwZSfSB encrypted

passwd 2KFQnbNIdasdasdadaI.2KYOU encrypted

names

!

interface Ethernet0/0

 nameif WAN-HH-0

 security-level 0

 ip address x.x.x.243 255.255.255.240

!

interface Ethernet0/1

 nameif WAN-HH-1

 security-level 0

 pppoe client vpdn group PPPoE-GROUP

 ip address pppoe

!

interface Ethernet0/2

 nameif DMZ-HH

 security-level 50

 ip address 10.0.1.1 255.255.255.0

!

interface Ethernet0/3

 nameif LAN-HH

 security-level 100

 ip address 10.1.0.1 255.255.255.0

!

interface Management0/0

 nameif management

 security-level 100

 ip address 10.1.1.1 255.255.255.0

 management-only

!

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup WAN-HH-0

dns domain-lookup WAN-HH-1

dns domain-lookup DMZ-HH

dns domain-lookup LAN-HH

dns domain-lookup management

dns server-group DefaultDNS

 name-server 10.1.0.41

 domain-name domain.local

object network EXT-IP-HH4-244

 host x.x.x..244

 description EXT-IP-HH4-244 FOR NAT

object network RTR-HH

 host x.x.x..241

 description RTR-HH

object network EXT-IP-HH2-242

 host x.x.x..242

 description EXT-IP-HH2-242 FOR EXCHANGE SBS

object network WNAASBS

 host 10.1.0.30

 description WNAASBS

object network LAN-FUNDRAISING

 subnet 10.3.0.0 255.255.255.0

 description LAN-FUNDRAISING

object network LAN-HH

 subnet 10.1.0.0 255.255.255.0

 description LAN-HH

object network EXT-IP-RET

 host 80.229.161.185

 description EXT-IP-RET

object network LAN-RET

 subnet 10.2.0.0 255.255.255.0

 description LAN-RET

object network EXT-IP-COV1-130

 host 213.120.84.130

 description EXT-IP-COV1-130

object network LAN-COV

 subnet 10.4.0.0 255.255.255.0

 description LAN-COV

object network EXT-IP-DLR

 host 81.130.196.105

 description EXT-IP-DLR

object network LAN-DLR

 subnet 10.5.0.0 255.255.255.0

 description LAN-DLR

object network EXT-IP-HH5-245

 host x.x.x..245

 description EXT-IP-HH5-245 FOR FS

object network TAAS-FSP-HH-01

 host 10.0.1.10

 description TAAS-FSP-HH-01

object network EXT-IP-HH6-246

 host x.x.x..246

 description EXT-IP-HH6-246 FOR SSLVPN

object network EXT-IP-HH3-243

 host x.x.x..243

 description EXP-IP-HH3-243

object network LAN-LON

 subnet 10.6.0.0 255.255.255.0

 description LAN-LON

object network Supplier2-1-66.197.193.197

 host 66.197.193.197

 description Supplier2-1-66.197.193.197

object network Supplier2-2-92.48.99.0-mask-255.255.255.192

 subnet 92.48.99.0 255.255.255.192

 description Supplier2-2-92.48.99.0-mask-255.255.255.192

object network Supplier2-3-195.72.35.96-mask-255.255.255.240

 subnet 195.72.35.96 255.255.255.240

 description Supplier2-3-195.72.35.96-mask-255.255.255.240

object network Supplier2-4-95.154.198.192

 subnet 95.154.198.192 255.255.255.192

 description Supplier2-4-95.154.198.192

object network EXT-IP-HH14-254

 host x.x.x..254

 description EXT-IP-HH14-254

object network PANASONIC-PBX-IP

 host 10.1.0.80

 description PANASONIC-PBX-IP

object network SUPPLIER1-FIXED-IP

 host 81.137.210.17

 description SUPPLIER1-FIXED-IP

object network TAAS-DC-HH-01

 host 10.1.0.16

 description TAAS-DC-HH-01

object network TAAS-EX-HH-01

 host 10.1.0.20

 description TAAS-EX-HH-01

object network TAAS-FP-HH-01A

 host 10.1.0.18

 description TAAS-FP-HH-01A

object network Supplier3

 subnet 10.0.0.0 255.255.0.0

 description Supplier3

object network Supplier3IP

 host 87.84.167.147

 description Supplier3IP

object network LAN-RITM

 subnet 10.71.139.0 255.255.255.0

 description Translated LAN address for Supplier3

object network Supplier2_New1

 subnet 5.172.153.128 255.255.255.128

 description New Supplier2 5.172.153.128

object network Supplier2_New2

 host 5.172.153.233

 description Supplier2_New2   5.172.153.233

object network Supplier2_New3

 range 5.172.153.150 5.172.153.160

 description Supplier2_New3   5.172.153.150-160

object network Supplier2_New5

 range 5.172.153.230 5.172.153.235

 description Supplier2_New5  5.172.153.230-235

object network LAN-LF

 subnet 10.177.163.0 255.255.255.0

object network TAAS-SP-APP-01

 host 10.1.0.45

 description Sharepoint

object network SSL-VPN

 host 10.1.0.7

object network NETWORK_OBJ_10.1.0.192_26

 subnet 10.1.0.192 255.255.255.192

object network LF

 host 92.234.12.53

object service http

 service tcp source eq www destination eq www

 description http

object network 10.1.0.45

 host 10.1.0.45

object network TAAS-EX-HH

 host 10.1.0.31

 description TAAS-EX-HH

object network 187.72.55.177

 host 187.72.55.177

object network 92.51.156.106

 host 92.51.156.106

object-group protocol DM_INLINE_PROTOCOL_1

 protocol-object ip

 protocol-object icmp

object-group network DM_INLINE_NETWORK_2

 network-object 10.0.1.0 255.255.255.0

 network-object object LAN-HH

object-group network Supplier2-SMTP

 description Supplier2-SMTP

 network-object object Supplier2-1-66.197.193.197

 network-object object Supplier2-2-92.48.99.0-mask-255.255.255.192

 network-object object Supplier2-3-195.72.35.96-mask-255.255.255.240

 network-object object Supplier2-4-95.154.198.192

object-group service PANASONIC-PBX tcp-udp

 description PANASONIC-PBX

 port-object eq 35300

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group service DM_INLINE_SERVICE_1

 service-object tcp-udp destination eq domain

 service-object tcp destination eq www

 service-object tcp destination eq https

 service-object udp destination eq ntp

object-group network New_Supplier2_SMTP

 description New Supplier2 Group

 network-object object Supplier2_New1

 network-object object Supplier2_New2

 network-object object Supplier2_New3

 network-object object Supplier2_New5

 network-object object LF

object-group service DM_INLINE_TCP_1 tcp

 port-object eq www

 port-object eq https

object-group protocol DM_INLINE_PROTOCOL_2

 protocol-object ip

 protocol-object udp

 protocol-object tcp

 group-object TCPUDP

object-group network Malicious_IP_Addresses

 network-object object 187.72.55.177

 network-object object 92.51.156.106

access-list WAN-HH-0_access extended permit tcp any object WNAASBS eq https log debugging

access-list WAN-HH-0_access extended permit object-group TCPUDP object SUPPLIER1-FIXED-IP object PANASONIC-PBX-IP object-group PANASONIC-PBX

access-list WAN-HH-0_access extended permit tcp any object TAAS-FSP-HH-01 eq https

access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object WNAASBS eq smtp log debugging

access-list WAN-HH-0_access extended permit icmp any object-group DM_INLINE_NETWORK_2 echo-reply inactive

access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object WNAASBS eq smtp log debugging

access-list WAN-HH-0_access extended permit tcp any object TAAS-SP-APP-01 object-group DM_INLINE_TCP_1 log

access-list WAN-HH-0_access extended permit tcp any object SSL-VPN eq https

access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object TAAS-EX-HH eq smtp log debugging inactive

access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object TAAS-EX-HH eq smtp inactive

access-list WAN-HH-0_access extended permit tcp any eq https object TAAS-EX-HH eq https log debugging inactive

 

(The below part is the full section of that above with the new rules.  This is the only thing that is different between the two running config files)

access-list WAN-HH-0_access extended permit tcp any object WNAASBS eq https log debugging inactive

access-list WAN-HH-0_access extended permit object-group TCPUDP object SUPPLIER1-FIXED-IP object PANASONIC-PBX-IP object-group PANASONIC-PBX

access-list WAN-HH-0_access extended permit tcp any object TAAS-FSP-HH-01 eq https

access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object WNAASBS eq smtp log debugging inactive

access-list WAN-HH-0_access extended permit icmp any object-group DM_INLINE_NETWORK_2 echo-reply inactive

access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object WNAASBS eq smtp log debugging inactive

access-list WAN-HH-0_access extended permit tcp any object TAAS-SP-APP-01 object-group DM_INLINE_TCP_1 log

access-list WAN-HH-0_access extended permit tcp any object SSL-VPN eq https

access-list WAN-HH-0_access extended permit tcp object-group Supplier2-SMTP object TAAS-EX-HH eq smtp log debugging

access-list WAN-HH-0_access extended permit tcp object-group New_Supplier2_SMTP object TAAS-EX-HH eq smtp

access-list WAN-HH-0_access extended permit tcp any object TAAS-EX-HH eq https log debugging

 

access-list WAN-HH-0_cryptomap extended permit ip object LAN-HH object LAN-RET

access-list WAN-HH-0_cryptomap_2 extended permit ip object LAN-HH object LAN-COV

access-list WAN-HH-0_cryptomap_3 extended permit ip object LAN-HH object LAN-DLR

access-list DMZ-HH_access_in extended permit tcp object TAAS-FSP-HH-01 object TAAS-FP-HH-01A eq https

access-list DMZ-HH_access_in extended permit object-group DM_INLINE_SERVICE_1 object TAAS-FSP-HH-01 any

access-list DMZ-HH_access_in extended deny object-group DM_INLINE_PROTOCOL_1 any any inactive

access-list WAN-HH-0_cryptomap_5 extended permit ip object LAN-HH object LAN-RET

access-list WAN-HH-1_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log

pager lines 24

logging enable

logging asdm informational

mtu WAN-HH-0 1500

mtu WAN-HH-1 1500

mtu DMZ-HH 1500

mtu LAN-HH 1500

mtu management 1500

ip local pool VPNAddresses 10.1.0.200-10.1.0.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-FUNDRAISING LAN-FUNDRAISING no-proxy-arp route-lookup

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-RET LAN-RET no-proxy-arp route-lookup

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-COV LAN-COV no-proxy-arp route-lookup

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-DLR LAN-DLR no-proxy-arp route-lookup

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LON LAN-LON no-proxy-arp route-lookup

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-RITM destination static Supplier3 Supplier3

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LF LAN-LF

nat (LAN-HH,WAN-HH-0) source static any any destination static NETWORK_OBJ_10.1.0.192_26 NETWORK_OBJ_10.1.0.192_26 no-proxy-arp route-lookup

!

object network WNAASBS

 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242

object network TAAS-FSP-HH-01

 nat (DMZ-HH,WAN-HH-0) static EXT-IP-HH5-245

object network PANASONIC-PBX-IP

 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH14-254

object network SSL-VPN

 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH6-246

object network 10.1.0.45

 nat (LAN-HH,WAN-HH-0) static interface service tcp www www

object network TAAS-EX-HH

 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242

!

nat (DMZ-HH,WAN-HH-0) after-auto source dynamic any EXT-IP-HH5-245 dns

nat (LAN-HH,WAN-HH-0) after-auto source dynamic any interface

access-group WAN-HH-0_access in interface WAN-HH-0

access-group WAN-HH-1_access_in in interface WAN-HH-1

access-group DMZ-HH_access_in in interface DMZ-HH

route WAN-HH-0 0.0.0.0 0.0.0.0 x.x.x..241 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.1.1.0 255.255.255.0 management

http 10.1.0.0 255.255.255.0 LAN-HH

http 195.171.184.58 255.255.255.255 WAN-HH-0

http 10.177.163.0 255.255.255.0 LAN-HH

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

 protocol esp encryption des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

 protocol esp encryption 3des

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

 protocol esp encryption aes

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

 protocol esp encryption aes-192

 protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

 protocol esp encryption aes-256

 protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 1 match address WAN-HH-0_cryptomap

crypto map WAN-HH-0_map 1 set peer.110

crypto map WAN-HH-0_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map WAN-HH-0_map 2 match address WAN-HH-0_cryptomap_2

crypto map WAN-HH-0_map 2 set pfs

crypto map WAN-HH-0_map 2 set peer.130

crypto map WAN-HH-0_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map WAN-HH-0_map 2 set nat-t-disable

crypto map WAN-HH-0_map 4 match address WAN-HH-0_cryptomap_3

crypto map WAN-HH-0_map 4 set peer 105

crypto map WAN-HH-0_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map WAN-HH-0_map 6 match address WAN-HH-0_cryptomap_5

crypto map WAN-HH-0_map 6 set peer 78.154.108.110

crypto map WAN-HH-0_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN-HH-0_map 6 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map WAN-HH-0_map 6 set ikev2 pre-shared-key xxxxxxx

crypto map WAN-HH-0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map WAN-HH-0_map interface WAN-HH-0

crypto ca trustpoint _SmartCallHome_ServerCA

 crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

 certificate TOOK THIS OUT AS WAY TOO MUCH TEXT

  quit

crypto ikev2 policy 1

 encryption aes-256

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 10

 encryption aes-192

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 20

 encryption aes

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 30

 encryption 3des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 policy 40

 encryption des

 integrity sha

 group 5 2

 prf sha

 lifetime seconds 86400

crypto ikev2 enable WAN-HH-0

crypto ikev2 enable WAN-HH-1

crypto ikev1 enable WAN-HH-0

crypto ikev1 enable WAN-HH-1

crypto ikev1 policy 10

 authentication crack

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 20

 authentication rsa-sig

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 30

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 40

 authentication crack

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 50

 authentication rsa-sig

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 60

 authentication pre-share

 encryption aes-192

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 70

 authentication crack

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 80

 authentication rsa-sig

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 90

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 100

 authentication crack

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 110

 authentication rsa-sig

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 120

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 130

 authentication crack

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 140

 authentication rsa-sig

 encryption des

 hash sha

 group 2

 lifetime 86400

crypto ikev1 policy 150

 authentication pre-share

 encryption des

 hash sha

 group 2

 lifetime 86400

telnet timeout 5

ssh x.x.x.58 x.255.255.255 WAN-HH-0

ssh x.x.x.x 255.255.255.255 WAN-HH-0

ssh x.x.0.0 255.255.255.0 LAN-HH

ssh timeout 5

console timeout 0

management-access LAN-HH

vpdn group PPPoE_GROUP request dialout pppoe

vpdn group PPPoE_GROUP localname login

vpdn group PPPoE_GROUP ppp authentication chap

vpdn group PPPoE-GROUP request dialout pppoe

vpdn group PPPoE-GROUP localname login

vpdn group PPPoE-GROUP ppp authentication chap

vpdn username login password password

dhcpd address xx.x.x.-x.x.x.x. management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port number-of-rate 3

threat-detection statistics protocol number-of-rate 3

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server x.x.x.x source LAN-HH prefer

ntp server 80.87.128.243 source WAN-HH-0

webvpn

 enable WAN-HH-1

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

 dns-server value 1x.x.x.x

 vpn-tunnel-protocol l2tp-ipsec

 default-domain value domain.local

group-policy TestIPSECTunnel internal

group-policy TestIPSECTunnel attributes

 dns-server value x.x.x.x

 vpn-tunnel-protocol ikev1

 default-domain value x.x.uk

group-policy DfltGrpPolicy attributes

 dns-server value x.x.x.x

 webvpn

  url-list value Links

group-policy GroupPolicy_147 internal

group-policy GroupPolicy_.147 attributes

 vpn-tunnel-protocol ikev1

group-policy GroupPolicy_105 internal

group-policy GroupPolicy_105 attributes

 vpn-tunnel-protocol ikev1 ikev2

group-policy GroupPolicy_130 internal

group-policy GroupPolicy_130 attributes

 vpn-tunnel-protocol ikev1 ikev2

username user password password privilege 0

username user attributes

 vpn-group-policy DfltGrpPolicy

username user2 password passwordy encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

 address-pool VPNAddresses

 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

 ikev1 pre-shared-key xxxxxxxx

tunnel-group DefaultRAGroup ppp-attributes

 authentication pap

 no authentication ms-chap-v1

 authentication ms-chap-v2

tunnel-group 10 type ipsec-l2l

tunnel-group110 ipsec-attributes

 ikev1 pre-shared-key

 ikev2 remote-authentication pre-shared-key

 ikev2 local-authentication pre-shared-key

tunnel-group 147 type ipsec-l2l

tunnel-group 147 general-attributes

 default-group-policy GroupPolicy_87.84.164.147

tunnel-group 147 ipsec-attributes

 ikev1 pre-shared-key

 ikev2 remote-authentication pre-shared-key

 ikev2 local-authentication pre-shared-key

tunnel-group.130 type ipsec-l2l

tunnel-group.130 general-attributes

 default-group-policy GroupPolicy_213.120.84.130

tunnel-group 130 ipsec-attributes

 ikev1 pre-shared-key

 ikev2 remote-authentication pre-shared-key

 ikev2 local-authentication pre-shared-key

tunnel-group 105 type ipsec-l2l

tunnel-group 105 general-attributes

 default-group-policy GroupPolicy_81.130.196.105

tunnel-group.105 ipsec-attributes

 ikev1 pre-shared-key xxxxxxx

 ikev2 remote-authentication pre-shared-key xxxxxxx

 ikev2 local-authentication pre-shared-key xxxxxxx

tunnel-group TestIPSECTunnel type remote-access

tunnel-group TestIPSECTunnel general-attributes

 address-pool VPNAddresses

 default-group-policy TestIPSECTunnel

tunnel-group TestIPSECTunnel ipsec-attributes

 ikev1 pre-shared-key xxxxxxx

tunnel-group SSLVPN type remote-access

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

 class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

hpm topN enable

Cryptochecksum:994038sdgfaefg cesrtsegse55fd0239

: end

no asdm history enable

 

New Member

What does it mean "debugging

What does it mean "debugging inactive" in access-list command ?

New Member

I turned up the logged to

I turned up the logged to debugging and inactive is where I have disabled the rule as that was pointing to the old address

you need to do clea xlateclea

you need to do 

clea xlate

clea conn

after changing config

 

and dont forget to rate posts

New Member

Thanks Tagir, before I run

Thanks Tagir, before I run these commands, can you just tell me what they do??  

New Member

Hi Tagir I had chance to do

Hi Tagir

 

I had chance to do this over the weekend and it still would not redirect it.

 

Any more ideas?

New Member

So I did a show run nat today

So I did a show run nat today and I got the below, what I do notice is that the new rule is WAN/LAN as opposed to the old rule being LAN/WAN.  Will this make a difference as it should be bi-directional?

 

Result of the command: "show run nat"

nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-FUNDRAISING LAN-FUNDRAISING no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-RET LAN-RET no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-COV LAN-COV no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-DLR LAN-DLR no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LON LAN-LON no-proxy-arp route-lookup
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-RITM destination static Equanet Equanet
nat (LAN-HH,WAN-HH-0) source static LAN-HH LAN-HH destination static LAN-LF LAN-LF
nat (LAN-HH,WAN-HH-0) source static any any destination static NETWORK_OBJ_10.1.0.192_26 NETWORK_OBJ_10.1.0.192_26 no-proxy-arp route-lookup
!
object network EXT-IP-HH2-242
 nat (WAN-HH-0,LAN-HH) static TAAS-EX-HH
object network WNAASBS
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
object network TAAS-FSP-HH-01
 nat (DMZ-HH,WAN-HH-0) static EXT-IP-HH5-245
object network PANASONIC-PBX-IP
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH14-254
object network SSL-VPN
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH6-246
object network 10.1.0.45
 nat (LAN-HH,WAN-HH-0) static interface service tcp www www 
object network TAAS-EX-HH
 nat (LAN-HH,WAN-HH-0) static EXT-IP-HH2-242
!
nat (DMZ-HH,WAN-HH-0) after-auto source dynamic any EXT-IP-HH5-245 dns
nat (LAN-HH,WAN-HH-0) after-auto source dynamic any interface

New Member

Do I need to think about

Do I need to think about clear ip nat translation

 

 

60
Views
0
Helpful
11
Replies
CreatePlease login to create content