ASA 5505 8.41 dynamic configuration NAT NAT/static

Hello

I am having some problems of configuration statements NAT on my ASA5505 which has recently been upgraded to 8.41.

I have a unique dynamic IP on the external interface of the ASA and wish that all internal hosts NAT/Pat it. In addition, I would like to have multiple ports 'sent' to internal hosts, one of which is TCP/4343. With the current configuration guests originate from the external interface correctly, but the service running on TCP/4343 is not accessible from the outside. See the output of the command below:

exit "sh run object:

network of the object DrJones
Home 10.81.220.90
network of the LAN object - 10.81.220.0
10.81.220.0 subnet 255.255.255.0

exit "sh run nat:

network of the object DrJones
NAT (inside, outside) interface static 4343 4343 tcp service
network of the LAN object - 10.81.220.0
NAT dynamic interface (indoor, outdoor)

exit "sh run access-list":

access extensive list ip 10.81.220.0 inside_access_in allow 255.255.255.0 any
outside_access_in list extended access permit icmp any any echo response
outside_access_in list extended access permit tcp any interface outside eq 4343

Any help would be appreciated, if additional information is needed please let me know and I'll post it.

Thank you in advance.

Hi Mitch,

There are two major changes between 8.3 - pre and post - 8.3.

1 NAT

2 interface Access-list.

You went directly to step 1, but have set up the pre - 8.3 outside_access_in access list.

The correct config would be:

outside_access_in list extended access permit icmp any any echo-reply //you can remove this and add inspect icmp to the overall strategy.
outside_access_in list extended access permit tcp any host 10.81.220.90 eq 4343

8.3 and above, the access list interface should have the real ip and not the ip translated.

I hope this helps.

-Shrikant

P.S.: Please check the question as answered if it was resolved. Note the useful messages. Thank you.

Tags: Cisco Security

Similar Questions

ASA 5505 IPSEC VPN connected but cannot access the local network

ASA: 8.2.5

ASDM: 6.4.5

LAN: 10.1.0.0/22

Pool VPN: 172.16.10.0/24

Hi, we purcahsed a new ASA 5505 and try to configure IPSEC VPN via ASDM; I simply run the wizards, installation vpnpool, split tunnelling, etc.

I can connect to the ASA using the cisco VPN client and internet works fine on the local PC, but it can not access the local network (can not impossible. ping remote desktop). I tried the same thing on our Production ASA(those have both Remote VPN and Site-to-site VPN working), the new profile, I created worked very well.

Here is my setup, wrong set up anything?

ASA Version 8.2 (5)

!

hostname asatest

domain XXX.com

activate 8Fw1QFqthX2n4uD3 encrypted password

g9NiG6oUPjkYrHNt encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 10.1.1.253 255.255.252.0

!

interface Vlan2

nameif outside

security-level 0

address IP XXX.XXX.XXX.XXX 255.255.255.240

!

passive FTP mode

clock timezone PST - 8

clock summer-time recurring PDT

DNS server-group DefaultDNS

domain vff.com

vpntest_splitTunnelAcl list standard access allowed 10.1.0.0 255.255.252.0

access extensive list ip 10.1.0.0 inside_nat0_outbound allow 255.255.252.0 172.16.10.0 255.255.255.0

pager lines 24

Enable logging

timestamp of the record

logging trap warnings

asdm of logging of information

logging - the id of the device hostname

host of logging inside the 10.1.1.230

Within 1500 MTU

Outside 1500 MTU

IP local pool 172.16.10.1 - 172.16.10.254 mask 255.255.255.0 vpnpool

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 0-list of access inside_nat0_outbound

NAT (inside) 1 0.0.0.0 0.0.0.0

Route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

AAA-server protocol nt AD

AAA-server host 10.1.1.108 AD (inside)

NT-auth-domain controller 10.1.1.108

Enable http server

http 10.1.0.0 255.255.252.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac

Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set

Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5

outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

Telnet timeout 5

SSH 10.1.0.0 255.255.252.0 inside

SSH timeout 20

Console timeout 0

dhcpd outside auto_config

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal group vpntest strategy

Group vpntest policy attributes

value of 10.1.1.108 WINS server

Server DNS 10.1.1.108 value

Protocol-tunnel-VPN IPSec l2tp ipsec

disable the password-storage

disable the IP-comp

Re-xauth disable

disable the PFS

IPSec-udp disable

IPSec-udp-port 10000

Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list vpntest_splitTunnelAcl

value by default-domain XXX.com

disable the split-tunnel-all dns

Dungeon-client-config backup servers

the address value vpnpool pools

admin WeiepwREwT66BhE9 encrypted privilege 15 password username

username user5 encrypted password privilege 5 yIWniWfceAUz1sUb

the encrypted password privilege 3 umNHhJnO7McrLxNQ util_3 username

tunnel-group vpntest type remote access

tunnel-group vpntest General attributes

address vpnpool pool

authentication-server-group AD

authentication-server-group (inside) AD

Group Policy - by default-vpntest

band-Kingdom

vpntest group tunnel ipsec-attributes

pre-shared-key BEKey123456

NOCHECK Peer-id-validate

!

!

privilege level 3 mode exec cmd command perfmon

privilege level 3 mode exec cmd ping command

mode privileged exec command cmd level 3

logging of the privilege level 3 mode exec cmd commands

privilege level 3 exec command failover mode cmd

privilege level 3 mode exec command packet cmd - draw

privilege show import at the level 5 exec mode command

privilege level 5 see fashion exec running-config command

order of privilege show level 3 exec mode reload

privilege level 3 exec mode control fashion show

privilege see the level 3 exec firewall command mode

privilege see the level 3 exec mode command ASP.

processor mode privileged exec command to see the level 3

privilege command shell see the level 3 exec mode

privilege show level 3 exec command clock mode

privilege exec mode level 3 dns-hosts command show

privilege see the level 3 exec command access-list mode

logging of orders privilege see the level 3 exec mode

privilege, level 3 see the exec command mode vlan

privilege show level 3 exec command ip mode

privilege, level 3 see fashion exec command ipv6

privilege, level 3 see the exec command failover mode

privilege, level 3 see fashion exec command asdm

exec mode privilege see the level 3 command arp

command routing privilege see the level 3 exec mode

privilege, level 3 see fashion exec command ospf

privilege, level 3 see the exec command in aaa-server mode

AAA mode privileged exec command to see the level 3

privilege, level 3 see fashion exec command eigrp

privilege see the level 3 exec mode command crypto

privilege, level 3 see fashion exec command vpn-sessiondb

privilege level 3 exec mode command ssh show

privilege, level 3 see fashion exec command dhcpd

privilege, level 3 see the vpnclient command exec mode

privilege, level 3 see fashion exec command vpn

privilege level see the 3 blocks from exec mode command

privilege, level 3 see fashion exec command wccp

privilege see the level 3 exec command mode dynamic filters

privilege, level 3 see the exec command in webvpn mode

privilege control module see the level 3 exec mode

privilege, level 3 see fashion exec command uauth

privilege see the level 3 exec command compression mode

level 3 for the show privilege mode configure the command interface

level 3 for the show privilege mode set clock command

level 3 for the show privilege mode configure the access-list command

level 3 for the show privilege mode set up the registration of the order

level 3 for the show privilege mode configure ip command

level 3 for the show privilege mode configure command failover

level 5 mode see the privilege set up command asdm

level 3 for the show privilege mode configure arp command

level 3 for the show privilege mode configure the command routing

level 3 for the show privilege mode configure aaa-order server

level mode 3 privilege see the command configure aaa

level 3 for the show privilege mode configure command crypto

level 3 for the show privilege mode configure ssh command

level 3 for the show privilege mode configure command dhcpd

level 5 mode see the privilege set privilege to command

privilege level clear 3 mode exec command dns host

logging of the privilege clear level 3 exec mode commands

clear level 3 arp command mode privileged exec

AAA-server of privilege clear level 3 exec mode command

privilege clear level 3 exec mode command crypto

privilege clear level 3 exec command mode dynamic filters

level 3 for the privilege cmd mode configure command failover

clear level 3 privilege mode set the logging of command

privilege mode clear level 3 Configure arp command

clear level 3 privilege mode configure command crypto

clear level 3 privilege mode configure aaa-order server

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4

: end

Captures we can see packets going from the pool to the internal LAN, but we do not reply back packages.

The routing must be such that for 172.16.10.0/24 packages should reach the inside interface of the ASA.

On client machines or your internal LAN switch, you need to add route for 172.16.10.0/24 pointing to the inside interface of the ASA.

a public access remote vpn from an inside interface asa 5505

I'm trying to see if it is possible to accomplish what I am trying. I have an ASA 5505 with the following configuration.

1. There is an external connection, connected to the ISP. Let's say that it is 10.1.1.1/24 for ease. There is a remote VPN configuration as the access of people through this interface.

2. There's the inside network, which is the normal LAN. It's cable system in the office. to say that it is 172.20.0.1/24.

3. There is a wireless network on a VLAN separate called WLAN. It has an IP of 192.168.1.1/24. There is an ACL allowing traffic to that VLAN to the public internet.

Essentially, I would like users to be able to use the same VPN settings they use when connecting from outside of the Office when you are connected to WIFI.

Also, I would like that they can access public IP addresses that I have NAT would be to internal servers. In this way, they can use IP addresses when they use on the public internet.

Is this possible?

Hello

Well that's not going to be possible, the only thing you can really do is to activate the crypto map on the WLAN facing interface, by design, you cannot not access VPN, ping or manage the device on an interface which is not directly connected to you.

I hope this helps.

Mike

ASA 5505 as internet gateway (must reverse NAT)

Hi all the Cisco guru

I have this diet:

Office-> Cisco 877-> Internet-> ASA 5505-> remote network

Office network: 192.168.10.0/24

Cisco 877 IP internal: 192.168.10.200

Cisco 877 external IP: a.a.a.a

ASA 5505 external IP: b.b.b.b

ASA 5505 internal IP: 192.168.1.3 and 192.168.17.3

Remote network: 192.168.17.0/24 and 192.168.1.0/24

VPN tunnel is OK and more. I have the Office Access to the remote network and the remote network access to the bureau by the tunnel.

But when I try to access the network remotely (there are 2 VLANS: management and OLD-private) to the internet, ASA answer me:

305013 *. * NAT rules asymetrique.64.9 matched 53 for flows forward and backward; Connection for udp src OLD-Private:192.168.17.138/59949 dst WAN:*.*.64.9/53 refused due to path failure reverse that of NAT

Ping of OLD-private interface to google result:

110003 192.168.17.2 0 66.102.7.104 0 routing cannot locate the next hop for icmp NP identity Ifc:192.168.17.2/0 to OLD-Private:66.102.7.104/0

Result of traceroute

How can I fix reverse NAT and make ASA as internet gateway?

There is my full config

!
ASA Version 8.2 (2)
!
hostname ASA2
domain default.domain.invalid
activate the encrypted password password
encrypted passwd password
names of
!
interface Vlan1
Description INTERNET
1234.5678.0002 Mac address
nameif WAN
security-level 100
IP address b.b.b.b 255.255.248.0
OSPF cost 10
!
interface Vlan2
OLD-PRIVATE description
1234.5678.0202 Mac address
nameif OLD-private
security-level 0
IP 192.168.17.3 255.255.255.0
OSPF cost 10
!
interface Vlan6
Description MANAGEMENT
1234.5678.0206 Mac address
nameif management
security-level 0
192.168.1.3 IP address 255.255.255.0
OSPF cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
Shutdown
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
Shutdown
!
interface Ethernet0/6
switchport trunk allowed vlan 2.6
switchport mode trunk
!
interface Ethernet0/7
Shutdown
!
connection of the banner * W A R N I N G *.
banner connect unauthorized access prohibited. All access is
connection banner monitored, and intruders will be prosecuted
connection banner to the extent of the law.
Banner motd * W A R N I N G *.
Banner motd unauthorised access prohibited. All access is
Banner motd monitored and trespassers will be prosecuted
Banner motd to the extent of the law.
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS domain-lookup WAN
DNS server-group DefaultDNS
Server name dns.dns.dns.dns
domain default.domain.invalid
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service RDP - tcp
RDP description
EQ port 3389 object
Access extensive list ip 192.168.17.0 LAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Standard access list LAN_IP allow 192.168.17.0 255.255.255.0
WAN_access_in list of allowed ip extended access all any debug log
WAN_access_in list extended access permitted ip OLD-private interface WAN newspaper inactive debugging interface
WAN_access_in list extended access permit tcp any object-group RDP any RDP log debugging object-group
MANAGEMENT_access_in list of allowed ip extended access all any debug log
access-list extended OLD-PRIVATE_access_in any allowed ip no matter what debug log
access-list OLD-PRIVATE_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0 inactive debug log
OLD-PRIVATE_access_in allowed extended object-group TCPUDP host 192.168.10.7 access-list no matter how inactive debug log
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.10.254 interface private OLD newspaper inactive debugging
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.17.155 interface private OLD newspaper debugging
access-list 101 extended allow host tcp 192.168.10.7 any eq 3389 debug log
Access extensive list ip 192.168.17.0 WAN_1_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
Capin list extended access permit ip host 192.18.17.155 192.168.10.7
Capin list extended access permit ip host 192.168.10.7 192.168.17.155
LAN_access_in list of allowed ip extended access all any debug log
Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Access extensive list ip 192.168.17.0 WAN_2_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0

permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
pager lines 24
Enable logging
recording of debug trap
logging of debug asdm
Debugging trace record
Debug class auth record trap
MTU 1500 WAN
MTU 1500 OLD-private
MTU 1500 management
mask 192.168.1.150 - 192.168.1.199 255.255.255.0 IP local pool VPN_Admin_IP
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP permitted host a.a.a.a WAN
ICMP deny any WAN
ICMP permitted host 192.168.10.7 WAN
ICMP permitted host b.b.b.b WAN
ASDM image disk0: / asdm - 631.bin
don't allow no asdm history
ARP timeout 14400
Global (OLD-private) 1 interface
Global interface (management) 1
NAT (WAN) 1 0.0.0.0 0.0.0.0

inside_nat0_outbound (WAN) NAT 0 access list
WAN_access_in access to the WAN interface group
Access-group interface private-OLD OLD-PRIVATE_access_in
Access-group MANAGEMENT_access_in in the management interface
Route WAN 0.0.0.0 0.0.0.0 b.b.b.185 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
local AAA authentication attempts 10 max in case of failure
Enable http server
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http b.b.b.b 255.255.255.255 WAN
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Service resetoutside
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map 1 corresponds to the address WAN_1_cryptomap
card crypto WAN_map 1 set peer a.a.a.a
WAN_map 1 transform-set ESP-DES-SHA crypto card game
card crypto WAN_map WAN interface
ISAKMP crypto enable WAN
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
the Encryption
sha hash
Group 1
life 86400
Telnet timeout 5
SSH a.a.a.a 255.255.255.255 WAN
SSH timeout 30
SSH version 2
Console timeout 0
dhcpd auto_config management
!

a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 129.6.15.28 source WAN prefer
WebVPN
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal admin group strategy
group admin policy attributes
DNS.DNS.DNS.DNS value of DNS server
Protocol-tunnel-VPN IPSec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list LAN_IP
privilege of encrypted password password username administrator 15
type tunnel-group admin remote access
tunnel-group admin general attributes
address pool VPN_Admin_IP
strategy-group-by default admin
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a general-attributes
strategy-group-by default admin
a.a.a.a group of tunnel ipsec-attributes
pre-shared-key *.
NOCHECK Peer-id-validate
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!

Thank you for your time and help

Why you use this NAT type?

Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 any
NAT (OLD-private) 0-list of access WAN_nat0_outbound

You are basically saying the ASA not NAT traffic. This private IP address range is not routed on the Internet. This traffic is destined to be sent over the Internet? If so, that LAC should then not be there.

If you want NAT traffic to one IP public outside the ASA, you must remove this line and let the NAT and GLOBAL work:

NAT (OLD-private) 1 0.0.0.0 0.0.0.0

Global (WAN) 1 interface

ASA 5505 Anyconnect traversal nat error

Good afternoon gents,

I installed an ASA 5505 and can connect with anyconnect, but when I do, I can't access my LAN, then my LAN can access my laptop. In the newspapers, I see the following error message:

Asymmetrical NAT rules matched for flows forward and backward; Connection for udp src outside;10.139.50.1/64506 dst inside 10.201.180.5/53 refused because of the failure of path opposite of that of NAT.

I can't seem to figure this point and nothing I read to try worked. Here's the relevant config, any help would be GREATLY appreciated.

interface Vlan1
nameif inside
security-level 100
IP 10.201.180.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP 67.200.133.107 255.255.255.248
!

access extensive list ip 10.139.50.0 inside_nat0_outbound allow 255.255.255.0 10.201.180.0 255.255.255.0
access extensive list ip 10.201.180.0 inside_nat0_outbound allow 255.255.255.0 10.139.50.0 255.255.255.0

mask 10.139.50.1 - 10.139.50.50 255.255.255.0 IP local pool SSLClientPool

Global 1 interface (outside)
NAT (inside) 0 inside_nat0_outbound list of outdoor access
NAT (inside) 1 0.0.0.0 0.0.0.0

Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA authentication enable LOCAL console
the ssh LOCAL console AAA authentication

Try the nat statement 0 without the keyword on the outside.

NAT (inside) 0-list of access inside_nat0_outbound

In addition,

sh run sysopt and stick out.

Manish

HOW connection NAT on ASA 5505

Hello guys

first of all, thank fully any community of cisco, they helped me a lot withouth expert and University...

Today, I have some question on NAT

We HAVE site-to-site VPN, his job very well. our company demand of patern to use the public Ip address instead of the ip address private field of encryption. and they said, you have to NAT for you the private to the PUblic ip address. really, we don't know how NAT for cisco ASA 5505.

THIS IS THE CASE

OUR COMPANY = USES CISCO ASA 5505

OUR PUBLIC IP ADDRESS: 155.155.1555.20

PRIVATE IP: 192.168.7.2 SOUND LINUX SERVER, THEN HOW WE CAN NAT THIS IP PRIVATE AND CHANGE IN PUBLIC

Thank you very much

If you have 1 public IP address and it is assigned to your ASA outside interface, then you need to configure static PAT (you will need to know what exactly they want to access and configure the specific port they need).

However, if you have a free public IP address, then you need not to know exactly what they need to get to and you can configure the linux server using the public IP to spare.

Also, they need access to the linux server using public IP via the VPN tunnel (encrypted)? or they are happy to access only via the internet (clear text)?

Strange behavior of NAT ASA 5505

Hello

We have an ASA 5505 version 9.1 (5) and we need to open port TCP 55055 firewall that redirect to TCP port 80 on ip QNAP Viostor 192.168.11.254

I added a network object in this way:

The Viostor object network

Home 192.168.11.54

Description QNAP_Viostor

NAT rule:

NAT (inside, outside) interface static service tcp 80 55055

Firewall rule:

access-list outside_access_in line 8 Note Viostor

allowed to Access-list outside_access_in line 9 extended tcp any Viostor eq 55055 object

When I try to connect with the application Android Vmobile I see that notify the journal of the ASA:

Request TCP and eliminated from MY_EXTERNAL_IP to outside:X.Y:Z.W/55055

The ASA has no server UDP which serves the UDP request

I don't understand why UDP instead of TCP.

Please help me!

Thank you

Ahmed, thanks for your replies... However're missing you something important (sw ASA version). Tracer package shows THAT NAT is not affected; and on this sw version ACL does not use external_IP or mapped IP, but the real_IP instead.

s.be00001, follow these steps:
```
object service 55055 service tcp source eq 55055object service www service tcp source www!nat (inside,outside) 1 source static Viostor interface service www 55055!access-list outside_access_in line 9 extended permit tcp any object Viostor eq www
```
Run the packet - trace and send us the results:
```
packet-tracer input outside tcp 8.8.8.8 1025 [outside interface IP] 55055 detailed
```

Configuration of Cisco ASA 5505

Hello

I have configured cisco ASA 5505, but I can't access the internet using my laptop connected to the ASA. I did not use the console, but the GUI for configuration. I changed inside of the ASA and he is 192.168.2.1. Inside, I cannot ping the outside material and outside I cannot ping the laptop connected to the ASA.

Here is my configuration:

Output from the command: 'show running-config '.

: Saved

:

ASA Version 8.2 (5)

!

hostname xxxxxxxxxxxxxxxxx

domain xxxxxxxxxxxxxxxxxxx

enable the encrypted password xxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxx encrypted passwd

names of

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

IP 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

IP 192.168.1.48 255.255.255.0

!

passive FTP mode

DNS server-group DefaultDNS

domain processia.com

outside_access_in of access allowed any ip an extended list

icmp_out_in list extended access permit icmp any one

inside_access_in of access allowed any ip an extended list

pager lines 24

asdm of logging of information

Within 1500 MTU

Outside 1500 MTU

outside_access_ipv6_in IPv6 ip access list allow a whole

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

Global 1 interface (outside)

NAT (inside) 1 0.0.0.0 0.0.0.0

inside_access_in access to the interface inside group

Access-group icmp_out_in in interface outside

Access-group outside_access_ipv6_in in interface outside

Route outside 0.0.0.0 0.0.0.0 192.168.1.48 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

Floating conn timeout 0:00:00

dynamic-access-policy-registration DfltAccessPolicy

Enable http server

http 192.168.1.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 inside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Telnet timeout 5

SSH timeout 5

Console timeout 0

dhcpd outside auto_config

!

dhcpd address 192.168.2.2 - 192.168.2.129 inside

dhcpd dns 80.10.246.2 80.10.246.129 interface inside

interface ping_timeout 5000 dhcpd inside

dhcpd xxxxxxxxxxxxxxxxx area inside interface

dhcpd allow inside

!

a basic threat threat detection

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

!

!

!

Policy-map global_policy

!

context of prompt hostname

no remote anonymous reporting call

Cryptochecksum:7e6f35db321b722ca60009b0c0dc706e

: end

Thank you for your help

Hi Sylla,

The static route that you configured for Internet access needs to be corrected:
```
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
```
The next hop address must be the IP address of your ISP gateway and not the ASA outside IP of the interface. Currently, both are set to 192.168.1.48.

-Mike

ASA 5505 Split Tunneling configured but still all traffic Tunneling

Hello

I installed an ASA 5505 running 8.3.2 and Cisco AnyConnect Client 2.5.2017.

There are the DefaultRAGroup and a newly configured Group called SplitTunnelNets.

I have 1 internal subnet (192.168.223.0/24) which has a matching ACL/AS configured on the DefaultRAGroup and the custom group policy called SSLClientPolicy.

When I start the VPN with the ASA, I can indeed reach internal resources, but when I look at the routing table, I see a new default gateway route 0.0.0.0 / 0-> 192.168.25.2 (that is in the IP pool) with a metric of 2. The default route before the start of the session AnyConnect now has a higher metric, so the 192.168.25.2 next hop is a priority.

I don't see the routes in the routing table for 192.168.223.0/24 as I expect to see. In the diagnosis of AnyConnect, I see that 0.0.0.0/0 is the policy applied to the client.

Here's my setup. Please tell me if you see something that I'm missing.

ASA 8.3 Version (2)
!
host name asa

names of
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.223.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP x.x.x.x 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system Disk0: / asa832 - k8.bin
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS lookup field inside
DNS server-group DefaultDNS
Server name 192.168.223.41
domain Labs.com
network obj_any object
subnet 0.0.0.0 0.0.0.0
vpn-client-net network object
255.255.255.0 subnet 192.168.25.0
network of the internal net object
192.168.223.0 subnet 255.255.255.0
the DM_INLINE_NETWORK_1 object-group network
internal-net network object
network-vpn-client-net object
the DM_INLINE_NETWORK_2 object-group network
internal-net network object
network-vpn-client-net object
SplitTunnelNets to access extensive ip list allow any 192.168.223.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
Within 1500 MTU
Outside 1500 MTU
mask 192.168.25.1 - 192.168.25.50 255.255.255.0 IP local pool SSLClientPool
no failover
ICMP unreachable rate-limit 1 burst-size 1
ICMP allow any inside
ASDM image disk0: / asdm - 635.bin
don't allow no asdm history
ARP timeout 14400
NAT (inside, all) static source internal-net net internal static destination vpn client vpn client-Net
!
network obj_any object
NAT dynamic interface (indoor, outdoor)
Route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
Labs-AAA protocol ldap LDAP-server
AAA-server Lab-LDAP (inside) host 192.168.223.41
Server-port 636
LDAP-base-dn dc = labs, dc = com
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn [email protected] / * /
enable LDAP over ssl
microsoft server type
Enable http server
http 192.168.223.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto ca trustpoint ASDM_TrustPoint0
registration auto

sslvpnkeypair key pair
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint1
ASDM_TrustPoint1 key pair
Configure CRL
string encryption ca ASDM_TrustPoint0 certificates

Telnet 192.168.223.0 255.255.255.0 inside
Telnet timeout 5
SSH 192.168.223.0 255.255.255.0 inside
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!

a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP 192.5.41.41 Server
NTP 192.5.41.40 Server
SSL-trust outside ASDM_TrustPoint1 point
WebVPN
allow outside
No anyconnect essentials
SVC disk0:/anyconnect-win-2.5.2017-k9.pkg 1 image
SVC disk0:/anyconnect-macosx-i386-3.0.0629-k9.pkg 2 image
Picture disk0:/anyconnect-linux-3.0.0629-k9.pkg 3 SVC
enable SVC
tunnel-group-list activate
internal SSLClientPolicy group strategy
attributes of Group Policy SSLClientPolicy
value of server DNS 192.168.223.41
VPN-tunnel-Protocol svc
Split-tunnel-policy tunnelspecified

value of Split-tunnel-network-list SplitTunnelNets

field default value Labs
split dns value Labs.com
the address value SSLClientPool pools
WebVPN
SVC Dungeon-Installer installed
attributes of Group Policy DfltGrpPolicy
value of server DNS 192.168.223.41
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list SplitTunnelNets
coyotelabs.com value by default-field
type of remote access service
type tunnel-group SSLClientProfile remote access
attributes global-tunnel-group SSLClientProfile
CoyoteLabs-LDAP authentication-server-group
Group Policy - by default-SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
allow group-alias CoyoteLabs
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:95b7ff58b54e02948a14b225eec1a990
: end

The split tunnel access list must be standard access-list, not extended access list.

You must change the following:
FROM: SplitTunnelNets access-list extended ip to allow all 192.168.223.0 255.255.255.0
To: SplitTunnelNets standard access list allows 192.168.223.0 255.255.255.0

You should be able to reconnect again and will be able to access the Internet after you set up the standard access-list split tunnel.

Hope that helps.

Cisco ASA VPN Site to Site WITH NAT inside

Hello!

I have 2 ASA 5505 related to IPSEC Tunnel VPN Site to Site.

A 192.168.1.0/24 'remotely' inside the network and a local "192.168.200.0/24' inside the network (you can see the diagram)

The local host have 192.168.200.254 as default gateway.

I can't add static route to all army and I can't add static route to 192.168.200.254.

NAT the VPN entering as 192.168.200.1 or a 192.168.200.x free to connect my host correcly?

If my host sends packet to exit to the default gateway.

Thank you for your support

Best regards

Marco

The configuration must be applied on the SAA with the 192.168.200.0 subnet it is inside, there must be something like this:

permit 192.168.1.0 ip access list VPN_NAT 255.255.255.0 192.168.200.0 255.255.255.0

NAT (outside) X VPN_NAT outside access list

Global (inside) X Y.Y.Y.Y (where the Y.Y.Y.Y) is the ip address

If you have other traffic on the vpn through the tunnel that requires no nat, then you must add external nat exemption rules since these lines above obliges all traffic through the asa to have a nat statement.

See if it works for you, else post your config nat here.

ASA IPSEC site-to-site with NAT problem

Hello

I have what I thought was a simple configuration, but I saw the questions and could use a second set of eyes.

I have a site-to-site between two locations:

Site A is 192.168.0.0/24

Site B is 192.168.4.0/24

I was requested to NAT all communications between these sites for 10.57.4.0/24 and for a single static 192.168.0.112 NAT host at 10.57.4.50.

Tunnel is running, and I can ping through the link at the end to 192.168.4.20 host; no problems. But I'm having a problem application where it will be established communications. I suspect it's the reverse NAT, but I went through the configuration several times. All NAT connections would be 10.57.4.50 address should given to 192.168.0.112, no restrictions. All connections to 192.168.4.20, should be NAT should 10.57.4.50 to transverse tunnel.

The system of site B can also ping 10.57.4.50.

Here's the running configuration:

ASA 8.3 Version (2)

!

hostname fw1

domain name

activate the password encrypted

passwd encrypted

names of

!

interface Vlan1

Description city network internal

nameif inside

security-level 100

IP 192.168.9.1 255.255.255.0

!

interface Vlan2

Description Internet Public

nameif outside

security-level 0

IP 173.166.117.186 255.255.255.248

!

interface Vlan3

DMZ (CaTV) description

nameif dmz

security-level 50

IP 192.168.2.1 255.255.255.0

!

interface Vlan5

PD Network description

nameif PDNet

security level 95

the IP 192.168.0.1 255.255.255.0

!

interface Vlan10

Description Network Infrastructure

nameif InfraNet

security-level 100

IP 192.168.10.1 255.255.255.0

!

interface Vlan13

Description wireless comments

nameif Wireless-comments

security-level 25

IP 192.168.1.1 255.255.255.0

!

interface Vlan23

nameif StateNet

security-level 75

IP 10.63.198.2 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 1,5,10,13

switchport trunk vlan 1 native

switchport mode trunk

Speed 100

full duplex

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport trunk allowed vlan 1,10,13

switchport trunk vlan 1 native

switchport mode trunk

!

interface Ethernet0/5

switchport access vlan 23

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

switchport trunk allowed vlan 1

switchport trunk vlan 1 native

switchport mode trunk

Shutdown

!

exec banner restricted access

banner restricted access connection

passive FTP mode

clock timezone IS - 5

clock to summer time EDT recurring

DNS server-group DefaultDNS

domain name

permit same-security-traffic inter-interface

network obj_any object

subnet 0.0.0.0 0.0.0.0

service of the IMAPoverSSL object

destination eq 993 tcp service

IMAP over SSL description

service of the POPoverSSL object

tcp destination eq 995 service

POP3 over SSL description

service of the SMTPwTLS object

tcp destination eq 465 service

SMTP with TLS description

network object obj - 192.168.9.20

Home 192.168.9.20

object obj-claggett-https network

Home 192.168.9.20

network of object obj-claggett-imap4

Home 192.168.9.20

network of object obj-claggett-pop3

Home 192.168.9.20

network of object obj-claggett-smtp

Home 192.168.9.20

object obj-claggett-imapoverssl network

Home 192.168.9.20

object obj-claggett-popoverssl network

Home 192.168.9.20

object obj-claggett-smtpwTLS network

Home 192.168.9.20

network object obj - 192.168.9.120

Home 192.168.9.120

network object obj - 192.168.9.119

Home 192.168.9.119

network object obj - 192.168.9.121

Home 192.168.9.121

object obj-wirelessnet network

subnet 192.168.1.0 255.255.255.0

network of the Clients_sans_fil object

subnet 192.168.1.0 255.255.255.0

object obj-dmznetwork network

Subnet 192.168.2.0 255.255.255.0

network of the FD_Firewall object

Home 74.94.142.229

network of the FD_Net object

192.168.6.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.10.0_24 object

192.168.10.0 subnet 255.255.255.0

object obj-TownHallNet network

192.168.9.0 subnet 255.255.255.0

network obj_InfraNet object

192.168.10.0 subnet 255.255.255.0

network of the NETWORK_OBJ_192.168.0.0_24 object

192.168.0.0 subnet 255.255.255.0

network of the NHDOS_Firewall object

Home 72.95.124.69

network of the NHDOS_SpotsHub object

Home 192.168.4.20

network of the IMCMOBILE object

Home 192.168.0.112

network of the NHDOS_Net object

subnet 192.168.4.0 255.255.255.0

network of the NHSPOTS_Net object

10.57.4.0 subnet 255.255.255.0

network of the IMCMobile_NAT_IP object

Home 10.57.4.50

service EmailServices object-group

Description of e-mail Exchange Services / Normal

service-object, object IMAPoverSSL

service-object, object POPoverSSL

service-object, object SMTPwTLS

the purpose of the tcp destination eq https service

the purpose of the tcp destination eq imap4 service

the purpose of the tcp destination eq pop3 service

the purpose of the tcp destination eq smtp service

object-group service DM_INLINE_SERVICE_1

service-object, object IMAPoverSSL

service-object, object POPoverSSL

service-object, object SMTPwTLS

the purpose of the tcp destination eq pop3 service

the purpose of the tcp destination eq https service

the purpose of the tcp destination eq smtp service

object-group service DM_INLINE_SERVICE_2

service-object, object IMAPoverSSL

service-object, object POPoverSSL

service-object, object SMTPwTLS

the purpose of the tcp destination eq https service

the purpose of the tcp destination eq pop3 service

the purpose of the tcp destination eq smtp service

the obj_clerkpc object-group network

PCs of the clerk Description

network-object object obj - 192.168.9.119

network-object object obj - 192.168.9.120

network-object object obj - 192.168.9.121

the TownHall_Nets object-group network

object-network 192.168.10.0 255.255.255.0

network-object object obj-TownHallNet

the DM_INLINE_NETWORK_1 object-group network

object-network 192.168.10.0 255.255.255.0

object-network 192.168.9.0 255.255.255.0

the DOS_Networks object-group network

network-object 10.56.0.0 255.255.0.0

network-object, object NHDOS_Net

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_2 any external interface

outside_access_in list extended access allowed object-group DM_INLINE_SERVICE_1 any host 192.168.9.20

StateNet_access_in list extended access permitted ip object-group obj_clerkpc one

permit access ip 192.168.0.0 scope list PDNet_access_in 255.255.255.0 192.168.10.0 255.255.255.0

PDNet_access_in list extended access allowed object IMCMobile_NAT_IP object-group DOS_Networks debug log ip

PDNet_access_in list extended access permitted ip object IMCMOBILE object-group DOS_Networks

outside_2_cryptomap extended access list permit ip DM_INLINE_NETWORK_1 object FD_Net object-group

outside_1_cryptomap extended access list permit ip object NHSPOTS_Net object-group DOS_Networks

pager lines 24

Enable logging

Test1 logging level list class debug vpn

logging of debug asdm

E-mail logging errors

address record

logging level -l errors ' address of the recipient

Within 1500 MTU

Outside 1500 MTU

MTU 1500 dmz

MTU 1500 Wireless-comments

MTU 1500 StateNet

MTU 1500 InfraNet

MTU 1500 PDNet

no failover

ICMP unreachable rate-limit 1 burst-size 1

ASDM image disk0: / asdm - 635.bin

don't allow no asdm history

ARP timeout 14400

NAT (InfraNet, outside) static static source to destination TownHall_Nets TownHall_Nets FD_Net FD_Net

NAT static TownHall_Nets TownHall_Nets destination (indoor, outdoor) static source FD_Net FD_Net

public static IMCMOBILE IMCMobile_NAT_IP destination NAT (all, outside) static source DOS_Networks DOS_Networks

!

network obj_any object

NAT static interface (indoor, outdoor)

object obj-claggett-https network

NAT (inside, outside) interface static tcp https https service

network of object obj-claggett-imap4

NAT (inside, outside) interface static tcp imap4 imap4 service

network of object obj-claggett-pop3

NAT (inside, outside) interface static tcp pop3 pop3 service

network of object obj-claggett-smtp

NAT (inside, outside) interface static tcp smtp smtp service

object obj-claggett-imapoverssl network

NAT (inside, outside) interface static tcp 993 993 service

object obj-claggett-popoverssl network

NAT (inside, outside) interface static tcp 995 995 service

object obj-claggett-smtpwTLS network

NAT (inside, outside) interface static tcp 465 465 service

network object obj - 192.168.9.120

NAT (inside, StateNet) 10.63.198.12 static

network object obj - 192.168.9.119

NAT (all, StateNet) 10.63.198.10 static

network object obj - 192.168.9.121

NAT (all, StateNet) 10.63.198.11 static

object obj-wirelessnet network

NAT (Wireless-Guest, outside) static interface

object obj-dmznetwork network

interface static NAT (all, outside)

network obj_InfraNet object

NAT (InfraNet, outside) static interface

Access-group outside_access_in in interface outside

Access-group StateNet_access_in in the StateNet interface

Access-group PDNet_access_in in interface PDNet

Route outside 0.0.0.0 0.0.0.0 173.x.x.x 1

Route StateNet 10.x.x.x 255.255.0.0 10.63.198.1 1

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

http server enable 5443

http 192.x.x.x 255.255.255.0 inside

http 7.x.x.x 255.255.255.255 outside

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown cold start

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

card crypto outside_map 1 match address outside_1_cryptomap

card crypto outside_map 1 set 72.x.x.x counterpart

map outside_map 1 set of transformation-ESP-3DES-MD5 crypto

card crypto outside_map 2 match address outside_2_cryptomap

card crypto outside_map 2 set pfs

card crypto outside_map 2 peers set 173.x.x.x

card crypto outside_map 2 game of transformation-ESP-3DES-SHA

outside_map interface card crypto outside

crypto ISAKMP allow outside

crypto ISAKMP policy 10

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 30

preshared authentication

3des encryption

md5 hash

Group 2

life 86400

Telnet 192.168.9.0 255.255.255.0 inside

Telnet timeout 5

SSH 192.168.9.0 255.255.255.0 inside

SSH timeout 5

Console timeout 0

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd lease 10800

dhcpd outside auto_config

!

dhcpd address dmz 192.168.2.100 - 192.168.2.254

dhcpd dns 8.8.8.8 8.8.4.4 dmz interface

dhcpd enable dmz

!

dhcpd address 192.168.1.100 - 192.168.1.254 Wireless-comments

dhcpd enable Wireless-comments

!

a basic threat threat detection

a statistical threat detection host number rate 2

statistical threat detection port

Statistical threat detection Protocol

Statistics-list of access threat detection

no statistical threat detection tcp-interception

NTP server 63.240.161.99 prefer external source

NTP server 207.171.30.106 prefer external source

NTP server 70.86.250.6 prefer external source

WebVPN

attributes of Group Policy DfltGrpPolicy

internal FDIPSECTunnel group strategy

attributes of Group Policy FDIPSECTunnel

VPN-idle-timeout no

Protocol-tunnel-VPN IPSec l2tp ipsec

support for username password encrypted privilege 15

tunnel-group 72.x.x.x type ipsec-l2l

72.x.x.x group of tunnel ipsec-attributes

pre-shared key *.

tunnel-group 173.x.x.x type ipsec-l2l

tunnel-group 173.x.x.x General-attributes

Group Policy - by default-FDIPSECTunnel

173.x.x.x group of tunnel ipsec-attributes

pre-shared key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns migrated_dns_map_1

parameters

message-length maximum 1024

Policy-map global_policy

class inspection_default

inspect the migrated_dns_map_1 dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

inspect the rsh

inspect the rtsp

inspect esmtp

inspect sqlnet

inspect the skinny

inspect sunrpc

inspect xdmcp

inspect the sip

inspect the netbios

inspect the tftp

inspect the icmp

!

global service-policy global_policy

192.168.9.20 SMTP server

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:ad0f9ad192c3ee212172f5b00b12ce76

: end

If you do not have access to the remote site, you participate themselves to network and compare each other configurations. You will need to make sure that they see as 10.57.4.50 192.168.0.112 and their server responds to that and NOT the 192.168.0.112.

Cisco ASA 8.4.1 address Destination NAT?

I have a situation where I have a deployed asa5505 8.4.1 running.

The customer has a mail server existing which is located on their local network and has Port configured NAT for normal mail ports, etc. 25,110,993,587.

It works very well for incoming mail and any jerky mail user off the external server or by visiting the webmail from outside the network.

However when the users within the LAN to connect through the ASA test back entering the IP address on the external Interface of the ASA, they are unable to do so.

I came up with the solution is split DNS. well does he rely on users not changing their dns servers.

I was wondering if it is possible to make a sort of NAT that rewritten traffic destined to the above ports on the external IP address to the internal LAN Ip instead.

This is probably a stupid question, but I couldn't find an answer may I use the terms wrong to get one.

In any case, I was hoping someone here could point me in the right direction.

Thank you

You can only configure DNS rewrite rewrite if you have static NAT 1 to 1, with static PAT as advised, rewriting DNS is not supported because with PAT static, it is potentially different internal IP mapping, so the DNS rewrite is not exactly at the right address.

L2l between an ASA 5505 and WatchGuard XTM330 with dynamic IP

Hi guys,.

I looked for a solution on this one but can't find inappropriate, most of the discussions were old and with dead links to the solution.

We have an ASA 5505 with static IP address on the outside and a customer who have a WatchGuard XTM330 with dynamic IP address to the outside.

Is it possible to have an L2L VPN between our ASA and the WatchGuard when he has a dynamic IP?

I have no experience on the series of WatchGuard,

so, I am very grateful for any answer!

Thanks in advance and have a nice day

BR

Robin

Hi Robin,

Here are the links you can make reference when configuring static to the dynamic VPN tunnel: -.
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-next-generation-firewalls/112075-dynamic-IPSec-ASA-router-CCP.html

This one is with Pix on the remote side, but the configuration will remain the same on the local side: -.
http://www.WatchGuard.com/docs/4-6-Firebox-CiscoPix.PDF

Kind regards
Dinesh Moudgil

PS Please rate helpful messages.

Ipsec/ipad ASA 5505 configuration

Hey had a few problems when configuring IPSEC/VPN on the asa 5505. I want to connect from the ipad with built in IPSec client...

Get these errors when I run the debug crypto isakmp

Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, username = Haq, IP = x.x.x.x, Tunnel rejected: conflicting protocols specified by tunnel-group and political group

Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, username = Haq, IP = x.x.x.x, fault QM WSF (P2 struct & 0xd5d5f3d8, mess id 0x295bc3a).

Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, username is Haq, IP = x.x.x.x, withdrawal homologous of correlator table failed, no match!

There are a lot of site-to-site vpn and ipsec vpn profiles configuration and these works very well... ?

Here is the config running sh run crypto:

Crypto ipsec transform-set of des-esp esp-md5-hmac

Crypto ipsec transform-set esp-3des esp-sha-hmac 3DES-TRANS

mode crypto ipsec transform-set 3DES-TRANS transport

Crypto ipsec transform-set AES aes - esp esp-sha-hmac

Crypto ipsec transform-set esp-3des esp-md5-hmac 3des

Crypto ipsec transform-set esp-3des esp-sha-hmac IPAD-IPSEC

Crypto ipsec transform-set IPAD IPSEC transport mode

Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

life crypto ipsec security association seconds 28800

Crypto ipsec kilobytes of life - safety 4608000 association

Crypto-map dynamic Plandent 10 set transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-AES-128-MD5 ESP-AES-256-MD5 OF THE 3des 3DES-TRANS

Crypto dynamic-map Plandent 10 the duration value of security-association seconds 84600

cryptographic kilobytes 300000 of life of the set - the security of Plandent 10 of the dynamic-map association

set of 5 IPAD-card dynamic-map crypto IPAD-IPSEC transform-set

Crypto 5 IPAD-card dynamic-plan the duration value of security-association seconds 28800

cryptographic kilobytes 4608000 life of the set - the association of security of the IPAD-card dynamic-map 5

card crypto PD_VPN 10 corresponds to the address ToGoteborg

card crypto PD_VPN 10 set peer PixGoteborg

card crypto PD_VPN 10 the transform-set value OF

card crypto PD_VPN set 10 security-association life seconds 84600

card crypto PD_VPN 10 set security-association kilobytes of life 4608000

card crypto PD_VPN 20 corresponds to the address ToMalmo

card crypto PD_VPN 20 set peer PixMalmo

card crypto PD_VPN 20 the transform-set value OF

card crypto PD_VPN 20 defined security-association life seconds 84600

card crypto PD_VPN 20 set security-association kilobytes of life 4608000

card crypto PD_VPN 30 corresponds to the address ToPlanmeca

PD_VPN 30 value crypto map peer ASA_HKI ASA_HKI_BACKUP

PD_VPN 30 value transform-set AES crypto card

card crypto PD_VPN 30 defined security-association life seconds 86400

card crypto PD_VPN 30 set security-association kilobytes of life 4608000

card crypto PD_VPN 100-isakmp dynamic ipsec Plandent

PD_VPN interface card crypto outside

crypto isakmp identity address

crypto ISAKMP allow outside

crypto ISAKMP policy 5

preshared authentication

3des encryption

sha hash

Group 2

life 86400

crypto ISAKMP policy 10

preshared authentication

aes encryption

sha hash

Group 2

lifetime 28800

crypto ISAKMP policy 30

preshared authentication

the Encryption

md5 hash

Group 2

life 86400

Anyone have tips and tricks on what may be the problem here, will be really appreciated

Thank you

Shane

Karsten, Shane,

Honestly thos MAY be from miconfig TG/GP, but I would check the full debugging of:

------

debugging cry isakmp 127

Debug aaa 100 Commons

-------

The reason for being quite a few questions, we saw some time where users were pushing class or group-AAA lock (which is the substitution of CLI).

M.

How to configure ASDM Cisco ASA 5505

I have a Cisco ASA 5505 firewall, and currently it is a command-line firewall. I want to configure ASDM so that I can use it as a Web based GUI interface.

I don't really know what to do. Can someone help me please how I can configure ASDM on my firewall.

Kind regards

Naushad Khan

Hi Naushad,

First of all, must load the image ASSDM on SAA and then use the command:

ASDM image dosk0: / asdm645.bin (if the image name is asdm645.bin)

then:

Enable http server

http 10.0.0.0 255.0.0.0 inside (if your machine is 10.0.0.0 subnet behind inside the inetrafce)

Go to the machine, open a browser and type:

https://

It will open the GUI.

Thank you

Varun

Please evaluate the useful messages.

ASA 5505 8.41 dynamic configuration NAT NAT/static

Similar Questions

Maybe you are looking for