ASA 9.1 NAT: nat under "object network" vs standalone nat command
Hey guys,
I'm setting up a few new 5515-X ASAs.
Are there major differences between the two NAT syntax methods? They both seem to work in a lab environment. I find that the first method is the one mentioned in the Cisco documentation for one-to-one static NAT, however.
Method 1:
object network Test-DMZ-Server_EXT
 host 172.25.1.2
object network LOCAL-RANGE_EXT
 host 172.17.1.2
object network LOCAL-RANGE
 host 192.168.10.2
 nat (inside,outside) static LOCAL-RANGE_EXT
object network Test-DMZ-Server
 host 192.168.199.2
 nat (DMZ,any) static Test-DMZ-Server_EXT
object network ANY
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
Method 2:
object network LOCAL-RANGE
 host 192.168.10.2
object network Test-DMZ-Server
 host 192.168.199.2
object network Test-DMZ-Server_EXT
 host 172.25.1.2
object network LOCAL-RANGE_EXT
 host 172.17.1.2
nat (DMZ,any) source static Test-DMZ-Server Test-DMZ-Server_EXT
nat (inside,outside) source static LOCAL-RANGE LOCAL-RANGE_EXT
nat (any,outside) source dynamic any interface
Thank you
Hello
Both configuration formats can achieve the same thing.
The first is Auto NAT / Object Network NAT, where the user configures the complete "nat" configuration under the created "object". Generally, this configuration format is used to configure at least Static NAT, Static PAT, Dynamic NAT and Dynamic PAT.
The second configuration is Twice NAT / Manual NAT, which uses separate "object" and "object-group" configurations to list the real/mapped addresses in the NAT configurations. This "nat" configuration is not located under the objects but rather uses them. Generally, this configuration format is used to configure NAT0 or Policy NAT type configurations.
While the two configurations achieve the same thing, there is a big difference between them. In the new NAT configuration format introduced in 8.3, NAT configurations are divided into 3 Sections which set their priority in the "nat" configuration.
They are as follows
- Section 1 = Manual NAT / Twice NAT
- Section 2 = Auto NAT / Object Network NAT
- Section 3 = Manual NAT / Twice NAT
- an added parameter "after-auto" is required to move a configuration to this Section 3
So depending on which format you use, you might find yourself overriding some other configuration by inserting a Section 1 configuration (which is what you are doing by using the Manual NAT / Twice NAT configuration format). Well, I would say that it becomes a problem only in some situations in simple firewall configurations. I would say that the most common problem here on the forums is usually when a user has configured a Dynamic PAT in Section 1 and a Static PAT (Port Forward) in Section 2, and uses the same public IP as the PAT address for both. This creates a situation where all traffic from external networks hits the Dynamic PAT configuration in Section 1 rather than any Static PAT configuration in Section 2.
Another big difference between Auto NAT and Manual NAT is the fact that Auto NAT only does source address translation (which may seem odd depending on which side you are looking at the situation from), while Manual NAT can do the translation for both the source and destination IP address. But as you are configuring static NAT, it doesn't really matter. Both NAT formats can achieve the same thing.
Ultimately nothing prevents you from doing just about everything using Section 1 Manual NAT if you wanted to. You could set up whatever type of NAT you wanted in this section alone and not use Auto NAT at all if that was your wish. But I would say that's not advisable, and even less so if you have a large NAT configuration.
My personal suggestion in brief is as follows
- Section 1 = use for NAT0 type configurations and Static/Dynamic Policy NAT, as these configurations are usually intended to override the typical NAT configurations.
- Section 2 = use for Static NAT and Static PAT, as this provides the simpler configuration format for the mentioned configurations and they are still quite high in priority being in Section 2. Manual NAT configuration would require several "object" configurations to achieve the same.
- Section 3 = place all your Dynamic NAT/PAT or NAT + PAT configurations here, because this should be the last NAT configuration a connection must match in all cases when there is nothing specifically configured for the hosts.
I find that with the above way you keep your NAT configuration much more separated and know what is where. The configuration is also a little less cluttered when the configurations are not in the same Section.
If you want to read more about the new NAT configuration format you can check out a document I wrote here in 2013. It also includes the things I mentioned above.
https://supportforums.Cisco.com/document/132066/ASA-NAT-83-NAT-operation...
You can of course ask here in this discussion if you want :)
Remember to mark a reply as the answer if it answered your question.
Hope this helps :)
-Jouni
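The Section 1 / 2 / 3 ordering and the overlap Jouni describes (a Dynamic PAT in Section 1 sharing its mapped address with a Static PAT in Section 2) can be checked mechanically before a config is pushed. The following Python script is an added example written for this page; it is not Jouni's code and not a Cisco tool. It parses both syntaxes from the question (the object and interface names follow the thread; the WEB-SERVER port forward on 192.168.10.10 is constructed), lists the rules in the order the ASA evaluates them, and reports the overlap. Within Section 2 only the static-before-dynamic ordering is modelled; the ASA's further tie-breaking by address count and object name is left out.

```python
"""Order ASA 8.3+ NAT rules by section and flag a Section 1 / Section 2 overlap.
Added example for this page; not Jouni's code and not a Cisco tool."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# nat (REAL_IF,MAPPED_IF) <rest of line>
NAT_RE = re.compile(r"^nat\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s*(.*)$", re.I)
OBJ_RE = re.compile(r"^object network (\S+)$", re.I)


@dataclass
class NatRule:
    section: int          # 1 = Manual NAT, 2 = Auto NAT (object), 3 = Manual NAT after-auto
    real_if: str
    mapped_if: str
    kind: str             # "static" or "dynamic"
    mapped: str           # mapped source: object name, address or "interface"
    port_forward: bool    # static rule carrying a "service" clause (Static PAT)
    text: str
    obj: Optional[str] = None


def parse_nat(config: str) -> List[NatRule]:
    """Collect Auto NAT (nat under 'object network') and Manual NAT
    (standalone 'nat ... source ...') rules from ASA 8.3+ style config text."""
    rules, current_obj = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := OBJ_RE.match(line):
            current_obj = m.group(1)
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        real_if, mapped_if, rest = m.groups()
        words = rest.split()
        if len(words) < 2:
            continue
        if words[0].lower() in ("static", "dynamic"):
            # Auto NAT: nat (r,m) static|dynamic MAPPED [service PROTO REAL MAPPED]
            kind = words[0].lower()
            rules.append(NatRule(2, real_if, mapped_if, kind, words[1],
                                 kind == "static" and "service" in words, line, current_obj))
            continue
        # Manual NAT: nat (r,m) [LINE] [after-auto] source static|dynamic REAL MAPPED ...
        section, i = 1, 0
        if words[i].isdigit():
            i += 1
        if i < len(words) and words[i].lower() == "after-auto":
            section, i = 3, i + 1
        if i + 3 >= len(words) or words[i].lower() != "source":
            continue
        kind = words[i + 1].lower()
        rules.append(NatRule(section, real_if, mapped_if, kind, words[i + 3],
                             kind == "static" and "service" in words, line))
    return rules


def evaluation_order(rules: List[NatRule]) -> List[NatRule]:
    """Section 1, then Section 2 (static rules before dynamic), then Section 3."""
    by_sec = {1: [], 2: [], 3: []}
    for r in rules:
        by_sec[r.section].append(r)
    by_sec[2].sort(key=lambda r: r.kind != "static")   # stable sort keeps config order otherwise
    return by_sec[1] + by_sec[2] + by_sec[3]


def find_shadowed_port_forwards(rules: List[NatRule]) -> List[Tuple[NatRule, NatRule]]:
    """(Section 1 dynamic rule, Section 2 static PAT) pairs sharing the same mapped
    interface and mapped address: inbound traffic meets the Section 1 rule first."""
    return [(d, s)
            for d in rules if d.section == 1 and d.kind == "dynamic"
            for s in rules if s.section == 2 and s.port_forward
            and (s.mapped_if, s.mapped) == (d.mapped_if, d.mapped)]


# Constructed inputs: METHOD_1 is the Auto NAT config from the question;
# SHADOWED adds a constructed port forward next to a Section 1 dynamic PAT.
METHOD_1 = """\
object network Test-DMZ-Server_EXT
 host 172.25.1.2
object network LOCAL-RANGE
 host 192.168.10.2
 nat (inside,outside) static LOCAL-RANGE_EXT
object network Test-DMZ-Server
 host 192.168.199.2
 nat (DMZ,any) static Test-DMZ-Server_EXT
object network ANY
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
"""
SHADOWED = """\
object network WEB-SERVER
 host 192.168.10.10
 nat (inside,outside) static interface service tcp 80 80
nat (inside,outside) source dynamic any interface
"""
FIXED = SHADOWED.replace("nat (inside,outside) source", "nat (inside,outside) after-auto source")

if __name__ == "__main__":
    for label, cfg in (("Method 1", METHOD_1), ("shadowed", SHADOWED), ("fixed", FIXED)):
        print(f"== {label}")
        for r in evaluation_order(parse_nat(cfg)):
            print(f"  Section {r.section}: {r.text}")
        for d, s in find_shadowed_port_forwards(parse_nat(cfg)):
            print(f"  WARNING: '{d.text}' is evaluated before port forward '{s.text}'")
```

Running it shows the three Method 1 rules all in Section 2 with the two statics ahead of the dynamic, a warning for the SHADOWED config, and no warning once "after-auto" moves the dynamic PAT into Section 3, which is exactly the placement recommended in the reply.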
Similar Questions
-
I'm doing a VPN tunnel between an IOS router and an ASA 5505. The ASA has a dynamic IP address.
Everything would be ok, but I don't understand NAT in the ASA's new commands. Can you tell me how to convert it to version 8.3-4?
access-list no-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
I am using this link
http://www.Cisco.com/c/en/us/support/docs/security/PIX-500-series-Securi...
Thanks for any help.
Take a look at the document, where you can find almost everything on the new NAT model:
Especially "NAT0 / NAT Exemption / Identity NAT" in the part "TWICE-NAT-MANUAL-NAT" is relevant for this task.
-
CSCue51351 - ASA NAT huge config causes traceback because of the unbalanced tree p3
Hi ASA experts
CSCue51351 - ASA NAT huge config causes traceback because of the unbalanced tree p3
I want to know how huge?
Below, the condition of this DDTS is SSP60.
----------------------
Symptom:
ASA running current code 8.4(4)9 can generate a traceback with thread name DATAPATH-7-2315 and reload.
Conditions:
Seen on ASA5585-SSP-60 running in a failover environment.
Workaround:
None
----------------------
SSP60 can handle up to 10 000 000 concurrent sessions.
Is it more than 10 000 000 concurrent sessions?
Kind regards.
Word
Hello Word,
This defect does not relate to the number of concurrent sessions.
Instead, this defect comes into play if you have a large number of NAT or ACL statements (say 25k+) which you change while at the same time the unit is processing a large number of new connections per second (say 20k+); then there is the possibility of hitting this issue.
Sincerely,
David.
-
Range option on ASA 5510 - object-group
Hello
I have 3 ASA 5510s; two of them are in production and the 3rd is new. I inherited the two in production and was trying to set up this 3rd one using some of the existing network object-group statements. The problem is that when I try to create a range of IP addresses in one of the object groups, the range command is not available. One of the statements extracted from one of the production ASAs:
object network REMOTE
 range 62.77.130.14 62.77.130.208
The two ASAs have the same firmware image (asa842-k8). Is there something I'm missing to enable the range option on the new ASA?
Thanks in advance,
~ sK
Hello
Are you sure that the new ASA booted the new 8.4(2) software?
There are
- object-group network
- accepts network and host addresses under it
- object network
- accepts subnet, range and host addresses under it
The "object network" configuration became available in 8.3 software. Before that, in software 8.2 and earlier, only "object-group network" (and the other types of object groups) existed.
Maybe you have several boot images on the new ASA and it's actually still booting the old software?
What does "show boot" show?
If it lists both the command for the old and the new software, then delete the old "boot system" command, save the configuration and reboot.
I hope the above information was useful
-Jouni
-
Hello
I have a question about NAT and routing on the ASA. I'm relatively new to the ASA and don't know if this works or not. I have a pool of public IPs (209.x.x.x/28) that my ISP routes to the outside interface of my ASA. The IP address assigned to the outside of the ASA is 206.x.x.2/24 with a default GW of 206.x.x.1. I intend to use NAT to allow my web/mail servers on the DMZ (192.168.x.x) to use 209.x.x.x addresses. However, I don't know how to make it work since I'm not ARPing on any interface for 209.x.x.x addresses, as they will be sent to the 206.x.x.2 address by the ISP. Can I just set up a NAT translation (on the outside interface?) of the 209.x.x.x to the 192.168.x.x addresses and the ASA will figure it out?
Thanks for the help.
Todd
The ASA will figure it out; it will answer ARP queries for everything it has set up in a "static" command. As long as the ISP routes 209.x.x.x directly to the ASA address, it should all work fine.
You just need to add lines like the following:
static (dmz,outside) 209.x.x.x 192.168.x.x netmask 255.255.255.255
for each of your internal servers in the DMZ. Then an access-list to allow only HTTP/SMTP/etc. through to these 209.x.x.x addresses:
access-list inbound permit tcp any host 209.x.x.x eq smtp
access-list inbound permit tcp any host 209.y.y.y eq http
access-group inbound in interface outside
-
Hi all
Please, I need to be clear on one point:
is
static (Inside,Outside) 10.10.10.1 11.11.11.1 netmask 255.255.255.0
the same thing as
static (Outside,Inside) 11.11.11.1 10.10.10.1 netmask 255.255.255.0?
No, they are not the same. The order of a static NAT statement is:
static (real_interface,mapped_interface) mapped_ip real_ip netmask mask
What you do is: static (more secure network, less secure network). So you can do one of these:
static (DMZ,Outside) etc.
static (Inside,DMZ) etc.
static (Inside,Outside) etc.
In your case you should do: static (inside,outside) 100.100.100.100 192.168.10.1 netmask 255.255.255.255
This will NAT the inside address 192.168.10.1 to the outside address 100.100.100.100.
HTH
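The mapped-before-real ordering explained in this answer is the main thing to get right when carrying a pre-8.3 configuration forward, and it is also what the earlier question in this list (nat 0 access-list, global/nat pair) asks about. The following Python converter is an added example written for this page, not code from either reply and not a Cisco tool. It turns the three old statement types quoted in those two threads into the 8.3+ object network form: "static" becomes Auto NAT under an object, a "nat ID" / "global ID" pair becomes dynamic Auto NAT, and "nat (if) 0 access-list" NAT exemption becomes Manual NAT identity rules (Section 1). The generated object names (obj-<network>_<prefixlen>) follow the ASDM naming style seen elsewhere on this page, the outside interface used for the exemption rules is a parameter assumed to be "outside", and the input config is constructed from the lines quoted in the two threads.

```python
"""Convert pre-8.3 ASA NAT statements to the 8.3+ object network form.
Added example for this page; not from either forum reply and not a Cisco tool."""
import re
from ipaddress import IPv4Network
from typing import List

STATIC_RE = re.compile(
    r"^static\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)", re.I)
NAT_RE = re.compile(r"^nat\s*\(\s*([^)\s]+)\s*\)\s+(\d+)\s+(\S+)\s+(\S+)", re.I)
GLOBAL_RE = re.compile(r"^global\s*\(\s*([^)\s]+)\s*\)\s+(\d+)\s+(\S+)", re.I)
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.I)


def obj_name(ip: str, mask: str):
    """ASDM-style object name (assumed naming convention) plus the parsed network."""
    net = IPv4Network(f"{ip}/{mask}", strict=False)
    return f"obj-{net.network_address}_{net.prefixlen}", net


def obj_lines(name: str, net: IPv4Network) -> List[str]:
    """'object network' block for a host or a subnet, without a nat line."""
    body = (f" host {net.network_address}" if net.prefixlen == 32
            else f" subnet {net.network_address} {net.netmask}")
    return [f"object network {name}", body]


def convert_pre83(config: str, outside_if: str = "outside") -> List[str]:
    out: List[str] = []
    globals_by_id = {}          # nat ID -> (mapped interface, pool or "interface")
    acl = {}                    # ACL name -> [(src, smask, dst, dmask), ...]
    dyn, exempt = [], []        # deferred "nat (if) ID ..." and "nat (if) 0 ..." lines
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            # Old form lists the MAPPED address first, then the REAL address
            real_if, mapped_if, mapped_ip, real_ip, mask = m.groups()
            name, net = obj_name(real_ip, mask)
            out += obj_lines(name, net)
            out.append(f" nat ({real_if},{mapped_if}) static {mapped_ip}")  # Auto NAT, Section 2
        elif m := GLOBAL_RE.match(line):
            mapped_if, nat_id, pool = m.groups()
            globals_by_id[nat_id] = (mapped_if, pool)
        elif m := ACE_RE.match(line):
            acl.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := NAT_RE.match(line):
            real_if, nat_id, a, b = m.groups()
            (exempt if nat_id == "0" else dyn).append((real_if, nat_id, a, b))
    for real_if, nat_id, real_ip, mask in dyn:
        mapped_if, pool = globals_by_id[nat_id]      # "nat ... ID" pairs with "global ... ID"
        name, net = obj_name(real_ip, mask)
        out += obj_lines(name, net)
        out.append(f" nat ({real_if},{mapped_if}) dynamic {pool}")
    for real_if, _, keyword, acl_name in exempt:
        if keyword.lower() != "access-list":
            continue
        # NAT exemption becomes Manual NAT identity rules, which land in Section 1
        for src, smask, dst, dmask in acl.get(acl_name, []):
            sname, snet = obj_name(src, smask)
            dname, dnet = obj_name(dst, dmask)
            out += obj_lines(sname, snet) + obj_lines(dname, dnet)
            out.append(f"nat ({real_if},{outside_if}) source static {sname} {sname} "
                       f"destination static {dname} {dname}")
    return out


# Constructed pre-8.3 input assembled from the lines quoted in the two threads above
OLD_CONFIG = """\
access-list no-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list no-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 100.100.100.100 192.168.10.1 netmask 255.255.255.255
"""

if __name__ == "__main__":
    print("\n".join(convert_pre83(OLD_CONFIG)))
```

The static line comes out as "nat (inside,outside) static 100.100.100.100" under an object that holds the real address 192.168.10.1, which is the same mapping the answer above describes; the old "nat 0" exemption becomes a standalone identity rule, so it will sit in Section 1 ahead of the object rules, matching the section placement discussed in the main thread.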
-
No Version Control command under the File menu
Version of program: Adobe RoboHelp 8.0.2 / RoboSource Control 3.1
Hello!
I am very experienced with authoring in RoboHelp, but I'm trying to implement version control for the first time, and the documentation (PDF version of the manual for Adobe RoboHelp 8, page 29, point 2) says "Choose File > Version Control > Add to Version Control."
I have not found a Version Control item on the File menu, even with the menu fully expanded.
I found a toolbar icon that seemed to link to the command.
It is not a big deal, because I could find the icon, but I have other problems with version control (which I will address in a separate post), and I wonder if there is something wrong with my software. Does everyone have the "Version Control" command in the File menu?
Thank you!
Andreah
Hello
Sometimes it takes resetting a menu. To do this, right click on your menu bar and choose Customize. The Toolbars tab should be at the front. If it is not, click it. Then make sure the highlight is on the Menu Bar. Click the Reset button. Dismiss all dialogs. Does it show then?
Then again, source control is not my cup of witchcraft and I do not use it. So I've never had a reason to look for the command. Maybe it's just missing and the docs are wrong.
See you soon... Rick
Useful and practical links
RoboHelp wish form/bug report form
Begin to learn RoboHelp HTML 7 or 8 within days - $24.95!
Adobe Certified RoboHelp HTML Training
-
So I'm preconfiguring a few 5510s before shipment to the site. I have my Site to Site VPN tunnel up and can ping internal subnets between the sites. However, as soon as I configure NAT on my outside interface my pings die. I checked a very full config guide posted by TAC and I think the answer is to set up twice NAT, which I believe I did. I still don't get any packets in the tunnel.
A hint I found is that I get the following logged message when NAT is applied and is affecting routing: "ASA-6-110003: Routing failed to locate next hop for ICMP from Outside:10.56.8.4/512 to Internal:172.16.60.253/0".
Output of sh run object / sh run object-group / sh run nat / sh nat on the two ASAs:
SITE 1
sh run object
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network BH-Asterisk
 host x.x.x.x
 description BG Hill Asterisk
object network BH-Exchange
 host x.x.x.x
 description BG Hill Exchange Server
object network DH-AV
 subnet 10.56.20.0 255.255.255.0
 description DH AV
object network DH-Asterisk
 host x.x.x.x
 description DH Asterisk
object network DH-Exchange
 host 10.56.1.253
 description DH Exchange
object network DH-guests
 subnet 10.56.8.0 255.255.255.0
 description DH Guests
object network DH-ME
 subnet 10.56.24.0 255.255.255.0
 description DH ME
object network DH-phones
 subnet 10.56.16.0 255.255.255.0
 description DH Phones
object network DH-security
 subnet 10.56.32.0 255.255.255.0
 description DH Security
object network DH-internal
 subnet 10.56.1.0 255.255.255.0
 description DH Internal
object network BH-internal
 subnet 10.60.1.0 255.255.255.0
 description BH Internal
object network BH-phones
 subnet 10.60.16.0 255.255.255.0
 description BH Phones
object network BH-security
 subnet 10.60.32.0 255.255.255.0
 description BH Security
object network BH-AV
 subnet 10.60.20.0 255.255.255.0
 description BH AV
object network BH-guests
 subnet 10.60.8.0 255.255.255.0
 description BH Guests
object network BH-ASA
 host 1.1.1.1
object network DH-ASA
 host 1.1.1.2
object network BH-RAS
 subnet 10.60.99.0 255.255.255.0
object network DH-RAS
 subnet 10.56.99.0 255.255.255.0
object network NETWORK_OBJ_10.56.99.0_26
 subnet 10.56.99.0 255.255.255.192
object network BH-UC560
 host 172.16.60.253
object network DH-UC560
 host 172.16.56.253
RJ5510-DOHA# sh run object-group
object-group network BGHill
 description Subnets in BGHill
 network-object object BH-internal
 network-object object BH-phones
 network-object object BH-AV
 network-object object BH-security
 network-object object BH-guests
 network-object object BH-RAS
 network-object object BH-UC560
object-group network DH
 description Subnets in DH
 network-object object DH-AV
 network-object object DH-guests
 network-object object DH-ME
 network-object object DH-phones
 network-object object DH-security
 network-object object DH-internal
 network-object object DH-RAS
 network-object object DH-UC560
RJ5510-DH# sh run nat
nat (AV,outside) source static DH DH destination static BGHill BGHill
nat (guests,outside) source static DH DH destination static BGHill BGHill
nat (inside,outside) source static DH DH destination static BGHill BGHill
nat (phones,outside) source static DH DH destination static BGHill BGHill
nat (security,outside) source static DH DH destination static BGHill BGHill
nat (ME,outside) source static DH DH destination static BGHill BGHill
!
object network DH-AV
 nat (AV,outside) dynamic interface
object network DH-Exchange
 nat (inside,outside) static x.x.x.x
object network DH-guests
 nat (guests,outside) dynamic interface
object network DH-ME
 nat (ME,outside) dynamic interface
object network DH-phones
 nat (phones,outside) dynamic interface
object network DH-security
 nat (security,outside) dynamic interface
object network DH-internal
 nat (inside,outside) dynamic interface
HD-RJ5510# sh nat
Manual NAT Policies (Section 1)
1 (AV) to (outside) source static DH DH destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 386
2 (guests) to (outside) source static DH DH destination static BGHill BGHill
    translate_hits = 180, untranslate_hits = 0
3 (inside) to (outside) source static DH DH destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 0
4 (phones) to (outside) source static DH DH destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 0
5 (security) to (outside) source static DH DH destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 0
6 (ME) to (outside) source static DH DH destination static BGHill BGHill
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static DH-Exchange x.x.x.x
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic DH-internal interface
    translate_hits = 0, untranslate_hits = 0
3 (guests) to (outside) source dynamic DH-guests interface
    translate_hits = 2, untranslate_hits = 0
4 (phones) to (outside) source dynamic DH-phones interface
    translate_hits = 0, untranslate_hits = 0
5 (AV) to (outside) source dynamic DH-AV interface
    translate_hits = 0, untranslate_hits = 0
6 (ME) to (outside) source dynamic DH-ME interface
    translate_hits = 0, untranslate_hits = 0
7 (security) to (outside) source dynamic DH-security interface
    translate_hits = 0, untranslate_hits = 0
SITE 2
sh run object
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network BH-Asterisk
 host x.x.x.x
 description BH Hill Asterisk
object network BH-Exchange
 host 10.60.1.253
 description BH Hill Exchange Server
object network DH-AV
 subnet 10.56.20.0 255.255.255.0
 description DH AV
object network DH-Asterisk
 host x.x.x.x
 description DH Asterisk
object network DH-Exchange
 host x.x.x.x
 description DH Exchange
object network DH-guests
 subnet 10.56.8.0 255.255.255.0
 description DH Guests
object network DH-ME
 subnet 10.56.24.0 255.255.255.0
 description DH ME
object network DH-phones
 subnet 10.56.16.0 255.255.255.0
 description DH Phones
object network DH-security
 subnet 10.56.32.0 255.255.255.0
 description DH Security
object network DH-internal
 subnet 10.56.1.0 255.255.255.0
 description DH Internal
object network BH-internal
 subnet 10.60.1.0 255.255.255.0
 description BH Internal
object network BH-phones
 subnet 10.60.16.0 255.255.255.0
 description BH Phones
object network BH-security
 subnet 10.60.32.0 255.255.255.0
 description BH Security
object network BH-AV
 subnet 10.60.20.0 255.255.255.0
 description BH AV
object network BH-guests
 subnet 10.60.8.0 255.255.255.0
 description BH Guests
object network BH-ASA
 host 1.1.1.1
object network DH-ASA
 host 1.1.1.2
object network NETWORK_OBJ_10.60.99.0_26
 subnet 10.60.99.0 255.255.255.192
object network BH-RAS
 subnet 10.60.99.0 255.255.255.0
object network DH-RAS
 subnet 10.56.99.0 255.255.255.0
object network BH-UC560
 host 172.16.60.253
object network DH-UC560
 host 172.16.56.253
sh run object-group
object-group network BHHill
 description Subnets in BH Hill
 network-object object BH-internal
 network-object object BH-phones
 network-object object BH-AV
 network-object object BH-security
 network-object object BH-guests
 network-object object BH-RAS
 network-object object BH-UC560
object-group network DH
 description Subnets in DH
 network-object object DH-AV
 network-object object DH-guests
 network-object object DH-ME
 network-object object DH-phones
 network-object object DH-security
 network-object object DH-internal
 network-object object DH-RAS
 network-object object DH-UC560
sh run nat
nat (inside,outside) source static BHHill BHHill destination static DH DH
nat (AV,outside) source static BHHill BHHill destination static DH DH
nat (guests,outside) source static BHHill BHHill destination static DH DH
nat (phones,outside) source static BHHill BHHill destination static DH DH
nat (security,outside) source static BHHill BHHill destination static DH DH
!
object network BH-Exchange
 nat (inside,outside) static x.x.x.x
object network BH-internal
 nat (inside,outside) dynamic interface
object network BH-phones
 nat (phones,outside) dynamic interface
object network BH-security
 nat (security,outside) dynamic interface
object network BH-AV
 nat (AV,outside) dynamic interface
object network BH-guests
 nat (guests,outside) dynamic interface
sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static BHHill BHHill destination static DH DH
    translate_hits = 421, untranslate_hits = 178
2 (AV) to (outside) source static BHHill BHHill destination static DH DH
    translate_hits = 0, untranslate_hits = 0
3 (guests) to (outside) source static BHHill BHHill destination static DH DH
    translate_hits = 0, untranslate_hits = 0
4 (phones) to (outside) source static BHHill BHHill destination static DH DH
    translate_hits = 0, untranslate_hits = 0
5 (security) to (outside) source static BHHill BHHill destination static DH DH
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static BH-Exchange x.x.x.x
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source dynamic BH-internal interface
    translate_hits = 0, untranslate_hits = 0
3 (guests) to (outside) source dynamic BH-guests interface
    translate_hits = 0, untranslate_hits = 0
4 (phones) to (outside) source dynamic BH-phones interface
    translate_hits = 0, untranslate_hits = 0
5 (AV) to (outside) source dynamic BH-AV interface
    translate_hits = 0, untranslate_hits = 0
6 (security) to (outside) source dynamic BH-security interface
    translate_hits = 0, untranslate_hits = 0
RJ5510-BH#
I admit that I am stumped with this one, but I hope that someone will spot the catch?
Thank you
In fact, the problem is with the NAT, because you use the same object in different NAT statements attached to different interfaces.
The ASA can go crazy with that...
I must leave now.
As soon as I get back I'll explain this a little further.
Kind regards
Julio
Rate all useful posts
-
nat-control on ASA 5540 v8.3.2?
Is there an equivalent command in 8.3.2 to disable NAT, i.e. no nat-control?
I think it was in v7.2 but can't find it in 8.3.2. I use this 5540 strictly as a LAN-to-LAN IPsec VPN tunnel headend and do not NAT at all. If I can disable NAT, I won't have to deal with the obnoxious nat_0 ACL which grows and grows and grows. Is this possible in 8.3.2?
Hello
The nat-control command has been removed in version 8.3.
The nat-control command is deprecated. To maintain the requirement that all traffic from a higher security interface to a lower security interface be translated, a NAT rule will be inserted at the end of Section 2 for each interface to disallow any remaining traffic. The nat-control command was used for NAT configurations defined with earlier versions of the adaptive security appliance. The best practice is to use access rules for access control rather than relying on the absence of a NAT rule to prevent traffic through the adaptive security appliance.
Click on the following link for nat-control migration information:
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa83/upgrading/migrating.html#wp60212
Federico.
-
Hello, I was hoping someone might have an example of a site-to-site VPN configuration where the ASA is statically NATting its internal network. Basically the same configuration as this one, but instead of "no nat", the ASA is NATting. So instead of the remote site connecting to the local network 10.10.10.0/24, the ASA would NAT it to 172.16.17.0/24, for example.
http://www.Cisco.com/en/us/products/ps9422/products_configuration_example09186a0080b4ae61.shtml
Thank you.
Mike
It's not very complicated, just keep in mind that NAT is done before encryption.
So if you NAT your internal network 10.10.10.0/24 to 172.16.17.0/24:
static (inside,outside) 172.16.17.0 10.10.10.0 netmask 255.255.255.0
You can use the translated addresses in your crypto ACL:
access-list REMOTE-VPN permit ip 172.16.17.0 255.255.255.0 REMOTE-NET 255.255.255.0
I suppose that you are running ASA v8.3+; you referred to an older document. If you have more recent software, the logic is the same but the NAT commands differ.
Sent from Cisco Technical Support iPad App
-
Any technique to hit-test only the non-transparent area of a PNG image and the objects under it?
What happens if I have a PNG file that is, say, a circular chair; the file is obviously a rectangle in which the part outside the circle is transparent. Now if I put it on the stage at index 1 and place my hero under it (index 0), I want to be able to click on my hero to kill him, but not when he is inside the circle. By setting the mouseEnabled property of the circular chair to true I can only click my hero when he is outside the whole rectangle, not only outside the visible circle. So is there a technique to ignore the transparent part in such situations and hit the objects under it?
Convert the bitmap to a vector (Modify > Bitmap > Trace Bitmap) and then convert the vector to a movieclip or button.
-
ASA 5505 possibly interfering with/blocking inbound calls to UC560
ASA 5505 interfering with incoming calls - Cisco - Spiceworks #entry-5716462
All,
We had this phone problem when we lost connectivity for whatever reason. Here is an example:
We have an ASA 5505 in front of our UC560. The primary ASA lost power (power connector from main board loose); the backup is identical with the same config. The layout is the following:
UC560 <---> ASA 5505 <---> Cisco IAD24523 <---> (provider) <--- WAN (3 bonded)
After swapping the ASAs, incoming calls have been hit and miss. I can see the traffic on the firewall when the calls log, nothing otherwise. OS on the devices are:
UC560 - 15.0(1r)XA
ASA 5505 - 9.0(4)38
Contacted the provider and, after debugging, support says the calls have been expiring with the SIP 408 error.
Opened a case with Cisco support and, after debugging, the UC is throwing the SIP 487 disconnect error.
So based on the above, and the only variable being the ASA, I'm fairly certain that it is indeed the ASA. Here is the ASA config (it's pretty long, sorry):
Output of the command: "show run"
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.0(4)38
!
hostname XXXXX-CA
enable password WUGxGkjzJJSPhT9N encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd WUGxGkjzJJSPhT9N encrypted
names
dns-guard
ip local pool XXXXX-Remote 192.168.254.1-192.168.254.25 mask 255.255.255.0
!
interface Ethernet0/0
 description --> Internet
 switchport access vlan 2
!
interface Ethernet0/1
 description --> Inside
 switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 description --> Internet
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.242 255.255.255.240
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
banner exec * W A R N I N G *
banner exec Unauthorised access prohibited. All access is
banner exec monitored and intruders may be prosecuted
banner exec to the full extent of the law.
banner login * W A R N I N G *
banner login Unauthorized access prohibited. All access is
banner login monitored, and intruders will be prosecuted
banner login to the full extent of the law.
banner motd ! ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL ONLY !
banner motd This is a private computer system.
banner motd Access is allowed only to authorized employees or agents of the
banner motd company.
banner motd The system may be used only for authorized company business.
banner motd Company management approval is required for all access privileges.
banner motd This system is equipped with a security system designed to prevent
banner motd and record unauthorized access attempts.
banner motd
banner motd Unauthorized access or use is a crime under the law.
banner asdm XXXXX Enterprises Inc. $(hostname)
boot system disk0:/asa904-38-k8.bin
boot system disk0:/asa904-29-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
same-security-traffic permit intra-interface
object obj voip network
10.1.1.0 subnet 255.255.255.0
network object obj - 192.168.254.0--->--->
192.168.254.0 subnet 255.255.255.0
pool of local addresses of description
object obj cue-network
10.1.10.0 subnet 255.255.255.0
object obj priv-network
192.168.10.0 subnet 255.255.255.0
object obj data network
subnet 10.0.1.0 255.255.255.0
network object obj - 192.168.0.0
192.168.0.0 subnet 255.255.255.0
Description not used
network object obj - 192.168.1.0
subnet 192.168.1.0 255.255.255.0
Description not used
object obj nj-asa-private-network
Subnet 192.168.2.0 255.255.255.0
network obj object -? asa-private-network
192.168.5.0 subnet 255.255.255.0
network obj object -? asa-private-network
192.168.6.0 subnet 255.255.255.0
network obj object -? -asa - private-network
subnet 192.168.3.0 255.255.255.0
network obj object -? asa-priv-networl
subnet 192.168.4.0 255.255.255.0
network obj object -? asa-private-network
192.168.7.0 subnet 255.255.255.0
object obj-asa-Interior-voip-nic network
host 10.1.1.1
network obj_any object
subnet 0.0.0.0 0.0.0.0
network obj_any-01 object
subnet 0.0.0.0 0.0.0.0
network object obj - 0.0.0.0
host 0.0.0.0
object obj-vpn-nic network
Home 192.168.10.20
object obj XXXX-asa-private-network
192.168.8.0 subnet 255.255.255.0
House of XXXX description
network obj object -? asa-private-network
192.168.9.0 subnet 255.255.255.0
object asa inside-network data
subnet 10.0.1.0 255.255.255.0
asa data-outside-network object
subnet XXX.XXX. XXX.240 255.255.255.240
network of china-education-and-research-network-center object
Home 202.194.158.191
 description Explicitly blocked ACL
object network china-unicom-shandong-network
 subnet 60.214.232.0 255.255.255.0
 description Explicitly blocked ACL
object network pbx-cue-inside-nic
 host 10.1.10.2
object network pbx-cue-outside-nic
 host 10.1.10.1
object network telepacific-voip-trunk
 host 64.60.66.250
 description No longer used
object network us-la-mianbaodianying
 host 68.64.168.46
 description Explicitly blocked ACL
object network cue-network
 subnet 10.1.10.0 255.255.255.0
object network data-private-network
 subnet 192.168.10.0 255.255.255.0
object network pbx-outside-data-nic
 host 10.0.1.2
object network pbx-voip-inside-nic
 host 10.1.1.1
object network voip-network
 subnet 10.1.1.0 255.255.255.0
object network vpn-server-nic
 host 192.168.10.20
object network asa-data-outside-nic
 host XXX.XXX.XXX.242
object network asa-voip-ctl-outside-nic
 host XXX.XXX.XXX.244
object network 192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 description Not used
object network 192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 description Not used
object network nj-asa-priv-netowrk
 subnet 192.168.2.0 255.255.255.0
object network 192.168.254.0
 subnet 192.168.254.0 255.255.255.0
 description Local address pool
object network ?-asa-private-network
 subnet 192.168.3.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.4.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.5.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.6.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.7.0 255.255.255.0
object network ?-asa-private-network
 subnet 192.168.9.0 255.255.255.0
object network XXXX-asa-private-network
 subnet 192.168.8.0 255.255.255.0
object network XXX.XXX.XXX.242
 host XXX.XXX.XXX.242
object service 47
 service tcp source eq 47 destination eq 47
object network dvr
 host 192.168.10.16
object network dvr-nat-tcp8888
 host 192.168.10.16
object network dvr-nat-tcp6036
 host 192.168.10.16
object network dvr-nat-udp6036
 host 192.168.10.16
object service dvr-8888
 service tcp destination eq 8888
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service dvr-6036 tcp-udp
 port-object eq 6036
access-list détermine extended permit ip object pbx-outside-data-nic any4 inactive
access-list détermine extended permit ip any4 object pbx-outside-data-nic inactive
access-list testout extended permit ip object asa-voip-ctl-outside-nic any4 inactive
access-list testout extended permit ip any4 object asa-voip-ctl-outside-nic inactive
access-list XXXXX-Remote_splitTunnelAcl standard permit 10.0.1.0 255.255.255.0
access-list XXXXX-Remote_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list XXXXX-Remote_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0
access-list XXXXX-Remote_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object voip-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object cue-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object data-private-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object 192.168.254.0
access-list inside_nat0_outbound extended permit ip object voip-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object cue-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object data-private-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object 192.168.0.0 inactive
access-list inside_nat0_outbound extended permit ip object voip-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object cue-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object data-private-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object 192.168.1.0 inactive
access-list inside_nat0_outbound extended permit ip object voip-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object cue-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object data-private-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object nj-asa-priv-netowrk
access-list inside_nat0_outbound extended permit ip object cue-network object XXXX-asa-private-network
access-list inside_nat0_outbound extended permit ip object asa-data-inside-network object XXXX-asa-private-network
access-list inside_nat0_outbound extended permit ip object voip-network object XXXX-asa-private-network
access-list inside_nat0_outbound extended permit ip object data-private-network object XXXX-asa-private-network
access-list ezvpn1 standard permit 192.168.10.0 255.255.255.0
access-list ezvpn1 standard permit 10.1.10.0 255.255.255.0
access-list ezvpn1 standard permit 10.0.1.0 255.255.255.0
access-list ezvpn1 standard permit 10.1.1.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.0.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.1.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.2.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.3.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.4.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.5.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.6.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.7.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.8.0 255.255.255.0
access-list ezvpn1 standard permit 192.168.9.0 255.255.255.0
access-list capout extended permit udp object asa-data-outside-nic object telepacific-voip-trunk inactive
access-list capout extended permit udp object telepacific-voip-trunk object asa-data-outside-nic inactive
access-list capture extended permit ip object pbx-cue-outside-nic object nj-asa-priv-netowrk
access-list capture extended permit ip object pbx-cue-inside-nic object nj-asa-priv-netowrk
access-list capture extended permit ip object ?-asa-private-network object pbx-cue-outside-nic
access-list capture extended permit ip object ?-asa-private-network object pbx-cue-inside-nic
access-list capture extended permit ip object nj-asa-priv-netowrk object pbx-cue-outside-nic
access-list capture extended permit ip object nj-asa-priv-netowrk object pbx-cue-inside-nic
access-list capture extended permit ip object ?-asa-private-network object pbx-cue-outside-nic
access-list capture extended permit ip object ?-asa-private-network object pbx-cue-inside-nic
access-list ciscotest extended permit ip host 192.168.5.41 object voip-network inactive
access-list ciscotest extended permit ip object voip-network host 192.168.5.41 inactive
access-list ciscotest extended permit ip host 192.168.5.43 object voip-network inactive
access-list ciscotest extended permit ip object voip-network host 192.168.5.43 inactive
access-list out_in remark Remote access attempted
access-list out_in extended deny ip object china-unicom-shandong-network any4
access-list out_in remark Remote access attempted
access-list out_in extended deny ip object us-la-mianbaodianying any4
access-list out_in extended deny udp object china-education-and-research-network-center object pbx-voip-inside-nic eq sip
access-list out_in extended permit icmp any4 object vpn-server-nic
access-list out_in extended permit tcp any4 object vpn-server-nic eq pptp
access-list out_in extended permit tcp any4 object vpn-server-nic eq 47
access-list out_in extended permit gre any4 object vpn-server-nic
access-list out_in extended permit icmp any4 object pbx-voip-inside-nic
access-list out_in extended permit udp any4 object pbx-voip-inside-nic eq tftp
access-list out_in extended permit tcp any4 object pbx-voip-inside-nic eq h323
access-list out_in extended permit udp any4 object pbx-voip-inside-nic eq sip
access-list out_in remark HTTPS access from outside
access-list out_in extended permit tcp any4 object data-private-network eq https
access-list outside_access_in extended permit icmp host 192.168.10.20 any4
access-list outside_access_in extended permit tcp host 192.168.10.20 any4 eq pptp
access-list outside_access_in extended permit object 47 any4 host 192.168.10.20
access-list outside_access_in extended permit gre any4 host 192.168.10.20
access-list outside_access_in extended permit tcp any object dvr object-group dvr-6036
access-list outside_access_in extended permit udp any object dvr object-group dvr-6036
access-list outside_access_in extended permit object dvr-8888 any object dvr
access-list outside_access_in extended permit icmp any4 host 10.1.1.1
access-list outside_access_in extended permit udp host 10.1.1.1 any4 eq tftp
access-list outside_access_in extended permit tcp host 10.1.1.1 any4 eq h323
access-list outside_access_in extended permit udp any4 host 10.1.1.1 eq sip
access-list outside_access_in remark Incoming https
access-list outside_access_in extended permit tcp any4 192.168.10.0 255.255.255.0 eq https
pager lines 24
logging enable
logging buffer-size 1048576
logging monitor debugging
logging buffered debugging
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging flash-bufferwrap
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.10.20 4432
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 3 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
icmp permit any unreachable outside
icmp permit host 75.140.0.86 outside
icmp permit any inside
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-192.168.254.0 obj-192.168.254.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-private-network obj-private-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-data-network obj-data-network destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-private-network obj-private-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-data-network obj-data-network destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup inactive
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-nj-asa-private-network obj-nj-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-priv-networl obj-?-asa-priv-networl no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-XXXX-asa-private-network obj-XXXX-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-data-network obj-data-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-voip-network obj-voip-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-cue-network obj-cue-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
nat (inside,any) source static obj-private-network obj-private-network destination static obj-?-asa-private-network obj-?-asa-private-network no-proxy-arp route-lookup
!
object network obj-asa-inside-voip-nic
 nat (inside,outside) static XXX.XXX.XXX.244
object network obj_any
 nat (inside,outside) dynamic interface
object network obj_any-01
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj-vpn-nic
 nat (inside,outside) static XXX.XXX.XXX.254
object network dvr-nat-tcp8888
 nat (inside,outside) static interface service tcp 8888 8888
object network dvr-nat-tcp6036
 nat (inside,outside) static interface service tcp 6036 6036
object network dvr-nat-udp6036
 nat (inside,outside) static interface service udp 6036 6036
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.241 1
route inside 10.1.1.0 255.255.255.0 10.0.1.2 1
route inside 10.1.10.0 255.255.255.252 10.0.1.2 1
route inside 192.168.10.0 255.255.255.0 10.0.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 192.168.254.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server group Authentication&Encryption v3 priv
snmp-server group No_Authentication_No_Encryption v3 noauth
snmp-server host inside 192.168.10.20 community *****
snmp-server location Ontario, CA
snmp-server contact [email protected]
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map myDYN-map 5 set ikev1 transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map myMAP 65535 ipsec-isakmp dynamic myDYN-map
crypto ca trustpoint CAP-RTP-001_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002_trustpoint
 enrollment terminal
 crl configure
crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_0
 enrollment self
 fqdn none
 subject-name cn="_internal_ctl_phoneproxy_file_SAST_0";ou="STG";o="Cisco Inc."
 keypair _internal_ctl_phoneproxy_file_SAST_0
 crl configure
crypto ca trustpoint _internal_ctl_phoneproxy_file_SAST_1
 enrollment self
 fqdn none
 subject-name cn="_internal_ctl_phoneproxy_file_SAST_1";ou="STG";o="Cisco Inc."
 keypair _internal_ctl_phoneproxy_file_SAST_1
 crl configure
crypto ca trustpoint _internal_PP_ctl_phoneproxy_file
 enrollment self
 fqdn none
 subject-name cn="_internal_PP_ctl_phoneproxy_file";ou="STG";o="Cisco Inc."
 keypair _internal_PP_ctl_phoneproxy_file
 crl configure
crypto ca trustpoint Cisco-Mfg-CA
 enrollment terminal
 crl configure
crypto ca trustpoint phoneproxy_trustpoint
 enrollment self
 fqdn XXXXXXXXXX.com
 subject-name CN=XXXXXX-ASA
 keypair phoneproxy_trustpoint
 crl configure
crypto ca trustpool policy
crypto ca certificate chain CAP-RTP-001_trustpoint
 certificate ca 7612f960153d6f9f4e42202032b72356
  quit
crypto ca certificate chain CAP-RTP-002_trustpoint
 certificate ca 353fb24bd70f14a346c1f3a9ac725675
  quit
crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_0
 certificate e1aee24c
  quit
crypto ca certificate chain _internal_ctl_phoneproxy_file_SAST_1
 certificate e4aee24c
  quit
crypto ca certificate chain _internal_PP_ctl_phoneproxy_file
 certificate e8aee24c
  quit
crypto ca certificate chain Cisco-Mfg-CA
 certificate ca 6a6967b3000000000003
  quit
crypto ca certificate chain phoneproxy_trustpoint
 certificate 83cbe64c
  quit
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
priority-queue outside
 tx-ring-limit 256
!
tls-proxy maximum-session 24
!
!
tls-proxy tls_proxy
 server trust-point _internal_PP_ctl_phoneproxy_file
ctl-file ctl_phoneproxy_file
 record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 73.200.75.244
!
media-termination asdm_media_termination
 address XXX.XXX.XXX.245 interface outside
 address 10.0.1.245 interface inside
!
phone-proxy asdm_phone_proxy
 media-termination asdm_media_termination
 tftp-server address 10.1.1.1 interface inside
 tls-proxy tls_proxy
 no disable service-settings
 proxy-server address XXX.XXX.xxx.242 80 interface outside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.10.60 source inside
group-policy myGROUP internal
group-policy myGROUP attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn1
 nem enable
group-policy XXXXX-Remote internal
group-policy XXXXX-Remote attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXXX-Remote_splitTunnelAcl
username fstorm password EICAA5sjaiU.vh05 encrypted privilege 15
username fstorm attributes
 service-type remote-access
username ciscotac password PPfytzRN94JBZlXh encrypted privilege 0
username cisco password omWHH15zt6aLxWSr encrypted privilege 15
username cisco attributes
 service-type remote-access
username XXXXXu8 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu8 attributes
 service-type remote-access
username uniadmin password G72KWXo/GsACJLJ7 encrypted privilege 15
username XXXXXU1 password rmZe1Ee0HeReQn6N encrypted privilege 0
username XXXXXU1 attributes
 vpn-group-policy XXXXX-Remote
 service-type remote-access
username XXXXXu3 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu3 attributes
 service-type remote-access
username XXXXXu2 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu2 attributes
 service-type remote-access
username XXXXXu5 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu5 attributes
 service-type remote-access
username XXXXXu4 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu4 attributes
 service-type remote-access
username XXXXXu7 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu7 attributes
 service-type remote-access
username XXXXXu6 password rmZe1Ee0HeReQn6N encrypted
username XXXXXu6 attributes
 service-type remote-access
tunnel-group XXXXX-Remote type remote-access
tunnel-group XXXXX-Remote general-attributes
 address-pool XXXXX-Remote
 default-group-policy XXXXX-Remote
tunnel-group XXXXX-Remote ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group mytunnel type remote-access
tunnel-group mytunnel general-attributes
 default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map CM-VOICE-SIGNAL
 match dscp af31
class-map outside-phoneproxy
 match port tcp eq 2443
class-map inspection_default
 match default-inspection-traffic
class-map data
 match flow ip destination-address
 match tunnel-group mytunnel
class-map CM-VOICE
 match dscp ef
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
 class class-default
  user-statistics accounting
  flow-export event-type all destination 192.168.10.20
policy-map outside-policy
 class outside-phoneproxy
  inspect skinny phone-proxy asdm_phone_proxy
 class CM-VOICE
  priority
 class CM-VOICE-SIGNAL
  priority
policy-map World-Policy
!
service-policy global_policy global
smtp-server 207.46.163.138
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:8bb3014c2a6deba7c80e5f897b3d34cb
: end
If someone could give a clue as to what could be the problem, I would appreciate it.
Glad you were able to solve the problem! Also, thank you for taking the time to come back and post the solution here (+ 5 from me)!
Now, given that your issue is resolved, you must mark the thread as "answered" :)
Thank you for rating helpful posts!
-
Hello
I have a little problem with my ASA config.
The ASA is set up to allow AnyConnect with local users,
but after I added the following NAT statement and ACL on the outside, I cannot connect with AnyConnect any more.
nat (DMZ,OUTSIDE) source static HOST_DMZ-NAS-FTP interface
access-list OUTSIDE_access_in extended permit tcp object HOST_DMZ-NAS-FTP eq ftp
How do I make it work again?
Hello
You have a dominant NAT configuration.
We should see a UN-NAT phase at the very beginning, before any other ACCESS-LIST phase.
You probably have a dynamic PAT configuration for the DMZ in Section 1 Manual NAT, which is what is causing the problems.
Since you cannot share the configuration, I cannot really do anything other than try to give an alternative configuration, which should make it work even though it is not the ideal configuration, since your dynamic PAT rule shouldn't have such priority anyway. That is, unless I'm wrong in my guess about the problem above.
Remove the Auto NAT / Network Object NAT I suggested:
object network HOST_DMZ-NAS-FTP
 no nat (DMZ,OUTSIDE) static interface service tcp 21 21
Note that we still leave the 'host' statement under the 'object'. We only remove the 'nat' command.
Then you must add these:
object service FTP
 service tcp source eq 21
nat (DMZ,outside) 1 source static HOST_DMZ-NAS-FTP interface service FTP FTP
Then try again.
-Jouni
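To make the ordering behind this answer concrete, here is an added Python model (not code from the thread, from Cisco or from the posters) of the three ASA NAT sections: it parses the rule forms posted above and shows which rule a new inbound flow to the outside interface address hits. The object contents, the interface addresses and the Auto NAT line the reply assumes to exist are constructed for the example.

```python
"""Cisco ASA (8.3+) NAT section ordering, as a small Python model.

Section 1: manual NAT in configuration order; Section 2: Auto (object) NAT,
static before dynamic; Section 3: manual NAT entered with 'after-auto'.
A Section 1 rule that maps a whole DMZ host to the outside interface address
claims every inbound flow to that address, AnyConnect on TCP/443 included;
a service object restricts it to the FTP port. Object contents, interface
addresses and the Auto NAT line the reply assumes are constructed here.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables standing in for the poster's objects (assumption).
NETWORK_OBJECTS = {"HOST_DMZ-NAS-FTP": "10.20.0.21"}
SERVICE_OBJECTS = {"FTP": ("tcp", 21)}  # object service FTP / service tcp source eq 21
INTERFACE_IP = {"outside": "203.0.113.2", "dmz": "10.20.0.1"}

@dataclass
class NatRule:
    text: str                    # configuration line as typed
    section: int                 # 1 manual, 2 auto (object NAT), 3 manual after-auto
    static: bool
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None  # service restriction; None means the whole address
    port: Optional[int] = None   # mapped-side port when a service is given

MANUAL = re.compile(
    r"nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?:\d+\s+)?(?P<after>after-auto\s+)?"
    r"(?:\d+\s+)?source\s+(?P<kind>static|dynamic)\s+(?P<robj>\S+)\s+(?P<mobj>\S+)"
    r"(?:\s+service\s+(?P<rsvc>\S+)\s+(?P<msvc>\S+))?")
AUTO = re.compile(
    r"nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?P<kind>static|dynamic)\s+(?P<mobj>\S+)"
    r"(?:\s+service\s+(?P<proto>tcp|udp)\s+(?P<rport>\d+)\s+(?P<mport>\d+))?")

def resolve(name, mapped_intf):
    """Resolve a network object name or the keyword 'interface' to an address."""
    if name == "interface":
        return INTERFACE_IP[mapped_intf.lower()]
    return NETWORK_OBJECTS[name]

def parse_manual(line):
    """Parse a manual ('twice') NAT line; 'after-auto' puts it in Section 3."""
    m = MANUAL.search(line)
    if not m:
        raise ValueError(f"unsupported manual NAT line: {line!r}")
    proto = port = None
    if m["msvc"]:
        proto, port = SERVICE_OBJECTS[m["msvc"]]  # mapped-side service object
    return NatRule(line.strip(), 3 if m["after"] else 1, m["kind"] == "static",
                   resolve(m["robj"], m["mapped"]), resolve(m["mobj"], m["mapped"]),
                   proto, port)

def parse_auto(object_name, line):
    """Parse the 'nat' sub-command under 'object network <object_name>' (Section 2)."""
    m = AUTO.search(line)
    if not m:
        raise ValueError(f"unsupported object NAT line: {line!r}")
    port = int(m["mport"]) if m["mport"] else None
    return NatRule(line.strip(), 2, m["kind"] == "static", NETWORK_OBJECTS[object_name],
                   resolve(m["mobj"], m["mapped"]), m["proto"], port)

def first_inbound_match(rules, dst_ip, proto, dport):
    """Return the rule that untranslates a new inbound flow to dst_ip:dport, or None.

    Order: Section 1, Section 2 (static before dynamic), Section 3; within a
    section, configuration order. A real ASA also sorts Section 2 by address
    specificity, which this model leaves out.
    """
    ordered = sorted(enumerate(rules),
                     key=lambda t: (t[1].section, t[1].section == 2 and not t[1].static, t[0]))
    for _, rule in ordered:
        if not rule.static or rule.mapped_ip != dst_ip:
            continue  # dynamic PAT never admits new inbound flows
        if rule.proto is None or (rule.proto == proto and rule.port == dport):
            return rule
    return None

def broken_ruleset():
    """The poster's whole-address rule plus the Auto NAT the reply assumes exists."""
    return [parse_manual("nat (DMZ,OUTSIDE) source static HOST_DMZ-NAS-FTP interface"),
            parse_auto("HOST_DMZ-NAS-FTP",
                       " nat (DMZ,OUTSIDE) static interface service tcp 21 21")]

def fixed_ruleset():
    """The service-restricted manual NAT from the reply: only TCP/21 is claimed."""
    return [parse_manual(
        "nat (DMZ,outside) 1 source static HOST_DMZ-NAS-FTP interface service FTP FTP")]

def anyconnect_hijacked(rules):
    """True when TCP/443 to the outside interface is untranslated to the DMZ host."""
    return first_inbound_match(rules, INTERFACE_IP["outside"], "tcp", 443) is not None

if __name__ == "__main__":
    for label, rules in (("posted", broken_ruleset()), ("suggested", fixed_ruleset())):
        hit = first_inbound_match(rules, INTERFACE_IP["outside"], "tcp", 443)
        print(f"{label}: TCP/443 to outside ->", hit.text if hit else "no NAT, reaches the ASA")
```

On a real box the same question is answered by `packet-tracer input outside tcp <client> 1025 <outside-ip> 443`, where the UN-NAT phase shows which rule claimed the flow.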
-
Here is my complete config.
Here are a few notes:
IP obtained from the VPN: 10.250.128.X
LAN IP: 192.168.0.0/24
My VPN works atm, #1 for those who don't.
What I want to do is NAT my VPN for this:
Example: I want to access the computer 192.168.0.2 on the company LAN.
I want to hit 192.168.200.2 from the PC (which is connected to the VPN) and have the Cisco convert 192.168.200.2 to 192.168.0.2, so that I can access my PC at work.
Of course, I think it needs to be able to do the other side as well (192.168.0.2 to 192.168.200.2, to be able to send the packet back; not sure on this).
Can you guys help me? It's out of my knowledge atm.
ASA Version 8.2(1)
!
terminal width 250
hostname hostname
enable password d0/xPtlKePBzdYTe encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.128.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
 speed 10
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group service grp_outside_in tcp
 description Ports required for internal transfer
 port-object eq smtp
 port-object eq ssh
access-list inside-out extended permit ip any any
access-list inside-out extended permit icmp any any
access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.0.0 255.255.20.0 10.250.128.0 255.255.255.0
access-list 100 extended permit ip 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit icmp 10.250.128.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
pager lines 34
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool mobilepool 10.250.128.100-10.250.128.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.0.128.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set floating esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set floating
crypto dynamic-map dyn1 1 set reverse-route
crypto map mobilemap 1 ipsec-isakmp dynamic dyn1
crypto map mobilemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 10.0.128.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout 2000
 vpn-session-timeout 2000
group-policy mobile_policy internal
group-policy mobile_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
username admin password N2TJh8TeuGc7EOVu encrypted privilege 15
username user1 password gLGaPhl70GqS8DhN encrypted
username user2 password Y7.fXmPk3FvKUGOO encrypted
tunnel-group mobilegroup type remote-access
tunnel-group mobilegroup general-attributes
 address-pool mobilepool
 default-group-policy mobile_policy
tunnel-group mobilegroup ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:012d58f20bdf997d1e7b6927431e0015
: end
Hi Gyslain,
So, if I understand correctly, you want the following:
- NAT the local LAN 192.168.0.0/24 to 192.168.200.0/24 for VPN Client users, so that their local network does not overlap with your LAN while they are connected
To my knowledge you should be able to handle this with the following changes to your configuration:
- Configure policy NAT
- Change the Split Tunnel rules
- Remove the existing NAT0 rule
Here are some example configurations that I think should handle the situation. Naturally, make sure you have the old configuration at hand in case you need to revert to it.
Remove the NAT0 rule
- no nat (inside) 0 access-list no_nat
- no access-list no_nat extended permit ip 192.168.0.0 255.255.0.0 10.250.128.0 255.255.255.0
By removing the above configuration we avoid the LAN being presented with its original IP addresses to the VPN Client user.
Create the policy NAT
- access-list VPN-CLIENT-POLICY-NAT permit ip 192.168.0.0 255.255.255.0 10.250.128.0 255.255.255.0
- static (inside,outside) 192.168.200.0 access-list VPN-CLIENT-POLICY-NAT netmask 255.255.255.0
With the above configuration we tell the ASA to NAT your local LAN 192.168.0.0/24 to 192.168.200.0/24 WHEN connections are made to the destination network 10.250.128.0/24, which is the VPN Client pool. This naturally works in both directions. Also note that if your LAN host's IP address is, for example, 192.168.0.100, its NAT address will be 192.168.200.100.
Change the VPN Client Split Tunnel
- access-list VPN-SPLIT-TUNNEL standard permit 192.168.200.0 255.255.255.0
- group-policy mobile_policy attributes
 split-tunnel-network-list value VPN-SPLIT-TUNNEL
The above configuration changes your VPN Client Split Tunnel ACL to a Standard ACL that tells your client which networks to send through the VPN. In this case it would be the new policy NAT network 192.168.200.0/24. After configuring the ACL you naturally set it under the VPN settings.
I'm not sure if you have split tunnel configured at all, since the configuration doesn't show the ACL name, at least. I know you can have the "tunnelspecified" configuration line without the actual ACL specified, but I don't know whether this is a copy/paste problem or a typo. It should work with full tunnel also.
With the above configuration, to my knowledge, everything should work.
-Jouni
EDIT: Some typos
Edit2: Group policy name was wrong
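The policy NAT rule in the reply above can be sanity-checked before touching the ASA. The following is an added example, not part of Jouni's reply or a Cisco tool: it models the `static (inside,outside) ... access-list ... netmask` behaviour described there (host bits preserved, translation applied only when the destination matches the ACL, and the xlate usable in both directions) with the thread's own networks. The class and function names, and the sample addresses used at the bottom, are this example's own assumptions.

```python
# Added example (not part of the original post): a small model of the ASA 8.2
# policy static NAT proposed in the reply above, to see which packets it
# would translate and what address the VPN client has to use.
import ipaddress
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


class PolicyStaticNat:
    """Models:

        access-list <acl> permit ip <real_net> <mask> <dst_net> <mask>
        static (inside,outside) <mapped_net> access-list <acl> netmask <mask>

    The host part of the real address is preserved, so 192.168.0.100 becomes
    192.168.200.100. The translation is bidirectional: packets from the
    ACL's destination network addressed to the mapped network are
    untranslated back to the real network.
    """

    def __init__(self, real_net: str, mapped_net: str, dst_net: str) -> None:
        self.real_net = Net(real_net)
        self.mapped_net = Net(mapped_net)
        self.dst_net = Net(dst_net)
        if self.real_net.prefixlen != self.mapped_net.prefixlen:
            raise ValueError("real and mapped networks must share the netmask")

    @staticmethod
    def _shift(addr: IPv4, src: Net, dst: Net) -> IPv4:
        # Keep the host bits, swap the network part.
        offset = int(addr) - int(src.network_address)
        return IPv4(int(dst.network_address) + offset)

    def outbound(self, src: str, dst: str) -> Optional[str]:
        """inside -> outside packet: translated source address, or None if the
        policy ACL does not match (the packet then falls through to other NAT)."""
        s, d = IPv4(src), IPv4(dst)
        if s in self.real_net and d in self.dst_net:
            return str(self._shift(s, self.real_net, self.mapped_net))
        return None

    def inbound(self, src: str, dst: str) -> Optional[str]:
        """outside -> inside packet: real destination if it is addressed to the
        mapped network from the ACL's destination network, else None."""
        s, d = IPv4(src), IPv4(dst)
        if d in self.mapped_net and s in self.dst_net:
            return str(self._shift(d, self.mapped_net, self.real_net))
        return None


def needs_policy_nat(corporate_lan: str, client_lan: str) -> bool:
    """The reason for the whole setup: the VPN client's own LAN overlaps the
    office LAN, so the office must be reached under a different prefix."""
    return Net(corporate_lan).overlaps(Net(client_lan))


# Constructed from the thread: office LAN, policy NAT network, VPN client pool.
RULE = PolicyStaticNat("192.168.0.0/24", "192.168.200.0/24", "10.250.128.0/24")

if __name__ == "__main__":
    # Assumed sample addresses: a client at home on 192.168.0.0/24, pool IP .105
    print(needs_policy_nat("192.168.0.0/24", "192.168.0.0/24"))  # True
    print(RULE.inbound("10.250.128.105", "192.168.200.2"))       # 192.168.0.2
    print(RULE.outbound("192.168.0.2", "10.250.128.105"))        # 192.168.200.2
    print(RULE.outbound("192.168.0.2", "93.184.216.34"))         # None
```

The last call shows why this is policy NAT rather than a plain static: traffic from 192.168.0.2 to any destination outside the VPN pool is not touched by the rule and still goes out through the existing `global (outside) 1 interface` PAT. The `inbound` check with a destination of 192.168.0.2 returning None is the point of the split-tunnel change: the client must address the office as 192.168.200.x, which is why the new standard ACL lists only that network.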
-
Hi Experts,
One of my offices has a Cisco ASA 5510 with IOS 8.4(5). Everything is configured and works very well except the static NAT. I have a public IP block, which I used to set up the static NAT. The internal server configured with the static NAT does not get internet or anything. When I removed the static NAT, the internet works (with the WAN interface IP). The server is placed in the DMZ. I left the server there but it does not work.
Kind regards
MARTIN
Hello
In your case the static NAT configuration format for the server would be
object network
This would bind the local IP address to the public IP configured in the "nat" command. This means that outgoing connections would also use this public IP address. If you already had a similar static PAT configuration then you wouldn't really need this UNLESS you change the mapped/local port in the "nat" command.
But setting up a static NAT would already mean that it overrides the Dynamic PAT for outbound connections from this server. Naturally, depending on your current complete NAT configuration, there is a small chance that even this static NAT could be overridden, but I doubt it. If the above "packet-tracer" is for the DMZ server in question then there should be no problem.
-Jouni