Hello all.
I am working on an ASA 5510 after downgrading it to 8.2 from 8.3, no time to learn a new trick.
Everything seems to be working except I cannot ping the DNS server 68.4.16.30 from a workstation with a static at 10.1.1.4, but I can ping the DNS server from within the ASA.
Go figure, I must be missing something.
Any help would be much appreciated.
Scrubbed Config....(Non Production, I see other errors I must fix as well), A lot of cut and pasting..
mullervpn# sh run
: Saved
:
: Scrubbed ASA 5510 running-config, ASA 8.2(2); public addresses appear as 207.X.X.n.
: Lines starting with ": NOTE(review)" are reviewer comments only and are not configuration.
ASA Version 8.2(2)
!
hostname mullervpn
: NOTE(review): this domain-name differs from the one under "dns server-group DefaultDNS" below;
: presumably a partial scrub, but worth making consistent.
domain-name domain.com
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 207.X.X.129 255.255.255.224
!
: NOTE(review): the management interface is shut down and has no address, so the "management"
: entries under http/dns below are inert.
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup management
: NOTE(review): these are the resolvers the ASA itself uses. A ping from the ASA to 68.4.16.30 is
: from-the-box traffic, which does not pass through the interface ACL below; a ping from 10.1.1.4 does.
dns server-group DefaultDNS
name-server 68.4.16.30
name-server 68.6.16.30
domain-name themullercompany.com
: NOTE(review): outside_access_in permits tcp only. There is no icmp entry here and no "inspect icmp"
: in global_policy below, so echo-replies returning to an inside host (10.1.1.4 -> 68.4.16.30) are
: dropped on the outside interface while the ASA's own pings succeed — this matches the reported
: symptom. Add "inspect icmp" under class inspection_default (preferred, stateful) or an explicit
: echo-reply permit in this ACL; confirm on the box.
: NOTE(review): 3389 (RDP) is exposed from "any" to ten hosts; restrict the source to known addresses
: or reach RDP over VPN instead. 207.X.X.142 has a static below but no entry in this ACL.
access-list outside_access_in extended permit tcp any host 207.X.X.132 eq smtp
access-list outside_access_in extended permit tcp any host 207.X.X.132 eq www
access-list outside_access_in extended permit tcp any host 207.X.X.132 eq pop3
access-list outside_access_in extended permit tcp any host 207.X.X.124 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.133 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.134 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.135 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.136 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.137 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.138 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.139 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.140 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.141 eq 3389
pager lines 24
: NOTE(review): logging goes only to ASDM; there is no "logging buffered" or "logging host", so
: events are neither retained on the box nor exported. Add a syslog host before production use.
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
: NOTE(review): unicast RPF on both interfaces — good, keep it.
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
: NOTE(review): nat-control is on, so every inside host needs a nat entry: 10.1.1.4 PATs to
: 207.X.X.124 (id 3), 10.1.1.10 to 207.X.X.132 (id 2), everything else to the interface address (id 1).
nat-control
global (outside) 1 interface
global (outside) 2 207.X.X.132
global (outside) 3 207.X.X.124
nat (inside) 3 10.1.1.4 255.255.255.255
nat (inside) 2 10.1.1.10 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.X.X.132 smtp 10.1.1.10 smtp netmask 255.255.255.255
: NOTE(review): the next static is malformed — no port pair and no inside host (compare the smtp and
: pop3 lines around it). The ACL above permits www to 207.X.X.132, so this was presumably meant to be
: "static (inside,outside) tcp 207.X.X.132 www 10.1.1.10 www netmask 255.255.255.255"; confirm.
static (inside,outside) tcp 207.X.X.132 255.255.255.255
static (inside,outside) tcp 207.X.X.132 pop3 10.1.1.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.133 3389 10.1.1.53 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.134 3389 10.1.1.56 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.135 3389 10.1.1.57 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.136 3389 10.1.1.50 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.137 3389 10.1.1.62 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.138 3389 10.1.1.61 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.139 3389 10.1.1.15 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.140 3389 10.1.1.60 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.141 3389 10.1.1.63 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.142 3389 10.1.1.66 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.124 3389 10.1.1.4 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
: NOTE(review): the default next hop is the outside interface's own address (207.X.X.129 above);
: presumably a scrubbing artifact, since the ASA reportedly reaches 68.4.16.30 — confirm it is the
: provider gateway.
route outside 0.0.0.0 0.0.0.0 207.X.X.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
: NOTE(review): ASDM/HTTPS is reachable from the whole inside /24 and from two outside hosts.
: 10.5.5.0/24 has no route in this config (only the default route to outside), so those entries
: appear to be inert; consider narrowing inside access to an admin host.
http server enable
http 10.5.5.0 255.255.255.0 inside
http 207.X.X.19 255.255.255.255 management
http 207.X.X.13 255.255.255.255 management
http 207.X.X.13 255.255.255.255 outside
http 207.X.X.19 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
: NOTE(review): traps are enabled but no "snmp-server host" is configured, so they have no destination.
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
: NOTE(review): no telnet hosts are defined (good); SSH is v2-only from inside and two outside hosts.
: "console timeout 0" disables the console idle timeout — a non-zero value is safer.
telnet timeout 5
ssh 10.5.5.0 255.255.255.0 inside
ssh 207.X.X.19 255.255.255.255 outside
ssh 207.X.X.13 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
: NOTE(review): NTP is unauthenticated (no "ntp authenticate"/"ntp trusted-key"); acceptable for a
: non-production box, worth keying before production.
ntp server 152.2.21.1 source outside
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
: NOTE(review): no "inspect icmp" in this class — see the note above the outside_access_in ACL.
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect pptp
!
service-policy global_policy global
prompt hostname context
: NOTE(review): the Smart Call Home profile is present but "no active", so nothing is sent.
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e541bedcceb1ee3f18626fa9f154877c
: end
mullervpn#
Thanks for your help
I am working on an ASA 5510 after downgrading it to 8.2 from 8.3, no time to learn a new trick.
Everything seems to be working except I cannot ping the DNS server 68.4.16.30 from a workstation with a static at 10.1.1.4, but I can ping the DNS server from within the ASA.
Go figure, I must be missing something.
Any help would be much appreciated.
Scrubbed Config....(Non Production, I see other errors I must fix as well), A lot of cut and pasting..
mullervpn# sh run
: Saved
:
: Scrubbed ASA 5510 running-config, ASA 8.2(2); public addresses appear as 207.X.X.n.
: Lines starting with ": NOTE(review)" are reviewer comments only and are not configuration.
ASA Version 8.2(2)
!
hostname mullervpn
: NOTE(review): this domain-name differs from the one under "dns server-group DefaultDNS" below;
: presumably a partial scrub, but worth making consistent.
domain-name domain.com
names
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 207.X.X.129 255.255.255.224
!
: NOTE(review): the management interface is shut down and has no address, so the "management"
: entries under http/dns below are inert.
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup management
: NOTE(review): these are the resolvers the ASA itself uses. A ping from the ASA to 68.4.16.30 is
: from-the-box traffic, which does not pass through the interface ACL below; a ping from 10.1.1.4 does.
dns server-group DefaultDNS
name-server 68.4.16.30
name-server 68.6.16.30
domain-name themullercompany.com
: NOTE(review): outside_access_in permits tcp only. There is no icmp entry here and no "inspect icmp"
: in global_policy below, so echo-replies returning to an inside host (10.1.1.4 -> 68.4.16.30) are
: dropped on the outside interface while the ASA's own pings succeed — this matches the reported
: symptom. Add "inspect icmp" under class inspection_default (preferred, stateful) or an explicit
: echo-reply permit in this ACL; confirm on the box.
: NOTE(review): 3389 (RDP) is exposed from "any" to ten hosts; restrict the source to known addresses
: or reach RDP over VPN instead. 207.X.X.142 has a static below but no entry in this ACL.
access-list outside_access_in extended permit tcp any host 207.X.X.132 eq smtp
access-list outside_access_in extended permit tcp any host 207.X.X.132 eq www
access-list outside_access_in extended permit tcp any host 207.X.X.132 eq pop3
access-list outside_access_in extended permit tcp any host 207.X.X.124 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.133 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.134 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.135 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.136 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.137 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.138 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.139 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.140 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.141 eq 3389
pager lines 24
: NOTE(review): logging goes only to ASDM; there is no "logging buffered" or "logging host", so
: events are neither retained on the box nor exported. Add a syslog host before production use.
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
: NOTE(review): unicast RPF on both interfaces — good, keep it.
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
: NOTE(review): nat-control is on, so every inside host needs a nat entry: 10.1.1.4 PATs to
: 207.X.X.124 (id 3), 10.1.1.10 to 207.X.X.132 (id 2), everything else to the interface address (id 1).
nat-control
global (outside) 1 interface
global (outside) 2 207.X.X.132
global (outside) 3 207.X.X.124
nat (inside) 3 10.1.1.4 255.255.255.255
nat (inside) 2 10.1.1.10 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.X.X.132 smtp 10.1.1.10 smtp netmask 255.255.255.255
: NOTE(review): the next static is malformed — no port pair and no inside host (compare the smtp and
: pop3 lines around it). The ACL above permits www to 207.X.X.132, so this was presumably meant to be
: "static (inside,outside) tcp 207.X.X.132 www 10.1.1.10 www netmask 255.255.255.255"; confirm.
static (inside,outside) tcp 207.X.X.132 255.255.255.255
static (inside,outside) tcp 207.X.X.132 pop3 10.1.1.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.133 3389 10.1.1.53 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.134 3389 10.1.1.56 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.135 3389 10.1.1.57 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.136 3389 10.1.1.50 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.137 3389 10.1.1.62 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.138 3389 10.1.1.61 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.139 3389 10.1.1.15 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.140 3389 10.1.1.60 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.141 3389 10.1.1.63 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.142 3389 10.1.1.66 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.124 3389 10.1.1.4 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
: NOTE(review): the default next hop is the outside interface's own address (207.X.X.129 above);
: presumably a scrubbing artifact, since the ASA reportedly reaches 68.4.16.30 — confirm it is the
: provider gateway.
route outside 0.0.0.0 0.0.0.0 207.X.X.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
: NOTE(review): ASDM/HTTPS is reachable from the whole inside /24 and from two outside hosts.
: 10.5.5.0/24 has no route in this config (only the default route to outside), so those entries
: appear to be inert; consider narrowing inside access to an admin host.
http server enable
http 10.5.5.0 255.255.255.0 inside
http 207.X.X.19 255.255.255.255 management
http 207.X.X.13 255.255.255.255 management
http 207.X.X.13 255.255.255.255 outside
http 207.X.X.19 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
: NOTE(review): traps are enabled but no "snmp-server host" is configured, so they have no destination.
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
: NOTE(review): no telnet hosts are defined (good); SSH is v2-only from inside and two outside hosts.
: "console timeout 0" disables the console idle timeout — a non-zero value is safer.
telnet timeout 5
ssh 10.5.5.0 255.255.255.0 inside
ssh 207.X.X.19 255.255.255.255 outside
ssh 207.X.X.13 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
: NOTE(review): NTP is unauthenticated (no "ntp authenticate"/"ntp trusted-key"); acceptable for a
: non-production box, worth keying before production.
ntp server 152.2.21.1 source outside
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
: NOTE(review): no "inspect icmp" in this class — see the note above the outside_access_in ACL.
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect pptp
!
service-policy global_policy global
prompt hostname context
: NOTE(review): the Smart Call Home profile is present but "no active", so nothing is sent.
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e541bedcceb1ee3f18626fa9f154877c
: end
mullervpn#
Thanks for your help