Hello,
Just configured this ASA and it is not allowing traffic through the VPN and not allowing traffic to any NATed ports. If anyone could assist it would be greatly appreciated.
Config (pasted below; note that no `access-group outside_access_in in interface outside` line appears in it, so the outside_access_in ACL is never bound to the outside interface, and the `tunnel-group ... ipsec-attributes` sections show no `ikev1 pre-shared-key` lines — verify both on the box first; the IKEv1 policies also use 3DES/SHA-1/DH group 2, which is weak by current standards):
interface Ethernet0/0
nameif outside
security-level 0
ip address 166.x.x.157 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
object network obj_192.168.1
subnet 192.168.1.0 255.255.255.0
object network obj-sharepoint
host 192.168.1.2
object network obj-nagios
host 192.168.1.11
object network obj-crm
host 192.168.1.13
object network obj-remote
host 192.168.1.9
object network obj-apple
host 192.168.1.8
object network obj-ftp
host 192.168.1.223
object network sharepointHTTP
host 192.168.1.2
object network nagiosHTTPS
host 192.168.1.11
object network crmHTTP
host 192.168.1.13
object network remoteHTTPS
host 192.168.1.9
object network remoteHTTP
host 192.168.1.9
object network remoteRDP
host 192.168.1.9
object network appleTCP84
host 192.168.1.8
object network centosFTP
host 192.168.1.223
object network besFTP
host 192.168.1.4
object network barracudaspamSMTP
host 192.168.1.153
object network mailman01HTTP
host 192.168.1.14
object network mailman01HTTPS
host 192.168.1.14
object network crmCWRMOBILITY
host 192.168.1.13
object network phonesystem
host 192.168.1.157
object network ipphones
host 192.168.1.167
object network ipphonesSIP
host 192.168.1.167
object network exportLocal
subnet 192.168.1.0 255.255.255.0
object network borlandlocal
subnet 192.168.3.0 255.255.255.0
object network vegaslocal
subnet 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit tcp any object sharepointHTTP eq www
access-list outside_access_in extended permit tcp any object besFTP eq ftp
access-list outside_access_in extended permit tcp any object appleTCP84 eq 84
access-list outside_access_in extended permit tcp any object remoteHTTP eq www
access-list outside_access_in extended permit tcp any object nagiosHTTPS eq https
access-list outside_access_in extended permit tcp any object crmCWRMOBILITY eq 5556
access-list outside_access_in extended permit tcp any object crmHTTP eq www
access-list outside_access_in extended permit tcp any object mailman01HTTP eq www
access-list outside_access_in extended permit tcp any object mailman01HTTPS eq https
access-list outside_access_in extended permit udp any object ipphones eq 59104
access-list outside_access_in extended permit udp any object ipphonesSIP eq sip
access-list outside_access_in extended permit tcp any object centosFTP eq ftp
access-list outside_access_in extended permit tcp any object remoteHTTPS eq https
access-list outside_access_in extended permit tcp any object remoteRDP eq 3389
access-list outside_access_in extended permit tcp any object barracudaspamSMTP eq smtp
access-list outside_access_in extended permit tcp any object phonesystem eq 59002
access-list outside_site2site extended permit ip object exportLocal object vegaslocal
access-list outside_cryptomap_2 extended permit ip object exportLocal object borlandlocal
pager lines 24
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static exportLocal exportLocal destination static borlandlocal borlandlocal
nat (inside,outside) source static exportLocal exportLocal destination static vegaslocal vegaslocal
!
object network obj_192.168.1
nat (inside,outside) dynamic interface
object network sharepointHTTP
nat (inside,outside) static 98.x.x.33 service tcp www www
object network nagiosHTTPS
nat (inside,outside) static 98.x.x.34 service tcp https https
object network crmHTTP
nat (inside,outside) static 98.x.x.35 service tcp www www
object network remoteHTTPS
nat (inside,outside) static 98.x.x.36 service tcp https https
object network remoteHTTP
nat (inside,outside) static 98.x.x.36 service tcp www www
object network remoteRDP
nat (inside,outside) static 98.x.x.36 service tcp 3389 3389
object network appleTCP84
nat (inside,outside) static 98.x.x.37 service tcp 84 84
object network centosFTP
nat (inside,outside) static 98.x.x.38 service tcp ftp ftp
object network besFTP
nat (inside,outside) static interface service tcp ftp ftp
object network barracudaspamSMTP
nat (inside,outside) static interface service tcp smtp smtp
object network mailman01HTTP
nat (inside,outside) static interface service tcp www www
object network mailman01HTTPS
nat (inside,outside) static interface service tcp https https
object network crmCWRMOBILITY
nat (inside,outside) static 98.x.x.35 service tcp 5556 5556
object network phonesystem
nat (inside,outside) static interface service tcp 59002 59002
object network ipphones
nat (inside,outside) static interface service udp 59104 59104
object network ipphonesSIP
nat (inside,outside) static interface service udp sip sip
route outside 0.0.0.0 0.0.0.0 166.x.x.158 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.255 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_site2site 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_site2site
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 75.x.x.14
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 24.x.x.82
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group point2point type ipsec-l2l
tunnel-group 24.x.x.82 type ipsec-l2l
tunnel-group 24.x.x.82 ipsec-attributes
tunnel-group 75.x.x.14 type ipsec-l2l
tunnel-group 75.x.x.14 ipsec-attributes
!
class-map inspection_default
match default-inspection-traffic
Just configured this ASA and it is not allowing traffic through the VPN and not allowing traffic to any NATed ports. If anyone could assist it would be greatly appreciated.
Config (pasted below; note that no `access-group outside_access_in in interface outside` line appears in it, so the outside_access_in ACL is never bound to the outside interface, and the `tunnel-group ... ipsec-attributes` sections show no `ikev1 pre-shared-key` lines — verify both on the box first; the IKEv1 policies also use 3DES/SHA-1/DH group 2, which is weak by current standards):
interface Ethernet0/0
nameif outside
security-level 0
ip address 166.x.x.157 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
object network obj_192.168.1
subnet 192.168.1.0 255.255.255.0
object network obj-sharepoint
host 192.168.1.2
object network obj-nagios
host 192.168.1.11
object network obj-crm
host 192.168.1.13
object network obj-remote
host 192.168.1.9
object network obj-apple
host 192.168.1.8
object network obj-ftp
host 192.168.1.223
object network sharepointHTTP
host 192.168.1.2
object network nagiosHTTPS
host 192.168.1.11
object network crmHTTP
host 192.168.1.13
object network remoteHTTPS
host 192.168.1.9
object network remoteHTTP
host 192.168.1.9
object network remoteRDP
host 192.168.1.9
object network appleTCP84
host 192.168.1.8
object network centosFTP
host 192.168.1.223
object network besFTP
host 192.168.1.4
object network barracudaspamSMTP
host 192.168.1.153
object network mailman01HTTP
host 192.168.1.14
object network mailman01HTTPS
host 192.168.1.14
object network crmCWRMOBILITY
host 192.168.1.13
object network phonesystem
host 192.168.1.157
object network ipphones
host 192.168.1.167
object network ipphonesSIP
host 192.168.1.167
object network exportLocal
subnet 192.168.1.0 255.255.255.0
object network borlandlocal
subnet 192.168.3.0 255.255.255.0
object network vegaslocal
subnet 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit tcp any object sharepointHTTP eq www
access-list outside_access_in extended permit tcp any object besFTP eq ftp
access-list outside_access_in extended permit tcp any object appleTCP84 eq 84
access-list outside_access_in extended permit tcp any object remoteHTTP eq www
access-list outside_access_in extended permit tcp any object nagiosHTTPS eq https
access-list outside_access_in extended permit tcp any object crmCWRMOBILITY eq 5556
access-list outside_access_in extended permit tcp any object crmHTTP eq www
access-list outside_access_in extended permit tcp any object mailman01HTTP eq www
access-list outside_access_in extended permit tcp any object mailman01HTTPS eq https
access-list outside_access_in extended permit udp any object ipphones eq 59104
access-list outside_access_in extended permit udp any object ipphonesSIP eq sip
access-list outside_access_in extended permit tcp any object centosFTP eq ftp
access-list outside_access_in extended permit tcp any object remoteHTTPS eq https
access-list outside_access_in extended permit tcp any object remoteRDP eq 3389
access-list outside_access_in extended permit tcp any object barracudaspamSMTP eq smtp
access-list outside_access_in extended permit tcp any object phonesystem eq 59002
access-list outside_site2site extended permit ip object exportLocal object vegaslocal
access-list outside_cryptomap_2 extended permit ip object exportLocal object borlandlocal
pager lines 24
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static exportLocal exportLocal destination static borlandlocal borlandlocal
nat (inside,outside) source static exportLocal exportLocal destination static vegaslocal vegaslocal
!
object network obj_192.168.1
nat (inside,outside) dynamic interface
object network sharepointHTTP
nat (inside,outside) static 98.x.x.33 service tcp www www
object network nagiosHTTPS
nat (inside,outside) static 98.x.x.34 service tcp https https
object network crmHTTP
nat (inside,outside) static 98.x.x.35 service tcp www www
object network remoteHTTPS
nat (inside,outside) static 98.x.x.36 service tcp https https
object network remoteHTTP
nat (inside,outside) static 98.x.x.36 service tcp www www
object network remoteRDP
nat (inside,outside) static 98.x.x.36 service tcp 3389 3389
object network appleTCP84
nat (inside,outside) static 98.x.x.37 service tcp 84 84
object network centosFTP
nat (inside,outside) static 98.x.x.38 service tcp ftp ftp
object network besFTP
nat (inside,outside) static interface service tcp ftp ftp
object network barracudaspamSMTP
nat (inside,outside) static interface service tcp smtp smtp
object network mailman01HTTP
nat (inside,outside) static interface service tcp www www
object network mailman01HTTPS
nat (inside,outside) static interface service tcp https https
object network crmCWRMOBILITY
nat (inside,outside) static 98.x.x.35 service tcp 5556 5556
object network phonesystem
nat (inside,outside) static interface service tcp 59002 59002
object network ipphones
nat (inside,outside) static interface service udp 59104 59104
object network ipphonesSIP
nat (inside,outside) static interface service udp sip sip
route outside 0.0.0.0 0.0.0.0 166.x.x.158 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.255 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_site2site 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_site2site
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 75.x.x.14
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 24.x.x.82
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group point2point type ipsec-l2l
tunnel-group 24.x.x.82 type ipsec-l2l
tunnel-group 24.x.x.82 ipsec-attributes
tunnel-group 75.x.x.14 type ipsec-l2l
tunnel-group 75.x.x.14 ipsec-attributes
!
class-map inspection_default
match default-inspection-traffic