Cisco ASA 5510 multiple IP's on outside interface

[ComputerDuck]

I'm currently have a few issues with an ASA 5510 running version 8.0. We have 32 usable ip addresses for the outside but cannot seem to get any to work, i'm very rusty when it comes to cisco hardware. Do i need to set up a singular ip address on the interface and then a sub interface for the range of other useable ip's?


Current interface configuration is

 

[ComputerDuck]

ASA Version 8.0(5)
!
hostname ciscoasa
domain-name bnrings.com
enable password ************ encrypted
passwd ************* encrypted
dns-guard
!
interface Ethernet0/0
nameif outisde
security-level 0
ip address 81.144.154.162 255.255.255.224
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.100.100.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!

boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inet1
dns domain-lookup network
dns server-group DefaultDNS
name-server 194.72.6.57
name-server 194.73.82.242
domain-name bnrings.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rdp tcp-udp
port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
port-object eq 6000
port-object eq www
port-object eq 90
port-object eq 91
access-list website extended permit tcp any host 192.100.100.18 object-group DM_INLINE_TCP_1
access-list website extended permit ipinip any host 192.100.100.18
access-list website extended permit tcp any host 192.100.100.18 eq 6001
access-list VPN_splitTunnelAcl standard permit 192.100.100.0 255.255.255.0
access-list rdp extended permit ipinip any host 192.100.100.16
access-list rdp extended permit object-group TCPUDP any host 192.100.100.16 object-group rdp
access-list rdp extended permit tcp any host 192.100.100.81 eq 3390
access-list rdp extended permit ipinip any host 192.100.100.81
access-list network_nat0_outbound extended permit ip 192.100.100.0 255.255.255.0 VPN 255.255.255.0
access-list inet1_cryptomap extended permit ip any any
access-list inet1_acl extended permit tcp VPN 255.255.255.0 192.100.100.0 255.255.255.0 eq telnet
access-list inet1_acl extended permit ip any any
access-list inet1_access_in extended permit ip any any
access-list VPN_splitTunnelAcl_1 standard permit any
access-list management_nat0_outbound extended permit ip any VPN 255.255.255.192
access-list network_access_in extended permit tcp any any eq pptp
access-list network_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inet1 1500
mtu inet2 1500
mtu network 1500
mtu management 1500
ip local pool VPNPool 192.100.250.10-192.100.250.59 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (inet1) 1 interface
nat (network) 0 access-list network_nat0_outbound
nat (network) 1 192.100.100.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
static (inet1,network) tcp 192.100.100.16 3389 81.144.154.162 3389 netmask 255.255.255.255
static (inet1,network) tcp 192.100.100.81 3389 81.144.154.162 3390 netmask 255.255.255.255
static (inet1,network) tcp 192.100.100.18

http://www 81.144.154.162

http://www netmask

255.255.255.255
static (inet1,network) tcp 192.100.100.18 6000 81.144.154.162 6000 netmask 255.255.255.255
static (inet1,network) tcp 192.100.100.18 90 81.144.154.162 90 netmask 255.255.255.255
static (inet1,network) tcp 192.100.100.18 91 81.144.154.162 91 netmask 255.255.255.255
static (network,inet1) tcp interface 3389 192.100.100.16 3389 netmask 255.255.255.255
static (network,inet1) tcp interface 3390 192.100.100.81 3389 netmask 255.255.255.255
static (network,inet1) tcp interface

http://www 192.100.100.18

http://www netmask

255.255.255.255
static (network,inet1) tcp interface 6000 192.100.100.18 6000 netmask 255.255.255.255
static (network,inet1) tcp interface 90 192.100.100.18 90 netmask 255.255.255.255
static (network,inet1) tcp interface 91 192.100.100.18 91 netmask 255.255.255.255
static (inet1,network) tcp 192.100.100.18 6001 81.144.154.162 6001 netmask 255.255.255.255
static (inet1,network) tcp BNDCCORE 3389 test-IP 3389 netmask 255.255.255.255
static (network,inet1) tcp interface 6001 192.100.100.18 6001 netmask 255.255.255.255
access-group inet1_acl in interface inet1
access-group network_access_in in interface network
route inet1 0.0.0.0 0.0.0.0 81.144.154.161 1
route network 192.100.100.18 255.255.255.255 192.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.100.100.0 255.255.255.0 network
http 192.168.1.1 255.255.255.255 management
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inet1
sysopt noproxyarp network
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 40 set pfs group1
crypto dynamic-map dyn1 40 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 100 set pfs group1
crypto dynamic-map dyn1 100 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map dyn1 120 set pfs group1
crypto dynamic-map dyn1 120 set transform-set ESP-3DES-SHA
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inet1
crypto isakmp enable inet1
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 432000
crypto isakmp nat-traversal 45
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.100.100.0 255.255.255.0 network
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.207.34.9 source inet1
group-policy DfltGrpPolicy attributes
dns-server value 192.100.100.11 192.100.100.20
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value BNRINGS.COM
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value VPNPool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
group-policy VPN internal
group-policy VPN attributes
wins-server value 192.100.100.11
dns-server value 192.100.100.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value BNRINGS.COM
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPNPool
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key *
tunnel-group-map enable rules
no tunnel-group-map enable ou
tunnel-group-map default-group VPN
!
class-map inspection-default
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
policy-map global-policy
!
service-policy global_policy global
prompt hostname context

 

[hairlessupportmonkey]

Your other IPs are used when configuring say 1 to 1 NAT rules, or when you use "Public Server" tool under "Firewall" in ASDM

Make sense?

ACSS - SME
General Geek

 

[ComputerDuck]

>Your other IPs are used when configuring say 1 to 1 NAT rules, or when you use "Public Server" tool under "Firewall" in ASDM

Do you mean something like static (inet1,network) tcp 81.144.154.166 3389 192.100.100.15 3389 netmask 255.255.255.255?

We have this rule set up using one of the other IP's in the block we were supplied but have had no luck in successfully connecting through it

 

[ComputerDuck]

Have tried using the public server tool with no success

 

[hairlessupportmonkey]

So you have a 255.255.255.224 subnet mask - 29 usable IP addresses.

in your Public Server tool, simply add private, public protocol. It will add the NAT and Firewall (ACL) rules for your normally

> Do you mean something like static (inet1,network) tcp 81.144.154.166 3389 192.100.100.15 3389 netmask 255.255.255.255? --> should work as long as you have the appropriate ACL



ACSS - SME
General Geek

 

[ComputerDuck]

tried both those solutions but neither seem to work for some reason, i get the feeling i'm missing something but i can't for the life of me think what, from your opinion the config i posted, is there anything i've not set or have set that could be causing this to fail?

 

[unclerico]

post your new scrubbed config

 

[ComputerDuck]

ASA Version 8.0(5)
!
hostname ciscoasa
domain-name bnrings.com
names
name 192.100.250.0 VPN
dns-guard
!
interface Ethernet0/0
nameif inet1
security-level 0
ip address 81.100.162162 255.255.255.224
!
interface Ethernet0/1
shutdown
nameif inet2
security-level 0
no ip address
!
interface Ethernet0/2
nameif network
security-level 100
ip address 192.168.11 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inet1
dns domain-lookup network
dns server-group DefaultDNS
name-server 194.72.6.57
name-server 194.73.82.242
domain-name bnrings.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rdp tcp-udp
port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
port-object eq 6000
port-object eq www
port-object eq 90
port-object eq 91
access-list website extended permit tcp any host 192.168.118 object-group DM_INLINE_TCP_1
access-list website extended permit ipinip any host 192.168.118
access-list website extended permit tcp any host 192.168.118 eq 6001
access-list VPN_splitTunnelAcl standard permit 192.168.10 255.255.255.0
access-list rdp extended permit ipinip any host 192.168.116
access-list rdp extended permit object-group TCPUDP any host 192.168.116 object-group rdp
access-list rdp extended permit tcp any host 192.168.181 eq 3390
access-list rdp extended permit ipinip any host 192.168.181
access-list network_nat0_outbound extended permit ip 192.168.10 255.255.255.0 VPN 255.255.255.0
access-list inet1_cryptomap extended permit ip any any
access-list inet1_acl extended permit object-group TCPUDP host 81.100.162166 host 192.168.184 object-group rdp
access-list inet1_acl extended permit tcp VPN 255.255.255.0 192.168.10 255.255.255.0 eq telnet
access-list inet1_acl extended permit ip any any
access-list inet1_access_in extended permit ip any any
access-list VPN_splitTunnelAcl_1 standard permit any
access-list management_nat0_outbound extended permit ip any VPN 255.255.255.192
access-list network_access_in extended permit tcp any any eq pptp
access-list network_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inet1 1500
mtu inet2 1500
mtu network 1500
mtu management 1500
ip local pool VPNPool 192.100.250.10-192.100.250.59 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (inet1) 1 interface
nat (network) 0 access-list network_nat0_outbound
nat (network) 1 192.168.10 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
static (inet1,network) tcp 192.168.116 3389 81.100.162162 3389 netmask 255.255.255.255
static (inet1,network) tcp 192.168.181 3389 81.100.162162 3390 netmask 255.255.255.255
static (inet1,network) tcp 192.168.118

http://www 81.100.162162

http://www netmask

255.255.255.255
static (inet1,network) tcp 192.168.118 6000 81.100.162162 6000 netmask 255.255.255.255
static (inet1,network) tcp 192.168.118 90 81.100.162162 90 netmask 255.255.255.255
static (inet1,network) tcp 192.168.118 91 81.100.162162 91 netmask 255.255.255.255
static (network,inet1) tcp interface 3389 192.168.116 3389 netmask 255.255.255.255
static (network,inet1) tcp interface 3390 192.168.181 3389 netmask 255.255.255.255
static (network,inet1) tcp interface

http://www 192.168.118

http://www netmask

255.255.255.255
static (network,inet1) tcp interface 6000 192.168.118 6000 netmask 255.255.255.255
static (network,inet1) tcp interface 90 192.168.118 90 netmask 255.255.255.255
static (network,inet1) tcp interface 91 192.168.118 91 netmask 255.255.255.255
static (inet1,network) tcp 192.168.118 6001 81.100.162162 6001 netmask 255.255.255.255
static (network,inet1) tcp interface 6001 192.168.118 6001 netmask 255.255.255.255
static (inet1,network) tcp 192.168.184 3389 81.100.162166 3389 netmask 255.255.255.255
access-group inet1_acl in interface inet1
route inet1 0.0.0.0 0.0.0.0 81.100.162161 1
route network 192.168.118 255.255.255.255 192.168.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.10 255.255.255.0 network
http 192.168.1.1 255.255.255.255 management
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inet1
sysopt noproxyarp network
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 40 set pfs group1
crypto dynamic-map dyn1 40 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 100 set pfs group1
crypto dynamic-map dyn1 100 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map dyn1 120 set pfs group1
crypto dynamic-map dyn1 120 set transform-set ESP-3DES-SHA
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inet1
crypto isakmp enable inet1
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 432000
crypto isakmp nat-traversal 45
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.10 255.255.255.0 network
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.207.34.9 source inet1
group-policy DfltGrpPolicy attributes
dns-server value 192.168.111 192.168.120
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value BNRINGS.COM
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value VPNPool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
group-policy VPN internal
group-policy VPN attributes
wins-server value 192.168.111
dns-server value 192.168.111
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value BNRINGS.COM

 

[ComputerDuck]

Please see the config above, despite having what i think is a fairly correct setup it will not allow traffic from 166 through to the internal for rdp connection.

 

[ComputerDuck]

config was faulty, i had copied it out wrong. Its as if the external interface is not translating traffic coming through the other IP's i would have assumed that as long as the subnet accounts for multiple ip's the asa should be able to do the rest of the working out when another ip (81.100.162.166) is queried. no?

ASA Version 8.0(5)
!
hostname ciscoasa
domain-name bnrings.com
names
name 192.100.250.0 VPN
dns-guard
!
interface Ethernet0/0
nameif inet1
security-level 0
ip address 81.100.162.162 255.255.255.224
!
interface Ethernet0/1
shutdown
nameif inet2
security-level 0
no ip address
!
interface Ethernet0/2
nameif network
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inet1
dns domain-lookup network
dns server-group DefaultDNS
name-server 194.72.6.57
name-server 194.73.82.242
domain-name bnrings.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rdp tcp-udp
port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
port-object eq 6000
port-object eq www
port-object eq 90
port-object eq 91
access-list website extended permit tcp any host 192.168.1.18 object-group DM_INLINE_TCP_1
access-list website extended permit ipinip any host 192.168.1.18
access-list website extended permit tcp any host 192.168.1.18 eq 6001
access-list VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list rdp extended permit ipinip any host 192.168.1.16
access-list rdp extended permit object-group TCPUDP any host 192.168.1.16 object-group rdp
access-list rdp extended permit tcp any host 192.168.1.81 eq 3390
access-list rdp extended permit ipinip any host 192.168.1.81
access-list network_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 VPN 255.255.255.0
access-list inet1_cryptomap extended permit ip any any
access-list inet1_acl extended permit object-group TCPUDP host 81.100.162.166 host 192.168.1.84 object-group rdp
access-list inet1_acl extended permit tcp VPN 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list inet1_acl extended permit ip any any
access-list inet1_access_in extended permit ip any any
access-list VPN_splitTunnelAcl_1 standard permit any
access-list network_access_in extended permit tcp any any eq pptp
access-list network_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inet1 1500
mtu inet2 1500
mtu network 1500

ip local pool VPNPool 192.100.250.10-192.100.250.59 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
asdm history enable
arp timeout 14400
global (inet1) 1 interface
nat (network) 0 access-list network_nat0_outbound
nat (network) 1 192.168.1.0 255.255.255.0
static (inet1,network) tcp 192.168.1.16 3389 81.100.162.162 3389 netmask 255.255.255.255
static (inet1,network) tcp 192.168.1.81 3389 81.100.162.162 3390 netmask 255.255.255.255
static (inet1,network) tcp 192.168.1.18

http://www 81.100.162.162

http://www netmask

255.255.255.255
static (inet1,network) tcp 192.168.1.18 6000 81.100.162.162 6000 netmask 255.255.255.255
static (inet1,network) tcp 192.168.1.18 90 81.100.162.162 90 netmask 255.255.255.255
static (inet1,network) tcp 192.168.1.18 91 81.100.162.162 91 netmask 255.255.255.255
static (network,inet1) tcp interface 3389 192.168.1.16 3389 netmask 255.255.255.255
static (network,inet1) tcp interface 3390 192.168.1.81 3389 netmask 255.255.255.255
static (network,inet1) tcp interface

http://www 192.168.1.18

http://www netmask

255.255.255.255
static (network,inet1) tcp interface 6000 192.168.1.18 6000 netmask 255.255.255.255
static (network,inet1) tcp interface 90 192.168.1.18 90 netmask 255.255.255.255
static (network,inet1) tcp interface 91 192.168.1.18 91 netmask 255.255.255.255
static (inet1,network) tcp 192.168.1.18 6001 81.100.162.162 6001 netmask 255.255.255.255
static (network,inet1) tcp interface 6001 192.168.1.18 6001 netmask 255.255.255.255
static (inet1,network) tcp 192.168.1.84 3389 81.100.162.166 3389 netmask 255.255.255.255
access-group inet1_acl in interface inet1
route inet1 0.0.0.0 0.0.0.0 81.100.16262161 1
route network 192.168.1.18 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 network
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inet1
sysopt noproxyarp network
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 40 set pfs group1
crypto dynamic-map dyn1 40 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 100 set pfs group1
crypto dynamic-map dyn1 100 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map dyn1 120 set pfs group1
crypto dynamic-map dyn1 120 set transform-set ESP-3DES-SHA
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface inet1
crypto isakmp enable inet1
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 432000
crypto isakmp nat-traversal 45
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 network
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.207.34.9 source inet1
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.11 192.168.1.20
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value BNRINGS.COM
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value VPNPool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
group-policy VPN internal
group-policy VPN attributes
wins-server value 192.168.1.11
dns-server value 192.168.1.11
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value BNRINGS.COM

 

[ComputerDuck]

bit of a random situation here, have changed the external interface ip to 190 in the range and changed the rules over, all is good but for some reason 162 on the range i can now use as a secondary IP. This is obviously good news but... none of the ip's between 162 and 190 work when trying to assign rules...

 

[hairlessupportmonkey]

perhaps your ISP isnt routing correctly - have you asked them about it? Ive had it before.....

ACSS - SME
General Geek

 

[ComputerDuck]

Hmm.. i'll have a word, thanks for the push in the right direction,

 

[ComputerDuck]

ok after getting this sorted, i can now get external ip's to relate to internal... only problem is they work for about 18 hours then stop dead, the solution i've found is to enable the proxy arp for internal network but i don't think i should need to and when i do enable it, i find internal traffic to only the webserver is halted, every pc can still speak to other pc's on the network except the webserver, any ideas what could be causing this?