Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

No Internet Access if no static map

Status
Not open for further replies.
RMurr34

RMurr34

Technical User
Sep 10, 2008
66
US
Hello,

I have an ASA5510 configured that allows direct RDP to some servers. I'm only able to connect to the internet with servers that have a static map. If a server
does not have a static map I'm unable to do so. I would just create one but I've run out of available public IPs and I actually don't need these servers to be
accessible from outside. I just need to be able to connect for Windows updates and also some license server verification.

I'm sure it has something to do with the way the ASA is configured for two LANs. I have 18 servers on the ETH0/1 192.168.50.0 interface and 8 servers on the ETH0/2
192.168.102.0 interface. Can someone take a look at my config and let me know if there's something simple I can add where I can get internet access without having
to map it to a static IP?

Thanks for any help provided.


!
interface Ethernet0/0
nameif outside
security-level 0
ip address 108.xxx.xxx.162 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.50.129 255.255.255.192
!
interface Ethernet0/2
nameif inside2
security-level 100
ip address 192.168.102.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
clock timezone CST -6
same-security-traffic permit inter-interface
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any host 108.xxx.xxx.114 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.115 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.116 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.117 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.118 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.119 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.120 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.121 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.122 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.123 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.124 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.126 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.125 eq 3389
access-list 101 extended permit tcp any host 108.xxx.xxx.120 eq ftp
access-list 101 extended permit tcp any host 108.xxx.xxx.121 eq https
access-list 101 extended permit tcp any host 108.xxx.xxx.115 eq https
access-list 120 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.64 255.255.255.192
access-list 110 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.0 255.255.255.192
access-list 100 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.0 255.255.255.192
access-list 100 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.64 255.255.255.192
access-list 100 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.192 255.255.255.192
access-list 140 extended permit ip 192.168.50.128 255.255.255.192 192.168.50.192 255.255.255.192
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 access-list 100
nat (inside2) 1 0.0.0.0 0.0.0.0
static (inside2,inside) 192.168.102.0 192.168.102.0 netmask 255.255.255.0
static (inside,inside2) 192.168.50.0 192.168.50.0 netmask 255.255.255.192
static (inside2,outside) 108.xxx.xxx.116 192.168.102.4 netmask 255.255.255.255
static (inside2,outside) 108.xxx.xxx.114 192.168.102.5 netmask 255.255.255.255
static (inside,outside) 108.xxx.xxx.123 192.168.50.131 netmask 255.255.255.255
static (inside,outside) 108.xxx.xxx.120 192.168.50.135 netmask 255.255.255.255
static (inside,outside) 108.xxx.xxx.122 192.168.50.134 netmask 255.255.255.255
static (inside2,outside) 108.xxx.xxx.118 192.168.102.8 netmask 255.255.255.255
static (inside,outside) 108.xxx.xxx.121 192.168.50.132 netmask 255.255.255.255
static (inside,outside) 108.xxx.xxx.124 192.168.50.136 netmask 255.255.255.255
static (inside,outside) 108.xxx.xxx.125 192.168.50.137 netmask 255.255.255.255
static (inside,outside) 108.xxx.xxx.115 192.168.50.139 netmask 255.255.255.255
static (inside,outside) 108.xxx.xxx.119 192.168.50.138 netmask 255.255.255.255
static (inside,outside) 108.xxx.xxx.117 192.168.50.150 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 108.xxx.xxx.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.101.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server community dontmesswithtexas
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto map newmap 10 match address 110
crypto map newmap 10 set peer 209.xxx.xxx.34
crypto map newmap 10 set transform-set FirstSet
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 168.xxx.xxx.29
crypto map newmap 20 set transform-set FirstSet
crypto map newmap 40 match address 140
crypto map newmap 40 set peer 69.xxx.xxx.82
crypto map newmap 40 set transform-set FirstSet
crypto map newmap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
tunnel-group 209.xxx.xxx.34 type ipsec-l2l
tunnel-group 209.xxx.xxx.34 ipsec-attributes
pre-shared-key *
tunnel-group 168.xxx.xxx.29 type ipsec-l2l
tunnel-group 168.xxx.xxx.29 ipsec-attributes
pre-shared-key *
tunnel-group 69.xxx.xxx.82 type ipsec-l2l
tunnel-group 69.xxx.xxx.82 ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
 
Status
Not open for further replies.

Similar threads

intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
375
intel233
intel233
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
405
Shmid
Shmid
gbayi_omo
  • Locked
  • Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
82
gbayi_omo
gbayi_omo
RodneyMcSnow
  • Locked
  • Question
Hardware firewall bypassed access to the lan network. Please Help! No it's not a root kit or virus
Replies
1
Views
84
ChrisHirst
ChrisHirst
ttrsux
  • Locked
  • Question
No internet access on new LAN eth0/2 1
Replies
6
Views
142
iggsterman
iggsterman

Part and Inventory Search

Sponsor

Back
Top