Cisco ASA 5520 Unable to access external IP on Internal Network
I have an internal network of 192.168.0.x and I have a server nat'd to an external IP address we have. I can't figure out how I need to change my configuration for this thing to get it to work. I'm not very good with the ASDM either. Any advice would be greatly appreciated.
Thanks
Here is my configuration
hostname xxx
domain-name xxxx.local
enable password xxxxx encrypted
passwd xxxxxencrypted
names
name 192.168.10.0 A-192.168.10.0 description SSL_ANYWHERE_DHCP_POOL
name 192.168.32.0 A-192.168.32.0 description Anaheim
name 192.168.0.25 BAMServer description BelManage Server
name 192.168.0.1 Cisco-ASDM description Cisco Firewall
name 192.168.0.4 DC description Primary Domain Controller
name 192.168.0.10 Intranet-Server description Internal Intranet and Forum
name 192.168.0.20 xxxxx description SQL Cognos Server
name 192.168.0.16 xxxxx description Outside Platinum
name 192.168.0.47 Printer-xxxx-Office description Is this still needed
name 192.168.0.2 WebServer description Web Server
name 192.168.0.213 xxxx-PC description Regina Salmon
name 192.168.0.21 xxxx description Nasdrive1
name 192.168.0.185 xxxx description Linux Webserver
dns-guard
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 209.192.2.61 255.255.255.248
!
interface GigabitEthernet0/0.2
vlan 2
nameif Secondary
security-level 0
ip address 66.0.128.222 255.255.255.240
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif Internal
security-level 100
ip address Cisco-ASDM 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.3.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Outside
dns domain-lookup Internal
dns server-group DefaultDNS
name-server 207.230.75.34
name-server DC
name-server 4.2.2.2
domain-name acthsv.local
same-security-traffic permit inter-interface
object-group service Webserver01
service-object tcp eq domain
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq domain
service-object icmp
object-group service APC-FORUM
service-object icmp
service-object tcp eq domain
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq pop3
service-object tcp eq smtp
service-object udp eq domain
object-group service xxxx-HSV
service-object tcp eq www
service-object tcp eq telnet
service-object tcp source eq 3389 eq 3389
object-group service SQL
service-object tcp eq www
service-object udp eq www
object-group service DM_INLINE_SERVICE_1
service-object icmp
group-object SQL
object-group service DM_INLINE_SERVICE_2
group-object APC-FORUM
service-object tcp eq 3389
service-object icmp
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp eq 3389
group-object APC-FORUM
object-group service DM_INLINE_SERVICE_4
group-object APC-FORUM
service-object tcp eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service smb tcp-udp
description smb
port-object eq domain
port-object eq 137
port-object eq 138
port-object eq 139
port-object eq 445
port-object eq 135
port-object eq 136
object-group service DM_INLINE_SERVICE_5
service-object tcp eq imap4
service-object tcp eq netbios-ssn
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
service-object ip
object-group service DM_INLINE_SERVICE_6
service-object tcp eq netbios-ssn
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
object-group service DM_INLINE_SERVICE_7
service-object tcp-udp eq www
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq https
service-object tcp eq smtp
service-object tcp eq ssh
service-object tcp eq telnet
object-group service DM_INLINE_SERVICE_8
service-object tcp-udp eq www
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq https
service-object tcp eq smtp
service-object tcp eq ssh
service-object tcp eq telnet
group-object Webserver01
object-group service DM_INLINE_SERVICE_10
service-object tcp-udp eq www
service-object tcp eq https
object-group service DM_INLINE_SERVICE_9
service-object tcp-udp eq www
service-object tcp eq https
service-object udp eq www
group-object APC-FORUM
object-group service DM_INLINE_SERVICE_0
service-object tcp-udp eq www
service-object tcp eq https
group-object APC-FORUM
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host 66.0.128.214
access-list Outside_access_in extended permit object-group Webserver01 any host 209.192.2.58
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any host 209.192.2.59 inactive
access-list Outside_access_in extended permit object-group Liaison-HSV any host 209.192.2.60
access-list Outside_access_in extended permit object-group Webserver01 any host 209.192.2.62
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 66.0.128.210 inactive
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 66.0.128.211
access-list Outside_access_in extended permit tcp any host 66.0.128.212 eq 3389 inactive
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any host 66.0.128.213
access-list Outside_access_in extended permit ip any host 66.0.128.220
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp 192.168.0.0 255.255.255.0 host 66.0.128.213
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any host 209.192.2.62
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_8 any host xxxxx
access-list Outside_access_in extended permit object-group TCPUDP any host nasdrive object-group smb
access-list Outside_access_in extended permit object-group TCPUDP any host 66.0.128.215 object-group smb
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_10 host 66.0.128.214 192.168.0.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 A-192.168.10.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 A-192.168.32.0 255.255.255.0
access-list Internal_nat0_outbound extended permit ip host Cisco-ASDM host 64.206.230.230
access-list Outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 A-192.168.32.0 255.255.255.0
access-list Internal_access_in extended permit icmp any host 66.0.128.213
access-list Internal_access_in extended permit ip any any
access-list Internal_access_in extended permit icmp any any
access-list Internal_access_in extended permit icmp 192.168.0.0 255.255.255.0 host 66.0.128.213
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_6 any host 209.192.2.62
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_7 any host LinuxWebserver
access-list Internal_access_in extended permit object-group TCPUDP any host nasdrive object-group smb
access-list Internal_access_in extended permit object-group TCPUDP any host 66.0.128.215 object-group smb
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_9 192.168.0.0 255.255.255.0 host 66.0.128.214
access-list split-tunnel standard permit host Cisco-ASDM
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging ftp-server 192.168.0.13 \\backups acthsv\administrator ****
mtu Outside 1500
mtu Secondary 1500
mtu Internal 1500
mtu management 1500
ip local pool SSL_CLIENTLESS 192.168.11.1-192.168.11.25 mask 255.255.0.0
ip local pool SSL-ANYWHERE 192.168.10.1-192.168.10.25 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Internal) 1 172.16.1.5 netmask 255.0.0.0
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 10 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (Internal,Outside) 66.0.128.213 xxxx-PC netmask 255.255.255.255
static (Internal,Secondary) 66.0.128.220 xxxx netmask 255.255.255.255
static (Internal,Outside) 209.192.2.58 xxxxx netmask 255.255.255.255
static (Internal,Secondary) 66.0.128.210 Intranet-Server netmask 255.255.255.255
static (Internal,Outside) 209.192.2.60 Printer-xxxxx-Office netmask 255.255.255.255
static (Internal,Outside) 66.0.128.215 xxxxx netmask 255.255.255.255
static (Internal,Outside) 66.0.128.212 xxxxx netmask 255.255.255.255
static (Internal,Outside) 66.0.128.211 xxxxx netmask 255.255.255.255
static (Internal,Outside) 209.192.2.59 Intranet-Server netmask 255.255.255.255
static (Internal,Outside) 66.0.128.214 xxxxx netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group Internal_access_in in interface Internal
route Outside 0.0.0.0 0.0.0.0 209.192.2.57 10
route Outside 0.0.0.0 0.0.0.0 66.0.128.209 20
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ASA protocol radius
accounting-mode simultaneous
max-failed-attempts 5
aaa-server ASA (Internal) host DC
timeout 5
key linex
aaa-server ASA (Internal) host 192.168.0.13
key linex
aaa-server ASA (Internal) host xxxx
key 12345
aaa local authentication attempts max-fail 16
http server enable
http 64.206.230.0 255.255.255.0 Outside
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set connection-type answer-only
crypto map Outside_map 1 set peer 64.206.230.230
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 set phase1-mode aggressive
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=LXHSV
keypair sslvpnkeypair
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 436fe04c
308201c3 3082012c a0030201 02020443 6fe04c30 0d06092a 864886f7 0d010104
05003026 310e300c 06035504 0313054c 58485356 31143012 06092a86 4886f70d
01090216 054c5848 5356301e 170d3130 31313134 32333232 34335a17 0d323031
31313132 33323234 335a3026 310e300c 06035504 0313054c 58485356 31143012
06092a86 4886f70d 01090216 054c5848 53563081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 818100be 29a7a6bf 34b85354 47cfbce4 dd5502ae
8a165e8e 12a032b5 c65b66e4 2beb54c8 cf93b5a9 74e76b53 c76264d9 8480bc29
2d2a3b04 2c24bc45 6141446f d58e0850 ebd9d374 15949267 c6103f41 c2f7df4c
4202b93d 9733080a 912655d6 e54b40a5 39e468b7 c9b7e432 3ce571cb b7d1b755
a63182df a60d2610 16a6b934 0d036b02 03010001 300d0609 2a864886 f70d0101
04050003 8181001e 6992eee9 c671e5d9 a773aa5c 89f44803 3526fa96 57d3d608
c8ce4855 69a96e55 68129b6e 14bdd3ca eeb015e2 2d892253 629d5d86 107658e9
3e40e057 729ce0bb f541bac8 7d62945c aeb5630a e3e3ea61 702ad41d f5bf8183
a4f14ac8 489cc63c 5b1ae590 93a749e5 9ba24ad0 c96de73a b9c4feee 05f72db7
3bd95a41 84a1dc
quit
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 64.206.230.0 255.255.255.0 Outside
telnet 192.168.0.0 255.255.255.0 Internal
telnet timeout 5
ssh 192.168.0.81 255.255.255.255 Internal
ssh timeout 5
console timeout 0
dhcpd dns DC 207.230.75.34
dhcpd domain acthsv.local
dhcpd option 3 ip Cisco-ASDM
dhcpd option 6 ip Cisco-ASDM
!
dhcpd address 192.168.0.50-192.168.0.150 Internal
dhcpd dns 207.230.75.34 DC interface Internal
dhcpd wins DC interface Internal
!
dhcpd address 192.168.3.2-192.168.3.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 64.90.182.55 prefer
webvpn
enable Outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSL_CLIENTLESS_GP internal
group-policy SSL_CLIENTLESS_GP attributes
wins-server value 192.168.0.4
dns-server value 192.168.0.4 192.168.0.13
vpn-access-hours none
vpn-simultaneous-logins 20
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value ACTHSV.local
msie-proxy method no-proxy
vlan none
nac-settings none
address-pools value SSL_CLIENTLESS
client-firewall none
webvpn
svc ask enable default webvpn timeout 90
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol svc webvpn
group-policy timg internal
group-policy timg attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list value Tim
group-policy ANYCONNECT internal
group-policy ANYCONNECT attributes
dns-server value 192.168.0.4
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value acthsv.local
msie-proxy method no-modify
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ipsec-pass-thru
inspect pptp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7a70c57cd9f49151c1d993268c11f2ba
: end
Solution 1:
If the server is located in the same network subnet that you call the internal network (192.168.0.0.24) then:
- On ASA version older than 8.3:
It's impossible. This feature is not supported in old versions of Cisco ASA software due to the NAT hairpin issue.
- On ASA version prior to 8.3:
It can be configured using the following settings:
object network internal
range 192.168.0.1 192.168.0.254
object network external
host [IP address of your WAN interface]
object network server-internal
host [server internal IP address]
object network server-external
host [server external (NATted) IP address]
nat (internal, internal) source static internal external destination static server-external server-internal
You can check your ASA software version using the show version command.
Hope that it helps. If no, please provide much more details about the IP addresses being used by you, output from the configuration, etc.