Cisco ASA 5520 Unable to access external IP on Internal Network

nat cisco cisco-asa

I have an internal network of 192.168.0.x and I have a server nat'd to an external IP address we have. I can't figure out how I need to change my configuration for this thing to get it to work. I'm not very good with the ASDM either. Any advice would be greatly appreciated.

Thanks

Here is my configuration

hostname xxx
domain-name xxxx.local
enable password xxxxx encrypted
passwd xxxxxencrypted
names
name 192.168.10.0 A-192.168.10.0 description SSL_ANYWHERE_DHCP_POOL
name 192.168.32.0 A-192.168.32.0 description Anaheim
name 192.168.0.25 BAMServer description BelManage Server
name 192.168.0.1 Cisco-ASDM description Cisco Firewall
name 192.168.0.4 DC description Primary Domain Controller
name 192.168.0.10 Intranet-Server description Internal Intranet and Forum
name 192.168.0.20 xxxxx description SQL Cognos Server
name 192.168.0.16 xxxxx description Outside Platinum
name 192.168.0.47 Printer-xxxx-Office description Is this still needed
name 192.168.0.2 WebServer description Web Server
name 192.168.0.213 xxxx-PC description Regina Salmon
name 192.168.0.21 xxxx description Nasdrive1
name 192.168.0.185 xxxx description Linux Webserver
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 209.192.2.61 255.255.255.248 
!
interface GigabitEthernet0/0.2
 vlan 2
 nameif Secondary
 security-level 0
 ip address 66.0.128.222 255.255.255.240 
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif Internal
 security-level 100
 ip address Cisco-ASDM 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
 management-only
!
boot system disk0:/asa804-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Outside
dns domain-lookup Internal
dns server-group DefaultDNS
 name-server 207.230.75.34
 name-server DC
 name-server 4.2.2.2
 domain-name acthsv.local
same-security-traffic permit inter-interface
object-group service Webserver01
 service-object tcp eq domain 
 service-object tcp eq ftp 
 service-object tcp eq www 
 service-object tcp eq pop3 
 service-object tcp eq smtp 
 service-object udp eq domain 
 service-object icmp 
object-group service APC-FORUM
 service-object icmp 
 service-object tcp eq domain 
 service-object tcp eq ftp 
 service-object tcp eq www 
 service-object tcp eq pop3 
 service-object tcp eq smtp 
 service-object udp eq domain 
object-group service xxxx-HSV
 service-object tcp eq www 
 service-object tcp eq telnet 
 service-object tcp source eq 3389 eq 3389 
object-group service SQL
 service-object tcp eq www 
 service-object udp eq www 
object-group service DM_INLINE_SERVICE_1
 service-object icmp 
 group-object SQL
object-group service DM_INLINE_SERVICE_2
 group-object APC-FORUM
 service-object tcp eq 3389 
 service-object icmp 
object-group service DM_INLINE_SERVICE_3
 service-object icmp 
 service-object tcp eq 3389 
 group-object APC-FORUM
object-group service DM_INLINE_SERVICE_4
 group-object APC-FORUM
 service-object tcp eq 3389 
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service smb tcp-udp
 description smb
 port-object eq domain
 port-object eq 137
 port-object eq 138
 port-object eq 139
 port-object eq 445
 port-object eq 135
 port-object eq 136
object-group service DM_INLINE_SERVICE_5
 service-object tcp eq imap4 
 service-object tcp eq netbios-ssn 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
 service-object ip 
object-group service DM_INLINE_SERVICE_6
 service-object tcp eq netbios-ssn 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
object-group service DM_INLINE_SERVICE_7
 service-object tcp-udp eq www 
 service-object tcp eq ftp 
 service-object tcp eq ftp-data 
 service-object tcp eq https 
 service-object tcp eq smtp 
 service-object tcp eq ssh 
 service-object tcp eq telnet 
object-group service DM_INLINE_SERVICE_8
 service-object tcp-udp eq www 
 service-object tcp eq ftp 
 service-object tcp eq ftp-data 
 service-object tcp eq https 
 service-object tcp eq smtp 
 service-object tcp eq ssh 
 service-object tcp eq telnet 
 group-object Webserver01
object-group service DM_INLINE_SERVICE_10
 service-object tcp-udp eq www 
 service-object tcp eq https 
object-group service DM_INLINE_SERVICE_9
 service-object tcp-udp eq www 
 service-object tcp eq https 
 service-object udp eq www 
 group-object APC-FORUM
object-group service DM_INLINE_SERVICE_0
 service-object tcp-udp eq www 
 service-object tcp eq https 
 group-object APC-FORUM
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host 66.0.128.214 
access-list Outside_access_in extended permit object-group Webserver01 any host 209.192.2.58 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any host 209.192.2.59 inactive 
access-list Outside_access_in extended permit object-group Liaison-HSV any host 209.192.2.60 
access-list Outside_access_in extended permit object-group Webserver01 any host 209.192.2.62 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host 66.0.128.210 inactive 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 66.0.128.211 
access-list Outside_access_in extended permit tcp any host 66.0.128.212 eq 3389 inactive 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any host 66.0.128.213 
access-list Outside_access_in extended permit ip any host 66.0.128.220 
access-list Outside_access_in extended permit ip any any 
access-list Outside_access_in extended permit icmp 192.168.0.0 255.255.255.0 host 66.0.128.213 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_5 any host 209.192.2.62 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_8 any host xxxxx
access-list Outside_access_in extended permit object-group TCPUDP any host nasdrive object-group smb 
access-list Outside_access_in extended permit object-group TCPUDP any host 66.0.128.215 object-group smb 
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_10 host 66.0.128.214 192.168.0.0 255.255.255.0 
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 A-192.168.10.0 255.255.255.0 
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 A-192.168.32.0 255.255.255.0 
access-list Internal_nat0_outbound extended permit ip host Cisco-ASDM host 64.206.230.230 
access-list Outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 A-192.168.32.0 255.255.255.0 
access-list Internal_access_in extended permit icmp any host 66.0.128.213 
access-list Internal_access_in extended permit ip any any 
access-list Internal_access_in extended permit icmp any any 
access-list Internal_access_in extended permit icmp 192.168.0.0 255.255.255.0 host 66.0.128.213 
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_6 any host 209.192.2.62 
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_7 any host LinuxWebserver 
access-list Internal_access_in extended permit object-group TCPUDP any host nasdrive object-group smb 
access-list Internal_access_in extended permit object-group TCPUDP any host 66.0.128.215 object-group smb 
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_9 192.168.0.0 255.255.255.0 host 66.0.128.214 
access-list split-tunnel standard permit host Cisco-ASDM 
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging ftp-server 192.168.0.13 \\backups acthsv\administrator ****
mtu Outside 1500
mtu Secondary 1500
mtu Internal 1500
mtu management 1500
ip local pool SSL_CLIENTLESS 192.168.11.1-192.168.11.25 mask 255.255.0.0
ip local pool SSL-ANYWHERE 192.168.10.1-192.168.10.25 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Internal) 1 172.16.1.5 netmask 255.0.0.0
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 10 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (Internal,Outside) 66.0.128.213 xxxx-PC netmask 255.255.255.255 
static (Internal,Secondary) 66.0.128.220 xxxx netmask 255.255.255.255 
static (Internal,Outside) 209.192.2.58 xxxxx netmask 255.255.255.255 
static (Internal,Secondary) 66.0.128.210 Intranet-Server netmask 255.255.255.255 
static (Internal,Outside) 209.192.2.60 Printer-xxxxx-Office netmask 255.255.255.255 
static (Internal,Outside) 66.0.128.215 xxxxx netmask 255.255.255.255 
static (Internal,Outside) 66.0.128.212 xxxxx netmask 255.255.255.255 
static (Internal,Outside) 66.0.128.211 xxxxx netmask 255.255.255.255 
static (Internal,Outside) 209.192.2.59 Intranet-Server netmask 255.255.255.255 
static (Internal,Outside) 66.0.128.214 xxxxx netmask 255.255.255.255 dns 
access-group Outside_access_in in interface Outside
access-group Internal_access_in in interface Internal
route Outside 0.0.0.0 0.0.0.0 209.192.2.57 10
route Outside 0.0.0.0 0.0.0.0 66.0.128.209 20
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ASA protocol radius
 accounting-mode simultaneous
 max-failed-attempts 5
aaa-server ASA (Internal) host DC
 timeout 5
 key linex
aaa-server ASA (Internal) host 192.168.0.13
 key linex
aaa-server ASA (Internal) host xxxx
 key 12345
aaa local authentication attempts max-fail 16
http server enable
http 64.206.230.0 255.255.255.0 Outside
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set connection-type answer-only
crypto map Outside_map 1 set peer 64.206.230.230 
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 set phase1-mode aggressive 
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=LXHSV
 keypair sslvpnkeypair
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 436fe04c
    308201c3 3082012c a0030201 02020443 6fe04c30 0d06092a 864886f7 0d010104 
    05003026 310e300c 06035504 0313054c 58485356 31143012 06092a86 4886f70d 
    01090216 054c5848 5356301e 170d3130 31313134 32333232 34335a17 0d323031 
    31313132 33323234 335a3026 310e300c 06035504 0313054c 58485356 31143012 
    06092a86 4886f70d 01090216 054c5848 53563081 9f300d06 092a8648 86f70d01 
    01010500 03818d00 30818902 818100be 29a7a6bf 34b85354 47cfbce4 dd5502ae 
    8a165e8e 12a032b5 c65b66e4 2beb54c8 cf93b5a9 74e76b53 c76264d9 8480bc29 
    2d2a3b04 2c24bc45 6141446f d58e0850 ebd9d374 15949267 c6103f41 c2f7df4c 
    4202b93d 9733080a 912655d6 e54b40a5 39e468b7 c9b7e432 3ce571cb b7d1b755 
    a63182df a60d2610 16a6b934 0d036b02 03010001 300d0609 2a864886 f70d0101 
    04050003 8181001e 6992eee9 c671e5d9 a773aa5c 89f44803 3526fa96 57d3d608 
    c8ce4855 69a96e55 68129b6e 14bdd3ca eeb015e2 2d892253 629d5d86 107658e9 
    3e40e057 729ce0bb f541bac8 7d62945c aeb5630a e3e3ea61 702ad41d f5bf8183 
    a4f14ac8 489cc63c 5b1ae590 93a749e5 9ba24ad0 c96de73a b9c4feee 05f72db7 
    3bd95a41 84a1dc
  quit
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 64.206.230.0 255.255.255.0 Outside
telnet 192.168.0.0 255.255.255.0 Internal
telnet timeout 5
ssh 192.168.0.81 255.255.255.255 Internal
ssh timeout 5
console timeout 0
dhcpd dns DC 207.230.75.34
dhcpd domain acthsv.local
dhcpd option 3 ip Cisco-ASDM
dhcpd option 6 ip Cisco-ASDM
!
dhcpd address 192.168.0.50-192.168.0.150 Internal
dhcpd dns 207.230.75.34 DC interface Internal
dhcpd wins DC interface Internal
!
dhcpd address 192.168.3.2-192.168.3.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 64.90.182.55 prefer
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSL_CLIENTLESS_GP internal
group-policy SSL_CLIENTLESS_GP attributes
 wins-server value 192.168.0.4
 dns-server value 192.168.0.4 192.168.0.13
 vpn-access-hours none
 vpn-simultaneous-logins 20
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value ACTHSV.local
 msie-proxy method no-proxy
 vlan none
 nac-settings none
 address-pools value SSL_CLIENTLESS
 client-firewall none
 webvpn
  svc ask enable default webvpn timeout 90
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol svc webvpn
group-policy timg internal
group-policy timg attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Tim
group-policy ANYCONNECT internal
group-policy ANYCONNECT attributes
 dns-server value 192.168.0.4
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value acthsv.local
 msie-proxy method no-modify
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask none default svc

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ipsec-pass-thru 
  inspect pptp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:7a70c57cd9f49151c1d993268c11f2ba
: end

Solution 1:

If the server is located in the same network subnet that you call the internal network (192.168.0.0.24) then:

  • On ASA version older than 8.3:

It's impossible. This feature is not supported in old versions of Cisco ASA software due to the NAT hairpin issue.

  • On ASA version prior to 8.3:

It can be configured using the following settings:

object network internal
 range 192.168.0.1 192.168.0.254
object network external
 host [IP address of your WAN interface]
object network server-internal
 host [server internal IP address]
object network server-external
 host [server external (NATted) IP address]
nat (internal, internal) source static internal external destination static server-external server-internal

You can check your ASA software version using the show version command.

Hope that it helps. If no, please provide much more details about the IP addresses being used by you, output from the configuration, etc.

Related

Outlook SSL Error after New Certificate Installation
Am I getting DDoSed, and what should I about it?
How to block Skype using Squid?
Linux EC2 Instance Security Consideration
Windows 2003 DC to Windows 2008 R2 DC with same name and same IP
Apache Dynamic Virtual Host with SSL [duplicate]
Using iptables to redirect incoming requests from port 2525 to port 25?
Exim: how to deliver locally and send a copy to another server
Two NICs, one server
Why does my SSH passphrase work with `plink` and not `ssh`?
Is it possible to have regular-expression CNAME record in DNS?
How to have a certificate which works with both example.com and subdomain.example.com in IIS?