- Posts: 5
- Thank you received: 0
NAT Problems with Cisco ASA 5501
17 years 1 month ago #20290
by sarangad
NAT Problems with Cisco ASA 5501 was created by sarangad
Hi all,
I recently configured a cisco ASA 5500 firewall with PAT & basic filters. Everything is ok other than DNS. I dont have any internal DNS servers I am using my ISPs DNS servers for name resolutions. In the nslookup utility of a client computer all the URLs are getting resolves perfectly. But I type the same URL in the browser it's not working. But if I type the IP address of the same URL in the browser it works perfectly. Wonder why this happen. Is this something to do with maximum DNS packet size or something else. Please let me know.
Thanks in advance
Sara
I recently configured a cisco ASA 5500 firewall with PAT & basic filters. Everything is ok other than DNS. I dont have any internal DNS servers I am using my ISPs DNS servers for name resolutions. In the nslookup utility of a client computer all the URLs are getting resolves perfectly. But I type the same URL in the browser it's not working. But if I type the IP address of the same URL in the browser it works perfectly. Wonder why this happen. Is this something to do with maximum DNS packet size or something else. Please let me know.
Thanks in advance
Sara
17 years 1 month ago #20291
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: NAT Problems with Cisco ASA 5501
Hi Sara and Welcome to the f.cx community.
Can you confirm what you have configured in the rule base around DNS ? It just seems odd that NSLOOKUP from the client works but not from a machine, the machines don't go through any proxy servers or anything do they ?
Can you confirm what you have configured in the rule base around DNS ? It just seems odd that NSLOOKUP from the client works but not from a machine, the machines don't go through any proxy servers or anything do they ?
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 1 month ago #20297
by sarangad
Replied by sarangad on topic Re: NAT Problems with Cisco ASA 5501
hi thanks for the reply, yes they dont go through any proxy.
Here is the running config
sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ************
names
dns-guard
!
interface Ethernet0/0
description To the Internet gateway
nameif outside
security-level 0
ip address 203.x.y.z 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
<--- More --->
no security-level
no ip address
!
interface Ethernet0/3
description LAN
nameif inside
security-level 100
ip address 172.16.40.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.50 255.255.255.0
management-only
!
passwd ***************
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
<--- More --->
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
route inside 172.16.0.0 255.255.0.0 172.16.40.2 1
route outside 0.0.0.0 0.0.0.0 203.115.26.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ************
http server enable
http 172.16.1.0 255.255.255.0 management
http 172.16.1.55 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
<--- More --->
management-access inside
dhcpd address 172.16.1.51-172.16.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default
Here are some logs
6|Mar 17 2007 10:55:46|605005: Login permitted from 172.16.1.52/3134 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:55:46|302013: Built inbound TCP connection 345 for management:172.16.1.52/3134 (172.16.1.52/3134) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:51:25|302014: Teardown TCP connection 344 for management:172.16.1.52/3132 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 977 TCP FINs
6|Mar 17 2007 10:51:25|605005: Login permitted from 172.16.1.52/3132 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:51:25|302013: Built inbound TCP connection 344 for management:172.16.1.52/3132 (172.16.1.52/3132) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:49:03|302014: Teardown TCP connection 343 for management:172.16.1.52/3130 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 964 TCP FINs
5|Mar 17 2007 10:49:03|111008: User 'cisco' executed the 'no domain-name' command.
5|Mar 17 2007 10:49:03|111007: Begin configuration: 172.16.1.52 reading from http [POST]
6|Mar 17 2007 10:49:03|605005: Login permitted from 172.16.1.52/3130 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:49:03|302013: Built inbound TCP connection 343 for management:172.16.1.52/3130 (172.16.1.52/3130) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:05|302014: Teardown TCP connection 342 for management:172.16.1.52/3128 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:05|605005: Login permitted from 172.16.1.52/3128 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:05|302013: Built inbound TCP connection 342 for management:172.16.1.52/3128 (172.16.1.52/3128) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:05|302014: Teardown TCP connection 341 for management:172.16.1.52/3126 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:05|605005: Login permitted from 172.16.1.52/3126 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:05|302013: Built inbound TCP connection 341 for management:172.16.1.52/3126 (172.16.1.52/3126) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:04|302014: Teardown TCP connection 340 for management:172.16.1.52/3124 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:04|605005: Login permitted from 172.16.1.52/3124 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:04|302013: Built inbound TCP connection 340 for management:172.16.1.52/3124 (172.16.1.52/3124) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:03|302014: Teardown TCP connection 339 for management:172.16.1.52/3122 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:03|605005: Login permitted from 172.16.1.52/3122 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:03|302013: Built inbound TCP connection 339 for management:172.16.1.52/3122 (172.16.1.52/3122) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:01|302014: Teardown TCP connection 338 for management:172.16.1.52/3120 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:01|605005: Login permitted from 172.16.1.52/3120 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:01|302013: Built inbound TCP connection 338 for management:172.16.1.52/3120 (172.16.1.52/3120) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:47:48|302014: Teardown TCP connection 337 for management:172.16.1.52/3117 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 897 TCP FINs
6|Mar 17 2007 10:47:48|302014: Teardown TCP connection 336 for management:172.16.1.52/3118 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 897 TCP FINs
6|Mar 17 2007 10:47:48|605005: Login permitted from 172.16.1.52/3117 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:47:48|605005: Login permitted from 172.16.1.52/3118 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:47:48|302013: Built inbound TCP connection 337 for management:172.16.1.52/3117 (172.16.1.52/3117) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:47:48|302013: Built inbound TCP connection 336 for management:172.16.1.52/3118 (172.16.1.52/3118) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:49|606001: ASDM session number 0 from 172.16.1.52 started
6|Mar 17 2007 10:46:49|605005: Login permitted from 172.16.1.52/3114 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:49|302013: Built inbound TCP connection 335 for management:172.16.1.52/3114 (172.16.1.52/3114) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:49|302014: Teardown TCP connection 334 for management:172.16.1.52/3112 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1185 TCP FINs
6|Mar 17 2007 10:46:49|605005: Login permitted from 172.16.1.52/3112 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:49|302013: Built inbound TCP connection 334 for management:172.16.1.52/3112 (172.16.1.52/3112) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:49|302014: Teardown TCP connection 333 for management:172.16.1.52/3110 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1089 TCP FINs
6|Mar 17 2007 10:46:49|605005: Login permitted from 172.16.1.52/3110 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:49|302013: Built inbound TCP connection 333 for management:172.16.1.52/3110 (172.16.1.52/3110) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:49|606003: ASDM logging session number 0 from 172.16.1.52 started
6|Mar 17 2007 10:46:49|605005: Login permitted from 172.16.1.52/3108 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:49|302013: Built inbound TCP connection 332 for management:172.16.1.52/3108 (172.16.1.52/3108) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:48|302014: Teardown TCP connection 331 for management:172.16.1.52/3106 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1433 TCP FINs
6|Mar 17 2007 10:46:48|605005: Login permitted from 172.16.1.52/3106 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:48|302013: Built inbound TCP connection 331 for management:172.16.1.52/3106 (172.16.1.52/3106) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:48|302014: Teardown TCP connection 330 for management:172.16.1.52/3104 to NP Identity Ifc:172.16.1.50/443 duration 0:00:01 bytes 26570 TCP FINs
6|Mar 17 2007 10:46:46|605005: Login permitted from 172.16.1.52/3104 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:46|302014: Teardown TCP connection 329 for management:172.16.1.52/3102 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1131 TCP FINs
6|Mar 17 2007 10:46:46|302013: Built inbound TCP connection 330 for management:172.16.1.52/3104 (172.16.1.52/3104) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:46|302013: Built inbound TCP connection 329 for management:172.16.1.52/3102 (172.16.1.52/3102) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:46|302014: Teardown TCP connection 328 for management:172.16.1.52/3100 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1444 TCP FINs
6|Mar 17 2007 10:46:46|605005: Login permitted from 172.16.1.52/3100 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:46|302013: Built inbound TCP connection 328 for management:172.16.1.52/3100 (172.16.1.52/3100) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:43|302014: Teardown TCP connection 327 for management:172.16.1.52/3098 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1417 TCP FINs
6|Mar 17 2007 10:46:43|605005: Login permitted from 172.16.1.52/3098 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:43|302014: Teardown TCP connection 326 for management:172.16.1.52/3096 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1139 TCP FINs
6|Mar 17 2007 10:46:43|302013: Built inbound TCP connection 327 for management:172.16.1.52/3098 (172.16.1.52/3098) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:43|302013: Built inbound TCP connection 326 for management:172.16.1.52/3096 (172.16.1.52/3096) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:42|302014: Teardown TCP connection 325 for management:172.16.1.52/3094 to NP Identity Ifc:172.16.1.50/443 duration 0:00:01 bytes 2908 TCP FINs
5|Mar 17 2007 10:46:42|111008: User 'cisco' executed the 'perfmon interval 10' command.
6|Mar 17 2007 10:46:41|605005: Login permitted from 172.16.1.52/3094 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:41|302013: Built inbound TCP connection 325 for management:172.16.1.52/3094 (172.16.1.52/3094) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:41|302014: Teardown TCP connection 324 for management:172.16.1.52/3092 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1275 TCP FINs
6|Mar 17 2007 10:46:40|302013: Built inbound TCP connection 324 for management:172.16.1.52/3092 (172.16.1.52/3092) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:38|302014: Teardown TCP connection 323 for management:172.16.1.52/3089 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 182024 TCP Reset-O
6|Mar 17 2007 10:46:38|605005: Login permitted from 172.16.1.52/3089 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:38|302013: Built inbound TCP connection 323 for management:172.16.1.52/3089 (172.16.1.52/3089) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:38|302014: Teardown TCP connection 322 for management:172.16.1.52/3087 to NP Identity Ifc:172.16.1.50/443 duration 0:00:01 bytes 1651 TCP FINs
6|Mar 17 2007 10:46:37|605005: Login permitted from 172.16.1.52/3087 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:36|302013: Built inbound TCP connection 322 for management:172.16.1.52/3087 (172.16.1.52/3087) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:32|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50763 to outside:203.115.26.122/1113 duration 0:00:30
6|Mar 17 2007 10:46:31|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50762 to outside:203.115.26.122/1112 duration 0:00:30
6|Mar 17 2007 10:46:28|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50761 to outside:203.115.26.122/1111 duration 0:00:30
6|Mar 17 2007 10:46:28|302016: Teardown UDP connection 297 for management:172.16.1.52/68 to NP Identity Ifc:172.16.1.50/67 duration 0:02:01 bytes 566
6|Mar 17 2007 10:46:28|302016: Teardown UDP connection 296 for management:0.0.0.0/68 to NP Identity Ifc:255.255.255.255/67 duration 0:02:01 bytes 618
6|Mar 17 2007 10:46:27|302016: Teardown UDP connection 295 for management:255.255.255.255/68 to NP Identity Ifc:172.16.1.50/67 duration 0:02:01 bytes 249
6|Mar 17 2007 10:46:27|302016: Teardown UDP connection 294 for management:172.16.1.51/68 to NP Identity Ifc:255.255.255.255/67 duration 0:02:01 bytes 306
6|Mar 17 2007 10:46:26|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50760 to outside:203.115.26.122/1110 duration 0:00:30
6|Mar 17 2007 10:46:26|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50758 to outside:203.115.26.122/1109 duration 0:00:30
6|Mar 17 2007 10:46:26|302014: Teardown TCP connection 321 for outside:209.132.177.50/80 to inside:172.16.20.11/50763 duration 0:00:24 bytes 12519 TCP FINs
6|Mar 17 2007 10:46:26|302014: Teardown TCP connection 318 for outside:209.132.177.50/80 to inside:172.16.20.11/50760 duration 0:00:29 bytes 54525 TCP FINs
6|Mar 17 2007 10:46:24|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50757 to outside:203.115.26.122/1108 duration 0:00:30
6|Mar 17 2007 10:46:24|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50756 to outside:203.115.26.122/1107 duration 0:00:30
6|Mar 17 2007 10:46:22|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50755 to outside:203.115.26.122/1106 duration 0:00:30
6|Mar 17 2007 10:46:21|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50754 to outside:203.115.26.122/1105 duration 0:00:30
6|Mar 17 2007 10:46:20|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50753 to outside:203.115.26.122/1104 duration 0:00:30
6|Mar 17 2007 10:46:19|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50752 to outside:203.115.26.122/1103 duration 0:00:30
6|Mar 17 2007 10:46:18|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50751 to outside:203.115.26.122/1102 duration 0:00:30
6|Mar 17 2007 10:46:16|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50750 to outside:203.115.26.122/1101 duration 0:00:30
6|Mar 17 2007 10:46:14|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50749 to outside:203.115.26.122/1100 duration 0:00:30
6|Mar 17 2007 10:46:13|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50748 to outside:203.115.26.122/1099 duration 0:00:30
6|Mar 17 2007 10:46:12|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50747 to outside:203.115.26.122/1098 duration 0:00:30
6|Mar 17 2007 10:46:12|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50746 to outside:203.115.26.122/1097 duration 0:00:30
6|Mar 17 2007 10:46:11|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50745 to outside:203.115.26.122/1096 duration 0:00:30
6|Mar 17 2007 10:46:11|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50744 to outside:203.115.26.122/1095 duration 0:00:30
6|Mar 17 2007 10:46:10|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50743 to outside:203.115.26.122/1094 duration 0:00:30
6|Mar 17 2007 10:46:09|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50742 to outside:203.115.26.122/1093 duration 0:00:30
6|Mar 17 2007 10:46:02|302014: Teardown TCP connection 320 for outside:209.132.177.50/80 to inside:172.16.20.11/50762 duration 0:00:00 bytes 777 TCP FINs
6|Mar 17 2007 10:46:02|302013: Built outbound TCP connection 321 for outside:209.132.177.50/80 (209.132.177.50/80) to inside:172.16.20.11/50763 (203.115.26.122/1113)
wonder why this happens
Sara
Here is the running config
sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ************
names
dns-guard
!
interface Ethernet0/0
description To the Internet gateway
nameif outside
security-level 0
ip address 203.x.y.z 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
<--- More --->
no security-level
no ip address
!
interface Ethernet0/3
description LAN
nameif inside
security-level 100
ip address 172.16.40.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.50 255.255.255.0
management-only
!
passwd ***************
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
<--- More --->
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
route inside 172.16.0.0 255.255.0.0 172.16.40.2 1
route outside 0.0.0.0 0.0.0.0 203.115.26.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ************
http server enable
http 172.16.1.0 255.255.255.0 management
http 172.16.1.55 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
<--- More --->
management-access inside
dhcpd address 172.16.1.51-172.16.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default
Here are some logs
6|Mar 17 2007 10:55:46|605005: Login permitted from 172.16.1.52/3134 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:55:46|302013: Built inbound TCP connection 345 for management:172.16.1.52/3134 (172.16.1.52/3134) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:51:25|302014: Teardown TCP connection 344 for management:172.16.1.52/3132 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 977 TCP FINs
6|Mar 17 2007 10:51:25|605005: Login permitted from 172.16.1.52/3132 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:51:25|302013: Built inbound TCP connection 344 for management:172.16.1.52/3132 (172.16.1.52/3132) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:49:03|302014: Teardown TCP connection 343 for management:172.16.1.52/3130 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 964 TCP FINs
5|Mar 17 2007 10:49:03|111008: User 'cisco' executed the 'no domain-name' command.
5|Mar 17 2007 10:49:03|111007: Begin configuration: 172.16.1.52 reading from http [POST]
6|Mar 17 2007 10:49:03|605005: Login permitted from 172.16.1.52/3130 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:49:03|302013: Built inbound TCP connection 343 for management:172.16.1.52/3130 (172.16.1.52/3130) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:05|302014: Teardown TCP connection 342 for management:172.16.1.52/3128 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:05|605005: Login permitted from 172.16.1.52/3128 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:05|302013: Built inbound TCP connection 342 for management:172.16.1.52/3128 (172.16.1.52/3128) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:05|302014: Teardown TCP connection 341 for management:172.16.1.52/3126 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:05|605005: Login permitted from 172.16.1.52/3126 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:05|302013: Built inbound TCP connection 341 for management:172.16.1.52/3126 (172.16.1.52/3126) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:04|302014: Teardown TCP connection 340 for management:172.16.1.52/3124 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:04|605005: Login permitted from 172.16.1.52/3124 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:04|302013: Built inbound TCP connection 340 for management:172.16.1.52/3124 (172.16.1.52/3124) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:03|302014: Teardown TCP connection 339 for management:172.16.1.52/3122 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:03|605005: Login permitted from 172.16.1.52/3122 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:03|302013: Built inbound TCP connection 339 for management:172.16.1.52/3122 (172.16.1.52/3122) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:48:01|302014: Teardown TCP connection 338 for management:172.16.1.52/3120 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 852 TCP FINs
6|Mar 17 2007 10:48:01|605005: Login permitted from 172.16.1.52/3120 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:48:01|302013: Built inbound TCP connection 338 for management:172.16.1.52/3120 (172.16.1.52/3120) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:47:48|302014: Teardown TCP connection 337 for management:172.16.1.52/3117 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 897 TCP FINs
6|Mar 17 2007 10:47:48|302014: Teardown TCP connection 336 for management:172.16.1.52/3118 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 897 TCP FINs
6|Mar 17 2007 10:47:48|605005: Login permitted from 172.16.1.52/3117 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:47:48|605005: Login permitted from 172.16.1.52/3118 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:47:48|302013: Built inbound TCP connection 337 for management:172.16.1.52/3117 (172.16.1.52/3117) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:47:48|302013: Built inbound TCP connection 336 for management:172.16.1.52/3118 (172.16.1.52/3118) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:49|606001: ASDM session number 0 from 172.16.1.52 started
6|Mar 17 2007 10:46:49|605005: Login permitted from 172.16.1.52/3114 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:49|302013: Built inbound TCP connection 335 for management:172.16.1.52/3114 (172.16.1.52/3114) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:49|302014: Teardown TCP connection 334 for management:172.16.1.52/3112 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1185 TCP FINs
6|Mar 17 2007 10:46:49|605005: Login permitted from 172.16.1.52/3112 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:49|302013: Built inbound TCP connection 334 for management:172.16.1.52/3112 (172.16.1.52/3112) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:49|302014: Teardown TCP connection 333 for management:172.16.1.52/3110 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1089 TCP FINs
6|Mar 17 2007 10:46:49|605005: Login permitted from 172.16.1.52/3110 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:49|302013: Built inbound TCP connection 333 for management:172.16.1.52/3110 (172.16.1.52/3110) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:49|606003: ASDM logging session number 0 from 172.16.1.52 started
6|Mar 17 2007 10:46:49|605005: Login permitted from 172.16.1.52/3108 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:49|302013: Built inbound TCP connection 332 for management:172.16.1.52/3108 (172.16.1.52/3108) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:48|302014: Teardown TCP connection 331 for management:172.16.1.52/3106 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1433 TCP FINs
6|Mar 17 2007 10:46:48|605005: Login permitted from 172.16.1.52/3106 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:48|302013: Built inbound TCP connection 331 for management:172.16.1.52/3106 (172.16.1.52/3106) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:48|302014: Teardown TCP connection 330 for management:172.16.1.52/3104 to NP Identity Ifc:172.16.1.50/443 duration 0:00:01 bytes 26570 TCP FINs
6|Mar 17 2007 10:46:46|605005: Login permitted from 172.16.1.52/3104 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:46|302014: Teardown TCP connection 329 for management:172.16.1.52/3102 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1131 TCP FINs
6|Mar 17 2007 10:46:46|302013: Built inbound TCP connection 330 for management:172.16.1.52/3104 (172.16.1.52/3104) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:46|302013: Built inbound TCP connection 329 for management:172.16.1.52/3102 (172.16.1.52/3102) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:46|302014: Teardown TCP connection 328 for management:172.16.1.52/3100 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1444 TCP FINs
6|Mar 17 2007 10:46:46|605005: Login permitted from 172.16.1.52/3100 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:46|302013: Built inbound TCP connection 328 for management:172.16.1.52/3100 (172.16.1.52/3100) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:43|302014: Teardown TCP connection 327 for management:172.16.1.52/3098 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1417 TCP FINs
6|Mar 17 2007 10:46:43|605005: Login permitted from 172.16.1.52/3098 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:43|302014: Teardown TCP connection 326 for management:172.16.1.52/3096 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1139 TCP FINs
6|Mar 17 2007 10:46:43|302013: Built inbound TCP connection 327 for management:172.16.1.52/3098 (172.16.1.52/3098) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:43|302013: Built inbound TCP connection 326 for management:172.16.1.52/3096 (172.16.1.52/3096) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:42|302014: Teardown TCP connection 325 for management:172.16.1.52/3094 to NP Identity Ifc:172.16.1.50/443 duration 0:00:01 bytes 2908 TCP FINs
5|Mar 17 2007 10:46:42|111008: User 'cisco' executed the 'perfmon interval 10' command.
6|Mar 17 2007 10:46:41|605005: Login permitted from 172.16.1.52/3094 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:41|302013: Built inbound TCP connection 325 for management:172.16.1.52/3094 (172.16.1.52/3094) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:41|302014: Teardown TCP connection 324 for management:172.16.1.52/3092 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 1275 TCP FINs
6|Mar 17 2007 10:46:40|302013: Built inbound TCP connection 324 for management:172.16.1.52/3092 (172.16.1.52/3092) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:38|302014: Teardown TCP connection 323 for management:172.16.1.52/3089 to NP Identity Ifc:172.16.1.50/443 duration 0:00:00 bytes 182024 TCP Reset-O
6|Mar 17 2007 10:46:38|605005: Login permitted from 172.16.1.52/3089 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:38|302013: Built inbound TCP connection 323 for management:172.16.1.52/3089 (172.16.1.52/3089) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:38|302014: Teardown TCP connection 322 for management:172.16.1.52/3087 to NP Identity Ifc:172.16.1.50/443 duration 0:00:01 bytes 1651 TCP FINs
6|Mar 17 2007 10:46:37|605005: Login permitted from 172.16.1.52/3087 to management:172.16.1.50/https for user "cisco"
6|Mar 17 2007 10:46:36|302013: Built inbound TCP connection 322 for management:172.16.1.52/3087 (172.16.1.52/3087) to NP Identity Ifc:172.16.1.50/443 (172.16.1.50/443)
6|Mar 17 2007 10:46:32|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50763 to outside:203.115.26.122/1113 duration 0:00:30
6|Mar 17 2007 10:46:31|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50762 to outside:203.115.26.122/1112 duration 0:00:30
6|Mar 17 2007 10:46:28|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50761 to outside:203.115.26.122/1111 duration 0:00:30
6|Mar 17 2007 10:46:28|302016: Teardown UDP connection 297 for management:172.16.1.52/68 to NP Identity Ifc:172.16.1.50/67 duration 0:02:01 bytes 566
6|Mar 17 2007 10:46:28|302016: Teardown UDP connection 296 for management:0.0.0.0/68 to NP Identity Ifc:255.255.255.255/67 duration 0:02:01 bytes 618
6|Mar 17 2007 10:46:27|302016: Teardown UDP connection 295 for management:255.255.255.255/68 to NP Identity Ifc:172.16.1.50/67 duration 0:02:01 bytes 249
6|Mar 17 2007 10:46:27|302016: Teardown UDP connection 294 for management:172.16.1.51/68 to NP Identity Ifc:255.255.255.255/67 duration 0:02:01 bytes 306
6|Mar 17 2007 10:46:26|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50760 to outside:203.115.26.122/1110 duration 0:00:30
6|Mar 17 2007 10:46:26|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50758 to outside:203.115.26.122/1109 duration 0:00:30
6|Mar 17 2007 10:46:26|302014: Teardown TCP connection 321 for outside:209.132.177.50/80 to inside:172.16.20.11/50763 duration 0:00:24 bytes 12519 TCP FINs
6|Mar 17 2007 10:46:26|302014: Teardown TCP connection 318 for outside:209.132.177.50/80 to inside:172.16.20.11/50760 duration 0:00:29 bytes 54525 TCP FINs
6|Mar 17 2007 10:46:24|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50757 to outside:203.115.26.122/1108 duration 0:00:30
6|Mar 17 2007 10:46:24|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50756 to outside:203.115.26.122/1107 duration 0:00:30
6|Mar 17 2007 10:46:22|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50755 to outside:203.115.26.122/1106 duration 0:00:30
6|Mar 17 2007 10:46:21|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50754 to outside:203.115.26.122/1105 duration 0:00:30
6|Mar 17 2007 10:46:20|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50753 to outside:203.115.26.122/1104 duration 0:00:30
6|Mar 17 2007 10:46:19|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50752 to outside:203.115.26.122/1103 duration 0:00:30
6|Mar 17 2007 10:46:18|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50751 to outside:203.115.26.122/1102 duration 0:00:30
6|Mar 17 2007 10:46:16|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50750 to outside:203.115.26.122/1101 duration 0:00:30
6|Mar 17 2007 10:46:14|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50749 to outside:203.115.26.122/1100 duration 0:00:30
6|Mar 17 2007 10:46:13|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50748 to outside:203.115.26.122/1099 duration 0:00:30
6|Mar 17 2007 10:46:12|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50747 to outside:203.115.26.122/1098 duration 0:00:30
6|Mar 17 2007 10:46:12|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50746 to outside:203.115.26.122/1097 duration 0:00:30
6|Mar 17 2007 10:46:11|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50745 to outside:203.115.26.122/1096 duration 0:00:30
6|Mar 17 2007 10:46:11|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50744 to outside:203.115.26.122/1095 duration 0:00:30
6|Mar 17 2007 10:46:10|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50743 to outside:203.115.26.122/1094 duration 0:00:30
6|Mar 17 2007 10:46:09|305012: Teardown dynamic TCP translation from inside:172.16.20.11/50742 to outside:203.115.26.122/1093 duration 0:00:30
6|Mar 17 2007 10:46:02|302014: Teardown TCP connection 320 for outside:209.132.177.50/80 to inside:172.16.20.11/50762 duration 0:00:00 bytes 777 TCP FINs
6|Mar 17 2007 10:46:02|302013: Built outbound TCP connection 321 for outside:209.132.177.50/80 (209.132.177.50/80) to inside:172.16.20.11/50763 (203.115.26.122/1113)
wonder why this happens
Sara
17 years 1 month ago #20298
by sarangad
Replied by sarangad on topic Re: NAT Problems with Cisco ASA 5501
SOrry some parts are missing in previous running config
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ***********
names
dns-guard
!
interface Ethernet0/0
description To the Internet gateway
nameif outside
security-level 0
ip address 203.x.y.z 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
<--- More --->
no security-level
no ip address
!
interface Ethernet0/3
description LAN
nameif inside
security-level 100
ip address 172.16.40.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.50 255.255.255.0
management-only
!
passwd *************
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
<--- More --->
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
route inside 172.16.0.0 255.255.0.0 172.16.40.2 1
route outside 0.0.0.0 0.0.0.0 203.115.26.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ************
http server enable
http 172.16.1.0 255.255.255.0 management
http 172.16.1.55 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
<--- More --->
management-access inside
dhcpd address 172.16.1.51-172.16.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
<--- More --->
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:fd9ae6ae00d0f3cf272ceeb433c5774f
: end
ciscoasa#
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ***********
names
dns-guard
!
interface Ethernet0/0
description To the Internet gateway
nameif outside
security-level 0
ip address 203.x.y.z 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
<--- More --->
no security-level
no ip address
!
interface Ethernet0/3
description LAN
nameif inside
security-level 100
ip address 172.16.40.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.50 255.255.255.0
management-only
!
passwd *************
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
<--- More --->
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
route inside 172.16.0.0 255.255.0.0 172.16.40.2 1
route outside 0.0.0.0 0.0.0.0 203.115.26.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ************
http server enable
http 172.16.1.0 255.255.255.0 management
http 172.16.1.55 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
<--- More --->
management-access inside
dhcpd address 172.16.1.51-172.16.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
<--- More --->
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:fd9ae6ae00d0f3cf272ceeb433c5774f
: end
ciscoasa#
17 years 1 month ago #20299
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: NAT Problems with Cisco ASA 5501
Well the config looks ok.
Routing looks good.
NAT looks good
Traffic must be flowing ok from inside to outside (without access-lists) otherwise the nslookup and using the IP in the web browser would not work.
Can you quickly setup an allow all access list to just double check that side of things, then once tested make sure you remove the settings again to ensure its secure again ?
A quick word of advise though, never post the running configs with the Password HASH as there are tools that can perform brute force attacks on them reletively simply. Also, i wouldn't post the real ip addresses to ensure no-one tries to compromise the equipment. I have sorted this out for ya in both your posts
Routing looks good.
NAT looks good
Traffic must be flowing ok from inside to outside (without access-lists) otherwise the nslookup and using the IP in the web browser would not work.
Can you quickly setup an allow all access list to just double check that side of things, then once tested make sure you remove the settings again to ensure its secure again ?
A quick word of advise though, never post the running configs with the Password HASH as there are tools that can perform brute force attacks on them reletively simply. Also, i wouldn't post the real ip addresses to ensure no-one tries to compromise the equipment. I have sorted this out for ya in both your posts
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 1 month ago #20300
by Smurf
By real i mean the Public Addresses, inside ones aren't too bad.
Access-list wise i mean something like this
access-list 110 extended permit ip any any
access-group 110 in interface inside
access-group 110 in interface outside
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: NAT Problems with Cisco ASA 5501
Also, i wouldn't post the real ip addresses to ensure no-one tries to compromise the equipment. I have sorted this out for ya in both your posts
By real i mean the Public Addresses, inside ones aren't too bad.
Access-list wise i mean something like this
access-list 110 extended permit ip any any
access-group 110 in interface inside
access-group 110 in interface outside
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.150 seconds