Missing something in config not able to access ssh/ping from other vlan or network

Discussion in 'other firewalls' started by wafa, May 8, 2015.

wafa (Registered Member; Joined: May 8, 2015; Posts: 1)
I am confused, how come this is not working... The only thing I want is to access the ASA management from 10.109.32.6.0.

I have a remote ASA. There is an MPLS link between both sites. I am behind 10.109.32.6 and the ASA is behind 10.109.35.11. The ASA and the MPLS route are connected (VLAN2 10.4.1.0). See the configuration below; any suggestion what I am doing wrong? I have added additional config to allow ping and SSH from my site:
ssh VLAN12 255.255.255.0 inside
ssh 10.109.32.6 255.255.255.192 MPLS
http server enable
http VLAN12 255.255.255.0 inside
http 10.109.32.6 255.255.255.192 MPLS
icmp permit any inside
icmp permit any MPLS
inspect icmp
inspect icmp error
    name x.x.x.x InternetGateway description Internet Gateway
    name x.x.x.x IS description Fidelity Information Systems MPLS IP Range
    name 10.109.0.0 MPLS description MPLS IP Range
    name 10.4.3.3 MPLSGateway description MPLS Gateway
    name 10.5.1.0 VLAN12 description Internal user LAN
    name 10.4.3.0 VLAN80 description MPLS third party network
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
    !
    interface Vlan1
    description Internal LAN
    nameif inside
    security-level 100
    ip address 10.5.1.1 255.255.255.0
    !
    interface Vlan2
    description Internet Access
    nameif outside
    security-level 0
    ip address x.x.x.x x.x.x.x
    !
    interface Vlan3
    description LaSer Group MPLS
    no forward interface Vlan2
    nameif MPLS
    security-level 0
    ip address 10.4.1.4 255.255.255.0
    !
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name X.X.X.X
    object-group network gMPLS
    description MPLS Destinations
    network-object MPLS 255.255.0.0
    network-object IS 255.255.0.0
    access-list inside_nat_outbound_1 remark Traffic to internet hidden behind X.X.X.X
    access-list inside_nat_outbound_1 extended permit ip VLAN12 255.255.255.0 any
    access-list inside_nat_outbound remark Traffic to MPLS hidden behind 10.109.35.11
    access-list inside_nat_outbound extended permit ip VLAN12 255.255.255.0 object-group gMPLS
pager lines 24
logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu MPLS 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 X.X.X.X netmask 255.0.0.0
    global (MPLS) 2 10.109.35.11 netmask 255.0.0.0
    nat (inside) 2 access-list inside_nat_outbound
    nat (inside) 1 access-list inside_nat_outbound_1
    route outside 0.0.0.0 0.0.0.0 InternetGateway 1
    route outside 0.0.0.0 255.255.255.255 InternetGateway 255
    route MPLS MPLS 255.255.0.0 10.4.1.1 1
    route MPLS IS 255.255.0.0 10.4.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
    http server enable
    http VLAN12 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh VLAN12 255.255.255.0 inside
    ssh 10.109.32.6 255.255.255.192 MPLS
    ssh timeout 5
    console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.5.1.5-10.5.1.254 inside
dhcpd dns 1.1.1.1 1.1.1.1 interface inside
dhcpd domain xxxx interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    : end
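As an added example (my own checker, not part of wafa's post or of any Cisco tool), the script below parses the relevant lines of the configuration quoted above and answers the two questions a management-access problem on an ASA comes down to: is the source address actually inside one of the ssh/http permits, and does the ASA's routing table send the reply to that source out of the same interface the permit names. The embedded config is a constructed excerpt of the post's lines (the entries masked as x.x.x.x are left out); the addresses 10.109.32.70 and 10.5.1.20 used in the usage block are made-up test sources.

```python
import ipaddress

# Constructed excerpt of the ASA configuration quoted in the post; the "name"
# entries whose addresses the post masks as x.x.x.x are left out.
ASA_CONFIG = """\
name 10.109.0.0 MPLS description MPLS IP Range
name 10.5.1.0 VLAN12 description Internal user LAN
interface Vlan1
nameif inside
ip address 10.5.1.1 255.255.255.0
interface Vlan3
nameif MPLS
ip address 10.4.1.4 255.255.255.0
route outside 0.0.0.0 0.0.0.0 InternetGateway 1
route MPLS MPLS 255.255.0.0 10.4.1.1 1
ssh VLAN12 255.255.255.0 inside
ssh 10.109.32.6 255.255.255.192 MPLS
http VLAN12 255.255.255.0 inside
http 10.109.32.6 255.255.255.192 MPLS
"""


def parse_asa(text):
    """Extract what matters for to-the-box management access: name aliases,
    ssh/http permits, static routes and the connected routes implied by
    interface addresses."""
    lines = [ln.split() for ln in text.splitlines() if ln.split()]
    # Pass 1: "name <ip> <alias>" so later lines can refer to the alias.
    names = {t[2]: t[1] for t in lines if t[0] == "name" and len(t) >= 3}

    def resolve(tok):
        return names.get(tok, tok)

    permits, routes, warnings, ifaces = [], [], [], []
    for t in lines:
        line = " ".join(t)
        try:
            if t[0] == "interface":
                ifaces.append({"nameif": None, "net": None})
            elif t[0] == "nameif" and ifaces and len(t) >= 2:
                ifaces[-1]["nameif"] = t[1]
            elif t[:2] == ["ip", "address"] and ifaces and len(t) >= 4:
                ifaces[-1]["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            elif t[0] in ("ssh", "http") and len(t) == 4:
                ip = resolve(t[1])
                net = ipaddress.ip_network(f"{ip}/{t[2]}", strict=False)
                if ipaddress.ip_address(ip) != net.network_address:
                    # The ASA accepts this, but host bits in a permit usually mean a mistyped mask.
                    warnings.append(f"{line}: host bits set, entry actually covers {net}")
                permits.append((t[0], net, t[3]))
            elif t[0] == "route" and len(t) >= 5:
                routes.append((t[1], ipaddress.ip_network(f"{resolve(t[2])}/{t[3]}", strict=False)))
        except ValueError:
            warnings.append(f"could not parse: {line}")
    # Each interface subnet is a connected route out of that interface.
    routes += [(i["nameif"], i["net"]) for i in ifaces if i["nameif"] and i["net"]]
    return {"names": names, "permits": permits, "routes": routes, "warnings": warnings}


def egress_interface(cfg, ip):
    """Longest-prefix match over static and connected routes: the interface the
    ASA would use to reply to ip."""
    dst, best = ipaddress.ip_address(ip), None
    for iface, net in cfg["routes"]:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def management_access(cfg, service, src_ip):
    """Interfaces on which an ssh/http session from src_ip is permitted."""
    src = ipaddress.ip_address(src_ip)
    return [iface for svc, net, iface in cfg["permits"] if svc == service and src in net]


def check_management(cfg, service, src_ip):
    """A permit names the interface the session must arrive on, and the ASA
    replies to the source via its routing table; if those interfaces differ
    the session cannot complete."""
    allowed_on = management_access(cfg, service, src_ip)
    via = egress_interface(cfg, src_ip)
    return {"allowed_on": allowed_on, "route_via": via, "ok": via is not None and via in allowed_on}


if __name__ == "__main__":
    cfg = parse_asa(ASA_CONFIG)
    for w in cfg["warnings"]:
        print("warning:", w)
    for src in ("10.109.32.6", "10.109.32.70", "10.5.1.20"):  # constructed test sources
        print(src, check_management(cfg, "ssh", src))
```

For the lines quoted in the post the checker finds that 10.109.32.6 is permitted on MPLS and is also routed out of MPLS (via the 10.109.0.0/16 static route), so the permit and the return path agree; it also flags that both 10.109.32.6 permits carry host bits under a /26 mask and therefore cover 10.109.32.0/26, which is worth confirming against the intended management subnet. Anything the script cannot parse (for example a masked x.x.x.x address) is reported as a warning rather than silently dropped, so a clean run means every permit and route was actually evaluated.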
     