https://community.cisco.com/t5/network-security/setting-up-the-asa-to-reach-the-internet/m-p/2997840#M1049922 <P>Hello Guys!&nbsp; This is a simple question about setting up my ASA for internet access.&nbsp; In can PING anything in the internet from my OUTSIDE interface and I can PING anything from my INSIDE interface on hte private side.&nbsp; BUT I can reach teh internet from the workstation.&nbsp; I thought my 'route' was clear as this is a simple config for a&nbsp; test scenario.&nbsp; Its too simple to call TAC for so I'm looking for a little assistance from the community&nbsp; Below is my config:</P> <P>Result of the command: "sh conf"<BR /><BR />: Saved<BR />: <BR />: Serial Number: JMX2040Y1A3<BR />: Hardware:&nbsp;&nbsp; ASA5505, 512 MB RAM, CPU Geode 500 MHz<BR />: Written by PPPPPPPP at 00:55:32.298 UTC Sat Sep 6 2008<BR />!<BR />ASA Version 9.1(6) <BR />!<BR />hostname TRCLOUD<BR />enable password 8Ry2YjIyt7RRXU24 encrypted<BR />names<BR />!<BR />interface Ethernet0/0<BR />&nbsp;switchport access vlan 2<BR />!<BR />interface Ethernet0/1<BR />!<BR />interface Ethernet0/2<BR />!<BR />interface Ethernet0/3<BR />!<BR />interface Ethernet0/4<BR />!<BR />interface Ethernet0/5<BR />!<BR />interface Ethernet0/6<BR />!<BR />interface Ethernet0/7<BR />!<BR />interface Vlan1<BR />&nbsp;nameif INTERNAL<BR />&nbsp;security-level 100<BR />&nbsp;ip address 172.20.3.1 255.255.255.248 <BR />!<BR />interface Vlan2<BR />&nbsp;nameif EXTERNAL<BR />&nbsp;security-level 0<BR />&nbsp;ip address 12.27.64.33 255.255.255.192 <BR />!<BR />ftp mode passive<BR />object network obj_any<BR />&nbsp;subnet 0.0.0.0 0.0.0.0<BR />object network NETWORK_OBJ_10.9.0.0_16<BR />&nbsp;subnet 10.9.0.0 255.255.0.0<BR />object network NETWORK_OBJ_172.20.3.0_29<BR />&nbsp;subnet 172.20.3.0 255.255.255.248<BR />object-group icmp-type ALLOW_ICMP<BR />&nbsp;icmp-object echo<BR />&nbsp;icmp-object echo-reply<BR />&nbsp;icmp-object traceroute<BR />&nbsp;icmp-object unreachable<BR />&nbsp;icmp-object time-exceeded<BR />access-list INBOUND extended permit icmp any any object-group ALLOW_ICMP <BR />access-list EXTERNAL_cryptomap extended permit ip 172.20.3.0 255.255.255.248 10.9.0.0 255.255.0.0 <BR />access-list EXTERNAL_cryptomap_1 extended permit ip 172.20.3.0 255.255.255.248 object NETWORK_OBJ_10.9.0.0_16 <BR />pager lines 24<BR />logging enable<BR />logging asdm informational<BR />mtu INTERNAL 1500<BR />mtu EXTERNAL 1500<BR />ip verify reverse-path interface EXTERNAL<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />!<BR />object network obj_any<BR />&nbsp;nat (INTERNAL,EXTERNAL) dynamic interface<BR />route EXTERNAL 0.0.0.0 0.0.0.0 12.27.64.1 1 <BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR />user-identity default-domain LOCAL<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 INTERNAL<BR />http 0.0.0.0 0.0.0.0 INTERNAL<BR />http 0.0.0.0 0.0.0.0 EXTERNAL<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart<BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport<BR />crypto ipsec ikev2 ipsec-proposal DES<BR />&nbsp;protocol esp encryption des<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal 3DES<BR />&nbsp;protocol esp encryption 3des<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES<BR />&nbsp;protocol esp encryption aes<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES192<BR />&nbsp;protocol esp encryption aes-192<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES256<BR />&nbsp;protocol esp encryption aes-256<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto map EXTERNAL_map 2 match address EXTERNAL_cryptomap<BR />crypto map EXTERNAL_map 2 set peer 209.237.229.123 <BR />crypto map EXTERNAL_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<BR />crypto map EXTERNAL_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256<BR />crypto map EXTERNAL_map 3 match address EXTERNAL_cryptomap_1<BR />crypto map EXTERNAL_map 3 set peer 209.237.229.123 <BR />crypto map EXTERNAL_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<BR />crypto map EXTERNAL_map interface EXTERNAL<BR />crypto ca trustpool policy<BR />crypto ikev2 policy 1<BR />&nbsp;encryption aes-256<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 policy 10<BR />&nbsp;encryption aes-192<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 policy 20<BR />&nbsp;encryption aes<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 policy 30<BR />&nbsp;encryption 3des<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 policy 40<BR />&nbsp;encryption des<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 enable INTERNAL<BR />crypto ikev2 enable EXTERNAL<BR />crypto ikev1 enable INTERNAL<BR />crypto ikev1 enable EXTERNAL<BR />crypto ikev1 policy 10<BR />&nbsp;authentication pre-share<BR />&nbsp;encryption 3des<BR />&nbsp;hash sha<BR />&nbsp;group 2<BR />&nbsp;lifetime 86400<BR />telnet 0.0.0.0 0.0.0.0 INTERNAL<BR />telnet timeout 5<BR />no ssh stricthostkeycheck<BR />ssh 0.0.0.0 0.0.0.0 INTERNAL<BR />ssh 0.0.0.0 0.0.0.0 EXTERNAL<BR />ssh timeout 5<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0<BR /><BR />dhcpd auto_config EXTERNAL<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />username quintin password Al6EjJ9p.JqnQYTA encrypted privilege 15<BR />username enable password FAdq8Y/jR1Akq8Vi encrypted privilege 15<BR />!<BR />class-map inspection_default<BR />&nbsp;match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />&nbsp;parameters<BR />&nbsp; message-length maximum client auto<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map <BR />&nbsp; inspect ftp <BR />&nbsp; inspect h323 h225 <BR />&nbsp; inspect h323 ras <BR />&nbsp; inspect rsh <BR />&nbsp; inspect rtsp <BR />&nbsp; inspect esmtp <BR />&nbsp; inspect sqlnet <BR />&nbsp; inspect skinny &nbsp;<BR />&nbsp; inspect sunrpc <BR />&nbsp; inspect xdmcp <BR />&nbsp; inspect sip &nbsp;<BR />&nbsp; inspect netbios <BR />&nbsp; inspect tftp <BR />&nbsp; inspect ip-options <BR />!<BR />service-policy global_policy global<BR />prompt hostname context <BR />no call-home reporting anonymous<BR />Cryptochecksum:5561715cb929fb68558a53af740d5f8e</P> <P></P> <P>Can anyone provide a clear answer to why this is NOT working correctly as designed please</P> Fri, 21 Feb 2020 13:59:07 GMT qt_williams 2020-02-21T13:59:07Z https://community.cisco.com/t5/network-security/setting-up-the-asa-to-reach-the-internet/m-p/2997840#M1049922 <P>Hello Guys!&nbsp; This is a simple question about setting up my ASA for internet access.&nbsp; In can PING anything in the internet from my OUTSIDE interface and I can PING anything from my INSIDE interface on hte private side.&nbsp; BUT I can reach teh internet from the workstation.&nbsp; I thought my 'route' was clear as this is a simple config for a&nbsp; test scenario.&nbsp; Its too simple to call TAC for so I'm looking for a little assistance from the community&nbsp; Below is my config:</P> <P>Result of the command: "sh conf"<BR /><BR />: Saved<BR />: <BR />: Serial Number: JMX2040Y1A3<BR />: Hardware:&nbsp;&nbsp; ASA5505, 512 MB RAM, CPU Geode 500 MHz<BR />: Written by PPPPPPPP at 00:55:32.298 UTC Sat Sep 6 2008<BR />!<BR />ASA Version 9.1(6) <BR />!<BR />hostname TRCLOUD<BR />enable password 8Ry2YjIyt7RRXU24 encrypted<BR />names<BR />!<BR />interface Ethernet0/0<BR />&nbsp;switchport access vlan 2<BR />!<BR />interface Ethernet0/1<BR />!<BR />interface Ethernet0/2<BR />!<BR />interface Ethernet0/3<BR />!<BR />interface Ethernet0/4<BR />!<BR />interface Ethernet0/5<BR />!<BR />interface Ethernet0/6<BR />!<BR />interface Ethernet0/7<BR />!<BR />interface Vlan1<BR />&nbsp;nameif INTERNAL<BR />&nbsp;security-level 100<BR />&nbsp;ip address 172.20.3.1 255.255.255.248 <BR />!<BR />interface Vlan2<BR />&nbsp;nameif EXTERNAL<BR />&nbsp;security-level 0<BR />&nbsp;ip address 12.27.64.33 255.255.255.192 <BR />!<BR />ftp mode passive<BR />object network obj_any<BR />&nbsp;subnet 0.0.0.0 0.0.0.0<BR />object network NETWORK_OBJ_10.9.0.0_16<BR />&nbsp;subnet 10.9.0.0 255.255.0.0<BR />object network NETWORK_OBJ_172.20.3.0_29<BR />&nbsp;subnet 172.20.3.0 255.255.255.248<BR />object-group icmp-type ALLOW_ICMP<BR />&nbsp;icmp-object echo<BR />&nbsp;icmp-object echo-reply<BR />&nbsp;icmp-object traceroute<BR />&nbsp;icmp-object unreachable<BR />&nbsp;icmp-object time-exceeded<BR />access-list INBOUND extended permit icmp any any object-group ALLOW_ICMP <BR />access-list EXTERNAL_cryptomap extended permit ip 172.20.3.0 255.255.255.248 10.9.0.0 255.255.0.0 <BR />access-list EXTERNAL_cryptomap_1 extended permit ip 172.20.3.0 255.255.255.248 object NETWORK_OBJ_10.9.0.0_16 <BR />pager lines 24<BR />logging enable<BR />logging asdm informational<BR />mtu INTERNAL 1500<BR />mtu EXTERNAL 1500<BR />ip verify reverse-path interface EXTERNAL<BR />icmp unreachable rate-limit 1 burst-size 1<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />!<BR />object network obj_any<BR />&nbsp;nat (INTERNAL,EXTERNAL) dynamic interface<BR />route EXTERNAL 0.0.0.0 0.0.0.0 12.27.64.1 1 <BR />timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR />user-identity default-domain LOCAL<BR />http server enable<BR />http 192.168.1.0 255.255.255.0 INTERNAL<BR />http 0.0.0.0 0.0.0.0 INTERNAL<BR />http 0.0.0.0 0.0.0.0 EXTERNAL<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart<BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport<BR />crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac <BR />crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport<BR />crypto ipsec ikev2 ipsec-proposal DES<BR />&nbsp;protocol esp encryption des<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal 3DES<BR />&nbsp;protocol esp encryption 3des<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES<BR />&nbsp;protocol esp encryption aes<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES192<BR />&nbsp;protocol esp encryption aes-192<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec ikev2 ipsec-proposal AES256<BR />&nbsp;protocol esp encryption aes-256<BR />&nbsp;protocol esp integrity sha-1 md5<BR />crypto ipsec security-association pmtu-aging infinite<BR />crypto map EXTERNAL_map 2 match address EXTERNAL_cryptomap<BR />crypto map EXTERNAL_map 2 set peer 209.237.229.123 <BR />crypto map EXTERNAL_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<BR />crypto map EXTERNAL_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256<BR />crypto map EXTERNAL_map 3 match address EXTERNAL_cryptomap_1<BR />crypto map EXTERNAL_map 3 set peer 209.237.229.123 <BR />crypto map EXTERNAL_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<BR />crypto map EXTERNAL_map interface EXTERNAL<BR />crypto ca trustpool policy<BR />crypto ikev2 policy 1<BR />&nbsp;encryption aes-256<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 policy 10<BR />&nbsp;encryption aes-192<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 policy 20<BR />&nbsp;encryption aes<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 policy 30<BR />&nbsp;encryption 3des<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 policy 40<BR />&nbsp;encryption des<BR />&nbsp;integrity sha<BR />&nbsp;group 5 2<BR />&nbsp;prf sha<BR />&nbsp;lifetime seconds 86400<BR />crypto ikev2 enable INTERNAL<BR />crypto ikev2 enable EXTERNAL<BR />crypto ikev1 enable INTERNAL<BR />crypto ikev1 enable EXTERNAL<BR />crypto ikev1 policy 10<BR />&nbsp;authentication pre-share<BR />&nbsp;encryption 3des<BR />&nbsp;hash sha<BR />&nbsp;group 2<BR />&nbsp;lifetime 86400<BR />telnet 0.0.0.0 0.0.0.0 INTERNAL<BR />telnet timeout 5<BR />no ssh stricthostkeycheck<BR />ssh 0.0.0.0 0.0.0.0 INTERNAL<BR />ssh 0.0.0.0 0.0.0.0 EXTERNAL<BR />ssh timeout 5<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0<BR /><BR />dhcpd auto_config EXTERNAL<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />username quintin password Al6EjJ9p.JqnQYTA encrypted privilege 15<BR />username enable password FAdq8Y/jR1Akq8Vi encrypted privilege 15<BR />!<BR />class-map inspection_default<BR />&nbsp;match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />&nbsp;parameters<BR />&nbsp; message-length maximum client auto<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map <BR />&nbsp; inspect ftp <BR />&nbsp; inspect h323 h225 <BR />&nbsp; inspect h323 ras <BR />&nbsp; inspect rsh <BR />&nbsp; inspect rtsp <BR />&nbsp; inspect esmtp <BR />&nbsp; inspect sqlnet <BR />&nbsp; inspect skinny &nbsp;<BR />&nbsp; inspect sunrpc <BR />&nbsp; inspect xdmcp <BR />&nbsp; inspect sip &nbsp;<BR />&nbsp; inspect netbios <BR />&nbsp; inspect tftp <BR />&nbsp; inspect ip-options <BR />!<BR />service-policy global_policy global<BR />prompt hostname context <BR />no call-home reporting anonymous<BR />Cryptochecksum:5561715cb929fb68558a53af740d5f8e</P> <P></P> <P>Can anyone provide a clear answer to why this is NOT working correctly as designed please</P> Fri, 21 Feb 2020 13:59:07 GMT https://community.cisco.com/t5/network-security/setting-up-the-asa-to-reach-the-internet/m-p/2997840#M1049922 qt_williams 2020-02-21T13:59:07Z https://community.cisco.com/t5/network-security/setting-up-the-asa-to-reach-the-internet/m-p/2997841#M1049925 <P>Wasn't clear on the above - Can your Clients ping their own DG, which I assume is -&nbsp;<SPAN> 172.20.3.1.</SPAN></P> <P>What are the clients using for DNS?</P> Fri, 23 Dec 2016 09:34:34 GMT https://community.cisco.com/t5/network-security/setting-up-the-asa-to-reach-the-internet/m-p/2997841#M1049925 GRANT3779 2016-12-23T09:34:34Z https://community.cisco.com/t5/network-security/setting-up-the-asa-to-reach-the-internet/m-p/2997842#M1049926 <P>Currently there is only a single station and it's using LMHOST files for DNS.&nbsp; The wkstn can ping the IP address 172.20.3.1 with no problem.&nbsp; BUT I should add the DN server group or at least the name servers (8.8.8.8, etc.)</P> Fri, 23 Dec 2016 18:58:38 GMT https://community.cisco.com/t5/network-security/setting-up-the-asa-to-reach-the-internet/m-p/2997842#M1049926 qt_williams 2016-12-23T18:58:38Z https://community.cisco.com/t5/network-security/setting-up-the-asa-to-reach-the-internet/m-p/2997843#M1049927 <P>I am not entirely sure but i think if you tried to access an external web page via IP it would work. If it does you know the issue is DNS.</P> Fri, 23 Dec 2016 19:10:37 GMT https://community.cisco.com/t5/network-security/setting-up-the-asa-to-reach-the-internet/m-p/2997843#M1049927 GRANT3779 2016-12-23T19:10:37Z