topic Re: No internet access in Network Security

No internet access

gasparmenendez — Fri, 21 Feb 2020 14:32:22 GMT

hi friends, my ASA 5580 has an INSIDE interface with 192.168.62.254 ip add. and that interf. is connected to a Switch through vlan62 with 192.168.62.253 ip addr. When I connect a PC to vlan62 with a static ip add. (192.168.62.40) and set GW as 192.168.62.253 or 192.168.62.254 for the PC in both cases I can access the internet without any problem. So far so good....

Now I'm trying to do the same with another interface but I can't. The other inter. has 192.168.51.254 ip add and is connected to Swich through vlan51 with 192.168.51.253 ip add. When I use GW 192.168.51.254 in the PC I can access internet without problem, but when I use 192.168.51.253 as GW I can't...and the problem is that I need to use 192.168.51.253 as GW...can anybody help me please??? is this a conf. problem on the ASA ??? Thanks in advance.

Re: No internet access

Dean Romanelli — Thu, 19 Oct 2017 18:20:15 GMT

Could you post your ASA configs for us please?

Re: No internet access

gasparmenendez — Thu, 19 Oct 2017 18:35:08 GMT

here it is:

ASA5580# sh running-config
: Saved
:
: Serial Number: USE00
: Hardware:   ASA5580-20, 8192 MB RAM, CPU AMD Opteron 2600 MHz, 2 CPUs (4 cores)
:
ASA Version 9.1(7)19
!
hostname ASA5580
enable password TFyi2xrxZ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool pool-vpn-prueba 192.168.239.1-192.168.239.100 mask 255.255.255.0
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.0.44 255.255.255.0
!
interface Management0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/2
nameif CARRIERS
security-level 30
ip address 10.227.224.3 255.255.252.0
!
interface GigabitEthernet3/3
nameif INSIDE_Prueba
security-level 40
ip address 192.168.62.254 255.255.255.0
!
interface TenGigabitEthernet5/0
nameif CMTS
security-level 50
ip address 192.168.61.9 255.255.255.0
!
interface TenGigabitEthernet5/1
nameif FTTH
security-level 50
ip address 192.168.51.254 255.255.255.0
!
interface TenGigabitEthernet7/0
nameif OUTSIDE
security-level 0
ip address 170.X.X.2 255.255.255.240
!
interface TenGigabitEthernet7/1
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-19-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 10.19.0.0
subnet 10.19.0.0 255.255.0.0
object network 170.X.X.3
host 170.X.X.3
object network 170.X.X.4
host 170.X.X.4
object network 170.X.X.5
host 170.X.X.5
object network 170.X.X.6
host 170.X.X.6
object network 170.X.X.7
host 170.X.X.7
object network 170.X.X.8
host 170.X.X.8
object network 170.X.X.9
host 170.X.X.9
object network 170.X.X.10
host 170.X.X.10
object network 170.X.X.11
host 170.X.X.11
object network 170.X.X.12
host 170.X.X.12
object network 170.X.X.13
host 170.X.X.13
object network 170.X.X.14
host 170.X.X.14
object network 10.27.0.0
subnet 10.27.0.0 255.255.0.0
object network 10.25.0.0
subnet 10.25.0.0 255.255.0.0
object network 10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network 10.39.0.0
subnet 10.39.0.0 255.255.0.0
object network 10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network 10.35.0.0
subnet 10.35.0.0 255.255.0.0
object network 10.33.0.0
subnet 10.33.0.0 255.255.0.0
object network 10.13.0.0
subnet 10.13.0.0 255.255.0.0
object network 10.17.0.0
subnet 10.17.0.0 255.255.0.0
object network 10.37.0.0
subnet 10.37.0.0 255.255.0.0
object network 10.41.0.0
subnet 10.41.0.0 255.255.0.0
object network 10.45.0.0
subnet 10.45.0.0 255.255.0.0
object network 170.X.X.16
host 170.X.X.16
object network 170.X.X.17
host 170.X.X.17
object network 170.X.X.18
host 170.X.X.18
object network 170.X.X.19
host 170.X.X.19
object network 170.X.X.20
host 170.X.X.20
object network 170.X.X.21
host 170.X.X.21
object network 170.X.X.22
host 170.X.X.22
object network 170.X.X.23
host 170.X.X.23
object network 170.X.X.24
host 170.X.X.24
object network 170.X.X.25
host 170.X.X.25
object network 10.47.0.0
subnet 10.47.0.0 255.255.0.0
object network 170.X.X.26
host 170.X.X.26
object network 170.X.X.27
host 170.X.X.27
object network 170.X.X.28
host 170.X.X.28
object network 170.X.X.29
host 170.X.X.29
object network 170.X.X.30
host 170.X.X.30
object network 170.X.X.31
host 170.X.X.31
object network 10.49.0.0
subnet 10.49.0.0 255.255.0.0
object network Prueba-10.227.225.210
host 10.227.225.210
object network 10.227.225.210
host 10.227.225.210
object network 172.16.99.0
subnet 172.16.99.0 255.255.255.0
object network 172.16.99.22
host 172.16.99.22
object network 10.50.0.0
subnet 10.50.0.0 255.255.0.0
object network 10.51.0.0
subnet 10.51.0.0 255.255.0.0
object network 10.227.225.20
host 10.227.225.20
object network CentroValle_1930
host 10.227.225.20
object network CentroValle_1946
host 10.227.225.20
object network 170.X.X.2
host 170.X.X.2
object network Stgo4646_3050
host 10.44.0.130
object network 10.44.0.130
host 10.44.0.130
object network 192.168.199.0
subnet 192.168.199.0 255.255.255.0
object network 10.227.225.41
host 10.227.225.41
object network Administracion_FTTH_NuevoIdeal
subnet 10.16.10.0 255.255.255.0
description Administracion FTTH Nuevo Ideal
object network 10.228.0.0
subnet 10.228.0.0 255.255.240.0
description 10.228.0.0
object network 192.168.239.0
subnet 192.168.239.0 255.255.255.128
description 192.168.239.0
object network NETWORK_OBJ_192.168.239.0_25
subnet 192.168.239.0 255.255.255.128
object network pool-vpn-prueba
subnet 192.168.239.0 255.255.255.128
object network Pool_CMTS_Stgo
range 170.X.X.8 170.X.X.9
object network 10.227.225.12
host 10.227.225.12
object network AutopartesStgo_Suc_NI_81
host 10.227.225.12
object network AutopartesStgo_Suc_NI_554
host 10.227.225.12
object network AutopartesStgo_Suc_NI_8000
host 10.227.225.12
object network 10.227.225.31
host 10.227.225.31
object network Ferrepisos_NI_3389
host 10.227.225.31
object network Ferrepisos_NI_8081
host 10.227.225.31
object network 10.227.225.21
host 10.227.225.21
object network 10.227.225.22
host 10.227.225.22
object network 170.X.X.80
host 170.X.X.80
object network 170.X.X.81
host 170.X.X.81
object network 170.X.X.82
host 170.X.X.82
object network 10.227.225.29
host 10.227.225.29
object network 10.227.225.39
host 10.227.225.39
object network 170.X.X.83
host 170.X.X.83
object network 170.X.X.84
host 170.X.X.84
object network 170.X.X.85
host 170.X.X.85
object network 192.168.199.29
host 192.168.199.29
description Gaspar
object network 10.227.224.11
host 10.227.224.11
description CACTI_Carrier
object network CACTI_Carrier
host 10.227.224.11
object network 10.227.224.0
subnet 10.227.224.0 255.255.252.0
object network ALTAI
host 172.16.99.22
object network VPN-POOL
range 192.168.239.1 192.168.239.100
object network Pool_CMTS_Victoria
range 170.X.X.11 170.X.X.12
object network INSIDE-TEST
subnet 192.168.62.0 255.255.255.0
object network Servidor_Comcast
host 192.168.51.100
object network FTTH-network
subnet 192.168.51.0 255.255.255.0
object network 10.30.0.0
subnet 10.30.0.0 255.255.0.0
description 10.30.0.0
object-group network redvpn
network-object object 192.168.199.0
access-list CARRIERS_access_in extended permit ip 10.227.224.0 255.255.252.0 any4
access-list CARRIERS_access_out extended permit ip any4 10.227.224.0 255.255.252.0
access-list CARRIERS_access_out extended permit ip 192.168.199.0 255.255.255.0 10.227.224.0 255.255.252.0
access-list OUTSIDE_access_in remark ALTAI
access-list OUTSIDE_access_in extended permit ip any4 object 172.16.99.22
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.20 eq 1930
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.20 eq 1946
access-list OUTSIDE_access_in remark Stgo Contrato 4646
access-list OUTSIDE_access_in extended permit tcp any4 object 10.44.0.130 eq 3050
access-list OUTSIDE_access_in remark Prueba
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.210
access-list OUTSIDE_access_in remark Gasolinera Holanda
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.41
access-list OUTSIDE_access_in remark AutopartesStgo_Suc_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.12 eq 81
access-list OUTSIDE_access_in remark AutopartesStgo_Suc_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.12 eq rtsp
access-list OUTSIDE_access_in remark AutopartesStgo_Suc_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.12 eq 8000
access-list OUTSIDE_access_in remark Ferrepisos_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.31 eq 3389
access-list OUTSIDE_access_in remark Ferrepisos_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.31 eq 8081
access-list OUTSIDE_access_in remark Gasolinera Samantha
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.21
access-list OUTSIDE_access_in remark Gasolinera CM
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.22
access-list OUTSIDE_access_in remark Farmacia Economica NI
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.39
access-list OUTSIDE_access_in remark Caja Hipodromo NI
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.29
access-list OUTSIDE_access_in remark CACTI_Carrier
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.224.11
access-list OUTSIDE_access_in extended permit ip any4 any4
access-list INSIDE_Prueba_access_in extended permit ip 192.168.62.0 255.255.255.0 any4
access-list INSIDE_Prueba_access_in extended permit ip object 172.16.99.0 any4
access-list INSIDE_Prueba_access_in extended permit ip object 192.168.199.0 any4
access-list INSIDE_Prueba_access_in extended permit ip object 10.228.0.0 any4
access-list INSIDE_Prueba_access_in extended permit ip 10.227.224.0 255.255.252.0 192.168.199.0 255.255.255.0
access-list INSIDE_Prueba_access_in extended permit ip 192.168.199.0 255.255.255.0 192.168.239.0 255.255.255.128
access-list ACL-tunel-vpn-prueba standard permit 192.168.199.0 255.255.255.0
access-list ACL-tunel-vpn-prueba standard permit 192.168.239.0 255.255.255.0
access-list ACL-tunel-vpn-prueba standard permit 192.168.62.0 255.255.255.0
access-list INSIDE_Prueba_access_out extended permit ip 10.227.224.0 255.255.252.0 any4
access-list INSIDE_Prueba_access_out extended permit ip 192.168.199.0 255.255.255.0 any4
access-list INSIDE_Prueba_access_out extended permit ip any4 object 172.16.99.0
access-list INSIDE_Prueba_access_out extended permit ip 192.168.239.0 255.255.255.128 192.168.199.0 255.255.255.0
access-list TEST extended permit ip 192.168.199.0 255.255.255.0 192.168.239.0 255.255.255.128
access-list TEST extended permit ip 192.168.239.0 255.255.255.128 192.168.199.0 255.255.255.0
access-list FTTH_access_in extended permit ip 192.168.51.0 255.255.255.0 any4
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu CARRIERS 1500
mtu INSIDE_Prueba 1500
mtu CMTS 1500
mtu OUTSIDE 1500
mtu FTTH 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any CARRIERS
icmp permit any echo CARRIERS
icmp permit any echo-reply CARRIERS
icmp permit any OUTSIDE
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (CMTS,OUTSIDE) source dynamic 10.19.0.0 170.X.X.16
nat (CMTS,OUTSIDE) source dynamic 10.27.0.0 pat-pool Pool_CMTS_Victoria
nat (CMTS,OUTSIDE) source dynamic 10.25.0.0 170.X.X.18
nat (CMTS,OUTSIDE) source dynamic 10.39.0.0 170.X.X.20
nat (CMTS,OUTSIDE) source dynamic 10.35.0.0 170.X.X.22
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 170.X.X.23
nat (CMTS,OUTSIDE) source dynamic 10.13.0.0 170.X.X.13
nat (CMTS,OUTSIDE) source dynamic 10.17.0.0 170.X.X.25
nat (CMTS,OUTSIDE) source dynamic 10.37.0.0 170.X.X.26
nat (CMTS,OUTSIDE) source dynamic 10.41.0.0 170.X.X.27
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 170.X.X.29
nat (CMTS,OUTSIDE) source dynamic 10.47.0.0 170.X.X.21
nat (CMTS,OUTSIDE) source dynamic 10.49.0.0 170.X.X.24
nat (CARRIERS,OUTSIDE) source static 10.227.225.210 170.X.X.3
nat (CARRIERS,OUTSIDE) source static 10.227.225.41 170.X.X.82 description Gasolinera Holanda
nat (INSIDE_Prueba,OUTSIDE) source dynamic 10.228.0.0 170.X.X.10
nat (CMTS,OUTSIDE) source dynamic 10.51.0.0 pat-pool Pool_CMTS_Stgo
nat (CARRIERS,OUTSIDE) source static 10.227.225.21 170.X.X.80 description Gasolinera Samantha
nat (CARRIERS,OUTSIDE) source static 10.227.225.22 170.X.X.81 description Gasolinera CM
nat (CARRIERS,OUTSIDE) source static 10.227.225.39 170.X.X.83
nat (CARRIERS,OUTSIDE) source static 10.227.225.29 170.X.X.84
nat (INSIDE_Prueba,OUTSIDE) source static INSIDE-TEST INSIDE-TEST destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25 no-proxy-arp route-lookup
nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static pool-vpn-prueba pool-vpn-prueba no-proxy-arp route-lookup
nat (OUTSIDE,OUTSIDE) source static pool-vpn-prueba pool-vpn-prueba destination static pool-vpn-prueba pool-vpn-prueba no-proxy-arp route-lookup
nat (FTTH,OUTSIDE) source dynamic any 170.X.X.10
nat (FTTH,OUTSIDE) source dynamic 10.30.0.0 170.X.X.10
!
object network CentroValle_1930
nat (CARRIERS,OUTSIDE) static interface service tcp 1930 11930
object network CentroValle_1946
nat (CARRIERS,OUTSIDE) static interface service tcp 1946 11946
object network Stgo4646_3050
nat (CMTS,OUTSIDE) static 170.X.X.28 service tcp 3050 13050
object network AutopartesStgo_Suc_NI_81
nat (CARRIERS,OUTSIDE) static interface service tcp 81 10081
object network AutopartesStgo_Suc_NI_554
nat (CARRIERS,OUTSIDE) static interface service tcp rtsp 10554
object network AutopartesStgo_Suc_NI_8000
nat (CARRIERS,OUTSIDE) static interface service tcp 8000 18000
object network Ferrepisos_NI_3389
nat (CARRIERS,OUTSIDE) static interface service tcp 3389 13389
object network Ferrepisos_NI_8081
nat (CARRIERS,OUTSIDE) static interface service tcp 8081 18081
object network CACTI_Carrier
nat (CARRIERS,OUTSIDE) static 170.X.X.6
object network ALTAI
nat (INSIDE_Prueba,OUTSIDE) static 170.X.X.4
!
nat (CARRIERS,OUTSIDE) after-auto source dynamic any interface
nat (INSIDE_Prueba,OUTSIDE) after-auto source dynamic any interface
nat (CMTS,OUTSIDE) after-auto source dynamic 10.45.0.0 170.X.X.28
nat (OUTSIDE,OUTSIDE) after-auto source static pool-vpn-prueba interface no-proxy-arp
access-group CARRIERS_access_in in interface CARRIERS
access-group CARRIERS_access_out out interface CARRIERS
access-group INSIDE_Prueba_access_out out interface INSIDE_Prueba
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 170.X.X.1 1
route CMTS 10.8.0.0 255.255.0.0 192.168.61.102 1
route CMTS 10.9.0.0 255.255.0.0 192.168.61.102 1
route CMTS 10.10.0.0 255.255.0.0 192.168.61.101 1
route CMTS 10.11.0.0 255.255.0.0 192.168.61.101 1
route CMTS 10.12.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.13.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.16.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.17.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.18.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.19.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route FTTH 10.30.0.0 255.255.0.0 192.168.51.50 1
route CMTS 10.32.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.33.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.34.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.35.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.36.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.37.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.40.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.41.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.44.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.45.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.46.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.47.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.48.0.0 255.255.0.0 192.168.61.138 1
route CMTS 10.49.0.0 255.255.0.0 192.168.61.138 1
route CMTS 10.50.0.0 255.255.0.0 192.168.61.139 1
route CMTS 10.51.0.0 255.255.0.0 192.168.61.139 1
route INSIDE_Prueba 10.228.0.0 255.255.0.0 192.168.62.253 1
route INSIDE_Prueba 172.16.99.0 255.255.255.0 192.168.62.253 1
route INSIDE_Prueba 192.168.199.0 255.255.255.0 192.168.62.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server host management 192.168.0.2 community ***** udp-port 161
snmp-server location Site-Dg
no snmp-server contact
snmp-server community *****
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.255.0 management
ssh 192.168.0.0 255.255.255.0 INSIDE_Prueba
ssh 200.Y.Y.3 255.255.255.255 OUTSIDE
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE_Prueba
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy policiy-tunel-vpn-prueba-all internal
group-policy policiy-tunel-vpn-prueba-all attributes
dns-server value 209.244.0.3 209.244.0.4
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelall
group-policy policiy-tunel-vpn-prueba-split internal
group-policy policiy-tunel-vpn-prueba-split attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-tunel-vpn-prueba
username fermin password vWzyma2s encrypted privilege 15
username gaspar password uFhUHyhgi encrypted privilege 15
username extra password Mgi9n5y3x encrypted privilege 15
tunnel-group tunel-vpn-prueba type remote-access
tunnel-group tunel-vpn-prueba general-attributes
address-pool pool-vpn-prueba
default-group-policy policiy-tunel-vpn-prueba-split
tunnel-group tunel-vpn-prueba ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 7
subscribe-to-alert-group configuration periodic monthly 7
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a33559ffa672a6fb650
: end
ASA5580#

Re: No internet access

Dean Romanelli — Thu, 19 Oct 2017 18:54:43 GMT

Does your switch have any static routes configured? I suspect I may know the issue.

Could you please port the output of the following command from your switch:

show run | section ip route

Re: No internet access

gasparmenendez — Thu, 19 Oct 2017 19:10:51 GMT

Sorry, I forgot to mention that both interfaces are connected to diffrent switches, INSIDE is connected to 3750 Switch and FFTH is connected to 3850 Switch. Supposing you want me to run the command in 3850 here you go:

SW3850_Core#show run | section ip route
ip route 0.0.0.0 0.0.0.0 192.168.60.254
ip route 10.26.0.0 255.255.0.0 192.168.61.123
ip route 10.27.0.0 255.255.0.0 192.168.61.123
ip route 172.16.8.0 255.255.255.0 192.168.60.254
ip route 172.30.0.0 255.255.254.0 192.168.60.254
ip route 192.168.61.0 255.255.255.0 192.168.61.254
ip route 192.168.62.0 255.255.255.0 192.168.20.223

Re: No internet access

Dean Romanelli — Thu, 19 Oct 2017 19:22:38 GMT

Where is 192.168.60.254 in physical relation to the 3850 and the ASA?

Re: No internet access

gasparmenendez — Thu, 19 Oct 2017 19:27:08 GMT

is in another ASA (5540)...

Re: No internet access

Dean Romanelli — Thu, 19 Oct 2017 20:04:03 GMT

Is that ASA 5540 in between the core switch and the ASA 5580?

Re: No internet access

gasparmenendez — Thu, 19 Oct 2017 20:15:51 GMT

not between, is connected to another port in 3850, like the 5580...

5540 is in port g1/0/1 and 5580 in port t1/1/3....

besides that, I ran some test in the 5580:

ASA5580# packet-tracer input ftTH tcp 192.168.51.40 1024 8.8.8.8 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (FTTH,OUTSIDE) source dynamic any 170.X.X.10
Additional Information:
Dynamic translate 192.168.51.40/1024 to 170.X.X.10/1024

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (FTTH,OUTSIDE) source dynamic any 170.X.X.10
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2128048568, packet dispatched to next module

Result:
input-interface: FTTH
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

and in the way around:

ASA5580# packet-tracer input ouTSIDE tcp 8.8.8.8 12345 170.X.X.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 170.X.X.0 255.255.255.240 OUTSIDE

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

Re: No internet access

mikael.lahtela — Fri, 20 Oct 2017 08:07:01 GMT

Hi,

Looks like the 5580 is working as expected, but you are default routing everything to the 5540 in the 3850.
Is that what you want?
If so the problem is probably in the 5540 and not in the 5580.
If you do a packet capture on the 5540, do you see the client traffic there?

# to capture traffic, need to change X to correct interface.
capture A interface X match ip host 192.168.51.40 host 8.8.8.8
# to see the capture
show capture A

br, Micke

Re: No internet access

gasparmenendez — Fri, 20 Oct 2017 14:12:20 GMT

thanks my friend, I solved already.... Just added a route to the 5580 and now everything is ok.

Thanks!