topic Problem accessing internet through ASA 5540 in Network Security

Problem accessing internet through ASA 5540

gasparmenendez — Tue, 12 Mar 2019 08:33:30 GMT

Hello, I´m setting up an ASA 5540 from scratch. Right now is only for testing and understanding purposes, so the configuration is very simple. My problem is that I have a PC in my LAN that can´t reach internet through the ASA. I can´t see what I´m missing, like I said the configuration is very simple so this shouldn´t be an issue. Here´s the configuration:

ciscoasa# show running-config
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password X encrypted
passwd X encrypted
names
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 200.X.X.194 255.255.255.252
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.227.225.1 255.255.252.0
!
interface GigabitEthernet0/2
nameif FTTH
security-level 50
ip address 10.229.0.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif CMTS
security-level 50
ip address 192.168.61.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.22 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
same-security-traffic permit intra-interface
object network CACTI
host 10.227.224.11
object network ip120
host 200.X.X.120
object network ip101
host 200.X.X.101
object network ip102
host 200.X.X.102
object network ip121
host 200.X.X.121
object network ip122
host 200.X.X.122
object network ip123
host 200.X.X.123
object network ip124
host 200.X.X.124
object network ip125
host 200.X.X.125
object network ip126
host 200.X.X.126
object network ip127
host 200.X.X.127
object network Caja_Hipodromo
host 10.227.225.29
object network Farma_Eco_NI
host 10.227.255.3
object network Gas_Holanda
host 10.227.225.41
object network Gasolinera_CM
host 10.227.225.22
object network Gasolinera_Samantha
host 10.227.225.21
object network Notigram
host 10.227.224.225
object network Odoo
host 10.227.224.226
object network AutopartesStgo_SucNI_81
host 10.227.225.12
object network AutopartesStgo_SucNI_554
host 10.227.225.12
object network AutopartesStgo_SucNI_8000
host 10.227.225.12
access-list INSIDE_nat_outbound extended permit ip 10.227.224.0 255.255.252.0 any
access-list OUTSIDE_access_in remark Cacti
access-list OUTSIDE_access_in extended permit ip any object ip120 log disable
access-list OUTSIDE_access_in remark Caja Hipodromo
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.123 log disable
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10443 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10500 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 14500 inactive
access-list OUTSIDE_access_in remark Farmacia Economica NI
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.102
access-list OUTSIDE_access_in remark puerto Ferrepisos NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 13389
access-list OUTSIDE_access_in remark Gasolinera Samantha
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.127 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10081 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10554 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 18000 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10587 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10110
access-list OUTSIDE_access_in extended permit udp 200.X.X.0 255.255.255.0 any range 10000 20000 log disable
access-list OUTSIDE_access_in remark Odoo Felipe
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.121 log disable
access-list OUTSIDE_access_in remark Gasolinera Holanda
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.101 log disable
access-list OUTSIDE_access_in remark Servidor Notigram
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.122 log disable
access-list OUTSIDE_access_in remark Gasolinera CM
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.124 log disable
access-list CMTS_nat_outbound extended permit ip 10.39.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_1 extended permit ip 10.27.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_2 extended permit ip 10.25.0.0 255.255.0.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.229.0.0 255.255.255.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.228.0.0 255.255.240.0 any
access-list INSIDE_access_in extended permit ip 10.227.224.0 255.255.252.0 any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu FTTH 1500
mtu CMTS 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network AutopartesStgo_SucNI_81
nat (INSIDE,OUTSIDE) static interface service tcp 81 10081
object network AutopartesStgo_SucNI_554
nat (INSIDE,OUTSIDE) static interface service tcp rtsp 10554
object network AutopartesStgo_SucNI_8000
nat (INSIDE,OUTSIDE) static interface service tcp 8000 18000
!
nat (INSIDE,OUTSIDE) after-auto source static CACTI ip120
nat (INSIDE,OUTSIDE) after-auto source static Gas_Holanda ip101
nat (INSIDE,OUTSIDE) after-auto source static Farma_Eco_NI ip102
nat (INSIDE,OUTSIDE) after-auto source static Odoo ip121
nat (INSIDE,OUTSIDE) after-auto source static Notigram ip122
nat (INSIDE,OUTSIDE) after-auto source static Caja_Hipodromo ip123
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_CM ip124
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_Samantha ip127
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.X.X.193 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route FTTH 10.228.0.0 255.255.240.0 10.229.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server location X
snmp-server contact X
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username X password X encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:X
: end

Right now I'm only using INSIDE and OUTSIDE interfaces, the rest are disconnected. PC have ip address 10.227.224.228, Mask 255.255.252.0, GW 10.227.225.1, DNS publics. PC can ping INSIDE interface 10.227.225.1. Any ideas what I´m doing wrong??? Can anybody help please??

Hi there,

cofee — Sat, 19 Nov 2016 22:09:19 GMT

Hi there,

Did you look at the ASA logs what it's doing with the outbound packet originated by the PC? you can do "logging on" and "logging console 7" you can safely use these commands as you mentioned this ASA is not live yet. Also, I would look at the xlate table when you send outbound traffic to make sure it's getting Nated with the right address "sh xlate".

You have this nat rule configured and it doesn't look right:

nat (INSIDE,OUTSIDE) static interface service tcp 81 10081 ( can you remove service tcp 81 10081) and then check if it works. I assume you have a DNS server configured.

You can also use the packet tracer command to see if the traffic is allowed and if not what's the issue-

packet-tracer input inside tcp "pc address" 1024 (random port number) destination address port number (for destination address you can choose any public address that's reachable via your outside interface)

I hope this helps.

Looks like a NAT issue. You

Oliver Kaiser — Sun, 20 Nov 2016 12:17:22 GMT

Looks like a NAT issue. You have multiple static NAT rules configured but in case your source ip does not match the address specified in your nat rules it will not translate to the ip address of your outside interface.

You may configure PAT to NAT all traffic from inside to your outside interface ip address

nat (inside,outside) dynamic interface

As cofee has already pointed out you may want to check your translation table using show xlate to verify your traffic is correctly NATed and use the packet-tracer command to simulate a flow to verify which ACL and which NAT rule would match.

First of all thank you both

gasparmenendez — Mon, 21 Nov 2016 18:52:04 GMT

First of all thank you both for your help.

Today's hollyday on my country so I can't run the tests you're suggesting coz I'm not at office, but tomorrow morning first thing will be check what you're telling me.

I just want to tell you that I have an ASA 5520 in production and working fine. My idea is to replace that 5520 with the 5540 mentioned before, once it's running well. Because that, the 5540 have some configurations from the 5520 that I tried to clone from one to another. Maybe isn't right??

Thanks in advance.

I tried what you both told me

gasparmenendez — Tue, 22 Nov 2016 16:02:42 GMT

I tried what you both told me, without any luck. Firstly I removed nat (INSIDE,OUTSIDE) static interface service tcp 81 10081 and then show xlate, here's the result:

ciscoasa(config)# show xlate
10 in use, 11 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from INSIDE:10.227.225.12 554-554 to OUTSIDE:200.X.X.194 10554-10554
    flags sr idle 92:13:11 timeout 0:00:00
TCP PAT from INSIDE:10.227.225.12 8000-8000 to OUTSIDE:200.X.X.194 18000-18000
    flags sr idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.224.11 to OUTSIDE:200.X.X.120
    flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.225.41 to OUTSIDE:200.X.X.101
    flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.255.3 to OUTSIDE:200.X.X.102
    flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.224.226 to OUTSIDE:200.X.X.121
    flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.224.225 to OUTSIDE:200.X.X.122
    flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.225.29 to OUTSIDE:200.X.X.123
    flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.225.22 to OUTSIDE:200.X.X.124
    flags s idle 92:13:11 timeout 0:00:00
NAT from INSIDE:10.227.225.21 to OUTSIDE:200.X.X.127
    flags s idle 92:13:11 timeout 0:00:00

After that I tried packet-tracer. Here's the result:

ciscoasa(config)# packet-tracer input inSIDE tcp 10.227.224.228 1024 8.8.8.8 8080

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit ip 10.227.224.0 255.255.252.0 any
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 32580, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

I tried to do nat (inSIDE,ouTSIDE) source dynamic interface but returns error. I also tried "logging on" and "logging console 7" but nothing happens.

I have public DNS configured in my PC.

Any other ideas please?

Nat syntax:

cofee — Tue, 22 Nov 2016 16:32:50 GMT

Nat syntax:

nat (inside,outside) source dynamic pc interface (pc is object that you need create and call it. like I said you can name it whatever)

Create object network PC (you can name it whatever):

object network pc

subnet 10.227.224.0 255.255.252.0

Instead of subnet you can also just specify a single node with host command. Also check the logs to see if you see any deny when you generate traffic for outside from the pc. Can you do a nslookup from the pc and make sure it can resolve things like yahoo and google.com

Excellent my friend!!! now is

gasparmenendez — Tue, 22 Nov 2016 17:15:56 GMT

Excellent my friend!!! now is working fine... Cause this is for testing I'll run one more test, this time changing the outside interface. Keep in touch.

BR,

Hi folks!! Now I have a new

gasparmenendez — Tue, 22 Nov 2016 20:14:07 GMT

Hi folks!! Now I have a new problem, now in this new scenario:

I have a Cablemodem connected directly to internet through the WAN interface and in the LAN interface it has ip address 192.168.1.1 and it's not serving DHCP. When I connect my PC directly to de CM I setup a static ip address (192.168.1.3) and can reach the internet without problem. So far so good.

Now I configured one of the ASA interfaces with that ip address (192.168.1.3), named CM and connected the Cablemodem to it. Right after I do "nat (INSIDE,OUTSIDE) source dynamic PC interface" and make "nat (INSIDE,CM) source dynamic PC interface but the PC isn't reaching internet.

What I'm doing wrong?? Can anybody helpme please??

I didn't see this new block

cofee — Tue, 22 Nov 2016 20:23:20 GMT

I didn't see this new block 192.168.1.x/24 anywhere in the configuration you sent earlier. Can you send how you are Nating this address and how is it getting routed to internet? also if you can send the route table.

Sorry my friend, here's the

gasparmenendez — Tue, 22 Nov 2016 21:30:42 GMT

Sorry my friend, here's the new configuration:

ciscoasa# show running-config
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password X encrypted
passwd X encrypted
names
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 200.X.X.194 255.255.255.252
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.227.225.1 255.255.252.0
!
interface GigabitEthernet0/2
nameif CM
security-level 50
ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet0/3
nameif CMTS
security-level 50
ip address 192.168.61.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.0.22 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
same-security-traffic permit intra-interface
object network CACTI
host 10.227.224.11
object network ip120
host 200.X.X.120
object network ip101
host 200.X.X.101
object network ip102
host 200.X.X.102
object network ip121
host 200.X.X.121
object network ip122
host 200.X.X.122
object network ip123
host 200.X.X.123
object network ip124
host 200.X.X.124
object network ip125
host 200.X.X.125
object network ip126
host 200.X.X.126
object network ip127
host 200.X.X.127
object network Caja_Hipodromo
host 10.227.225.29
object network Farma_Eco_NI
host 10.227.255.3
object network Gas_Holanda
host 10.227.225.41
object network Gasolinera_CM
host 10.227.225.22
object network Gasolinera_Samantha
host 10.227.225.21
object network Notigram
host 10.227.224.225
object network Odoo
host 10.227.224.226
object network AutopartesStgo_SucNI_81
host 10.227.225.12
object network AutopartesStgo_SucNI_554
host 10.227.225.12
object network AutopartesStgo_SucNI_8000
host 10.227.225.12
object network PC
subnet 10.227.224.0 255.255.252.0
access-list INSIDE_nat_outbound extended permit ip object PC any
access-list OUTSIDE_access_in remark Cacti
access-list OUTSIDE_access_in extended permit ip any object ip120 log disable
access-list OUTSIDE_access_in remark Caja Hipodromo
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.123 log disable
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10443 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10500 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 14500 inactive
access-list OUTSIDE_access_in remark Farmacia Economica NI
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.102
access-list OUTSIDE_access_in remark puerto Ferrepisos NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 13389
access-list OUTSIDE_access_in remark Gasolinera Samantha
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.127 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10081 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10554 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 18000 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10587 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10110
access-list OUTSIDE_access_in extended permit udp 200.X.X.0 255.255.255.0 any range 10000 20000 log disable
access-list OUTSIDE_access_in remark Odoo Felipe
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.121 log disable
access-list OUTSIDE_access_in remark Gasolinera Holanda
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.101 log disable
access-list OUTSIDE_access_in remark Servidor Notigram
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.122 log disable
access-list OUTSIDE_access_in remark Gasolinera CM
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.124 log disable
access-list OUTSIDE_access_in extended permit ip any any
access-list CMTS_nat_outbound extended permit ip 10.39.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_1 extended permit ip 10.27.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_2 extended permit ip 10.25.0.0 255.255.0.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.229.0.0 255.255.255.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.228.0.0 255.255.240.0 any
access-list INSIDE_access_in extended permit ip object PC any
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu CM 1500
mtu CMTS 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INSIDE,CM) source dynamic PC interface
!
object network AutopartesStgo_SucNI_81
nat (INSIDE,OUTSIDE) static interface service tcp 81 10081
object network AutopartesStgo_SucNI_554
nat (INSIDE,OUTSIDE) static interface service tcp rtsp 10554
object network AutopartesStgo_SucNI_8000
nat (INSIDE,OUTSIDE) static interface service tcp 8000 18000
!
nat (INSIDE,OUTSIDE) after-auto source static CACTI ip120
nat (INSIDE,OUTSIDE) after-auto source static Gas_Holanda ip101
nat (INSIDE,OUTSIDE) after-auto source static Farma_Eco_NI ip102
nat (INSIDE,OUTSIDE) after-auto source static Odoo ip121
nat (INSIDE,OUTSIDE) after-auto source static Notigram ip122
nat (INSIDE,OUTSIDE) after-auto source static Caja_Hipodromo ip123
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_CM ip124
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_Samantha ip127
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.X.X.193 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route CM 10.228.0.0 255.255.240.0 10.229.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server location Site-X
snmp-server contact X
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username X password X encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:X
: end

I only changed:

interface GigabitEthernet0/2
nameif CM
security-level 50
ip address 192.168.1.3 255.255.255.0

and:

nat (INSIDE,CM) source dynamic PC interface

Regarding route table:

ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 200.X.X.193 to network 0.0.0.0

C    200.X.X.192 255.255.255.252 is directly connected, OUTSIDE
C    10.227.224.0 255.255.252.0 is directly connected, INSIDE
S    10.228.0.0 255.255.240.0 [1/0] via 10.229.0.2, CM
C    192.168.0.0 255.255.255.0 is directly connected, management
C    192.168.1.0 255.255.255.0 is directly connected, CM
S*   0.0.0.0 0.0.0.0 [1/0] via 200.X.X.193, OUTSIDE

The only thing I need is that traffic from PC reach internet through CM interface, without affecting other routes that wil reach internet through the OUTSIDE interface.

Does this help you?

You want to NAT your inside

cofee — Tue, 22 Nov 2016 21:51:46 GMT

You want to NAT your inside network to CM (192.168.1.x) but you have outside interface configured as the default gateway therefore it doesn't know how to get out.

Since destination address won't be specific you can't configure a route pointing to CM and you can't have dual default gateways. I will have to look it up if there is a way to do it. In the meantime may be someone else can assist you with this.

create another default router

cofee — Tue, 22 Nov 2016 21:57:53 GMT

create another default router using cm interface:

route cm 0.0.0.0 0.0.0.0 next hop

see if that works

Sorry these are 2 different

cofee — Tue, 22 Nov 2016 22:09:01 GMT

Sorry these are 2 different interfaces so ASA won't accept dual default gateways. Yeah don't install this route because it will remove your current default gateway. I can't think of a solution for this right now.

I really apreciate your help

gasparmenendez — Tue, 22 Nov 2016 23:07:47 GMT

I really apreciate your help very much cofee@0400.

I'm totally agree with you about what you say regarding the 2 default gateways.

I have only 1 doubt: since the inside network is NATed to CM interface, is not the Cablemodem it self who works as gateway for everything incoming to the LAN port??

The problem is that your ASA

Oliver Kaiser — Tue, 22 Nov 2016 23:17:30 GMT

The problem is that your ASA can only use one default route. If traffic from your inside network is received, ASA will determine which outbound interface should be used to route the traffic to.

In case no specific route is found, it will fall back to your configured default route and route traffic according to your configuration. In case you would like to utilize source-based routing (e.g. route traffic from Subnet A to Internet via Uplink CM) PBR would be needed which is available since 9.5.x

Is there any reason you want to route traffic destined to the internet to different interfaces?

According to the latest route

cofee — Wed, 23 Nov 2016 00:10:39 GMT

According to the latest route table that you sent CM is not the gateway for your Inside network because your inside network is directly connected to the firewall and you are NATing your inside network to CM network hoping that it will route traffic destined to internet using CM interface.

Think of it like this - source address - 10.x.x.x , destination 98.x.x.x (random public address) , NAted address - 192.168.1.3

Now if you look at the route table you don't have a specific route for 98.x.x.x so it will fall back to default route which is the outside interface in your case.

So may be you will be able to accomplish that using PBR like Kaisero has recommended. I don't know if you would also need to configure a floating default route pointing to CM for PBR to work. But Per Kaisero this is only supported since 9.5 so you may want to think about upgrading your firewall since it's not live yet. I think minimum flash requirement for post ASA 8.3 is 2GB, so make sure you meet that requirement if you decide to go that route.

I will try to mock this in the lab tonight if I get time. Not sure if I have 9.5. Will let you know.

Aight guys I just tested PBR

cofee — Wed, 23 Nov 2016 04:00:45 GMT

Aight guys I just tested PBR in ASA 9.5 and it will do the job you are looking for. Thanks to Kaisero for pointing this out because I didn't know that PBR was supported by ASA now. I didn't have to create floating default route to make it work cause I guess next hop is specified inside the route-map. But this was tested in a virtual lab so if for some reason it doesn't work you can create this ( route cm 0.0.0.0 0.0.0.0 192.168.1.3 2 )

So if your management really wants to implement this then upgrading your firewall to 9.5 ( I think 9.4 also supports but be safe and upgrade to 9.5) and use policy based routing is your only option.

For troubleshooting - debug policy-route

* NAT is already there from inside to CM so you are good there.

This is what you will need to do:
* Create access list for interesting traffic:
access-list inside_to_cm permit ip 10.x.x.x 255.x.x.x any log
!
* Create route-map
route-map PBR permit 10
match ip address inside_to_cm
set ip next-hop 192.168.1.3 (ip for wan interface)

* Apply route-map to inside interface
interface g.xx ( this will be applied to your inside interface)
policy-route route-map PBR
!

Thank you all guys for your

gasparmenendez — Wed, 23 Nov 2016 15:45:16 GMT

Thank you all guys for your help. I already tried to upgrade my ASA once but it wasn't possible due to the cost of the license.

Again thank you very much for your help.

I'll continue running some tests.

Keep in touch.

BR.

Hi folks, me again...

gasparmenendez — Tue, 29 Nov 2016 19:46:42 GMT

Hi folks, me again...

I'm still running tests in the ASA 5540. My problem now is that I can't see the log, don't know how...

In the ASDM at the bottom I can see the "Latest ASDM Syslog Messages" but are show so fast that I can't see them. In the CLI I don't even have a clue about how to see the log. Can anybody helpme please???

Thanks in advance.

Inside the ASDM portal click

cofee — Tue, 29 Nov 2016 20:03:12 GMT

Inside the ASDM portal click on monitoring (at the top) - logging (at the bottom of screen) - view ( on this page you can filter the traffic you want to monitor)

CLI - show log ( show log | inc ip address (address you want to monitor.