topic Re: Clients behind ASA 5505 cannot connect to internet in Network Security https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359666#M308268 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>could you add on the 2811:</P><P></P><P>ip route 0.0.0.0 0.0.0.0 15.0.0.1</P><P></P><P>also, kindly post <STRONG>show version</STRONG> and <STRONG>show route</STRONG> from the 5505.</P></BODY></HTML> Tue, 26 Nov 2013 06:34:22 GMT johnlloyd_13 2013-11-26T06:34:22Z Clients behind ASA 5505 cannot connect to internet https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359665#M308267 <P>Good day,</P><P></P><P>I configure Router 2811 behind ASA 5505, ASA outside&nbsp; interface can got ip address from ISP but clients in inside interface&nbsp; cannot connect to internet, anyone can help me ?</P><P></P><P>Thank you very much.</P><P></P><P>Here is my network diagram :</P><P></P><P>Internet --- &gt; (Outside)&nbsp; ASA 5505&nbsp;&nbsp; (Inside)&nbsp; ---&gt;&nbsp; R2811&nbsp; --&gt; Sw2950</P><P></P><P>Internet --- &gt;&nbsp;&nbsp;&nbsp; ASA 5505&nbsp;&nbsp;&nbsp;&nbsp; ---&gt;&nbsp;&nbsp;&nbsp; R2811&nbsp;&nbsp;&nbsp;&nbsp; --&gt;&nbsp; Sw2950</P><P></P><P>----------------------------------------------------------------------------------&nbsp; ----<BR /><STRONG>ASA Configuration</STRONG></P><P></P><P>ASA Version 8.4(7)<BR />!<BR />hostname ciscoasa<BR />domain-name bvn.local<BR />enable password 8Ry2YjIyt7RRXU24 encrypted<BR />passwd 2KFQnbNIdI.2KYOU encrypted<BR />names<BR />!<BR />interface Ethernet0/0<BR /> switchport access vlan 2<BR />!<BR />interface Ethernet0/1<BR /> switchport access vlan 3<BR />!<BR />interface Ethernet0/2<BR />!<BR />interface Ethernet0/3<BR />!<BR />interface Ethernet0/4<BR /> switchport access vlan 12<BR />!<BR />interface Ethernet0/5<BR />!<BR />interface Ethernet0/6<BR />!<BR />interface Ethernet0/7<BR />!<BR />interface Vlan1<BR /> nameif Management<BR /> security-level 100<BR />ip address ..<BR />!<BR />interface Vlan2<BR /> nameif outside<BR /> security-level 0<BR /> pppoe client vpdn group DIALER-GROUP<BR /> ip address pppoe setroute<BR />!<BR />interface Vlan3<BR /> nameif inside<BR /> security-level 100<BR /> ip address 15.0.0.1 255.0.0.0<BR />!<BR />interface Vlan12<BR /> nameif DMZ<BR /> security-level 50<BR /> no ip address<BR />!<BR />boot system disk0:/asa847-k8.bin<BR />ftp mode passive</P><P></P><P>dns domain-lookup outside<BR />dns domain-lookup inside</P><P></P><P><STRONG>dns server-group DefaultDNS<BR /> name-server 8.8.8.8<BR /> name-server 8.8.4.4<BR /> domain-name bvn.local<BR /><BR />object network obj-network-R2811<BR /> host 15.0.0.2<BR /><BR />object network obj-Inside-Network<BR /> subnet 15.0.0.0 255.0.0.0<BR /><BR />object-group service obj-service-R2811<BR /> description "Services for Cisco R2811"<BR /> service-object tcp source range 55554 55559<BR /> service-object tcp source eq 3366<BR /><BR />access-list ACL-OUTSIDE-TO-INSIDE extended permit object-group obj-service-R2811 any object obj-network-R2811<BR /></STRONG></P><P></P><P>pager lines 24<BR />logging asdm informational<BR />mtu Management 1500<BR />mtu outside 1492<BR />mtu inside 1500<BR />mtu DMZ 1500<BR />no failover<BR />icmp unreachable rate-limit 1 burst-size 1<BR />asdm image disk0:/asdm-714.bin<BR />no asdm history enable<BR />arp timeout 14400<BR />no arp permit-nonconnected<BR />!<BR /><STRONG>object network obj-Inside-Network<BR /> nat (inside,outside) dynamic interface</STRONG></P><P></P><P>timeout xlate 3:00:00<BR />timeout pat-xlate 0:00:30<BR />timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<BR />timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<BR />timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<BR />timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<BR />timeout tcp-proxy-reassembly 0:01:00<BR />timeout floating-conn 0:00:00<BR />dynamic-access-policy-record DfltAccessPolicy<BR />user-identity default-domain LOCAL<BR />aaa authentication enable console LOCAL<BR />aaa authentication ssh console LOCAL<BR />http server enable<BR />no snmp-server location<BR />no snmp-server contact<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart<BR />telnet timeout 5<BR />ssh 192.168.10.0 255.255.255.0 Management<BR />ssh timeout 60<BR />ssh version 2<BR />ssh key-exchange group dh-group1-sha1<BR />console timeout 0<BR />vpdn group DIALER-GROUP request dialout pppoe<BR />vpdn group DIALER-GROUP localname xxxxxxxxxxxx<BR />vpdn group DIALER-GROUP ppp authentication pap<BR />vpdn username xxxxxxxxxx password ***** store-local</P><P></P><P>dhcpd auto_config outside<BR />!<BR />!<BR />tls-proxy maximum-session 24<BR />!<BR />threat-detection basic-threat<BR />threat-detection statistics access-list<BR />no threat-detection statistics tcp-intercept<BR />webvpn<BR /> anyconnect-essentials<BR />username admin password J.TJIa8ig6Y7fCBj encrypted privilege 15<BR />!<BR />class-map inspection_default<BR /> match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR /> parameters<BR /> message-length maximum client auto<BR /> message-length maximum 512<BR />policy-map global_policy<BR /> class inspection_default<BR /> inspect dns preset_dns_map<BR /> inspect ftp<BR /> inspect h323 h225<BR /> inspect h323 ras<BR /> inspect rsh<BR /> inspect rtsp<BR /> inspect esmtp<BR /> inspect sqlnet<BR /> inspect skinny<BR /> inspect sunrpc<BR /> inspect xdmcp<BR /> inspect sip<BR /> inspect netbios<BR /> inspect tftp<BR /> inspect ip-options<BR />!<BR />service-policy global_policy global<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />Cryptochecksum:1f99c5818d8fbc47e40068c4568fa911<BR />: end<BR />ciscoasa#</P><P></P><P><STRONG>R2811 Configuration</STRONG></P><P></P><P>R2811#show run<BR />Building configuration...</P><P></P><P>Current configuration : 9145 bytes<BR />!<BR />! Last configuration change at 10:35:58 gmt Tue Nov 26 2013 by admin<BR />! NVRAM config last updated at 09:50:24 gmt Tue Nov 26 2013 by admin<BR />!<BR />version 12.4<BR />service timestamps debug datetime msec<BR />service timestamps log datetime msec<BR />no service password-encryption<BR />service sequence-numbers<BR />!<BR />hostname R2811<BR />!<BR />boot-start-marker<BR />boot system flash:/c2800nm-advipservicesk9-mz.124-15.T17.bin<BR />boot-end-marker<BR />!<BR />logging buffered 4096<BR />no logging console<BR />no logging monitor<BR />!<BR />aaa new-model<BR />!<BR />!<BR />aaa authentication login default group radius local<BR />aaa authorization exec default group radius local if-authenticated<BR />aaa authorization network default group radius local if-authenticated<BR />!<BR />!<BR />aaa session-id common<BR />clock timezone gmt 7<BR />dot11 syslog<BR />!<BR />!<BR />ip cef<BR />ip dhcp database flash:/dhcp_binding write-delay 60 timeout 10<BR /><SPAN>ip dhcp database t</SPAN><A class="jive-link-external-small" href="ftp://192.168.30.200/dhcp_binding" target="_blank">ftp://192.168.30.200/dhcp_binding</A><SPAN> write-delay 60 timeout 10</SPAN><BR />no ip dhcp use vrf connected<BR />ip dhcp excluded-address 192.168.10.200 192.168.10.254<BR />ip dhcp excluded-address 192.168.20.200 192.168.20.254<BR />ip dhcp excluded-address 192.168.30.200 192.168.30.254<BR />ip dhcp excluded-address 192.168.20.1 192.168.20.10<BR />ip dhcp excluded-address 192.168.10.1 192.168.10.100<BR />ip dhcp excluded-address 192.168.30.1 192.168.30.100<BR />!<BR />ip dhcp pool VLAN30<BR /> network 192.168.30.0 255.255.255.0<BR /> default-router 192.168.30.1<BR /> dns-server 8.8.8.8<BR />!<BR />ip dhcp pool default<BR /> network 192.168.10.0 255.255.255.0<BR /> default-router 192.168.10.1<BR /> dns-server 8.8.8.8<BR />!<BR />ip dhcp pool VLAN20<BR /> network 192.168.20.0 255.255.255.0<BR /> default-router 192.168.20.1<BR /> dns-server 8.8.8.8<BR />!<BR />ip dhcp pool VLAN50<BR /> network 192.168.50.0 255.255.255.0<BR /> default-router 192.168.50.1<BR /> dns-server 8.8.8.8<BR />!<BR />!<BR />ip domain name bvn.local<BR /><STRONG>ip name-server 8.8.8.8</STRONG><BR />!<BR />multilink bundle-name authenticated<BR />!<BR />!<BR />crypto pki trustpoint my-trustpoint<BR /> enrollment selfsigned<BR /> subject-name O=IT,CN=<A href="http://www.bvn.local" target="_blank">www.bvn.local</A><BR /> revocation-check crl<BR /> rsakeypair my-rsa-keys<BR />!<BR />!<BR />crypto pki certificate chain my-trustpoint<BR /> certificate self-signed 02<BR /> 3082026F 308201D8 A0030201 02020102 300D0609 2A864886 F70D0101 04050030<BR /> 45311630 14060355 0403130D 7777772E 62766E2E 6C6F6361 6C310B30 09060355<BR /> 040A1302 4954311E 301C0609 2A864886 F70D0109 02160F52 32383131 2E62766E<BR /> 2E6C6F63 616C301E 170D3133 31313137 30343535 34345A17 0D323030 31303130<BR /> 30303030 305A3045 31163014 06035504 03130D77 77772E62 766E2E6C 6F63616C<BR /> 310B3009 06035504 0A130249 54311E30 1C06092A 864886F7 0D010902 160F5232<BR /> 3831312E 62766E2E 6C6F6361 6C30819F 300D0609 2A864886 F70D0101 01050003<BR /> 818D0030 81890281 81008C50 B07554E2 256C1E2D F4DBA9B1 45CCE4CD 7A469780<BR /> A4A50706 50A24300 CD1CA5A7 B9388ACD AE9A1D66 1EA5FEA6 A26E48DC 7D06E733<BR /> E554146D 64E22EB5 30750CEB 67C0286A 12FBEFE5 BEF2BEBC E6849354 C31AF749<BR /> 729BFA77 F081A88E E2420DC9 0BB0E827 CF6B885C 6DA8BEB8 002BBE30 76E134FB<BR /> BB5DADA7 455687AE 4B4F0203 010001A3 6F306D30 0F060355 1D130101 FF040530<BR /> 030101FF 301A0603 551D1104 13301182 0F523238 31312E62 766E2E6C 6F63616C<BR /> 301F0603 551D2304 18301680 14ECF478 D7A73A3C 3DB4A58F 072FD138 72A95737<BR /> 9F301D06 03551D0E 04160414 ECF478D7 A73A3C3D B4A58F07 2FD13872 A957379F<BR /> 300D0609 2A864886 F70D0101 04050003 8181002B 810C5936 F1C79ABE F58C6ACE<BR /> 5CA04136 AF768927 CB2DC3F8 CBFA1A68 87054270 3557400C 47B0BB99 42A98A57<BR /> 43202C33 89E06619 F527CDD4 029AA76B A8631AE7 65059A62 BDD1289D C1B83FFD<BR /> 02432B90 E5671FBB ABE3F5E1 39D4B707 D8580226 E6C60148 2D22A5C4 40FA7809<BR /> 151D66D3 497CE907 E62FA8CC A59A2645 D3D7CD<BR /> quit<BR />!<BR />!<BR />archive<BR /> log config<BR /> hidekeys<BR /><SPAN> path t</SPAN><A class="jive-link-external-small" href="ftp://192.168.30.200/CiscoArchive" target="_blank">ftp://192.168.30.200/CiscoArchive</A><BR /> write-memory<BR /> time-period 1440<BR />!<BR />!<BR />!<BR />!<BR />ip ftp username abc<BR />ip ftp password 123<BR />!<BR />!<BR />!<BR />!<BR />interface Loopback1<BR /> no ip address<BR />!<BR />interface FastEthernet0/0<BR /> description CONNECT to ASA<BR /> ip address 15.0.0.2 255.0.0.0<BR /> ip nat outside<BR /> ip virtual-reassembly<BR /> duplex full<BR /> speed auto<BR />!<BR />interface FastEthernet0/1<BR /> description LAN<BR /> no ip address<BR /> duplex full<BR /> speed auto<BR /> no cdp enable<BR />!<BR />interface FastEthernet0/1.1<BR /> description DEFAULT<BR /> encapsulation dot1Q 1 native<BR /> ip address 192.168.10.1 255.255.255.0<BR /> ip nat inside<BR /> ip virtual-reassembly<BR />!<BR />interface FastEthernet0/1.2<BR /> description FINANCE_DEPT<BR /> encapsulation dot1Q 20<BR /> ip address 192.168.20.1 255.255.255.0<BR /> ip nat inside<BR /> ip virtual-reassembly<BR />!<BR />interface FastEthernet0/1.3<BR /> description IT_DEPT<BR /> encapsulation dot1Q 30<BR /> ip address 192.168.30.1 255.255.255.0<BR /> ip helper-address 192.168.10.10<BR /> ip nat inside<BR /> ip virtual-reassembly<BR />!<BR />interface FastEthernet0/1.4<BR /> description HR_DEPT<BR /> encapsulation dot1Q 40<BR /> ip address 192.168.40.1 255.255.255.0<BR /> ip helper-address 192.168.10.10<BR /> ip nat inside<BR /> ip virtual-reassembly<BR />!<BR />interface FastEthernet0/1.5<BR /> encapsulation dot1Q 50<BR /> ip address 192.168.50.1 255.255.255.0<BR /> ip access-group 101 in<BR /> ip nat inside<BR /> ip virtual-reassembly<BR />!<BR />interface Dialer0<BR /> no ip address<BR />!</P><P></P><P>ip forward-protocol nd<BR />no ip forward-protocol udp tftp<BR />no ip forward-protocol udp netbios-ns<BR />no ip forward-protocol udp netbios-dgm<BR />no ip forward-protocol udp tacacs<BR />!<BR />!<BR />ip http server<BR />ip http authentication local<BR />ip http secure-server<BR />ip nat inside source static tcp 192.168.20.254 3366 interface&nbsp; FastEthernet0/0&nbsp; 3366</P><P></P><P><STRONG>ip nat inside source list 101 interface FastEthernet0/0 overload</STRONG></P><P></P><P>!</P><P></P><P>logging facility local6<BR />logging 192.168.30.200<BR />access-list 101 permit ip any any</P><P></P><P>!<BR />!<BR />!<BR />!<BR />radius-server host 192.168.10.11 auth-port 1645 acct-port 1646<BR />radius-server key 123456<BR />!<BR />control-plane<BR />!<BR />!</P><P></P><P>banner exec ^C<BR />Session established to $(hostname) on line $(line)^C<BR />!<BR />line con 0<BR /> exec-timeout 0 0<BR />line aux 0<BR />line vty 0 4<BR /> access-class abc in<BR /> exec-timeout 0 0<BR /> privilege level 15<BR /> logging synchronous<BR /> transport input telnet ssh<BR />line vty 5 15<BR /> access-class abc in<BR /> exec-timeout 0 0<BR /> logging synchronous<BR /> transport input telnet ssh<BR />!<BR />no scheduler allocate<BR />ntp clock-period 17180068<BR />ntp update-calendar<BR />ntp server 14.0.18.136<BR />!<BR />!<BR />end</P><P></P><P>R2811#</P><P></P><P>----------------------------------------------------------------------------------&nbsp; ----</P> Tue, 12 Mar 2019 03:09:37 GMT https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359665#M308267 bvn63 2019-03-12T03:09:37Z Re: Clients behind ASA 5505 cannot connect to internet https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359666#M308268 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>could you add on the 2811:</P><P></P><P>ip route 0.0.0.0 0.0.0.0 15.0.0.1</P><P></P><P>also, kindly post <STRONG>show version</STRONG> and <STRONG>show route</STRONG> from the 5505.</P></BODY></HTML> Tue, 26 Nov 2013 06:34:22 GMT https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359666#M308268 johnlloyd_13 2013-11-26T06:34:22Z Clients behind ASA 5505 cannot connect to internet https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359667#M308269 <HTML><HEAD></HEAD><BODY><P>Hi johnlloyd,</P><P></P><P>Thank for your replying.</P><P></P><P>I put route command (ip route 0.0.0.0 0.0.0.0 15.0.0.1) on R2811 but clients can't connect to internet</P><P></P><P>Here is my ASA information:</P><P></P><P><STRONG>ciscoasa# show route</STRONG></P><P></P><P>Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; * - candidate default, U - per-user static route, o - ODR</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; P - periodic downloaded static route</P><P></P><P>Gateway of last resort is 123.28.28.1 to network 0.0.0.0</P><P></P><P>C&nbsp;&nbsp;&nbsp; 15.0.0.0 255.0.0.0 is directly connected, inside</P><P>S*&nbsp;&nbsp; 0.0.0.0 0.0.0.0 [1/0] via 123.20.27.1, outside</P><P></P><P></P><P><STRONG>ciscoasa# show ver</STRONG></P><P></P><P>Cisco Adaptive Security Appliance Software Version 8.4(7) </P><P>Device Manager Version 7.1(4)</P><P></P><P>Compiled on Fri 30-Aug-13 19:48 by builders</P><P>System image file is "disk0:/asa847-k8.bin"</P><P>Config file at boot was "startup-config"</P><P></P><P>ciscoasa up 22 hours 52 mins</P><P></P><P>Hardware:&nbsp;&nbsp; ASA5505, 512 MB RAM, CPU Geode 500 MHz</P><P>Internal ATA Compact Flash, 128MB</P><P>BIOS Flash M50FW016 @ 0xfff00000, 2048KB</P><P></P><P>Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Boot microcode&nbsp;&nbsp; : CN1000-MC-BOOT-2.00 </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; IPSec microcode&nbsp; : CNlite-MC-IPSECm-MAIN-2.06</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Number of accelerators: 1</P><P></P><P> 0: Int: Internal-Data0/0&nbsp;&nbsp;&nbsp; : address is 2894.0f0f.34de, irq 11</P><P> 1: Ext: Ethernet0/0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is 2894.0f0f.34d6, irq 255</P><P> 2: Ext: Ethernet0/1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is 2894.0f0f.34d7, irq 255</P><P> 3: Ext: Ethernet0/2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is 2894.0f0f.34d8, irq 255</P><P> 4: Ext: Ethernet0/3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is 2894.0f0f.34d9, irq 255</P><P> 5: Ext: Ethernet0/4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is 2894.0f0f.34da, irq 255</P><P> 6: Ext: Ethernet0/5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is 2894.0f0f.34db, irq 255</P><P> 7: Ext: Ethernet0/6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is 2894.0f0f.34dc, irq 255</P><P> 8: Ext: Ethernet0/7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : address is 2894.0f0f.34dd, irq 255</P><P> 9: Int: Internal-Data0/1&nbsp;&nbsp;&nbsp; : address is 0000.0003.0002, irq 255</P><P>10: Int: Not used&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : irq 255</P><P>11: Int: Not used&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : irq 255</P><P></P><P>Licensed features for this platform:</P><P>Maximum Physical Interfaces&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>VLANs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 20&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DMZ Unrestricted</P><P>Dual ISPs&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>VLAN Trunk Ports&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>Inside Hosts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Unlimited&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>Failover&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Active/Standby perpetual</P><P>VPN-DES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>VPN-3DES-AES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>AnyConnect Premium Peers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>AnyConnect Essentials&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>Other VPN Peers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>Total VPN Peers&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 25&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>Shared License&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>AnyConnect for Mobile&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>AnyConnect for Cisco VPN Phone&nbsp;&nbsp;&nbsp; : Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>Advanced Endpoint Assessment&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>UC Phone Proxy Sessions&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>Total UC Proxy Sessions&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>Botnet Traffic Filter&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Enabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P>Intercompany Media Engine&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Disabled&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; perpetual</P><P></P><P>This platform has an ASA 5505 Security Plus license.</P><P></P><P></P><P>- After I changing network-group service and put access-list into interface vlan2 as follows :</P><P></P><P>object-group service obj-service-R2811</P><P> description "Services for Cisco R2811"</P><P> service-object tcp source eq 3389 </P><P> service-object tcp source eq 3366 </P><P> service-object tcp source eq 3377 </P><P> service-object tcp source eq 3399 </P><P> service-object tcp source eq 51413 </P><P> service-object tcp source range 55554 55559 </P><P> service-object tcp source eq 8080 </P><P> service-object icmp </P><P> service-object tcp source eq domain </P><P> service-object udp source eq domain </P><P> service-object tcp source eq www </P><P></P><P>access-list ACL-OUTSIDE-TO-INSIDE extended permit object-group obj-service-R2811 any object obj-network-R2811 </P><P></P><P>interface vlan 2</P><P> access-group ACL-OUTSIDE-TO-INSIDE in interface outside</P><P></P><P>- on R2811 can ping to any domain and ip address but clients can only ping to 8.8.8.8 and can't web page access.</P><P></P><P></P><P>Thank you very much.</P></BODY></HTML> Tue, 26 Nov 2013 08:14:32 GMT https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359667#M308269 bvn63 2013-11-26T08:14:32Z Clients behind ASA 5505 cannot connect to internet https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359668#M308270 <HTML><HEAD></HEAD><BODY><P>Is there a reason you are doing NAT at the router and at the firewall?</P></BODY></HTML> Tue, 26 Nov 2013 10:10:28 GMT https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359668#M308270 rfalconer.sffcu 2013-11-26T10:10:28Z Clients behind ASA 5505 cannot connect to internet https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359669#M308271 <HTML><HEAD></HEAD><BODY><P>Please check logs on the ASA and see if the connection from your client is getting to the ASA</P><P></P><P></P><P>Value our effort and rate the assistance!</P></BODY></HTML> Tue, 26 Nov 2013 14:52:50 GMT https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359669#M308271 jumora 2013-11-26T14:52:50Z Clients behind ASA 5505 cannot connect to internet https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359670#M308272 <HTML><HEAD></HEAD><BODY><P> Hello,</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Why you are NATing in Router and then firewall. In router you can add one default route to firewall and from firewall you add return Route to router interface for all the INSIDE network Subnets.</P><P>Then in firewall Create one object group and add all the inside subnets and do NAT for that group and try.</P></BODY></HTML> Tue, 26 Nov 2013 18:35:47 GMT https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359670#M308272 SHIBI V DEV 2013-11-26T18:35:47Z Clients behind ASA 5505 cannot connect to internet https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359671#M308273 <HTML><HEAD></HEAD><BODY><P>Did you check logs as indicated????<SPAN __jive_emoticon_name="plain" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P></P><P>Value our effort and rate the assistance!</P></BODY></HTML> Wed, 27 Nov 2013 04:30:41 GMT https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359671#M308273 jumora 2013-11-27T04:30:41Z Re: Clients behind ASA 5505 cannot connect to internet https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359672#M308274 <HTML><HEAD></HEAD><BODY><P>Good day,</P><P></P><P>Thanks <SPAN class="active_link">johnlloyd</SPAN>, Robert, Shibi, jumora.</P><P></P><P>As SHIBI's suggest, I have configured route on router R2811 and ASA, It's working now.</P><P></P><P></P><P>Thank you very much.</P><P></P><P></P><P>Here my configuration after I changing route command on R2811 and ASA 5505</P><P></P><P></P><P><STRONG>R2811</STRONG></P><P></P><P>hostname R2811</P><P>!</P><P>boot-start-marker</P><P>boot system flash:/c2800nm-advipservicesk9-mz.124-15.T17.bin</P><P>boot-end-marker</P><P>!</P><P>logging buffered 4096</P><P>no logging console</P><P>no logging monitor</P><P>!</P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa authentication login default group radius local</P><P>aaa authorization exec default group radius local if-authenticated </P><P>aaa authorization network default group radius local if-authenticated </P><P>!</P><P>!</P><P>aaa session-id common</P><P>clock timezone gmt 7</P><P>dot11 syslog</P><P>!</P><P>!</P><P>ip cef</P><P>ip dhcp database flash:/dhcp_binding write-delay 60 timeout 10</P><P><SPAN>ip dhcp database t</SPAN><A class="jive-link-external-small" href="ftp://192.168.30.200/dhcp_binding" rel="nofollow">ftp://192.168.30.200/dhcp_binding</A><SPAN> write-delay 60 timeout 10</SPAN></P><P>no ip dhcp use vrf connected</P><P>ip dhcp excluded-address 192.168.10.200 192.168.10.254</P><P>ip dhcp excluded-address 192.168.20.200 192.168.20.254</P><P>ip dhcp excluded-address 192.168.30.200 192.168.30.254</P><P>ip dhcp excluded-address 192.168.20.1 192.168.20.10</P><P>ip dhcp excluded-address 192.168.10.1 192.168.10.100</P><P>ip dhcp excluded-address 192.168.30.1 192.168.30.100</P><P>!</P><P>ip dhcp pool VLAN30</P><P>&nbsp;&nbsp; network 192.168.30.0 255.255.255.0</P><P>&nbsp;&nbsp; default-router 192.168.30.1 </P><P>&nbsp;&nbsp; dns-server 8.8.8.8 </P><P>!</P><P>ip dhcp pool default</P><P>&nbsp;&nbsp; network 192.168.10.0 255.255.255.0</P><P>&nbsp;&nbsp; default-router 192.168.10.1 </P><P>&nbsp;&nbsp; dns-server 8.8.8.8 </P><P>!</P><P>ip dhcp pool VLAN20</P><P>&nbsp;&nbsp; network 192.168.20.0 255.255.255.0</P><P>&nbsp;&nbsp; default-router 192.168.20.1 </P><P>&nbsp;&nbsp; dns-server 8.8.8.8 </P><P>!</P><P>ip dhcp pool VLAN50</P><P>&nbsp;&nbsp; network 192.168.50.0 255.255.255.0</P><P>&nbsp;&nbsp; default-router 192.168.50.1 </P><P>&nbsp;&nbsp; dns-server 8.8.8.8 </P><P>!</P><P>!</P><P>ip domain name bvn.local</P><P>ip name-server 8.8.8.8</P><P>!</P><P>multilink bundle-name authenticated</P><P>!</P><P>!</P><P>crypto pki trustpoint my-trustpoint</P><P> enrollment selfsigned</P><P> subject-name O=IT,CN=www.bvn.local</P><P> revocation-check crl</P><P> rsakeypair my-rsa-keys</P><P>!</P><P>!</P><P>crypto pki certificate chain my-trustpoint</P><P> certificate self-signed 02</P><P>&nbsp; 3082026F 308201D8 A0030201 02020102 300D0609 2A864886 F70D0101 04050030 </P><P>&nbsp; 45311630 14060355 0403130D 7777772E 62766E2E 6C6F6361 6C310B30 09060355 </P><P>&nbsp; 040A1302 4954311E 301C0609 2A864886 F70D0109 02160F52 32383131 2E62766E </P><P>&nbsp; 2E6C6F63 616C301E 170D3133 31313137 30343535 34345A17 0D323030 31303130 </P><P>&nbsp; 30303030 305A3045 31163014 06035504 03130D77 77772E62 766E2E6C 6F63616C </P><P>&nbsp; 310B3009 06035504 0A130249 54311E30 1C06092A 864886F7 0D010902 160F5232 </P><P>&nbsp; 3831312E 62766E2E 6C6F6361 6C30819F 300D0609 2A864886 F70D0101 01050003 </P><P>&nbsp; 818D0030 81890281 81008C50 B07554E2 256C1E2D F4DBA9B1 45CCE4CD 7A469780 </P><P>&nbsp; A4A50706 50A24300 CD1CA5A7 B9388ACD AE9A1D66 1EA5FEA6 A26E48DC 7D06E733 </P><P>&nbsp; E554146D 64E22EB5 30750CEB 67C0286A 12FBEFE5 BEF2BEBC E6849354 C31AF749 </P><P>&nbsp; 729BFA77 F081A88E E2420DC9 0BB0E827 CF6B885C 6DA8BEB8 002BBE30 76E134FB </P><P>&nbsp; BB5DADA7 455687AE 4B4F0203 010001A3 6F306D30 0F060355 1D130101 FF040530 </P><P>&nbsp; 030101FF 301A0603 551D1104 13301182 0F523238 31312E62 766E2E6C 6F63616C </P><P>&nbsp; 301F0603 551D2304 18301680 14ECF478 D7A73A3C 3DB4A58F 072FD138 72A95737 </P><P>&nbsp; 9F301D06 03551D0E 04160414 ECF478D7 A73A3C3D B4A58F07 2FD13872 A957379F </P><P>&nbsp; 300D0609 2A864886 F70D0101 04050003 8181002B 810C5936 F1C79ABE F58C6ACE </P><P>&nbsp; 5CA04136 AF768927 CB2DC3F8 CBFA1A68 87054270 3557400C 47B0BB99 42A98A57 </P><P>&nbsp; 43202C33 89E06619 F527CDD4 029AA76B A8631AE7 65059A62 BDD1289D C1B83FFD </P><P>&nbsp; 02432B90 E5671FBB ABE3F5E1 39D4B707 D8580226 E6C60148 2D22A5C4 40FA7809 </P><P>&nbsp; 151D66D3 497CE907 E62FA8CC A59A2645 D3D7CD</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; quit</P><P>!</P><P>interface Loopback1</P><P> no ip address</P><P>!</P><P>interface FastEthernet0/0</P><P> description CONNECT to ASA</P><P> ip address 15.0.0.2 255.0.0.0</P><P> ip virtual-reassembly</P><P> duplex full</P><P> speed auto</P><P>!</P><P>interface FastEthernet0/1</P><P> description LAN</P><P> no ip address</P><P> duplex full</P><P> speed auto</P><P> no cdp enable</P><P>!</P><P>interface FastEthernet0/1.1</P><P> description DEFAULT</P><P> encapsulation dot1Q 1 native</P><P> ip virtual-reassembly</P><P>!</P><P>interface FastEthernet0/1.2</P><P> description FINANCE_DEPT</P><P> encapsulation dot1Q 20</P><P> ip address 192.168.20.1 255.255.255.0</P><P> ip virtual-reassembly</P><P>!</P><P>interface FastEthernet0/1.3</P><P> description IT_DEPT</P><P> encapsulation dot1Q 30</P><P> ip address 192.168.30.1 255.255.255.0</P><P> ip virtual-reassembly</P><P>!</P><P>interface FastEthernet0/1.4</P><P> description HR_DEPT</P><P> encapsulation dot1Q 40</P><P> ip address 192.168.40.1 255.255.255.0</P><P> ip virtual-reassembly</P><P>!</P><P>interface FastEthernet0/1.5</P><P> encapsulation dot1Q 50</P><P> ip address 192.168.50.1 255.255.255.0</P><P> ip virtual-reassembly</P><P>!</P><P>!</P><P>ip forward-protocol nd</P><P>no ip forward-protocol udp tftp</P><P>no ip forward-protocol udp netbios-ns</P><P>no ip forward-protocol udp netbios-dgm</P><P>no ip forward-protocol udp tacacs</P><P></P><P><STRONG>ip route 0.0.0.0 0.0.0.0 15.0.0.1</STRONG></P><P></P><P>!</P><P>!</P><P>ip http server</P><P>ip http authentication local</P><P>ip http secure-server</P><P></P><P>=================================</P><P><STRONG>ASA</STRONG></P><P></P><P>ASA Version 8.4(7) </P><P>!</P><P>hostname ciscoasa</P><P>domain-name bvn.local</P><P>enable password 8Ry2YjIyt7RRXU24 encrypted</P><P>passwd 2KFQnbNIdI.2KYOU encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P> switchport access vlan 3</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P> switchport access vlan 12</P><P>!</P><P>interface Ethernet0/5</P><P>!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>interface Vlan1</P><P> nameif Management</P><P> security-level 100</P><P> no ip address</P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> pppoe client vpdn group DIALER-GROUP</P><P> ip address pppoe setroute </P><P>!</P><P>interface Vlan3</P><P> nameif inside</P><P> security-level 100</P><P> ip address 15.0.0.1 255.0.0.0 </P><P>!</P><P>interface Vlan12</P><P> nameif DMZ</P><P> security-level 50</P><P> no ip address</P><P>!</P><P>boot system disk0:/asa847-k8.bin</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> name-server 8.8.8.8</P><P> name-server 8.8.4.4</P><P> domain-name bvn.local</P><P></P><P><STRONG>object network obj-Inside-Network</STRONG></P><P><STRONG> subnet 192.168.0.0 255.255.0.0</STRONG></P><P></P><P>pager lines 24</P><P>logging asdm informational</P><P>mtu Management 1500</P><P>mtu outside 1492</P><P>mtu inside 1500</P><P>mtu DMZ 1500</P><P>mtu test 1500 </P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-714.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>!</P><P></P><P><STRONG>object network obj-Inside-Network</STRONG></P><P><STRONG> nat (inside,outside) dynamic interface</STRONG></P><P></P><P></P><P><STRONG>route inside 192.168.0.0 255.255.0.0 15.0.0.2 1</STRONG></P><P></P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>user-identity default-domain LOCAL</P><P>aaa authentication enable console LOCAL </P><P>aaa authentication ssh console LOCAL </P><P>http server enable</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>telnet timeout 5</P><P>ssh timeout 60</P><P>ssh version 2</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P>vpdn group DIALER-GROUP request dialout pppoe</P><P>vpdn group DIALER-GROUP localname xxxxx</P><P>vpdn group DIALER-GROUP ppp authentication pap</P><P>vpdn username xxxxx password ***** store-local</P><P></P><P>dhcpd auto_config outside</P><P>!</P><P>!</P><P>tls-proxy maximum-session 24</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>webvpn&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P> anyconnect-essentials</P><P>username admin password J.TJIa8ig6Y7fCBj encrypted privilege 15</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect ip-options </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>no call-home reporting anonymous</P><P>Cryptochecksum:7473f9d7099ca0380fac148a144c7030</P><P>: end</P></BODY></HTML> Wed, 27 Nov 2013 05:15:21 GMT https://community.cisco.com/t5/network-security/clients-behind-asa-5505-cannot-connect-to-internet/m-p/2359672#M308274 bvn63 2013-11-27T05:15:21Z