https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321675#M310569 <HTML><HEAD></HEAD><BODY><P>I forgot to indicate, you have a static NAT configuration that maps the inside network to the internal_LAN </P><P></P><P>static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0 </P><P></P><P>name 192.168.1.0 Inside_Subnet</P><P></P><P>If you need the Internal_LAN network to be able to access anything on the inside I would rather configure the NAT exemption that states that you will not require NAT from the inside interface network to the internal_LAN network but that is all up to you if you want to configure it or not.</P><P></P><P>access-list inside_nat0_outbound permit ip any 172.168.1.0 255.255.255.0</P><P></P><P>NOTE: The line above is part of the next configuration that applies the NAT exemption on the inside interface:</P><P></P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P></P><P>So the configuration would like this:</P><P></P><P>enable</P><P></P><P>config t</P><P></P><P>interface Vlan8</P><P></P><P>security-level 90</P><P></P><P>nat (Internal_LAN) 8 172.168.1.0 255.255.255.0</P><P></P><P>global (outside) 8 12.18.13.X</P></BODY></HTML> Tue, 22 Oct 2013 22:04:18 GMT jumora 2013-10-22T22:04:18Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321667#M310556 <P>Hi everybody,</P><P>I am unable to access internet with one of the vlan. i have two vlans</P><P>VLAN 2&nbsp;&nbsp; 192.168.1.0</P><P>VLAN 8&nbsp;&nbsp; 172.168.1.0</P><P>When i am on vlan 2 i can access to internet. when i work with vlan 8, i cannot access to internet. As a matter of fact VLAN 8 (172.168.1.0) is new. I need to know what else i need to configure to get access. the following is the configuration of my cisco ASA firewall. Any help will be apprieciated.</P><P>Thanks</P><P></P><P></P><P></P><P></P><P></P><P></P><P></P><P>!</P><P>hostname abcASA1</P><P>domain-name abc.com</P><P>enable password .4rNnGSuheRe encrypted</P><P>passwd 2KFQnbNIdI.2K encrypted</P><P>names</P><P>name 192.168.1.3 Email_DNS</P><P>name 192.168.1.4 SQLServer</P><P>name 192.168.2.2 VPN_3005</P><P>name 192.168.2.0 DMZ_Subnet</P><P>name 192.168.3.0 VPN_Subnet</P><P>name 192.168.1.0 Inside_Subnet</P><P>name 192.168.3.5 VPNNET_DNS</P><P>name 128.8.10.90 D_Root</P><P>name 192.5.5.241 F_Root</P><P>name 198.41.0.10 J_Root</P><P>name 192.33.4.12 C_Root</P><P>name 193.0.14.129 K_Root</P><P>name 198.32.64.12 L_Root</P><P>name 192.36.148.17 I_Root</P><P>name 192.112.36.4 G_Root</P><P>name 128.63.2.53 H_Root</P><P>name 128.9.0.107 B_Root</P><P>name 198.41.0.4 A_Root</P><P>name 202.12.27.33 M_Root</P><P>name 192.203.230.10 E_Root</P><P>name 12.183.68.51 ATT_DNS_2</P><P>name 12.183.68.50 ATT_DNS_1</P><P>name 192.168.1.6 FileServer_NAS</P><P>name 192.168.2.6 abc_WEB</P><P>name 199.130.197.153 CA_Mgmt_USDA</P><P>name 199.130.197.19 CA_Roaming_USDA</P><P>name 199.130.214.49 CA_CRLChk_USDA</P><P>name 199.134.134.133 CA_Mgmt_USDA_</P><P>name 199.134.134.135 CA_Roaming_USDA2</P><P>name 192.168.2.9 PublicDNS2</P><P>name 192.168.2.8 PublicDNS</P><P>name 192.168.1.11 abc02EX2</P><P>name 162.140.109.7 GPO_PKI_DIR</P><P>name 162.140.9.10 GPO_PKI</P><P>name 192.168.1.12 Patchlink</P><P>name 192.168.1.10 abcSLIMPS1</P><P>name 192.168.1.7 FileServer_DNS</P><P>name 192.168.1.15 abc06ex2</P><P>name 192.168.101.0 NEW_VPN_SUBNET</P><P>name 192.168.77.0 NEW_VPN_POOL description NEW_VPN_POOL</P><P>name 192.168.1.16 VTC description LifeSize VTC</P><P>name 12.18.13.16 VTC_Outside</P><P>name 192.168.2.50 Email_Gateway</P><P>name 192.168.1.20 Exch10</P><P>name 192.168.1.8 SharePoint</P><P>name 192.168.1.19 abc09ic description Web Servr</P><P>name 192.168.1.180 ExternalDNS</P><P>name 192.168.2.223 abc11ids</P><P>name 192.168.50.0 inside_new_Network</P><P>dns-guard</P><P>!</P><P>interface Vlan1</P><P> nameif outside</P><P> security-level 0</P><P> ip address 12.18.13.20 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif inside</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P>!</P><P>interface Vlan3</P><P> nameif dmz</P><P> security-level 10</P><P> ip address 192.168.2.1 255.255.255.0 </P><P>!</P><P>interface Vlan4</P><P> nameif vpnnet</P><P> security-level 75</P><P> ip address 192.168.3.1 255.255.255.0 </P><P>!</P><P>interface Vlan5</P><P> nameif asainside</P><P> security-level 50</P><P> ip address 192.168.4.1 255.255.255.0 </P><P>!</P><P>interface Vlan6</P><P> nameif testinside</P><P> security-level 50</P><P> ip address 192.168.5.1 255.255.255.0 </P><P> ipv6 address 2001:ab1:5::/64 eui-64</P><P>!</P><P>interface Vlan7</P><P> description New Local Area Network for Server</P><P> nameif inside_new</P><P> security-level 50</P><P> ip address 192.168.50.1 255.255.255.0 </P><P>!</P><P>interface Vlan8</P><P> description abcdone Server VLAN</P><P> nameif Internal_LAN</P><P> security-level 100</P><P> ip address 172.168.1.254 255.255.255.0 </P><P>!</P><P>interface Vlan16</P><P> description out of band</P><P> nameif oobnet</P><P> security-level 100</P><P> ip address 172.16.1.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P> speed 100</P><P> duplex full</P><P>!</P><P>interface Ethernet0/2</P><P> switchport access vlan 3</P><P>!</P><P>interface Ethernet0/3</P><P> switchport access vlan 7</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P> switchport trunk allowed vlan 1-10</P><P> switchport mode trunk</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P></P><P></P><P>boot system disk0:/asa802-k8.bin</P><P>ftp mode passive</P><P>clock timezone EST -5</P><P>clock summer-time EDT recurring</P><P>dns domain-lookup inside</P><P>dns domain-lookup vpnnet</P><P>dns server-group DefaultDNS</P><P> name-server 192.168.1.2</P><P> name-server Email_DNS</P><P> domain-name abc.com</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group network Inside_Server_Group</P><P> description EmailServer, FileServer, SQLServer</P><P> network-object Email_DNS 255.255.255.255</P><P> network-object SQLServer 255.255.255.255</P><P> network-object 192.168.1.2 255.255.255.255</P><P> network-object FileServer_NAS 255.255.255.255</P><P> network-object host abc02EX2</P><P> network-object host abc06ex2</P><P>object-group network Inside_Server_Group_ref</P><P> network-object 192.168.3.73 255.255.255.255</P><P> network-object 192.168.3.74 255.255.255.255</P><P> network-object 192.168.3.72 255.255.255.255</P><P> network-object 192.168.3.76 255.255.255.255</P><P>object-group service DNS tcp-udp</P><P> description DNS Service both TCP/UDP</P><P> port-object eq domain</P><P>object-group network InternetDNS</P><P> network-object A_Root 255.255.255.255</P><P> network-object B_Root 255.255.255.255</P><P> network-object C_Root 255.255.255.255</P><P> network-object D_Root 255.255.255.255</P><P> network-object E_Root 255.255.255.255</P><P> network-object F_Root 255.255.255.255</P><P> network-object G_Root 255.255.255.255</P><P> network-object H_Root 255.255.255.255</P><P> network-object I_Root 255.255.255.255</P><P> network-object J_Root 255.255.255.255</P><P> network-object K_Root 255.255.255.255</P><P> network-object L_Root 255.255.255.255</P><P> network-object M_Root 255.255.255.255</P><P> network-object ATT_DNS_2 255.255.255.255</P><P> network-object ATT_DNS_1 255.255.255.255</P><P>object-group network USDA-PKI-Users</P><P> description GAO PKI User Group</P><P> network-object 192.168.1.51 255.255.255.255</P><P> network-object 192.168.1.52 255.255.255.255</P><P> network-object 192.168.1.53 255.255.255.255</P><P> network-object 192.168.1.54 255.255.255.255</P><P> network-object 192.168.1.55 255.255.255.255</P><P> network-object 192.168.1.56 255.255.255.255</P><P> network-object 192.168.1.57 255.255.255.255</P><P> network-object 192.168.1.58 255.255.255.255</P><P> network-object 192.168.1.59 255.255.255.255</P><P> network-object 192.168.1.60 255.255.255.255</P><P> network-object host 192.168.1.61</P><P> network-object host 192.168.1.62</P><P> network-object host 192.168.1.63</P><P>object-group network CITABCDAS</P><P> network-object 192.168.3.241 255.255.255.255</P><P> network-object 192.168.3.242 255.255.255.255</P><P> network-object 192.168.3.243 255.255.255.255</P><P> network-object 192.168.3.244 255.255.255.255</P><P> network-object 192.168.3.245 255.255.255.255</P><P> network-object VPNNET_DNS 255.255.255.255</P><P>object-group service Virginia.edu tcp</P><P> description blackboard java classroom</P><P> port-object range 8010 8012</P><P>object-group network PDASB1-VPN-Inside</P><P> network-object host abcPLIasd1</P><P> network-object host 192.168.3.10</P><P>object-group service http-https tcp</P><P> port-object range https https</P><P> port-object range www www</P><P>object-group protocol TCPUDP</P><P> protocol-object udp</P><P> protocol-object tcp</P><P>object-group service VTC tcp-udp</P><P> description LifeSize</P><P> port-object range 60000 64999</P><P>object-group service DM_INLINE_TCP_1 tcp</P><P> port-object eq 3268</P><P> port-object eq ldap</P><P>object-group service EmailGateway udp</P><P> description TrustManager</P><P> port-object eq 19200</P><P> port-object eq 8007</P><P>object-group service DM_INLINE_TCP_2 tcp</P><P> port-object eq 990</P><P> port-object eq ftp</P><P> port-object range 2000 5000</P><P>object-group service Barracuda tcp</P><P> port-object eq 5124</P><P> port-object eq 5126</P><P>object-group service barracuda udp</P><P> port-object eq 5124</P><P> port-object eq 5126</P><P>object-group service IMAP tcp</P><P> port-object eq 993</P><P> port-object eq imap4</P><P>object-group service DM_INLINE_SERVICE_0</P><P> service-object tcp eq domain </P><P> service-object udp eq domain </P><P>access-list inside_access_in extended permit ip any any </P><P>access-list inside_access_in extended permit object-group TCPUDP any object-group InternetDNS object-group DNS </P><P>access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_0 any host 12.18.13.222 </P><P>access-list outside_access_in remark Website</P><P>access-list outside_access_in extended permit tcp any host 12.18.13.19 eq 8090 </P><P>access-list outside_access_in remark Allow ICMP replies to inside</P><P>access-list outside_access_in extended permit icmp any host 12.18.13.21 echo-reply </P><P>access-list outside_access_in remark VTC</P><P>access-list outside_access_in extended permit tcp any host VTC_Outside eq h323 </P><P>access-list outside_access_in remark VTC</P><P>access-list outside_access_in extended permit object-group TCPUDP any host VTC_Outside eq sip </P><P>access-list outside_access_in extended permit icmp any host VTC_Outside </P><P>access-list outside_access_in remark Barracuda</P><P>access-list outside_access_in extended permit tcp any host 192.168.1.25 object-group Barracuda </P><P>access-list outside_access_in remark Barracuda</P><P>access-list outside_access_in extended permit udp any host 192.168.1.25 object-group barracuda </P><P>access-list outside_access_in remark VTC</P><P>access-list outside_access_in extended permit udp any host VTC_Outside range 60000 64999 </P><P>access-list outside_access_in remark VTC</P><P>access-list outside_access_in extended permit tcp any host VTC_Outside range 60000 64999 </P><P>access-list outside_access_in remark for Public DNS2</P><P>access-list outside_access_in extended permit udp any host 12.18.13.223 eq domain </P><P>access-list outside_access_in remark for Public DNS2</P><P>access-list outside_access_in extended permit tcp any host 12.18.13.223 eq domain </P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.224 eq www </P><P>access-list outside_access_in remark NTP from Router to DMZ</P><P>access-list outside_access_in extended permit udp host 12.18.13.1 host 12.18.13.15 eq ntp </P><P>access-list outside_access_in remark Syslog from Router</P><P>access-list outside_access_in extended permit udp host 12.18.13.1 gt 1023 host 12.18.13.13 eq syslog </P><P>access-list outside_access_in remark Inbound Email SMTP to DMZ Host 192.168.2.50</P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.13 eq smtp </P><P>access-list outside_access_in remark VPNNET IPSec ESP</P><P>access-list outside_access_in extended permit esp any host 12.18.13.31 </P><P>access-list outside_access_in remark VPNNET IPSec AH</P><P>access-list outside_access_in extended permit ah any host 12.18.13.31 </P><P>access-list outside_access_in remark VPNNET IPSec Port 4500</P><P>access-list outside_access_in extended permit udp any eq 4500 host 12.18.13.31 eq 4500 </P><P>access-list outside_access_in remark VPNNET IPSec ISAKMP</P><P>access-list outside_access_in extended permit udp any eq isakmp host 12.18.13.31 eq isakmp </P><P>access-list outside_access_in remark VPNNET IPSec over UDP port 10000</P><P>access-list outside_access_in extended permit udp any eq 10000 host 12.18.13.31 eq 10000 </P><P>access-list outside_access_in remark Sharepoint1</P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.42 eq https </P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.31 eq https </P><P>access-list outside_access_in remark Access Rule to Webmail</P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.32 eq https </P><P>access-list outside_access_in remark SLIMPSdev</P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.33 object-group http-https </P><P>access-list outside_access_in remark Inbound Website</P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.19 eq www </P><P>access-list outside_access_in remark Inbound SharePoint</P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.42 eq www </P><P>access-list outside_access_in remark Inbound WEb Traffic to ISA server-SLIMPS</P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.41 eq www </P><P>access-list outside_access_in remark Inbound Secure Web Traffic to ISA server-SLIMPS</P><P>access-list outside_access_in extended permit tcp any gt 1023 host 12.18.13.41 eq https </P><P>access-list outside_access_in remark Inbound FTP abc_web</P><P>access-list outside_access_in extended permit tcp any host 12.18.13.14 object-group DM_INLINE_TCP_2 </P><P>access-list outside_access_in remark DNS1</P><P>access-list outside_access_in remark for Public DNS2</P><P>access-list outside_access_in remark for Public DNS2</P><P>access-list outside_access_in remark NTP from Router to DMZ</P><P>access-list outside_access_in remark Syslog from Router</P><P>access-list outside_access_in remark Inbound Email SMTP to DMZ Host 192.168.2.5</P><P>access-list outside_access_in remark VPNNET IPSec ESP</P><P>access-list outside_access_in remark VPNNET IPSec AH</P><P>access-list outside_access_in remark VPNNET IPSec Port 4500</P><P>access-list outside_access_in remark VPNNET IPSec ISAKMP</P><P>access-list outside_access_in remark VPNNET IPSec over UDP port 10000</P><P>access-list outside_access_in remark Inbound WEb Traffic to Facilitate Web Server in DMZ</P><P>access-list outside_access_in remark Inbound Secure Web Traffic to Facilitate Web Server in DMZ</P><P>access-list outside_access_in remark Access Rule to FE Server</P><P>access-list outside_access_in remark SLIMPSdev</P><P>access-list outside_access_in remark Inbound WEb Traffic to ISA server-SLIMPS</P><P>access-list outside_access_in remark Inbound Secure Web Traffic to ISA server-SLIMPS</P><P>access-list outside_access_in remark Inbound port 93 to ISA server-SLIMPS</P><P>access-list outside_access_in remark Explicit Deny All</P><P>access-list vpnnet_access_in remark Patrica RDP</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.53 eq 3389 </P><P>access-list vpnnet_access_in remark Berry RDP</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.51 eq 3389 </P><P>access-list vpnnet_access_in remark John Tsai RDP</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.156 eq 3389 </P><P>access-list vpnnet_access_in remark Chopper RDP</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.128 eq 3389 </P><P>access-list vpnnet_access_in remark Ms Ballard RDP</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.58 eq 3389 </P><P>access-list vpnnet_access_in remark Wakita</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.153 eq 3389 </P><P>access-list vpnnet_access_in remark Amy RDP</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.124 eq 3389 </P><P>access-list vpnnet_access_in remark KC RDP</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.57 eq 3389 </P><P>access-list vpnnet_access_in remark Eyang RDP</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.161 eq 3389 </P><P>access-list vpnnet_access_in remark SLIMPS doc</P><P>access-list vpnnet_access_in extended permit tcp VPN_Subnet 255.255.255.0 host 192.168.1.13 eq 3389 </P><P>access-list vpnnet_access_in extended deny ip any any </P><P>access-list vpnnet_access_in remark for SLIMPS APP</P><P>access-list vpnnet_access_in remark for SLIMPS APP</P><P>access-list vpnnet_access_in remark for SLIMPS APP</P><P>access-list vpnnet_access_in remark FOR SLIMPS Application</P><P>access-list vpnnet_access_in remark SLIMPS Production Workflow</P><P>access-list vpnnet_access_in remark SLIMPS</P><P>access-list vpnnet_access_in remark FOR SLIMPS Application</P><P>access-list vpnnet_access_in remark SLIMPS VPN access to SLIMPSTEST2 Alpha website</P><P>access-list vpnnet_access_in remark SLIMPS VPN access to abc02SLIMPS1</P><P>access-list vpnnet_access_in remark SLIMPS VPN access to abc02SLIMPS2</P><P>access-list vpnnet_access_in remark for abc06SLIMPS1</P><P>access-list vpnnet_access_in remark for abc06SLIMPS1</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 135 Netbios</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 137 Netbios Name Service</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 138 Netbios Datagram</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 139 Netbios Session Service</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 445 Server Message Block</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 389 Lightweight Directory Access Protocol</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 389 Lightweight Directory Access Protocol</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 88 Kerberos</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 88 Kerberos</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 1433 Windows Sql Server</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 9000 Static RPC Port</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 9000 Static RPC Port</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 9001 Static RPC Port</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 9001 Static RPC Port</P><P>access-list vpnnet_access_in remark VPNNET Windows Port 4000 Status NTDS Port</P><P>access-list vpnnet_access_in remark VPNNET Windows TCP Domain Name Service</P><P>access-list vpnnet_access_in remark VPNNET Windows UDP Domain Name Service</P><P>access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS</P><P>access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS</P><P>access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS</P><P>access-list vpnnet_access_in remark VPNNET DNS Forwarding to DMZ DNS</P><P>access-list vpnnet_access_in remark VPNNET Outbound Web</P><P>access-list vpnnet_access_in remark VPNNET Outbound Secure Web</P><P>access-list vpnnet_access_in remark VPNNET Outbound FTP</P><P>access-list vpnnet_access_in remark VPNNET ICMP Echo</P><P>access-list vpnnet_access_in remark VPNNET ICMP Echo-Reply</P><P>access-list vpnnet_access_in remark RDP for ISA</P><P>access-list vpnnet_access_in remark Allow access after Exemption from nat to inside network</P><P>access-list vpnnet_access_in remark talin test</P><P>access-list dmz_access_in remark isa to SLIMPS1 vote portal</P><P>access-list dmz_access_in extended permit tcp host 192.168.2.20 host 192.168.2.10 eq 8200 </P><P>access-list dmz_access_in extended permit udp host 192.168.2.101 host 12.18.13.1 eq ntp </P><P>access-list dmz_access_in remark ISA to SLIMPS Dev</P><P>access-list dmz_access_in extended permit tcp host 192.168.2.14 host 12.18.13.33 eq www inactive </P><P>access-list dmz_access_in remark ClearSwift TRUSTmanager Reputations server &amp;</P><P>access-list dmz_access_in remark Broadcasting of greylisting data to peer Gateway</P><P>access-list dmz_access_in extended permit udp host Email_Gateway any eq 8007 </P><P>access-list dmz_access_in remark ClearSwift TRUSTmanager Reputations server &amp;</P><P>access-list dmz_access_in remark Broadcasting of greylisting data to peer Gateway</P><P>access-list dmz_access_in extended permit udp host Email_Gateway any eq 19200 </P><P>access-list dmz_access_in remark NTP Email Gateway</P><P>access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 host FileServer_DNS eq ntp </P><P>access-list dmz_access_in remark FTP</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway host FileServer_DNS eq ftp </P><P>access-list dmz_access_in remark ldap</P><P>access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 host 192.168.2.78 </P><P>access-list dmz_access_in remark ldap</P><P>access-list dmz_access_in extended permit udp host SharePoint gt 1023 host 192.168.2.78 </P><P>access-list dmz_access_in remark HTTP for Email_Gateway</P><P>access-list dmz_access_in extended permit object-group TCPUDP host Email_Gateway host FileServer_DNS object-group DNS </P><P>access-list dmz_access_in remark HTTP for Email_Gateway</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway host FileServer_DNS eq ldap </P><P>access-list dmz_access_in remark HTTP for Email_Gateway</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 host 192.168.2.78 eq www inactive </P><P>access-list dmz_access_in remark HTTPS access to the Clearswift Update Server</P><P>access-list dmz_access_in extended permit tcp Inside_Subnet 255.255.255.0 gt 1023 host Email_Gateway eq https inactive </P><P>access-list dmz_access_in remark HTTP for SharePoint</P><P>access-list dmz_access_in extended permit tcp host SharePoint host FileServer_DNS eq ldap </P><P>access-list dmz_access_in remark LDAP Communication for Email Gateway</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 host 192.168.2.78 object-group DM_INLINE_TCP_1 </P><P>access-list dmz_access_in remark LDAP Communication</P><P>access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.78 eq 3268 </P><P>access-list dmz_access_in remark DMZ DNS Forwarding to Outside</P><P>access-list dmz_access_in extended permit udp host PublicDNS object-group InternetDNS object-group DNS </P><P>access-list dmz_access_in remark DMZ DNS Forwarding to Outside for Email Gateway</P><P>access-list dmz_access_in extended permit udp host Email_Gateway gt 1023 object-group InternetDNS object-group DNS </P><P>access-list dmz_access_in remark DMZ ISA DNS Forwarding to Outside</P><P>access-list dmz_access_in extended permit udp host 192.168.2.15 gt 1023 object-group InternetDNS object-group DNS </P><P>access-list dmz_access_in remark DMZ DNS Forwarding to Outside</P><P>access-list dmz_access_in extended permit udp host SharePoint gt 1023 object-group InternetDNS object-group DNS </P><P>access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)</P><P>access-list dmz_access_in extended permit udp host abc_WEB gt 1023 object-group InternetDNS object-group DNS </P><P>access-list dmz_access_in remark DMZ DNS Forwarding to Outside for Email Gateway</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 object-group InternetDNS object-group DNS </P><P>access-list dmz_access_in remark DMZ DNS Forwarding to Outside</P><P>access-list dmz_access_in extended permit tcp host SharePoint gt 1023 object-group InternetDNS object-group DNS inactive </P><P>access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)</P><P>access-list dmz_access_in extended permit tcp host PublicDNS gt 1023 any eq https </P><P>access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)</P><P>access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 any eq https </P><P>access-list dmz_access_in remark DMZ DNS Outbound https Web</P><P>access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 object-group InternetDNS object-group DNS inactive </P><P>access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address</P><P>access-list dmz_access_in extended permit udp host PublicDNS gt 1023 object-group InternetDNS object-group DNS </P><P>access-list dmz_access_in remark Public DNS server.</P><P>access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 object-group InternetDNS object-group DNS </P><P>access-list dmz_access_in remark Public DNS Server</P><P>access-list dmz_access_in extended permit tcp host PublicDNS gt 1023 any eq www </P><P>access-list dmz_access_in remark Public DNS Server</P><P>access-list dmz_access_in extended permit tcp host PublicDNS2 gt 1023 any eq www </P><P>access-list dmz_access_in remark DMZ Public DNS Outbound Web</P><P>access-list dmz_access_in remark DMZ Public DNS Outbound Web</P><P>access-list dmz_access_in remark DMZ Public&nbsp; DNS to Outside</P><P>access-list dmz_access_in remark DMZ DNS to Outside</P><P>access-list dmz_access_in remark DMZ Public DNS Outbound Web</P><P>access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq www </P><P>access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address</P><P>access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq www </P><P>access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address</P><P>access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.75 eq www </P><P>access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address</P><P>access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.75 eq www </P><P>access-list dmz_access_in remark DMZ DNS FTP for Email Gateway</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq ftp </P><P>access-list dmz_access_in remark DMZ DNS Outbound Web for Email Gateway</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq www </P><P>access-list dmz_access_in remark DMZ ISA DNS Outbound Web</P><P>access-list dmz_access_in extended permit tcp host 192.168.2.15 gt 1023 any eq www </P><P>access-list dmz_access_in remark DMZ DNS Outbound Web</P><P>access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq www </P><P>access-list dmz_access_in remark For Email&nbsp; Gateway</P><P>access-list dmz_access_in extended permit icmp host Email_Gateway host 12.18.13.1 </P><P>access-list dmz_access_in remark ISA</P><P>access-list dmz_access_in extended permit icmp host 192.168.2.15 host 12.18.13.1 </P><P>access-list dmz_access_in extended permit icmp host SharePoint host 12.18.13.1 </P><P>access-list dmz_access_in remark DMZ DNS Outbound Web</P><P>access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq www </P><P>access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 any eq www </P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address</P><P>access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq ftp inactive </P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address</P><P>access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq ftp </P><P>access-list dmz_access_in remark DMZ DNS Outbound FTP</P><P>access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq ftp inactive </P><P>access-list dmz_access_in remark DMZ DNS Outbound FTP</P><P>access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq ftp </P><P>access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP</P><P>access-list dmz_access_in extended permit tcp host SharePoint host 192.168.2.73 eq smtp </P><P>access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway host 192.168.2.77 eq smtp </P><P>access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway host Exch10 eq smtp </P><P>access-list dmz_access_in remark DMZ DNS Inbound Email Gateway SMTP</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway host abc06ex2 eq smtp </P><P>access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP</P><P>access-list dmz_access_in extended permit tcp host SharePoint host abc06ex2 eq smtp inactive </P><P>access-list dmz_access_in remark DMZ DNS Inbound Web Shield Relay SMTP</P><P>access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.75 eq smtp inactive </P><P>access-list dmz_access_in remark Mailsweeper access to FE Server</P><P>access-list dmz_access_in extended permit tcp host SharePoint gt 1023 host 192.168.2.11 eq smtp inactive </P><P>access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 host 192.168.2.73 eq smtp </P><P>access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 host 192.168.2.75 eq smtp </P><P>access-list dmz_access_in remark DMZ EMail Gateway outbound delivery</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway any eq smtp </P><P>access-list dmz_access_in remark DMZ Mail Sweeper outbound delivery</P><P>access-list dmz_access_in extended permit tcp host SharePoint any eq smtp inactive </P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address</P><P>access-list dmz_access_in extended deny tcp host SharePoint gt 1023 host 192.168.2.73 eq https inactive </P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address</P><P>access-list dmz_access_in extended deny tcp host abc_WEB gt 1023 host 192.168.2.73 eq https </P><P>access-list dmz_access_in remark DMZ DNS Outbound HTTPS for Email Gateway</P><P>access-list dmz_access_in extended permit udp host Email_Gateway object-group EmailGateway any eq 8007 </P><P>access-list dmz_access_in remark DMZ DNS Outbound HTTPS for Email Gateway</P><P>access-list dmz_access_in extended permit tcp host Email_Gateway gt 1023 any eq https </P><P>access-list dmz_access_in remark DMZ DNS Outbound HTTPS</P><P>access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq https </P><P>access-list dmz_access_in remark DMZ DNS Outbound HTTPS</P><P>access-list dmz_access_in extended permit tcp host abc_WEB gt 1023 any eq https inactive </P><P>access-list dmz_access_in extended permit tcp host 192.168.2.7 gt 1023 any eq https inactive </P><P>access-list dmz_access_in remark DMZ DNS Outbound SMTP to Internet</P><P>access-list dmz_access_in extended permit tcp host SharePoint gt 1023 any eq smtp inactive </P><P>access-list dmz_access_in remark for ISA</P><P>access-list dmz_access_in extended permit tcp host 192.168.2.20 gt 1023 any eq www </P><P>access-list dmz_access_in remark for ISA</P><P>access-list dmz_access_in extended permit tcp host 192.168.2.20 gt 1023 any eq https </P><P>access-list dmz_access_in extended permit object-group TCPUDP host SharePoint Inside_Subnet 255.255.255.0 eq domain </P><P>access-list dmz_access_in extended permit icmp host SharePoint Inside_Subnet 255.255.255.0 </P><P>access-list dmz_access_in extended permit ip host abc11ids any </P><P>access-list dmz_access_in extended permit ip Inside_Subnet 255.255.255.0 any </P><P>access-list dmz_access_in remark Explicit Rule</P><P>access-list dmz_access_in extended deny ip any any </P><P>access-list dmz_access_in remark isa to SLIMPS1 vote portal</P><P>access-list dmz_access_in remark ISA to SLIMPS Dev</P><P>access-list dmz_access_in remark ldap</P><P>access-list dmz_access_in remark LDAP Communication</P><P>access-list dmz_access_in remark DMZ DNS Forwarding to Outside</P><P>access-list dmz_access_in remark DMZ DNS Forwarding to Outside</P><P>access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)</P><P>access-list dmz_access_in remark DMZ DNS Forwarding to Outside</P><P>access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)</P><P>access-list dmz_access_in remark DMZ DNS Forwarding to UUNET DNS (Zone Tranfer)</P><P>access-list dmz_access_in remark DMZ DNS Outbound https Web</P><P>access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address</P><P>access-list dmz_access_in remark Public DNS server.</P><P>access-list dmz_access_in remark Public DNS Server</P><P>access-list dmz_access_in remark Public DNS Server</P><P>access-list dmz_access_in remark DMZ Public DNS Outbound Web</P><P>access-list dmz_access_in remark DMZ Public&nbsp; DNS to Outside</P><P>access-list dmz_access_in remark DMZ DNS to Outside</P><P>access-list dmz_access_in remark DMZ Public DNS Outbound Web</P><P>access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Email Static Address</P><P>access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address</P><P>access-list dmz_access_in remark (DENY) DMZ DNS to DMZ Inside Web Shield Static Address</P><P>access-list dmz_access_in remark DMZ DNS Outbound Web</P><P>access-list dmz_access_in remark DMZ DNS Outbound Web</P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address</P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address</P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address</P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address</P><P>access-list dmz_access_in remark DMZ DNS Outbound FTP</P><P>access-list dmz_access_in remark DMZ DNS Outbound FTP</P><P>access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP</P><P>access-list dmz_access_in remark DMZ DNS Inbound Email Relay SMTP</P><P>access-list dmz_access_in remark DMZ DNS Inbound Web Shield Relay SMTP</P><P>access-list dmz_access_in remark Mailsweeper access to FE Server</P><P>access-list dmz_access_in remark DMZ Mail Sweeper outbound delivery</P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address</P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Email Static Address</P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address</P><P>access-list dmz_access_in remark (DENY) DMZ DNS Outbound to DMZ Inside Web Shield Static Address</P><P>access-list dmz_access_in remark DMZ DNS Outbound HTTPS</P><P>access-list dmz_access_in remark DMZ DNS Outbound HTTPS</P><P>access-list dmz_access_in remark DMZ DNS Outbound SMTP to Internet</P><P>access-list dmz_access_in remark for ISA</P><P>access-list dmz_access_in remark for ISA</P><P>access-list dmz_access_in remark Explicit Deny All</P><P>access-list testinside_access_in remark Deny IP Traffic from Test to Production DMZ</P><P>access-list testinside_access_in remark Allow all other Traffic to Outside</P><P>access-list testinside_access_in remark Deny IP Traffic from Test to Production DMZ</P><P>access-list testinside_access_in remark Allow all other Traffic to Outside</P><P>access-list vpnnet_nat0_outbound extended permit ip VPN_Subnet 255.255.255.0 Inside_Subnet 255.255.255.0 </P><P>access-list vpnnet_nat0_outbound extended permit ip VPN_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host Email_Gateway </P><P>access-list inside_nat0_outbound remark SharePoint</P><P>access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host SharePoint </P><P>access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0 </P><P>access-list dmz_nat0_outbound remark For Email Gateway</P><P>access-list dmz_nat0_outbound extended permit ip host Email_Gateway Inside_Subnet 255.255.255.0 </P><P>access-list dmz_nat0_outbound remark Sharepoint</P><P>access-list dmz_nat0_outbound extended permit ip host SharePoint Inside_Subnet 255.255.255.0 </P><P>access-list dmz_nat0_outbound extended permit ip DMZ_Subnet 255.255.255.0 NEW_VPN_SUBNET 255.255.255.0 </P><P>access-list dmz_nat0_outbound extended permit ip DMZ_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0 </P><P>access-list capture_acl extended permit ip host 12.18.13.33 host 12.18.13.180 </P><P>access-list capture_acl extended permit ip host 12.18.13.180 host 12.18.13.33 </P><P>access-list cap_acl extended permit ip host 192.168.2.14 host 12.18.13.180 </P><P>access-list cap_acl extended permit ip host 12.18.13.180 host 192.168.2.14 </P><P>access-list 213 extended permit ip host SharePoint host 192.168.2.21 </P><P>access-list asainside_access_in remark permit traffic from the new ASA</P><P>access-list asainside_access_in extended permit ip 192.168.100.0 255.255.255.0 Inside_Subnet 255.255.255.0 </P><P>access-list asainside_access_in extended permit ip 192.168.4.0 255.255.255.0 Inside_Subnet 255.255.255.0 </P><P>access-list asainside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 Inside_Subnet 255.255.255.0 </P><P>access-list asainside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 Inside_Subnet 255.255.255.0 </P><P>access-list acl_cap extended permit ip host 192.168.100.1 host 192.168.4.1 </P><P>access-list acl_cap extended permit ip host 192.168.4.1 host 192.168.100.1 </P><P>access-list abcdONE_splitTunnelAcl standard permit Inside_Subnet 255.255.255.0 </P><P>access-list abcdONE_splitTunnelAcl standard permit DMZ_Subnet 255.255.255.0 </P><P>access-list abcdONE_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0 </P><P>access-list oobnet_access_in extended permit ip any Inside_Subnet 255.255.255.0 </P><P>access-list VMman_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 Inside_Subnet 255.255.255.0 </P><P>access-list Internal_LAN_access_in extended permit object-group TCPUDP any object-group InternetDNS object-group DNS </P><P>access-list Internal_LAN_access_in extended permit ip any any </P><P>!</P><P>snmp-map mysnmpmap</P><P>!</P><P>pager lines 30</P><P>logging enable</P><P>logging timestamp</P><P>logging monitor informational</P><P>logging buffered informational</P><P>logging trap debugging</P><P>logging history warnings</P><P>logging asdm debugging</P><P>logging mail informational</P><P><SPAN>logging from-address </SPAN><A class="jive-link-email-small" href="mailto:mkaramat@abcdone.com" target="_blank">mkaramat@abcdone.com</A></P><P><SPAN>logging recipient-address </SPAN><A class="jive-link-email-small" href="mailto:mkaramat@abcdone.com" target="_blank">mkaramat@abcdone.com</A><SPAN> level errors</SPAN></P><P>logging device-id ipaddress outside</P><P>logging host vpnnet VPNNET_DNS</P><P>logging host inside abc09ic</P><P>logging host inside 192.168.1.60</P><P>mtu outside 1500</P><P>mtu inside 1500</P><P>mtu dmz 1500</P><P>mtu vpnnet 1500</P><P>mtu asainside 1500</P><P>mtu testinside 1500</P><P>mtu inside_new 1500</P><P>mtu Internal_LAN 1500</P><P>mtu oobnet 1500</P><P>ip local pool VPNPOOL 192.168.101.1-192.168.101.254 mask 255.255.255.0</P><P>ip local pool NEW_VPN_POOL 192.168.77.10-192.168.77.240 mask 255.255.255.0</P><P>ip verify reverse-path interface outside</P><P>ip verify reverse-path interface inside</P><P>ip verify reverse-path interface dmz</P><P>ip verify reverse-path interface vpnnet</P><P>ip verify reverse-path interface asainside</P><P>ip audit name Outside attack action drop</P><P>ip audit interface outside Outside</P><P>no failover</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any outside</P><P>asdm image disk0:/asdm-621.bin</P><P>asdm history enable</P><P>arp outside 12.18.13.20 0024.c4e9.4764 </P><P>arp timeout 14400</P><P>global (outside) 1 12.18.13.21 netmask 255.255.255.255</P><P>global (outside) 2 12.18.13.22 netmask 255.255.255.255</P><P>global (outside) 3 12.18.13.23 netmask 255.255.255.255</P><P>global (outside) 4 12.18.13.24 netmask 255.255.255.255</P><P>global (outside) 5 12.18.13.25 netmask 255.255.255.255</P><P>global (inside) 1 interface</P><P>global (dmz) 1 192.168.2.21 netmask 255.255.255.255</P><P>global (dmz) 3 192.168.2.23 netmask 255.255.255.255</P><P>global (dmz) 4 192.168.2.24 netmask 255.255.255.255</P><P>global (dmz) 5 192.168.2.25 netmask 255.255.255.255</P><P>global (vpnnet) 1 192.168.3.21 netmask 255.255.255.255</P><P>nat (outside) 1 NEW_VPN_POOL 255.255.255.0</P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P>nat (inside) 1 Inside_Subnet 255.255.255.0</P><P>nat (dmz) 0 access-list dmz_nat0_outbound</P><P>nat (dmz) 2 DMZ_Subnet 255.255.255.0</P><P>nat (vpnnet) 0 access-list vpnnet_nat0_outbound</P><P>nat (vpnnet) 3 VPN_Subnet 255.255.255.0</P><P>nat (asainside) 0 access-list asainside_nat0_outbound</P><P>nat (asainside) 1 192.168.4.0 255.255.255.0</P><P>nat (oobnet) 0 access-list VMman_nat0_outbound</P><P>static (dmz,outside) 12.18.13.31 VPN_3005 netmask 255.255.255.255 </P><P>static (inside,vpnnet) 192.168.3.72 FileServer_DNS netmask 255.255.255.255 </P><P>static (inside,vpnnet) 192.168.3.74 SQLServer netmask 255.255.255.255 </P><P>static (inside,vpnnet) 192.168.3.73 Email_DNS netmask 255.255.255.255 </P><P>static (inside,vpnnet) 192.168.3.76 FileServer_NAS netmask 255.255.255.255 dns </P><P>static (inside,vpnnet) 192.168.3.80 abcSLIMPS1 netmask 255.255.255.255 dns </P><P>static (inside,dmz) 192.168.2.73 Email_DNS netmask 255.255.255.255 </P><P>static (inside,dmz) 192.168.2.77 abc06ex2 netmask 255.255.255.255 </P><P>static (dmz,outside) 12.18.13.13 Email_Gateway netmask 255.255.255.255 </P><P>static (dmz,outside) 12.18.13.14 abc_WEB netmask 255.255.255.255 </P><P>static (outside,inside) VTC VTC_Outside netmask 255.255.255.255 </P><P>static (dmz,outside) 12.18.13.15 192.168.2.101 netmask 255.255.255.255 </P><P>static (inside,outside) 12.18.13.19 abc09ic netmask 255.255.255.255 </P><P>static (inside,outside) 12.18.13.42 SharePoint netmask 255.255.255.255 </P><P>static (inside,dmz) 192.168.2.78 FileServer_DNS netmask 255.255.255.255 </P><P>static (inside,outside) 12.18.13.32 Exch10 netmask 255.255.255.255 </P><P>static (inside,dmz) 192.168.2.10 abcSLIMPS1 netmask 255.255.255.255 </P><P>static (inside,dmz) 192.168.2.11 abc02EX2 netmask 255.255.255.255 </P><P>static (inside,vpnnet) 192.168.3.11 abc02EX2 netmask 255.255.255.255 </P><P>static (inside,vpnnet) 192.168.3.81 192.168.1.155 netmask 255.255.255.255 </P><P>static (inside,vpnnet) 192.168.3.82 192.168.1.28 netmask 255.255.255.255 dns </P><P>static (inside,dmz) 192.168.2.13 192.168.1.13 netmask 255.255.255.255 </P><P>static (inside,outside) VTC_Outside VTC netmask 255.255.255.255 </P><P>static (inside,outside) 12.18.13.33 192.168.1.13 netmask 255.255.255.255 </P><P>static (inside,outside) 12.18.13.41 abcSLIMPS1 netmask 255.255.255.255 </P><P>static (inside,outside) 12.18.13.222 ExternalDNS netmask 255.255.255.255 </P><P>static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0 </P><P>static (Internal_LAN,inside) 172.168.1.0 172.168.1.0 netmask 255.255.255.255 </P><P>access-group outside_access_in in interface outside</P><P>access-group inside_access_in in interface inside</P><P>access-group dmz_access_in in interface dmz</P><P>access-group vpnnet_access_in in interface vpnnet</P><P>access-group asainside_access_in in interface asainside</P><P>access-group Internal_LAN_access_in in interface Internal_LAN</P><P>access-group oobnet_access_in in interface oobnet</P><P>route outside 0.0.0.0 0.0.0.0 12.18.13.1 1</P><P>route asainside 192.168.100.0 255.255.255.0 192.168.4.2 1</P><P>timeout xlate 1:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa-server TACACS+ protocol tacacs+</P><P>aaa-server RADIUS protocol radius</P><P>aaa-server abc.com protocol nt</P><P>aaa-server abc.com (inside) host 192.168.1.2</P><P> nt-auth-domain-controller abc12dc1</P><P>aaa-server abc.com (inside) host Email_DNS</P><P> nt-auth-domain-controller abc12dc2</P><P>aaa authentication ssh console LOCAL </P><P>aaa authentication enable console LOCAL </P><P>http server enable</P><P>http 10.0.0.0 255.255.255.0 outside</P><P>http Inside_Subnet 255.255.255.0 outside</P><P>http Inside_Subnet 255.255.255.0 inside</P><P>http VPN_Subnet 255.255.255.0 vpnnet</P><P>snmp-server group Authentication_Only v3 auth </P><P>snmp-server group Authentication&amp;Encryption v3 priv </P><P>snmp-server user mkaramat Authentication&amp;Encryption v3 encrypted auth md5 25:57:33:8a:86:b0:fc:71:36:5f:de:3d:83:35:eb:d4 priv aes 128 25:57:33:8a:86:b0:fc:71:36:5f:de:3d:83:35:eb:d4 </P><P>snmp-server host inside 192.168.1.60 version 3 mkaramat udp-port 161</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community *****</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>no service resetoutbound interface outside</P><P>no service resetoutbound interface inside</P><P>no service resetoutbound interface dmz</P><P>no service resetoutbound interface vpnnet</P><P>no service resetoutbound interface asainside</P><P>no service resetoutbound interface testinside</P><P>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map outside_map interface outside</P><P>crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map inside_map interface inside</P><P>crypto map oobnet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP</P><P>crypto map oobnet_map interface oobnet</P><P>crypto isakmp enable outside</P><P>crypto isakmp enable inside</P><P>crypto isakmp enable inside_new</P><P>crypto isakmp enable oobnet</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>no crypto isakmp nat-traversal</P><P>telnet 12.18.13.0 255.255.255.0 outside</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 outside</P><P>ssh Inside_Subnet 255.255.255.0 inside</P><P>ssh VPN_Subnet 255.255.255.0 vpnnet</P><P>ssh timeout 30</P><P>ssh version 1</P><P>console timeout 0</P><P>dhcpd auto_config inside</P><P>!</P><P>dhcpd dns 192.168.1.2 Email_DNS interface oobnet</P><P>dhcpd domain abc.com interface oobnet</P><P>dhcpd option 3 ip 172.16.0.1 interface oobnet</P><P>!</P><P></P><P></P><P>threat-detection basic-threat</P><P>threat-detection statistics</P><P>threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200</P><P>ntp server 192.43.244.18 source outside prefer</P><P>tftp-server vpnnet 192.168.3.10 /</P><P>webvpn</P><P>group-policy DfltGrpPolicy attributes</P><P> vpn-idle-timeout 60</P><P>group-policy abcdONEVPN internal</P><P>group-policy abcdONEVPN attributes</P><P> dns-server value 192.168.1.7 192.168.1.3</P><P> vpn-tunnel-protocol IPSec </P><P> default-domain value abc</P><P>group-policy abcdONE internal</P><P>group-policy abcdONE attributes</P><P></P><P> dns-server value 192.168.1.7 192.168.1.3</P><P> vpn-idle-timeout 30</P><P> vpn-tunnel-protocol IPSec l2tp-ipsec </P><P> split-tunnel-policy tunnelall</P><P> split-tunnel-network-list value abcdONE_splitTunnelAcl</P><P> default-domain value abc.com</P><P> service-type remote-access</P><P>service-type remote-access</P><P>tunnel-group abcdONE type remote-access</P><P>tunnel-group abcdONE general-attributes</P><P> address-pool NEW_VPN_POOL</P><P> default-group-policy abcdONE</P><P>tunnel-group abcdONE ipsec-attributes</P><P> pre-shared-key *</P><P> isakmp keepalive disable</P><P>tunnel-group abcdONE ppp-attributes</P><P> authentication pap</P><P> authentication ms-chap-v2</P><P> authentication eap-proxy</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>policy-map type inspect ipsec-pass-thru VPN</P><P> parameters</P><P>&nbsp; esp </P><P>&nbsp; ah </P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect http </P><P>&nbsp; inspect icmp </P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:02e178404b46bb8758b23aea638d2f24</P><P>: end</P><P>asdm image disk0:/asdm-621.bin</P><P>asdm location NEW_VPN_POOL 255.255.255.0 inside</P><P>asdm location abc09ic 255.255.255.255 inside</P><P>asdm location VTC 255.255.255.255 inside</P><P>asdm location Email_Gateway 255.255.255.255 inside</P><P>asdm location Exch10 255.255.255.255 inside</P><P>asdm location ExternalDNS 255.255.255.255 inside</P><P>asdm location abc11ids 255.255.255.255 inside</P><P>asdm history enable</P> Tue, 12 Mar 2019 02:54:49 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321667#M310556 macboy276 2019-03-12T02:54:49Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321668#M310559 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I dont see any <STRONG>"nat"</STRONG> statement for interface <STRONG>"Internal_LAN"</STRONG></P><P></P><P><STRONG>nat (Internal_LAN) <ID number=""> 172.168.1.0 255.255.255.0 </ID></STRONG></P><P></P><P>The ID number mentioned you can choose yourself since you seem to use multiple different public IP addresses for Dynamic PAT configurations.</P><P></P><P>The above would enable Dynamic PAT for the users behind <STRONG>"Internal_LAN"</STRONG> interface and therefore enable Internet connectivity.</P><P></P><P>It seems to me that this network is actually a public network and not one belonging to the private network range.</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 18:54:40 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321668#M310559 Jouni Forss 2013-10-22T18:54:40Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321669#M310562 <HTML><HEAD></HEAD><BODY><P>Does this nat command will have any issues with vlan 2. There is also no nat for vlan 2 available, how it is getting internet access.</P></BODY></HTML> Tue, 22 Oct 2013 19:46:06 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321669#M310562 macboy276 2013-10-22T19:46:06Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321670#M310564 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The above command doesnt really refer to the interface <STRONG>"inside" </STRONG>at all so it doesnt really have effect on it.</P><P></P><P>The Internet works from behind<STRONG> "inside"</STRONG> interface even with the NAT0 configuration because the NAT0 is not configured for every destination address. The NAT0 applies only when the destination networks are those configured in the ACL below</P><P></P><P><STRONG>access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host Email_Gateway </STRONG></P><P><STRONG>access-list inside_nat0_outbound remark SharePoint</STRONG></P><P><STRONG>access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 host SharePoint </STRONG></P><P><STRONG>access-list inside_nat0_outbound extended permit ip Inside_Subnet 255.255.255.0 NEW_VPN_POOL 255.255.255.0 </STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 19:51:13 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321670#M310564 Jouni Forss 2013-10-22T19:51:13Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321671#M310565 <HTML><HEAD></HEAD><BODY><P>I have used the following command</P><P><STRONG style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">nat (Internal_LAN) 8 172.168.1.0 255.255.255.0</STRONG></P><P></P><P>the above command is giving me the following error and no internet.</P><P></P><P></P><P>305006|Email_DNS|53|||portmap translation creation failed for udp src Internal_LAN:172.168.1.72/55035 dst inside:Email_DNS/53</P><P></P><P>When i use </P><P><STRONG style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">no nat (Internal_LAN) 8 172.168.1.0 255.255.255.0</STRONG></P><P>the following error appears in log</P><P></P><P>Teardown TCP connection 1307075 for outside:108.59.5.130/443 to Internal_LAN:172.168.1.72/2273 duration 0:00:00 bytes 0 TCP Reset-O</P></BODY></HTML> Tue, 22 Oct 2013 20:17:29 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321671#M310565 macboy276 2013-10-22T20:17:29Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321672#M310566 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>To have a complete Dynamic PAT configuration you would need a <STRONG>"global"</STRONG> command with ID 8 also.</P><P></P><P>Or you can replace the ID 8 in the above command with something that already has a <STRONG>"global"</STRONG> command</P><P></P><P>Like these</P><P></P><P><STRONG>global (outside) 1 12.18.13.21 netmask 255.255.255.255</STRONG></P><P><STRONG>global (outside) 2 12.18.13.22 netmask 255.255.255.255</STRONG></P><P><STRONG>global (outside) 3 12.18.13.23 netmask 255.255.255.255</STRONG></P><P><STRONG>global (outside) 4 12.18.13.24 netmask 255.255.255.255</STRONG></P><P><STRONG>global (outside) 5 12.18.13.25 netmask 255.255.255.255</STRONG></P><P></P><P>The first log message you post is a problem between <STRONG>"Internal_LAN"</STRONG> and <STRONG>"inside"</STRONG>. That might probably be corrected by adding</P><P></P><P><STRONG>static (inside,Internal_LAN) 192.168.1.0 192.168.1.0 netmask 255.255.255.0</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Tue, 22 Oct 2013 20:28:53 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321672#M310566 Jouni Forss 2013-10-22T20:28:53Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321673#M310567 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P></P><P></P><P>So I was checking your configuration, I understand the security levels are set to 100 on both inside and Internal_LAN, if you change the security level on Internal_LAN to something lower than 100 you should be able to access everything as you were and also add the PAT configuration that your previous collaborator indicated.</P><P></P><P>Configuration:</P><P></P><P>enable</P><P></P><P>config t</P><P></P><P>interface Vlan8</P><P></P><P>security-level 90</P><P></P><P>nat (Internal_LAN) 8 172.168.1.0 255.255.255.0</P><P></P><P>Try it out, that way you don't need to add additional NAT configuration.</P></BODY></HTML> Tue, 22 Oct 2013 20:55:16 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321673#M310567 jumora 2013-10-22T20:55:16Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321674#M310568 <HTML><HEAD></HEAD><BODY><P>I try using&nbsp; the following config but it is still not working.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">interface Vlan8</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">security-level 90</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">nat (Internal_LAN) 8 172.168.1.0 255.255.255.0</P></BODY></HTML> Tue, 22 Oct 2013 22:03:12 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321674#M310568 macboy276 2013-10-22T22:03:12Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321675#M310569 <HTML><HEAD></HEAD><BODY><P>I forgot to indicate, you have a static NAT configuration that maps the inside network to the internal_LAN </P><P></P><P>static (inside,Internal_LAN) Inside_Subnet Inside_Subnet netmask 255.255.255.0 </P><P></P><P>name 192.168.1.0 Inside_Subnet</P><P></P><P>If you need the Internal_LAN network to be able to access anything on the inside I would rather configure the NAT exemption that states that you will not require NAT from the inside interface network to the internal_LAN network but that is all up to you if you want to configure it or not.</P><P></P><P>access-list inside_nat0_outbound permit ip any 172.168.1.0 255.255.255.0</P><P></P><P>NOTE: The line above is part of the next configuration that applies the NAT exemption on the inside interface:</P><P></P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P></P><P>So the configuration would like this:</P><P></P><P>enable</P><P></P><P>config t</P><P></P><P>interface Vlan8</P><P></P><P>security-level 90</P><P></P><P>nat (Internal_LAN) 8 172.168.1.0 255.255.255.0</P><P></P><P>global (outside) 8 12.18.13.X</P></BODY></HTML> Tue, 22 Oct 2013 22:04:18 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321675#M310569 jumora 2013-10-22T22:04:18Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321676#M310570 <HTML><HEAD></HEAD><BODY><P>follwing error is logged</P><P></P><P></P><TABLE><TBODY><TR><TD><BR /></TD><TD><BR /></TD><TD><BR /></TD><TD>305006</TD><TD>95.211.37.197</TD><TD>80</TD><TD><BR /></TD><TD><BR /></TD><TD>portmap translation creation failed for tcp src Internal_LAN:172.168.1.72/1807 dst outside:95.211.37.197/80</TD></TR></TBODY></TABLE></BODY></HTML> Tue, 22 Oct 2013 22:04:43 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321676#M310570 macboy276 2013-10-22T22:04:43Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321677#M310571 <HTML><HEAD></HEAD><BODY><P>that&nbsp; means with this new config i will still be able to connect to inside network and have internet access.</P><P>global (outside) 8 12.18.13.X</P><P>With what X has to be replaced</P></BODY></HTML> Tue, 22 Oct 2013 22:12:41 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321677#M310571 macboy276 2013-10-22T22:12:41Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321678#M310572 <HTML><HEAD></HEAD><BODY><P>I put an X meaning an IP of your choice if you still have available IP addresses but if you do not and you do not care if it goes out with the same global IP address as the people on the inside then you can just add the next line but remember to change the security levels.</P><P></P><P>nat (Internal_LAN) 1 172.168.1.0 255.255.255.0</P></BODY></HTML> Tue, 22 Oct 2013 22:17:48 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321678#M310572 jumora 2013-10-22T22:17:48Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321679#M310573 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Could you let me know if you&nbsp; have tried the configuration I originally suggested. I mean creating a&nbsp; <STRONG>"nat"</STRONG> statement for the <STRONG>"Internal_LAN"</STRONG> thats ID number matches one of&nbsp; the existing <STRONG>"global"</STRONG> or make a new <STRONG>"global"</STRONG> for&nbsp; it. And also if the <STRONG>"Internal_LAN"</STRONG> needs to access <STRONG>"inside"</STRONG> you could&nbsp; have added the <STRONG>"static"</STRONG> command suggested.</P><P></P><P>It seems there has been some&nbsp; other suggestions in between that&nbsp; have again suggested completely&nbsp; different things. I would have been&nbsp; interested to know what the&nbsp; situation is after the suggested changes&nbsp; before going and&nbsp; doing something completely different.</P><P></P><P>If you are changing a lot of NAT configurations for the new <STRONG>"Internal_LAN"</STRONG> interface I would suggest checking the output of</P><P></P><P><STRONG>show xlate | inc 172.168.1</STRONG></P><P></P><P>To see if you need to use some&nbsp; variant of the <STRONG>"clear xlate"</STRONG> command to clear old translations still&nbsp; active on the firewall. You should not use the <STRONG>"clear xlate"</STRONG> without&nbsp; additional parameters as otherwise it clears all&nbsp; translations on the firewall in the mentioned form of the command</P><P></P><P>You can use</P><P></P><P><STRONG>clear xlate ?</STRONG></P><P></P><P>To view the different optional parameters for the command</P><P></P><P> - Jouni</P></BODY></HTML> Wed, 23 Oct 2013 14:58:42 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321679#M310573 Jouni Forss 2013-10-23T14:58:42Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321680#M310574 <HTML><HEAD></HEAD><BODY><P>Hi Jumora</P><P></P><P>Result of the command: "nat (Internal_LAN) 1 172.168.1.0 255.255.255.0"</P><P></P><P></P><P>Duplicate NAT entry</P></BODY></HTML> Wed, 23 Oct 2013 17:08:24 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321680#M310574 macboy276 2013-10-23T17:08:24Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321681#M310575 <HTML><HEAD></HEAD><BODY><P>Please send me the next: </P><P></P><P>show run nat</P><P></P><P>and </P><P></P><P>show run nat | in Internal_LAN</P></BODY></HTML> Wed, 23 Oct 2013 17:16:23 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321681#M310575 jumora 2013-10-23T17:16:23Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321682#M310576 <HTML><HEAD></HEAD><BODY><P>Did you remove the "nat (Internal_LAN) 8 172.168.1.0 255.255.255.0", you need to remove it before adding "nat (Internal_LAN) 1 172.168.1.0 255.255.255.0"</P></BODY></HTML> Wed, 23 Oct 2013 17:17:53 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321682#M310576 jumora 2013-10-23T17:17:53Z https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321683#M310577 <HTML><HEAD></HEAD><BODY><P>I removed the old nat and add </P><P>nat (Internal_LAN) 1 172.168.1.0 255.255.255.0</P><P>interface vlan8</P><P>security-level 90</P><P></P><P>It worked. Now i have internet access.</P></BODY></HTML> Wed, 23 Oct 2013 19:31:49 GMT https://community.cisco.com/t5/network-security/no-internet-access/m-p/2321683#M310577 macboy276 2013-10-23T19:31:49Z