topic ASA 5510 vlan cannot reach wan in Network Security https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966362#M435608 <P>Hi everyone,</P><P></P><P>i'm setting up vlan and inter-vlan routing in my lab. My vlan work well (routing between them and dhcp relay) on the LAN side of the ASA but they cannot reach internet trough the ASA.</P><P></P><P>I read a lot about this issue and tried different configurations but i can't solve it...</P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2112611" target="_blank">Exemple of what i read and tried </A></P><P></P><P>Here my ASA settings :</P><P></P><P><EM><STRONG>Note : I know that the physical interface musn't have an <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/455803">@ip</a> but my present network needs one to work. I'll fix this during my next tests.</STRONG></EM></P><P>: Saved</P><P>:</P><P>ASA Version 8.2(1)</P><P>!</P><P>hostname CISCOASA</P><P>domain-name MEDIAMEETING</P><P>enable password *********** encrypted</P><P>passwd ********** encrypted</P><P>names</P><P>name 192.168.0.2 mediaserv</P><P>name 192.168.2.200 Routeur-Fullsave description Routeur Fullsave</P><P>name 91.197.164.8 Serveur-streaming description Serveur de streaming distant</P><P>name 193.252.220.135 FM47</P><P>name 79.174.207.220 SNCF</P><P>name 80.13.227.86 TLSEFM</P><P>name 79.174.204.201 ALTITUDE</P><P>name 212.234.48.67 BDX</P><P>name 192.168.4.254 Freebox description Freebox</P><P>dns-guard</P><P>!</P><P>interface Ethernet0/0</P><P> nameif WAN_FREE</P><P> security-level 10</P><P> ip address 192.168.4.253 255.255.255.0 standby 192.168.4.250</P><P> !</P><P> interface Ethernet0/1</P><P> description connexion vers le LAN via switch cisco</P><P> nameif LAN</P><P> security-level 100</P><P> ip address 192.168.0.4 255.255.255.0 standby 192.168.0.6</P><P>!</P><P>interface Ethernet0/1.31</P><P> vlan 31</P><P> nameif vlan_postes</P><P> security-level 100</P><P> ip address 192.168.31.254 255.255.255.0</P><P>!</P><P>interface Ethernet0/1.200</P><P> vlan 200</P><P> nameif vlan_winradio</P><P> security-level 100</P><P> ip address 192.168.200.250 255.255.255.0</P><P>!</P><P>interface Ethernet0/2</P><P> description Connexion Free et fibre</P><P> speed 100</P><P> duplex full</P><P> nameif WAN_Fibre</P><P> security-level 10</P><P>&nbsp; ip address 192.168.2.253 255.255.255.0 standby 192.168.2.250</P><P>!</P><P>interface Ethernet0/3</P><P> description LAN Failover Interface</P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0</P><P> management-only</P><P>!</P><P><SPAN>boot system t</SPAN><A class="jive-link-external-small" href="ftp://192.168.0.2/modifpass" target="_blank">ftp://192.168.0.2/modifpass</A></P><P>boot system disk0:/asa821-k8.bin</P><P>ftp mode passive</P><P>clock timezone CEST 1</P><P>clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00</P><P>dns server-group DefaultDNS</P><P> domain-name MEDIAMEETING</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group network Acces-distant</P><P> network-object host FM47</P><P> network-object host SNCF</P><P> network-object host TLSEFM</P><P> network-object host BDX</P><P>object-group network MM-Acces-distant</P><P> network-object 192.168.0.0 255.255.255.0</P><P>object-group service RAdmin tcp</P><P> description Port RAdmin</P><P> port-object eq 4899</P><P>access-list LAN_pnat_outbound extended permit ip host 192.168.0.56 171.16.135.216 255.255.255.248</P><P>access-list LAN_nat0_outbound extended permit ip 192.168.97.80 255.255.255.248 171.16.135.216 255.255.255.248</P><P>access-list LAN_nat0_outbound extended permit ip any 192.168.0.128 255.255.255.128</P><P>access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.128 255.255.255.128</P><P>access-list LAN_nat0_outbound extended permit ip host 192.168.0.187 192.168.248.0 255.255.255.0 inactive</P><P>access-list LAN_nat0_outbound extended permit ip host 192.168.0.56 192.168.248.0 255.255.255.0 inactive</P><P>access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.128</P><P>access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0</P><P>access-list LAN_nat0_inbound extended permit ip any 192.168.0.128 255.255.255.128</P><P>access-list Mediameet_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0</P><P>access-list Mediameet_splitTunnelAcl standard permit 192.168.31.0 255.255.255.0</P><P>access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3389 inactive</P><P>access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3390 inactive</P><P>access-list WAN_Access_In2 remark Acces RAdmin Principal</P><P>access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 4899</P><P>access-list WAN_Access_In2 remark Acces RAdmin Principal</P><P>access-list LAN_nat0_inbound.20 extended permit ip any 192.168.3.0 255.255.255.128</P><P>access-list global_mpc_1 remark exemple priorisation Prise de main Ã&nbsp; distance</P><P>access-list global_mpc_1 extended permit ip object-group MM-Acces-distant object-group Acces-distant</P><P>access-list global_mpc_1 remark exemple priorisation Prise de main Ã&nbsp; distance</P><P>access-list streaming extended permit ip any host Serveur-streaming</P><P>access-list Mediameet_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0</P><P>access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours</P><P>access-list WAN_FREE_access_in_1 extended permit tcp any host 192.168.4.253 eq 4899</P><P>access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours</P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>logging from-address ******</P><P>logging recipient-address ******</P><P>mtu WAN_FREE 1500</P><P>mtu LAN 1500</P><P>mtu WAN_Fibre 1500</P><P>mtu vlan_postes 1500</P><P>mtu vlan_winradio 1500</P><P>mtu management 1500</P><P>ip local pool RemoteConn 192.168.3.1-192.168.3.128 mask 255.255.255.0</P><P>failover</P><P> failover lan unit primary</P><P>failover lan interface STATEFUL Ethernet0/3</P><P>failover replication http</P><P>failover interface ip STATEFUL 10.0.0.1 255.255.255.252 standby 10.0.0.2</P><P>no monitor-interface management</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-641.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (WAN_FREE) 1 interface</P><P>global (WAN_Fibre) 1 interface</P><P>nat (LAN) 0 access-list LAN_nat0_outbound</P><P>nat (LAN) 0 access-list LAN_nat0_inbound outside</P><P>nat (LAN) 1 0.0.0.0 0.0.0.0</P><P>nat (vlan_postes) 1 192.168.31.0 255.255.255.0</P><P>nat (vlan_postes) 1 0.0.0.0 0.0.0.0</P><P>static (LAN,WAN_Fibre) tcp interface 4899 192.168.0.56 4899 netmask 255.255.255.255</P><P>static (vlan_postes,WAN_Fibre) 192.168.31.0 192.168.31.0 netmask 255.255.255.0</P><P>static (WAN_Fibre,vlan_postes) 192.168.2.0 192.168.2.0 netmask 255.255.255.0</P><P>access-group WAN_FREE_access_in_1 in interface WAN_FREE</P><P>access-group WAN_Access_In2 in interface WAN_Fibre</P><P>route WAN_Fibre 0.0.0.0 0.0.0.0 Routeur-Fullsave 64 track 1</P><P>route WAN_FREE 0.0.0.0 0.0.0.0 Freebox 62</P><P>timeout xlate 3:00:00</P><P> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 management</P><P>http 192.168.0.0 255.255.0.0 LAN</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sla monitor 1</P><P>type echo protocol ipIcmpEcho Routeur-Fullsave interface WAN_Fibre</P><P>sla monitor schedule 1 life forever start-time now</P><P>service resetoutside</P><P>crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac</P><P>crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac</P><P>crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac</P><P>crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac</P><P>crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac</P><P>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac</P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</P><P>crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac</P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map WAN_dyn_map 20 set pfs group1</P><P>crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map WAN_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map WAN_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map WAN_dyn_map 40 set security-association lifetime seconds 28800</P><P>crypto dynamic-map WAN_dyn_map 40 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map WAN_dyn_map 60 set security-association lifetime seconds 28800</P><P>crypto dynamic-map WAN_dyn_map 60 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map FREE_dyn_map 20 match address LAN_nat0_inbound.20</P><P>crypto dynamic-map FREE_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map FREE_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map FREE_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map WAN_map_FREE 20 ipsec-isakmp dynamic FREE_dyn_map</P><P>crypto map WAN_map_FREE interface WAN_Fibre</P><P>!</P><P>crypto ca trustpoint ASDM_SSLMM</P><P> enrollment terminal</P><P> subject-name CN=CISCOASA</P><P>&nbsp; crl configure</P><P>crypto ca trustpoint localtrust_Free</P><P>&nbsp; [...]</P><P>crypto ca trustpoint localtrust_Fibre</P><P> [...]</P><P>!</P><P>crypto ca certificate chain localtrust_Free</P><P> [...]</P><P>&nbsp; quit</P><P>crypto ca certificate chain localtrust_Fibre</P><P> [...]</P><P>&nbsp; quit</P><P>crypto isakmp identity hostname</P><P>crypto isakmp enable WAN_Fibre</P><P>crypto isakmp enable management</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>!</P><P>track 1 rtr 1 reachability</P><P>client-update enable</P><P>no vpn-addr-assign aaa</P><P>no vpn-addr-assign dhcp</P><P>telnet 192.168.0.0 255.255.255.0 LAN</P><P>telnet 192.168.3.0 255.255.255.128 LAN</P><P>telnet timeout 10</P><P>ssh timeout 5</P><P>console timeout 0</P><P>management-access LAN</P><P>dhcpd address 192.168.1.2-192.168.1.254 management</P><P>!</P><P>dhcprelay server 192.168.0.1 LAN</P><P>dhcprelay enable vlan_postes</P><P>dhcprelay enable vlan_winradio</P><P>dhcprelay timeout 60</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200</P><P>ssl trust-point localtrust_Fibre WAN_Fibre</P><P>ssl trust-point localtrust_Free WAN_FREE</P><P>webvpn</P><P> [...]</P><P>group-policy DfltGrpPolicy attributes</P><P> [...]</P><P>group-policy Mediameet internal</P><P>group-policy Mediameet attributes</P><P>&nbsp; [...]</P><P>group-policy Mediameet_1 internal</P><P>group-policy Mediameet_1 attributes</P><P>&nbsp; [...]</P><P>group-policy MediaSSL internal</P><P>group-policy MediaSSL attributes</P><P>&nbsp; [...]</P><P>username ******* password ****** encrypted privilege 0</P><P>username ********* attributes</P><P> vpn-group-policy Mediameet</P><P> [...]</P><P>!</P><P>class-map WinRadio-class</P><P> description limitation bande Passante Ã&nbsp; 1Mbits/s</P><P> match any</P><P>class-map global-class</P><P> match default-inspection-traffic</P><P>class-map Streaming-class</P><P> match any</P><P>class-map SITES-DISTANTS</P><P> description exemple priorisation Prise de main Ã&nbsp; distance</P><P> match access-list global_mpc_1</P><P>class-map global-class1</P><P> description exemple priorisation Prise de main Ã&nbsp; distance</P><P> match port tcp range 3389 3390</P><P>class-map global-class2</P><P> description Préparation streaming 2mbps</P><P> match port tcp range 9252 9256</P><P>!</P><P>!</P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>&nbsp; message-length maximum client auto</P><P> policy-map global-policy</P><P> description default_inspection</P><P> class global-class1</P><P>&nbsp; priority</P><P> class global-class2</P><P>&nbsp; police input 2097000 1500</P><P>&nbsp; police output 2097000 1500</P><P> class SITES-DISTANTS</P><P>&nbsp; priority</P><P> class global-class</P><P>&nbsp; inspect dns migrated_dns_map_1</P><P>&nbsp; inspect esmtp</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect icmp</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect pptp</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect sunrpc</P><P>&nbsp;&nbsp; inspect tftp</P><P>&nbsp; inspect xdmcp</P><P>policy-map WinRadio-policy</P><P> class WinRadio-class</P><P>&nbsp; police input 1024000 1500</P><P>&nbsp; police output 1024000 1500</P><P>policy-map Streaming-policy</P><P> class Streaming-class</P><P>&nbsp; police input 1024000 1500</P><P>&nbsp; police output 3072000 1536</P><P>!</P><P>prompt hostname priority state</P><P>Cryptochecksum:*************</P><P>: end</P><P></P><P>I apologize for my english and thank you for your interest.</P> Mon, 11 Mar 2019 23:12:35 GMT Mediadeshaies 2019-03-11T23:12:35Z ASA 5510 vlan cannot reach wan https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966362#M435608 <P>Hi everyone,</P><P></P><P>i'm setting up vlan and inter-vlan routing in my lab. My vlan work well (routing between them and dhcp relay) on the LAN side of the ASA but they cannot reach internet trough the ASA.</P><P></P><P>I read a lot about this issue and tried different configurations but i can't solve it...</P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2112611" target="_blank">Exemple of what i read and tried </A></P><P></P><P>Here my ASA settings :</P><P></P><P><EM><STRONG>Note : I know that the physical interface musn't have an <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/455803">@ip</a> but my present network needs one to work. I'll fix this during my next tests.</STRONG></EM></P><P>: Saved</P><P>:</P><P>ASA Version 8.2(1)</P><P>!</P><P>hostname CISCOASA</P><P>domain-name MEDIAMEETING</P><P>enable password *********** encrypted</P><P>passwd ********** encrypted</P><P>names</P><P>name 192.168.0.2 mediaserv</P><P>name 192.168.2.200 Routeur-Fullsave description Routeur Fullsave</P><P>name 91.197.164.8 Serveur-streaming description Serveur de streaming distant</P><P>name 193.252.220.135 FM47</P><P>name 79.174.207.220 SNCF</P><P>name 80.13.227.86 TLSEFM</P><P>name 79.174.204.201 ALTITUDE</P><P>name 212.234.48.67 BDX</P><P>name 192.168.4.254 Freebox description Freebox</P><P>dns-guard</P><P>!</P><P>interface Ethernet0/0</P><P> nameif WAN_FREE</P><P> security-level 10</P><P> ip address 192.168.4.253 255.255.255.0 standby 192.168.4.250</P><P> !</P><P> interface Ethernet0/1</P><P> description connexion vers le LAN via switch cisco</P><P> nameif LAN</P><P> security-level 100</P><P> ip address 192.168.0.4 255.255.255.0 standby 192.168.0.6</P><P>!</P><P>interface Ethernet0/1.31</P><P> vlan 31</P><P> nameif vlan_postes</P><P> security-level 100</P><P> ip address 192.168.31.254 255.255.255.0</P><P>!</P><P>interface Ethernet0/1.200</P><P> vlan 200</P><P> nameif vlan_winradio</P><P> security-level 100</P><P> ip address 192.168.200.250 255.255.255.0</P><P>!</P><P>interface Ethernet0/2</P><P> description Connexion Free et fibre</P><P> speed 100</P><P> duplex full</P><P> nameif WAN_Fibre</P><P> security-level 10</P><P>&nbsp; ip address 192.168.2.253 255.255.255.0 standby 192.168.2.250</P><P>!</P><P>interface Ethernet0/3</P><P> description LAN Failover Interface</P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0</P><P> management-only</P><P>!</P><P><SPAN>boot system t</SPAN><A class="jive-link-external-small" href="ftp://192.168.0.2/modifpass" target="_blank">ftp://192.168.0.2/modifpass</A></P><P>boot system disk0:/asa821-k8.bin</P><P>ftp mode passive</P><P>clock timezone CEST 1</P><P>clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00</P><P>dns server-group DefaultDNS</P><P> domain-name MEDIAMEETING</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group network Acces-distant</P><P> network-object host FM47</P><P> network-object host SNCF</P><P> network-object host TLSEFM</P><P> network-object host BDX</P><P>object-group network MM-Acces-distant</P><P> network-object 192.168.0.0 255.255.255.0</P><P>object-group service RAdmin tcp</P><P> description Port RAdmin</P><P> port-object eq 4899</P><P>access-list LAN_pnat_outbound extended permit ip host 192.168.0.56 171.16.135.216 255.255.255.248</P><P>access-list LAN_nat0_outbound extended permit ip 192.168.97.80 255.255.255.248 171.16.135.216 255.255.255.248</P><P>access-list LAN_nat0_outbound extended permit ip any 192.168.0.128 255.255.255.128</P><P>access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.128 255.255.255.128</P><P>access-list LAN_nat0_outbound extended permit ip host 192.168.0.187 192.168.248.0 255.255.255.0 inactive</P><P>access-list LAN_nat0_outbound extended permit ip host 192.168.0.56 192.168.248.0 255.255.255.0 inactive</P><P>access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.128</P><P>access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0</P><P>access-list LAN_nat0_inbound extended permit ip any 192.168.0.128 255.255.255.128</P><P>access-list Mediameet_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0</P><P>access-list Mediameet_splitTunnelAcl standard permit 192.168.31.0 255.255.255.0</P><P>access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3389 inactive</P><P>access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3390 inactive</P><P>access-list WAN_Access_In2 remark Acces RAdmin Principal</P><P>access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 4899</P><P>access-list WAN_Access_In2 remark Acces RAdmin Principal</P><P>access-list LAN_nat0_inbound.20 extended permit ip any 192.168.3.0 255.255.255.128</P><P>access-list global_mpc_1 remark exemple priorisation Prise de main Ã&nbsp; distance</P><P>access-list global_mpc_1 extended permit ip object-group MM-Acces-distant object-group Acces-distant</P><P>access-list global_mpc_1 remark exemple priorisation Prise de main Ã&nbsp; distance</P><P>access-list streaming extended permit ip any host Serveur-streaming</P><P>access-list Mediameet_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0</P><P>access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours</P><P>access-list WAN_FREE_access_in_1 extended permit tcp any host 192.168.4.253 eq 4899</P><P>access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours</P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>logging from-address ******</P><P>logging recipient-address ******</P><P>mtu WAN_FREE 1500</P><P>mtu LAN 1500</P><P>mtu WAN_Fibre 1500</P><P>mtu vlan_postes 1500</P><P>mtu vlan_winradio 1500</P><P>mtu management 1500</P><P>ip local pool RemoteConn 192.168.3.1-192.168.3.128 mask 255.255.255.0</P><P>failover</P><P> failover lan unit primary</P><P>failover lan interface STATEFUL Ethernet0/3</P><P>failover replication http</P><P>failover interface ip STATEFUL 10.0.0.1 255.255.255.252 standby 10.0.0.2</P><P>no monitor-interface management</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-641.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (WAN_FREE) 1 interface</P><P>global (WAN_Fibre) 1 interface</P><P>nat (LAN) 0 access-list LAN_nat0_outbound</P><P>nat (LAN) 0 access-list LAN_nat0_inbound outside</P><P>nat (LAN) 1 0.0.0.0 0.0.0.0</P><P>nat (vlan_postes) 1 192.168.31.0 255.255.255.0</P><P>nat (vlan_postes) 1 0.0.0.0 0.0.0.0</P><P>static (LAN,WAN_Fibre) tcp interface 4899 192.168.0.56 4899 netmask 255.255.255.255</P><P>static (vlan_postes,WAN_Fibre) 192.168.31.0 192.168.31.0 netmask 255.255.255.0</P><P>static (WAN_Fibre,vlan_postes) 192.168.2.0 192.168.2.0 netmask 255.255.255.0</P><P>access-group WAN_FREE_access_in_1 in interface WAN_FREE</P><P>access-group WAN_Access_In2 in interface WAN_Fibre</P><P>route WAN_Fibre 0.0.0.0 0.0.0.0 Routeur-Fullsave 64 track 1</P><P>route WAN_FREE 0.0.0.0 0.0.0.0 Freebox 62</P><P>timeout xlate 3:00:00</P><P> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 management</P><P>http 192.168.0.0 255.255.0.0 LAN</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sla monitor 1</P><P>type echo protocol ipIcmpEcho Routeur-Fullsave interface WAN_Fibre</P><P>sla monitor schedule 1 life forever start-time now</P><P>service resetoutside</P><P>crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac</P><P>crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac</P><P>crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac</P><P>crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac</P><P>crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac</P><P>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac</P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac</P><P>crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac</P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map WAN_dyn_map 20 set pfs group1</P><P>crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map WAN_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map WAN_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map WAN_dyn_map 40 set security-association lifetime seconds 28800</P><P>crypto dynamic-map WAN_dyn_map 40 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map WAN_dyn_map 60 set security-association lifetime seconds 28800</P><P>crypto dynamic-map WAN_dyn_map 60 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map FREE_dyn_map 20 match address LAN_nat0_inbound.20</P><P>crypto dynamic-map FREE_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map FREE_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map FREE_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map WAN_map_FREE 20 ipsec-isakmp dynamic FREE_dyn_map</P><P>crypto map WAN_map_FREE interface WAN_Fibre</P><P>!</P><P>crypto ca trustpoint ASDM_SSLMM</P><P> enrollment terminal</P><P> subject-name CN=CISCOASA</P><P>&nbsp; crl configure</P><P>crypto ca trustpoint localtrust_Free</P><P>&nbsp; [...]</P><P>crypto ca trustpoint localtrust_Fibre</P><P> [...]</P><P>!</P><P>crypto ca certificate chain localtrust_Free</P><P> [...]</P><P>&nbsp; quit</P><P>crypto ca certificate chain localtrust_Fibre</P><P> [...]</P><P>&nbsp; quit</P><P>crypto isakmp identity hostname</P><P>crypto isakmp enable WAN_Fibre</P><P>crypto isakmp enable management</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>!</P><P>track 1 rtr 1 reachability</P><P>client-update enable</P><P>no vpn-addr-assign aaa</P><P>no vpn-addr-assign dhcp</P><P>telnet 192.168.0.0 255.255.255.0 LAN</P><P>telnet 192.168.3.0 255.255.255.128 LAN</P><P>telnet timeout 10</P><P>ssh timeout 5</P><P>console timeout 0</P><P>management-access LAN</P><P>dhcpd address 192.168.1.2-192.168.1.254 management</P><P>!</P><P>dhcprelay server 192.168.0.1 LAN</P><P>dhcprelay enable vlan_postes</P><P>dhcprelay enable vlan_winradio</P><P>dhcprelay timeout 60</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200</P><P>ssl trust-point localtrust_Fibre WAN_Fibre</P><P>ssl trust-point localtrust_Free WAN_FREE</P><P>webvpn</P><P> [...]</P><P>group-policy DfltGrpPolicy attributes</P><P> [...]</P><P>group-policy Mediameet internal</P><P>group-policy Mediameet attributes</P><P>&nbsp; [...]</P><P>group-policy Mediameet_1 internal</P><P>group-policy Mediameet_1 attributes</P><P>&nbsp; [...]</P><P>group-policy MediaSSL internal</P><P>group-policy MediaSSL attributes</P><P>&nbsp; [...]</P><P>username ******* password ****** encrypted privilege 0</P><P>username ********* attributes</P><P> vpn-group-policy Mediameet</P><P> [...]</P><P>!</P><P>class-map WinRadio-class</P><P> description limitation bande Passante Ã&nbsp; 1Mbits/s</P><P> match any</P><P>class-map global-class</P><P> match default-inspection-traffic</P><P>class-map Streaming-class</P><P> match any</P><P>class-map SITES-DISTANTS</P><P> description exemple priorisation Prise de main Ã&nbsp; distance</P><P> match access-list global_mpc_1</P><P>class-map global-class1</P><P> description exemple priorisation Prise de main Ã&nbsp; distance</P><P> match port tcp range 3389 3390</P><P>class-map global-class2</P><P> description Préparation streaming 2mbps</P><P> match port tcp range 9252 9256</P><P>!</P><P>!</P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>&nbsp; message-length maximum client auto</P><P> policy-map global-policy</P><P> description default_inspection</P><P> class global-class1</P><P>&nbsp; priority</P><P> class global-class2</P><P>&nbsp; police input 2097000 1500</P><P>&nbsp; police output 2097000 1500</P><P> class SITES-DISTANTS</P><P>&nbsp; priority</P><P> class global-class</P><P>&nbsp; inspect dns migrated_dns_map_1</P><P>&nbsp; inspect esmtp</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect icmp</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect pptp</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect sunrpc</P><P>&nbsp;&nbsp; inspect tftp</P><P>&nbsp; inspect xdmcp</P><P>policy-map WinRadio-policy</P><P> class WinRadio-class</P><P>&nbsp; police input 1024000 1500</P><P>&nbsp; police output 1024000 1500</P><P>policy-map Streaming-policy</P><P> class Streaming-class</P><P>&nbsp; police input 1024000 1500</P><P>&nbsp; police output 3072000 1536</P><P>!</P><P>prompt hostname priority state</P><P>Cryptochecksum:*************</P><P>: end</P><P></P><P>I apologize for my english and thank you for your interest.</P> Mon, 11 Mar 2019 23:12:35 GMT https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966362#M435608 Mediadeshaies 2019-03-11T23:12:35Z ASA 5510 vlan cannot reach wan https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966363#M435609 <HTML><HEAD></HEAD><BODY><P>which particular vlan can't access the Internet?</P><P>you would need to have a NAT statement for those vlans so it gets PATed to the WAN_FREE interface IP Address (public IP) to be able to reach the internet.</P><P></P><P>So far, only the following interface will have access to the internet:</P><P>LAN and vlan_postes:</P><P></P><P>nat (LAN) 1 0.0.0.0 0.0.0.0</P><P>nat (vlan_postes) 1 192.168.31.0 255.255.255.0</P><P>nat (vlan_postes) 1 0.0.0.0 0.0.0.0</P></BODY></HTML> Mon, 28 May 2012 07:56:57 GMT https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966363#M435609 Jennifer Halim 2012-05-28T07:56:57Z ASA 5510 vlan cannot reach wan https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966364#M435610 <HTML><HEAD></HEAD><BODY><P>Hello Jennifer Halim,</P><P></P><P>Actually, only vlan_postes needs to access the internet. So i set the NAT but it doesn't work.</P><P></P><P>I don't understand very well what you mean by </P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P> so it gets PATed to the WAN_FREE interface IP Address (public IP) to be able to reach the internet.</P></PRE><P>Do i have to set something more than </P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">nat (LAN) 1 0.0.0.0 0.0.0.0</P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">nat (vlan_postes) 1 192.168.31.0 255.255.255.0</P><P style="background-color: #f7fafb; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">nat (vlan_postes) 1 0.0.0.0 0.0.0.0</P><P><BR />? </P><P>Or may my ACL be the problem ?</P></BODY></HTML> Mon, 28 May 2012 08:19:45 GMT https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966364#M435610 Mediadeshaies 2012-05-28T08:19:45Z ASA 5510 vlan cannot reach wan https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966365#M435611 <HTML><HEAD></HEAD><BODY><P>you have not applied the global-policy yet:</P><P><STRONG>service-policy global-policy global</STRONG></P><P></P><P>Then try to ping 4.2.2.2 and see if you get a reply.</P></BODY></HTML> Mon, 28 May 2012 09:29:25 GMT https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966365#M435611 Jennifer Halim 2012-05-28T09:29:25Z ASA 5510 vlan cannot reach wan https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966366#M435612 <HTML><HEAD></HEAD><BODY><P>Hello Jennifer Halim,</P><P></P><P>i tried to apply what you said, it displayed this message:</P><P><EM>ERROR: Class global-class1 has 'priority' set without 'priority-queue' in any interface</EM></P><P><EM><BR /></EM></P><P>So i tried this : </P><P></P><P><STRONG>CISCOASA/pri/act(config)# policy-map global-policy</STRONG></P><P><STRONG>CISCOASA/pri/act(config)# no class global-cass1</STRONG></P><P></P><P>And it displayed : </P><P><EM>ERROR: % class-map global-class1 is being used</EM></P><P></P><P>My knowledge about ASA and policy in general is really poor. So i'm a bit lost <SPAN __jive_emoticon_name="cool" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN></P><P></P><P>Do you have any idea?</P><P></P><P>Thank you</P></BODY></HTML> Mon, 28 May 2012 12:12:23 GMT https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966366#M435612 Mediadeshaies 2012-05-28T12:12:23Z ASA 5510 vlan cannot reach wan https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966367#M435613 <HTML><HEAD></HEAD><BODY><P>Just create a new policy and apply it as follows:</P><P></P><P> policy-map global_policy</P><P>class global-class</P><P>&nbsp; inspect dns migrated_dns_map_1</P><P>&nbsp; inspect esmtp</P><P>&nbsp; inspect ftp</P><P>&nbsp; inspect h323 h225</P><P>&nbsp; inspect h323 ras</P><P>&nbsp; inspect icmp</P><P>&nbsp; inspect netbios</P><P>&nbsp; inspect pptp</P><P>&nbsp; inspect rsh</P><P>&nbsp; inspect rtsp</P><P>&nbsp; inspect sip</P><P>&nbsp; inspect skinny</P><P>&nbsp; inspect sqlnet</P><P>&nbsp; inspect sunrpc</P><P>&nbsp;&nbsp; inspect tftp</P><P>&nbsp; inspect xdmcp</P><P> service-policy global_policy global</P></BODY></HTML> Mon, 28 May 2012 12:18:54 GMT https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966367#M435613 Jennifer Halim 2012-05-28T12:18:54Z Re: ASA 5510 vlan cannot reach wan https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966368#M435614 <HTML><HEAD></HEAD><BODY><P>Hello Jennifer Halim,</P><P></P><P>here the configuration after i tried your solution. New lines appeared but ping still not working (4.2.2.2 or 8.8.8.8).</P><P></P><P>Note : i removed the @IP from the physical interface ethernet 0/1 before to do the test</P><P></P><P>: Saved</P><P>: Written by enable_15 at 10:19:52.898 CEDT Tue May 29 2012</P><P>!</P><P>ASA Version 8.2(1) </P><P>!</P><P>hostname CISCOASA</P><P>domain-name MEDIAMEETING</P><P>enable password *********** encrypted</P><P>passwd *********** encrypted</P><P>names</P><P>name 192.168.0.2 mediaserv</P><P>name 192.168.2.200 Routeur-Fullsave description Routeur Fullsave</P><P>name 91.197.164.8 Serveur-streaming description Serveur de streaming distant</P><P>name 193.252.220.135 FM47</P><P>name 79.174.207.220 SNCF</P><P>name 80.13.227.86 TLSEFM</P><P>name 79.174.204.201 ALTITUDE</P><P>name 212.234.48.67 BDX</P><P>name 192.168.4.254 Freebox description Freebox</P><P>dns-guard</P><P>!</P><P>interface Ethernet0/0</P><P> description Ex liaison Altitude Telecom</P><P> nameif WAN_FREE</P><P> security-level 10</P><P> ip address 192.168.4.253 255.255.255.0 standby 192.168.4.250 </P><P>!</P><P>interface Ethernet0/1</P><P> description connexion vers le LAN via switch cisco</P><P> nameif LAN</P><P> security-level 100</P><P> no ip address </P><P>!</P><P>interface Ethernet0/1.31</P><P> vlan 31</P><P> nameif vlan_postes</P><P> security-level 100</P><P> ip address 192.168.31.254 255.255.255.0 </P><P>!</P><P>interface Ethernet0/1.200</P><P> vlan 200</P><P> nameif vlan_winradio</P><P> security-level 100</P><P> ip address 192.168.200.250 255.255.255.0 </P><P>!</P><P>interface Ethernet0/2</P><P> description Connexion Free et fibre</P><P> speed 100</P><P> duplex full</P><P> nameif WAN_Fibre</P><P> security-level 10</P><P> ip address 192.168.2.253 255.255.255.0 standby 192.168.2.250 </P><P>!</P><P>interface Ethernet0/3</P><P> description LAN Failover Interface</P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 192.168.1.1 255.255.255.0 </P><P> management-only</P><P>!</P><P><SPAN>boot system t</SPAN><A class="jive-link-external-small" href="ftp://192.168.0.2/modifpass" rel="nofollow">ftp://192.168.0.2/modifpass</A></P><P>boot system disk0:/asa821-k8.bin</P><P>ftp mode passive</P><P>clock timezone CEST 1</P><P>clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00</P><P>dns server-group DefaultDNS</P><P> domain-name MEDIAMEETING</P><P>same-security-traffic permit inter-interface</P><P>same-security-traffic permit intra-interface</P><P>object-group network Acces-distant</P><P> network-object host FM47</P><P> network-object host SNCF</P><P> network-object host TLSEFM</P><P> network-object host BDX</P><P>object-group network MM-Acces-distant</P><P> network-object 192.168.0.0 255.255.255.0</P><P>object-group service RAdmin tcp</P><P> description Port RAdmin</P><P> port-object eq 4899</P><P>access-list LAN_pnat_outbound extended permit ip host 192.168.0.56 171.16.135.216 255.255.255.248 </P><P>access-list WAN_FIBRE_access_in remark AccÂ&#143;s RAdmin depuis WAN - Principal</P><P>access-list WAN_FIBRE_access_in remark AccÂ&#143;s RAdmin depuis WAN - Principal</P><P>access-list LAN_nat0_outbound extended permit ip 192.168.97.80 255.255.255.248 171.16.135.216 255.255.255.248 </P><P>access-list LAN_nat0_outbound extended permit ip any 192.168.0.128 255.255.255.128 </P><P>access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.128 255.255.255.128 </P><P>access-list LAN_nat0_outbound extended permit ip host 192.168.0.187 192.168.248.0 255.255.255.0 inactive </P><P>access-list LAN_nat0_outbound extended permit ip host 192.168.0.56 192.168.248.0 255.255.255.0 inactive </P><P>access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.128 </P><P>access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 </P><P>access-list WAN_FREE_access_in remark AccÂ&#143;s RAdmin depuis WAN - Secours</P><P>access-list WAN_FREE_access_in remark AccÂ&#143;s RAdmin depuis WAN - Secours</P><P>access-list LAN_nat0_inbound extended permit ip any 192.168.0.128 255.255.255.128 </P><P>access-list Mediameet_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0 </P><P>access-list Mediameet_splitTunnelAcl standard permit 192.168.31.0 255.255.255.0 </P><P>access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3389 inactive </P><P>access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3390 inactive </P><P>access-list WAN_Access_In2 remark Acces RAdmin Principal</P><P>access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 4899 </P><P>access-list WAN_Access_In2 remark Acces RAdmin Principal</P><P>access-list LAN_nat0_inbound.20 extended permit ip any 192.168.3.0 255.255.255.128 </P><P>access-list global_mpc_1 remark exemple priorisation Prise de main Ã&nbsp; distance</P><P>access-list global_mpc_1 extended permit ip object-group MM-Acces-distant object-group Acces-distant </P><P>access-list global_mpc_1 remark exemple priorisation Prise de main Ã&nbsp; distance</P><P>access-list streaming extended permit ip any host Serveur-streaming </P><P>access-list Mediameet_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0 </P><P>access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours</P><P>access-list WAN_FREE_access_in_1 extended permit tcp any host 192.168.4.253 eq 4899 </P><P>access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours</P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>logging from-address *****************</P><P>logging recipient-address **************level emergencies</P><P>mtu WAN_FREE 1500</P><P>mtu LAN 1500</P><P>mtu vlan_postes 1500</P><P>mtu vlan_winradio 1500</P><P>mtu WAN_Fibre 1500</P><P>mtu management 1500</P><P>ip local pool RemoteConn 192.168.3.1-192.168.3.128 mask 255.255.255.0</P><P>failover</P><P>failover lan unit primary</P><P>failover lan interface STATEFUL Ethernet0/3</P><P>failover replication http</P><P>failover interface ip STATEFUL 10.0.0.1 255.255.255.252 standby 10.0.0.2</P><P>no monitor-interface management</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-641.bin</P><P>asdm location ALTITUDE 255.255.255.255 LAN</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (WAN_FREE) 1 interface</P><P>global (WAN_Fibre) 1 interface</P><P>nat (LAN) 0 access-list LAN_nat0_outbound</P><P>nat (LAN) 0 access-list LAN_nat0_inbound outside</P><P>nat (LAN) 1 0.0.0.0 0.0.0.0</P><P>nat (vlan_postes) 1 192.168.31.0 255.255.255.0</P><P>nat (vlan_postes) 1 0.0.0.0 0.0.0.0</P><P>static (LAN,WAN_Fibre) tcp interface 4899 192.168.0.56 4899 netmask 255.255.255.255 </P><P>static (vlan_postes,WAN_Fibre) 192.168.31.0 192.168.31.0 netmask 255.255.255.0 </P><P>static (WAN_Fibre,vlan_postes) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 </P><P>access-group WAN_FREE_access_in_1 in interface WAN_FREE</P><P>access-group WAN_Access_In2 in interface WAN_Fibre</P><P>route WAN_Fibre 0.0.0.0 0.0.0.0 Routeur-Fullsave 64 track 1</P><P>route WAN_FREE 0.0.0.0 0.0.0.0 Freebox 128</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>http server enable</P><P>http 192.168.1.0 255.255.255.0 management</P><P>http 192.168.0.0 255.255.0.0 LAN</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>sla monitor 1</P><P> type echo protocol ipIcmpEcho Routeur-Fullsave interface WAN_Fibre</P><P>sla monitor schedule 1 life forever start-time now</P><P>service resetoutside</P><P>crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map WAN_dyn_map 20 set pfs group1</P><P>crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map WAN_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map WAN_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map WAN_dyn_map 40 set security-association lifetime seconds 28800</P><P>crypto dynamic-map WAN_dyn_map 40 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map WAN_dyn_map 60 set security-association lifetime seconds 28800</P><P>crypto dynamic-map WAN_dyn_map 60 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map FREE_dyn_map 20 match address LAN_nat0_inbound.20</P><P>crypto dynamic-map FREE_dyn_map 20 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map FREE_dyn_map 20 set security-association lifetime seconds 28800</P><P>crypto dynamic-map FREE_dyn_map 20 set security-association lifetime kilobytes 4608000</P><P>crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map WAN_map_FREE 20 ipsec-isakmp dynamic FREE_dyn_map</P><P>crypto map WAN_map_FREE interface WAN_Fibre</P><P>crypto ca trustpoint ASDM_SSLMM</P><P> enrollment terminal</P><P> subject-name CN=CISCOASA</P><P> crl configure</P><P>crypto ca trustpoint localtrust_Free</P><P> enrollment self</P><P> fqdn ************</P><P> email ****************</P><P> subject-name CN=ssl.666.mediameeting.net</P><P> ip-address ******************</P><P> keypair ****************</P><P> crl configure</P><P>crypto ca trustpoint localtrust_Fibre</P><P> enrollment self</P><P> fqdn *******************</P><P> email ******************</P><P> subject-name CN=**************</P><P> ip-address ***************</P><P> keypair **************</P><P> crl configure</P><P>crypto ca certificate chain localtrust_Free</P><P> certificate cbdcbd4f</P><P>&nbsp;&nbsp;&nbsp; 30820247 308201b0 a0030201 020204cb dcbd4f30 0d06092a 864886f7 0d010104 </P><P>*******</P><P>&nbsp; quit</P><P>crypto ca certificate chain localtrust_Fibre</P><P> certificate b5debd4f</P><P>&nbsp;&nbsp;&nbsp; 3082023f 308201a8 a0030201 020204b5 debd4f30 0d06092a 864886f7 0d010104 </P><P>******</P><P>&nbsp; quit</P><P>crypto isakmp identity hostname </P><P>crypto isakmp enable WAN_Fibre</P><P>crypto isakmp enable management</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>!</P><P>track 1 rtr 1 reachability</P><P>client-update enable</P><P>no vpn-addr-assign aaa</P><P>no vpn-addr-assign dhcp</P><P>telnet 192.168.0.0 255.255.255.0 LAN</P><P>telnet 192.168.3.0 255.255.255.128 LAN</P><P>telnet timeout 10</P><P>ssh timeout 5</P><P>console timeout 0</P><P>management-access LAN</P><P>dhcpd address 192.168.1.2-192.168.1.254 management</P><P>!</P><P>dhcprelay server 192.168.0.1 LAN</P><P>dhcprelay enable vlan_postes</P><P>dhcprelay enable vlan_winradio</P><P>dhcprelay timeout 60</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200</P><P>ssl trust-point localtrust_Free WAN_FREE</P><P>ssl trust-point localtrust_Fibre WAN_Fibre</P><P>webvpn</P><P> enable WAN_FREE</P><P> enable WAN_Fibre</P><P> svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1</P><P> svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2 regex "Intel Mac OS X"</P><P> svc image disk0:/anyconnect-linux-2.5.3055-k9.pkg 3 regex "Linux"</P><P> svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 4</P><P> svc profiles DefaultProfile disk0:/defaultprofile.xml</P><P> svc enable</P><P> tunnel-group-list enable</P><P>group-policy DfltGrpPolicy attributes</P><P> dns-server value 192.168.0.1 8.8.8.8</P><P>group-policy Mediameet internal</P><P>group-policy Mediameet attributes</P><P> dns-server value 192.168.0.2 192.168.0.1</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value Mediameet_splitTunnelAcl</P><P> default-domain value MEDIAMEETING</P><P>group-policy Mediameet_1 internal</P><P>group-policy Mediameet_1 attributes</P><P> wins-server none</P><P> dns-server value 192.168.0.1 8.8.8.8</P><P> vpn-tunnel-protocol IPSec </P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value Mediameet_splitTunnelAcl_1</P><P> default-domain value MEDIAMEETING</P><P>group-policy MediaSSL internal</P><P>group-policy MediaSSL attributes</P><P> dns-server value 192.168.0.1 8.8.8.8</P><P> vpn-tunnel-protocol svc webvpn</P><P> split-tunnel-policy tunnelspecified</P><P> split-tunnel-network-list value Mediameet_splitTunnelAcl</P><P> default-domain value MEDIAMEETING.local</P><P> msie-proxy method no-modify</P><P> vlan none</P><P> address-pools value RemoteConn</P><P> webvpn</P><P>&nbsp; url-list none</P><P>&nbsp; svc keep-installer installed</P><P>&nbsp; svc modules value dart,vpngina</P><P>&nbsp; svc ask enable default webvpn timeout 30</P><P>username j.deshaies password LO5lB1rnyhGb/fvs encrypted privilege 0</P><P>username j.deshaies attributes</P><P> vpn-group-policy Mediameet</P><P>username jl.simonet password AGYq7x1Zyk3V2dQJ encrypted privilege 0</P><P>username jl.simonet attributes</P><P> vpn-group-policy Mediameet</P><P>username b.niberon password GK4IufRVHvPpPLoX encrypted privilege 0</P><P>username b.niberon attributes</P><P> vpn-group-policy Mediameet</P><P>username s.ternoir password mYWJMd1aRkM.1tjc encrypted privilege 0</P><P>username s.ternoir attributes</P><P> vpn-group-policy Mediameet</P><P>username c.casse password MdCJ1tgbh5jQIiXJ encrypted privilege 15</P><P>username c.casse attributes</P><P> service-type admin</P><P> webvpn</P><P>&nbsp; svc profiles value DefaultProfile</P><P>username a.hugounenq password ItUfDhv1D9cwmFvZ encrypted privilege 15</P><P>tunnel-group ********* type ipsec-l2l</P><P>tunnel-group ************* ipsec-attributes</P><P> pre-shared-key *</P><P>tunnel-group Mediameet type remote-access</P><P>tunnel-group Mediameet general-attributes</P><P> address-pool RemoteConn</P><P> default-group-policy Mediameet_1</P><P>tunnel-group Mediameet ipsec-attributes</P><P> pre-shared-key Amandine0804</P><P>tunnel-group ******** type ipsec-l2l</P><P>tunnel-group ********** ipsec-attributes</P><P> pre-shared-key MeD1A!!M2ET1ng</P><P>tunnel-group SSL_MM type remote-access</P><P>tunnel-group SSL_MM general-attributes</P><P> address-pool RemoteConn</P><P> authentication-server-group (LAN) LOCAL</P><P> default-group-policy MediaSSL</P><P>tunnel-group SSL_MM webvpn-attributes</P><P> group-alias PostesDistants enable</P><P>tunnel-group-map default-group Mediameet</P><P>!</P><P>class-map WinRadio-class</P><P> description limitation bande Passante Ã&nbsp; 1Mbits/s</P><P> match any</P><P>class-map global-class</P><P> match default-inspection-traffic</P><P>class-map Streaming-class</P><P> match any</P><P>class-map SITES-DISTANTS</P><P> description exemple priorisation Prise de main Ã&nbsp; distance</P><P> match access-list global_mpc_1</P><P>class-map global-class1</P><P> description exemple priorisation Prise de main Ã&nbsp; distance</P><P> match port tcp range 3389 3390</P><P>class-map global-class2</P><P> description Préparation streaming 2mbps</P><P> match port tcp range 9252 9256</P><P>!</P><P>!</P><P>policy-map type inspect dns migrated_dns_map_1</P><P> parameters</P><P>&nbsp; message-length maximum 512</P><P>&nbsp; message-length maximum client auto</P><P>policy-map global_policy</P><P> class global-class</P><P>&nbsp; inspect dns migrated_dns_map_1 </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect icmp </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect pptp </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect xdmcp </P><P>policy-map global-policy</P><P> description default_inspection</P><P> class global-class1</P><P>&nbsp; priority</P><P> class global-class2</P><P>&nbsp; police input 2097000 1500</P><P>&nbsp; police output 2097000 1500</P><P> class SITES-DISTANTS</P><P>&nbsp; priority</P><P> class global-class</P><P>&nbsp; inspect dns migrated_dns_map_1 </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect icmp </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect pptp </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect xdmcp </P><P>policy-map WinRadio-policy</P><P> class WinRadio-class</P><P>&nbsp; police input 1024000 1500</P><P>&nbsp; police output 1024000 1500</P><P>policy-map Streaming-policy</P><P> class Streaming-class</P><P>&nbsp; police input 1024000 1500</P><P>&nbsp; police output 3072000 1536</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname priority state </P><P>Cryptochecksum:dd605e032202ff6791c19afc056b3757</P><P>: end</P><P></P><P>My host ipconfig (the one which execute ping) :</P><P></P><P>@IP: 192.168.31.2</P><P>Defaut gateway : 192.168.31.254</P><P>DHCP : 192.168.0.1</P><P>DNS : 192.168.0.1</P><P>secondary DNS : 8.8.8.8</P><P></P><P>Thank you for your attention.</P></BODY></HTML> Tue, 29 May 2012 09:13:49 GMT https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966368#M435614 Mediadeshaies 2012-05-29T09:13:49Z Re: ASA 5510 vlan cannot reach wan https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966369#M435615 <HTML><HEAD></HEAD><BODY><P>The reason why you can't ping is because you have the following configured:</P><P>static (vlan_postes,WAN_Fibre) 192.168.31.0 192.168.31.0 netmask 255.255.255.0 </P><P>static (WAN_Fibre,vlan_postes) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 </P><P></P><P>I believe that you need that for your VPN, so please configure Nonat instead:</P><P>access-list vlan_postes_nonat permit ip 192.168.31.0 255.255.255.0 192.168.3.0 255.255.255.0</P><P>nat (vlan_postes) 0 access-list vlan_postes_nonat</P><P></P><P>And remove the above static NAT statements. </P><P></P><P>Then "clear xlate". Ping should work after the above changes.</P></BODY></HTML> Tue, 29 May 2012 11:34:49 GMT https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966369#M435615 Jennifer Halim 2012-05-29T11:34:49Z ASA 5510 vlan cannot reach wan https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966370#M435616 <HTML><HEAD></HEAD><BODY><P>Hello Jennifer Halim,</P><P></P><P>it works! Thank you very much for your help <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN> </P><P></P><P>Have a good day</P></BODY></HTML> Tue, 29 May 2012 12:14:44 GMT https://community.cisco.com/t5/network-security/asa-5510-vlan-cannot-reach-wan/m-p/1966370#M435616 Mediadeshaies 2012-05-29T12:14:44Z