Cannot Access External Network after upgrading to 9.2

jljones — Fri, 21 Feb 2020 15:36:58 GMT

After Upgrading from one ASA 5505 to another with a newer build I can no longer connect to the internet. Anyone have any suggestions? Below is attached config:

: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
!
ASA Version 9.2(4)
!
hostname ASA-5505
domain-name ats.local
names
name 192.168.200.0 ATS-VOICE-NET description ATS Internal Voice Network
name 10.1.10.0 ATS-Voice-SE description ATS Voice Service Module
name 192.168.1.0 ATS-Net description ATS Internal Data Network
name 172.30.29.0 ATS-VPN-Clients description ATS VPN Clients
name 71.240.169.171 ATS-PDC-NAT description NAT outside IP address for ATS-PDC
name 192.168.1.22 ATS-PDC description ATS PDC Server
name 71.240.169.172 VMS-Outside
name 192.168.100.20 VMS-SERVER
ip local pool ATS-VPN-Pool 172.30.29.2-172.30.29.14 mask 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
switchport access vlan 3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description DMZ network
nameif inside
security-level 100
ip address 172.23.10.1 255.255.255.0
ospf cost 10
!
interface Vlan2
description Outside interface to Verizon FIOS
nameif outside
security-level 0
ip address 71.240.169.170 255.255.255.248
ospf cost 10
!
interface Vlan3
description Fail-Over Network
nameif failover
security-level 0
ip address 10.10.10.2 255.255.255.0
ospf cost 10
!
interface Vlan12
description Video Camera Network
no nameif
security-level 100
no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name ats.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-71.240.169.170
host 71.240.169.170
object network obj-10.1.10.1-OUT
host 10.1.10.1
object network obj-71.240.169.172
host 71.240.169.172
object network ATS-PDC-NAT
host 71.240.169.171
object network obj-172.30.29.0
object network ATS-Net
subnet 192.168.1.0 255.255.255.0
description ATS Internal Data Network
object network ATS-PDC
host 192.168.1.22
description ATS PDC Server
object network ATS-VOICE-NET
subnet 192.168.200.0 255.255.255.0
description ATS Internal Voice Network
object network ATS-Voice-SE
subnet 10.1.10.0 255.255.255.0
description ATS Voice Service Module
object network ATS-VPN-Clients
subnet 172.30.29.0 255.255.255.240
description ATS VPN Clients
object network VMS-Outside
host 71.240.169.172
object network VMS-SERVER
host 192.168.100.20
description 255.2555.255.255
object network 192.168.0.0
subnet 192.168.0.0 255.255.0.0
object network 192.168.0.0-24
subnet 192.168.0.0 255.255.255.0
object network 192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network 172.23.10.2
host 172.23.10.2
object network 172.23.10.20
host 172.23.10.20
object service ssh-PAT
service tcp source eq ssh destination eq 333
object service SSH
service tcp source eq ssh destination eq 333
object service ssh-service
service tcp destination eq ssh
object service http
service tcp destination eq www
object service https
service tcp destination eq https
object service 22609-Service
service tcp destination eq 22609
object service ssh-23
service tcp destination eq telnet
object network OBJ_GENERIC_ALL
subnet 0.0.0.0 0.0.0.0
object network INSIDE-NET
subnet 172.23.10.0 255.255.255.0
object-group network ATS-Networks
description ATS Internal Networks
network-object object ATS-Net
network-object object ATS-VOICE-NET
network-object object ATS-Voice-SE
object-group service DM_INLINE_SERVICE_1
service-object icmp echo
service-object tcp destination eq ftp
service-object tcp destination eq ssh
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in remark Allow FTP, SSH, and ICMP Echo protocols to PDC server
access-list outside_access_in extended permit tcp 69.15.59.192 255.255.255.240 interface outside eq 333
access-list outside_access_in extended permit tcp 69.15.59.192 255.255.255.240 interface outside eq www
access-list outside_access_in remark Video
access-list outside_access_in extended permit icmp any interface outside echo-reply
access-list outside_access_in extended permit ip any object VMS-Outside
access-list outside_access_in extended permit tcp any object VMS-Outside eq 22069
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 71.240.169.171
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit object ssh-service any any
access-list outside_access_in extended permit object ssh-PAT any any
access-list outside_access_in remark Allow FTP, SSH, and ICMP Echo protocols to PDC server
access-list outside_access_in remark Video
access-list outside_access_in remark Allow FTP, SSH, and ICMP Echo protocols to PDC server
access-list outside_access_in remark Video
access-list outside_access_in remark Video
access-list ATS_VPN_splitTunnelAcl remark ATS Internal Data Network
access-list ATS_VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list ATS_VPN_splitTunnelAcl standard permit 172.23.10.0 255.255.255.0
access-list ATS_VPN_splitTunnelAcl remark ATS Internal Voice Network
access-list ATS_VPN_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list ATS_VPN_splitTunnelAcl remark ATS Voice Service Module
access-list ATS_VPN_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0
access-list ATS_VPN_splitTunnelAcl remark ATS Internal Data Network
access-list ATS_VPN_splitTunnelAcl remark ATS Internal Voice Network
access-list ATS_VPN_splitTunnelAcl remark ATS Voice Service Module
access-list ATS_VPN_splitTunnelAcl remark ATS Internal Data Network
access-list ATS_VPN_splitTunnelAcl remark ATS Internal Voice Network
access-list ATS_VPN_splitTunnelAcl remark ATS Voice Service Module
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list inside_nat0_outbound extended permit ip 172.23.10.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.23.10.0 255.255.255.0 192.168.241.0 255.255.255.0
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list inside_nat0_outbound extended permit ip 172.23.10.0 255.255.255.0 object ATS-VPN-Clients
access-list inside_nat0_outbound extended permit ip object ATS-Net 192.168.240.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object ATS-VOICE-NET 192.168.240.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object ATS-Voice-SE 192.168.240.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object ATS-Net 192.168.241.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object ATS-VOICE-NET 192.168.241.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object ATS-Voice-SE 192.168.241.0 255.255.255.0
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list inside_nat0_outbound extended permit ip object-group ATS-Networks object ATS-VPN-Clients
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list inside_nat0_outbound remark NAT for ATS Internal Networks
access-list VMS_access_in extended permit ip 71.240.169.0 255.255.255.0 any
access-list cap extended permit tcp any host 68.37.198.17
access-list cap extended permit tcp host 68.37.198.17 any
access-list cap extended permit icmp any host 68.37.198.17
access-list cap extended permit icmp host 68.37.198.17 any
access-list split_tunnel extended permit ip 172.23.10.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list split_tunnel extended permit ip 192.168.241.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list split_tunnel extended permit ip object ATS-Net 192.168.240.0 255.255.255.0
access-list split_tunnel extended permit ip object ATS-VOICE-NET 192.168.240.0 255.255.255.0
access-list split_tunnel extended permit ip object ATS-Voice-SE 192.168.240.0 255.255.255.0
access-list split_tunnel_1 extended permit ip 172.23.10.0 255.255.255.0 192.168.241.0 255.255.255.0
access-list split_tunnel_1 extended permit ip 192.168.240.0 255.255.255.0 192.168.241.0 255.255.255.0
access-list split_tunnel_1 extended permit ip object ATS-Net 192.168.241.0 255.255.255.0
access-list split_tunnel_1 extended permit ip object ATS-VOICE-NET 192.168.241.0 255.255.255.0
access-list split_tunnel_1 extended permit ip object ATS-Voice-SE 192.168.241.0 255.255.255.0
access-list outside_cryptomap_10.10 extended permit ip any4 any4
access-list outside_cryptomap_65535 extended permit ip any4 any4
no pager
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm warnings
logging host inside 172.23.10.100
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302016
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1500
mtu failover 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit ATS-Net 255.255.255.0 inside
icmp permit 172.23.10.0 255.255.255.0 inside
icmp permit ATS-VPN-Clients 255.255.255.240 inside
icmp permit ATS-VOICE-NET 255.255.255.0 inside
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any outside
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static 172.23.10.2 interface service ssh-service ssh-PAT
nat (inside,outside) source static 172.23.10.20 VMS-Outside service 22609-Service 22609-Service
nat (inside,outside) source static obj-10.1.10.1-OUT obj-10.1.10.1-OUT service http http no-proxy-arp
nat (inside,outside) source static obj-10.1.10.1-OUT obj-10.1.10.1-OUT service https https no-proxy-arp
nat (inside,outside) source static 172.23.10.20 172.23.10.20 service http http no-proxy-arp
nat (inside,outside) source static 172.23.10.20 172.23.10.20 service https https no-proxy-arp
nat (inside,outside) source static ATS-PDC ATS-PDC-NAT
nat (inside,any) source static any any service SSH SSH
nat (any,any) source static any any service ssh-23 ssh-23
nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
!
object network obj_any
nat (inside,outside) dynamic interface
object network INSIDE-NET
nat (inside,outside) dynamic interface
access-group outside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.240.169.1 1
route outside 0.0.0.0 0.0.0.0 ATS-PDC-NAT 1
route inside ATS-Voice-SE 255.255.255.0 172.23.10.2 1
route inside ATS-Net 255.255.255.0 172.23.10.2 1
route inside ATS-VOICE-NET 255.255.255.0 172.23.10.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http ATS-Net 255.255.255.0 inside
http 172.23.10.0 255.255.255.0 inside
http 74.7.110.168 255.255.255.248 outside
http 66.180.118.88 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set vpn_set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set vpn_set
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 match address outside_cryptomap_10.10
crypto dynamic-map dynmap 10 set ikev1 transform-set vpn_set
crypto dynamic-map dynmap 10 set security-association lifetime seconds 2147483647
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 2147483647
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 65535 match address outside_cryptomap_65535
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 15
ssh scopy enable
no ssh stricthostkeycheck
ssh 172.23.10.0 255.255.255.0 inside
ssh ATS-Net 255.255.255.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 172.23.10.5-172.23.10.129 inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.113.32.5
ntp server 18.26.4.105
ssl encryption rc4-sha1 aes128-sha1 3des-sha1
webvpn
anyconnect-essentials
group-policy ATS_VPN_1 internal
group-policy ATS_VPN_1 attributes
dns-server value 192.168.1.20 208.180.42.100
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_1
nem enable
group-policy ATS_VPN internal
group-policy ATS_VPN attributes
dns-server value 192.168.1.20 208.180.42.100
vpn-tunnel-protocol ikev1 ikev2
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
tunnel-group ATS_VPN type remote-access
tunnel-group ATS_VPN general-attributes
address-pool ATS-VPN-Pool
default-group-policy ATS_VPN
tunnel-group ATS_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group ATS_VPN_1 type remote-access
tunnel-group ATS_VPN_1 general-attributes
address-pool ATS-VPN-Pool
default-group-policy ATS_VPN_1
tunnel-group ATS_VPN_1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

Re: Cannot Access External Network after upgrading to 9.2

Seb Rupik — Tue, 10 Apr 2018 07:40:25 GMT

Hi there,

What is the output of:

packet-tracer intput inside tcp 172.23.10.2 45000 8.8.8.8 80

Also are both of your default route next-hops reachable from the ASA:

71.240.169.1

71.240.169.171

cheers,

Seb.

Re: Cannot Access External Network after upgrading to 9.2

jljones — Tue, 10 Apr 2018 20:05:10 GMT

nothing is reachable on the outside interface including next hop. Nothing for tracert.

Re: Cannot Access External Network after upgrading to 9.2

Seb Rupik — Wed, 11 Apr 2018 08:45:35 GMT

Sounds like you may have an issue between your ASA and your gateway devices.

Do you have a switch positioned between the ASA and the two routers?

What is the output of sh arp on the ASA?

Re: Cannot Access External Network after upgrading to 9.2

joshualochjones — Fri, 13 Apr 2018 01:24:57 GMT

Hi, thanks, here are the details and items to be considered. From the config above the outside interface subnet is 255.255.255.0. There is a hub connected to the external ISP and connected to it are the ASA5505 and a laptop. The laptop has no issue with internet access using an IP of .173.

When I run a SH ARP command from the ASA I get:

ASA-5505(config)# SH ARP
outside 71.240.169.173 0026.b916.e134 11
outside 71.240.169.1 f4b5.2f04.b0c3 76

When I run an ARP /A command from the laptop i get:

D:\Users\steve>ARP /A

Interface: 71.240.169.173 --- 0xa
Internet Address      Physical Address      Type
71.240.169.1          f4-b5-2f-04-b0-c3     dynamic
71.240.169.170        6c-41-6a-7f-dc-aa     dynamic
71.240.169.255        ff-ff-ff-ff-ff-ff     static
224.0.0.22            01-00-5e-00-00-16     static
224.0.0.251           01-00-5e-00-00-fb     static
224.0.0.252           01-00-5e-00-00-fc     static
239.255.255.250       01-00-5e-7f-ff-fa     static
255.255.255.255       ff-ff-ff-ff-ff-ff     static

Again, both are connected to the same hub that is also connected to ISP, laptop has no issues getting outside.

best,

Josh

Re: Cannot Access External Network after upgrading to 9.2

Seb Rupik — Fri, 13 Apr 2018 07:43:40 GMT

Hi Josh,

I think you should remove the second equal cost default route:

!
no route outside 0.0.0.0 0.0.0.0 ATS-PDC-NAT 1
!

ATS-PDC-NAT is an IP used by one of your static NAT statements to translate outside traffic to ATS-PDC (192.168.1.22), which incidentally you do not have a specific route for. Did you clear the config on this ASA before applying this new build??

Once you remove the static route, please can you post the output of:

packet-tracer intput inside tcp 172.23.10.2 45000 8.8.8.8 80

cheers,

Seb.

topic Re: Cannot Access External Network after upgrading to 9.2 in Network Security

Cannot Access External Network after upgrading to 9.2

Re: Cannot Access External Network after upgrading to 9.2

Re: Cannot Access External Network after upgrading to 9.2

Re: Cannot Access External Network after upgrading to 9.2

Re: Cannot Access External Network after upgrading to 9.2

Re: Cannot Access External Network after upgrading to 9.2