ASA 5505 9.2 No Internet Access

Bighead81
Level 1

Working with an ASA 5505 that is not allowing me to connect to the internet.

I am able to ping the desktop PC on the inside interface, but from the firewall I am not able to ping out to 8.8.8.8.

I've troubleshot with the outside interface IP, DHCP setroute, and ICMP session.

Any help to correct this would be appreciated.

 

[Internet - virgin modem mode sh2 - Firewall - Switch - PC]

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

names
!
interface Ethernet0/0
 description -OUTSIDE CONNECTION TO ISP-
 switchport access vlan 2
 switchport mode access
 no switchport protected
 speed auto
 duplex auto
 delay 10
!
interface Ethernet0/1
 switchport access vlan 200
 switchport protected
 shutdown
!
interface Ethernet0/2
 switchport access vlan 200
 shutdown
!
interface Ethernet0/3
 switchport access vlan 200
 shutdown
!
interface Ethernet0/4
 switchport access vlan 200
 shutdown
!
interface Ethernet0/5
 switchport access vlan 200
 shutdown
!
interface Ethernet0/6
 switchport access vlan 200
 shutdown
!
interface Ethernet0/7
 description -INSIDE CONNNECTION TO SWITCH-
 switchport access vlan 1
 switchport mode access
 no switchport protected
 speed auto
 duplex auto
 delay 10
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!

boot system disk0:/asa923-k8.bin

ftp mode passive

object network obj_any
 subnet 0.0.0.0 0.0.0.0

access-list outside_in extended permit icmp any any echo
access-list outside_in extended deny ip any any log

access-list inside_in extended permit ip any any
access-list inside_in extended deny ip any any log

pager lines 24
logging enable
logging monitor warnings
logging asdm informational

mtu inside 1500
mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 240

no arp permit-nonconnected

nat (inside,outside) source dynamic obj_any interface

access-group inside_in in interface inside
access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 74.XX.XX.239   1   <ip outside interface>

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.33 inside
!
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username larias password I8668T9sKGdWDfCW encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2c757df828bc16b3dd0d4d74e28a6917
: end

 

 

DEBUG - Ping 8.8.8.8 from FW

 

6|Feb 08 2015 03:03:46|305011: Built dynamic UDP translation from inside:192.168.0.2/50432 to outside:74.XX.XX.239 /50432
6|Feb 08 2015 03:03:46|302015: Built outbound UDP connection 126 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/50432 (74.XX.XX.239 /50432)
6|Feb 08 2015 03:04:00|305012: Teardown dynamic UDP translation from inside:192.168.0.2/57818 to outside:74.XX.XX.239 /57818 duration 0:02:39
6|Feb 08 2015 03:04:23|302016: Teardown UDP connection 124 for outside:8.8.8.8/53 to inside:192.168.0.2/52833 duration 0:02:08 bytes 215
6|Feb 08 2015 03:04:36|305011: Built dynamic UDP translation from inside:192.168.0.2/50290 to outside:74.XX.XX.239 /50290
6|Feb 08 2015 03:04:36|302015: Built outbound UDP connection 127 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/50290 (74.XX.XX.239 /50290)
6|Feb 08 2015 03:04:39|305011: Built dynamic UDP translation from inside:192.168.0.2/51985 to outside:74.XX.XX.239 /51985
6|Feb 08 2015 03:04:39|302015: Built outbound UDP connection 128 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/51985 (74.XX.XX.239 /51985)
6|Feb 08 2015 03:04:53|302010: 4 in use, 19 most used
6|Feb 08 2015 03:04:54|305012: Teardown dynamic UDP translation from inside:192.168.0.2/52833 to outside:74.XX.XX.239 /52833 duration 0:02:39
6|Feb 08 2015 03:05:10|302016: Teardown UDP connection 125 for outside:8.8.8.8/53 to inside:192.168.0.2/50272 duration 0:02:08 bytes 215
6|Feb 08 2015 03:05:33|305011: Built dynamic UDP translation from inside:192.168.0.2/49447 to outside:74.XX.XX.239 /49447
6|Feb 08 2015 03:05:33|302015: Built outbound UDP connection 129 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/49447 (74.XX.XX.239 /49447)
6|Feb 08 2015 03:05:41|305012: Teardown dynamic UDP translation from inside:192.168.0.2/50272 to outside:74.XX.XX.239 /50272 duration 0:02:39
6|Feb 08 2015 03:05:54|302016: Teardown UDP connection 126 for outside:8.8.8.8/53 to inside:192.168.0.2/50432 duration 0:02:08 bytes 215
6|Feb 08 2015 03:06:25|305012: Teardown dynamic UDP translation from inside:192.168.0.2/50432 to outside:74.XX.XX.239 /50432 duration 0:02:39
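As an added example (not part of the original post, and not Cisco code), here is a small Python parser for the syslog lines above. It pairs the 305011/305012 translation build and teardown messages by real address and port, tracks the 302015/302016 connection messages by connection id, and records which outside address the ASA actually mapped each flow to and how many bytes each flow carried at teardown. The sample lines are constructed in the same format as the post; 203.0.113.239 is a placeholder for the redacted outside address.

```python
import re
from collections import Counter

# Constructed sample in the ASA syslog format quoted in the post above
# (severity|timestamp|message-id: text). 203.0.113.239 stands in for the
# redacted outside interface address; the stray space before the mapped
# port ("239 /50432") is kept because the posted lines have it.
SAMPLE_LOG = """\
6|Feb 08 2015 03:03:46|305011: Built dynamic UDP translation from inside:192.168.0.2/50432 to outside:203.0.113.239 /50432
6|Feb 08 2015 03:03:46|302015: Built outbound UDP connection 126 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/50432 (203.0.113.239 /50432)
6|Feb 08 2015 03:04:00|305012: Teardown dynamic UDP translation from inside:192.168.0.2/57818 to outside:203.0.113.239 /57818 duration 0:02:39
6|Feb 08 2015 03:04:23|302016: Teardown UDP connection 124 for outside:8.8.8.8/53 to inside:192.168.0.2/52833 duration 0:02:08 bytes 215
6|Feb 08 2015 03:04:36|305011: Built dynamic UDP translation from inside:192.168.0.2/50290 to outside:203.0.113.239 /50290
6|Feb 08 2015 03:04:36|302015: Built outbound UDP connection 127 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/50290 (203.0.113.239 /50290)
6|Feb 08 2015 03:04:53|302010: 4 in use, 19 most used
6|Feb 08 2015 03:05:54|302016: Teardown UDP connection 126 for outside:8.8.8.8/53 to inside:192.168.0.2/50432 duration 0:02:08 bytes 215
6|Feb 08 2015 03:06:25|305012: Teardown dynamic UDP translation from inside:192.168.0.2/50432 to outside:203.0.113.239 /50432 duration 0:02:39
"""

HEADER_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")

# 305011 / 305012: dynamic PAT translation built / torn down
XLATE_RE = re.compile(
    r"^(?P<action>Built|Teardown) dynamic (?P<proto>\w+) translation from "
    r"(?P<real_ifc>\w+):(?P<real_ip>[\w.]+)/(?P<real_port>\d+) to "
    r"(?P<mapped_ifc>\w+):(?P<mapped_ip>[\w.]+)\s*/(?P<mapped_port>\d+)"
)

# 302015 / 302016: connection built / torn down (the teardown carries a byte count)
CONN_RE = re.compile(
    r"^(?P<action>Built|Teardown) (?:outbound |inbound )?(?P<proto>\w+) connection "
    r"(?P<conn_id>\d+) for (?P<a_ifc>\w+):(?P<a_ip>[\w.]+)/(?P<a_port>\d+).*? to "
    r"(?P<b_ifc>\w+):(?P<b_ip>[\w.]+)/(?P<b_port>\d+)(?:.*? bytes (?P<bytes>\d+))?"
)


def parse_line(line):
    """Split one ASA syslog line into severity, timestamp, message id and text."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["msgid"] = int(rec["msgid"])
    return rec


def summarize(log_text):
    """Track translations and connections across a log excerpt.

    Returns how many dynamic translations were built and torn down, which
    real address/port pairs are still open, which mapped (outside) addresses
    the ASA used, per-connection byte counts at teardown and a tally of
    destination ports.
    """
    open_xlates = {}   # (real_ip, real_port) -> mapped_ip
    built = torn = 0
    mapped = set()
    conns = {}         # conn_id -> {"dst": "ip/port", "bytes": int or None}
    dst_ports = Counter()

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msgid"] in (305011, 305012):
            x = XLATE_RE.match(rec["text"])
            if not x:
                continue
            key = (x["real_ip"], int(x["real_port"]))
            if x["action"] == "Built":
                built += 1
                open_xlates[key] = x["mapped_ip"]
                mapped.add(x["mapped_ip"])
            else:
                torn += 1
                open_xlates.pop(key, None)
        elif rec["msgid"] in (302015, 302016):
            c = CONN_RE.match(rec["text"])
            if not c:
                continue
            cid = int(c["conn_id"])
            # For an outbound connection the ASA logs the outside (remote) endpoint first.
            entry = conns.setdefault(cid, {"dst": f"{c['a_ip']}/{c['a_port']}", "bytes": None})
            if c["action"] == "Built":
                dst_ports[(c["proto"], int(c["a_port"]))] += 1
            else:
                entry["bytes"] = int(c["bytes"]) if c["bytes"] else 0

    return {
        "xlates_built": built,
        "xlates_torn_down": torn,
        "xlates_open": sorted(open_xlates),
        "mapped_addresses": sorted(mapped),
        "conns": conns,
        "dst_ports": dict(dst_ports),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"translations built={s['xlates_built']} torn down={s['xlates_torn_down']} open={s['xlates_open']}")
    print("mapped to:", s["mapped_addresses"])
    for cid, info in sorted(s["conns"].items()):
        print(f"conn {cid} -> {info['dst']} bytes={info['bytes']}")
```

In this excerpt the translations are built to the outside address and the UDP/53 flows carry 215 bytes at teardown, which is what a working PAT looks like in the log; running the same summary over a later excerpt and comparing the mapped addresses and byte counts is a quick way to see when that stops being true.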

19 Replies

APPIREDDY
Level 1

Hi,

It looks like there is an issue with NAT. Try the following.

1) Remove the following statements with 'no' followed by the command:

object network obj_any
 subnet 0.0.0.0 0.0.0.0

and

nat (inside,outside) source dynamic obj_any interface

2) Now add the following:

object network 192.168.0.0_net

subnet 192.168.0.0 255.255.255.0

nat (inside,outside) dynamic interface

 

Hope this will help.

regards

reddy

 

Thanks for the response.

 

I removed and added your recommendations and then had to add route outside 0.0.0.0 0.0.0.0 7.x.x.1 (default gw isp)

 

Still no outside ping!

object network NAT_ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) source dynamic NAT_ALL interface

 

That will NAT anything from inside to your ASA's external interface IP... in ASA 8.4; not sure how the wording is in 9.1.

 

When you say you added a default route -- did you make that default route point to the next layer 3 hop?

 

Can you ping the next hop from your ASA? Can you ping the external interface at that next hop device?

 

Can you do the following on your asa

 

access-list CAPNAME extended permit ip any any

capture CAPIN interface inside match access-list CAPNAME

capture CAPOUT interface outside match access-list CAPNAME

 

That would be nice to see the request going to the inside interface, being translated, and leaving the outside interface as the NAT'd IP address. Running those captures, then a ping from the host to 8.8.8.8 (just 4 is fine), then posting show cap CAPIN and show cap CAPOUT will probably solve our issue, or at least really narrow it down by telling us where to look.

The default route ip is the default gateway of my ISP. When I connect modem directly to PC I get connection and I can see DGW and assigned ip address.  This has remained static as both FW and desktop have been assigned the same MAC. 

 

Not able to ping anything at all after the ASA.

 

I have added capture. 

 

I opened the dhcps port and am seeing the capture below.

 

home-fw-1# sh capture CAPOUT

14 packets captured

   1: 11:03:57.960155       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   2: 11:04:02.960079       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   3: 11:04:08.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   4: 11:04:15.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   5: 11:04:23.960109       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   6: 11:04:32.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   7: 11:04:42.960079       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   8: 11:04:45.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   9: 11:04:49.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  10: 11:04:54.960109       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  11: 11:05:00.960079       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  12: 11:05:07.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  13: 11:05:15.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  14: 11:05:24.960079       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
14 packets shown
home-fw-1# sh capture CAPIN

0 packet captured

0 packet shown
home-fw-1#

 

 

home-fw-1# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 7.x.x.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 7.x.x.1, outside
C        192.168.0.0 255.255.255.0 is directly connected, inside
L        192.168.0.254 255.255.255.255 is directly connected, inside

 

 

home-fw-1# sh run dhcpd
dhcpd dns 7.x.x.1
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.33 inside

I'm using static IPs.

 

home-fw-1# sh dhcpd state
Context  Not Configured for DHCP
Interface inside, Not Configured for DHCP
Interface outside, Configured for DHCP CLIENT
 

 

It seems no outbound connection is permitted.

 

Same output with NAT_ALL

 

Cheers

Hi,

Can you ping 8.8.8.8 from the FW itself?

Some ISPs bind the MAC address to devices and only those devices are allowed to communicate to the outside world. If that is the case, you need to ask them to clear the ARP and give them the ASA FW MAC address to register. (Are you getting an IP address for the outside interface? It looks like the DHCP client is enabled on outside from the above.)

If you manually configure the primary DNS on the PC to 8.8.8.8, can you reach the internet from Internet Explorer?

Can you use packet trace from ASDM and select the interface as inside and protocol as tcp source port as 2005 ( or any random port) and destination ip : 216.58.208.46 and destination port as: 80 and post the result here?

Also please post the results of:

show xlate

show nat

show run nat

show run object

show conn

Hi,

 

I do have this IP address bound to my MAC address, which has given me the same IP address and will continue to do so, which is 7.x.x.239 (the default gateway is .1 of this), but I have applied dhcp setroute because of the ISP.

 

Outputs


home-fw-1# packet-tracer input inside tcp 192.168.0.254 2005 216.58.208.46 80 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc9bca08, priority=1, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 7.x.x.1, outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc28f3d8, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.0.254, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


home-fw-1# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 2 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit icmp any any echo (hitcnt=0) 0x80a148e1
access-list outside_in line 2 extended deny ip any any log informational interval 300 (hitcnt=0) 0x4cc7a6a3
access-list inside_in; 3 elements; name hash: 0xd3a8690b
access-list inside_in line 1 extended permit udp any any eq bootpc (hitcnt=0) 0x8352f743
access-list inside_in line 2 extended permit udp any any eq bootps (hitcnt=0) 0xa1bb4ef7
access-list inside_in line 3 extended deny ip any any log informational interval 300 (hitcnt=0) 0x14c87690
 


home-fw-1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
    flags sIT idle 0:03:53 timeout 0:00:00

 

home-fw-1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic NAT_ALL interface
    translate_hits = 0, untranslate_hits = 0


home-fw-1# show run nat
nat (inside,outside) source dynamic NAT_ALL interface


home-fw-1# sh run object
object network NAT_ALL
 subnet 0.0.0.0 0.0.0.0
 
home-fw-1# show conn
1 in use, 1 most used
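As an added example (not from the thread and not Cisco code), here is a Python parser for the packet-tracer output format shown above. It splits the trace into phases, keeps each phase's Config and Additional Information lines, pulls out the final Action and Drop-reason, and names the first phase that dropped the packet, which is usually the only line you care about when working through a "why can't this host get out" ticket. The sample trace is constructed from the post's format; 192.0.2.1 stands in for the redacted ISP gateway, and the rule ids are the ones shown in the post.

```python
import re

# Constructed sample in the packet-tracer output format posted above;
# 192.0.2.1 stands in for the redacted ISP gateway.
SAMPLE_TRACE = """\
home-fw-1# packet-tracer input inside tcp 192.168.0.254 2005 216.58.208.46 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc9bca08, priority=1, domain=permit, deny=false

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 192.0.2.1, outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc28f3d8, priority=500, domain=permit, deny=true
        src ip/id=192.168.0.254, mask=255.255.255.255, port=0, tag=0

Result:
input-interface: inside
input-status: up
output-interface: outside
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")


def parse_packet_tracer(text):
    """Return {"phases": [...], "final": {...}} for one packet-tracer run."""
    phases, final, cur, section, in_final = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            phases.append(cur)
            section, in_final = None, False
            continue
        if in_final:                       # "input-interface: inside", "Action: drop", ...
            key, _, value = line.partition(":")
            final[key.strip().lower()] = value.strip()
            continue
        if cur is None:                    # prompt / command echo before the first phase
            continue
        if line.startswith("Type:"):
            cur["type"] = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            cur["subtype"] = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            value = line[len("Result:"):].strip()
            if value:
                cur["result"] = value
            else:                          # a bare "Result:" opens the final verdict block
                in_final = True
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section:
            cur[section].append(line.strip())
    return {"phases": phases, "final": final}


def first_drop(parsed):
    return next((p for p in parsed["phases"] if p["result"] == "DROP"), None)


def drop_code(parsed):
    """The short code in parentheses at the start of Drop-reason, e.g. 'acl-drop'."""
    m = re.match(r"\((.*?)\)", parsed["final"].get("drop-reason", ""))
    return m.group(1) if m else None


def explain(parsed):
    final = parsed["final"]
    if final.get("action") != "drop":
        return f"allowed: {final.get('input-interface')} -> {final.get('output-interface')}"
    p = first_drop(parsed)
    # "Implicit Rule" with a deny result is the implicit deny at the end of the applied ACL.
    rule = ("the implicit deny at the end of the ACL" if "Implicit Rule" in p["config"]
            else "; ".join(p["config"]) or "see Additional Information")
    return f"dropped in phase {p['phase']} ({p['type']}), reason {drop_code(parsed)}: {rule}"


if __name__ == "__main__":
    print(explain(parse_packet_tracer(SAMPLE_TRACE)))
```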

Hi,

Can you not apply the inside ACL and see what happens?

also can you change

nat (inside,outside) source dynamic NAT_ALL interface

to

nat (inside,outside) source dynamic interface

you don't need to say NAT_ALL in nat statement.

 

So you're showing NO ip traffic entering your ASA.

And you're showing ip traffic leaving your ASA from 0.0.0.0 destined to 255.255.255.255.

 

Clearly your NAT is not working.
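The reading above (nothing entering on inside, only 0.0.0.0 to 255.255.255.255 leaving outside) can be automated. As an added example that is not part of the thread and not Cisco code, the Python below parses show capture output in the format posted here, labels each packet (the ASA's own DHCP client broadcast, a DHCP server reply, a local broadcast, an RFC1918 source heading for the internet, or anything else) and compares the inside and outside captures. The inside subnet 192.168.0.0/24 is taken from the thread; the two capture samples are constructed, with lines modelled on the ones posted.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One "show capture" line: "  idx: hh:mm:ss.usec  [802.1Q vlan#N P0] src > dst: proto ..."
CAP_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+):\s+(?P<rest>.*)$"
)

# Constructed samples modelled on the captures posted in this thread.
CAPIN = """\
home-fw-1# sh capture CAPIN

5 packets captured

   1: 19:27:44.698389       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53:  udp 35
   2: 19:27:54.990305       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
   3: 19:28:06.416085       802.1Q vlan#1 P0 192.168.0.2.68 > 255.255.255.255.67:  udp 300
   4: 19:28:06.416375       802.1Q vlan#1 P0 192.168.0.254.67 > 192.168.0.2.68:  udp 286
   5: 19:28:14.498875       802.1Q vlan#1 P0 192.168.0.2 > 8.8.8.8: icmp: echo request
5 packets shown
"""
CAPOUT = """\
home-fw-1# sh capture CAPOUT

3 packets captured

   1: 19:27:14.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   2: 19:27:17.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   3: 19:27:21.941510       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
3 packets shown
"""


def split_endpoint(ep):
    """'1.2.3.4.53' -> ('1.2.3.4', 53); a bare '1.2.3.4' (ICMP) -> ('1.2.3.4', None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def parse_capture(text):
    pkts = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if not m:                  # skips the prompt and the "N packets captured/shown" lines
            continue
        src_ip, src_port = split_endpoint(m["src"])
        dst_ip, dst_port = split_endpoint(m["dst"])
        proto = m["rest"].strip().split(":")[0].split()[0]   # "udp 548" / "icmp: echo request"
        pkts.append({"idx": int(m["idx"]), "vlan": m["vlan"], "proto": proto,
                     "src_ip": src_ip, "src_port": src_port,
                     "dst_ip": dst_ip, "dst_port": dst_port})
    return pkts


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(pkt, inside_net):
    src, dst = pkt["src_ip"], pkt["dst_ip"]
    if src == "0.0.0.0" and pkt["dst_port"] == 67:
        return "asa-dhcp-client"        # the firewall's own DHCPDISCOVER, not transit traffic
    if pkt["src_port"] == 67 and pkt["dst_port"] == 68:
        return "dhcp-server-reply"
    if dst == "255.255.255.255" or ipaddress.ip_address(dst) == inside_net.broadcast_address:
        return "broadcast"
    if is_rfc1918(src) and not is_rfc1918(dst):
        return "private-to-internet"    # normal on inside; on outside it means NAT did not apply
    return "other"


def diagnose(capin_text, capout_text, inside_net="192.168.0.0/24"):
    net = ipaddress.ip_network(inside_net)
    cin = Counter(classify(p, net) for p in parse_capture(capin_text))
    cout = Counter(classify(p, net) for p in parse_capture(capout_text))
    findings = []
    if cout and set(cout) <= {"asa-dhcp-client"}:
        findings.append(("outside-only-own-dhcp",
                         "outside capture holds nothing but the ASA's own DHCP client broadcasts"))
    if cout["asa-dhcp-client"] and not cout["dhcp-server-reply"]:
        findings.append(("no-dhcp-offer",
                         "DHCPDISCOVER is repeated on outside with no OFFER in reply: the outside "
                         "interface is not getting a lease from the upstream device"))
    if cin["private-to-internet"] and not cout["private-to-internet"] and not cout["other"]:
        findings.append(("inside-not-egressing",
                         "inside hosts send internet-bound packets that never appear on outside: "
                         "check NAT and the interface ACLs with packet-tracer"))
    if cout["private-to-internet"]:
        findings.append(("untranslated-egress",
                         "RFC1918 source addresses are leaving the outside interface: NAT is not translating"))
    return {"inside": dict(cin), "outside": dict(cout), "findings": findings}


if __name__ == "__main__":
    for code, msg in diagnose(CAPIN, CAPOUT)["findings"]:
        print(f"[{code}] {msg}")
```

Point the two capture texts at your own show capture output and the findings list tells you which of the three situations the thread keeps circling (nothing leaving, no DHCP lease on outside, or private addresses leaking untranslated) you are actually looking at.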

 

I've troubleshot the following:

 

Erase all / fresh config


ACL any4.  You now have to specify ipv4 or ipv6 for any


inspect traffic dns, http


Reapplying DHCPD config for inside


Permitting ICMP traffic [echo, unreachable, time]


Recommended nat statements

 

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

Cisco recommends the above.

 

 

I have attached latest config.

 

 

When I do a packet trace for an internal source IP to the ISP default gateway with DHCP ports it says OK; same for internal to google.com, OK again.


home-fw-1# packet-tracer input inside udp 192.168.0.2 68 7.X.X.1 67 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 7.X.X.239, outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit ip object-group ALL-SUBNET-INT object-group ALL-SUBNET-EXT
object-group network ALL-SUBNET-INT
 network-object 0.0.0.0 0.0.0.0
object-group network ALL-SUBNET-EXT
 network-object 0.0.0.0 0.0.0.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc4920b8, priority=13, domain=permit, deny=false
        hits=184, user_data=0xca9962c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.0.0_net
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.0.2/68 to 0.0.0.0/306
 Forward Flow based lookup yields rule:
 in  id=0xcc5fee38, priority=6, domain=nat, deny=false
        hits=107, user_data=0xcca768b8, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc350dd8, priority=0, domain=nat-per-session, deny=true
        hits=268, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc9c2650, priority=0, domain=inspect-ip-options, deny=true
        hits=201, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcca0ded8, priority=0, domain=host-limit, deny=false
        hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xcc350dd8, priority=0, domain=nat-per-session, deny=true
        hits=270, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xcc9eca40, priority=0, domain=inspect-ip-options, deny=true
        hits=189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 212, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


 


When I ping to either 8.8.8.8 or default gw it fails and capture gives this output.


home-fw-1# sh capture CAPIN

0 packet captured

0 packet shown
home-fw-1# sh capture CAPOUT

17 packets captured

   1: 15:01:08.320036       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   2: 15:01:18.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   3: 15:01:21.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   4: 15:01:25.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   5: 15:01:30.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   6: 15:01:36.319990       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   7: 15:01:43.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   8: 15:01:51.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   9: 15:02:00.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  10: 15:02:10.319990       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  11: 15:02:13.319929       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  12: 15:02:17.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  13: 15:02:22.319990       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  14: 15:02:28.319990       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  15: 15:02:35.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  16: 15:02:43.320006       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  17: 15:02:52.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548


I'm going to leave the firewall on in the meantime, for 24 hours. The ISP clears their ARP in the early hours.
My MAC address is bound to the same IP, which I have assigned both to the FW and the PC.

 

I also bypassed the switch and the computer can ping the default gateway but nothing on the ISP interface or default gateway.

Any other ideas?

 

It's still not natting.  You have packets leaving from 0.0.0.0 to 255.255.255.255

 

--

 

object network 192.168.0.0_net
 nat (inside,outside) dynamic interface

 

You need to define what is INCLUDED in the object network NAMED 192.168.0.0_net

 

so

object-group network 192.168.0.0_net

 network-object 192.168.0.0 255.255.255.0 !or whatever your subnet is

 nat (inside,outside) source dynamic 192.168.0.0_net interface

 

That WILL nat your traffic to the external interface.

 

I know you think you created a range, and you did with your range statement but you never called it with:

 

network-object object NAMEHERE

I have tried that nat statement (quite a few times) and it's still not working.

 

Object group contains 192.168.0.0 / 24 and 0.0.0.0 0.0.0.0

 

When I connect desktop I have been assigned the correct 192.168.x.x internal ip with gateway but cannot ping or surf web.  From computer I can ping inside default gateway and nothing else.

 

 

 

I won't be back until tonight.  Can you post:

1) Your updated, newest, current configuration?

2) clear cap capin

3) clear cap capout

4) Ping from an inside device to 8.8.8.8.

5) and then also put up your newest captures (capin and capout)

If you change your config between posting and tonight, back it up so that any changes I can help you make can be put in.

 

Thanks!

 

 

:
ASA Version 9.2(3)
!
 
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
 description -OUTSIDE CONNECTION TO ISP-
 switchport access vlan 2
 switchport mode access
 no switchport protected
 speed auto
 duplex auto
 delay 10
!
interface Ethernet0/1
 switchport access vlan 2
 switchport protected
 shutdown
!
interface Ethernet0/2
 switchport access vlan 200
 shutdown
!
interface Ethernet0/3
 switchport access vlan 200
 shutdown
!
interface Ethernet0/4
 switchport access vlan 200
 shutdown
!
interface Ethernet0/5
 switchport access vlan 200
 shutdown
!
interface Ethernet0/6
 switchport access vlan 200
 shutdown
!
interface Ethernet0/7
 description -INSIDE CONNNECTION TO SWITCH-
 switchport access vlan 1
 switchport mode access
 no switchport protected
 speed auto
 duplex auto
 delay 10
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0
 delay 10

!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 delay 10
!

!
boot system disk0:/asa923-k8.bin
ftp mode passive
clock timezone GMT 0

dns server-group DefaultDNS
 domain-name home-fw-1.com
object-group network ALL-SUBNET-INT
 network-object 0.0.0.0 0.0.0.0
object-group network ALL-SUBNET-EXT
 network-object 0.0.0.0 0.0.0.0
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group network INSIDE_NET
 network-object 192.168.0.0 255.255.255.0
 

access-list outside_in extended permit icmp any4 any4 object-group DefaultICMP
access-list outside_in extended deny ip object-group ALL-SUBNET-EXT object-group ALL-SUBNET-INT
access-list inside_in extended permit icmp any4 any4 object-group DefaultICMP
access-list inside_in extended permit ip object-group ALL-SUBNET-INT object-group ALL-SUBNET-EXT
access-list inside_in extended deny ip object-group ALL-SUBNET-INT object-group ALL-SUBNET-EXT
access-list CAPNAME extended permit ip any4 any4

pager lines 24
mtu inside 1500
mtu outside 1500

ip verify reverse-path interface inside
ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 240
no arp permit-nonconnected

nat (inside,outside) source dynamic INSIDE_NET interface
access-group inside_in in interface inside
access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 7.X.X.1 1   <default gw of ISP>
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 7.X.X.1      <default gw of ISP>
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain XXXX.com
!
dhcpd address 192.168.0.2-192.168.0.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5ebe606760ff455d1efc1e486c33e687
: end


From computer.  I am assigned 192.168.X.X ip address with correct default gw but not able to ping 7.X.X.1 (ISP Default GW) or 7.X.X.239 (FW outside interface ip).

 

home-fw-1# sh capture CAPIN

38 packets captured

   1: 19:27:44.698389       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53:  udp 35
   2: 19:27:45.686640       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53:  udp 35
   3: 19:27:46.686381       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53:  udp 35
   4: 19:27:47.695352       802.1Q vlan#1 P0 192.168.0.2.62864 > 86.27.251.1.53:  udp 36
   5: 19:27:48.687830       802.1Q vlan#1 P0 192.168.0.2.62864 > 86.27.251.1.53:  udp 36
   6: 19:27:48.687906       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53:  udp 35
   7: 19:27:50.687342       802.1Q vlan#1 P0 192.168.0.2.62864 > 86.27.251.1.53:  udp 36
   8: 19:27:52.689951       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53:  udp 35
   9: 19:27:54.990305       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
  10: 19:27:55.739417       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
  11: 19:27:56.488805       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
  12: 19:27:56.781530       802.1Q vlan#1 P0 192.168.0.2.56883 > 86.27.251.1.53:  udp 36
  13: 19:27:57.250383       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53:  udp 42
  14: 19:27:57.771551       802.1Q vlan#1 P0 192.168.0.2.56883 > 86.27.251.1.53:  udp 36
  15: 19:27:58.241381       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53:  udp 42
  16: 19:27:59.241152       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53:  udp 42
  17: 19:27:59.770742       802.1Q vlan#1 P0 192.168.0.2.56883 > 86.27.251.1.53:  udp 36
  18: 19:28:01.240618       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53:  udp 42
  19: 19:28:04.073986       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
  20: 19:28:04.823047       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
  21: 19:28:05.242632       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53:  udp 42
  22: 19:28:05.572464       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
  23: 19:28:06.416085       802.1Q vlan#1 P0 192.168.0.2.68 > 255.255.255.255.67:  udp 300
  24: 19:28:06.416375       802.1Q vlan#1 P0 192.168.0.254.67 > 192.168.0.2.68:  udp 286
  25: 19:28:06.440239       802.1Q vlan#1 P0 192.168.0.2.64070 > 86.27.251.1.53:  udp 36
  26: 19:28:07.432030       802.1Q vlan#1 P0 192.168.0.2.64070 > 86.27.251.1.53:  udp 36
  27: 19:28:09.440330       802.1Q vlan#1 P0 192.168.0.2.64070 > 86.27.251.1.53:  udp 36
  28: 19:28:13.743537       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
  29: 19:28:14.492299       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
  30: 19:28:14.498875       802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
  31: 19:28:15.241976       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137:  udp 50
  32: 19:28:16.005584       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53:  udp 35
  33: 19:28:16.991495       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53:  udp 35
  34: 19:28:17.994196       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53:  udp 35
  35: 19:28:19.064724       802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
  36: 19:28:19.993494       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53:  udp 35
  37: 19:28:23.994623       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53:  udp 35
  38: 19:28:24.065456       802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
38 packets shown
home-fw-1# sh capture CAPout

14 packets captured

   1: 19:27:14.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   2: 19:27:17.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   3: 19:27:21.941510       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   4: 19:27:26.941479       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   5: 19:27:32.940075       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   6: 19:27:39.940075       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   7: 19:27:47.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   8: 19:27:56.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
   9: 19:28:06.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  10: 19:28:09.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  11: 19:28:13.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  12: 19:28:18.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  13: 19:28:24.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
  14: 19:28:31.940075       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67:  udp 548
14 packets shown

 

 

Hi,

Again, you got the NAT statement wrong:

>>>nat (inside,outside) source dynamic INSIDE_NET interface

this should be

nat (inside,outside) source dynamic interface

and the above should be within the object group/object as shown below; please add them one below the other, but remove the old ones before you put in the following:

object-group network INSIDE_NET
   network-object 192.168.0.0 255.255.255.0
   nat (inside,outside) source dynamic interface

 

regards