ASA 5510 No Internet Connection on the inside Interface

Hi all,

So I have an ASA 5510.

The ASA is connected to the Internet through a PPPoE DSL modem.

The outside interface gets an IP.

On the inside interface, DHCP from the ASA hands out the Internet DNS server (T-Online).

But the hosts do not connect to the Internet, because the DNS server times out.

Here is my config:

ciscoasa> ena

Password: *******

ciscoasa# show run

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password xxx

passwd xxx

names

!

interface Ethernet0/0

nameif outside

security-level 0

pppoe client vpdn group T-Online

ip address pppoe setroute

!

interface Ethernet0/1

shutdown

no nameif

security-level 100

no ip address

!

interface Ethernet0/2

nameif inside

security-level 100

ip address 172.20.0.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 217.5.100.185

name-server 217.5.100.186

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

<--- More --->

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

route outside 0.0.0.0 0.0.0.0 <ip of the outside interface> 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 172.20.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

<--- More --->

ssh timeout 5

console timeout 0

vpdn group T-Online request dialout pppoe

vpdn group T-Online localname <t-online username>

vpdn group T-Online ppp authentication pap

vpdn username <t-online username> password xxx

dhcpd address 172.20.0.100-172.20.0.200 inside

dhcpd dns 217.5.100.185 217.5.100.186 interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

<--- More --->

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:b28f45c98568fb8d01293cf71256fa82

<--- More --->

: end

ciscoasa# 

I think this must be a NAT/ACL problem, but when I configure NAT the same problem still exists.

Can someone help me?

varrao

Hi Philipp,

It definitely seems to be a NAT issue, you would need to add this:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

If it still does not work, please reboot the modem and the ASA once and then check again.

Hope that helps,

Thanks,

Varun

Thanks,
Varun Rao

Hi Varun,

I guess you overlooked that the ASA version is 8.4 :-).

Philipp,

For the new version try this...

object network obj_any

   subnet 0.0.0.0 0.0.0.0       --> You can replace 0/0 with your internal subnet.
   nat (inside,outside) dynamic interface

For more information on pre/post 8.3 syntax changes, refer to the link below...

https://supportforums.cisco.com/docs/DOC-9129

hth

MS

Oh yes, definitely, thanks. I just didn't see any NAT statement in there, and might have overlooked the one you specified.

Cheers,

Varun

Thanks,
Varun Rao

OK, I see it :-)

But when I configure this, the problem still exists :-(

New config:

ciscoasa# show run

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password xxx

passwd xxx

names

!

interface Ethernet0/0

nameif outside

security-level 0

pppoe client vpdn group T-Online

ip address pppoe setroute

!

interface Ethernet0/1

shutdown

no nameif

security-level 100

no ip address

!

interface Ethernet0/2

nameif inside

security-level 100

ip address 172.20.0.1 255.255.0.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 217.5.100.185

name-server 217.5.100.186

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Testpc

host 172.20.100.1

access-list inside_in extended permit ip any interface outside

access-list inside_access_in extended permit ip 172.20.0.0 255.255.0.0 interface outside

access-list inside_access_in extended permit ip object Testpc interface outside

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network obj_any

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 87.139.227.44 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 172.20.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group T-Online request dialout pppoe

vpdn group T-Online localname

vpdn group T-Online ppp authentication pap

vpdn username password xxx

dhcpd address 172.20.100.1-172.20.100.200 inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3b1058e17ecd9f9dd895841e0cdf9688

: end

ciscoasa#

The new ACLs are an attempt to solve this output from the ASDM logging:

443    Deny TCP (no connection) from 172.20.100.1/50142 to 172.20.0.1/443 flags FIN ACK  on interface inside

Update:

I have removed the ACLs so that only the "lower interface" rule is working.

It seems that the connection to the DNS server is established, but then the connection is closed with "Teardown" before the information is transmitted.

All packets are translated, but it is not working.

Log entries:

217.100.5.185|   53|172.20.100.1 |63320|Teardown UDP connection 1552 for outside:217.100.5.185/53 to inside:172.20.100.1/63320 duration 0:02:07 bytes 129

217.100.5.186|   53|172.20.100.1 |63320|Teardown UDP connection 1551 for outside:217.100.5.186/53 to inside:172.20.100.1/63320 duration 0:02:08 bytes 172

172.20.100.1 |54829|217.100.5.186|   53|Built outbound UDP connection 1562 for outside:217.100.5.186/53 (217.100.5.186/53) to inside:172.20.100.1/54829 (ISP given IP/29049)

172.20.100.1 |54829|217.100.5.185|   53|Built outbound UDP connection 1561 for outside:217.100.5.185/53 (217.100.5.185/53) to inside:172.20.100.1/54829 (ISP given IP/29049)

172.20.100.1 |54829|87.139.227.44|29049|Built dynamic UDP translation from inside:172.20.100.1/54829 to ISP given IP/29049

Update:

The problem is caused at the outside interface.

Incoming packets are dropped by an outside ACL.

The packet flow is broken at an ACL from the outside to the inside.

When I open the wall, the NAT drops the packet ...
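The "Built ... / Teardown UDP connection" lines above are the evidence the thread turns on: with `inspect dns` active (it is in the posted global_policy), a UDP/53 flow is normally closed as soon as the reply passes, so a DNS connection that lives until the UDP idle timer expires (`timeout conn ... udp 0:02:00` in the posted config, i.e. about two minutes) carried a query but never saw an answer come back. The following is an added example, not code from the thread or from Cisco: a small Python parser for those ASA syslog messages that pairs Built and Teardown lines by connection id and flags DNS flows that were torn down only by the idle timer. The sample log is constructed from the lines quoted in the post, with the "ISP given IP" placeholder replaced by the outside address 87.139.227.44 that appears later in the thread and one invented healthy lookup (conn 1570) for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, modelled on the ASDM lines quoted in the thread.
# conn 1561/1562: no reply within the idle timeout; conn 1570: a healthy lookup.
SAMPLE_LOG = """\
172.20.100.1 |54829|87.139.227.44|29049|Built dynamic UDP translation from inside:172.20.100.1/54829 to outside:87.139.227.44/29049
172.20.100.1 |54829|217.100.5.185|   53|Built outbound UDP connection 1561 for outside:217.100.5.185/53 (217.100.5.185/53) to inside:172.20.100.1/54829 (87.139.227.44/29049)
172.20.100.1 |54829|217.100.5.186|   53|Built outbound UDP connection 1562 for outside:217.100.5.186/53 (217.100.5.186/53) to inside:172.20.100.1/54829 (87.139.227.44/29049)
217.100.5.185|   53|172.20.100.1 |54829|Teardown UDP connection 1561 for outside:217.100.5.185/53 to inside:172.20.100.1/54829 duration 0:02:07 bytes 129
217.100.5.186|   53|172.20.100.1 |54829|Teardown UDP connection 1562 for outside:217.100.5.186/53 to inside:172.20.100.1/54829 duration 0:02:08 bytes 172
172.20.100.1 |60001|217.100.5.185|   53|Built outbound UDP connection 1570 for outside:217.100.5.185/53 (217.100.5.185/53) to inside:172.20.100.1/60001 (87.139.227.44/30010)
217.100.5.185|   53|172.20.100.1 |60001|Teardown UDP connection 1570 for outside:217.100.5.185/53 to inside:172.20.100.1/60001 duration 0:00:00 bytes 286
"""

# "timeout conn ... udp 0:02:00" in the posted config: an idle UDP flow is torn
# down after 120 s. A DNS flow that lasts this long never saw a reply.
UDP_IDLE_TIMEOUT = 120

BUILT = re.compile(
    r"Built outbound UDP connection (?P<id>\d+) for "
    r"\w+:(?P<a>[\d.]+)/(?P<ap>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<b>[\d.]+)/(?P<bp>\d+) \((?P<xlate>[\d.]+/\d+)\)"
)
TEARDOWN = re.compile(
    r"Teardown UDP connection (?P<id>\d+) for "
    r"\w+:(?P<a>[\d.]+)/(?P<ap>\d+) to \w+:(?P<b>[\d.]+)/(?P<bp>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)"
)


@dataclass
class DnsFlow:
    conn_id: int
    client: str                      # the non-port-53 side, i.e. the inside host
    server: str
    xlate: Optional[str] = None      # mapped address/port the server saw
    duration: Optional[int] = None   # seconds, filled in from the Teardown line
    nbytes: Optional[int] = None

    @property
    def answered(self) -> Optional[bool]:
        """None until torn down; False when the flow only died of the idle timer."""
        if self.duration is None:
            return None
        return self.duration < UDP_IDLE_TIMEOUT


def _endpoints(m) -> Optional[tuple]:
    """Return (client, server) for a DNS match, or None for non-DNS traffic."""
    if m["ap"] == "53":
        return m["b"], m["a"]
    if m["bp"] == "53":
        return m["a"], m["b"]
    return None


def parse_dns_flows(log_text: str) -> Dict[int, DnsFlow]:
    """Pair Built/Teardown lines by connection id, keeping only UDP/53 flows."""
    flows: Dict[int, DnsFlow] = {}
    for line in log_text.splitlines():
        for pattern in (BUILT, TEARDOWN):
            m = pattern.search(line)
            if not m:
                continue
            ends = _endpoints(m)
            if ends is None:
                break
            cid = int(m["id"])
            flow = flows.setdefault(cid, DnsFlow(cid, *ends))
            if pattern is BUILT:
                flow.xlate = m["xlate"]
            else:
                flow.duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
                flow.nbytes = int(m["bytes"])
            break
    return flows


def unanswered_dns(log_text: str) -> List[DnsFlow]:
    """DNS flows that were torn down only because the UDP idle timer expired."""
    return [f for f in parse_dns_flows(log_text).values() if f.answered is False]


if __name__ == "__main__":
    for f in unanswered_dns(SAMPLE_LOG):
        print(f"conn {f.conn_id}: {f.client} -> {f.server} via {f.xlate}: "
              f"no reply in {f.duration}s ({f.nbytes} bytes)")
```

Run against the sample, conns 1561 and 1562 are reported and 1570 is not. Because the translation is built and the outbound connection is created, this points past NAT to the return path (an ACL or the upstream), which is where the later "Update" in the post ends up as well. One thing worth verifying on the real box while looking at such lines: the resolver addresses in the quoted log (217.100.5.185/186) do not match the `name-server` and `dhcpd dns` entries in the posted config (217.5.100.185/186).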

Hello Philipp,

Please add the following access-list:

access-list inside_in line 1 permit ip any any

Then provide me the following outputs:

- packet-tracer input inside tcp 172.20.1.15 1025 4.2.2.2 80

- fixup protocol icmp

- Try to ping 87.139.227.44 from the PC and let me know the result

- Ping from the ASA to 4.2.2.2

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks,

here is the output you need:

ciscoasa(config)#packet-tracer input inside Tcp 172.10.1.15 1025 4.2.2.2 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj_any

nat (inside,outside) dynamic interface

Additional Information:

Dynamic translate 172.10.1.15/1025 to 87.139.227.44/22793

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 294, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ciscoasa(config)# ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/70 ms

ciscoasa(config)#

-----------------------------------------------------------------------------

Ping from PC:

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\Technik>ping 87.139.227.44

Ping wird ausgeführt für 87.139.227.44 mit 32 Bytes Daten:

Zeitüberschreitung der Anforderung.

Zeitüberschreitung der Anforderung.

Zeitüberschreitung der Anforderung.

Zeitüberschreitung der Anforderung.

Ping-Statistik für 87.139.227.44:

    Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4

    (100% Verlust),

C:\Users\Technik>

So the ASA does have Internet connectivity.

Did you add the command fixup protocol icmp?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, I have entered this command but nothing changed. I have activated VPN over SSL as a test; it works fine, but the inside host has no connection to the outside.

In the new config you posted, the ASA is missing the DNS IPs for the hosts.

dhcpd dns 217.5.100.185 217.5.100.186 interface inside  --> Add this to ASA

Also, remove access-group inside_access_in in interface inside (you can add it later if required).

Try with this and see how it goes. If any issues, try to browse using IP instead of DNS name.

Thx

MS
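The two fixes MS suggests in this thread (an object NAT rule for the inside network, then restoring `dhcpd dns` and dropping the restrictive inside ACL) are exactly the kind of thing that is easy to miss by eye in a long `show run`. As an added example, not code from the thread or from Cisco, here is a Python lint that parses an ASA 8.4-style running config and reports the three conditions discussed above: no object NAT (inside,outside) covering the inside network, DHCP enabled on inside without a `dhcpd dns ... interface inside` line, and an ACL bound inbound on inside with no permit entry whose destination is `any` (the posted entries only use `interface outside`, the firewall's own address, so everything else falls to the implicit deny). The config excerpt is constructed from the second posting above, not copied verbatim; the parser deliberately ignores indentation because pasted configs lose it, and it only understands object NAT, the form used here.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the second running config posted in the
# thread (the one that still failed); not a verbatim copy.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address pppoe setroute
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 172.20.0.1 255.255.0.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Testpc
 host 172.20.100.1
access-list inside_access_in extended permit ip 172.20.0.0 255.255.0.0 interface outside
access-list inside_access_in extended permit ip object Testpc interface outside
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
dhcpd address 172.20.100.1-172.20.100.200 inside
dhcpd enable inside
"""

# The same excerpt with the two changes suggested in the reply above applied.
FIXED_CONFIG = (
    BROKEN_CONFIG.replace("access-group inside_access_in in interface inside\n", "")
    + "dhcpd dns 217.5.100.185 217.5.100.186 interface inside\n"
)


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text: str) -> dict:
    """Extract only what the checks need; indentation is not trusted."""
    cfg = {"interfaces": {}, "objects": {}, "acls": {}, "access_groups": {},
           "dhcpd_enable": set(), "dhcpd_dns": {}}
    cur_if = cur_obj = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "interface":
            cur_if, cur_obj = {"net": None}, None
        elif t[0] == "nameif" and cur_if is not None:
            cfg["interfaces"][t[1]] = cur_if
        elif t[:2] == ["ip", "address"] and cur_if is not None and len(t) >= 4 and t[2] != "pppoe":
            cur_if["net"] = _net(t[2], t[3])          # pppoe: address only known at runtime
        elif t[:2] == ["object", "network"]:
            cur_obj = cfg["objects"].setdefault(t[2], {"net": None, "nat": None})
            cur_if = None
        elif t[0] == "subnet" and cur_obj is not None:
            cur_obj["net"] = _net(t[1], t[2])
        elif t[0] == "host" and cur_obj is not None:
            cur_obj["net"] = ipaddress.ip_network(t[1])
        elif t[0] == "nat" and cur_obj is not None:     # object NAT only
            cur_obj["nat"] = " ".join(t)
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":                    # access-group NAME in interface IFACE
            cfg["access_groups"][t[4]] = t[1]
        elif t[:2] == ["dhcpd", "enable"]:
            cfg["dhcpd_enable"].add(t[2])
        elif t[:2] == ["dhcpd", "dns"]:                 # dhcpd dns A [B] interface IFACE
            cfg["dhcpd_dns"][t[-1]] = t[2:t.index("interface")]
    return cfg


def _addr(tok: List[str], i: int) -> Tuple[tuple, int]:
    """Consume one address spec starting at tok[i]; return (spec, next index)."""
    if tok[i] in ("any", "any4"):
        return ("any", None), i + 1
    if tok[i] in ("object", "object-group", "host", "interface"):
        return (tok[i], tok[i + 1]), i + 2
    return ("subnet", _net(tok[i], tok[i + 1])), i + 2


def parse_ace(tok: List[str]) -> Optional[tuple]:
    """(action, proto, src, dst) for an extended ACE; None for remarks and others."""
    if tok and tok[0] == "extended":
        tok = tok[1:]
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None
    src, i = _addr(tok, 2)
    dst, _ = _addr(tok, i)
    return tok[0], tok[1], src, dst


def check_config(text: str, inside_if: str = "inside", outside_if: str = "outside") -> List[str]:
    """Return the findings discussed in the thread for this config, empty if clean."""
    cfg = parse_config(text)
    findings: List[str] = []
    inside = cfg["interfaces"].get(inside_if)
    if inside is None or inside["net"] is None:
        return [f"no '{inside_if}' interface with a static address found"]
    pair = f"({inside_if},{outside_if})"
    if not any(o["nat"] and pair in o["nat"] and o["net"] is not None
               and inside["net"].subnet_of(o["net"]) for o in cfg["objects"].values()):
        findings.append(f"no object NAT {pair} covers {inside['net']}; inside hosts cannot reach the Internet")
    if inside_if in cfg["dhcpd_enable"] and inside_if not in cfg["dhcpd_dns"]:
        findings.append(f"dhcpd is enabled on {inside_if} but there is no "
                        f"'dhcpd dns ... interface {inside_if}'; clients get no resolver")
    acl = cfg["access_groups"].get(inside_if)
    if acl:
        aces = [a for a in map(parse_ace, cfg["acls"].get(acl, [])) if a]
        if not any(a[0] == "permit" and a[3][0] == "any" for a in aces):
            findings.append(f"ACL {acl} on {inside_if} has no permit entry with destination 'any'; "
                            f"the implicit deny at its end blocks Internet-bound traffic")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_config(text) or "OK")
```

On the broken excerpt this reports the missing `dhcpd dns` line and the ACL problem; on the fixed one it reports nothing, and removing the `nat (inside,outside) dynamic interface` line (the state of the very first config in the thread) brings back the NAT finding. `packet-tracer` and `show nat` on the ASA remain the authoritative check; this only narrows down where to look.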
