08-24-2015 10:19 AM - edited 03-11-2019 11:29 PM
First I am not a Noob but pretty close I guess.
Simple issue, I think. I have two inside interfaces (Inside, VOIP) that need to connect to the internet but not to each other. The Inside interface connects to the Outside interface just fine. The newly added VOIP interface does not connect to the internet at all.
Below is my config file. I am sure it is something simple but I can't get VOIP interface to get internet traffic.
: Saved
:
ASA Version 8.6(1)2
!
hostname $$$$$$$
enable password M651YVNoXjcfxJ40 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address #.#.#.58 255.255.255.248
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.2.0.2 255.255.254.0
!
interface GigabitEthernet0/2
 nameif V0IP
 security-level 50
 ip address 10.20.0.2 255.255.254.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.2.0.0_23
 subnet 10.2.0.0 255.255.254.0
object network testsite
 subnet 10.42.2.0 255.255.255.0
object network CCGlenBurnie
 subnet 10.8.0.0 255.255.255.0
object network CCWaldorf
 subnet 10.6.0.0 255.255.255.0
object network LexPark
 subnet 206.95.142.0 255.255.255.0
object network LTFord
 subnet 10.3.0.0 255.255.255.0
object network LTUsed
 subnet 10.5.0.0 255.255.255.0
object network PFCJD
 subnet 10.253.42.0 255.255.255.0
object network PFFord
 subnet 10.10.0.0 255.255.255.0
object network PFUsed
 subnet 10.11.0.0 255.255.255.0
object network UpperMarl
 subnet 10.11.87.0 255.255.255.0
object network inside
 subnet 10.2.0.0 255.255.254.0
object service 3391
 service tcp source eq 3391 destination eq 3391
object network obj-10.2.0.61
object network REMOTEPC
 host 10.2.0.61
object network REMOTEPC3390
 host 10.2.0.3
object network UpperMarlboro
 subnet 10.7.0.0 255.255.255.0
 description Upper Marlboro
object network ChevyHonda
 subnet 10.12.0.0 255.255.254.0
object network CCglenburnie2
 subnet 10.203.35.0 255.255.255.0
object network PartsWarehouse
 subnet 10.9.0.0 255.255.255.0
object network VOIP
 subnet 10.20.0.0 255.255.254.0
 description Internal VOIP
object-group service remote3390 tcp
 port-object eq 3390
object-group service remote3391 tcp
 port-object eq 3391
access-list Outside_cryptomap extended permit ip 10.2.0.0 255.255.254.0 object testsite
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark Allow TCP/3391
access-list outside_access_in extended permit tcp any object REMOTEPC eq 3391
access-list outside_access_in extended permit tcp any object REMOTEPC3390 eq 3390
access-list Outside_cryptomap_1 extended permit ip 10.2.0.0 255.255.254.0 object CCglenburnie2
access-list Outside_cryptomap_2 extended permit ip 10.2.0.0 255.255.254.0 object CCWaldorf
access-list Outside_cryptomap_3 extended permit ip 10.2.0.0 255.255.254.0 object LexPark
access-list Outside_cryptomap_4 extended permit ip 10.2.0.0 255.255.254.0 object LTFord
access-list Outside_cryptomap_5 extended permit ip 10.2.0.0 255.255.254.0 object LTUsed
access-list Outside_cryptomap_6 extended permit ip 10.2.0.0 255.255.254.0 object PFCJD
access-list Outside_cryptomap_7 extended permit ip 10.2.0.0 255.255.254.0 object PFFord
access-list Outside_cryptomap_8 extended permit ip 10.2.0.0 255.255.254.0 object PFUsed
access-list Outside_cryptomap_9 extended permit ip 10.2.0.0 255.255.254.0 object UpperMarl
access-list Outside_cryptomap_10 extended permit ip 10.2.0.0 255.255.254.0 object testsite
access-list Outside_cryptomap_11 extended permit ip 10.2.0.0 255.255.254.0 object UpperMarlboro
access-list Outside_cryptomap_12 extended permit ip 10.2.0.0 255.255.254.0 object ChevyHonda
access-list Outside_cryptomap_13 extended permit ip 10.2.0.0 255.255.254.0 object PartsWarehouse
pager lines 24
logging enable
logging asdm-buffer-size 300
logging asdm debugging
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu V0IP 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static CCWaldorf CCWaldorf no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static LexPark LexPark no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static LTFord LTFord no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static LTUsed LTUsed no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static PFCJD PFCJD no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static PFFord PFFord no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static PFUsed PFUsed no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static UpperMarl UpperMarl no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static UpperMarlboro UpperMarlboro no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static ChevyHonda ChevyHonda no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static CCglenburnie2 CCglenburnie2 no-proxy-arp route-lookup
nat (Inside,Outside) source static inside inside destination static ChevyHonda ChevyHonda no-proxy-arp route-lookup
nat (Inside,Outside) source static NETWORK_OBJ_10.2.0.0_23 NETWORK_OBJ_10.2.0.0_23 destination static PartsWarehouse PartsWarehouse no-proxy-arp route-lookup
nat (V0IP,Outside) source static VOIP VOIP unidirectional
nat (V0IP,V0IP) source dynamic any interface
!
object network inside
 nat (any,Outside) dynamic interface
object network REMOTEPC
 nat (Inside,Outside) static interface service tcp 3391 3391
object network REMOTEPC3390
 nat (any,Outside) static interface service tcp 3390 3390
access-group outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 ###.###.###.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Outside
http 0.0.0.0 0.0.0.0 Inside
http 0.0.0.0 0.0.0.0 V0IP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set pfs group1
crypto map Outside_map 1 set peer #.#.#.#
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 2 match address Outside_cryptomap_1
crypto map Outside_map 2 set peer #.#.#.#
crypto map Outside_map 2 set ikev1 transform-set ESP-DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
crypto map Outside_map 3 match address Outside_cryptomap_2
crypto map Outside_map 3 set peer #.#.#.#
crypto map Outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 4 match address Outside_cryptomap_3
crypto map Outside_map 4 set peer #.#.#.#
crypto map Outside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 5 match address Outside_cryptomap_4
crypto map Outside_map 5 set pfs group1
crypto map Outside_map 5 set peer #.#.#.#
crypto map Outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 6 match address Outside_cryptomap_5
crypto map Outside_map 6 set peer #.#.#.#
crypto map Outside_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 7 match address Outside_cryptomap_6
crypto map Outside_map 7 set peer #.#.#.#
crypto map Outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 8 match address Outside_cryptomap_7
crypto map Outside_map 8 set pfs group1
crypto map Outside_map 8 set peer #.#.#.#
crypto map Outside_map 8 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 9 match address Outside_cryptomap_8
crypto map Outside_map 9 set pfs group1
crypto map Outside_map 9 set peer #.#.#.#
crypto map Outside_map 9 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 10 match address Outside_cryptomap_9
crypto map Outside_map 10 set pfs group1
crypto map Outside_map 10 set peer #.#.#.#
crypto map Outside_map 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 11 match address Outside_cryptomap_10
crypto map Outside_map 11 set peer #.#.#.#
crypto map Outside_map 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 12 match address Outside_cryptomap_11
crypto map Outside_map 12 set pfs group1
crypto map Outside_map 12 set peer #.#.#.#
crypto map Outside_map 12 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 13 match address Outside_cryptomap_12
crypto map Outside_map 13 set peer #.#.#.#
crypto map Outside_map 13 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 14 match address Outside_cryptomap_13
crypto map Outside_map 14 set peer #.#.#.#
crypto map Outside_map 14 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map interface Outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 10.20.0.50-10.20.0.254 V0IP
dhcpd dns 8.8.8.8 interface V0IP
dhcpd enable V0IP
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
GROUP POLICY STUFF FOR VPNS DELETED
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f90c4c42875429001615390683d3ae07
: end
no asdm history enable
08-24-2015 02:26 PM
To me it looks as though your NAT is messed up for your VOIP interface.
nat (V0IP,Outside) source static VOIP VOIP unidirectional
nat (V0IP,V0IP) source dynamic any interface
In the first one you are NATing VOIP to itself, which cannot be routed on the Outside interface. If you are trying to add an identity NAT for VOIP over VPN then you need to add a destination to that NAT statement.
In the second statement you are hairpinning any (all) traffic entering the VOIP interface, NATing it to the VOIP interface IP and sending it back out the VOIP interface. I suggest revising your NAT statements and then testing.
--
Please remember to select a correct answer and rate helpful posts
08-24-2015 06:01 PM
Actually, I thought I had deleted those. Sorry.
The revising of the NAT statement is where I am struggling. What would be the proper syntax?
08-24-2015 09:36 PM
You can try the following:
nat (VOIP,Outside) source dynamic any interface
or
object network VOIP
 subnet 10.20.0.0 255.255.254.0
 nat (VOIP,Outside) dynamic interface
The difference is that the latter will apply in section 2 of the NAT rules, and the former will apply in section 1. This will affect the order of operation of the VOIP NAT. So if you have more than one matching NAT rule, section 1 will apply first.
08-25-2015 06:47 AM
The dynamic NAT should never be placed in the manual NAT section (section 1) unless you have a very good reason to do so. Most often dynamic NAT is placed in the after-auto section (section 3) so that it is matched last, though I have also seen dynamic NAT placed in the object NAT, a.k.a. auto NAT (section 2).
Andre has provided you with examples of manual NAT and object NAT, so here is an example of after-auto NAT:
nat (VOIP,Outside) after-auto source dynamic any interface
Also as Andre has mentioned, where you place your NAT statements will affect how they are matched and in which order.
--
Please remember to select a correct answer and rate helpful posts
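The three NAT sections that Andre and Marius describe above, modelled as an added Python example (not Cisco code and not part of this thread). It is a deliberately simplified lookup: sections 1 and 3 are walked in configuration order, section 2 tries static rules before dynamic ones and longer prefixes first, and the first rule whose ingress interface and real source match wins. The rule sets `ORIGINAL` and `FIXED` are constructed from the commands in the thread; the `"<Outside interface IP>"` placeholder and the rule names are assumptions.

```python
"""Simplified model of Cisco ASA NAT lookup order (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass

INTERFACE_PAT = "interface"   # "translate to the egress interface address"


@dataclass
class NatRule:
    section: int      # 1 = manual NAT, 2 = object (auto) NAT, 3 = after-auto
    ingress: str      # real interface, or "any"
    egress: str       # mapped interface
    real_src: str     # real source prefix; "0.0.0.0/0" stands for "any"
    mapped_src: str   # INTERFACE_PAT, or a prefix for identity/static NAT
    static: bool
    name: str         # label used only by this example


def _matches(rule, ingress, src):
    return (rule.ingress in (ingress, "any")
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.real_src))


def _section_order(rules, section):
    sec = [r for r in rules if r.section == section]
    if section == 2:
        # Object NAT: static before dynamic, then more specific prefixes first.
        sec.sort(key=lambda r: (not r.static,
                                -ipaddress.ip_network(r.real_src).prefixlen))
    return sec  # sections 1 and 3 keep configuration order


def pick_nat_rule(rules, ingress, src):
    """First rule matching a packet from `src` entering `ingress`, or None."""
    for section in (1, 2, 3):
        for rule in _section_order(rules, section):
            if _matches(rule, ingress, src):
                return rule
    return None


def translated_source(rules, ingress, src):
    """Source address seen on the wire after NAT, or None when no rule matches."""
    rule = pick_nat_rule(rules, ingress, src)
    if rule is None:
        return None
    return "<Outside interface IP>" if rule.mapped_src == INTERFACE_PAT else src


# Constructed from the thread: the original section-1 identity rule keeps the
# private VOIP address on the Outside wire, so nothing comes back.
ORIGINAL = [
    NatRule(1, "VOIP", "Outside", "10.20.0.0/23", "10.20.0.0/23", True, "identity-to-itself"),
    NatRule(1, "VOIP", "VOIP", "0.0.0.0/0", INTERFACE_PAT, False, "hairpin"),
]
# Corrected: the existing object NAT for Inside stays in section 2 and the
# VOIP PAT goes last, in the after-auto section.
FIXED = [
    NatRule(2, "any", "Outside", "10.2.0.0/23", INTERFACE_PAT, False, "object inside"),
    NatRule(3, "VOIP", "Outside", "0.0.0.0/0", INTERFACE_PAT, False, "after-auto VOIP PAT"),
]
```

Running `translated_source(ORIGINAL, "VOIP", "10.20.0.10")` returns the untranslated private address, while the same call against `FIXED` returns the interface PAT placeholder.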
08-25-2015 07:33 AM
Bam! Just like that problem solved.
Thanks Marius and Andre for the awesome assistance.