08-27-2015 07:48 AM - edited 03-11-2019 11:30 PM
Hello,
We had an issue today at one of the unmanned locations. When the local tech went on site he was not able to reach anything on the internet. I started troubleshooting and noticed no entries in the xlate table. The NAT statements were all correct so this was rather puzzling.
I proceeded to stare and compare this site with a working one. I noticed that some inspection, service-policy and global-policy statements were missing. I knew that inspection shouldn't be a culprit of this but I went ahead and pasted in everything that was missing:
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
After the config was applied, entries in the xlate table started to generate and everything was good.
Now I did some research on the internet but couldn't find an answer to my question. Can somebody help me understand which line exactly fixed this issue (I know it wasn't the inspection that I applied)? Does this have to do with missing service-policy that points to global_policy statement?
08-27-2015 08:54 AM
Without knowing what commands you had previously and what was exactly added after, we cannot say which command fixed the issue.
You can apply the commands one per line to see what command fixed your issue if you want to do that, but this will require you to remove the syntax first, which can cause service interruption.
I suggest reading the ASA NAT Implementation Guide to get an understanding of ASA NAT, which I think will be more helpful.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_overview.html
08-27-2015 09:16 AM
Well, we know exactly what I added... It's in the body of my original post...
Obviously I can't remove those commands now and add them line by line because that would break internet for the site...
I already read through the link you mentioned. There is nothing there in regards to the commands I applied to fix this issue.
08-27-2015 09:51 AM
Provide the following information:
>> ASA version.
>> Mode: routed/transparent?
>> single/multiple context?
>> failover/ standalone?
Thanks
R.seth
08-27-2015 12:53 PM
ASA version: 8.2(5)55
Mode: Routed
Context: Single
Standalone
Thank you for the reply.