ASA 8.3 1:1 NAT issues

wolff156
Level 1

I'm having an issue with static one-to-one NAT. Anything I create a static NAT for, that server loses connectivity. If I remove the one-to-one NAT and only try to open ports to those servers, with the access lists in place the ports do not translate. I've been working on this issue for a few days; the ASA was running 8.2, but I upgraded to 8.3 to try to resolve this. Everything was working fine up until the ISP was shut off; once it was reactivated, the NAT doesn't seem to want to work. Please let me know what else I need to contribute to this post to help in resolving this issue. This is my first post on here.


Julio Carvajal
VIP Alumni

Hello Wolff,

Please post the object configuration for the NAT and the ACLs, the ACL config and the NAT statement.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

access-list 101 extended permit tcp any host 192.168.x.c eq smtp
access-list 101 extended permit tcp any host 192.168.x.c eq 587
access-list 101 extended permit tcp any host 192.168.x.c eq imap4
access-list 101 extended permit tcp any host 192.168.x.c eq pop3
access-list 101 extended permit tcp any host 192.168.x.c eq www
access-list 101 extended permit tcp any host 192.168.x.c eq https
access-list 101 extended permit tcp any host 192.168.x.d eq www
access-list 101 extended permit tcp any host 192.168.x.d eq https
access-list 101 extended permit tcp any host 192.168.x.a eq ftp
access-list 101 extended permit tcp any host 192.168.x.a range 2048 3000
access-list 101 extended permit tcp any host 192.168.x.b eq sip
access-list 101 extended permit udp any host 192.168.x.b eq sip
access-list 101 extended permit udp any host 192.168.x.b range 9000 9049

access-group 101 in interface outside


object network obj-192.168.x.a
host 192.168.x.a
object network obj-192.168.x.b
host 192.168.x.b
object network obj-192.168.x.c
host 192.168.x.c
object network obj-192.168.x.d
host 192.168.x.d
object network obj_any
subnet 0.0.0.0 0.0.0.0

object network obj-192.168.x.a
nat (inside,outside) static externalip1
object network obj-192.168.x.b
nat (inside,outside) static externalip2
object network obj-192.168.x.c
nat (inside,outside) static externalip3
object network obj-192.168.x.d
nat (inside,outside) static externalip4
object network obj_any
nat (inside,outside) dynamic interface

The dynamic NAT seems to work fine, but I just spoke to a user on site, and it looks like the ASA just seems to stop NAT completely for a few minutes, then starts working again. But anything with the one-to-one NAT doesn't have internet access at all.
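As an added example (not part of the thread and not Cisco's code), here is a small Python audit of the object NAT and outside ACL posted above. It embeds a trimmed copy of that configuration as constructed sample input, keeping the poster's placeholders (externalip1 and so on) as-is, and a second constructed config that shows the two ways such an ACL silently fails on 8.3: from 8.3 on, an ACL applied to the outside interface must name the real (inside) address, so an entry written pre-8.3 style against the mapped public address never matches, and a permit for a host that has no static NAT at all lets nothing in either. The dynamic PAT object is left out of the sample only for brevity; the parser skips non-static rules anyway.

```python
"""Audit ASA 8.3+ object NAT against the outside ACL.

Added example; not from the thread or from Cisco. It parses config text in the
shape the poster shared (a trimmed copy is embedded below as constructed sample
input, placeholders such as externalip1 kept as-is), lists what each static 1:1
NAT exposes inbound, and flags ACL entries that cannot work: from 8.3 on, an ACL
applied to 'outside' must name the real (inside) address, not the mapped one."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) host (?P<dst>\S+)(?: (?P<port>eq \S+|range \d+ \d+))?$")
Ace = NamedTuple("Ace", [("acl", str), ("action", str), ("proto", str), ("dst", str), ("port", str)])

CONFIG = """\
access-list 101 extended permit tcp any host 192.168.x.c eq smtp
access-list 101 extended permit tcp any host 192.168.x.c eq https
access-list 101 extended permit tcp any host 192.168.x.d eq www
access-list 101 extended permit tcp any host 192.168.x.a eq ftp
access-list 101 extended permit tcp any host 192.168.x.a range 2048 3000
access-group 101 in interface outside
object network obj-192.168.x.a
 host 192.168.x.a
object network obj-192.168.x.c
 host 192.168.x.c
object network obj-192.168.x.d
 host 192.168.x.d
object network obj-192.168.x.a
 nat (inside,outside) static externalip1
object network obj-192.168.x.c
 nat (inside,outside) static externalip3
object network obj-192.168.x.d
 nat (inside,outside) static externalip4
"""
# Constructed counter-example: the pre-8.3 habit of naming the public address in
# the ACL, plus a permit for a host (192.168.x.e, hypothetical) with no static NAT.
PRE83_CONFIG = """\
access-list 101 extended permit tcp any host externalip4 eq www
access-list 101 extended permit tcp any host 192.168.x.e eq www
access-group 101 in interface outside
object network obj-192.168.x.d
 host 192.168.x.d
 nat (inside,outside) static externalip4
"""


def parse_asa(config: str) -> dict:
    """Collect object real addresses, per-object NAT rules, ACEs and access-group bindings."""
    objects: Dict[str, str] = {}     # object name -> real address
    nat: Dict[str, tuple] = {}       # real address -> (static|dynamic, mapped)
    aces: List[Ace] = []
    groups: Dict[str, str] = {}      # ACL name -> interface it is applied to
    cur = None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            cur = t[2]
            objects.setdefault(cur, "")
        elif t[0] in ("host", "subnet") and cur:
            objects[cur] = " ".join(t[1:])
        elif t[0] == "nat" and cur:          # nat (inside,outside) static MAPPED | dynamic interface
            nat[objects[cur]] = (t[2], t[3])
        elif t[0] == "access-list":
            m = ACE_RE.match(raw.strip())
            if m:
                aces.append(Ace(m["acl"], m["action"], m["proto"], m["dst"], m["port"] or "any"))
        elif t[0] == "access-group":         # access-group NAME in interface IFACE
            groups[t[1]] = t[4]
    return {"objects": objects, "nat": nat, "aces": aces, "groups": groups}


def audit(config: str) -> dict:
    """Report inbound exposure per real host and ACL entries that can never match."""
    c = parse_asa(config)
    statics = {real: mapped for real, (kind, mapped) in c["nat"].items() if kind == "static"}
    mapped_to_real = {mapped: real for real, mapped in statics.items()}
    exposed: Dict[str, List[str]] = defaultdict(list)
    findings: List[str] = []
    for ace in c["aces"]:
        if ace.action != "permit" or c["groups"].get(ace.acl) != "outside":
            continue
        if ace.dst in statics:
            exposed[ace.dst].append(f"{ace.proto} {ace.port}")
        elif ace.dst in mapped_to_real:
            findings.append(f"{ace.acl}: '{ace.dst}' is a mapped address; on 8.3+ the ACL must use "
                            f"the real host {mapped_to_real[ace.dst]} or the entry never matches")
        else:
            findings.append(f"{ace.acl}: '{ace.dst}' has no static NAT, so outside traffic cannot reach it")
    return {"static_nat": statics, "exposed": dict(exposed),
            "nat_without_inbound_rule": [r for r in statics if r not in exposed],
            "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("thread config", CONFIG), ("pre-8.3 style", PRE83_CONFIG)):
        print(name, audit(cfg))
```

Run against the thread's configuration the audit returns no findings, which is the same conclusion Julio reaches below by inspection; the second sample produces one finding per broken entry and lists 192.168.x.d as a host with a static NAT but no inbound rule.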

Hello Wolff,

The configuration is fine. Do you have any logs from when the issue happens?

We can do captures for the static one-to-one NAT:

access-list capin permit tcp host 192.168.x.d any eq 80

access-list capin permit tcp any eq 80  host 192.168.x.d

access-list capout permit tcp host externalip4 any eq 80

access-list capout permit tcp any eq 80 host externalip4

capture capin access-list capin interface inside

capture capout access-list capout interface outside

Then try to generate some traffic from host 192.168.x.d to a web site and provide:

sh capture capin

sh capture capout

Regards,

Julio

sh capture capin

14 packets captured

   1: 14:29:05.969783 192.168.x.d.1070 > 74.125.227.49.80: S 3184866054:3184866054(0) win 65535
   2: 14:29:09.029264 192.168.x.d.1070 > 74.125.227.49.80: S 3184866054:3184866054(0) win 65535
   3: 14:29:15.046262 192.168.x.d.1070 > 74.125.227.49.80: S 3184866054:3184866054(0) win 65535
   4: 14:29:27.081233 192.168.x.d.1071 > 74.125.227.50.80: S 3788740114:3788740114(0) win 65535
   5: 14:29:30.143455 192.168.x.d.1071 > 74.125.227.50.80: S 3788740114:3788740114(0) win 65535
   6: 14:29:36.160468 192.168.x.d.1071 > 74.125.227.50.80: S 3788740114:3788740114(0) win 65535
   7: 14:29:48.195058 192.168.x.d.1072 > 74.125.227.51.80: S 1482165371:1482165371(0) win 65535
   8: 14:29:51.257661 192.168.x.d.1072 > 74.125.227.51.80: S 1482165371:1482165371(0) win 65535
   9: 14:29:57.274659 192.168.x.d.1072 > 74.125.227.51.80: S 1482165371:1482165371(0) win 65535
  10: 14:30:09.309111 192.168.x.d.1073 > 74.125.227.52.80: S 2907081959:2907081959(0) win 65535
  11: 14:30:12.371852 192.168.x.d.1073 > 74.125.227.52.80: S 2907081959:2907081959(0) win 65535
  12: 14:30:18.388850 192.168.x.d.1073 > 74.125.227.52.80: S 2907081959:2907081959(0) win 65535
  13: 14:30:30.423226 192.168.x.d.1074 > 74.125.227.48.80: S 1928456592:1928456592(0) win 65535
  14: 14:30:33.376658 192.168.x.d.1074 > 74.125.227.48.80: S 1928456592:1928456592(0) win 65535
14 packets shown

sh capture capout

14 packets captured

   1: 14:29:05.969935 externalip4.1070 > 74.125.227.49.80: S 624358576:624358576(0) win 65535
   2: 14:29:09.029310 externalip4.1070 > 74.125.227.49.80: S 624358576:624358576(0) win 65535
   3: 14:29:15.046292 externalip4.1070 > 74.125.227.49.80: S 624358576:624358576(0) win 65535
   4: 14:29:27.081370 externalip4.1071 > 74.125.227.50.80: S 1149315094:1149315094(0) win 65535
   5: 14:29:30.143501 externalip4.1071 > 74.125.227.50.80: S 1149315094:1149315094(0) win 65535
   6: 14:29:36.160498 externalip4.1071 > 74.125.227.50.80: S 1149315094:1149315094(0) win 65535
   7: 14:29:48.195195 externalip4.1072 > 74.125.227.51.80: S 2502567266:2502567266(0) win 65535
   8: 14:29:51.257692 externalip4.1072 > 74.125.227.51.80: S 2502567266:2502567266(0) win 65535
   9: 14:29:57.274689 externalip4.1072 > 74.125.227.51.80: S 2502567266:2502567266(0) win 65535
  10: 14:30:09.309264 externalip4.1073 > 74.125.227.52.80: S 451242494:451242494(0) win 65535
  11: 14:30:12.371883 externalip4.1073 > 74.125.227.52.80: S 451242494:451242494(0) win 65535
  12: 14:30:18.388880 externalip4.1073 > 74.125.227.52.80: S 451242494:451242494(0) win 65535
  13: 14:30:30.423378 externalip4.1074 > 74.125.227.48.80: S 3330073209:3330073209(0) win 65535
  14: 14:30:33.376689 externalip4.1074 > 74.125.227.48.80: S 3330073209:3330073209(0) win 65535
14 packets shown

That is trying to browse to Google.
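The two captures above are the whole diagnosis: every SYN that enters on the inside leaves on the outside with its source rewritten to externalip4 and the client port preserved, and not a single packet comes back on either side. As an added example (not part of the thread), the Python below parses "show capture" output in that format, pairs each inside flow with its outside counterpart by (client port, server, server port), and says which of three places the flow died: inside the ASA before the outside interface, upstream of the ASA, or inside the ASA on the return path. The first sample is trimmed from the captures posted above (the public address stays redacted as "externalip4", so addresses are treated as opaque strings); the second is a constructed variant in which a SYN-ACK does arrive on the outside but never appears inside.

```python
"""Correlate ASA 'show capture' output from the inside and outside interfaces
to locate where an outbound TCP flow dies.

Added example, not part of the thread. Sample records are trimmed from the
captures posted above; the public address stays redacted as "externalip4"
exactly as the poster wrote it, so addresses are treated as opaque strings."""
import re
from typing import Dict, List, NamedTuple

# One ASA capture record, e.g.
#   1: 14:29:05.969783 192.168.x.d.1070 > 74.125.227.49.80: S 3184866054:3184866054(0) win 65535
PKT_RE = re.compile(r"^\s*\d+:\s+\d\d:\d\d:\d\d\.\d+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
                    r"\s+(?P<flags>[SFRP.]+)(?P<rest>.*)$")

# Constructed sample: three records from each capture in the post above.
CAPIN = """\
   1: 14:29:05.969783 192.168.x.d.1070 > 74.125.227.49.80: S 3184866054:3184866054(0) win 65535
   2: 14:29:09.029264 192.168.x.d.1070 > 74.125.227.49.80: S 3184866054:3184866054(0) win 65535
   4: 14:29:27.081233 192.168.x.d.1071 > 74.125.227.50.80: S 3788740114:3788740114(0) win 65535
"""
CAPOUT = """\
   1: 14:29:05.969935 externalip4.1070 > 74.125.227.49.80: S 624358576:624358576(0) win 65535
   2: 14:29:09.029310 externalip4.1070 > 74.125.227.49.80: S 624358576:624358576(0) win 65535
   4: 14:29:27.081370 externalip4.1071 > 74.125.227.50.80: S 1149315094:1149315094(0) win 65535
"""
# Hypothetical variant (constructed): a SYN-ACK does come back on the outside but
# never appears inside, i.e. the ASA itself would be dropping the return path.
CAPIN_ONE = CAPIN.splitlines()[0] + "\n"
CAPOUT_RETURN = (CAPOUT.splitlines()[0] + "\n" +
                 "   2: 14:29:05.990000 74.125.227.49.80 > externalip4.1070: S 7:7(0) ack 624358577 win 65535\n")

Packet = NamedTuple("Packet", [("src", str), ("sport", int), ("dst", str),
                               ("dport", int), ("syn", bool), ("ack", bool)])


def _endpoint(tok: str):
    host, port = tok.rsplit(".", 1)          # the last dotted field is the port
    return host, int(port)


def parse_capture(text: str) -> List[Packet]:
    """Parse 'show capture <name>' output; header and footer lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            src, sport = _endpoint(m["src"])
            dst, dport = _endpoint(m["dst"])
            pkts.append(Packet(src, sport, dst, dport, "S" in m["flags"], " ack " in m["rest"]))
    return pkts


def flows(pkts: List[Packet]) -> Dict[tuple, dict]:
    """Group by client 4-tuple: a bare SYN opens a flow, anything addressed back
    to that 4-tuple counts as a reply."""
    out: Dict[tuple, dict] = {}
    for p in pkts:
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if p.syn and not p.ack:
            out.setdefault(fwd, {"syns": 0, "replies": 0})["syns"] += 1
        elif rev in out:
            out[rev]["replies"] += 1
    return out


def correlate(capin: str, capout: str) -> dict:
    """Match inside flows to outside flows by (client port, server, server port),
    which a static 1:1 NAT preserves, then say where the flow breaks."""
    fin, fout = flows(parse_capture(capin)), flows(parse_capture(capout))
    outside_by_port = {k[1:]: k for k in fout}
    translations, untranslated = {}, []
    for k in fin:
        m = outside_by_port.get(k[1:])
        if m:
            translations[k[0]] = m[0]        # real inside host -> mapped outside host
        else:
            untranslated.append(k)
    out_replies = sum(f["replies"] for f in fout.values())
    in_replies = sum(f["replies"] for f in fin.values())
    if untranslated:
        verdict = "asa_outbound: SYN seen inside but not outside; check NAT/ACL with packet-tracer"
    elif fout and out_replies == 0:
        verdict = "upstream: SYNs leave on outside and nothing returns; check ISP routing/ARP for the mapped address"
    elif out_replies and in_replies == 0:
        verdict = "asa_return: SYN-ACK reaches outside but is not forwarded inside; check xlate/ACL"
    else:
        verdict = "ok"
    return {"inside_flows": len(fin), "outside_flows": len(fout), "translations": translations,
            "syn_retransmits": sum(f["syns"] - 1 for f in fin.values()),
            "outside_replies": out_replies, "inside_replies": in_replies, "verdict": verdict}


if __name__ == "__main__":
    print(correlate(CAPIN, CAPOUT)["verdict"])
    print(correlate(CAPIN_ONE, CAPOUT_RETURN)["verdict"])
```

For the thread's captures the verdict is the "upstream" one, which is what Julio concludes next and what the thread's resolution (a stale ARP entry at the ISP for the mapped address) confirms; the outside capture filter must name the mapped address, as in the corrected capout ACL above, or the outside side will simply be empty and the tool will wrongly blame the ASA.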

Hello Wolff,

The problem is on the ISP side: the packets are traversing the ASA, and the ASA is sending them to the outside, but then nothing happens. The public IP address you are using may be blocked on the outside, or your ISP is not routing properly.

So there is one thing you could do to confirm this.

1. Bypass the ASA: use a PC directly connected to the internet with the IP address externalip4.

Regards,

Julio


When we do that, everything works fine on the PC. That's what is so confusing about this. I originally thought it was the ISP as well.

Hello Wolff,

Just to let you know, this is not an ASA problem; I mean the ASA is not receiving any messages from the ISP.

Can you confirm with the ISP that everything is well on their side?

Explain to them what is going on here.

Edit: Please confirm that on the ISP side they have ARP entries (the MAC address of the ASA) for each public IP address you have set up on your ASA.

Regards,

Julio


Turns out this was an ISP issue. After several attempts to get them to realize this, they cleared their ARP cache and everything started working again. I appreciate your help in resolving this.
