ASA does not have access to the Internet

julienr
Level 1

Hello,

There are 2 internet links:

- SDSL: site-to-site VPN connection

- Fiber: Internet connection for all other stuff

The SDSL connection is used for the site-to-site VPN and the fiber link for any other stuff.

The problem is that the site-to-site connection is working fine but not the connection to the Internet. The packets seem to work outside (I can ping outside) but not inside. (The Internet cannot access the ASA.)

Here is the configuration:

ASA Version 8.2(1) 
!
hostname ciscoasa
enable password  encrypted
passwd  encrypted
names
name AAA.AAA.AAA.AAA ABP-NAGIOS description ABP-NAGIOS
name BBB.BBB.BBB.BBB ouside2
name 192.168.3.1 SDSL
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif Outside-SDSL
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.252 
!
interface Vlan12
 nameif Outside-Fibre
 security-level 0
 ip address YYY.YYY.YYY.YYY 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group service 12486 tcp
 port-object eq 12486
object-group service nagios tcp
 port-object eq 12486
object-group service NagiosABP tcp
 group-object nagios
 port-object eq 1249
access-list outside_access_in extended permit ip host VVV.VVV.VVV.VVV any 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit ip 195.1.1.0 255.255.255.0 any 
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 195.1.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 195.1.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.0 
access-list Outside-ADSL_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any 
access-list Sojam_splitunel extended permit ip 192.168.1.0 255.255.255.0 any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside-SDSL 1500
mtu Outside-Fibre 1500
ip local pool dealer 10.1.1.1-10.1.1.254 mask 255.255.255.0
ip verify reverse-path interface Outside-SDSL
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside-SDSL
no asdm history enable
arp timeout 14400
global (Outside-SDSL) 2 interface
global (Outside-Fibre) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface Outside-SDSL
access-group Outside-ADSL_access_in in interface Outside-Fibre
route Outside-Fibre 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYG 1
route Outside-SDSL VVV.VVV.VVV.VVV 255.255.255.255 XXX.XXX.XXX.XXG 1
route Outside-SDSL 195.1.1.0 255.255.255.255 XXX.XXX.XXX.XXG 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http AAA.AAA.AAA.AAB 255.255.255.255 Outside-SDSL
http 0.0.0.0 0.0.0.0 Outside-SDSL
snmp-server host Outside-SDSL ABP-NAGIOS community rqdnet version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer VVV.VVV.VVV.VVV 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface Outside-SDSL
crypto map Outside-ADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-ADSL_map interface Outside-Fibre
crypto isakmp enable Outside-SDSL
crypto isakmp enable Outside-Fibre
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config inside
!
dhcpd address 192.168.1.5-192.168.1.50 inside
dhcpd dns 192.168.1.2 195.1.1.10 interface inside
dhcpd option 6 ip 62.100.129.11 62.100.129.71 interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable Outside-SDSL
 enable Outside-Fibre
group-policy CGI-SFR internal
group-policy CGI-SFR attributes
 dns-server value 192.168.1.2 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Sojam_splitunel
 default-domain value CGI
group-policy superteam internal
group-policy superteam attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
username sshacto password xIm4wgbJj/D0Jqo. encrypted privilege 15

tunnel-group VVV.VVV.VVV.VVV type ipsec-l2l
tunnel-group VVV.VVV.VVV.VVV ipsec-attributes
 pre-shared-key *
tunnel-group superteam type remote-access
tunnel-group superteam general-attributes
 address-pool dealer
 default-group-policy superteam
tunnel-group superteam ipsec-attributes
 pre-shared-key *
tunnel-group CGI-SFR type remote-access
tunnel-group CGI-SFR general-attributes
 address-pool dealer
 default-group-policy CGI-SFR
tunnel-group CGI-SFR ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:74bcca3b0aaba509bf76bf4db2ccadce
: end

Thank you for your help.

Regards.
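Before chasing routing, a config like the one posted above is worth a mechanical review. The following Python script is an added example (not from the thread) that scans an ASA 8.2-style config excerpt constructed from the lines posted above and flags reviewer-level points visible in them: management access (http) opened to any source on an outside interface, an outside interface with no reverse-path verification, a global pool id with no matching nat statement, and a host-mask route to a network address. SAMPLE_CONFIG and the check heuristics are constructed for this example; the poster's configuration is left as it is.

```python
import re
# Constructed excerpt mirroring the posted config (addresses masked as on the page).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif Outside-SDSL
 security-level 0
interface Vlan12
 nameif Outside-Fibre
 security-level 0
ip verify reverse-path interface Outside-SDSL
global (Outside-SDSL) 2 interface
global (Outside-Fibre) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route Outside-SDSL 195.1.1.0 255.255.255.255 XXX.XXX.XXX.XXG 1
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 Outside-SDSL
"""

def audit_asa_config(text):
    """Return a list of findings (strings); regex heuristics for pre-8.3 ASA syntax, not a full parser."""
    findings = []
    sec_level, cur = {}, None       # nameif -> security-level, current nameif
    for line in text.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            cur = m.group(1)
        elif m := re.match(r" security-level (\d+)", line):
            sec_level[cur] = int(m.group(1))
    outside = {n for n, s in sec_level.items() if s == 0}
    # 1. Management plane (http/ssh) reachable from any source on an outside interface.
    for m in re.finditer(r"^(http|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", text, re.M):
        if m.group(2) in outside:
            findings.append(f"{m.group(1)} open to any source on {m.group(2)}")
    # 2. Outside interfaces without unicast RPF (anti-spoofing) enabled.
    rpf = set(re.findall(r"^ip verify reverse-path interface (\S+)$", text, re.M))
    findings += [f"no reverse-path check on {i}" for i in sorted(outside - rpf)]
    # 3. Every global pool id needs a matching nat id, or that egress gets no PAT.
    nat_ids = set(re.findall(r"^nat \(\S+\) (\d+) ", text, re.M))
    for iface, gid in re.findall(r"^global \((\S+)\) (\d+) ", text, re.M):
        if gid not in nat_ids:
            findings.append(f"global id {gid} on {iface} has no nat statement")
    # 4. Host-mask (/32) route whose destination looks like a network address.
    for net in re.findall(r"^route \S+ (\S+) 255\.255\.255\.255 ", text, re.M):
        if net.endswith(".0"):
            findings.append(f"/32 route to network address {net}")
    return findings
```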


Florin Barhala
Level 6
What is the source IP address of the workstation you ping from?

Can you share "route print -4" along with "tracert -d IP_destination" from where you ping?