ASA5505 Config Question

nshoe18
Level 1

I have a remote site at a customer I am working with, and they have a 5505 at the head-end. We have put an L3 switch behind the ASA with 4 networks on it; the switch is handing out DHCP and all of that is working fine. The networks can ping each other, etc. The issue comes when we try to take one of the new networks to the Internet: we hit the ASA, but the traffic does not get routed out to the outside interface. VLAN 1 traffic, which is the network the ASA sits on, can access the Internet with no issue.

Here is ASA config:

ASA Version 8.0(5) 
!
hostname Solon-ASA
domain-name schwebels.com
enable password i5aKZHZh.g2TF6I8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.17.1.0 Youngstown
name 24.182.156.188 PhoneSys2
name 172.19.51.0 syvox
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.18.3.252 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address PhoneSys2 255.255.255.248 
!
interface Ethernet0/0
              
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 2
!
banner exec  ****************************
banner exec  Authorized Access Only!
banner exec  ****************************
banner login  ****************************
banner login  Authorized Access Only!
banner login  ****************************
boot system disk0:/asa805-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
              
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name schwebels.com
object-group network Solon_Local
 network-object 172.17.3.0 255.255.255.0
object-group network Youngstown
 network-object Youngstown 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list TECCOMVPN_splitTunnelAcl standard permit 172.16.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.16.3.0 255.255.255.0 172.16.254.80 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 172.16.3.0 255.255.255.0 Youngstown 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.16.3.0 255.255.255.0 syvox 255.255.255.0 
access-list outside_1_cryptomap extended permit ip 172.16.3.0 255.255.255.0 Youngstown 255.255.255.0 
access-list outside_access_in remark allow ping
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit object-group TCPUDP any host PhoneSys2 eq sip 
access-list outside_access_in extended permit tcp any host PhoneSys2 eq 5080 
access-list outside_access_in extended permit tcp any host PhoneSys2 eq 5090 
access-list outside_access_in extended permit tcp any host PhoneSys2 eq 5003 
access-list outside_access_in extended permit object-group TCPUDP any host PhoneSys2 range 6000 6001 
access-list outside_access_in extended permit tcp any host PhoneSys2 eq 6100 
access-list outside_access_in extended permit object-group TCPUDP any host PhoneSys2 range 9000 9001 
access-list outside_access_in extended permit object-group TCPUDP any host PhoneSys2 eq 8000 
access-list outside_access_in extended permit udp any host PhoneSys2 range 30000 30008 
access-list outside_access_in extended permit object-group TCPUDP any host PhoneSys2 eq 443 inactive 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 172.16.254.80-172.16.254.95 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.3.0 255.255.255.0
static (inside,outside) tcp interface sip 172.16.3.250 sip netmask 255.255.255.255 
static (inside,outside) udp interface sip 172.16.3.250 sip netmask 255.255.255.255 
static (inside,outside) tcp interface 5080 172.16.3.250 5080 netmask 255.255.255.255 
static (inside,outside) tcp interface 5090 172.16.3.250 5090 netmask 255.255.255.255 
static (inside,outside) tcp interface 5003 172.16.3.250 5003 netmask 255.255.255.255 
static (inside,outside) tcp interface 6000 172.16.3.250 6000 netmask 255.255.255.255 
static (inside,outside) udp interface 6000 172.16.3.250 6000 netmask 255.255.255.255 
static (inside,outside) tcp interface 6001 172.16.3.250 6001 netmask 255.255.255.255 
static (inside,outside) udp interface 6001 172.16.3.250 6001 netmask 255.255.255.255 
static (inside,outside) tcp interface 6100 172.16.3.250 6100 netmask 255.255.255.255 
static (inside,outside) tcp interface 9000 172.16.3.250 9000 netmask 255.255.255.255 
static (inside,outside) udp interface 9000 172.16.3.250 9000 netmask 255.255.255.255 
static (inside,outside) tcp interface 8000 172.16.3.250 8000 netmask 255.255.255.255 
static (inside,outside) udp interface 8000 172.16.3.250 8000 netmask 255.255.255.255 
static (inside,outside) udp interface 3000 172.16.3.250 3000 netmask 255.255.255.255 
static (inside,outside) udp interface 30000 172.16.3.250 30000 netmask 255.255.255.255 
static (inside,outside) udp interface 30001 172.16.3.250 30001 netmask 255.255.255.255 
static (inside,outside) udp interface 30002 172.16.3.250 30002 netmask 255.255.255.255 
static (inside,outside) udp interface 30003 172.16.3.250 30003 netmask 255.255.255.255 
static (inside,outside) udp interface 30004 172.16.3.250 30004 netmask 255.255.255.255 
static (inside,outside) udp interface 30005 172.16.3.250 30005 netmask 255.255.255.255 
static (inside,outside) udp interface 30006 172.16.3.250 30006 netmask 255.255.255.255 
static (inside,outside) udp interface 30007 172.16.3.250 30007 netmask 255.255.255.255 
static (inside,outside) udp interface 30008 172.16.3.250 30008 netmask 255.255.255.255 
static (inside,outside) udp interface 30009 172.16.3.250 30009 netmask 255.255.255.255 
static (inside,outside) udp interface 30010 172.16.3.250 30010 netmask 255.255.255.255 
static (inside,outside) udp interface 30011 172.16.3.250 30011 netmask 255.255.255.255 
static (inside,outside) udp interface 30012 172.16.3.250 30012 netmask 255.255.255.255 
static (inside,outside) udp interface 30013 172.16.3.250 30013 netmask 255.255.255.255 
static (inside,outside) udp interface 30014 172.16.3.250 30014 netmask 255.255.255.255 
static (inside,outside) udp interface 30015 172.16.3.250 30015 netmask 255.255.255.255 
static (inside,outside) udp interface 40000 172.16.3.250 40000 netmask 255.255.255.255 
static (inside,outside) udp interface 40001 172.16.3.250 40001 netmask 255.255.255.255 
static (inside,outside) udp interface 40002 172.16.3.250 40002 netmask 255.255.255.255 
static (inside,outside) udp interface 40003 172.16.3.250 40003 netmask 255.255.255.255 
static (inside,outside) udp interface 40004 172.16.3.250 40004 netmask 255.255.255.255 
static (inside,outside) udp interface 40005 172.16.3.250 40005 netmask 255.255.255.255 
static (inside,outside) udp interface 40006 172.16.3.250 40006 netmask 255.255.255.255 
static (inside,outside) udp interface 40007 172.16.3.250 40007 netmask 255.255.255.255 
static (inside,outside) udp interface 40008 172.16.3.250 40008 netmask 255.255.255.255 
static (inside,outside) udp interface 40009 172.16.3.250 40009 netmask 255.255.255.255 
static (inside,outside) udp interface 40010 172.16.3.250 40010 netmask 255.255.255.255 
static (inside,outside) udp interface 40011 172.16.3.250 40011 netmask 255.255.255.255 
static (inside,outside) udp interface 40012 172.16.3.250 40012 netmask 255.255.255.255 
static (inside,outside) udp interface 40013 172.16.3.250 40013 netmask 255.255.255.255 
static (inside,outside) udp interface 40014 172.16.3.250 40014 netmask 255.255.255.255 
static (inside,outside) udp interface 40015 172.16.3.250 40015 netmask 255.255.255.255 
static (inside,outside) udp interface 40016 172.16.3.250 40016 netmask 255.255.255.255 
static (inside,outside) udp interface 40017 172.16.3.250 40017 netmask 255.255.255.255 
static (inside,outside) udp interface 40018 172.16.3.250 40018 netmask 255.255.255.255 
static (inside,outside) udp interface 40019 172.16.3.250 40019 netmask 255.255.255.255 
static (inside,outside) udp interface 40020 172.16.3.250 40020 netmask 255.255.255.255 
static (inside,outside) udp interface 40021 172.16.3.250 40021 netmask 255.255.255.255 
static (inside,outside) udp interface 40022 172.16.3.250 40022 netmask 255.255.255.255 
static (inside,outside) udp interface 40023 172.16.3.250 40023 netmask 255.255.255.255 
static (inside,outside) udp interface 40024 172.16.3.250 40024 netmask 255.255.255.255 
static (inside,outside) udp interface 40025 172.16.3.250 40025 netmask 255.255.255.255 
static (inside,outside) udp interface 40026 172.16.3.250 40026 netmask 255.255.255.255 
static (inside,outside) udp interface 40027 172.16.3.250 40027 netmask 255.255.255.255 
static (inside,outside) udp interface 40028 172.16.3.250 40028 netmask 255.255.255.255 
static (inside,outside) udp interface 40029 172.16.3.250 40029 netmask 255.255.255.255 
static (inside,outside) udp interface 40030 172.16.3.250 40030 netmask 255.255.255.255 
static (inside,outside) udp interface 40031 172.16.3.250 40031 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.172.156.185 1
route inside 172.16.11.0 255.255.255.0 172.16.3.251 1
route inside 172.16.41.0 255.255.255.0 172.16.3.251 1
route inside syvox 255.255.255.0 172.16.3.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 inside
http 68.109.237.64 255.255.255.240 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 98.100.68.98 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 28800
crypto isakmp policy 60
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 68.109.237.64 255.255.255.240 outside
ssh 98.100.68.98 255.255.255.255 outside
ssh timeout 5
console timeout 10
management-access inside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy TECCOMVPN internal
group-policy TECCOMVPN attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TECCOMVPN_splitTunnelAcl
 default-domain value schwebels.com
username teccom password MHvFS8qYNozp1cjl encrypted privilege 15
username admin password WqQwLWMnhsnu0tPQ encrypted privilege 15
tunnel-group TECCOMVPN type remote-access
tunnel-group TECCOMVPN general-attributes
 address-pool VPN_Pool
 default-group-policy TECCOMVPN
tunnel-group TECCOMVPN ipsec-attributes
 pre-shared-key *
tunnel-group 98.100.68.98 type ipsec-l2l
tunnel-group 98.100.68.98 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:a749cfc0d6310c3b6eb0e36a82fbd6b8
: end

Accepted Solution

Vibhor Amrodia
Cisco Employee

Hi,

I don't see any NAT statements for these subnets on the ASA device:-

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.3.0 255.255.255.0

Create a similar NAT statement for the other networks, like this statement:-

nat (inside) 1 172.16.3.0 255.255.255.0

Thanks and Regards,

Vibhor Amrodia

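The accepted answer boils down to one check: every inside network the ASA knows how to route must also be matched by a `nat (inside) <id>` rule whose id ties it to `global (outside) 1 interface`, otherwise pre-8.3 code has no translation policy for it and the packets never leave the outside interface. The script below is an added example (not from the thread, nor Cisco's own tooling) that automates that check for the old `nat (inside) N` syntax: it resolves `name` labels, collects the NAT'd networks, collects the `route inside` destinations, and prints a suggested `nat (inside) 1` line for each routed network that no NAT rule covers. The configuration text embedded in it is a constructed excerpt of only the `name`, `global`, `nat` and `route` lines from the question.

```python
"""Added example: find inside networks the ASA routes but never NATs.

Works on the pre-8.3 'nat (<if>) <id> <net> <mask>' syntax shown in the
posted 8.0(5) config. The config text below is an excerpt constructed from
the lines in the question (names, NAT and routes only)."""
import ipaddress
import re

# Constructed excerpt of the posted running-config.
ASA_CONFIG = """\
name 172.17.1.0 Youngstown
name 24.182.156.188 PhoneSys2
name 172.19.51.0 syvox
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.3.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 24.172.156.185 1
route inside 172.16.11.0 255.255.255.0 172.16.3.251 1
route inside 172.16.41.0 255.255.255.0 172.16.3.251 1
route inside syvox 255.255.255.0 172.16.3.251 1
"""


def parse_names(config):
    """Map 'name <ip> <label>' entries so labels can be resolved to addresses."""
    names = {}
    for m in re.finditer(r"^name (\S+) (\S+)", config, re.M):
        names[m.group(2)] = m.group(1)
    return names


def resolve(token, names):
    """Return the address behind a 'name' label, or the token itself."""
    return names.get(token, token)


def nat_networks(config, names, nameif="inside"):
    """Networks covered by 'nat (<nameif>) <id> <net> <mask>' with id > 0.

    nat-id 0 rules ('nat (inside) 0 access-list ...') are NAT exemptions for
    VPN traffic, not a translation policy, so they are skipped."""
    nets = []
    pat = re.compile(rf"^nat \({nameif}\) (\d+) (\S+) (\S+)", re.M)
    for m in pat.finditer(config):
        nat_id, net, mask = m.groups()
        if nat_id == "0":
            continue
        nets.append(ipaddress.ip_network(f"{resolve(net, names)}/{resolve(mask, names)}"))
    return nets


def routed_networks(config, names, nameif="inside"):
    """Destinations reachable through static routes pointing into <nameif>."""
    nets = []
    pat = re.compile(rf"^route {nameif} (\S+) (\S+) (\S+)", re.M)
    for m in pat.finditer(config):
        net, mask, _gateway = m.groups()
        nets.append(ipaddress.ip_network(f"{resolve(net, names)}/{resolve(mask, names)}"))
    return nets


def find_unnatted(config, nameif="inside"):
    """Routed networks not fully contained in any NAT rule on <nameif>."""
    names = parse_names(config)
    nat = nat_networks(config, names, nameif)
    return [r for r in routed_networks(config, names, nameif)
            if not any(r.subnet_of(n) for n in nat)]


def suggested_nat_lines(config, nat_id=1, nameif="inside"):
    """One 'nat (<nameif>) <nat_id> <net> <mask>' line per uncovered network."""
    return [f"nat ({nameif}) {nat_id} {r.network_address} {r.netmask}"
            for r in find_unnatted(config, nameif)]


if __name__ == "__main__":
    for line in suggested_nat_lines(ASA_CONFIG):
        print(line)
```

Run against the excerpt it reports 172.16.11.0/24, 172.16.41.0/24 and syvox (172.19.51.0/24), the three routed networks behind 172.16.3.251 that have no `nat (inside) 1` entry, and proposes the lines the answer describes. The script only looks at static routes; the posted config's Vlan1 address is 172.18.3.252/24 while the existing NAT rule covers 172.16.3.0/24, which the question's statement that VLAN 1 already works suggests is a sanitisation slip rather than a fourth missing rule. A summary rule such as `nat (inside) 1 172.16.0.0 255.255.0.0` would be accepted by the check for the two 172.16.x networks but not for syvox, because containment is tested per routed network.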
