Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1159
Views
0
Helpful
7
Replies

ASA5505 - No Internet Access after upgrade to 9.2version

Flo AM
Level 1
Level 1

‎08-07-2014 01:35 AM - edited ‎03-11-2019 09:35 PM

Dear all,

I post here a discussion because after many hours to troubleshoot on this issue, I have still no found how to do it so solve my issue.

Few days ago, I upgrade my CISCO 5505 to 9.2 version and 7.2 asdm version. Since, this upgrade, my VPN tunnel is UP and my users can connect to applications on my site and open Intranet site but they have not Internet connection/access since this upgrade...

I think issue is related to NAT issue but I cannot found how to do it.

Below, my running config :

: Saved

: Serial Number: 
: Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
: Written by admin at 04:57:46.744 CEDT Thu Aug 7 2014
!
ASA Version 9.2(1) 
!
hostname ASA5505-ZAG
domain-name default.domain.invalid
enable password xxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.90.0.2 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 86.15.50.102 255.255.255.248 
!
boot system disk0:/asa921-k8.bin
boot system disk0:/asa723-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 194.2.0.20
 domain-name default.domain.invalid
dns server-group AC
 name-server 10.xxx.xxx.xxx
 name-server 10.xxx.xxx.xxx
 domain-name xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service HTTP
 service tcp destination eq www 
 description Web
object network PC_TEST
 host 10.90.0.132
object-group network obj_any
object-group service Web tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group network ZAG
 network-object 10.90.0.0 255.255.255.0
object-group network Trafic_vpn_MainSite
 network-object 10.239.80.0 255.255.248.0
 network-object 10.239.88.0 255.255.248.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object tcp
access-list inside_nat0_outbound extended permit ip object-group ZAG object-group Trafic_vpn_MainSite 
access-list inside_access_in remark VPN Acces
access-list inside_access_in extended permit ip object-group ZAG object-group Trafic_vpn_MainSite 
access-list inside_access_in remark Internet Access
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group ZAG any 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any object-group ZAG 
access-list outside_60_cryptomap extended permit ip object-group ZAG object-group Trafic_vpn_MainSite 
access-list inside_cryptomap_1 extended permit ip object-group ZAG object-group Monitoring 
access-list global_access extended permit ip any any 
pager lines 24
logging enable
logging monitor debugging
logging buffered critical
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 86.15.59.97 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.xxx.0.0 255.255.0.0 inside
http 10.90.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 set peer 84.200.120.34
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 50 match address outside_60_cryptomap
crypto map outside_map 50 set peer 84.200.120.34
crypto map outside_map 50 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 50 set security-association lifetime seconds 28800
crypto map outside_map 60 set peer 84.200.120.34
crypto map outside_map interface outside
crypto map inside_map 1 match address inside_cryptomap_1
crypto map inside_map 1 set peer 84.200.120.34
crypto map inside_map interface inside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable inside
crypto ikev2 enable outside
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.xxx.0.0 255.255.0.0 inside
telnet 10.90.0.0 255.255.255.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.xxx.0.0 255.255.0.0 inside
ssh 10.90.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 10.90.0.128-10.90.0.154 inside
dhcpd dns 10.xxx.xxx.xxx 10.xxx.xxx.xxx interface inside
dhcpd lease 36000 interface inside
dhcpd domain XX interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username admin password xxxxxx encrypted privilege 15
username admin-internet password xxxxxx encrypted privilege 15
username view password xxxxxxx encrypted
tunnel-group 81.80.182.197 type ipsec-l2l
tunnel-group 81.252.245.20 type ipsec-l2l
tunnel-group 84.200.120.34type ipsec-l2l
tunnel-group 84.200.120.34ipsec-attributes
 ikev1 pre-shared-key xxxxx
tunnel-group 83.206.138.9 type ipsec-l2l
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4ba00f0a0b131f30d66feed196ea79c8
: end

 

 

If someone can help me please, it's will be very appreciate !

Thanks in advance.

Have a nice day.

Florian

Labels:
0 Helpful
7 Replies 7

nkarthikeyan
Level 7
Level 7

‎08-07-2014 03:12 AM

Hi Florian,

 

Also you need to place your real ip address in interface ACL's instead of NATed ip address...

 

Regards

Karthik

0 Helpful

nkarthikeyan
Level 7
Level 7

‎08-07-2014 04:01 AM

Hi,

 

I do not see any NAT configured for your device.... I hope you have upgraded from the older ASA OS version to the newer version. Could you please give the NAT statements which was configured on your old version?

 

for eg: If you have a PAT configured pointing your outside interface... then

 

nat (inside, outside) source any dynamic interface

 

for no-nat

 

object network ZAG_L2L
subnet 10.90.0.0 255.255.255.0

!
object network Trafic_vpn_MainSite_L2L1
 subnet 10.239.80.0 255.255.248.0

!

object network Trafic_vpn_MainSite_L2L2
subnet 10.239.88.0 255.255.248.0

!

nat (inside,outside) source static ZAG_L2L ZAG_L2L destination static Trafic_vpn_MainSite_L2L1 Trafic_vpn_MainSite_L2L1

!

nat (inside,outside) source static ZAG_L2L ZAG_L2L destination static Trafic_vpn_MainSite_L2L2 Trafic_vpn_MainSite_L2L2

!

 

 

Regards

Karthik

 

Regards

Karthik

 

!

0 Helpful

Flo AM
Level 1
Level 1
In response to nkarthikeyan

‎08-07-2014 06:24 AM

Hi nkarthikeyan ,

You're right, in the behind configuration, there aren't any NAT configured for the simple reason which's Firewall is on production on another site and users must to connect to our Intranet to working properly so until I found a solution, I do some tests only with one desktop located on site...

I tried to add this command on my configuration but when I do it, I lost connection with computer of my site of ZAG ...

 

ASA5505-ZAG(config)# nat (inside,outside) source dynamic any interface

 

Also, I tried this configuration but without success also :/

 

for no-nat

 

object network ZAG_L2L
subnet 10.90.0.0 255.255.255.0

!
object network Trafic_vpn_MainSite_L2L1
 subnet 10.239.80.0 255.255.248.0

!

object network Trafic_vpn_MainSite_L2L2
subnet 10.239.88.0 255.255.248.0

!

nat (inside,outside) source static ZAG_L2L ZAG_L2L destination static Trafic_vpn_MainSite_L2L1 Trafic_vpn_MainSite_L2L1

!

nat (inside,outside) source static ZAG_L2L ZAG_L2L destination static Trafic_vpn_MainSite_L2L2 Trafic_vpn_MainSite_L2L2

!

 

And to finish my questions, can you explain me this point please : 

 

Also you need to place your real ip address in interface ACL's instead of NATed ip address...

 

Thanks for your support !

I really appreciate it !

0 Helpful

nkarthikeyan
Level 7
Level 7
In response to Flo AM

‎08-07-2014 11:01 AM

Hi,

 

Can you try like this for internet access.

no nat (inside, outside) source any dynamic interface

object network ZAG_internet
subnet 10.90.0.0 255.255.255.0

nat (inside,outside) dynamic interface

access-list inside_access_out extended permit ip10.90.0.2 255.255.255.0 any

!

access-group inside_access_out in interface inside

!

You can retain the No-nat ACL, which is correct.....

And to finish my questions, can you explain me this point please : 

 

Also you need to place your real ip address in interface ACL's instead of NATed ip address...

 

In earlier pre-8.3 versions of ASA versions, you will always mentioned the NATed ip address in the access-list..... in post 8.3+ version you need to mention the real ip address in the access-list....

 

say you have a web server inside your network, which has the real ip of 10.0.0.1 and NAT IP as 1.1.1.1, in old OS versions you will be pointing 1.1.1.1 in outside interface ACL to filter the traffic... but in newer versions you need to have 10.0.0.1 mentioned in order to get that work.

 

Regards

Karthik

 

0 Helpful

Flo AM
Level 1
Level 1
In response to nkarthikeyan

‎08-07-2014 12:17 PM

Hi again,


I had your recommendation into my configuration but unfortunately doesn't work yet ...
When I add this config, I lost access to my Intranet portal which is after VPN tunnel... (ip of portal intranet is 10.239.83.2) and I have not Internet access..

It's really strange because I can ping google.com from Firewall and I have access on desktop wih Teamviewer application even if I have not access to Internet on it

0 Helpful

nkarthikeyan
Level 7
Level 7
In response to Flo AM

‎08-07-2014 06:50 PM

Hi,

can you share me your configs to my personal id nkartheekeyan@outlook.com?

 

Please make sure that you hash out the sensitive information.

 

Regards

Karthik

0 Helpful

Flo AM
Level 1
Level 1
In response to nkarthikeyan

‎08-07-2014 11:50 PM

Hi,

 

I've just sent you the running config of my firewall ASA 5505.

 

Thank you very much for your help here.

Best Regards,

Florian

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card