
Can't get internet traffic to route through ASA. Internal works though.

Here is the config.

Problem is they cannot get to the internet. All internal networks are functional. HELP!

Result of the command: "sho run"

: Saved

:

ASA Version 8.4(1)

!

hostname *******************

domain-name *************************

enable password **********************

passwd **********************

names

!

interface Vlan1

shutdown

no nameif

no security-level

no ip address

!

interface Vlan10

description Outside vlan

nameif outside

security-level 0

ip address 68.222.254.178 255.255.255.248

!

interface Vlan136

description Data Vlan

nameif inside

security-level 100

ip address 10.5.136.1 255.255.255.0

!

interface Ethernet0/0

description OUTSIDE

switchport access vlan 10

!

interface Ethernet0/1

description Data Vlan

switchport access vlan 136

!

interface Ethernet0/2

description Data Vlan

switchport access vlan 136

!

interface Ethernet0/3

description Data Vlan

switchport access vlan 136

!

interface Ethernet0/4

description Data Vlan

switchport access vlan 136

!

interface Ethernet0/5

description Voice Vlan

switchport access vlan 136

!

interface Ethernet0/6

description Voice Vlan

switchport access vlan 136

!

interface Ethernet0/7

description Voice Vlan

switchport access vlan 136

!

banner motd -------------

banner motd W A R N I N G

banner motd -------------

banner motd

banner motd THIS IS A PRIVATE COMPUTER SYSTEM.

banner motd

banner motd This computer system including all related equipment, network devices

banner motd (specifically including Internet access), are provided only for

banner motd authorized use.

banner motd

banner motd All computer systems may be monitored for all lawful purposes, including

banner motd to ensure that their use is authorized, for management of the system, to

banner motd facilitate protection against unauthorized access, and to verify security

banner motd procedures, survivability and operational security.

banner motd

banner motd Monitoring includes active attacks by authorized personnel and their

banner motd entities to test or verify the security of the system. All information including

banner motd personal information, placed on or sent over this system may be monitored.

banner motd During monitoring, information may be examined, recorded, copied and

banner motd used for authorized purposes. 

banner motd

banner motd Unauthorized use may subject you to criminal prosecution. Evidence of any such

banner motd unauthorized use collected during monitoring may be used for

banner motd administrative, criminal or other adverse action.

banner motd

banner motd Uses of this system, authorized or unauthorized, constitutes consent to monitoring

banner motd of this system for these purposes.

banner asdm -------------

banner asdm W A R N I N G

banner asdm -------------

banner asdm

banner asdm THIS IS A PRIVATE COMPUTER SYSTEM.

banner asdm

banner asdm This computer system including all related equipment, network devices

banner asdm (specifically including Internet access), are provided only for

banner asdm authorized use.

banner asdm

banner asdm All computer systems may be monitored for all lawful purposes, including

banner asdm to ensure that their use is authorized, for management of the system, to

banner asdm facilitate protection against unauthorized access, and to verify security

banner asdm procedures, survivability and operational security.

banner asdm

banner asdm Monitoring includes active attacks by authorized personnel and their

banner asdm entities to test or verify the security of the system. All information including

banner asdm personal information, placed on or sent over this system may be monitored.

banner asdm During monitoring, information may be examined, recorded, copied and

banner asdm used for authorized purposes. 

banner asdm

banner asdm Unauthorized use may subject you to criminal prosecution. Evidence of any such

banner asdm unauthorized use collected during monitoring may be used for

banner asdm administrative, criminal or other adverse action.

banner asdm

banner asdm Uses of this system, authorized or unauthorized, constitutes consent to monitoring

banner asdm of this system for these purposes.

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name **************

object network NETWORK_OBJ_10.0.0.0_8

subnet 10.0.0.0 255.0.0.0

object network NETWORK_OBJ_10.5.136.0_24

subnet 10.5.136.0 255.255.255.0

object network 10.10.0.0_16

subnet 10.10.0.0 255.255.0.0

object network 10.4.0.0_16

subnet 10.4.0.0 255.255.0.0

access-list outside_access_in extended permit ip 72.12.205.64 255.255.255.224 any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list outside_cryptomap_1 extended permit ip 10.5.136.0 255.255.255.0 10.0.0.0 255.0.0.0

pager lines 24

logging enable

logging timestamp

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_10.5.136.0_24 NETWORK_OBJ_10.5.136.0_24 destination static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 68.222.254.177 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server ACS protocol tacacs+

aaa-server ACS (inside) host 10.10.10.252

key *****

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

http server enable

http 72.12.205.64 255.255.255.224 outside

http 10.10.225.0 255.255.255.0 inside

snmp-server host inside 10.4.113.152 community *****

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto map outside_map1 2 match address outside_cryptomap_1

crypto map outside_map1 2 set peer 72.12.205.66

crypto map outside_map1 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map1 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map1 interface outside

crypto map vpnmap 2 set peer 68.222.254.178

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=***********************

crl configure

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 2

encryption 3des

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 10.10.225.0 255.255.255.0 inside

ssh 10.4.113.0 255.255.255.0 inside

ssh timeout 45

ssh version 2

console timeout 0

management-access inside

dhcpd address 10.5.136.21-10.5.136.254 inside

dhcpd dns 10.5.128.10 10.10.10.4 interface inside

dhcpd wins 10.10.10.25 10.10.10.4 interface inside

dhcpd lease 691200 interface inside

dhcpd domain ************* interface inside

dhcpd option 150 ip 10.4.29.11 10.4.30.10 interface inside

dhcpd option 4 ip 10.10.10.25 interface inside

dhcpd option 5 ip 10.5.128.10 10.10.10.25 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.10.1.5 source inside prefer

webvpn

group-policy GroupPolicy_68.222.254.178 internal

group-policy GroupPolicy_68.222.254.178 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy GroupPolicy_72.12.205.66 internal

group-policy GroupPolicy_72.12.205.66 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol ikev1 ikev2

username ************************************

tunnel-group 72.12.205.66 type ipsec-l2l

tunnel-group 72.12.205.66 general-attributes

default-group-policy GroupPolicy_72.12.205.66

tunnel-group 72.12.205.66 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group 68.222.254.178 type ipsec-l2l

tunnel-group 68.222.254.178 general-attributes

default-group-policy GroupPolicy_68.222.254.178

tunnel-group 68.222.254.178 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

smtp-server 10.10.10.7

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:99af6ce8f4c98b7b4487f02bf012a0f0

: end

1 ACCEPTED SOLUTION


Can't get internet traffic to route through ASA. Internal works

Hi,

I can't see any NAT for the Internet traffic.

You could try adding the following

nat (inside,outside) after-auto source dynamic any interface

- Jouni
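
The following is an added example, not part of the original posts: a small model of first-match evaluation over the manual NAT rules, showing that the posted config translates only the VPN-bound flow and that the suggested `after-auto` rule (section 3) does not displace the identity NAT (section 1). It models manual NAT only, since the posted config has no object NAT; the source host 10.5.136.50 and destination 8.8.8.8 are constructed sample values.

```python
import ipaddress
import re

# Constructed excerpt: only the NAT-relevant lines of the posted "sho run".
POSTED = """\
object network NETWORK_OBJ_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network NETWORK_OBJ_10.5.136.0_24
 subnet 10.5.136.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_10.5.136.0_24 NETWORK_OBJ_10.5.136.0_24 destination static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8
"""
FIX = "nat (inside,outside) after-auto source dynamic any interface\n"

NAT_RE = re.compile(
    r"^nat \(inside,outside\) (?P<after>after-auto )?source (?P<kind>static|dynamic) "
    r"(?P<src>\S+) (?P<mapped>\S+)(?: destination static (?P<dst>\S+) \S+)?")

def parse(config):
    """Return (objects, rules) with rules in evaluation order (section 1, then 3)."""
    objects, rules, current = {"any": ipaddress.ip_network("0.0.0.0/0")}, [], None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("subnet ") and current:
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}")
        elif (m := NAT_RE.match(line)):
            rule = m.groupdict()
            rule["section"] = 3 if rule.pop("after") else 1
            rule["dst"] = rule["dst"] or "any"
            rules.append(rule)
    rules.sort(key=lambda r: r["section"])  # stable sort keeps config order per section
    return objects, rules

def first_match(config, src, dst):
    """First manual NAT rule that matches an inside->outside flow, else None.
    None means the packet would leave outside with its private source address."""
    objects, rules = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in objects[rule["src"]] and d in objects[rule["dst"]]:
            return rule
    return None

if __name__ == "__main__":
    for cfg, label in ((POSTED, "posted"), (POSTED + FIX, "posted + fix")):
        for dst in ("8.8.8.8", "10.10.10.4"):  # 8.8.8.8 is a constructed Internet host
            print(label, dst, first_match(cfg, "10.5.136.50", dst))
```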


Can't get internet traffic to route through ASA. Internal works

That did the trick, thank you so much!