06-17-2019 02:48 PM
Hi,
I have this configuration in GNS3 with FTD. I can't access the Internet from the inside interface and I can't figure out why.
Could you please help me?
: Saved
:
: Serial Number: 9A2HWHFXJEA
: Hardware: ASAv, 8192 MB RAM, CPU Pentium II 2600 MHz, 1 CPU (4 cores)
:
NGFW Version 6.2.3
!
! NOTE(review): this running-config has been posted publicly. The enable
! password below is only a PBKDF2 hash, but a hash is still a secret and is
! worth rotating once it has been shared.
hostname firepower
enable password $sha512$5000$TXb2gmIfdxW9fOuH3v1nkg==$MdaH8/ZnLAccS0CtB0bjHg== pbkdf2
! NOTE(review): strong-encryption-disable restricts the box to export-grade
! ciphers, consistent with the DES-only IKE policies further down. No
! tunnel-group or crypto map appears in this config, so no VPN currently
! depends on it -- confirm before enabling any VPN feature.
strong-encryption-disable
names
!
! Data interfaces: outside = 192.168.159.130/24 (default route via .2 below),
! inside = 192.168.1.20/24. Both are security-level 0, so the classic ASA
! security-level model gives inside no preference over outside; on FTD the
! access control policy (NGFW_ONBOX_ACL below) is what decides.
interface GigabitEthernet0/0
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.159.130 255.255.255.0
! NOTE(review): autoconfig lets the upstream network assign this interface an
! IPv6 address and default route (ip-client outside ipv6 is enabled below).
! Harmless in a lab; on a production outside interface, address it statically.
ipv6 address autoconfig
!
interface GigabitEthernet0/1
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
! NOTE(review): same security level as outside (0). On a classic ASA,
! inside<->outside traffic would also need
! `same-security-traffic permit inter-interface`, which is absent here; FTD is
! expected to handle this itself, but it is worth confirming with packet-tracer
! if flows are dropped at the interface/ACL phase -- TODO confirm on this build.
security-level 0
ip address 192.168.1.20 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/8
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
ftp mode passive
ngips conn-match vlan-id
! NOTE(review): several of these objects look inconsistent with the interface
! addressing. InsideWebServer (192.168.159.200), PC1 and R1_pub
! (192.168.159.141) are in the OUTSIDE subnet, while MappedInsideWerServer
! (192.168.1.250) is in the INSIDE subnet -- names and addresses look swapped
! ("Wer" is presumably a typo for "Web"). Gateway (192.168.1.1) is not the
! inside interface address (192.168.1.20): if any inside host has 192.168.1.1
! as its default gateway, its traffic never reaches the firewall, which alone
! would explain "no Internet from inside". Of these, only PC1 is referenced
! (ACL rule-id 268435462); none is used in a NAT rule in this config.
object network InsideWebServer
host 192.168.159.200
object network MappedInsideWerServer
host 192.168.1.250
object network PC1
host 192.168.159.141
object network Gateway
host 192.168.1.1
object network OutsideIPv4DefaultRoute
subnet 0.0.0.0 0.0.0.0
object network OutsideIPv4Gateway
host 192.168.159.2
! The AIM_SERVERS objects and group below are not referenced by any ACL or
! NAT line in this config; they appear to be default objects and can be
! ignored for this troubleshooting.
object network AIM_SERVERS-64.12.31.136
host 64.12.31.136
object network AIM_SERVERS-64.12.46.140
host 64.12.46.140
object network AIM_SERVERS-64.12.186.85
host 64.12.186.85
object network AIM_SERVERS-205.188.1.132
host 205.188.1.132
object network AIM_SERVERS-205.188.11.228
host 205.188.11.228
object network AIM_SERVERS-205.188.11.253
host 205.188.11.253
object network AIM_SERVERS-205.188.11.254
host 205.188.11.254
object network AIM_SERVERS-205.188.210.203
host 205.188.210.203
object network AIM_SERVERS-64.12.24.0-23
subnet 64.12.24.0 255.255.254.0
object network AIM_SERVERS-64.12.28.0-23
subnet 64.12.28.0 255.255.254.0
object network AIM_SERVERS-64.12.161.0-24
subnet 64.12.161.0 255.255.255.0
object network AIM_SERVERS-64.12.163.0-24
subnet 64.12.163.0 255.255.255.0
object network AIM_SERVERS-64.12.200.0-24
subnet 64.12.200.0 255.255.255.0
object network AIM_SERVERS-205.188.3.0-24
subnet 205.188.3.0 255.255.255.0
object network AIM_SERVERS-205.188.5.0-24
subnet 205.188.5.0 255.255.255.0
object network AIM_SERVERS-205.188.7.0-24
subnet 205.188.7.0 255.255.255.0
object network AIM_SERVERS-205.188.9.0-24
subnet 205.188.9.0 255.255.255.0
object network AIM_SERVERS-205.188.153.0-24
subnet 205.188.153.0 255.255.255.0
object network AIM_SERVERS-205.188.179.0-24
subnet 205.188.179.0 255.255.255.0
object network AIM_SERVERS-205.188.248.0-24
subnet 205.188.248.0 255.255.255.0
object network R1
host 192.168.1.30
object network R1_pub
host 192.168.159.141
object network INSIDE
subnet 192.168.1.0 255.255.255.0
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network NGFW-MGMT-IP
host 192.168.1.2
object network NGFW-MGMT-PUBLIC-IP
host 192.168.159.128
object-group network AIM_SERVERS
network-object object AIM_SERVERS-64.12.186.85
network-object object AIM_SERVERS-64.12.24.0-23
network-object object AIM_SERVERS-205.188.7.0-24
network-object object AIM_SERVERS-64.12.28.0-23
network-object object AIM_SERVERS-205.188.11.254
network-object object AIM_SERVERS-205.188.210.203
network-object object AIM_SERVERS-64.12.163.0-24
network-object object AIM_SERVERS-205.188.248.0-24
network-object object AIM_SERVERS-64.12.46.140
network-object object AIM_SERVERS-205.188.5.0-24
network-object object AIM_SERVERS-205.188.1.132
network-object object AIM_SERVERS-205.188.11.228
network-object object AIM_SERVERS-205.188.179.0-24
network-object object AIM_SERVERS-64.12.31.136
network-object object AIM_SERVERS-64.12.161.0-24
network-object object AIM_SERVERS-205.188.153.0-24
network-object object AIM_SERVERS-205.188.11.253
network-object object AIM_SERVERS-205.188.3.0-24
network-object object AIM_SERVERS-205.188.9.0-24
network-object object AIM_SERVERS-64.12.200.0-24
! Access control policy (LINA side). On FTD the "advanced permit ... rule-id"
! entries hand matching flows to Snort, where the L7 decision (e.g. "Drop
! Youtube" on rule-id 268435462) is actually made -- so a `permit` here does
! not by itself mean the flow is allowed end-to-end.
! NOTE(review): rule-id 1 is the policy default action and is
! `permit ip any any`, i.e. anything not matched above -- including
! outside->inside -- is handed on rather than dropped, which suggests the
! default action is not Block; confirm in FDM. A Block default action with
! explicit inside->outside allows is the safer baseline, and rule 268435464
! (`permit ip ifc outside ... any`) deserves the same scrutiny: its L7 name
! says ICMP, but the L3/L4 line admits all IP.
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L7 RULE: Permit_ICMP
access-list NGFW_ONBOX_ACL advanced permit ip ifc outside object any-ipv4 any rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L7 RULE: Drop Youtube
access-list NGFW_ONBOX_ACL advanced permit ip object PC1 any rule-id 268435462 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Inside_Outside
access-list NGFW_ONBOX_ACL advanced permit ip ifc inside any ifc outside any rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L7 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced permit ip any any rule-id 1 event-log flow-end
pager lines 23
logging enable
logging timestamp
logging console warnings
mtu outside 1500
mtu inside 1500
mtu diagnostic 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
! inside -> Internet path: dynamic PAT to the outside interface address, the
! ACL applied globally, default route via 192.168.159.2. Each piece is present;
! if it still fails, trace one flow end to end with packet-tracer (constructed
! example: `packet-tracer input inside tcp 192.168.1.100 40000 8.8.8.8 53`)
! to see which phase drops it, check `show xlate` for the PAT entry, and
! verify the FTD itself can reach 192.168.159.2 and the DHCP clients actually
! use 192.168.1.20 as their gateway.
nat (any,outside) source dynamic any-ipv4 interface
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 192.168.159.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
! NOTE(review): HTTPS management (FDM) is open to any source (0.0.0.0 0.0.0.0)
! on BOTH outside and inside; the ssh lines further down do the same. That is
! acceptable only in an isolated lab -- restrict both to the management
! hosts/subnet, and preferably do not expose them on the outside interface at all.
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
ip-client diagnostic
ip-client diagnostic ipv6
ip-client outside
ip-client outside ipv6
ip-client inside
ip-client inside ipv6
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
! NOTE(review): both IKE policies use DES with group 5 and SHA-1; DES is
! obsolete and would need strong encryption enabled to replace. Nothing in
! this config references these policies (no tunnel-group, no crypto map), so
! they look unused -- fix them before any VPN is configured.
crypto ikev2 policy 100
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 policy 160
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
! NOTE(review): SSH from any source on outside and inside -- same exposure as
! the http lines above; restrict to management hosts.
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
console timeout 0
! Inside DHCP: pool 192.168.1.21-.254 (the interface address .20 is excluded),
! DNS 8.8.8.8 / 4.2.2.2. Clients are presumably handed this interface as their
! router, so name resolution from inside also depends on the inside->outside
! path working.
dhcpd dns 8.8.8.8 4.2.2.2
!
dhcpd address 192.168.1.21-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
Cryptochecksum:3fbd692e646397c0878e7b56fa39f900
: end
06-17-2019 07:14 PM
06-18-2019 12:56 AM
06-18-2019 01:01 AM
06-18-2019 01:02 AM
06-20-2019 08:34 PM