Port Forwarding ASA 5505

Amir Eskandari
Level 1

Hi there,

I have a test lab at home.

Verizon => Verizon Firewall => ASA 5505 => Computers

Right now I have access to the Internet from my computers after the ASA

I have installed ASDM 7.1 with ASA 9.1.2, but it is a shame for me that I cannot work with it.

I would like to set up port forwarding for Remote Desktop to one of my computers after the ASA.

Would you please advise me how I can do it through ASDM or PuTTY?

There is no help for the new version of ASDM on the web.

Thank You in Advance for Your Time

My ASA configuration:

=====================================

CiscoASA5505(config)# show run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
domain-name xyx.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xyx.com
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.0
object-group network static-pat
access-list outside_in extended permit icmp any4 any4 echo-reply
access-list outside_in extended deny ip any4 any4 log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.20.0
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5d50f214ec6a6a34d3186bc61e63bc09
: end

=======================================

1 Accepted Solution

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

You would need to configure something like this:

object network PC
host 192.168.20.x
nat (inside,outside) static interface service tcp 3389 3389

access-list outside_in line 1 remark Allow RDP
access-list outside_in line 2 permit tcp any object PC eq 3389

The problem to me seems to be that you might have another device in front of the ASA which holds the actual public IP address?

If that is the case then you would have to do Static PAT (Port Forward) on that device too.

- Jouni


12 Replies


Hi Jouni,

Thank you so much for your reply.

Actually I knew the part between my home firewall and the ASA

it is working now.

Again Thanks a lot

Hello Jouni,

Something strange happened in my place: suddenly I lost my Internet connection. I rebooted my firewall, and after 10 minutes I checked my test network after the ASA 5505.

My computers do not have access to the Internet!!!??????

I guess when I applied your instruction previously I did not save my running config.

I added your instruction again but still I do not have access to the Internet.

Map:

Verizon -> Firewall -> ASA -> My Test Lab   (No Internet)
                        |--> My other devices          (Have Internet)

I have checked the cables and they are fine.

I am not sure if my IP address for the command below is correct:

object network PC
host 192.168.20.1

=========================================

My Setting in the ASA is:

CiscoASA5505# show run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
domain-name abc.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name abc.com
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network PC
host 192.168.20.1
object-group network static-pat
access-list outside_in remark Allow RDP
access-list outside_in extended permit tcp any object PC eq 3389
access-list outside_in extended permit icmp any4 any4 echo-reply
access-list outside_in extended deny ip any4 any4 log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.20.0
nat (inside,outside) dynamic interface
object network PC
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e2b6b49bfe5ac8fe1c8c359e845f4350
: end

=========================

CiscoASA5505(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 3 elements; name hash: 0xc5896c24
access-list outside_in line 1 remark Allow RDP
access-list outside_in line 2 remark Allow RDP
access-list outside_in line 3 extended permit tcp any object PC eq 3389 (hitcnt=0) 0xde73064f
  access-list outside_in line 3 extended permit tcp any host 192.168.20.1 eq 3389 (hitcnt=0) 0xde73064f
access-list outside_in line 4 extended permit icmp any4 any4 echo-reply (hitcnt=0) 0x166f77cb
access-list outside_in line 5 extended deny ip any4 any4 log informational interval 300 (hitcnt=0) 0xb1248d92

Any idea?

I can see the problem from your config: your VLAN1 IP is the same as the one in object network PC.

interface Vlan1
nameif inside
security-level 100
ip 192.168.20.1 255.255.255.0

object network PC
host 192.168.20.1

Sent from Cisco Technical Support iPhone App

Hello,

Thank you so much for your reply.

Would you please advise me what the IP address should be instead?

object network PC

host 192.168.20.?

Thank you in advance for your time

Amir

Hi,

The IP address should be the IP address of your actual PC behind the ASA, not the ASA interface IP address.

The IP address defined under the object is the IP address for which we want to do the NAT translation.

I don't think your PC's actual local IP address was mentioned at any point, so I don't know what that is.

- Jouni
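The mistake Jouni describes (the object pointing at the ASA's own VLAN1 address instead of the PC) is easy to catch mechanically before it takes a lab offline. The check below is an added example, not code from the thread or from Cisco: it reads the relevant lines of a show run and reports an object whose host is an interface address, a missing static PAT line, or an applied outside ACL that does not permit the forwarded port. BROKEN_CONFIG is a constructed excerpt of the poster's configuration.

```python
"""Lint an ASA 8.3+ static PAT (port forward). Added example, not code from
the thread; BROKEN_CONFIG is a constructed excerpt of the poster's config."""
import re

BROKEN_CONFIG = """\
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
object network PC
 host 192.168.20.1
 nat (inside,outside) static interface service tcp 3389 3389
access-list outside_in extended permit tcp any object PC eq 3389
access-group outside_in in interface outside
"""

NAT_RE = re.compile(r"nat \(\S+,\S+\) static interface service (tcp|udp) (\d+) (\d+)$")
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit (tcp|udp) any object (\S+) eq (\d+)$")

def parse(config):
    """Collect interface addresses, network objects, object ACL permits and applied ACLs."""
    ifaces, objects, permits, applied = {}, {}, [], set()
    ctx = None  # current stanza: ("if", name) or ("obj", name)
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ctx = ("if", line.split()[1]); ifaces.setdefault(ctx[1], {})
        elif line.startswith("object network "):  # show run splits an object over two stanzas
            ctx = ("obj", line.split()[2]); objects.setdefault(ctx[1], {})
        elif ctx and ctx[0] == "if" and line.startswith("ip address "):
            ifaces[ctx[1]]["ip"] = line.split()[2]
        elif ctx and ctx[0] == "obj" and line.startswith("host "):
            objects[ctx[1]]["host"] = line.split()[1]
        elif ctx and ctx[0] == "obj" and (m := NAT_RE.match(line)):
            objects[ctx[1]]["pat"] = m.groups()       # (proto, real port, mapped port)
        elif m := ACL_RE.match(line):
            permits.append(m.groups())                # (acl, proto, object, port)
        elif line.startswith("access-group "):
            applied.add(line.split()[1])
    return ifaces, objects, permits, applied

def lint_port_forward(config, obj_name):
    """Return findings; an empty list means the port forward is internally consistent."""
    ifaces, objects, permits, applied = parse(config)
    obj = objects.get(obj_name, {})
    host, pat = obj.get("host"), obj.get("pat")
    if host is None:
        return [f"object {obj_name} has no host address"]
    # The thread's actual mistake: the object pointed at the ASA's own VLAN1 address.
    findings = [f"object {obj_name} host {host} is the ASA's own {n} address, not a PC"
                for n, d in ifaces.items() if d.get("ip") == host]
    if pat is None:
        findings.append(f"object {obj_name} has no static interface-service NAT line")
    elif not any(a in applied and p == pat[0] and o == obj_name and port == pat[1]
                 for a, p, o, port in permits):
        findings.append(f"no applied ACL permits {pat[0]}/{pat[1]} to object {obj_name}")
    return findings
```

Running lint_port_forward(BROKEN_CONFIG, "PC") reports the VLAN1 collision; with the host changed to a real PC address the list is empty.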

Hello Jouni,

Thank you so much for your reply.

Now I know what the number should be.

Let me fix it tonight; I will update you with the result as soon as I have modified it.

Thank you for your time

Amir

Hello Jouni,

Please be informed that I decided to erase my ASA and reconfigure it.

I did not know that the NAT command was changed after version 8.3, so all of my instructions are worthless now.

I found the link below to translate the NAT command:

https://supportforums.cisco.com/docs/DOC-9129

global (outside) 10 interface
nat (inside) 10 192.168.20.0 255.255.255.0

I thought the commands below were equal to the above:

object network obj-192.168.20.5_192.168.20.36
   range 192.168.20.5 192.168.20.36
object network obj-192.168.20.0
   subnet 192.168.20.0 255.255.255.0
   nat (inside,outside) dynamic obj-192.168.20.5_192.168.20.36 interface

Now inside does not have access to outside

At the moment I am lost.

Amir

=====================

CiscoASA5505(config)# show run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object network obj-19
object network obj-192.168.20.5_192.168.20.36
range 192.168.20.5 192.168.20.36
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.20.0
nat (inside,outside) dynamic obj-192.168.20.5_192.168.20.36 interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ba24bb28656db6af40b0efd20166b2fa
: end

Hello Amir

This will help you at least have access to the outside, and afterwards you can configure your firewall to your needs.

interface vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0

interface vlan2
nameif outside
security-level 0
ip address dhcp setroute

interface eth0/0
description "Connect to ISP"
switchport access vlan 2

object network internal_lan.obj
  subnet 192.168.20.0 255.255.255.0
  nat (inside,outside) dynamic interface

Best regards,
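Amir's attempted translation above and mynet4lab's working object NAT are two versions of the same pre-8.3 to 8.3+ migration. As an added example (not code from the thread or from Cisco's migration document), the script below pairs old nat/global statements by their ID and emits the 8.3+ object NAT form, which shows that 'global (outside) 10 interface' becomes 'dynamic interface' with no mapped object, and that only a pool of outside addresses ever becomes a mapped object. OLD_CONFIG is a constructed input; the object naming convention is assumed.

```python
"""Translate pre-8.3 ASA nat/global pairs into 8.3+ object NAT.
Added example, not code from the thread; OLD_CONFIG is a constructed input."""
import re

GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+)$")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)$")

# The two pre-8.3 lines the poster quoted.
OLD_CONFIG = """\
global (outside) 10 interface
nat (inside) 10 192.168.20.0 255.255.255.0
"""

def translate(old_config):
    """Pair nat/global statements by their ID and emit the 8.3+ object NAT lines."""
    pools, nats = {}, []
    for raw in old_config.splitlines():
        g, n = GLOBAL_RE.match(raw.strip()), NAT_RE.match(raw.strip())
        if g:
            if g.group(2) in pools:
                raise ValueError(f"several global statements for id {g.group(2)}: not handled")
            pools[g.group(2)] = (g.group(1), g.group(3))  # id -> (outside ifc, pool)
        elif n:
            nats.append(n.groups())                        # (inside ifc, id, net, mask)
    out = []
    for inside, nat_id, net, mask in nats:
        if nat_id not in pools:
            raise ValueError(f"nat id {nat_id} has no matching global statement")
        outside, pool = pools[nat_id]
        if pool == "interface":
            # 'global (outside) N interface' was PAT on the outside address; in
            # 8.3+ that is simply 'dynamic interface', with no mapped object.
            mapped = "interface"
        else:
            # A pool of public addresses becomes its own mapped object. It holds
            # OUTSIDE addresses, never the inside DHCP range as in the thread.
            lo, _, hi = pool.partition("-")
            mapped = f"obj-{lo}_{hi or lo}"
            out += [f"object network {mapped}", f" range {lo} {hi or lo}"]
        out += [f"object network obj-{net}", f" subnet {net} {mask}",
                f" nat ({inside},{outside}) dynamic {mapped}"]
    return "\n".join(out)

if __name__ == "__main__":
    print(translate(OLD_CONFIG))
```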

Hello mynet4lab,

Thank you so much for your reply.

Let me try it tonight; I will update the discussion as soon as I apply the new commands.

Again Thank you

Amir

My Friends,

Thank you so much for your help.

I have now found out what happened to my system.

Last week Verizon changed my IP address and I did not pay attention to this matter.

So I wiped out my ASA (how silly I was).

1- I had to reconfigure the ASA and then fix the issue to connect inside and outside; see the link below:

    https://supportforums.cisco.com/message/4111695#4111695

Good experience again.

2- Then set the boot image to 912 (how? refer to the link above, Jouni Forss' email dated Dec 5, 2013 12:49 AM).

3- Then run the commands based on Jouni Forss' instruction (in this thread, see above, dated Sep 15, 2013 9:26 AM).

Note: the commands run when the boot system is 912 (please correct me if I am wrong).

4- Then reset my new IP on my host.

5- Reset my new IP on my firewall.

Now everything is working.

Thank you so much Jouni for your fantastic support. God Bless you.

Amir
