3140 Views, 0 Helpful, 33 Replies

Problem accessing internet through ASA 5540

gasparmenendez
Level 3

Hello, I'm setting up an ASA 5540 from scratch. Right now it is only for testing and understanding purposes, so the configuration is very simple. My problem is that I have a PC in my LAN that can't reach the internet through the ASA. I can't see what I'm missing; like I said, the configuration is very simple so this shouldn't be an issue. Here's the configuration:

ciscoasa# show running-config
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password X encrypted
passwd X encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 200.X.X.194 255.255.255.252
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.227.225.1 255.255.252.0
!
interface GigabitEthernet0/2
 nameif FTTH
 security-level 50
 ip address 10.229.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif CMTS  
 security-level 50
 ip address 192.168.61.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.22 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
same-security-traffic permit intra-interface
object network CACTI
 host 10.227.224.11
object network ip120
 host 200.X.X.120
object network ip101
 host 200.X.X.101
object network ip102
 host 200.X.X.102
object network ip121
 host 200.X.X.121
object network ip122
 host 200.X.X.122
object network ip123
 host 200.X.X.123
object network ip124
 host 200.X.X.124
object network ip125
 host 200.X.X.125
object network ip126
 host 200.X.X.126
object network ip127
 host 200.X.X.127
object network Caja_Hipodromo
 host 10.227.225.29
object network Farma_Eco_NI
 host 10.227.255.3
object network Gas_Holanda
 host 10.227.225.41
object network Gasolinera_CM
 host 10.227.225.22
object network Gasolinera_Samantha
 host 10.227.225.21
object network Notigram
 host 10.227.224.225
object network Odoo
 host 10.227.224.226
object network AutopartesStgo_SucNI_81
 host 10.227.225.12
object network AutopartesStgo_SucNI_554
 host 10.227.225.12
object network AutopartesStgo_SucNI_8000
 host 10.227.225.12
access-list INSIDE_nat_outbound extended permit ip 10.227.224.0 255.255.252.0 any
access-list OUTSIDE_access_in remark Cacti
access-list OUTSIDE_access_in extended permit ip any object ip120 log disable
access-list OUTSIDE_access_in remark Caja Hipodromo
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.123 log disable
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10443 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10500 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 14500 inactive
access-list OUTSIDE_access_in remark Farmacia Economica NI
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.102
access-list OUTSIDE_access_in remark puerto Ferrepisos NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 13389
access-list OUTSIDE_access_in remark Gasolinera Samantha
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.127 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10081 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10554 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 18000 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10587 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10110
access-list OUTSIDE_access_in extended permit udp 200.X.X.0 255.255.255.0 any range 10000 20000 log disable
access-list OUTSIDE_access_in remark Odoo Felipe
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.121 log disable
access-list OUTSIDE_access_in remark Gasolinera Holanda
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.101 log disable
access-list OUTSIDE_access_in remark Servidor Notigram
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.122 log disable
access-list OUTSIDE_access_in remark Gasolinera CM
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.124 log disable
access-list CMTS_nat_outbound extended permit ip 10.39.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_1 extended permit ip 10.27.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_2 extended permit ip 10.25.0.0 255.255.0.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.229.0.0 255.255.255.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.228.0.0 255.255.240.0 any
access-list INSIDE_access_in extended permit ip 10.227.224.0 255.255.252.0 any
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu FTTH 1500
mtu CMTS 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network AutopartesStgo_SucNI_81
 nat (INSIDE,OUTSIDE) static interface service tcp 81 10081
object network AutopartesStgo_SucNI_554
 nat (INSIDE,OUTSIDE) static interface service tcp rtsp 10554
object network AutopartesStgo_SucNI_8000
 nat (INSIDE,OUTSIDE) static interface service tcp 8000 18000
!
nat (INSIDE,OUTSIDE) after-auto source static CACTI ip120
nat (INSIDE,OUTSIDE) after-auto source static Gas_Holanda ip101
nat (INSIDE,OUTSIDE) after-auto source static Farma_Eco_NI ip102
nat (INSIDE,OUTSIDE) after-auto source static Odoo ip121
nat (INSIDE,OUTSIDE) after-auto source static Notigram ip122
nat (INSIDE,OUTSIDE) after-auto source static Caja_Hipodromo ip123
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_CM ip124
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_Samantha ip127
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.X.X.193 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route FTTH 10.228.0.0 255.255.240.0 10.229.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server location X
snmp-server contact X
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username X password X encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:X
: end

Right now I'm only using the INSIDE and OUTSIDE interfaces; the rest are disconnected. The PC has IP address 10.227.224.228, mask 255.255.252.0, GW 10.227.225.1, and public DNS servers. The PC can ping the INSIDE interface 10.227.225.1. Any ideas what I'm doing wrong??? Can anybody help please??

2 Accepted Solutions

cofee
Level 5

Hi there,

Did you look at the ASA logs to see what it's doing with the outbound packet originated by the PC? You can do "logging on" and "logging console 7"; you can safely use these commands as you mentioned this ASA is not live yet. Also, I would look at the xlate table when you send outbound traffic to make sure it's getting NATed with the right address: "sh xlate".

You have this nat rule configured and it doesn't look right:

nat (INSIDE,OUTSIDE) static interface service tcp 81 10081  ( can you remove service tcp 81 10081) and then check if it works. I assume you have a DNS server configured.

You can also use the packet tracer command to see if the traffic is allowed and if not what's the issue-

packet-tracer input inside tcp "pc address" 1024 (random port number) destination address port number  (for destination address you can choose any public address that's reachable via your outside interface)

I hope this helps.


Oliver Kaiser
Level 7

Looks like a NAT issue. You have multiple static NAT rules configured but in case your source ip does not match the address specified in your nat rules it will not translate to the ip address of your outside interface.

You may configure PAT to NAT all traffic from inside to your outside interface ip address

nat (inside,outside) dynamic interface

As cofee has already pointed out you may want to check your translation table using show xlate to verify your traffic is correctly NATed and use the packet-tracer command to simulate a flow to verify which ACL and which NAT rule would match.

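Why the PC's packets leave the ASA untranslated, and where a subnet-wide PAT has to sit so that it does not shadow the one-to-one statics already in the configuration, as an added example that is not part of the thread and not Cisco code: a Python model of the ASA 8.3+ NAT table. The ASA evaluates Section 1 (manual `nat ... source ...` rules, in configuration order), then Section 2 (object NAT, auto-ordered: static before dynamic, then fewer real addresses first, then object name), then Section 3 (manual rules marked `after-auto`), and the first match wins. The model uses a subset of the (INSIDE,OUTSIDE) rules and addresses from the first configuration above, the object `PC` (10.227.224.0/22) defined in the second configuration further down, and 198.51.100.0/24 as a stand-in for the redacted 200.X.X.0 block.

```python
"""Model of how an ASA 8.3+ picks a NAT rule for an outbound packet.

Added example, not from the original thread and not Cisco code. It reproduces
the three-section NAT table (Section 1: manual NAT; Section 2: object/auto NAT;
Section 3: manual NAT marked 'after-auto') with first-match semantics, using
the real addresses from the thread's first configuration. The public block
200.X.X.0 is redacted in the thread, so 198.51.100.0/24 (TEST-NET-2) stands in.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF_IP = "198.51.100.194"   # stand-in for the redacted 200.X.X.194
Lookup = Tuple[Optional[str], str, int]   # (rule name or None, mapped ip, mapped port)


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                     # 1 = manual, 2 = object NAT, 3 = manual after-auto
    real: str                        # real (inside) source, host or subnet in CIDR form
    mapped: str                      # mapped address, or "interface"
    kind: str                        # "static" or "dynamic"
    seq: int = 0                     # configuration order inside Sections 1 and 3
    real_port: Optional[int] = None  # set for 'static interface service tcp <real> <mapped>'
    mapped_port: Optional[int] = None


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _section2_key(r: NatRule):
    # Object NAT is auto-ordered: static before dynamic, then fewer real
    # addresses first, then alphabetically by object name.
    return (0 if r.kind == "static" else 1, _net(r.real).num_addresses, r.name)


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """The order in which the ASA evaluates the (INSIDE,OUTSIDE) rules."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.seq)
    s2 = sorted((r for r in rules if r.section == 2), key=_section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.seq)
    return s1 + s2 + s3


def translate(rules: List[NatRule], src_ip: str, src_port: int) -> Lookup:
    """First matching rule wins; destination is 'any' for every rule modelled here."""
    ip = ipaddress.ip_address(src_ip)
    for r in ordered(rules):
        if ip not in _net(r.real):
            continue
        if r.real_port is not None and r.real_port != src_port:
            continue   # a port-specific static only translates that real port
        mapped_ip = OUTSIDE_IF_IP if r.mapped == "interface" else r.mapped
        mapped_port = r.mapped_port if r.mapped_port is not None else src_port
        return r.name, mapped_ip, mapped_port
    # No rule matched: since 8.3 there is no nat-control, so the packet is
    # forwarded untranslated with its RFC 1918 source and no reply can return.
    return None, src_ip, src_port


def thread_rules() -> List[NatRule]:
    """A representative subset of the (INSIDE,OUTSIDE) rules in the first configuration."""
    return [
        NatRule("AutopartesStgo_SucNI_81", 2, "10.227.225.12/32", "interface", "static",
                real_port=81, mapped_port=10081),
        NatRule("CACTI->ip120", 3, "10.227.224.11/32", "198.51.100.120", "static", seq=1),
        NatRule("Caja_Hipodromo->ip123", 3, "10.227.225.29/32", "198.51.100.123", "static", seq=6),
    ]


def catch_all_pat(section: int, seq: int = 0) -> NatRule:
    """Subnet-wide PAT to the interface address for object PC (10.227.224.0/22)."""
    return NatRule("PC->interface", section, "10.227.224.0/22", "interface", "dynamic", seq=seq)


def compare_placements(pc: str = "10.227.224.228", cacti: str = "10.227.224.11"):
    """Mapped source for the test PC and for CACTI under each placement of the PAT rule."""
    base = thread_rules()
    variants = {
        "original": base,
        "pat_manual_section1": base + [catch_all_pat(1)],      # nat (INSIDE,OUTSIDE) source dynamic PC interface
        "pat_object_section2": base + [catch_all_pat(2)],      # object network PC / nat (INSIDE,OUTSIDE) dynamic interface
        "pat_after_auto_last": base + [catch_all_pat(3, 99)],  # nat (INSIDE,OUTSIDE) after-auto source dynamic PC interface
    }
    return {label: (translate(rules, pc, 50000)[1], translate(rules, cacti, 50000)[1])
            for label, rules in variants.items()}


if __name__ == "__main__":
    for label, (pc_mapped, cacti_mapped) in compare_placements().items():
        print(f"{label:22s} PC -> {pc_mapped:16s} CACTI -> {cacti_mapped}")
```

The `original` row is the thread's problem: 10.227.224.228 matches no rule and leaves with its private address. The `pat_manual_section1` and `pat_object_section2` rows are the caveat to the two fixes suggested in the replies: a subnet-wide dynamic PAT added as a plain manual rule (Section 1) or as object NAT (Section 2 dynamic) is evaluated before the `after-auto` statics, so CACTI would go out as the interface address instead of ip120, while inbound traffic to ip120 would still reach it. Appending the rule as `nat (INSIDE,OUTSIDE) after-auto source dynamic PC interface` keeps the statics first. On the box, `show nat detail` prints the same section order and `packet-tracer input INSIDE tcp 10.227.224.228 50000 8.8.8.8 443` shows which rule a flow hits.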

33 Replies

First of all thank you both for your help.

Today is a holiday in my country so I can't run the tests you're suggesting because I'm not at the office, but tomorrow morning the first thing I'll do is check what you're telling me.

I just want to tell you that I have an ASA 5520 in production and working fine. My idea is to replace that 5520 with the 5540 mentioned before, once it's running well. Because of that, the 5540 has some configuration from the 5520 that I tried to clone from one to the other. Maybe that isn't right??

Thanks in advance.

Hi folks!! Now I have a new problem, now in this new scenario:

I have a Cablemodem connected directly to the internet through its WAN interface; on the LAN interface it has IP address 192.168.1.1 and it's not serving DHCP. When I connect my PC directly to the CM I set up a static IP address (192.168.1.3) and can reach the internet without problem. So far so good.

Now I configured one of the ASA interfaces with that IP address (192.168.1.3), named it CM and connected the Cablemodem to it. Right after that I removed "nat (INSIDE,OUTSIDE) source dynamic PC interface" and added "nat (INSIDE,CM) source dynamic PC interface", but the PC isn't reaching the internet.

What am I doing wrong?? Can anybody help me please??

I didn't see this new block 192.168.1.x/24 anywhere in the configuration you sent earlier. Can you send how you are NATing this address and how it is getting routed to the internet? Also, if you can, send the route table.

Sorry my friend, here's the new configuration:

ciscoasa# show running-config
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
enable password X encrypted
passwd X encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 200.X.X.194 255.255.255.252
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.227.225.1 255.255.252.0
!
interface GigabitEthernet0/2
 nameif CM
 security-level 50
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet0/3
 nameif CMTS  
 security-level 50
 ip address 192.168.61.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.22 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
same-security-traffic permit intra-interface
object network CACTI
 host 10.227.224.11
object network ip120
 host 200.X.X.120
object network ip101
 host 200.X.X.101
object network ip102
 host 200.X.X.102
object network ip121
 host 200.X.X.121
object network ip122
 host 200.X.X.122
object network ip123
 host 200.X.X.123
object network ip124
 host 200.X.X.124
object network ip125
 host 200.X.X.125
object network ip126
 host 200.X.X.126
object network ip127
 host 200.X.X.127
object network Caja_Hipodromo
 host 10.227.225.29
object network Farma_Eco_NI
 host 10.227.255.3
object network Gas_Holanda
 host 10.227.225.41
object network Gasolinera_CM
 host 10.227.225.22
object network Gasolinera_Samantha
 host 10.227.225.21
object network Notigram
 host 10.227.224.225
object network Odoo
 host 10.227.224.226
object network AutopartesStgo_SucNI_81
 host 10.227.225.12
object network AutopartesStgo_SucNI_554
 host 10.227.225.12
object network AutopartesStgo_SucNI_8000
 host 10.227.225.12
object network PC
 subnet 10.227.224.0 255.255.252.0
access-list INSIDE_nat_outbound extended permit ip object PC any
access-list OUTSIDE_access_in remark Cacti
access-list OUTSIDE_access_in extended permit ip any object ip120 log disable
access-list OUTSIDE_access_in remark Caja Hipodromo
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.123 log disable
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10443 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10500 inactive
access-list OUTSIDE_access_in remark puerto caja hipodromo NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 14500 inactive
access-list OUTSIDE_access_in remark Farmacia Economica NI
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.102
access-list OUTSIDE_access_in remark puerto Ferrepisos NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 13389
access-list OUTSIDE_access_in remark Gasolinera Samantha
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.127 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10081 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10554 log disable
access-list OUTSIDE_access_in remark Autopartes Stgo Suc NI
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 18000 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10587 log disable
access-list OUTSIDE_access_in remark caja popular progreso
access-list OUTSIDE_access_in extended permit tcp any host 200.X.X.118 eq 10110
access-list OUTSIDE_access_in extended permit udp 200.X.X.0 255.255.255.0 any range 10000 20000 log disable
access-list OUTSIDE_access_in remark Odoo Felipe
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.121 log disable
access-list OUTSIDE_access_in remark Gasolinera Holanda
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.101 log disable
access-list OUTSIDE_access_in remark Servidor Notigram
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.122 log disable
access-list OUTSIDE_access_in remark Gasolinera CM
access-list OUTSIDE_access_in extended permit ip any host 200.X.X.124 log disable
access-list OUTSIDE_access_in extended permit ip any any
access-list CMTS_nat_outbound extended permit ip 10.39.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_1 extended permit ip 10.27.0.0 255.255.0.0 any
access-list CMTS_nat_outbound_2 extended permit ip 10.25.0.0 255.255.0.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.229.0.0 255.255.255.0 any
access-list FTTH_nat_outbound_1 extended permit ip 10.228.0.0 255.255.240.0 any
access-list INSIDE_access_in extended permit ip object PC any
pager lines 24
logging enable
logging console debugging
logging monitor debugging
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu CM 1500
mtu CMTS 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INSIDE,CM) source dynamic PC interface
!
object network AutopartesStgo_SucNI_81
 nat (INSIDE,OUTSIDE) static interface service tcp 81 10081
object network AutopartesStgo_SucNI_554
 nat (INSIDE,OUTSIDE) static interface service tcp rtsp 10554
object network AutopartesStgo_SucNI_8000
 nat (INSIDE,OUTSIDE) static interface service tcp 8000 18000
!
nat (INSIDE,OUTSIDE) after-auto source static CACTI ip120
nat (INSIDE,OUTSIDE) after-auto source static Gas_Holanda ip101
nat (INSIDE,OUTSIDE) after-auto source static Farma_Eco_NI ip102
nat (INSIDE,OUTSIDE) after-auto source static Odoo ip121
nat (INSIDE,OUTSIDE) after-auto source static Notigram ip122
nat (INSIDE,OUTSIDE) after-auto source static Caja_Hipodromo ip123
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_CM ip124
nat (INSIDE,OUTSIDE) after-auto source static Gasolinera_Samantha ip127
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 200.X.X.193 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route CM 10.228.0.0 255.255.240.0 10.229.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server location Site-X
snmp-server contact X
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username X password X encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!             
service-policy global_policy global
prompt hostname context
Cryptochecksum:X
: end

I only changed:

interface GigabitEthernet0/2
 nameif CM
 security-level 50
 ip address 192.168.1.3 255.255.255.0

and:

nat (INSIDE,CM) source dynamic PC interface

Regarding route table:

ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 200.X.X.193 to network 0.0.0.0

C    200.X.X.192 255.255.255.252 is directly connected, OUTSIDE
C    10.227.224.0 255.255.252.0 is directly connected, INSIDE
S    10.228.0.0 255.255.240.0 [1/0] via 10.229.0.2, CM
C    192.168.0.0 255.255.255.0 is directly connected, management
C    192.168.1.0 255.255.255.0 is directly connected, CM
S*   0.0.0.0 0.0.0.0 [1/0] via 200.X.X.193, OUTSIDE

The only thing I need is that traffic from PC reach internet through CM interface, without affecting other routes that wil reach internet through the OUTSIDE interface.

Does this help you?

You want to NAT your inside network to CM (192.168.1.x) but you have outside interface configured as the default gateway therefore it doesn't know how to get out.

Since the destination address won't be specific you can't configure a route pointing to CM, and you can't have dual default gateways. I will have to look up whether there is a way to do it. In the meantime maybe someone else can assist you with this.

I really appreciate your help very much cofee@0400.

I totally agree with what you say regarding the 2 default gateways.

I have only 1 doubt: since the inside network is NATed to the CM interface, isn't the Cablemodem itself the gateway for everything coming in on its LAN port??

The problem is that your ASA can only use one default route. If traffic from your inside network is received, ASA will determine which outbound interface should be used to route the traffic to.

In case no specific route is found, it will fall back to your configured default route and route traffic according to your configuration. In case you would like to utilize source-based routing (e.g. route traffic from Subnet A to Internet via Uplink CM) PBR would be needed which is available since 9.5.x

Is there any reason you want to route traffic destined to the internet to different interfaces?

Alright guys, I just tested PBR in ASA 9.5 and it will do the job you are looking for. Thanks to Kaisero for pointing this out because I didn't know that PBR was supported by ASA now. I didn't have to create a floating default route to make it work because I guess the next hop is specified inside the route-map. But this was tested in a virtual lab, so if for some reason it doesn't work you can create this ( route cm 0.0.0.0 0.0.0.0 192.168.1.3 2 )
So if your management really wants to implement this then upgrading your firewall to 9.5 (I think 9.4 also supports it, but to be safe upgrade to 9.5) and using policy based routing is your only option.
For troubleshooting - debug policy-route
* NAT is already there from inside to CM so you are good there.
This is what you will need to do:
* Create access list for interesting traffic:
access-list inside_to_cm permit ip 10.x.x.x 255.x.x.x any log
!
* Create route-map
route-map PBR  permit 10
match ip address inside_to_cm
set ip next-hop 192.168.1.3           (ip for wan interface)
* Apply route-map to inside interface
interface g.xx ( this will be applied to your inside interface)
policy-route route-map PBR
!
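How the ASA decides where a packet from the LAN goes once policy-based routing is in play, as an added example that is not part of the thread and not Cisco code: a Python model of the forwarding decision the last few replies describe. Policy routing on the ingress interface is consulted first, then the routing table (longest prefix, then lowest administrative distance), which is why only one default route is ever active and the `route cm 0.0.0.0 0.0.0.0 ... 2` floating default sits unused while the distance-1 default is up. Two assumptions differ from the post above: the next hop on CM is taken to be the cable modem's LAN address 192.168.1.1 from the earlier post (192.168.1.3 is the ASA's own CM interface address, so `set ip next-hop 192.168.1.3` would point at the firewall itself), and 198.51.100.193 stands in for the redacted upstream gateway 200.X.X.193. The model also shows the caveat in the match ACL `permit ip 10.227.224.0 255.255.252.0 any`: with `any` as destination it would also steer the LAN's traffic to the CMTS networks (10.24.0.0/16 and the others in the route table) to the cable modem, so deny entries for internal destinations have to come first.

```python
"""Model of the ASA forwarding decision behind the 'internet via CM' question.

Added example, not from the thread and not Cisco code. It reproduces the order
the replies above describe: policy-based routing on the ingress interface is
consulted first, then the routing table (longest prefix, then lowest distance),
so only one default route is ever active. Assumptions: the cable modem's LAN
address 192.168.1.1 from the earlier post is the next hop on CM (192.168.1.3 is
the ASA's own CM address), and 198.51.100.193 stands in for the redacted
upstream gateway 200.X.X.193.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")
PC_NET = ipaddress.ip_network("10.227.224.0/22")      # object network PC


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    next_hop: str
    distance: int = 1     # trailing number in 'route <iface> <net> <mask> <gw> <distance>'


@dataclass(frozen=True)
class AclEntry:           # one line of the route-map's match ACL
    permit: bool
    src: Net
    dst: Net


@dataclass(frozen=True)
class PbrClause:          # 'route-map PBR permit 10' with its match and set statements
    acl: Tuple[AclEntry, ...]
    iface: str
    next_hop: str         # 'set ip next-hop'


def acl_permits(acl: Tuple[AclEntry, ...], src, dst) -> bool:
    for e in acl:                        # first matching entry decides; implicit deny at the end
        if src in e.src and dst in e.dst:
            return e.permit
    return False


def rib_lookup(rib: List[Route], dst: str) -> Optional[Route]:
    d = ipaddress.ip_address(dst)
    cands = [r for r in rib if d in r.prefix]
    if not cands:
        return None
    # Longest prefix wins; among equal prefixes only the lowest distance is installed,
    # so a second default route with distance 2 is a floating route that sits unused.
    return min(cands, key=lambda r: (-r.prefix.prefixlen, r.distance))


def forward(src: str, dst: str, ingress: str, pbr: Dict[str, List[PbrClause]], rib: List[Route]):
    """Return (egress interface, next hop, reason) for a packet arriving on `ingress`."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for clause in pbr.get(ingress, []):     # 'policy-route route-map' on the ingress interface runs first
        if acl_permits(clause.acl, s, d):
            return clause.iface, clause.next_hop, "pbr"
    r = rib_lookup(rib, dst)
    return (r.iface, r.next_hop, "rib") if r else (None, None, "no-route")


def thread_rib() -> List[Route]:
    """The relevant static routes from the second configuration, plus the floating default."""
    n = ipaddress.ip_network
    return [
        Route(n("0.0.0.0/0"), "OUTSIDE", "198.51.100.193", 1),
        Route(n("0.0.0.0/0"), "CM", "192.168.1.1", 2),        # floating default from the post above
        Route(n("10.25.0.0/16"), "CMTS", "192.168.61.122", 1),
        Route(n("10.228.0.0/20"), "CM", "10.229.0.2", 1),
    ]


def naive_pbr() -> Dict[str, List[PbrClause]]:
    """access-list inside_to_cm extended permit ip 10.227.224.0 255.255.252.0 any"""
    return {"INSIDE": [PbrClause((AclEntry(True, PC_NET, ANY),), "CM", "192.168.1.1")]}


def scoped_pbr() -> Dict[str, List[PbrClause]]:
    """Same ACL with deny lines for the private destinations first, so only
    internet-bound traffic is steered to the cable modem."""
    n = ipaddress.ip_network
    acl = (AclEntry(False, PC_NET, n("10.0.0.0/8")),
           AclEntry(False, PC_NET, n("192.168.0.0/16")),
           AclEntry(True, PC_NET, ANY))
    return {"INSIDE": [PbrClause(acl, "CM", "192.168.1.1")]}


if __name__ == "__main__":
    rib = thread_rib()
    for label, pbr in (("no PBR", {}), ("naive PBR", naive_pbr()), ("scoped PBR", scoped_pbr())):
        for dst in ("8.8.8.8", "10.25.1.1"):
            print(label, "10.227.224.228 ->", dst, forward("10.227.224.228", dst, "INSIDE", pbr, rib))
```

With no PBR every internet-bound packet from the LAN follows the single active default to OUTSIDE, which is the behaviour the earlier replies explain. With the naive ACL the PC's traffic to 10.25.1.1 (a CMTS network) is also sent to the cable modem; with the deny lines in front it falls through to the routing table and reaches CMTS as before. `debug policy-route`, as mentioned above, shows the same decision per packet on the ASA.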

Thank you all guys for your help. I already tried to upgrade my ASA once but it wasn't possible due to the cost of the license.

Again thank you very much for your help.

I'll continue running some tests.

Keep in touch.

BR.

Hi folks, me again...

I'm still running tests in the ASA 5540. My problem now is that I can't see the log, don't know how...

In the ASDM at the bottom I can see the "Latest ASDM Syslog Messages" but they are shown so fast that I can't read them. In the CLI I don't even have a clue about how to see the log. Can anybody help me please???

Thanks in advance.

Inside the ASDM portal click on monitoring (at the top) - logging (at the bottom of screen) - view  ( on this page you can filter the traffic you want to monitor)

CLI - show log (or "show log | inc <ip address>", where <ip address> is the address you want to monitor).

Got it!!

Thank you very much my friend.

Hi my friend, I've got a new doubt

is it possible to see which PC of my LAN is accessing a specific public IP address, such as 200.x.x.x ???

Thank you very much in advance...
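One way to answer the last question from the log rather than from the live connection table, as an added example that is not part of the thread and not Cisco tooling. The ASA's connection-setup messages, %ASA-6-302013 (TCP) and %ASA-6-302015 (UDP), carry both endpoints' real addresses with the NAT-mapped address in parentheses, so filtering them on the public peer gives the LAN host regardless of whether the connection was outbound from the PC or inbound to one of the statics. Two practical points for the ASA side, which the Python below assumes has already been done: `show logging` reads the in-memory buffer, which only fills once `logging buffered informational` (or `debugging`) is configured, and the second configuration above has console and monitor logging at debugging but no buffered logging; and on a production box the messages should go to a syslog host (`logging host`) rather than to the console, which is why the earlier reply only called `logging console 7` safe on a firewall that is not live. The log lines are constructed for this example and 198.51.100.0/24 stands in for the redacted 200.X.X.0 block.

```python
"""Find which LAN host connected to a given public address from ASA syslog.

Added example, not part of the thread and not Cisco tooling. It parses the
connection-setup messages the ASA emits at severity 6, %ASA-6-302013 (TCP) and
%ASA-6-302015 (UDP), which record the real address of both ends and the
NAT-mapped address in parentheses. SAMPLE_LOG is constructed for this example;
198.51.100.0/24 stands in for the thread's redacted 200.X.X.0 block.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

CONN_RE = re.compile(
    r"%ASA-6-3020(?:13|15): Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<cid>\d+) "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \((?P<map_a>[\d.]+)/\d+\) "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) \((?P<map_b>[\d.]+)/\d+\)"
)

# Constructed sample: two hosts reach 198.51.100.50 outbound, one DNS lookup,
# one inbound hit on the Caja_Hipodromo static, and a teardown line to ignore.
SAMPLE_LOG = """\
Jan 10 2017 09:12:01 ciscoasa : %ASA-6-302013: Built outbound TCP connection 4101 for OUTSIDE:198.51.100.50/443 (198.51.100.50/443) to INSIDE:10.227.224.228/51002 (198.51.100.194/51002)
Jan 10 2017 09:12:03 ciscoasa : %ASA-6-302015: Built outbound UDP connection 4102 for OUTSIDE:8.8.8.8/53 (8.8.8.8/53) to INSIDE:10.227.224.228/60011 (198.51.100.194/60011)
Jan 10 2017 09:12:05 ciscoasa : %ASA-6-302013: Built outbound TCP connection 4103 for OUTSIDE:198.51.100.50/443 (198.51.100.50/443) to INSIDE:10.227.224.11/44120 (198.51.100.120/44120)
Jan 10 2017 09:12:09 ciscoasa : %ASA-6-302013: Built inbound TCP connection 4104 for OUTSIDE:198.51.100.50/38822 (198.51.100.50/38822) to INSIDE:10.227.225.29/443 (198.51.100.123/443)
Jan 10 2017 09:12:10 ciscoasa : %ASA-6-302014: Teardown TCP connection 4101 for OUTSIDE:198.51.100.50/443 to INSIDE:10.227.224.228/51002 duration 0:00:09 bytes 5120 TCP FINs
"""


def parse_connections(lines: Iterable[str], inside_if: str = "INSIDE") -> List[Dict]:
    """One record per 'Built ... connection' line, normalised to (inside host, peer)."""
    records = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue                     # teardowns and unrelated messages are skipped
        a = (m["if_a"], m["ip_a"], int(m["port_a"]), m["map_a"])
        b = (m["if_b"], m["ip_b"], int(m["port_b"]), m["map_b"])
        # The endpoint on the inside interface is the LAN host, whichever side the
        # direction word puts it on; the other endpoint is the public peer.
        inside, peer = (a, b) if a[0] == inside_if else (b, a)
        records.append({
            "cid": int(m["cid"]), "direction": m["direction"], "proto": m["proto"],
            "inside_host": inside[1], "inside_port": inside[2], "mapped_as": inside[3],
            "peer": peer[1], "peer_port": peer[2],
        })
    return records


def connections_to(lines: Iterable[str], public_ip: str, inside_if: str = "INSIDE") -> List[Dict]:
    """Connections in either direction between any LAN host and `public_ip`."""
    return [c for c in parse_connections(lines, inside_if) if c["peer"] == public_ip]


def hosts_talking_to(lines: Iterable[str], public_ip: str, inside_if: str = "INSIDE") -> Dict[str, int]:
    """LAN host -> number of connections with `public_ip`: the answer to the question above."""
    return dict(Counter(c["inside_host"] for c in connections_to(lines, public_ip, inside_if)))


if __name__ == "__main__":
    for c in connections_to(SAMPLE_LOG.splitlines(), "198.51.100.50"):
        print(f'{c["direction"]:8s} {c["proto"]} {c["inside_host"]}:{c["inside_port"]} '
              f'(as {c["mapped_as"]}) <-> {c["peer"]}:{c["peer_port"]}')
    print(hosts_talking_to(SAMPLE_LOG.splitlines(), "198.51.100.50"))
```

The same filter run on the box is `show logging | include 198.51.100.50`, which lists the raw lines but leaves the direction and the real-versus-mapped addresses for you to read; `show conn address <ip>` gives the current connections only, not history. Feeding the output of a `logging host` collector through `hosts_talking_to` answers "which PC" over any retention window.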
