579 Views, 0 Helpful, 4 Replies

ASA5505: can't access WWW from 3rd vlan (inside out)

craess
Level 1

Hi all,

Please help me. I have a problem in the config of my ASA5505: I can't access the Internet from my newly created VLAN number 4 (Vlan4).

Here is my config:

ASA Version 8.4(1)
!
hostname FWWIB1
enable password OEIOH8Zv/vNvif8C encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif WIB
 security-level 100
 ip address 192.168.222.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Vlan4
 nameif ETC
 security-level 60
 ip address 192.168.16.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup WIB
dns domain-lookup ETC
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 192.168.1.1
 name-server 195.186.1.162
 name-server 62.2.17.61
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.55.0_25
 subnet 192.168.55.0 255.255.255.128
object network NETWORK_OBJ_192.168.222.0_24
 subnet 192.168.222.0 255.255.255.0
object network Vigor
 host 192.168.1.1
access-list WIBRAS4ALL_splitTunnelAcl standard permit 192.168.222.0 255.255.255.0
access-list WIB_access_in extended permit ip any any
access-list ETC_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu WIB 1500
mtu outside 1500
mtu ETC 1500
ip local pool WIBRASPool 192.168.55.55-192.168.55.65 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (WIB,outside) source dynamic any interface
nat (WIB,outside) source static any any destination static NETWORK_OBJ_192.168.55.0_25 NETWORK_OBJ_192.168.55.0_25
nat (WIB,outside) source static NETWORK_OBJ_192.168.222.0_24 NETWORK_OBJ_192.168.222.0_24 destination static NETWORK_OBJ_192.168.55.0_25 NETWORK_OBJ_192.168.55.0_25
nat (WIB,outside) source static any any
nat (ETC,outside) source static any any
nat (ETC,outside) source dynamic any interface
!
object network obj_any
 nat (any,outside) dynamic interface
access-group WIB_access_in in interface WIB
access-group ETC_access_in in interface ETC
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.222.0 255.255.255.0 WIB
http 192.168.16.0 255.255.255.0 ETC
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.222.120-192.168.222.254 WIB
dhcpd dns 192.168.1.1 8.8.8.8 interface WIB
dhcpd lease 864000 interface WIB
dhcpd enable WIB
!
dhcpd address 192.168.16.20-192.168.16.200 ETC
dhcpd dns 192.168.1.1 8.8.8.8 interface ETC
dhcpd lease 864000 interface ETC
dhcpd enable ETC
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 162.23.41.34 source outside
ntp server 194.88.212.205 source outside prefer
webvpn
group-policy WIBRAS4ALL internal
group-policy WIBRAS4ALL attributes
 vpn-tunnel-protocol ikev1 ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WIBRAS4ALL_splitTunnelAcl
username xxxxx password jezwB8dcsgMWFU1Q encrypted privilege 15
username xxxxx attributes
 vpn-group-policy WIBRAS4ALL
username yyyyyy password 2s6hsBEa4EwJPz5A encrypted privilege 15
username yyyyyy attributes
 vpn-group-policy WIBRAS4ALL
username zzzzzz password pAYFNGNl7qIaXsZT encrypted privilege 15
username zzzzzz attributes
 vpn-group-policy WIBRAS4ALL
username fffffff password 7a9Uq15CRaie7CdZ encrypted privilege 15
username fffffff attributes
 vpn-group-policy WIBRAS4ALL
tunnel-group WIBRAS4ALL type remote-access
tunnel-group WIBRAS4ALL general-attributes
 address-pool WIBRASPool
 default-group-policy WIBRAS4ALL
tunnel-group WIBRAS4ALL ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c7bd768aaa1575f1b035ac6b02855311
: end

Thanks for any suggestions.

Chris

Accepted Solution

Hi,

Did you check "show xlate" for the 192.168.16.0/24 network? Do you want the 192.168.16.0/24 network going to the Internet NATted by the outside interface?

Please try this if you want to do NAT on the outside interface:

!
no nat (ETC,outside) source dynamic any interface
no nat (ETC,outside) source static any any
!
object network ETC-VLAN4
 subnet 192.168.16.0 255.255.255.0
 nat (ETC,outside) dynamic interface
!

HTH,

Toshi

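The accepted answer removes both manual NAT lines for the ETC interface pair and replaces them with a single object NAT rule. The reason that helps is ordering: on ASA 8.3+ the manual ("section 1") NAT rules are evaluated in configuration order and the first match wins, so a rule such as `nat (ETC,outside) source static any any` with no destination clause matches every packet from ETC, leaves it untranslated, and makes the `source dynamic any interface` rule after it unreachable; object NAT in section 2 is only consulted when no section 1 rule matches. The following script is an added example, not code from the thread or from Cisco, and embeds the NAT lines from the posted running-config as its sample input. It parses the manual NAT rules, reports every rule shadowed by an earlier catch-all rule for the same interface pair, and reports catch-all identity rules that are the first match for their pair (traffic leaves the outside interface with a private source address). It also confirms that Toshi's replacement block produces no such finding.

```python
"""Lint ASA 8.3+ manual NAT rules for catch-all rules that shadow later rules.

Added example, not from the thread. Assumption: manual NAT ("section 1") rules
are evaluated in configuration order, first match wins, and a rule whose real
source is `any` with no destination clause matches every packet between its
interface pair, so every later rule for that pair is never reached.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# NAT lines copied from the running-config posted in the thread.
SAMPLE_CONFIG = """\
nat (WIB,outside) source dynamic any interface
nat (WIB,outside) source static any any destination static NETWORK_OBJ_192.168.55.0_25 NETWORK_OBJ_192.168.55.0_25
nat (WIB,outside) source static NETWORK_OBJ_192.168.222.0_24 NETWORK_OBJ_192.168.222.0_24 destination static NETWORK_OBJ_192.168.55.0_25 NETWORK_OBJ_192.168.55.0_25
nat (WIB,outside) source static any any
nat (ETC,outside) source static any any
nat (ETC,outside) source dynamic any interface
!
object network obj_any
 nat (any,outside) dynamic interface
"""

# The replacement block from the accepted answer (object NAT only, section 2).
FIXED_ETC_CONFIG = """\
object network ETC-VLAN4
 subnet 192.168.16.0 255.255.255.0
 nat (ETC,outside) dynamic interface
"""

# Only manual NAT has the "source" keyword; object NAT lines never match.
MANUAL_NAT_RE = re.compile(
    r"^nat \((?P<src_if>[^,]+),(?P<dst_if>[^)]+)\) source "
    r"(?P<kind>static|dynamic) (?P<real>\S+) (?P<mapped>\S+)(?P<rest>.*)$"
)


@dataclass
class ManualNat:
    line_no: int
    src_if: str
    dst_if: str
    kind: str          # "static" or "dynamic"
    real_src: str      # real (pre-translation) source object or "any"
    mapped_src: str    # mapped source object, or "interface" for PAT
    has_destination: bool
    text: str

    def is_catch_all(self) -> bool:
        # Any real source and no destination clause: matches every packet
        # between this interface pair.
        return self.real_src == "any" and not self.has_destination


def parse_manual_nat(config: str) -> list[ManualNat]:
    """Return the section 1 (manual) NAT rules in configuration order."""
    rules: list[ManualNat] = []
    for n, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = MANUAL_NAT_RE.match(line)
        if not m:
            continue
        rules.append(ManualNat(
            line_no=n, src_if=m["src_if"], dst_if=m["dst_if"], kind=m["kind"],
            real_src=m["real"], mapped_src=m["mapped"],
            has_destination="destination" in m["rest"].split(), text=line,
        ))
    return rules


def find_shadowed(rules: list[ManualNat]) -> list[tuple[ManualNat, ManualNat]]:
    """(catch_all_rule, unreachable_rule) pairs, per interface pair, in order."""
    catch_all_seen: dict[tuple[str, str], ManualNat] = {}
    findings = []
    for r in rules:
        key = (r.src_if, r.dst_if)
        if key in catch_all_seen:
            findings.append((catch_all_seen[key], r))
        elif r.is_catch_all():
            catch_all_seen[key] = r
    return findings


def untranslated_egress(rules: list[ManualNat]) -> list[ManualNat]:
    """Catch-all identity rules (static any any) that are the first match for
    their pair: every packet leaves with its real, private source address."""
    first: dict[tuple[str, str], ManualNat] = {}
    for r in rules:
        first.setdefault((r.src_if, r.dst_if), r)
    return [r for r in first.values()
            if r.is_catch_all() and r.kind == "static" and r.mapped_src == r.real_src]


if __name__ == "__main__":
    rules = parse_manual_nat(SAMPLE_CONFIG)
    for blocker, dead in find_shadowed(rules):
        print(f"line {dead.line_no} never matches; shadowed by line {blocker.line_no}: {blocker.text}")
    for r in untranslated_egress(rules):
        print(f"line {r.line_no} sends ({r.src_if},{r.dst_if}) traffic out untranslated: {r.text}")
    print("fixed ETC block findings:", find_shadowed(parse_manual_nat(FIXED_ETC_CONFIG)))
```

Run against the posted config the check reports the ETC pair exactly as the accepted answer fixes it (line 5, the identity rule, shadows line 6 and sends ETC traffic out untranslated), and it also reports that the three WIB rules after the first `source dynamic any interface` line are unreachable, because that rule matches every WIB packet to every destination; the check generalises the thread's point to any interface pair.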

4 Replies

Roman Rodichev
Level 7

ASA5505 requires Security Plus license to support DMZs, do you have it?

Hi Roman,

Yes, I have the Sec Plus license.


Hi all,

Thanks for helping me.

In the meantime I deleted all the definitions for VLAN 4 and created it again from scratch... now it works, but don't ask me why.

Maybe it has something to do with the NAT definitions, as Toshi said.

Thanks a lot again to all!!!

Chris
