03-26-2018 04:30 PM - edited 03-08-2019 02:24 PM
Hi All,
Just got an ASA 5506-X and upon configuring:
Please see config file below
els-ciscoasa02# show running-config : Saved : : Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores) : ASA Version 9.5(1) ! hostname els-ciscoasa02 domain-name enable password names ! interface GigabitEthernet1/1 nameif TPx security-level 0 ip address 216.14.6.192 255.255.255.240 no shutdown ! interface GigabitEthernet1/2 nameif CORPNET security-level 100 ip address 10.110.52.1 255.255.255.0 no shutdown ! interface GigabitEthernet1/3 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/5 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/6 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/7 shutdown no nameif no security-level no ip address ! interface GigabitEthernet1/8 shutdown no nameif no security-level no ip address ! interface Management1/1 management-only no nameif no security-level no ip address ! ftp mode passive dns server-group DefaultDNS domain-name cti.com object network obj_any subnet 0.0.0.0 0.0.0.0 access-list inside-out extended permit ip 10.110.52.0 255.255.252.0 host 216.14.6.192 access-list outside-in extended permit ip 216.14.6.192 255.255.255.240 host 10.110.52.1 pager lines 24 logging asdm informational mtu TPx 1500 mtu CORPNET 1500 icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected ! object network obj_any nat (any,TPx) dynamic interface ! nat (CORPNET,TPx) after-auto source dynamic any interface access-group outside-in in interface TPx access-group inside-out in interface CORPNET route TPx 0.0.0.0 0.0.0.0 216.14.6.193 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 user-identity default-domain LOCAL http server enable http 10.110.0.0 255.255.255.0 CORPNET no snmp-server location no snmp-server contact service sw-reset-button crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 no ssh stricthostkeycheck ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd address 10.110.52.11-10.110.52.254 CORPNET dhcpd dns 8.8.8.8 4.4.4.4 interface CORPNET dhcpd enable CORPNET ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-access-policy-record DfltAccessPolicy ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:b45165b21113f5954ad8e7e69e7216be : end
03-26-2018 09:59 PM
Hi,
I found there is an access list configured and assigned to inside (CORPNET) interface, which is not allowed to communicate with 8.8.8.8. It is suggested to remove the access-list and check again.
no access-group inside-out in interface CORPNET
Regards,
Deepak Kumar
03-27-2018 01:07 PM
I just gave that a shot and same behavior.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide