Mohamed,

Thanks for your reply!

I have changed route 'inside' to 'outside' without any problems...but...can you be more explicite about the next one;

'Global (Outside) 1 intterface , as long as (Nat) inside 1 , Global (Outside)1 configured , then there is no additional rules to permit the traffic from higher Security Level to a lower Security level.'

I do not understand...thanks again!

What Mohamed means is that you have

nat (inside) 1 0.0.0.0 0.0.0.0

but you have no global (outside) 1 interface statement to match.

Your inside addresses are 192.168.1.x, these addresses will not route on the Internet so you need to NAT/PAT them to the public IP on your outside interface. You do this by matching

nat (inside) 1 0.0.0.0 0.0.0.0

with

global (outside) 1 interface

So apart from your nat (inside) 0 exemption all traffic destined for the Internet from inside will be natted to the public IP on the outside interface of your ASA.

Traffic by default is allowed from a higher security (your inside interface) to a lower security (your outside interface) so you do not need to update any access-lists. Remember with a stateful firewall once you allow traffic one way the return traffic is allowed without an acl.

So if you just add "global (inside) 1 interface" you should be able to get connectivity to the Internet.

Jon

I starting to feel a bit stupid to be honest.. :(

I set up what I think is correct, here the changes....damn this is harder then I thought...

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.55 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 87.x.x.84 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240

access-list outside_nat_outbound extended permit ip 87.x.x.80 255.255.255.248 192.168.1.240 255.255.255.240

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool Demiam_Pool1 192.168.1.240-192.168.1.250 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 87.x.x.83 netmask 255.255.255.248

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 access-list outside_nat_outbound

route outside 0.0.0.0 0.0.0.0 87.x.x.83 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.220-192.168.1.250 inside

dhcpd enable inside

!

group-policy Demiam_Tunnel internal

group-policy Demiam_Tunnel attributes

dns-server value 192.168.1.1

vpn-tunnel-protocol IPSec

username ralfmusterd password xxx encrypted privilege 0

username ralfmusterd attributes

vpn-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel type ipsec-ra

tunnel-group Demiam_Tunnel general-attributes

address-pool Demiam_Pool1

default-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

asdm image disk0:/asdm-524.bin

no asdm history enable

I starting to feel a bit stupid to be honest.. :(

:-), you should have seen my recent performance in LAN Routing & Switching after i had had a few too many !!.

Don't worry everythings easy but only once you know how to do it.

You have set the following in your config

global (outside) 1 87.x.x.83 netmask 255.255.255.248

but 87.x.x.83 is the default-gateway of the ISP router or at least that is what you have in your router statement.

87.x.x.80 255.255.255.248 is your network which gives you

87.x.x.81 -> 87.x.x.86 as useable addresses with .87 as the broadcast address.

So you can use any of the above except .83 and the broadcast. Is there some reason you do not want to use the outside interface address on your ASA ie. 87.x.x.84 ?

If you don't mind using it replace

global (outside) 1 87.x.x.83 netmask 255.255.255.248

with

global (outside) 1 interface

If you want to use one of the other addresses

global (outside) 1 87.x.x.85 netmask 255.255.255.255

Jon

Hi Jon,

Set it up like this now;

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.55 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 87.x.x.84 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240

access-list outside_nat_outbound extended permit ip 87.x.x.80 255.255.255.248 192.168.1.240 255.255.255.240

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool Demiam_Pool1 192.168.1.240-192.168.1.250 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 87.x.x.85 netmask 255.255.255.248

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 access-list outside_nat_outbound

route outside 0.0.0.0 0.0.0.0 87.x.x.83 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.220-192.168.1.250 inside

dhcpd enable inside

!

group-policy Demiam_Tunnel internal

group-policy Demiam_Tunnel attributes

dns-server value 192.168.1.1

vpn-tunnel-protocol IPSec

username ralfmusterd password xxx encrypted privilege 0

username ralfmusterd attributes

vpn-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel type ipsec-ra

tunnel-group Demiam_Tunnel general-attributes

address-pool Demiam_Pool1

default-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

asdm image disk0:/asdm-524.bin

no asdm history enable

But no go yet... I can't see this case in a helicoper view...damn. Thanks for your help Jon!

Things to check

1) From the firewall can you ping the default-gateway 87.x.x.83

2) What is the source IP address you are trying to access the internet from ?

3) If do you do a "sh xlate" or "sh running-config xlate" do you see a translation for the IP address in 2)

Jon

Can you ping anything outside from a host on the 192.168.1.x subnet? I noticed in your dhcp settings, you aren't setting a dns server. If you can ping an address (4.2.2.1), I would add the dns settings to your scope (unless you're manually setting them, and then I'm way off).

dhcpd dns

--John