STATIC NAT internet connectivity issue in ASA

Rawit2015
Level 1

Hi, I am having one urgent issue to fix. I have set 2 subnets (WAN from ISP). WAN1 that is used for GuestWiFi, and WAN2 for TVServer.

GuestWiFi is set and working perfectly, but the TVServer WAN has multiple public IPs. What I've done is set the first IP on the physical interface, and the second IP as a network object (host). Created an access list for inside to allow everything from that interface (permit ip any any). Set static NAT for both public IPs. I have also set the rule on outside to allow access on only certain ports. I was able to get from outside to inside (server) without any issues. I have used "nc" for that. The problem is that the server on the inside doesn't have internet access via that WAN2...

What am I missing? Why can't I get access to outside even though static NAT is set and access lists allow all traffic from inside to outside?

Unfortunately the interface is down as server is not connected now, and I don't believe that packet-tracer will help me with that.

P.S. There are two static routes (default) set.

1st one is for GuestWiFi and the metric is set to 1 (as higher priority)

2nd one is for TVServer and the metric is set to 2.

I know that there is a lot of garbage in the config that needs to be cleaned, but this is due to the testing that I performed.

Can someone please read config and help me with this.

Config

: Saved

:
: Serial Number: XXXXXXXXX
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
: Written by enable_15 at 22:59:07.919 GMT Wed Nov 30 2016
!
ASA Version 9.6(1)
!
hostname HC-ClientASA
enable password xxxxxxxxxxxxxxxxxx encrypted
names
ip local pool Test_DHCP_VPN 10.20.30.0-10.20.30.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address xxx.xxx.xxx.74 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
description WAN for ServerTV
nameif ServerTV
security-level 80
ip address 192.168.96.1 255.255.255.0
!
interface GigabitEthernet1/5
description GuestWiFi interface for Access poitns
nameif GuestWiFi
security-level 100
ip address 172.16.64.1 255.255.248.0
!
interface GigabitEthernet1/6
description Parking interface To Server
nameif ParkingInterface
security-level 100
ip address 172.16.17.1 255.255.255.0
!
interface GigabitEthernet1/7
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
description Old WAN Interface
nameif WAN_OLD
security-level 0
ip address xxx.xxx.xxx.137 255.255.255.252
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT 0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network OLD_GW
host xxx.xxx.xxx.138
description Old GW Interface
object network GuestWiFi_NAT_OLD
subnet 172.16.64.0 255.255.248.0
description GuestWiFi OLD WAN
object network NEW_GW
host xxx.xxx.xxx.73
description Telia New Gateway
object network TestGw
subnet 192.168.1.0 255.255.255.0
description Test NAT
object network VPN_POOL_10.20.30.0
subnet 10.20.30.0 255.255.255.128
description VPN Pool
object network GuestWiFiNAT
subnet 172.16.64.0 255.255.248.0
description NAT for guestWiFi
object network inside_NAT_OLD
subnet 192.168.1.0 255.255.255.0
description Inside OLD WAN
object network ParkingSystem
subnet 172.16.17.0 255.255.255.0
description Parking system NAT
object network ParkingSystem_NAT_OLD
subnet 172.16.17.0 255.255.255.0
description Parking S OLD WAN
object network ParkingSystemServers
subnet xxx.xxx.xxx.0 255.255.255.0
description Public WAN from Parking System
object network ParkingSystemSubnet
subnet 172.16.17.0 255.255.255.0
description Parking System Subnet
object network GuestWiFi
subnet 172.16.64.0 255.255.248.0
description GuestWiFi object
object network ParkingServer1
host 172.16.17.3
description ParkingServer1
object network ParkingServer2
host 172.16.17.4
description Parking server 2
object service TCP_Parking_771
service tcp source eq 771
description Port for Parking server1
object service TCP_Parking_771_U
service udp source eq 771
description Port for parking server UDP
object service TCP_Parking2_9100
service tcp source eq 9100
description Parking for server 2 TCP
object service TCP_Parking2_9100_U
service udp source eq 9100
description TCP_Parking2_9100_UDP
object network TestLabNAT
subnet 192.168.1.0 255.255.255.0
description TestLab NAT
object network GuestWiFiLAB
subnet 172.16.64.0 255.255.248.0
object network ParkingInterfaceLAB
subnet 172.16.17.0 255.255.255.0
description Test Lab interface
object network ServerInternet
subnet 192.168.96.0 255.255.255.0
description Server Internet In
object network ServerTVLab
subnet 192.168.96.0 255.255.255.0
description Test Lab
object network ServerTV_OLD
subnet 192.168.96.0 255.255.255.0
object network ServerServer
host 192.168.96.2
description ConnectionToServer
object network NETWORK_OBJ_10.20.30.0_25
subnet 10.20.30.0 255.255.255.128
object network Parking
subnet 172.16.17.0 255.255.255.0
object network ParkingNAT
subnet 172.16.17.0 255.255.255.0
object network ParkingSystems
host xxx.xxx.xxx.120
object network ParkingInterfaceOLD_WAN
subnet 172.16.17.0 255.255.255.0
object network Server1
subnet 192.168.96.0 255.255.255.0
object network Server2
host 192.168.96.2
object service iPerfServer
service tcp source eq 5001
object network ServerNet
subnet 192.168.96.0 255.255.255.0
object network WAN2
host xxx.xxx.xxx.75
object network ServerTV2
host 192.168.96.2
object network HostNatToOutside
subnet 192.168.96.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service ParkingObj tcp-udp
port-object eq 771
port-object eq 9100
object-group service ParkingPortsNAT tcp-udp
description OpenPortsForParking
port-object eq 771
port-object eq 9100
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group icmp-type DM_INLINE_ICMP_4
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq 4500
service-object tcp-udp destination eq 500
service-object tcp-udp destination eq 5001
service-object tcp-udp destination eq 8090
service-object tcp destination eq https
service-object tcp destination eq ssh
service-object udp destination eq snmp
object-group network DM_INLINE_NETWORK_6
network-object object ParkingServer1
network-object object ParkingServer2
object-group service NOC_Auth tcp-udp
port-object eq 8090
object-group service VPN_IPSec tcp-udp
port-object eq 4500
port-object eq 500
object-group service iPerf tcp-udp
port-object eq 5001
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list Test_Guest remark GuestWiFi network
access-list Test_Guest standard permit 172.16.64.0 255.255.248.0
access-list Test_Guest remark ParkingNetwork
access-list Test_Guest standard permit 172.16.17.0 255.255.255.0
access-list Test_Guest standard permit 192.168.96.0 255.255.255.0
access-list Test_Guest standard permit 192.168.1.0 255.255.255.0
access-list GuestWiFi_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list GuestWiFi_access_in extended permit object-group TCPUDP any any eq domain
access-list GuestWiFi_access_in extended permit ip any any
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any object-group ParkingObj
access-list ParkingInterface_access_in extended permit object-group TCPUDP any any eq domain
access-list ParkingInterface_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object ServerServer
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq https
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq ssh
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 8090
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 8090
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq snmp
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 5001
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 5001
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 500
access-list ServerTVAccessList extended permit tcp any host 192.168.96.2 eq 4500
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq 4500
access-list ServerTVAccessList extended permit udp any host 192.168.96.2 eq isakmp
access-list ServerTVAccessList extended permit icmp any any echo-reply
access-list ServerTV_access_in extended permit icmp any any object-group DM_INLINE_ICMP_4
access-list ServerTV_access_in extended permit object-group TCPUDP any any eq domain
access-list ServerTV_access_in extended permit ip any any
access-list WAN_OLD_access_in extended permit object-group TCPUDP xxx.xxx.xxx.0 255.255.255.0 object-group DM_INLINE_NETWORK_6 object-group ParkingPortsNAT
access-list WAN_OLD_access_in extended permit ip object ParkingSystems object ParkingSystemSubnet
access-list WAN_OLD_access_in extended permit ip any object ParkingSystemSubnet
access-list WAN_OLD_access_in extended permit ip any any inactive
access-list WAN_OLD_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu ServerTV 1500
mtu GuestWiFi 1500
mtu ParkingInterface 1500
mtu WAN_OLD 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any GuestWiFi
icmp permit any ParkingInterface
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_POOL_10.20.30.0 VPN_POOL_10.20.30.0 no-proxy-arp route-lookup
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771
nat (ParkingInterface,WAN_OLD) source static ParkingServer1 interface service any TCP_Parking_771_U
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100
nat (ParkingInterface,WAN_OLD) source static ParkingServer2 interface service any TCP_Parking2_9100_U
!
object network GuestWiFi_NAT_OLD
nat (GuestWiFi,WAN_OLD) dynamic interface dns
object network inside_NAT_OLD
nat (inside,WAN_OLD) dynamic interface dns
object network ServerServer
nat (ServerTV,outside) static interface
object network ParkingInterfaceOLD_WAN
nat (ParkingInterface,WAN_OLD) dynamic interface dns
object network ServerTV2
nat (ServerTV,outside) static WAN2
access-group ServerTVAccessList in interface outside
access-group inside_access_in in interface inside
access-group ServerTV_access_in in interface ServerTV
access-group GuestWiFi_access_in in interface GuestWiFi
access-group ParkingInterface_access_in in interface ParkingInterface
access-group WAN_OLD_access_in in interface WAN_OLD
route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.73 2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.16.64.0 255.255.248.0 GuestWiFi
http 10.20.30.0 255.255.255.0 GuestWiFi
http 172.16.17.0 255.255.255.0 ParkingInterface
http 192.168.96.0 255.255.255.0 ServerTV
http xxx.xxx.xxx.72 255.255.255.248 outside
http xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map WAN_OLD_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_OLD_map interface WAN_OLD
crypto map TestLab_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=HC-ClientASA
keypair HC_Client_Odense
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 50de3358
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable WAN_OLD client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh xxx.xxx.xxx.72 255.255.255.248 outside
ssh 192.168.1.0 255.255.255.0 GuestWiFi
ssh 172.16.64.0 255.255.248.0 GuestWiFi
ssh 10.20.30.0 255.255.255.0 GuestWiFi
ssh xxx.xxx.xxx.136 255.255.255.252 WAN_OLD
ssh timeout 10
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access GuestWiFi

dhcp-client client-id interface outside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 8.8.8.8 208.67.222.222 interface inside
dhcpd enable inside
!
dhcpd address 192.168.96.3-192.168.96.254 ServerTV
dhcpd dns 8.8.8.8 8.8.4.4 interface ServerTV
!
dhcpd address 172.16.64.2-172.16.64.250 GuestWiFi
dhcpd dns 8.8.8.8 208.67.222.222 interface GuestWiFi
dhcpd enable GuestWiFi
!
dhcpd address 172.16.17.33-172.16.17.250 ParkingInterface
dhcpd dns 8.8.8.8 8.8.8.8 interface ParkingInterface
dhcpd enable ParkingInterface
!
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 ServerTV
ssl trust-point ASDM_TrustPoint0 GuestWiFi
ssl trust-point ASDM_TrustPoint0 ParkingInterface
ssl trust-point ASDM_TrustPoint0 WAN_OLD
webvpn
enable outside
enable WAN_OLD
anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
anyconnect profiles Test_GuestWiFi_client_profile disk0:/Test_GuestWiFi_client_profile.xml
anyconnect profiles VPN_Test_client_profile disk0:/VPN_Test_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_VPN_Test internal
group-policy GroupPolicy_VPN_Test attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Test_Guest
default-domain none
webvpn
anyconnect profiles value VPN_Test_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username admin password xxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group VPN_Test type remote-access
tunnel-group VPN_Test general-attributes
address-pool Test_DHCP_VPN
default-group-policy GroupPolicy_VPN_Test
tunnel-group VPN_Test webvpn-attributes
group-alias VPN_Test enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:14a2b233fa9e205b5a530e7925ef77ac
: end

1 Reply

cofee
Level 5

It appears to be a routing issue. Even though you have 2 default routes, the one that's having the issue has a higher metric and therefore doesn't get installed in the routing table. Your NATing looks fine: with your current NAT rule you are PATing the TVserver network with the outside interface, but the traffic tries to get out using the WAN-OLD interface and therefore is getting dropped.

In order to resolve this issue you have to use policy nat, but it's only supported in ASA 9.4 and above.

route WAN_OLD 0.0.0.0 0.0.0.0 xxx.xxx.xxx.138 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.73 2

Below is a sample PBR configuration. Once you configure PBR you can delete this route: route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.73 2

* Create access list for interesting traffic:
access-list sample permit ip 192.168.96.0 255.255.255.0 any
!
* Create route-map
route-map PBR permit 10
match ip address sample
set ip next-hop xxx.xxx.xxx.73       (ip for wan interface)

* Apply route-map to TVserver interface
interface g.xx (this will be applied to your TVserver interface)
policy-route route-map PBR

Let me know if this answers your question.
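As an added example (not part of the thread and not a Cisco tool): a small Python audit script that parses the route, nat and policy-route lines of an ASA running-config and flags NAT rules whose mapped interface is not the one holding the installed default route while the real interface has no PBR, which is the mismatch the reply above describes. The embedded config excerpt is constructed from the thread's interfaces with documentation-range placeholder gateway addresses.

```python
import re

# Constructed excerpt modelled on the thread's config; gateway IPs are
# documentation-range placeholders, not the poster's real addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/4
 nameif ServerTV
 security-level 80
 ip address 192.168.96.1 255.255.255.0
object network ServerServer
 nat (ServerTV,outside) static interface
object network ServerTV2
 nat (ServerTV,outside) static WAN2
object network GuestWiFi_NAT_OLD
 nat (GuestWiFi,WAN_OLD) dynamic interface dns
route WAN_OLD 0.0.0.0 0.0.0.0 198.51.100.138 1
route outside 0.0.0.0 0.0.0.0 198.51.100.73 2
"""

# Same excerpt after the reply's fix: a policy-route on the ServerTV interface.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " ip address 192.168.96.1 255.255.255.0\n",
    " ip address 192.168.96.1 255.255.255.0\n policy-route route-map PBR\n")

def parse_default_routes(cfg):
    """(interface, metric) for each static 0.0.0.0/0 route, lowest metric first."""
    pat = r'^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+(?: (\d+))?'
    routes = [(m.group(1), int(m.group(2) or 1)) for m in re.finditer(pat, cfg, re.M)]
    return sorted(routes, key=lambda r: r[1])

def parse_nat_pairs(cfg):
    """Sorted unique (real_ifc, mapped_ifc) pairs from every 'nat (real,mapped)' rule."""
    return sorted({(m.group(1), m.group(2))
                   for m in re.finditer(r'^\s*nat \(([^,]+),([^)]+)\)', cfg, re.M)})

def parse_pbr_interfaces(cfg):
    """nameifs of interfaces that carry a 'policy-route route-map' statement."""
    pbr, nameif = set(), None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith('interface '):
            nameif = None  # start of a new interface block
        elif s.startswith('nameif '):
            nameif = s.split()[1]
        elif s.startswith('policy-route route-map') and nameif:
            pbr.add(nameif)
    return pbr

def find_stranded_nat(cfg):
    """Return (real_ifc, mapped_ifc, active_default_ifc) for NAT rules whose
    mapped WAN is not the installed default route and whose real interface has
    no PBR: new outbound sessions from real_ifc will egress active_default_ifc."""
    routes = parse_default_routes(cfg)
    if not routes:
        return []
    active = routes[0][0]            # only the lowest-metric default is installed
    wan_ifcs = {ifc for ifc, _ in routes}
    pbr = parse_pbr_interfaces(cfg)
    return [(real, mapped, active) for real, mapped in parse_nat_pairs(cfg)
            if mapped in wan_ifcs and mapped != active and real not in pbr]
```

Run it against a full `show running-config` dump; an empty list from `find_stranded_nat` means every NAT mapped to a secondary WAN has a policy-route steering its real interface there.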
