cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3836
Views
8
Helpful
11
Replies

ASA5510 not working ok after upgrade 8.2 -> 8.3 -> 8.4

Casperdegeus
Level 1
Level 1

Hi, I hope someone can help me. An ASA5510 (with 1 webserver behind it, just starting to build the cluster) was functioning OK with version 8.2: I was able to log in using RDP to the server bhind it from some trusted IP's.

I updated ASDM to the latest version 6.4.7, and then the ASA-software to 8.3.2. After reloading, I could not access the server anymore. I saw that changes were made to the config. Then I updated to version 8.4.3, same results of course, and this is the config. Can anyone help me by telling what I should change to get it working again?

Thx very much!

cisco# sh ru

: Saved

:

ASA Version 8.4(3)

!

hostname cisco

domain-name domainname.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd MOhAB706upGiCD8v encrypted

names

name XX.XX.152.102 ipOutside

name 172.16.152.126 ipInside

name XX.XX.152.126 ipGateway

name XX.XX.154.12 ipTimeServer

name XX.XX.227.113 srcJaapHQ

name XX.XX.36.186 srcJaapHQ2

name XX.XX.74.202 srcCasperHome

name 172.16.152.103 svrWE02_ILO_Inside

name XX.XX.152.103 svrWE02_ILO_Outside

name 172.16.152.104 svrWE02Inside

name XX.XX.152.104 svrWE02Outside

name XX.XX.198.101 srcEvoSwitch

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address ipOutside 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address ipInside 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name webenable.nl

object-group network obj-172.16.152.0

object-group network svrWE02Inside

object-group network svrWE02Outside

object-group network obj_any

object-group network svrWE02_ILO_Outside

object-group network FullyTrustedSources

network-object host srcCasperHome

network-object host srcJaapHQ

network-object host srcJaapHQ2

network-object host srcEvoSwitch

object-group service Services_NonPublic_WE02ILO tcp

port-object eq www

object-group service Services_NonPublic_WE02 tcp

port-object eq 3389

port-object eq www

access-list inside_nat0_outbound extended permit ip any 172.16.152.0 255.255.255.0

access-list Private standard permit 172.16.199.0 255.255.255.0

access-list outside_access_in extended permit icmp object-group FullyTrustedSources any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 ipGateway 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http srcJaapHQ 255.255.255.255 outside

http srcJaapHQ2 255.255.255.255 outside

http srcCasperHome 255.255.255.255 outside

http 172.16.152.0 255.255.255.0 inside

http srcEvoSwitch 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh srcJaapHQ 255.255.255.255 outside

ssh srcJaapHQ2 255.255.255.255 outside

ssh srcCasperHome 255.255.255.255 outside

ssh srcEvoSwitch 255.255.255.255 outside

ssh 172.16.152.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server ipTimeServer source outside prefer

ssl encryption des-sha1

webvpn

username admin password ztUzXsDyW6EdO7Uz encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:cb5e56b7cbba929561d64f896d7c7076

: end

1 Accepted Solution

Accepted Solutions

you are missing config on the outside_in access list, and your nat config missing. Fix these 2 things and it should all work for you.

Sent from Cisco Technical Support iPad App

View solution in original post

11 Replies 11

andrew.prince
Level 10
Level 10

compare the config before the upgrade from 8.2 > 8.3 to see the differences

Sent from Cisco Technical Support iPad App

Sure, I did that. I noticed that the configurationsyntax has changed, and was converted automatically. Unfortunately not in a correct way. Since I am not familiar with this new syntax, I hope some expert will help me...

post the before and after config changes

Sent from Cisco Technical Support iPad App

This is the working 8.2 config...

cisco# sh ru

: Saved

:

ASA Version 8.2(3)

!

hostname cisco

domain-name domainname.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd MOhAB706upGiCD8v encrypted

names

name XX.XX.152.102 ipOutside

name 172.16.152.126 ipInside

name XX.XX.152.126 ipGateway

name XX.XX.154.12 ipTimeServer

name XX.XX.227.113 srcJaapHQ

name XX.XX.36.186 srcJaapHQ2

name XX.XX.74.202 srcCasperHome

name 172.16.152.103 svrWE02_ILO_Inside

name XX.XX.152.103 svrWE02_ILO_Outside

name 172.16.152.104 svrWE02Inside

name XX.XX.152.104 svrWE02Outside

name XX.XX.198.101 srcEvoSwitch

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address ipOutside 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address ipInside 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa823-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name webenable.nl

object-group network FullyTrustedSources

network-object host srcCasperHome

network-object host srcJaapHQ

network-object host srcJaapHQ2

network-object host srcEvoSwitch

object-group service Services_NonPublic_WE02ILO tcp

port-object eq www

object-group service Services_NonPublic_WE02 tcp

port-object eq 3389

port-object eq www

access-list inside_nat0_outbound extended permit ip any 172.16.152.0 255.255.255                                                                                                                                                              .0

access-list Private standard permit 172.16.199.0 255.255.255.0

access-list outside_access_in extended permit icmp object-group FullyTrustedSour                                                                                                                                                              ces any

access-list outside_access_in extended permit tcp object-group FullyTrustedSourc                                                                                                                                                              es host svrWE02_ILO_Outside object-group Services_NonPublic_WE02ILO

access-list outside_access_in extended permit tcp object-group FullyTrustedSourc                                                                                                                                                              es host svrWE02Outside object-group Services_NonPublic_WE02

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) svrWE02Outside svrWE02Inside netmask 255.255.255.255 dns                                                                                                                                                             

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 ipGateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http srcJaapHQ 255.255.255.255 outside

http srcJaapHQ2 255.255.255.255 outside

http srcCasperHome 255.255.255.255 outside

http 172.16.152.0 255.255.255.0 inside

http srcEvoSwitch 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh srcJaapHQ 255.255.255.255 outside

ssh srcJaapHQ2 255.255.255.255 outside

ssh srcCasperHome 255.255.255.255 outside

ssh srcEvoSwitch 255.255.255.255 outside

ssh 172.16.152.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server ipTimeServer source outside prefer

ssl encryption des-sha1

webvpn

username admin password ztUzXsDyW6EdO7Uz encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c1b8bfe8908dc6a75844416f896b1845

: end

cisco# sh ru

: Saved

:

ASA Version 8.2(3)

!

hostname cisco

domain-name webenable.nl

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd MOhAB706upGiCD8v encrypted

names

name XX.XX.152.102 ipOutside

name 172.16.152.126 ipInside

name XX.XX.152.126 ipGateway

name 213.239.154.12 ipTimeServer

name 213.144.227.113 srcJaapHQ

name 95.97.36.186 srcJaapHQ2

name 213.125.74.202 srcCasperHome

name 172.16.152.103 svrWE02_ILO_Inside

name XX.XX.152.103 svrWE02_ILO_Outside

name 172.16.152.104 svrWE02Inside

name XX.XX.152.104 svrWE02Outside

name XX.XX.198.101 srcEvoSwitch

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address ipOutside 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address ipInside 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa823-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name webenable.nl

object-group network FullyTrustedSources

network-object host srcCasperHome

network-object host srcJaapHQ

network-object host srcJaapHQ2

network-object host srcEvoSwitch

object-group service Services_NonPublic_WE02ILO tcp

port-object eq www

object-group service Services_NonPublic_WE02 tcp

port-object eq 3389

port-object eq www

access-list inside_nat0_outbound extended permit ip any 172.16.152.0 255.255.255                                                                                                                                                              .0

access-list Private standard permit 172.16.199.0 255.255.255.0

access-list outside_access_in extended permit icmp object-group FullyTrustedSour                                                                                                                                                              ces any

access-list outside_access_in extended permit tcp object-group FullyTrustedSourc                                                                                                                                                              es host svrWE02_ILO_Outside object-group Services_NonPublic_WE02ILO

access-list outside_access_in extended permit tcp object-group FullyTrustedSourc                                                                                                                                                              es host svrWE02Outside object-group Services_NonPublic_WE02

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) svrWE02Outside svrWE02Inside netmask 255.255.255.255 dns                                                                                                                                                             

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 ipGateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http srcJaapHQ 255.255.255.255 outside

http srcJaapHQ2 255.255.255.255 outside

http srcCasperHome 255.255.255.255 outside

http 172.16.152.0 255.255.255.0 inside

http srcEvoSwitch 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh srcJaapHQ 255.255.255.255 outside

ssh srcJaapHQ2 255.255.255.255 outside

ssh srcCasperHome 255.255.255.255 outside

ssh srcEvoSwitch 255.255.255.255 outside

ssh 172.16.152.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server ipTimeServer source outside prefer

ssl encryption des-sha1

webvpn

username admin password ztUzXsDyW6EdO7Uz encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c1b8bfe8908dc6a75844416f896b1845

: end

you are missing config on the outside_in access list, and your nat config missing. Fix these 2 things and it should all work for you.

Sent from Cisco Technical Support iPad App

Ok, thanks! I made the changes according to this tutorial-video: https://supportforums.cisco.com/docs/DOC-12324

and it works!

Great!

For anyone else who needs a simple ASA5510 config with some static routes to use webservers, here's the basic config:

ASA Version 8.4(3)

!

hostname cisco

domain-name domainname.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd MOhAB706upGiCD8v encrypted

names

name XX.XX.152.102 ipOutside

name 172.16.152.126 ipInside

name XX.XX.152.126 ipGateway

name 213.239.154.12 ipTimeServer

name XX.XX.74.202 srcHome

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address ipOutside 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address ipInside 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name webenable.nl

object network svrWE02

host 172.16.152.104

object network svrWE02ILO

host 172.16.152.103

object-group network FullyTrustedSources

network-object host srcHome

object-group service Services_NonPublic_WE02ILO tcp

port-object eq www

port-object eq https

port-object eq ssh

port-object eq 17990

port-object eq 17988

port-object eq 623

object-group service Services_NonPublic_WE02 tcp

port-object eq 3389

port-object eq www

access-list inside_nat0_outbound extended permit ip any 172.16.152.0 255.255.255.0

access-list Private standard permit 172.16.152.0 255.255.255.0

access-list outside_access_in extended permit icmp object-group FullyTrustedSources any

access-list outside_access_in extended permit tcp object-group FullyTrustedSources host 172.16.152.104 object-group Services_NonPublic_WE02

access-list outside_access_in extended permit tcp object-group FullyTrustedSources host 172.16.152.103 object-group Services_NonPublic_WE02ILO

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

!

object network svrWE02

nat (inside,outside) static XX.XX.152.104

object network svrWE02ILO

nat (inside,outside) static XX.XX.152.103

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 ipGateway 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http srcHome 255.255.255.255 outside

http 172.16.152.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh srcHome 255.255.255.255 outside

ssh 172.16.152.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server ipTimeServer source outside prefer

ssl encryption des-sha1

webvpn

username admin password ztUzXsDyW6EdO7Uz encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:8b55959660d6ea2b0359d80b83d414bc

: end

Hello ,

Could you help please?

I have the same problem like yours I upgraded from 8.0 to 8.4(2), but i can access Internet at the moment.

Would youtry to explaine how to configure you nat please

In my case i have these ;

nat (inside) 1 00

global (outside) 1 interface

nat ( inside ) 0 access-list inside-nat0-outbound

global (inside) 2 interface

I would be glad on your feed bac

Cheers

The upgrade does make some 'changes' but I my case the firewall did not function anymore. I'll try to help you, but first you should tell what you want the ASA to do _exactly_.

I just want to be connected to Internet , although my ASA5510 are in Active /Standby mode

Ok, then you should add a static route like this (for one server to access the internet),

where YourInsideServerIP could be like 10.0.0.1, YourGatewayIP 10.0.0.254

object network YourServerName

host YourInsideServerIP

object network YourServerName

nat (inside,outside) static YourOutsideIP

access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.0

access-list Private standard permit 10.0.0.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 YourGatewayIP 1

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: