ASA5510 setup issues

heather.burke
Level 1

We are configuring an ASA5510 for the first time.  However, we seem to have hit a wall.  There seems to be no communication between the interfaces at all.  We have played with the static routes and access rules to no avail, it just seems like nothing can get in or out.   At the moment, we have it opened up to pretty much anything, to try to get anything to work, but still nothing. (read:  Any interface, any source any destination) Does anyone have any idea of what crucial step we might be missing?   We are mostly using the ASDM, but have had to do a little with the CLI since that seems to be what everyone knows in any help docs.

9 Replies

Scott Nishimura
Cisco Employee

Hi Heather,

I will assume the interfaces are set for different security levels.  If that is true, then you will most likely need to have static or nat statements.

Please see here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

It sounds like you have the acls and the routing in place.  Let me know what you have set up for the natting/static side.

regards,

scott

Hi Scott,

Well, we've tried several different options.  Right now, just to try to get ANYTHING to work, we've created really open rules that would essentially allow anything in either direction.  We've tried with and without NAT rules in place, but it doesn't seem to make a difference one way or another.  I'm not sure if the "any interface, any source, any destination" type of NAT would do anything anyway.   NAT control is no longer available in 8.3, so it seems that NAT is less likely to be holding us up, but we're so new to this that we couldn't be sure of that.

We've done the global ACL allows to open it up, and with our static routes we've tried a myriad of ideas on how to communicate its direction.  It seems that the interfaces are just not passing information to one another.  We have routes from 0.0.0.0 to the external interface, we've tried from the internal to external interfaces, and pretty much any combination you can think of, to no effect.

Any ideas what to look at?

Hi Heather,

Can you post a running config for us to review? That will help determine the areas of the config that need to be focused on.

-Mike

Heather,

Is there a route back for internal ip addresses when they are hitting the outside since you are not natting?

Does your inside interface have higher security level than your outside?

If you are testing with pings, make sure you have icmp inspection enabled.

Let me know if they helped. And like mirober2 suggested, if not, please provide your config.

PK

Here is our config file.  It's a bit of a mess now because we've been trying so many different things (none of which have worked).


:
ASA Version 8.3(2)
!
!
interface Ethernet0/0
description EXTERNAL
nameif OUTSIDE
security-level 0
ip address 10.0.204.65 255.255.255.0
!
interface Ethernet0/1
description INTERNAL INTERFACE
nameif INSIDE
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
description DMZ INTERFACE
shutdown
nameif DMZ
security-level 50
ip address STORAGECONTROLLERA 255.255.255.192
!
interface Ethernet0/3
description LAN/STATE Failover Interface
management-only
!
interface Management0/0
nameif management
security-level 99
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa823-k8.bin
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone MST -7
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 8.8.8.8

access-list INSIDE_access_in extended permit tcp any any eq www
access-list OUTSIDE_access_in remark ALLOW SLO TESTERS TO COMMUNICATE WITH XWD.
access-list OUTSIDE_access_in extended permit object-group HTTPHTTPS 10.0.204.64 255.255.255.192 host 10.2.204.55
access-list INSIDE_nat0_outbound extended permit ip any 192.168.204.240 255.255.255.240
access-list global_access extended permit tcp any any eq www log errors
pager lines 24
logging enable
logging console emergencies
logging asdm informational
logging class auth console errors
logging class sys console errors
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPBNIPPOOL 192.168.204.240-192.168.204.250 mask 255.255.255.0
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source static X_LAN X_LAN destination static mapped_public_pool mapped_public_pool
access-group INSIDE_access_in in interface INSIDE
access-group global_access global
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.204.65 1
route INSIDE 192.168.2.137 255.255.255.255 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface INSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 INSIDE
ssh 192.168.1.2 255.255.255.255 INSIDE
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bab91fe79432cd34bd138842c26c47c4
: end

Whoops, I hadn't noticed that my co-worker deleted most of the NAT and route rules that were in place yesterday.

There would have been a few "any, any, any" commands for the NAT and allow all services in the ACL.

Hi Heather,

I would suggest taking on one issue at a time to make it easier to troubleshoot. Try removing your NAT rules and then configuring this:

object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
    nat (inside,outside) dynamic interface
!

You may also need this if your DNS server is not in the 192.168.2.0 subnet:

access-list INSIDE_access_in extended permit udp any any eq 53

or

access-list global_access extended permit udp any any eq 53

Once those commands are configured, try to access the Internet from a host in the 192.168.2.0 subnet. If that works, let us know what other traffic is failing.

Hope that helps.

-Mike
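Two of the points raised in this thread (PK's question about routing and Mike's object NAT for 192.168.2.0) can be checked mechanically against a running config. The script below is an added example, not from the thread or from Cisco: it runs over a constructed excerpt of the posted interfaces and default route, with and without Mike's NAT object, and flags a route whose next hop is one of the ASA's own addresses (the posted default route names 10.0.204.65, which is also the OUTSIDE interface IP) and a private subnet that no object NAT covers. The 10.0.204.1 gateway in the "after" config is an assumed placeholder.

```python
"""Two sanity checks over an ASA 8.3 running config. Added example; not from the thread."""
import ipaddress
import re
# Constructed excerpt of the interfaces and default route posted in the thread.
CONFIG_BEFORE = """\
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.0.204.65 255.255.255.0
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.2.1 255.255.255.0
route OUTSIDE 0.0.0.0 0.0.0.0 10.0.204.65 1
"""
# Same excerpt plus Mike's object NAT; 10.0.204.1 is an assumed upstream gateway.
CONFIG_AFTER = CONFIG_BEFORE.replace("10.0.204.65 1", "10.0.204.1 1") + """\
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
"""
# These patterns rely on the line order that 'show running-config' emits.
IFACE_RE = re.compile(r"nameif (\S+)\s+security-level (\d+)\s+ip address (\S+) (\S+)")
NAT_RE = re.compile(r"object network \S+\s+subnet (\S+) (\S+)\s+nat \(")
ROUTE_RE = re.compile(r"^route \S+ \S+ \S+ (\S+)", re.M)

def parse_interfaces(cfg):
    """Map nameif -> (IPv4Interface, security-level) for every addressed interface."""
    return {name: (ipaddress.IPv4Interface(f"{ip}/{mask}"), int(level))
            for name, level, ip, mask in IFACE_RE.findall(cfg)}

def parse_nat_subnets(cfg):
    """Real-IP subnets covered by an object NAT rule (object network / subnet / nat)."""
    return [ipaddress.IPv4Network(f"{ip}/{mask}") for ip, mask in NAT_RE.findall(cfg)]

def audit(cfg):
    """Return findings as strings; an empty list means both checks passed."""
    ifaces, nat_nets, findings = parse_interfaces(cfg), parse_nat_subnets(cfg), []
    own_ips = {addr.ip for addr, _ in ifaces.values()}
    # 1. A next hop that is one of the ASA's own addresses can never forward traffic.
    for gw in ROUTE_RE.findall(cfg):
        if ipaddress.IPv4Address(gw) in own_ips:
            findings.append(f"route via {gw}: next hop is the ASA's own address")
    # 2. A private subnet behind a higher-security interface needs NAT to reach the Internet.
    lowest = min(level for _, level in ifaces.values())
    for name, (addr, level) in ifaces.items():
        if level > lowest and addr.network.is_private and not any(
                addr.network.subnet_of(net) for net in nat_nets):
            findings.append(f"{name} {addr.network}: no object NAT covers this subnet")
    return findings
```

`audit(CONFIG_BEFORE)` reports both findings and `audit(CONFIG_AFTER)` reports none; the regexes assume the ordering of `show running-config` output, so reordered or hand-edited configs may need the parsers loosened.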

Mike,

Thanks!!  Your dynamic NAT statement is the key that we were looking for!  As I understand it, it is the statement that allows the internal and external interfaces to communicate with one another, and that is the piece we were missing.

Now we need to start redoing our actual ACLs and see if they work.

Thanks again!

Hi Heather,

Glad that worked for you. Keep in mind that in 8.3 you need to use the real IP (i.e. before NAT takes place) when you set up your access-lists. This is a significant change from the way it was done in pre-8.3 configurations.

-Mike
