Need assistance in ASA5505

rogerknight9
Level 1

I am trying to do several things.  First, I have an ASA5505 connecting to two ISPs.  I want to try and configure both for primary and backup using the SLA MONITOR.  I have it configured but have not tested it.  Right now I can ping the next-hop gateway in the route statements but cannot ping a host on the Internet such as 4.2.2.2.  I am also trying to configure the ASDM, but when I try to access the ASDM Launcher via an Internet browser it comes back with "Page cannot be displayed".  I am at wits' end here.  Below is my config:

Any insight on what I could try is greatly appreciated.  Thanks ahead of time.

ASA Version 8.2(2)
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 1.1.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 14.14.14.14 255.255.255.248
!
interface Vlan3
 no forward interface Vlan2
 nameif backup
 security-level 0
 ip address 14.14.15.14 255.255.255.248
!
!
interface Ethernet0/3 - inside
 speed 100
 duplex full
!
interface Ethernet0/4 - outside
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/5 - backup
 switchport access vlan 3
 speed 100
 duplex full
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0 extended permit ip any 1.1.1.0 255.255.255.0
access-list split-tunnel standard permit 1.1.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu twb-primary 1500
mtu twb-backup 1500
ip local pool newpool 10.10.10.10-10.10.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0
route outside 0.0.0.0 0.0.0.0 14.14.14.13 1 track 1
route backup 0.0.0.0 0.0.0.0 14.14.15.13 2
route inside 10.10.10.0 255.255.255.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8080
http 1.1.1.2 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 7
 type echo protocol ipIcmpEcho 14.14.14.15 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 7 life forever start-time now
track 1 rtr 7 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!Cryptochecksum:089fff25b0db63830fc79cf36013125c
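Added example, not part of the original post or of Cisco's tooling: a small Python checker that reads an excerpt of the config above and reports dangling references (names used by mtu, global and route that no nameif defines; route track and track rtr objects that point at nothing), flags an SLA probe whose target sits on the monitored interface's own subnet (such a probe only proves the local link is up, not that the ISP forwards traffic), and prints the ASDM URL implied by http server enable. The config excerpt is constructed from the post, and the parser understands only the 8.2-style commands it contains.

```python
import ipaddress
from typing import Dict, List

# Excerpt of the ASA 8.2(2) configuration posted in the thread (constructed
# for this example; lines the checks do not need are omitted).
ASA_CONFIG = """
interface Vlan1
nameif inside
ip address 1.1.1.2 255.255.255.0
interface Vlan2
nameif outside
ip address 14.14.14.14 255.255.255.248
interface Vlan3
no forward interface Vlan2
nameif backup
ip address 14.14.15.14 255.255.255.248
mtu inside 1500
mtu twb-primary 1500
mtu twb-backup 1500
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 14.14.14.13 1 track 1
route backup 0.0.0.0 0.0.0.0 14.14.15.13 2
http server enable 8080
http 1.1.1.2 255.255.255.0 inside
sla monitor 7
type echo protocol ipIcmpEcho 14.14.14.15 interface outside
track 1 rtr 7 reachability
"""


def parse_asa(text: str) -> Dict:
    """Collect interfaces, mtu/global/route references, sla monitors, track
    objects and the http server port from an 8.2-style config."""
    cfg = {"nameifs": {}, "mtu": [], "globals": [], "routes": [],
           "sla": {}, "tracks": {}, "http_port": 443}
    block = None  # the 'interface' or 'sla monitor' block being read
    for line in text.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "interface":
            block = {"name": w[1], "nameif": None, "net": None}
        elif w[:2] == ["sla", "monitor"] and len(w) == 3:
            block = cfg["sla"].setdefault(w[2], {})
        elif w[0] == "nameif":
            block["nameif"] = w[1]
            cfg["nameifs"][w[1]] = block
        elif w[:2] == ["ip", "address"]:
            block["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:2] == ["type", "echo"]:   # type echo protocol ipIcmpEcho <target> interface <nameif>
            block["target"], block["iface"] = ipaddress.ip_address(w[4]), w[6]
        elif w[0] == "mtu":
            cfg["mtu"].append(w[1])
        elif w[0] == "global":            # global (<nameif>) <id> interface
            cfg["globals"].append(w[1].strip("()"))
        elif w[0] == "route":             # route <nameif> <dst> <mask> <gw> [metric] [track <id>]
            track = w[w.index("track") + 1] if "track" in w else None
            cfg["routes"].append({"iface": w[1], "gw": w[4], "track": track})
        elif w[0] == "track":             # track <id> rtr <sla-id> reachability
            cfg["tracks"][w[1]] = w[3]
        elif w[:3] == ["http", "server", "enable"]:
            cfg["http_port"] = int(w[3]) if len(w) > 3 else 443
    return cfg


def lint(cfg: Dict) -> List[str]:
    """Return findings for dangling names/objects and for an SLA target that
    lies on the probing interface's own subnet."""
    findings = []
    names = set(cfg["nameifs"])
    for n in cfg["mtu"]:
        if n not in names:
            findings.append(f"mtu: '{n}' is not a configured nameif ({sorted(names)})")
    for n in cfg["globals"]:
        if n not in names:
            findings.append(f"global: '{n}' is not a configured nameif")
    for r in cfg["routes"]:
        if r["iface"] not in names:
            findings.append(f"route: '{r['iface']}' is not a configured nameif")
        if r["track"] and r["track"] not in cfg["tracks"]:
            findings.append(f"route via {r['iface']}: track {r['track']} is not defined")
    for tid, sla_id in cfg["tracks"].items():
        if sla_id not in cfg["sla"]:
            findings.append(f"track {tid}: sla monitor {sla_id} is not defined")
    for sid, sla in cfg["sla"].items():
        iface = cfg["nameifs"].get(sla.get("iface"))
        if iface and sla["target"] in iface["net"].network:
            findings.append(f"sla monitor {sid}: target {sla['target']} is inside the "
                            f"{sla['iface']} subnet {iface['net'].network}; "
                            "the probe only shows the local link is up")
    return findings


def asdm_url(cfg: Dict, nameif: str = "inside") -> str:
    """ASDM is served over HTTPS on the port given to 'http server enable'."""
    return f"https://{cfg['nameifs'][nameif]['net'].ip}:{cfg['http_port']}/"


if __name__ == "__main__":
    cfg = parse_asa(ASA_CONFIG)
    for f in lint(cfg):
        print("FINDING:", f)
    print("ASDM URL:", asdm_url(cfg))
```

Run against the excerpt it reports the two mtu lines that name interfaces no nameif defines, and the SLA target 14.14.14.15 falling inside the outside interface's /29; a real SLA target should be a host beyond the ISP gateway.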

10 Replies

Jitendriya Athavale
Cisco Employee

From where are you trying to ping? Are you trying to ping from the firewall or from behind the firewall?

My suggestion to you, if this is a new setup, is to first get one link up and then the backup.

We can remove all the sla monitor configuration and try to get Internet up for the firewall first.

So please remove the sla config and see if you can go to the Internet.

I did try to remove the SLA Monitor config.  I am trying to ping 4.2.2.2 from both ISP links from inside of the LAN going out to the Internet.  I would shut one side down and try.  But to no avail.

Thanks for the help thus far.

Maykol Rojas
Cisco Employee

Good day,

Mike here.  Are you able to ping 4.2.2.2 from either ISP?  If you connect a computer to the ISPs, do you get Internet access?  The SLA monitor looks fine.  Regarding the ASDM problem, make sure that you are putting in the right URL, since you already changed the port; here is how you will access it:

http://1.1.1.2:8080

Cheers

Mike

Mike

I would try from either ISP and it doesn't work.  When I connect my laptop directly to the Internet router, bypassing the ASA, I can get out to the Internet.

I would shut down one circuit at a time to test.  I can ping the gateway going out but not anything after that.

I did try the ASDM with the correct URL as you had.  And it says page cannot be found.

Thanks for your help!  Any other suggestions?

Please paste your config after removing the sla config.

Thanks dude!

Here you go.

ASA Version 8.2(2)
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 1.1.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 14.14.14.14 255.255.255.248
!
interface Vlan3
 no forward interface Vlan2
 nameif backup
 security-level 0
 ip address 14.14.15.14 255.255.255.248
!
!
interface Ethernet0/3 - inside
 speed 100
 duplex full
!
interface Ethernet0/4 - outside
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/5 - backup
 switchport access vlan 3
 speed 100
 duplex full
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0 extended permit ip any 1.1.1.0 255.255.255.0
access-list split-tunnel standard permit 1.1.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu twb-primary 1500
mtu twb-backup 1500
ip local pool newpool 10.10.10.10-10.10.10.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0
route outside 0.0.0.0 0.0.0.0 14.14.14.13 1
route backup 0.0.0.0 0.0.0.0 14.14.15.13 2
route inside 10.10.10.0 255.255.255.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 8080
http 1.1.1.2 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!Cryptochecksum:089fff25b0db63830fc79cf36013125c

You mention that you can ping both default gateways but not 4.2.2.2 from the firewall; is that correct?

Mike

Mike

After resolving an issue with the ISP, I can ONLY ping 4.2.2.2 from the primary interface but not the backup.  Even if I shut down the primary interface completely, I still cannot ping past the backup's gateway address.

To be clear:

1.  Both primary and backup interfaces enabled
     Ping primary gateway - Yes
     Ping 4.2.2.2 from ASA5505 - Yes
     Ping backup gateway - Yes
     Ping 4.2.2.2 from ASA5505 - No
     Ping inside Interface from PC behind ASA - Yes
     Ping 4.2.2.2 from PC behind ASA - No

2.  Shutdown primary Interface
     Ping backup gateway - Yes
     Ping 4.2.2.2 - No
     Ping inside Interface from PC behind ASA - Yes
     Ping 4.2.2.2 from PC behind ASA - No

3.  Shutdown backup interface
     Ping primary gateway - Yes
     Ping 4.2.2.2 - Yes
     Ping inside Interface from PC behind ASA - Yes
     Ping 4.2.2.2 from PC behind ASA - No

I think my config is screwy.

Thanks for your help

Hi! A few questions:

Is there a device between the inside PC and the ASA5505?  Or is the PC on the 1.1.1.x network with its default gateway pointing to the ASA inside interface?

If you run a "sh xlate" after trying the ping, do you see the translation for the user's IP address?

If you enable "debug icmp" (and "term monitor" if you are connected via ssh), do you see the ICMP request from the PC?  (Disable it with "undebug all".)

I would run a capture to verify whether the traffic is arriving at the ASA and to see why it is dropping it.  But maybe these tests can help first.

Regards,

----

For the "sh xlate" you should see something like:

     PAT Global 14.14.x.x (port) Local y.y.y.y ICMP id 512

where y.y.y.y is the IP of the PC, and 14.14.x.x is the interface where you have the global statement.
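Added example, not part of the reply above or of any Cisco tool: a Python parser for pre-8.3 "show xlate" lines in the shape quoted above (PAT Global <ip>(<port>) Local <ip> ..., with or without the ICMP id and with or without a space before the port), plus a check that a given inside host has a translation on the expected egress interface address. The sample output is constructed for the example, not captured from the ASA in the thread; an empty result for a host means the firewall never built a translation, so the packet was dropped before NAT or never reached the inside interface.

```python
import re
from typing import Dict, List

# Constructed "show xlate" output in the 8.2-style format (not a real capture).
SAMPLE_XLATE = """\
3 in use, 7 most used
PAT Global 14.14.14.14(1024) Local 1.1.1.50(49152)
PAT Global 14.14.14.14 (3) Local 1.1.1.50 ICMP id 512
Global 14.14.14.10 Local 1.1.1.20
"""

# One regex covers dynamic NAT ("Global X Local Y"), PAT for TCP/UDP
# ("PAT Global X(p) Local Y(p)") and PAT for ICMP ("... Local Y ICMP id n").
XLATE_RE = re.compile(
    r"^(?P<pat>PAT )?Global (?P<gip>[\d.]+)\s*(?:\((?P<gport>\d+)\))?"
    r" Local (?P<lip>[\d.]+)\s*(?:\((?P<lport>\d+)\))?"
    r"(?: ICMP id (?P<icmp>\d+))?$"
)


def parse_xlate(output: str) -> List[Dict]:
    """Turn each translation line into a dict; summary lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "kind": "PAT" if d["pat"] else "NAT",
            "global_ip": d["gip"],
            "global_port": int(d["gport"]) if d["gport"] else None,
            "local_ip": d["lip"],
            "local_port": int(d["lport"]) if d["lport"] else None,
            "icmp_id": int(d["icmp"]) if d["icmp"] else None,
        })
    return entries


def translations_for(output: str, local_ip: str) -> List[Dict]:
    """All xlate entries built for one inside host."""
    return [e for e in parse_xlate(output) if e["local_ip"] == local_ip]


def egress_check(output: str, local_ip: str, expected_global: str) -> Dict:
    """Which global addresses the host was translated to, and whether the
    expected egress interface address (the 'global (<nameif>) 1 interface'
    one) is among them."""
    seen = sorted({e["global_ip"] for e in translations_for(output, local_ip)})
    return {"seen": seen, "ok": expected_global in seen}


if __name__ == "__main__":
    for e in parse_xlate(SAMPLE_XLATE):
        print(e)
    print(egress_check(SAMPLE_XLATE, "1.1.1.50", "14.14.14.14"))
    print(egress_check(SAMPLE_XLATE, "1.1.1.99", "14.14.14.14"))
```

Paste the real "sh xlate" output in place of SAMPLE_XLATE and call egress_check with the PC's address and the outside (or backup) interface IP to see whether the ICMP echo from the PC ever got a translation.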

Have you tried

https://1.1.1.2:8080 ?
