No internet access

gasparmenendez
Level 3

Hi friends, my ASA 5580 has an INSIDE interface with IP address 192.168.62.254, and that interface is connected to a switch through vlan62 with IP address 192.168.62.253. When I connect a PC to vlan62 with a static IP address (192.168.62.40) and set the GW as 192.168.62.253 or 192.168.62.254 for the PC, in both cases I can access the internet without any problem. So far so good....

Now I'm trying to do the same with another interface but I can't. The other interface has IP address 192.168.51.254 and is connected to a switch through vlan51 with IP address 192.168.51.253. When I use GW 192.168.51.254 in the PC I can access the internet without problem, but when I use 192.168.51.253 as GW I can't... and the problem is that I need to use 192.168.51.253 as GW... can anybody help me please??? Is this a configuration problem on the ASA??? Thanks in advance.

Accepted Solution

Thanks my friend, I already solved it.... Just added a route to the 5580 and now everything is ok.

Thanks!


10 Replies

Dean Romanelli
Level 4

Could you post your ASA configs for us please?

here it is:

ASA5580# sh running-config
: Saved
:
: Serial Number: USE00
: Hardware:   ASA5580-20, 8192 MB RAM, CPU AMD Opteron 2600 MHz, 2 CPUs (4 cores)
:
ASA Version 9.1(7)19
!
hostname ASA5580
enable password TFyi2xrxZ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool pool-vpn-prueba 192.168.239.1-192.168.239.100 mask 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.0.44 255.255.255.0
!             
interface Management0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3/2
 nameif CARRIERS
 security-level 30
 ip address 10.227.224.3 255.255.252.0
!
interface GigabitEthernet3/3
 nameif INSIDE_Prueba
 security-level 40
 ip address 192.168.62.254 255.255.255.0
!
interface TenGigabitEthernet5/0
 nameif CMTS
 security-level 50
 ip address 192.168.61.9 255.255.255.0
!
interface TenGigabitEthernet5/1
 nameif FTTH
 security-level 50
 ip address 192.168.51.254 255.255.255.0
!
interface TenGigabitEthernet7/0
 nameif OUTSIDE
 security-level 0
 ip address 170.X.X.2 255.255.255.240
!
interface TenGigabitEthernet7/1
 shutdown
 no nameif
 no security-level
 no ip address
!             
boot system disk0:/asa917-19-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 10.19.0.0
 subnet 10.19.0.0 255.255.0.0
object network 170.X.X.3
 host 170.X.X.3
object network 170.X.X.4
 host 170.X.X.4
object network 170.X.X.5
 host 170.X.X.5
object network 170.X.X.6
 host 170.X.X.6
object network 170.X.X.7
 host 170.X.X.7
object network 170.X.X.8
 host 170.X.X.8
object network 170.X.X.9
 host 170.X.X.9
object network 170.X.X.10
 host 170.X.X.10
object network 170.X.X.11
 host 170.X.X.11
object network 170.X.X.12
 host 170.X.X.12
object network 170.X.X.13
 host 170.X.X.13
object network 170.X.X.14
 host 170.X.X.14
object network 10.27.0.0
 subnet 10.27.0.0 255.255.0.0
object network 10.25.0.0
 subnet 10.25.0.0 255.255.0.0
object network 10.9.0.0
 subnet 10.9.0.0 255.255.0.0
object network 10.39.0.0
 subnet 10.39.0.0 255.255.0.0
object network 10.11.0.0
 subnet 10.11.0.0 255.255.0.0
object network 10.35.0.0
 subnet 10.35.0.0 255.255.0.0
object network 10.33.0.0
 subnet 10.33.0.0 255.255.0.0
object network 10.13.0.0
 subnet 10.13.0.0 255.255.0.0
object network 10.17.0.0
 subnet 10.17.0.0 255.255.0.0
object network 10.37.0.0
 subnet 10.37.0.0 255.255.0.0
object network 10.41.0.0
 subnet 10.41.0.0 255.255.0.0
object network 10.45.0.0
 subnet 10.45.0.0 255.255.0.0
object network 170.X.X.16
 host 170.X.X.16
object network 170.X.X.17
 host 170.X.X.17
object network 170.X.X.18
 host 170.X.X.18
object network 170.X.X.19
 host 170.X.X.19
object network 170.X.X.20
 host 170.X.X.20
object network 170.X.X.21
 host 170.X.X.21
object network 170.X.X.22
 host 170.X.X.22
object network 170.X.X.23
 host 170.X.X.23
object network 170.X.X.24
 host 170.X.X.24
object network 170.X.X.25
 host 170.X.X.25
object network 10.47.0.0
 subnet 10.47.0.0 255.255.0.0
object network 170.X.X.26
 host 170.X.X.26
object network 170.X.X.27
 host 170.X.X.27
object network 170.X.X.28
 host 170.X.X.28
object network 170.X.X.29
 host 170.X.X.29
object network 170.X.X.30
 host 170.X.X.30
object network 170.X.X.31
 host 170.X.X.31
object network 10.49.0.0
 subnet 10.49.0.0 255.255.0.0
object network Prueba-10.227.225.210
 host 10.227.225.210
object network 10.227.225.210
 host 10.227.225.210
object network 172.16.99.0
 subnet 172.16.99.0 255.255.255.0
object network 172.16.99.22
 host 172.16.99.22
object network 10.50.0.0
 subnet 10.50.0.0 255.255.0.0
object network 10.51.0.0
 subnet 10.51.0.0 255.255.0.0
object network 10.227.225.20
 host 10.227.225.20
object network CentroValle_1930
 host 10.227.225.20
object network CentroValle_1946
 host 10.227.225.20
object network 170.X.X.2
 host 170.X.X.2
object network Stgo4646_3050
 host 10.44.0.130
object network 10.44.0.130
 host 10.44.0.130
object network 192.168.199.0
 subnet 192.168.199.0 255.255.255.0
object network 10.227.225.41
 host 10.227.225.41
object network Administracion_FTTH_NuevoIdeal
 subnet 10.16.10.0 255.255.255.0
 description Administracion FTTH Nuevo Ideal
object network 10.228.0.0
 subnet 10.228.0.0 255.255.240.0
 description 10.228.0.0
object network 192.168.239.0
 subnet 192.168.239.0 255.255.255.128
 description 192.168.239.0
object network NETWORK_OBJ_192.168.239.0_25
 subnet 192.168.239.0 255.255.255.128
object network pool-vpn-prueba
 subnet 192.168.239.0 255.255.255.128
object network Pool_CMTS_Stgo
 range 170.X.X.8 170.X.X.9
object network 10.227.225.12
 host 10.227.225.12
object network AutopartesStgo_Suc_NI_81
 host 10.227.225.12
object network AutopartesStgo_Suc_NI_554
 host 10.227.225.12
object network AutopartesStgo_Suc_NI_8000
 host 10.227.225.12
object network 10.227.225.31
 host 10.227.225.31
object network Ferrepisos_NI_3389
 host 10.227.225.31
object network Ferrepisos_NI_8081
 host 10.227.225.31
object network 10.227.225.21
 host 10.227.225.21
object network 10.227.225.22
 host 10.227.225.22
object network 170.X.X.80
 host 170.X.X.80
object network 170.X.X.81
 host 170.X.X.81
object network 170.X.X.82
 host 170.X.X.82
object network 10.227.225.29
 host 10.227.225.29
object network 10.227.225.39
 host 10.227.225.39
object network 170.X.X.83
 host 170.X.X.83
object network 170.X.X.84
 host 170.X.X.84
object network 170.X.X.85
 host 170.X.X.85
object network 192.168.199.29
 host 192.168.199.29
 description Gaspar
object network 10.227.224.11
 host 10.227.224.11
 description CACTI_Carrier
object network CACTI_Carrier
 host 10.227.224.11
object network 10.227.224.0
 subnet 10.227.224.0 255.255.252.0
object network ALTAI
 host 172.16.99.22
object network VPN-POOL
 range 192.168.239.1 192.168.239.100
object network Pool_CMTS_Victoria
 range 170.X.X.11 170.X.X.12
object network INSIDE-TEST
 subnet 192.168.62.0 255.255.255.0
object network Servidor_Comcast
 host 192.168.51.100
object network FTTH-network
 subnet 192.168.51.0 255.255.255.0
object network 10.30.0.0
 subnet 10.30.0.0 255.255.0.0
 description 10.30.0.0
object-group network redvpn
 network-object object 192.168.199.0
access-list CARRIERS_access_in extended permit ip 10.227.224.0 255.255.252.0 any4
access-list CARRIERS_access_out extended permit ip any4 10.227.224.0 255.255.252.0
access-list CARRIERS_access_out extended permit ip 192.168.199.0 255.255.255.0 10.227.224.0 255.255.252.0
access-list OUTSIDE_access_in remark ALTAI
access-list OUTSIDE_access_in extended permit ip any4 object 172.16.99.22
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.20 eq 1930
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.20 eq 1946
access-list OUTSIDE_access_in remark Stgo Contrato 4646
access-list OUTSIDE_access_in extended permit tcp any4 object 10.44.0.130 eq 3050
access-list OUTSIDE_access_in remark Prueba
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.210
access-list OUTSIDE_access_in remark Gasolinera Holanda
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.41
access-list OUTSIDE_access_in remark AutopartesStgo_Suc_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.12 eq 81
access-list OUTSIDE_access_in remark AutopartesStgo_Suc_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.12 eq rtsp
access-list OUTSIDE_access_in remark AutopartesStgo_Suc_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.12 eq 8000
access-list OUTSIDE_access_in remark Ferrepisos_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.31 eq 3389
access-list OUTSIDE_access_in remark Ferrepisos_NI
access-list OUTSIDE_access_in extended permit tcp any4 object 10.227.225.31 eq 8081
access-list OUTSIDE_access_in remark Gasolinera Samantha
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.21
access-list OUTSIDE_access_in remark Gasolinera CM
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.22
access-list OUTSIDE_access_in remark Farmacia Economica NI
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.39
access-list OUTSIDE_access_in remark Caja Hipodromo NI
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.225.29
access-list OUTSIDE_access_in remark CACTI_Carrier
access-list OUTSIDE_access_in extended permit ip any4 object 10.227.224.11
access-list OUTSIDE_access_in extended permit ip any4 any4
access-list INSIDE_Prueba_access_in extended permit ip 192.168.62.0 255.255.255.0 any4
access-list INSIDE_Prueba_access_in extended permit ip object 172.16.99.0 any4
access-list INSIDE_Prueba_access_in extended permit ip object 192.168.199.0 any4
access-list INSIDE_Prueba_access_in extended permit ip object 10.228.0.0 any4
access-list INSIDE_Prueba_access_in extended permit ip 10.227.224.0 255.255.252.0 192.168.199.0 255.255.255.0
access-list INSIDE_Prueba_access_in extended permit ip 192.168.199.0 255.255.255.0 192.168.239.0 255.255.255.128
access-list ACL-tunel-vpn-prueba standard permit 192.168.199.0 255.255.255.0
access-list ACL-tunel-vpn-prueba standard permit 192.168.239.0 255.255.255.0
access-list ACL-tunel-vpn-prueba standard permit 192.168.62.0 255.255.255.0
access-list INSIDE_Prueba_access_out extended permit ip 10.227.224.0 255.255.252.0 any4
access-list INSIDE_Prueba_access_out extended permit ip 192.168.199.0 255.255.255.0 any4
access-list INSIDE_Prueba_access_out extended permit ip any4 object 172.16.99.0
access-list INSIDE_Prueba_access_out extended permit ip 192.168.239.0 255.255.255.128 192.168.199.0 255.255.255.0
access-list TEST extended permit ip 192.168.199.0 255.255.255.0 192.168.239.0 255.255.255.128
access-list TEST extended permit ip 192.168.239.0 255.255.255.128 192.168.199.0 255.255.255.0
access-list FTTH_access_in extended permit ip 192.168.51.0 255.255.255.0 any4
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu CARRIERS 1500
mtu INSIDE_Prueba 1500
mtu CMTS 1500
mtu OUTSIDE 1500
mtu FTTH 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any CARRIERS
icmp permit any echo CARRIERS
icmp permit any echo-reply CARRIERS
icmp permit any OUTSIDE
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (CMTS,OUTSIDE) source dynamic 10.19.0.0 170.X.X.16
nat (CMTS,OUTSIDE) source dynamic 10.27.0.0 pat-pool Pool_CMTS_Victoria
nat (CMTS,OUTSIDE) source dynamic 10.25.0.0 170.X.X.18
nat (CMTS,OUTSIDE) source dynamic 10.39.0.0 170.X.X.20
nat (CMTS,OUTSIDE) source dynamic 10.35.0.0 170.X.X.22
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 170.X.X.23
nat (CMTS,OUTSIDE) source dynamic 10.13.0.0 170.X.X.13
nat (CMTS,OUTSIDE) source dynamic 10.17.0.0 170.X.X.25
nat (CMTS,OUTSIDE) source dynamic 10.37.0.0 170.X.X.26
nat (CMTS,OUTSIDE) source dynamic 10.41.0.0 170.X.X.27
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 170.X.X.29
nat (CMTS,OUTSIDE) source dynamic 10.47.0.0 170.X.X.21
nat (CMTS,OUTSIDE) source dynamic 10.49.0.0 170.X.X.24
nat (CARRIERS,OUTSIDE) source static 10.227.225.210 170.X.X.3
nat (CARRIERS,OUTSIDE) source static 10.227.225.41 170.X.X.82 description Gasolinera Holanda
nat (INSIDE_Prueba,OUTSIDE) source dynamic 10.228.0.0 170.X.X.10
nat (CMTS,OUTSIDE) source dynamic 10.51.0.0 pat-pool Pool_CMTS_Stgo
nat (CARRIERS,OUTSIDE) source static 10.227.225.21 170.X.X.80 description Gasolinera Samantha
nat (CARRIERS,OUTSIDE) source static 10.227.225.22 170.X.X.81 description Gasolinera CM
nat (CARRIERS,OUTSIDE) source static 10.227.225.39 170.X.X.83
nat (CARRIERS,OUTSIDE) source static 10.227.225.29 170.X.X.84
nat (INSIDE_Prueba,OUTSIDE) source static INSIDE-TEST INSIDE-TEST destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25 no-proxy-arp route-lookup
nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static pool-vpn-prueba pool-vpn-prueba no-proxy-arp route-lookup
nat (OUTSIDE,OUTSIDE) source static pool-vpn-prueba pool-vpn-prueba destination static pool-vpn-prueba pool-vpn-prueba no-proxy-arp route-lookup
nat (FTTH,OUTSIDE) source dynamic any 170.X.X.10
nat (FTTH,OUTSIDE) source dynamic 10.30.0.0 170.X.X.10
!
object network CentroValle_1930
 nat (CARRIERS,OUTSIDE) static interface service tcp 1930 11930
object network CentroValle_1946
 nat (CARRIERS,OUTSIDE) static interface service tcp 1946 11946
object network Stgo4646_3050
 nat (CMTS,OUTSIDE) static 170.X.X.28 service tcp 3050 13050
object network AutopartesStgo_Suc_NI_81
 nat (CARRIERS,OUTSIDE) static interface service tcp 81 10081
object network AutopartesStgo_Suc_NI_554
 nat (CARRIERS,OUTSIDE) static interface service tcp rtsp 10554
object network AutopartesStgo_Suc_NI_8000
 nat (CARRIERS,OUTSIDE) static interface service tcp 8000 18000
object network Ferrepisos_NI_3389
 nat (CARRIERS,OUTSIDE) static interface service tcp 3389 13389
object network Ferrepisos_NI_8081
 nat (CARRIERS,OUTSIDE) static interface service tcp 8081 18081
object network CACTI_Carrier
 nat (CARRIERS,OUTSIDE) static 170.X.X.6
object network ALTAI
 nat (INSIDE_Prueba,OUTSIDE) static 170.X.X.4
!
nat (CARRIERS,OUTSIDE) after-auto source dynamic any interface
nat (INSIDE_Prueba,OUTSIDE) after-auto source dynamic any interface
nat (CMTS,OUTSIDE) after-auto source dynamic 10.45.0.0 170.X.X.28
nat (OUTSIDE,OUTSIDE) after-auto source static pool-vpn-prueba interface no-proxy-arp
access-group CARRIERS_access_in in interface CARRIERS
access-group CARRIERS_access_out out interface CARRIERS
access-group INSIDE_Prueba_access_out out interface INSIDE_Prueba
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 170.X.X.1 1
route CMTS 10.8.0.0 255.255.0.0 192.168.61.102 1
route CMTS 10.9.0.0 255.255.0.0 192.168.61.102 1
route CMTS 10.10.0.0 255.255.0.0 192.168.61.101 1
route CMTS 10.11.0.0 255.255.0.0 192.168.61.101 1
route CMTS 10.12.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.13.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.16.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.17.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.18.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.19.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route FTTH 10.30.0.0 255.255.0.0 192.168.51.50 1
route CMTS 10.32.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.33.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.34.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.35.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.36.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.37.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.40.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.41.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.44.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.45.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.46.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.47.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.48.0.0 255.255.0.0 192.168.61.138 1
route CMTS 10.49.0.0 255.255.0.0 192.168.61.138 1
route CMTS 10.50.0.0 255.255.0.0 192.168.61.139 1
route CMTS 10.51.0.0 255.255.0.0 192.168.61.139 1
route INSIDE_Prueba 10.228.0.0 255.255.0.0 192.168.62.253 1
route INSIDE_Prueba 172.16.99.0 255.255.255.0 192.168.62.253 1
route INSIDE_Prueba 192.168.199.0 255.255.255.0 192.168.62.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server host management 192.168.0.2 community ***** udp-port 161
snmp-server location Site-Dg
no snmp-server contact
snmp-server community *****
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ca trustpool policy
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.255.0 management
ssh 192.168.0.0 255.255.255.0 INSIDE_Prueba
ssh 200.Y.Y.3 255.255.255.255 OUTSIDE
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE_Prueba
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy policiy-tunel-vpn-prueba-all internal
group-policy policiy-tunel-vpn-prueba-all attributes
 dns-server value 209.244.0.3 209.244.0.4
 vpn-tunnel-protocol ikev1 ssl-clientless
 split-tunnel-policy tunnelall
group-policy policiy-tunel-vpn-prueba-split internal
group-policy policiy-tunel-vpn-prueba-split attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-tunel-vpn-prueba
username fermin password vWzyma2s encrypted privilege 15
username gaspar password uFhUHyhgi encrypted privilege 15
username extra password Mgi9n5y3x encrypted privilege 15
tunnel-group tunel-vpn-prueba type remote-access
tunnel-group tunel-vpn-prueba general-attributes
 address-pool pool-vpn-prueba
 default-group-policy policiy-tunel-vpn-prueba-split
tunnel-group tunel-vpn-prueba ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 7
  subscribe-to-alert-group configuration periodic monthly 7
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a33559ffa672a6fb650
: end
ASA5580#

Does your switch have any static routes configured? I suspect I may know the issue.

Could you please post the output of the following command from your switch:

show run | section ip route

Sorry, I forgot to mention that both interfaces are connected to different switches: INSIDE is connected to a 3750 switch and FTTH is connected to a 3850 switch. Supposing you want me to run the command on the 3850, here you go:

SW3850_Core#show run | section ip route
ip route 0.0.0.0 0.0.0.0 192.168.60.254
ip route 10.26.0.0 255.255.0.0 192.168.61.123
ip route 10.27.0.0 255.255.0.0 192.168.61.123
ip route 172.16.8.0 255.255.255.0 192.168.60.254
ip route 172.30.0.0 255.255.254.0 192.168.60.254
ip route 192.168.61.0 255.255.255.0 192.168.61.254
ip route 192.168.62.0 255.255.255.0 192.168.20.223

Where is 192.168.60.254 in physical relation to the 3850 and the ASA?

It is in another ASA (5540)...

Is that ASA 5540 in between the core switch and the ASA 5580?

Not between; it is connected to another port in the 3850, like the 5580...

The 5540 is in port g1/0/1 and the 5580 in port t1/1/3....

Besides that, I ran some tests on the 5580:

ASA5580# packet-tracer input ftTH tcp 192.168.51.40 1024 8.8.8.8 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (FTTH,OUTSIDE) source dynamic any 170.X.X.10
Additional Information:
Dynamic translate 192.168.51.40/1024 to 170.X.X.10/1024

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (FTTH,OUTSIDE) source dynamic any 170.X.X.10
Additional Information:

Phase: 7      
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2128048568, packet dispatched to next module

Result:
input-interface: FTTH
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

and the other way around:

ASA5580# packet-tracer input ouTSIDE tcp 8.8.8.8 12345 170.X.X.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   170.X.X.0    255.255.255.240 OUTSIDE

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop  
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

Hi,

Looks like the 5580 is working as expected, but you are default routing everything to the 5540 in the 3850.
Is that what you want?
If so the problem is probably in the 5540 and not in the 5580.
If you do a packet capture on the 5540, do you see the client traffic there?

# to capture traffic, need to change X to correct interface.
capture A interface X match ip host 192.168.51.40 host 8.8.8.8
# to see the capture
show capture A

br, Micke
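To make Micke's point concrete, here is an added example (not from the thread or from Cisco) that runs a longest-prefix match over the route tables quoted above: the 3850's `ip route` lines and three of the 5580's `route` lines. The device labels for the next hops and the connected-network list are my assumptions taken from the interface config and the replies.

```python
"""Longest-prefix-match walk-through of the routing question in this thread.

Added example, not from the thread or from Cisco: the route lines are copied
from the `show run | section ip route` and `route` output quoted above (only
three of the 5580's routes), and the device labels are my assumptions.
"""
import ipaddress

SWITCH_FTTH_ADDR = "192.168.51.253"   # vlan51 SVI on the 3850 (from the question)
ASA5580_FTTH_ADDR = "192.168.51.254"  # FTTH interface of the 5580

# Next hop -> device, as described in the thread ("is in another ASA (5540)").
DEVICES = {"192.168.60.254": "ASA5540", ASA5580_FTTH_ADDR: "ASA5580"}

SWITCH_ROUTES = """\
ip route 0.0.0.0 0.0.0.0 192.168.60.254
ip route 10.26.0.0 255.255.0.0 192.168.61.123
ip route 10.27.0.0 255.255.0.0 192.168.61.123
ip route 172.16.8.0 255.255.255.0 192.168.60.254
ip route 172.30.0.0 255.255.254.0 192.168.60.254
ip route 192.168.61.0 255.255.255.0 192.168.61.254
ip route 192.168.62.0 255.255.255.0 192.168.20.223
"""

ASA_ROUTES = """\
route OUTSIDE 0.0.0.0 0.0.0.0 170.X.X.1 1
route FTTH 10.30.0.0 255.255.0.0 192.168.51.50 1
route INSIDE_Prueba 10.228.0.0 255.255.0.0 192.168.62.253 1
"""
# Directly connected networks, taken from the 5580's interface stanzas.
ASA_CONNECTED = {"FTTH": "192.168.51.0/24", "INSIDE_Prueba": "192.168.62.0/24",
                 "CMTS": "192.168.61.0/24"}


def parse_routes(text, asa=False):
    """Turn IOS `ip route` or ASA `route` lines into (prefix, next_hop, iface)."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if asa:      # route <iface> <net> <mask> <next-hop> <metric>
            _, iface, net, mask, nh, _metric = parts
        else:        # ip route <net> <mask> <next-hop>
            _, _, net, mask, nh = parts
            iface = None
        table.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), nh, iface))
    return table


def lookup(table, dst):
    """Longest-prefix match for dst; returns (prefix, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in table:
        if addr in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


SWITCH_TABLE = parse_routes(SWITCH_ROUTES)
ASA_TABLE = parse_routes(ASA_ROUTES, asa=True) + [
    (ipaddress.ip_network(net), "connected", iface) for iface, net in ASA_CONNECTED.items()]


def egress_device(client_gateway, dst):
    """Name the device that first forwards a vlan51 client's packet toward dst."""
    if client_gateway == ASA5580_FTTH_ADDR:
        return "ASA5580"                    # client hands the packet straight to the 5580
    if client_gateway == SWITCH_FTTH_ADDR:
        nh = lookup(SWITCH_TABLE, dst)[1]   # the 3850 chooses from its own table
        return DEVICES.get(nh, f"unknown next hop {nh}")
    raise ValueError(f"{client_gateway} is not a gateway on vlan51")


if __name__ == "__main__":
    for gw in (ASA5580_FTTH_ADDR, SWITCH_FTTH_ADDR):
        print(f"GW {gw}: 192.168.51.40 -> 8.8.8.8 leaves via {egress_device(gw, '8.8.8.8')}")
    # The 5580 side matches packet-tracer phase 2: 8.8.8.8 hits the default toward
    # OUTSIDE, and the client subnet is a connected route on FTTH.
    print(lookup(ASA_TABLE, "8.8.8.8"), lookup(ASA_TABLE, "192.168.51.40"))
```

Run it and the first two lines show the asymmetry Micke describes: with the 3850 as gateway, its default route hands the flow to the 5540 rather than the 5580, so the 5580 never sees it on FTTH.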
