Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA 8.4, subnets unable to reach outside

I'm replacing our current router with an ASA 5510 running 8.4(3) and I'm having what I think are NAT issues.

From the 192.168.0.0/24 subnet, I'm able to reach the outside world (via NAT/PAT) without any issues. However none of the internal subnets (e.g. 192.168.10.0/24) are able to. Packet-tracer shows no ACL issues. Any thoughts?

Here's my config:

ASA Version 8.4(3)

!

hostname gw

domain-name internal.mycompany.com

enable password asdf encrypted

passwd asdf encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 216.x.x.x 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone MST -7

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

domain-name internal.mycompany.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network public_dc

subnet 204.x.x.x 255.255.255.224

object network subnet_a

subnet 192.168.20.0 255.255.255.0

object network subnet_a_wireless

subnet 192.168.21.0 255.255.255.0

object network subnet_b

subnet 192.168.10.0 255.255.255.0

object network subnet_b_wireless

subnet 192.168.11.0 255.255.255.0

object network subnet_c

subnet 192.168.30.0 255.255.255.0

object network subnet_c_wireless

subnet 192.168.31.0 255.255.255.0

object network subnet_dc

subnet 10.10.10.0 255.255.255.192

object network subnet_server

subnet 192.168.5.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network subnet_primary

subnet 192.168.0.0 255.255.255.0

object network EXTERNAL_PAT

host 216.x.x.x

object-group network internal_lan_trusted

network-object object subnet_a

network-object object subnet_b

network-object object subnet_c

network-object object subnet_server

network-object object subnet_primary

object-group network internal_lan_wireless

network-object object subnet_b_wireless

network-object object subnet_c_wireless

network-object object subnet_a_wireless

object-group network mycompany_trusted_lan

network-object object subnet_a

network-object object subnet_b

network-object object subnet_c

network-object object subnet_server

network-object object subnet_dc

network-object object subnet_primary

object-group network mycompany_lan

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_dc

network-object object subnet_primary

network-object object subnet_server

object-group network mycompany_lan_internal

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_primary

network-object object subnet_server

access-list inside_access_in extended permit ip any any log disable

access-list global_access extended permit icmp any any log disable

access-list global_access extended permit ip any any log disable

access-list outside_access_in extended permit ip any any log disable

access-list outside_access_in extended permit icmp any any log disable

access-list split_tunnel extended permit ip object-group mycompany_lan any log disable

access-list DC_VPN_TRAFFIC extended permit ip object-group mycompany_trusted_lan object subnet_dc log disable

access-list DC_VPN_TRAFFIC extended permit icmp object-group mycompany_trusted_lan object subnet_dc log disable

access-list inside_access extended permit ip any any

access-list inside_acl extended permit ip object-group mycompany_lan any

access-list inside_acl extended permit icmp object-group mycompany_lan any

access-list outside_access_out extended permit ip any any log disable

access-list outside_access_out extended permit icmp any any log disable

no pager

logging enable

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

mtu temporary 1500

ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

!

nat (inside,outside) source static mycompany_lan mycompany_lan destination static mycompany_lan mycompany_lan

nat (inside,outside) after-auto source dynamic mycompany_lan_internal interface

!

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group inside_acl in interface inside

access-group inside_acl out interface inside

access-group global_access global

!

router eigrp 10

network 192.168.0.0 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 216.x.x.x 1

route inside 192.168.5.0 255.255.255.0 192.168.0.6 1

route inside 192.168.10.0 255.255.255.0 192.168.0.10 1

route inside 192.168.11.0 255.255.255.0 192.168.0.10 1

route inside 192.168.20.0 255.255.255.0 192.168.0.20 1

route inside 192.168.21.0 255.255.255.0 192.168.0.20 1

route inside 192.168.30.0 255.255.255.0 192.168.0.30 1

route inside 192.168.31.0 255.255.255.0 192.168.0.30 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server mycompany protocol radius

aaa-server mycompany (inside) host 192.168.5.29

key *****

radius-common-pw *****

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec fragmentation after-encryption outside

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DC_VPN_MAP 1 match address DC_VPN_TRAFFIC

crypto map DC_VPN_MAP 1 set pfs

crypto map DC_VPN_MAP 1 set peer 204.x.x.x

crypto map DC_VPN_MAP 1 set ikev1 transform-set ESP-3DES-SHA

crypto map DC_VPN_MAP interface outside

crypto ca trustpoint anyconnect_trustpoint

enrollment self

subject-name CN=gw

crl configure

crypto ca certificate chain anyconnect_trustpoint

certificate 48733d4f

    308201e3 3082014c a0030201 02020448 733d4f30 0d06092a 864886f7 0d010105

    05003036 310b3009 06035504 03130267 77312730 2506092a 864886f7 0d010902

    16186777 2e696e74 65726e61 6c2e7370 61726b66 756e2e63 6f6d301e 170d3132

    30323136 32323331 30375a17 0d323230 32313332 32333130 375a3036 310b3009

    06035504 03130267 77312730 2506092a 864886f7 0d010902 16186777 2e696e74

    65726e61 6c2e7370 61726b66 756e2e63 6f6d3081 9f300d06 092a8648 86f70d01

    01010500 03818d00 30818902 818100dd c12be975 8e68594c 3d3f2e20 2deab59b

    5a584d62 f1dc0a2f 34bfbf7b a3cda514 c9b8cd7a 371920b4 20460ff8 0bc15eea

    8ce801d1 96745f83 c6218cee d87d0d47 8b1eb05a f2f65367 069a99ff 3af5bd3a

    4a1bbb79 b0229e81 1a507670 bb7aa46e 9224791c a9e353ec 60a262ea 7a262909

    56afa944 536864b5 4e93a19d b77df302 03010001 300d0609 2a864886 f70d0101

    05050003 81810078 7c5c652a 3f1b296d 72cca5f8 a8ba36f3 110a21bc 6c501c88

    22eed1db 086dac0a 90d1cecd e870c113 b1614445 fc0e3505 1b569c1a c196d1d1

    6af0efff f8c6e76a eb269b7f bae0cbf0 5cb4f010 f35496a3 504c8001 f81c3b7f

    e98a2cae 6610bdd7 2a25ccba ac5d735a 71c72069 53653a7a c0ef0121 0adfe7b6

    58798f08 0750d8

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint anyconnect_trustpoint

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 management

ssh timeout 60

console timeout 0

dhcpd address 192.168.0.20-192.168.0.100 inside

dhcpd dns 192.168.5.47 interface inside

dhcpd wins 192.168.5.29 interface inside

dhcpd ping_timeout 20 interface inside

dhcpd domain internal.mycompany.com interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 91.189.94.4 source outside prefer

ssl trust-point anyconnect_trustpoint outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2

anyconnect image disk0:/anyconnect-linux-64-2.5.3054-k9.pkg 3

anyconnect image disk0:/anyconnect-linux-2.5.3054-k9.pkg 4

anyconnect profiles mycompany_anyconnect_client_profile disk0:/mycompany_anyconnect_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server value 192.168.5.29

dns-server value 192.168.5.46

vpn-tunnel-protocol ikev1 ikev2 ssl-client

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.mycompany.com

group-policy DfltGrpPolicy attributes

dns-server value 8.8.8.8

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel

default-domain value internal.mycompany.com

group-policy mycompany internal

group-policy mycompany attributes

wins-server value 192.168.5.29

dns-server value 192.168.5.46

vpn-tunnel-protocol ikev1

split-tunnel-network-list value split_tunnel

default-domain value internal.mycompany.com

group-policy GroupPolicy_mycompany_anyconnect internal

group-policy GroupPolicy_mycompany_anyconnect attributes

wins-server value 192.168.5.29

dns-server value 192.168.5.46

vpn-tunnel-protocol ikev2 ssl-client

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.mycompany.com

webvpn

  anyconnect profiles value mycompany_anyconnect_client_profile type user

tunnel-group DefaultRAGroup general-attributes

address-pool vpn_pool

authentication-server-group (temporary) mycompany LOCAL

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group (temporary) mycompany LOCAL

tunnel-group mycompany_anyconnect type remote-access

tunnel-group mycompany_anyconnect general-attributes

address-pool vpn_pool

authentication-server-group (temporary) mycompany LOCAL

default-group-policy GroupPolicy_mycompany_anyconnect

tunnel-group mycompany_anyconnect webvpn-attributes

group-alias mycompany_anyconnect enable

tunnel-group mycompany type remote-access

tunnel-group mycompany general-attributes

address-pool vpn_pool

authentication-server-group (temporary) mycompany LOCAL

default-group-policy mycompany

tunnel-group mycompany ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DC_VPN type ipsec-l2l

tunnel-group 204.x.x.x type ipsec-l2l

tunnel-group 204.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

password encryption aes

Cryptochecksum:3a10facef4d0c6fe63bf34d5899274f9

: end


Everyone's tags (2)
6 REPLIES
VIP Super Bronze

Re: ASA 8.4, subnets unable to reach outside

What is connected to ASA on the internal side?

Are u running EIGRP with that device?

Sent from Cisco Technical Support iPhone App

New Member

Re: ASA 8.4, subnets unable to reach outside

Routers on the 192.168.0.0/24 network are connected via a switch. All internal 192.168.0.0/16 hosts are able to communicate with each other.

EIGRP is running on all devices, though I was having some issues so I added static routes on the ASA

Purple

Re: ASA 8.4, subnets unable to reach outside

Hi,

what is packet-tracer telling you ?

maybe  you could do a packet capture on inside and outside interfaces and post it here too.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: ASA 8.4, subnets unable to reach outside

Packet tracer output:

gw# packet-tracer input inside tcp 192.168.5.1 4900 8.8.8.8 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_acl in interface inside

access-list inside_acl extended permit ip object-group mycompany_lan any

object-group network mycompany_lan

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_dc

network-object object subnet_primary

network-object object subnet_server

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) after-auto source dynamic mycompany_lan_internal interface

Additional Information:

Dynamic translate 192.168.5.1/4900 to 216.x.x.x/4900

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_out out interface outside

access-list outside_access_out extended permit ip any any log disable

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 49776, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Bronze

ASA 8.4, subnets unable to reach outside

Did you try to change the network statement in eigrp to include other subnets too?

router eigrp 10

network 192.168.0.0 255.255.0.0

Also can you post the output of "sh ip route"

New Member

Re: ASA 8.4, subnets unable to reach outside

I did try setting the ASA's EIGRP network to /16, which didn't seem to make a difference.

gw# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 216.x.x.x to network 0.0.0.0

S    192.168.31.0 255.255.255.0 [1/0] via 192.168.0.30, inside

S    192.168.30.0 255.255.255.0 [1/0] via 192.168.0.30, inside

S    192.168.10.0 255.255.255.0 [1/0] via 192.168.0.10, inside

S    192.168.11.0 255.255.255.0 [1/0] via 192.168.0.10, inside

C    216.x.x.x 255.255.255.224 is directly connected, outside

S    192.168.21.0 255.255.255.0 [1/0] via 192.168.0.20, inside

S    192.168.20.0 255.255.255.0 [1/0] via 192.168.0.20, inside

S    192.168.5.0 255.255.255.0 [1/0] via 192.168.0.6, inside

S    192.168.0.104 255.255.255.255 [1/0] via 216.x.x.x, outside <--- Not sure why this is here..?

C    192.168.0.0 255.255.255.0 is directly connected, inside

S*   0.0.0.0 0.0.0.0 [1/0] via 216.x.x.x, outside

774
Views
0
Helpful
6
Replies
CreatePlease to create content