Solved

ASA 5505, PAT/NAT stops working after a while

Posted on 2008-02-07
Last Modified: 2013-11-16
Hello

We have a Cisco ASA 5505, and it works quite well. But we have a problem that we cannot find a solution to.

Our DMZ with PAT just stops working after a few hours. If I restart the machine it will work for a couple of hours and then it will stop again.

I see this in the log files:

2008-01-30 21:46:38 Local4.Debug 10.80.1.253 %ASA-7-711002: Task ran for 16 msec, Process = Unicorn Proxy Thread, PC = 8ab7a5d, Traceback =
2008-01-30 21:46:38 Local4.Debug 10.80.1.253 %ASA-7-711002: Task ran for 16 msec, Process = Unicorn Proxy Thread, PC = 8ab7a5d, Traceback =   0x08AB7A5D  0x08AA1DDA  0x08AA3786  0x08AA3835  0x08AA4958  0x08AA63A8  0x08AA193E  0x08D8327D  0x08D7B33A  0x0805E033
 
2008-01-31 08:05:31 Local4.Debug 10.80.1.253 %ASA-7-711002: Task ran for 15 msec, Process = Unicorn Proxy Thread, PC = 8ab7a5d, Traceback =
2008-01-31 08:05:31 Local4.Debug 10.80.1.253 %ASA-7-711002: Task ran for 15 msec, Process = Unicorn Proxy Thread, PC = 8ab7a5d, Traceback =   0x08AB7A5D  0x08AA1DDA  0x08AA3786  0x08AA3835  0x08AA4958  0x08AA63A8  0x08AA193E  0x08D8327D  0x08D7B33A  0x0805E033



The configuration is below; external IPs are replaced with xxx.


: Saved
:
ASA Version 8.0(3)
!
hostname gw
domain-name smab.local
enable password encrypted
names
!
interface Vlan2
 nameif outside-bbb
 security-level 0
 dhcp client route distance 2
 ip address dhcp setroute
 ospf cost 10
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface Vlan13
 nameif inside
 security-level 100
 ip address 10.80.1.253 255.255.255.0
 ospf cost 10
!
interface Vlan23
 backup interface Vlan2
 nameif outside-ve
 security-level 0
 ip address xxx.xxx.xxx.191 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 23
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 13
!
interface Ethernet0/3
 switchport access vlan 13
!
interface Ethernet0/4
 switchport access vlan 13
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.80.1.1
 name-server 10.80.1.4
 domain-name smab.local
same-security-traffic permit intra-interface
object-group icmp-type OBJ_IN-ICMP
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group service SQL-Server tcp
 port-object eq 1433
 port-object eq 1434
object-group service MAIL-Related tcp
 port-object eq 465
 port-object eq 993
 port-object eq 995
 port-object eq imap4
 port-object eq pop3
object-group service DM_INLINE_TCP_1 tcp
 group-object MAIL-Related
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 group-object MAIL-Related
 port-object eq pptp
 port-object eq ftp
 port-object eq ftp-data
object-group service Other tcp
 port-object eq 3000
 port-object eq 3390
object-group service RDP tcp
 port-object eq 3389
object-group service UDP-4500 udp
 port-object eq 4500
object-group network obj_net-spoof
 description obj_net-spoof
 network-object host 0.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq www
 service-object tcp eq https
 service-object udp eq domain
 service-object icmp
 service-object udp eq ntp
object-group service DM_INLINE_TCP_4 tcp
 group-object MAIL-Related
 port-object eq smtp
object-group service DM_INLINE_UDP_1 udp
 port-object eq domain
 port-object eq ntp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_5 tcp
 group-object RDP
 group-object SQL-Server
object-group service tivoli_backup tcp
 description ports for backup
 port-object eq 1500
 port-object eq 1581
 port-object eq 1801
 port-object eq 32768
 port-object eq 8421
object-group network DM_INLINE_NETWORK_1
 network-object 10.99.194.0 255.255.255.0
 network-object host 10.99.192.7
access-list intranet_access_in extended permit icmp any any
access-list intranet_access_in remark VE smtp
access-list intranet_access_in extended permit tcp any host xxx.xxx.xxx.60 eq smtp
access-list intranet_access_in remark tenggren smtp
access-list intranet_access_in extended permit tcp any host xxx.xxx.xxx.85 eq smtp
access-list intranet_access_in remark josj smtp
access-list intranet_access_in extended permit tcp any host xxx.xxx.xxx.48 eq smtp
access-list intranet_access_in remark donators smtp
access-list intranet_access_in extended permit tcp any host xxx.xxx.xxx.150 eq smtp
access-list intranet_access_in extended permit ip 10.80.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list intranet_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list intranet_access_in extended permit tcp any any eq 1863
access-list intranet_access_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list intranet_access_in extended permit tcp 10.80.1.48 255.255.255.240 any object-group DM_INLINE_TCP_3
access-list intranet_access_in extended permit tcp 10.80.1.48 255.255.255.240 10.99.194.0 255.255.255.0 object-group DM_INLINE_TCP_5
access-list intranet_access_in remark Backup LOKE till donator
access-list intranet_access_in extended permit tcp host 10.80.1.1 host 10.99.192.7 object-group tivoli_backup
access-list intranet_access_in extended deny ip any 10.99.194.0 255.255.255.0
access-list intranet_access_in extended deny ip any host 10.99.192.7
access-list acl_nonat extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list acl_nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
access-list acl_nonat extended permit ip 10.80.1.0 255.255.255.0 10.99.194.0 255.255.255.0 inactive
access-list outside-ve_access_in extended deny ip object-group obj_net-spoof any
access-list outside-ve_access_in extended permit icmp any any object-group OBJ_IN-ICMP
access-list outside-ve_access_in extended permit tcp any host xxx.xxx.xxx.193 object-group DM_INLINE_TCP_2
access-list outside-ve_1_cryptomap extended permit ip 10.80.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside-ve_cryptomap_1 extended permit ip 10.80.1.0 255.255.255.0 10.99.194.0 255.255.255.0
access-list outside-bbb_access_in extended deny ip object-group obj_net-spoof any
access-list dmz_access_in extended permit tcp host 192.168.2.40 any object-group DM_INLINE_TCP_4
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 192.168.2.0 255.255.255.0 any
access-list acl_nonat_dmz_to_vpn extended permit ip 192.168.2.0 255.255.255.0 10.81.1.0 255.255.255.0
pager lines 24
logging enable
logging trap debugging
logging asdm warnings
logging from-address sysop@xxxx.domain.com
logging recipient-address sysop@xxxx.domain.com level errors
logging host inside 10.80.1.4
no logging message 710005
mtu outside-bbb 1500
mtu dmz 1500
mtu inside 1500
mtu outside-ve 1500
ip local pool VPN-Pool 10.81.1.1-10.81.1.253 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (outside-bbb) 1 interface
global (outside-ve) 1 interface
nat (dmz) 0 access-list acl_nonat_dmz_to_vpn
nat (dmz) 1 192.168.2.0 255.255.255.0
nat (inside) 0 access-list acl_nonat
nat (inside) 1 10.80.1.0 255.255.255.0
nat (outside-ve) 1 10.81.1.0 255.255.255.0
static (inside,outside-ve) tcp xxx.xxx.xxx.193 pptp 10.80.1.4 pptp netmask 255.255.255.255
static (dmz,outside-ve) tcp xxx.xxx.xxx.193 www 192.168.2.10 www netmask 255.255.255.255
static (dmz,outside-ve) tcp xxx.xxx.xxx.193 https 192.168.2.40 https netmask 255.255.255.255
static (dmz,outside-ve) tcp xxx.xxx.xxx.193 ftp 192.168.2.10 ftp netmask 255.255.255.255
static (dmz,outside-ve) tcp xxx.xxx.xxx.193 imap4 192.168.2.40 imap4 netmask 255.255.255.255
static (dmz,outside-ve) tcp xxx.xxx.xxx.193 pop3 192.168.2.40 pop3 netmask 255.255.255.255
static (dmz,outside-ve) tcp xxx.xxx.xxx.193 smtp 192.168.2.40 smtp netmask 255.255.255.255
static (dmz,outside-ve) tcp xxx.xxx.xxx.193 993 192.168.2.40 993 netmask 255.255.255.255
static (dmz,outside-ve) tcp xxx.xxx.xxx.193 995 192.168.2.40 995 netmask 255.255.255.255
access-group outside-bbb_access_in in interface outside-bbb
access-group dmz_access_in in interface dmz
access-group intranet_access_in in interface inside
access-group outside-ve_access_in in interface outside-ve
route outside-ve 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol radius
aaa-server AD host 10.80.1.4
 key
 radius-common-pw
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http xxx.xxx.xxx.113 255.255.255.255 outside-ve
http 10.80.1.0 255.255.255.0 inside
http 10.81.1.0 255.255.255.0 inside
http xxx.xxx.xxx.75 255.255.255.255 outside-ve
http xxx.xxx.xxx.94 255.255.255.255 outside-ve
http xxx.xxx.xxx.137 255.255.255.255 outside-ve
snmp-server host inside 10.80.1.2 community smab version 2c
snmp-server location Varberg
snmp-server contact IT
snmp-server community smab
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside-bbb
sysopt noproxyarp dmz
sysopt noproxyarp inside
sysopt noproxyarp outside-ve
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside-ve_map 1 match address outside-ve_1_cryptomap
crypto map outside-ve_map 1 set pfs
crypto map outside-ve_map 1 set peer xxx.xxx.xxx.120
crypto map outside-ve_map 1 set transform-set ESP-3DES-MD5
crypto map outside-ve_map 1 set nat-t-disable
crypto map outside-ve_map interface outside-ve
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 fqdn gw
 subject-name CN=gw
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 fqdn gw
 subject-name CN=gw
 keypair ASDM_TrustPoint2
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint2
 certificate 4a2a7830ef4b18b6c4a366b7ca8fa57e
    3082039b 30820304 a0030201 0202104a 2a7830ef 4b18b6c4 a366b7ca 8fa57e30
    0d06092a 864886f7 0d010105 05003081 c4310b30 09060355 04061302 5a413115
  quit
crypto isakmp enable outside-ve
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.80.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.80.1.0 255.255.255.0 inside
ssh 10.81.1.0 255.255.255.0 inside
ssh xxx.xxx.xxx.113 255.255.255.255 outside-ve
ssh xxx.xxx.xxx.75 255.255.255.255 outside-ve
ssh xxx.xxx.xxx.137 255.255.255.255 outside-ve
ssh xxx.xxx.xxx.94 255.255.255.255 outside-ve
ssh timeout 5
ssh version 2
console timeout 0
dhcp-client broadcast-flag
dhcp-client client-id interface outside-bbb
dhcpd auto_config outside-bbb
!

threat-detection basic-threat
threat-detection statistics
ntp server 10.80.1.4 source inside prefer
ssl trust-point ASDM_TrustPoint2
ssl trust-point ASDM_TrustPoint2 outside-ve
ssl trust-point ASDM_TrustPoint2 inside
webvpn
 enable outside-ve
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.0.0343-k9.pkg 2
 svc image disk0:/anyconnect-linux-2.0.0343-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 10.80.1.4
 dns-server value 10.80.1.1 10.80.1.4
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value smab.local
 address-pools value VPN-Pool
group-policy Support internal
group-policy Support attributes
 vpn-tunnel-protocol webvpn
 group-lock value TunnelGroupSupport
 webvpn
  url-list value BookMark-Support
  customization value Portal-Support
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
group-policy Intern internal
group-policy Intern attributes
 vpn-tunnel-protocol svc webvpn
 group-lock value TunnelGroupIntern
 webvpn
  url-list value BookMark-Intern
  customization value Portal-Intern
  hidden-shares none
  file-entry enable
  file-browsing enable
  url-entry enable
  auto-signon allow ip 10.80.1.0 255.255.255.0 auth-type all
username patrik password encrypted privilege 15
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 10.80.1.4 master timeout 2 retry 2
tunnel-group TunnelGroupIntern type remote-access
tunnel-group TunnelGroupIntern general-attributes
 address-pool VPN-Pool
 authentication-server-group AD
 default-group-policy Intern
 password-management
tunnel-group TunnelGroupIntern webvpn-attributes
 group-alias Intern enable
tunnel-group TunnelGroupSupport type remote-access
tunnel-group TunnelGroupSupport general-attributes
 authentication-server-group AD
 default-group-policy Support
 password-management
tunnel-group TunnelGroupSupport webvpn-attributes
 group-alias Support enable
tunnel-group xxx.xxx.xxx.120 type ipsec-l2l
tunnel-group xxx.xxx.xxx.120 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
 match default-inspection-traffic
class-map type inspect im match-all msn
 description msn
 match protocol msn-im
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1280
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
smtp-server xxx.xxx.xxx.60
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:
: end
asdm image disk0:/asdm-603.bin
asdm history enable
Question by:Brimba
25 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 20840092
Does clear xlate help?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20840095
If yes, then wait some time and issue show xlate to see what is going on with translations.
0
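
One way to act on the show xlate suggestion above, as an added example that is not part of the original thread: the script reads the nat and static lines of a saved configuration plus a captured show xlate, then counts static and dynamic PAT entries per NAT source network. The sample input is constructed (203.0.113.x stands in for the masked outside addresses), and all function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# ASA service names used by the static rules in the posted configuration.
SERVICE_PORTS = {"pptp": 1723, "www": 80, "https": 443, "ftp": 21,
                 "imap4": 143, "pop3": 110, "smtp": 25}

NAT_RE = re.compile(
    r"^nat \(([\w-]+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
STATIC_RE = re.compile(
    r"^static \(([\w-]+),([\w-]+)\) (?:tcp|udp) \S+ \S+ (\d+\.\d+\.\d+\.\d+) (\S+)")
# Matches the ASA 8.0 "show xlate" line format; the global address is kept
# as text so masked output (xxx.xxx.xxx.191) still parses.
XLATE_RE = re.compile(
    r"^PAT Global (\S+?)\((\d+)\) Local (\d+\.\d+\.\d+\.\d+)\((\d+)\)")

# Constructed sample input, modelled on the configuration in the question.
SAMPLE_CONFIG = """\
nat (dmz) 0 access-list acl_nonat_dmz_to_vpn
nat (dmz) 1 192.168.2.0 255.255.255.0
nat (inside) 0 access-list acl_nonat
nat (inside) 1 10.80.1.0 255.255.255.0
static (inside,outside-ve) tcp 203.0.113.193 pptp 10.80.1.4 pptp netmask 255.255.255.255
static (dmz,outside-ve) tcp 203.0.113.193 www 192.168.2.10 www netmask 255.255.255.255
static (dmz,outside-ve) tcp 203.0.113.193 smtp 192.168.2.40 smtp netmask 255.255.255.255
"""

# Constructed sample "show xlate" capture.
SAMPLE_XLATE = """\
7 in use, 7 most used
PAT Global 203.0.113.193(1723) Local 10.80.1.4(1723)
PAT Global 203.0.113.193(80) Local 192.168.2.10(80)
PAT Global 203.0.113.193(25) Local 192.168.2.40(25)
PAT Global 203.0.113.191(19332) Local 10.80.1.100(1806)
PAT Global 203.0.113.191(19331) Local 10.80.1.100(1805)
PAT Global 203.0.113.191(19284) Local 10.80.1.70(1334)
PAT Global 203.0.113.191(1393) Local 10.80.1.4(1067)
"""


def parse_config(config_text):
    """Return ({interface: network} for dynamic nat rules,
    {(local_ip, local_port)} for static port forwards)."""
    nat_nets, statics = {}, set()
    for line in config_text.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m and m.group(2) != "0":      # nat id 0 is a NAT exemption rule
            nat_nets[m.group(1)] = ipaddress.ip_network(
                f"{m.group(3)}/{m.group(4)}")
            continue
        m = STATIC_RE.match(line)
        if m:
            token = m.group(4)
            port = int(token) if token.isdigit() else SERVICE_PORTS.get(token)
            if port is not None:         # skip service names not in the table
                statics.add((m.group(3), port))
    return nat_nets, statics


def summarize_xlate(xlate_text, nat_nets, statics):
    """Count static and dynamic PAT entries per NAT source interface."""
    summary = {name: {"static": 0, "dynamic": 0, "hosts": Counter()}
               for name in nat_nets}
    for line in xlate_text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue                     # header line or another entry type
        local_ip, local_port = m.group(3), int(m.group(4))
        addr = ipaddress.ip_address(local_ip)
        for name, net in nat_nets.items():
            if addr in net:
                if (local_ip, local_port) in statics:
                    summary[name]["static"] += 1
                else:
                    summary[name]["dynamic"] += 1
                    summary[name]["hosts"][local_ip] += 1
                break
    return summary


def networks_without_dynamic_pat(summary):
    """Interfaces that have a dynamic nat rule but no dynamic entry right now."""
    return sorted(name for name, s in summary.items() if s["dynamic"] == 0)


if __name__ == "__main__":
    nets, static_set = parse_config(SAMPLE_CONFIG)
    result = summarize_xlate(SAMPLE_XLATE, nets, static_set)
    for name, s in result.items():
        print(name, "static:", s["static"], "dynamic:", s["dynamic"],
              "top hosts:", s["hosts"].most_common(3))
    print("no dynamic PAT entries:", networks_without_dynamic_pat(result))
```

Run it against captures taken while connectivity works and again while it is down; comparing the two summaries shows whether translations for a given network stop being created or are simply not being used.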
 
LVL 4

Author Comment

by:Brimba
ID: 20848473
No, clear xlate does not help.

Any other suggestions?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20848562
OK
show xlate, show int, please, when there is no connectivity.

0
 
LVL 4

Author Comment

by:Brimba
ID: 20848588
Result of the command: "show int"

Interface Vlan2 "outside-bbb", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.a214.40b4, MTU 1500
      IP address xxx.xxx.xxx.188, subnet mask 255.255.252.0
  Traffic Statistics for "outside-bbb":
      620 packets input, 136577 bytes
      49 packets output, 27676 bytes
      574 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
      Backup state. Blocked 0 through-the-device packets

Interface Vlan3 "dmz", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.a214.40b4, MTU 1500
      IP address 192.168.2.1, subnet mask 255.255.255.0
  Traffic Statistics for "dmz":
      38452 packets input, 33409305 bytes
      29736 packets output, 3264188 bytes
      3376 packets dropped
      1 minute input rate 0 pkts/sec,  56 bytes/sec
      1 minute output rate 1 pkts/sec,  40 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  60 bytes/sec
      5 minute output rate 1 pkts/sec,  40 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan13 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.a214.40b4, MTU 1500
      IP address 10.80.1.253, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
      7071150 packets input, 8334353852 bytes
      4833363 packets output, 1691113230 bytes
      158019 packets dropped
      1 minute input rate 473 pkts/sec,  612559 bytes/sec
      1 minute output rate 281 pkts/sec,  39232 bytes/sec
      1 minute drop rate, 2 pkts/sec
      5 minute input rate 450 pkts/sec,  579510 bytes/sec
      5 minute output rate 274 pkts/sec,  42086 bytes/sec
      5 minute drop rate, 2 pkts/sec
Interface Vlan23 "outside-ve", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.a214.40b4, MTU 1500
      IP address xxx.xxx.xxx.191, subnet mask 255.255.255.0
  Traffic Statistics for "outside-ve":
      5583648 packets input, 2208940785 bytes
      7740380 packets output, 8894161312 bytes
      28555 packets dropped
      1 minute input rate 279 pkts/sec,  51460 bytes/sec
      1 minute output rate 471 pkts/sec,  635934 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 277 pkts/sec,  54866 bytes/sec
      5 minute output rate 449 pkts/sec,  601855 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40ac, MTU not set
      IP address unassigned
      6067571 packets input, 2346267531 bytes, 0 no buffer
      Received 387775 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      30064797042 switch ingress policy drops
      7739018 packets output, 9038274408 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40ad, MTU not set
      IP address unassigned
      3594 packets input, 500523 bytes, 0 no buffer
      Received 2 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      2974 switch ingress policy drops
      49 packets output, 28576 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/2 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 001d.a214.40ae, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/3 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40af, MTU not set
      IP address unassigned
      8202928 packets input, 9162248255 bytes, 0 no buffer
      Received 160430 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      83 switch ingress policy drops
      4832308 packets output, 1797456024 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/4 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 001d.a214.40b0, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/5 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 001d.a214.40b1, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/6 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40b2, MTU not set
      IP address unassigned
      43427 packets input, 34671989 bytes, 0 no buffer
      Received 142 broadcasts, 0 runts, 0 giants
      6 input errors, 1 CRC, 0 frame, 0 overrun, 1 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      42816 packets output, 14580482 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/7 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40b3, MTU not set
      IP address unassigned
      14264 packets input, 11271745 bytes, 0 no buffer
      Received 2582 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      8900 packets output, 1451871 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops

Result of the command: "show xlate"

267 in use, 412 most used
PAT Global xxx.xxx.xxx.193(1723) Local 10.80.1.4(1723)
PAT Global xxx.xxx.xxx.193(80) Local 192.168.2.10(80)
PAT Global xxx.xxx.xxx.193(443) Local 192.168.2.40(443)
PAT Global xxx.xxx.xxx.193(21) Local 192.168.2.10(21)
PAT Global xxx.xxx.xxx.193(143) Local 192.168.2.40(143)
PAT Global xxx.xxx.xxx.193(110) Local 192.168.2.40(110)
PAT Global xxx.xxx.xxx.193(25) Local 192.168.2.40(25)
PAT Global xxx.xxx.xxx.193(993) Local 192.168.2.40(993)
PAT Global xxx.xxx.xxx.193(995) Local 192.168.2.40(995)
PAT Global xxx.xxx.xxx.191(19332) Local 10.80.1.100(1806)
PAT Global xxx.xxx.xxx.191(19331) Local 10.80.1.100(1805)
PAT Global xxx.xxx.xxx.191(19330) Local 10.80.1.100(1804)
PAT Global xxx.xxx.xxx.191(19329) Local 10.80.1.100(1803)
PAT Global xxx.xxx.xxx.191(19327) Local 10.80.1.100(1802)
PAT Global xxx.xxx.xxx.191(19325) Local 10.80.1.100(1801)
PAT Global xxx.xxx.xxx.191(19321) Local 10.80.1.100(1800)
PAT Global xxx.xxx.xxx.191(19319) Local 10.80.1.100(1799)
PAT Global xxx.xxx.xxx.191(19318) Local 10.80.1.100(1798)
PAT Global xxx.xxx.xxx.191(19317) Local 10.80.1.100(1797)
PAT Global xxx.xxx.xxx.191(19316) Local 10.80.1.100(1796)
PAT Global xxx.xxx.xxx.191(19314) Local 10.80.1.100(1795)
PAT Global xxx.xxx.xxx.191(19310) Local 10.80.1.100(1794)
PAT Global xxx.xxx.xxx.191(19308) Local 10.80.1.100(1793)
PAT Global xxx.xxx.xxx.191(19307) Local 10.80.1.100(1792)
PAT Global xxx.xxx.xxx.191(19306) Local 10.80.1.100(1791)
PAT Global xxx.xxx.xxx.191(19305) Local 10.80.1.100(1790)
PAT Global xxx.xxx.xxx.191(19304) Local 10.80.1.100(1789)
PAT Global xxx.xxx.xxx.191(19303) Local 10.80.1.100(1788)
PAT Global xxx.xxx.xxx.191(19296) Local 10.80.1.100(1787)
PAT Global xxx.xxx.xxx.191(19295) Local 10.80.1.100(1786)
PAT Global xxx.xxx.xxx.191(18861) Local 10.80.1.100(1752)
PAT Global xxx.xxx.xxx.191(18860) Local 10.80.1.100(1751)
PAT Global xxx.xxx.xxx.191(18837) Local 10.80.1.100(1749)
PAT Global xxx.xxx.xxx.191(18836) Local 10.80.1.100(1748)
PAT Global xxx.xxx.xxx.191(18835) Local 10.80.1.100(1747)
PAT Global xxx.xxx.xxx.191(18834) Local 10.80.1.100(1746)
PAT Global xxx.xxx.xxx.191(18832) Local 10.80.1.100(1745)
PAT Global xxx.xxx.xxx.191(18831) Local 10.80.1.100(1744)
0
 
LVL 4

Author Comment

by:Brimba
ID: 20848596
By the way, I am running with the latest version

ASA: 8.0 (3)
ASDM: 6.0 (3)
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20848675
OK, can you describe your current situation:
can you access the internet from the 10.80.1.0 network?
can you ping your ASA from the 10.80.1.0 network?
can you ping the Cisco from the DMZ 192.168.2.0 network?
can you ping the outside interface of the Cisco from the 192.168.2.0 network?
0
 
LVL 4

Author Comment

by:Brimba
ID: 20848804
The 10.80.1.0 network is the LAN.
I can access internet from the LAN.
I can ping the cisco LAN interface from the LAN.
I cannot ping the cisco outside interface from the LAN.


The 192.168.2.0 network is the DMZ.
I can access internet from the DMZ.
I cannot ping the cisco LAN interface from the DMZ.
I cannot ping the cisco outside interface from the DMZ.


I can ping the cisco outside interface from the outside.
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20848898
Are you talking about the moment when you are experiencing the PAT issue?
0
 
LVL 4

Author Comment

by:Brimba
ID: 20849005
Yes, at that time; that was when the DMZ didn't work.

After a restart of the ASA I can access the DMZ again, and then these are the results (actually still the same as when it doesn't work):


The 10.80.1.0 network is the LAN.
I can access internet from the LAN.
I can ping the cisco LAN interface from the LAN.
I cannot ping the cisco outside interface from the LAN.


The 192.168.2.0 network is the DMZ.
I can access internet from the DMZ.
I cannot ping the cisco LAN interface from the DMZ.
I cannot ping the cisco outside interface from the DMZ.


I can ping the cisco outside interface from the outside.


One thing about this data though.
When I try to ping the cisco DMZ interface (192.168.2.1) from the DMZ it works. When I try to ping the DMZ interface from the LAN it does not work.





Result of the command: "show int"

Interface Vlan2 "outside-bbb", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.a214.40b4, MTU 1500
      IP address xxx.xxx.xxx.188, subnet mask 255.255.252.0
  Traffic Statistics for "outside-bbb":
      11 packets input, 2341 bytes
      8 packets output, 4060 bytes
      7 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  2 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
      Backup state. Blocked 0 through-the-device packets

Interface Vlan3 "dmz", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.a214.40b4, MTU 1500
      IP address 192.168.2.1, subnet mask 255.255.255.0
  Traffic Statistics for "dmz":
      2110 packets input, 1877067 bytes
      1756 packets output, 174010 bytes
      133 packets dropped
      1 minute input rate 7 pkts/sec,  8475 bytes/sec
      1 minute output rate 5 pkts/sec,  471 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 2 pkts/sec,  2344 bytes/sec
      5 minute output rate 1 pkts/sec,  204 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan13 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.a214.40b4, MTU 1500
      IP address 10.80.1.253, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
      30600 packets input, 3599147 bytes
      41282 packets output, 32272457 bytes
      2237 packets dropped
      1 minute input rate 36 pkts/sec,  2408 bytes/sec
      1 minute output rate 60 pkts/sec,  23033 bytes/sec
      1 minute drop rate, 2 pkts/sec
      5 minute input rate 49 pkts/sec,  4595 bytes/sec
      5 minute output rate 68 pkts/sec,  66678 bytes/sec
      5 minute drop rate, 2 pkts/sec
Interface Vlan23 "outside-ve", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.a214.40b4, MTU 1500
      IP address xxx.xxx.xxx.191, subnet mask 255.255.255.0
  Traffic Statistics for "outside-ve":
      48148 packets input, 37043331 bytes
      42854 packets output, 8633144 bytes
      582 packets dropped
      1 minute input rate 34 pkts/sec,  21854 bytes/sec
      1 minute output rate 33 pkts/sec,  12000 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 76 pkts/sec,  69976 bytes/sec
      5 minute output rate 58 pkts/sec,  8766 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40ac, MTU not set
      IP address unassigned
      53577 packets input, 38445811 bytes, 0 no buffer
      Received 3600 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      5438 switch ingress policy drops
      42844 packets output, 9548212 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40ad, MTU not set
      IP address unassigned
      41 packets input, 5768 bytes, 0 no buffer
      Received 2 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      30 switch ingress policy drops
      8 packets output, 4222 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/2 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 001d.a214.40ae, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/3 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40af, MTU not set
      IP address unassigned
      44768 packets input, 12989975 bytes, 0 no buffer
      Received 1764 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      23 switch ingress policy drops
      41246 packets output, 33021322 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/4 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 001d.a214.40b0, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/5 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 001d.a214.40b1, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/6 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40b2, MTU not set
      IP address unassigned
      2646 packets input, 1995526 bytes, 0 no buffer
      Received 3 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      2520 packets output, 942018 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/7 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.a214.40b3, MTU not set
      IP address unassigned
      826 packets input, 738296 bytes, 0 no buffer
      Received 21 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      625 packets output, 89296 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops








Result of the command: "show xlate"

180 in use, 272 most used
PAT Global xxx.xxx.xxx.193(1723) Local 10.80.1.4(1723)
PAT Global xxx.xxx.xxx.193(80) Local 192.168.2.10(80)
PAT Global xxx.xxx.xxx.193(443) Local 192.168.2.40(443)
PAT Global xxx.xxx.xxx.193(21) Local 192.168.2.10(21)
PAT Global xxx.xxx.xxx.193(143) Local 192.168.2.40(143)
PAT Global xxx.xxx.xxx.193(110) Local 192.168.2.40(110)
PAT Global xxx.xxx.xxx.193(25) Local 192.168.2.40(25)
PAT Global xxx.xxx.xxx.193(993) Local 192.168.2.40(993)
PAT Global xxx.xxx.xxx.193(995) Local 192.168.2.40(995)
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20849161
try to remove this:
access-list outside-ve_access_in extended deny ip object-group obj_net-spoof any
access-list outside-bbb_access_in extended deny ip object-group obj_net-spoof any
0
 
LVL 4

Author Comment

by:Brimba
ID: 20849570
OK, I will try that, but the obj_net-spoof was just there to block potential spoofed traffic from the outside that comes from these IPs:

 network-object host 0.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0

I will get back to you about how this works.
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20849636
yep, but your network is using 10.80.1.0 (from range 10.0.0.0/8)
and dmz 192.168.2.0/24 (from 192.168.0.0/16 range)
just for debug purposes switch them off
0
 
LVL 4

Author Comment

by:Brimba
ID: 20850561
No difference. The problem still occurs after the configuration change.
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20850620
I have to admit, I'm out of ideas already.
Please repeat what exactly happens:
your DMZ servers are unable to reach your LAN, but can communicate with the internet? Is it possible to reach services from the internet at this moment?
0
 
LVL 4

Author Comment

by:Brimba
ID: 20850931
If I change the hosts file on a machine in my LAN to point to the local address of a machine in the DMZ then it will work.

The thing that stops working is the traffic from outside to the DMZ. I attach a screenshot of a traffic graph of the DMZ interface that shows you pretty much what's happening.

So somehow it shuts off the connection from the outside to the DMZ, but the connection between the LAN and DMZ still continues to work. The connection from the DMZ to the outside also continues to work, along with the connection from LAN to outside.

So really the only problem is the connection from outside to DMZ (NAT/PAT).
ScreenShot023.jpg
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20851004
try to configure xlate timeouts:
"When a host or device tries to start a connection, the PIX Firewall checks the translation table if there is an entry for that particular IP. If there is no existing translation, a new translation slot is created. The default time that a translated IP is kept in the translation table is 3 hours. You can change this with the timeout xlate hh:mm:ss command"
0
 
LVL 4

Author Comment

by:Brimba
ID: 20851935
Do you mean to see if it will work longer with a longer timeout?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20852968
exactly!

0
 
LVL 4

Author Comment

by:Brimba
ID: 20854968
I configured the limit to 10 hours but still no difference.

When I look at the log files I can see that it works for about 4 hours after each restart. I attach a screenshot where you can see the scenario.

So is there any default timeout of 4 hours?
screenshot.jpg
0
 
LVL 4

Author Comment

by:Brimba
ID: 20868105
No new ideas?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20868293
Hi, unfortunately I must admit I have nothing to add here. Sorry.

But let's take a look at this problem from a different side. We have checked a number of options on the ASA.
Maybe we are searching in the wrong place. When you restart your ASA, all interfaces restart, so the ports of the switches the ASA is plugged into also restart. Possibly we should take a look there.
What type of equipment do you have between the LAN and the PIX and between the PIX and the DMZ?
0
 
LVL 4

Author Comment

by:Brimba
ID: 20868546
This same configuration has worked before with another firewall (Zyxel Zywall 35). But maybe the combination of the ASA and what we have in between does not work well together.

Between LAN and ASA we have HP switch 2626.
We currently have a temporary switch between the DMZ-servers and the ASA. But we have 3 interfaces on the ASA dedicated to the DMZ and that is enough for us for now.

I will try to connect the DMZ servers without using the switch.

If that doesn't help, I will try to get help from Cisco support and will post information here if I find out what the problem is.

Thanks for all the help!
0
 
LVL 21

Assisted Solution

by:from_exp
from_exp earned 1000 total points
ID: 20868705
good luck!
I will wait for update!
0
 
LVL 4

Accepted Solution

by:
Brimba earned 0 total points
ID: 21176289
I just wanted to summarize what we did exactly. While we were doing captures of ARP and ICMP traffic, we saw that the ASA was receiving ARP requests but didn't generate any ARP replies for the address that was statically NATed. Further checking of the configuration showed us the command 'sysopt noproxyarp outside-ve', which disables proxy ARP for global addresses. Proxy ARP is when a device responds to an ARP request with its own MAC address, even though the device does not own the IP address. The ASA uses proxy ARP when you configure NAT and specify a global address that is on the same network as the firewall interface. The only way traffic can reach the hosts is if the security appliance uses proxy ARP to claim that the security appliance MAC address is assigned to destination global addresses. So removing this command solved our issue.
0
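The condition described in the accepted solution can be checked offline against a saved configuration. The following is an added example, not part of the original thread: the function name `find_unreachable_statics` is hypothetical, the sample configuration is constructed with documentation addresses, and the parser assumes ASA 8.0-style `static (real_if,mapped_if)` lines (it also skips port-redirect statics that use the `interface` keyword, which goes slightly beyond the single case in the thread).

```python
import ipaddress
import re

# Constructed sample (ASA 8.0 syntax, documentation addresses); not the poster's config.
SAMPLE_CONFIG = """\
interface Vlan23
 nameif outside-ve
 ip address 203.0.113.191 255.255.255.0
!
interface Vlan3
 nameif dmz
 ip address 192.168.2.1 255.255.255.0
!
static (dmz,outside-ve) 203.0.113.192 192.168.2.10 netmask 255.255.255.255
static (dmz,outside-ve) tcp interface 8080 192.168.2.11 80 netmask 255.255.255.255
static (dmz,outside-ve) 198.51.100.7 192.168.2.12 netmask 255.255.255.255
sysopt noproxyarp outside-ve
"""

IP_RE = re.compile(r"ip address (\d\S*) (\d\S*)")
STATIC_RE = re.compile(r"static \((\S+?),(\S+?)\) (?:(?:tcp|udp) )?(\S+)")

def find_unreachable_statics(config):
    """Return (mapped_if, mapped_ip) statics that rely on proxy ARP where it is disabled."""
    ifaces, statics, noproxy, nameif = {}, [], set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # a new interface block starts
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif nameif and (m := IP_RE.match(line)):  # skips "ip address dhcp ..."
            ifaces[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif line.startswith("sysopt noproxyarp "):
            noproxy.add(line.split()[2])
        elif m := STATIC_RE.match(line):
            statics.append((m[2], m[3]))  # (mapped interface, mapped address)
    findings = []
    for mapped_if, mapped in statics:
        iface = ifaces.get(mapped_if)
        try:
            addr = ipaddress.ip_address(mapped)
        except ValueError:
            continue  # "interface" keyword or a name from the names table
        # Proxy ARP matters only for a same-subnet global address that is not the interface IP.
        if iface is not None and mapped_if in noproxy and addr in iface.network and addr != iface.ip:
            findings.append((mapped_if, mapped))
    return findings
```

Each pair returned is a static NAT global address that upstream devices can only reach if the ASA answers ARP for it, on an interface where `sysopt noproxyarp` prevents that.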
