Cisco ASA Internal routing issues

Hello,

I am having some issues with routing i think.  Everything seems to be working fine and all of a sudden my connection drops and i cant hit the internet.  After awhile the connection reconnects and i am back online after looking on the asa i see the below message.  I have the ASA hading out two DNS servers my internal server 192.168.1.5 and itself 192.168.1.1  Please let me know if anything looks wrong or where to look.

Make sure that a DNS server is configured and reachable by the adaptive security appliance. If the problem persists, contact the Cisco TAC.

Thanks,
Brandon
Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq 587 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0 
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0 
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0 
access-list outside_in extended permit icmp any any 
access-list outside_in extended permit tcp any any 
pager lines 24
logging enable
logging trap errors
logging asdm informational
logging host inside 192.168.1.5 format emblem
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
ip local pool SSL_Pool 172.16.253.1-172.16.253.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 
static (inside,outside) 192.168.1.5 176.0.0.0 netmask 255.255.255.255 
static (inside,inside) 192.168.1.5 176.0.0.0 netmask 255.255.255.255 
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsIAS protocol radius
aaa-server WindowsIAS (inside) host 192.168.1.8
 key *****
 radius-common-pw *****
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 176.0.0.0 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.1 192.168.1.5
dhcpd domain INKBAL.COM
dhcpd auto_config outside
dhcpd update dns both override 
!
dhcpd address 192.168.1.6-192.168.1.35 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port 8443
 enable outside
 dtls port 8443
 csd image disk0:/securedesktop_asa_3_2_1_103.pkg.zip
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask enable
group-policy SSL-Users internal
group-policy SSL-Users attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Webmail
  svc ask enable
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 dns-server value 192.168.1.5
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
 split-dns value DOMAIN.COM 
username test password xxxxxxxxxxxxxxxxx encrypted privilege 0
username test attributes
 vpn-group-policy SSL_Policy
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSL_Pool
 default-group-policy SSL-Users
tunnel-group SSLVPN webvpn-attributes
 group-alias Anyconnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3049b4c5d535ebe072c0feb6f6481ce3
: end

Open in new window

balintonAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
>out two DNS servers my internal server 192.168.1.5 and itself 192.168.1.1  
Do NOT hand out the ASA itself as a DNS server. It should be your internal DNS sever only.

balintonAuthor Commented:
Hmmm...  Didn't think about they as an issue thought that for redundancy I could use the Asa invade my dns server went down guess I need to stand up a second dns server
Pro4iaCommented:
if you don't have a secondary internal DNS server you can do one of the following -

1. just use the primary internal dns server
2. setup a secondary internal dns server and use that as the secondary dns server
3. use an external public dns server as secondary dns server - such as 4.2.2.2
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

gavvingCommented:
Also when you loose connectivity have you confirmed that the ASA is still accessible?  Can you ping the upstream IP from the ASA?  Can you login into the DSL modem at the time the event happens and confirm that the DSL is still connected?
balintonAuthor Commented:
ok so i have been traveling and have not had a chance to get back to this thread...  I made the changes and am using a external DNS server and Internet browsing seems to be better but connections still drop and it seems to be coming from the asa my modem has perfect connection and does not drop on its own.  I thought it could of been the DHCP lease time because it was so short but that didnt do it either.  Does anyone have any suggestions this is killing me.  Latest running config is below
Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq 587 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0 
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0 
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0 
access-list outside_in extended permit icmp any any 
access-list outside_in extended permit tcp any any 
pager lines 24
logging enable
logging trap errors
logging asdm informational
logging host inside 192.168.1.5 format emblem
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
ip local pool SSL_Pool 172.16.253.1-172.16.253.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 
static (inside,outside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255 
static (inside,inside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255 
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsIAS protocol radius
aaa-server WindowsIAS (inside) host 192.168.1.8
 key *****
 radius-common-pw *****
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.5 64.129.67.101
dhcpd lease 604800
dhcpd domain DOMAIN.COM
dhcpd auto_config outside
dhcpd update dns both 
!
dhcpd address 192.168.1.6-192.168.1.35 inside
dhcpd dns 192.168.1.5 64.129.67.101 interface inside
dhcpd lease 604800 interface inside
dhcpd domain DOMAIN.COM interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port 8443
 enable outside
 dtls port 8443
 csd image disk0:/securedesktop_asa_3_2_1_103.pkg.zip
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask enable
group-policy SSL-Users internal
group-policy SSL-Users attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Webmail
  svc ask enable
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 dns-server value 192.168.1.5
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
 split-dns value INKBAL.COM 
username user password xxxxxxxxxxxxx encrypted privilege 0
username user attributes
 vpn-group-policy SSL_Policy
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSL_Pool
 default-group-policy SSL-Users
tunnel-group SSLVPN webvpn-attributes
 group-alias Anyconnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:adfs;ldkfjas;dlkfasdfasdfS
: end

Open in new window

lrmooreCommented:
You need to remove these lines....

static (inside,outside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
static (inside,inside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255

lrmooreCommented:
Probably not part of the problem, but you can also remove these entries

dhcpd auto_config outside interface inside
dhcpd update dns both interface inside

balintonAuthor Commented:
Thanks irmoore how would i remove these entries using the cli?  i hate the gui its more confusing then anything...

Also what do these lines do?

0.0.0.0 = My outside interface

static (inside,outside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
static (inside,inside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
lrmooreCommented:
These create static 1-1 NAT from outside interface IP to the 1 host inside, and you also have static port translations to the same inside host....

Simple from the CLI:

asa(config)#no static (inside,outside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
asa(config)#no static (inside,inside) 192.168.1.5 0.0.0.0 netmask 255.255.255.255
asa(config)#clear xlate
asa(config)#no dhcpd auto_config outside interface inside
asa(config)#no dhcpd update dns both interface inside

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
balintonAuthor Commented:
Thank you irmoore i just added that change and the below is the latest running code.  Also not sure if these changes will fix this or not but i have the asa handing out DHCP and my server has a static ip of 192.168.1.5  when i reboot the server it gets an ip conflict but this address is outside of the pool so no one should get this address do you see anything that could cause that?

Again thank you for your genius...
Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq 587 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0 
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0 
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0 
access-list outside_in extended permit icmp any any 
access-list outside_in extended permit tcp any any 
pager lines 24
logging enable
logging trap errors
logging asdm informational
logging host inside 192.168.1.5 format emblem
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
ip local pool SSL_Pool 172.16.253.1-172.16.253.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.1.5 www netmask 255.255.255.255 
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server WindowsIAS protocol radius
aaa-server WindowsIAS (inside) host 192.168.1.8
 key *****
 radius-common-pw *****
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http x.x.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.5 64.129.67.101
dhcpd lease 604800
dhcpd domain DOMAIN.COM
dhcpd auto_config outside
dhcpd update dns both 
!
dhcpd address 192.168.1.6-192.168.1.35 inside
dhcpd dns 192.168.1.5 64.129.67.101 interface inside
dhcpd lease 604800 interface inside
dhcpd domain DOMAIN.COM interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 port 8443
 enable outside
 dtls port 8443
 csd image disk0:/securedesktop_asa_3_2_1_103.pkg.zip
 svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy SSL_Policy internal
group-policy SSL_Policy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  svc ask enable
group-policy SSL-Users internal
group-policy SSL-Users attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value Webmail
  svc ask enable
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 dns-server value 192.168.1.5
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
 split-dns value DOMAIN.COM 
username user password XXXXXXXXXX encrypted privilege 0
username user attributes
 vpn-group-policy SSL_Policy
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool SSL_Pool
 default-group-policy SSL-Users
tunnel-group SSLVPN webvpn-attributes
 group-alias Anyconnect enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0c11ecf9f3439928481e4b3adcb25da5
: end

Open in new window

lrmooreCommented:
This looks much better.
I don't see anything that would cause an IP address conflict with the server.
Clear the arp cache on the ASA. It will proxy the .5 because of the static nats that you had.
asa# clear arp
balintonAuthor Commented:
Thank you irmoore i will mark this complete and monitor to see if this continues to happen and will open a new question if needed.

Thanks,
Brandon
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.