Cisco ASA 5505 Version 8.3(1)

Hi Experts!

I have an ASA that is working like a charm with all of its NAT rules in place; however, all clients that are behind the ASA are unable to browse the internet, with the exception of the server with its NAT rules.

This new method of NATting has me perplexed, to say the least :)


Thanks a bunch

: Saved
ASA Version 8.3(1) 
hostname HATCH-ASA
domain-name xxxxxxxxxxxx
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DSL
 ip address pppoe setroute 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name thehatchgroup.local
object network obj_any 
object network OWA 
object network inside-network 
object network Hatch-One-Email 
object network Hatch-One-OWA 
object network Hatch-One-RDP 
object network Hatch-One-Web 
object network OWA-6001 
object network OWA-6002 
object network OWA-6003 
object network OWA-6004 
object network OWA-HTTPS 
object network Hatch-PPTP 
object network Hatch-One-HTTPS 
object-group service DM_INLINE_TCP_4 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq 3389
object-group service DM_INLINE_TCP_5 tcp
 port-object eq https
 port-object eq smtp
 port-object eq 3389
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 3389
 port-object eq ftp
object-group service DM_INLINE_TCP_7 tcp
 port-object eq 3101
 port-object eq 3389
object-group service DM_INLINE_UDP_2 udp
 port-object eq snmp
 port-object eq snmptrap
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service tcp_data tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service tcp_udp_data tcp-udp
 port-object eq www
object-group service tcp_ica tcp
 port-object eq 2598
 port-object eq citrix-ica
access-list global_access extended permit ip any any 
access-list global_access extended permit icmp any any 
access-list global_access extended permit tcp any host range 6001 6004 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit udp any any object-group DM_INLINE_UDP_2 
access-list acl_in_out extended permit tcp any any eq www 
access-list acl_in_out extended permit tcp any any eq https 
access-list acl_in_out extended permit tcp any any eq domain 
access-list acl_in_out extended permit tcp any any eq smtp 
access-list outside_access_in_1 extended permit ip any any 
access-list inbound extended permit icmp any any 
access-list inbound extended permit tcp any host eq www 
access-list inbound extended permit tcp any host eq smtp 
access-list inbound extended permit tcp any host eq https 
access-list inbound extended permit tcp any host eq pptp 
access-list inbound extended permit tcp any host eq 3389 
access-list inbound extended permit ip any any 
pager lines 24
logging enable
logging monitor informational
logging asdm informational
logging mail informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
 nat (inside,outside) dynamic interface
object network Hatch-One-Email
 nat (inside,outside) static interface service tcp smtp smtp 
object network Hatch-One-RDP
 nat (inside,outside) static interface service tcp 3389 3389 
object network Hatch-One-Web
 nat (inside,outside) static interface service tcp www www 
object network OWA-6001
 nat (inside,outside) static interface service tcp 6001 6001 
object network OWA-6002
 nat (inside,outside) static interface service tcp 6002 6002 
object network OWA-6003
 nat (inside,outside) static interface service tcp 6003 6003 
object network OWA-6004
 nat (inside,outside) static interface service tcp 6004 6004 
object network Hatch-PPTP
 nat (inside,outside) static interface service tcp pptp pptp 
object network Hatch-One-HTTPS
 nat (inside,outside) static interface service tcp https https 
access-group inside_access_in in interface inside
access-group inbound in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname
vpdn group DSL ppp authentication pap
vpdn username password ***** store-local
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username xxxxxx password xxxxxxxxxxxx encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
service-policy global_policy global
prompt hostname context 
hpm topN enable
: end

lrmoore Commented:
This "should" allow it

object network obj_any
 nat (inside,outside) dynamic interface

I'm trying to get a copy of a working config... back shortly
Enable icmp inspect so you can try to ping the dns servers from an inside host

policy-map global_policy
 class inspection_default
  inspect icmp

johnkesoglou (Author) Commented:
Hi lrmoore

Thanks for responding to my question.

I added the global commands and see no change. From the server located at I am able to browse the internet; however, all of the other clients that are behind this ASA are unable to get out. (Sorry if this sounds like I am repeating myself.)

johnkesoglou (Author) Commented:
I did a show version for your viewing pleasure :)

Is this correct? A limit of 10 hosts?
HATCH-ASA# show ver

Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

HATCH-ASA up 2 days 12 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
 0: Int: Internal-Data0/0    : address is e05f.b948.3609, irq 11
 1: Ext: Ethernet0/0         : address is e05f.b948.3601, irq 255
 2: Ext: Ethernet0/1         : address is e05f.b948.3602, irq 255
 3: Ext: Ethernet0/2         : address is e05f.b948.3603, irq 255
 4: Ext: Ethernet0/3         : address is e05f.b948.3604, irq 255
 5: Ext: Ethernet0/4         : address is e05f.b948.3605, irq 255
 6: Ext: Ethernet0/5         : address is e05f.b948.3606, irq 255
 7: Ext: Ethernet0/6         : address is e05f.b948.3607, irq 255
 8: Ext: Ethernet0/7         : address is e05f.b948.3608, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 3              DMZ Restricted
Dual ISPs                      : Disabled       perpetual
VLAN Trunk Ports               : 0              perpetual
Inside Hosts                   : 10             perpetual
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 10             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1452Z018
Running Permanent Activation Key: 0x3103cc7a 0x205b8342 0x5443a580 0x9ae8c4b8 0x
Configuration register is 0x1
Configuration last modified by enable_15 at 09:05:44.275 PST Mon Feb 14 2011

One other thing that you must keep in mind is that the ASA tracks inside MAC addresses and once that number exceeds 10 you will begin to see dropped traffic and messages in the event log that say the maximum number of user licenses has been exceeded. This is because your license only allows for 10 inside hosts as is shown in the sh ver output.

If the license is being exceeded you will need to purchase a license upgrade. The unlimited inside hosts license isn't too bad; it's about $300 USD.

You should be aware of this as well as it can lead to dropped traffic and other initially inexplicable errors, especially if you have virtualized servers or workstations using VMware or an equivalent.
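To make the "dropped traffic and messages in the event log" above something you can actually watch for, here is an added example (not code from the thread or from Cisco) that scans ASA syslog for the license-ceiling denial and reports which inside hosts are being refused. The log lines are constructed; the message layout follows the ASA syslog reference entry for %ASA-4-450001 ("licensed host limit of N exceeded") as I remember it, so treat the exact wording as an assumption and compare it against a real line from your own `logging` output before relying on the pattern.

```python
"""Detect ASA 5505 inside-host license denials in syslog text.

Added example, not from the original thread. SAMPLE_LOG is constructed;
the %ASA-4-450001 message format is an assumption taken from memory of
the Cisco syslog reference, so verify it against a real log line.
"""
import re
from collections import Counter
from typing import Optional, Tuple

LICENSE_RE = re.compile(
    r"%ASA-4-450001: Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?, "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)

# Constructed sample: one normal connection build, three license denials
# from two hosts that were beyond the 10-host ceiling, and one teardown.
SAMPLE_LOG = """\
Feb 14 2011 09:10:01 HATCH-ASA %ASA-6-302013: Built outbound TCP connection 4101 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:192.168.15.10/49812 (203.0.113.10/49812)
Feb 14 2011 09:10:05 HATCH-ASA %ASA-4-450001: Deny traffic for protocol 6 src inside:192.168.15.51/50123 dst outside:93.184.216.34/80, licensed host limit of 10 exceeded
Feb 14 2011 09:10:06 HATCH-ASA %ASA-4-450001: Deny traffic for protocol 6 src inside:192.168.15.51/50124 dst outside:93.184.216.34/443, licensed host limit of 10 exceeded
Feb 14 2011 09:10:09 HATCH-ASA %ASA-4-450001: Deny traffic for protocol 17 src inside:192.168.15.73/61002 dst outside:8.8.8.8/53, licensed host limit of 10 exceeded
Feb 14 2011 09:10:30 HATCH-ASA %ASA-6-302014: Teardown TCP connection 4101 for outside:93.184.216.34/80 to inside:192.168.15.10/49812 duration 0:00:29 bytes 5120 TCP FINs
"""


def license_denials(log_text: str) -> Tuple[Optional[int], Counter]:
    """Return (licensed limit seen in the log, Counter of denied flows per inside host)."""
    hosts: Counter = Counter()
    limit = None
    for line in log_text.splitlines():
        m = LICENSE_RE.search(line)
        if not m:
            continue  # any other message id is not a license problem
        hosts[m["src"]] += 1
        limit = int(m["limit"])
    return limit, hosts


def over_limit_report(log_text: str) -> Optional[dict]:
    """Summarise denials, or None when the log shows no license-ceiling drops at all."""
    limit, hosts = license_denials(log_text)
    if not hosts:
        return None
    return {
        "limit": limit,
        "denied_hosts": sorted(hosts),
        "denied_flows": sum(hosts.values()),
    }


if __name__ == "__main__":
    print(over_limit_report(SAMPLE_LOG))
```

The hosts that appear in these denials are the ones that arrived after the ceiling was reached, not the whole inside population, so a host missing from the report may still be consuming one of the licensed slots; `show version | include Inside` confirms the ceiling itself, as the earlier output on this page already does.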

lrmoore Commented:
object network NETWORK_OBJ_192.168.15.0

nat (inside,outside) after-auto source dynamic NETWORK_OBJ_192.168.15.0 interface

This is from working ASA 8.3
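The two suggestions in this thread (the `obj_any` object NAT above, and this manual after-auto PAT) both work by putting a dynamic rule somewhere the ASA 8.3 NAT table will reach for a client's outbound packet, while the server's port-specific static PATs never claim that packet. The following added example (my own code, not from the thread or from Cisco) models the 8.3 table order, section 1 manual NAT, section 2 object NAT with statics before dynamics and the rule covering fewer real addresses first, section 3 manual after-auto NAT, and walks the thread's rules through it. Addresses are constructed: inside 192.168.15.0/24, server 192.168.15.10, client 192.168.15.50, and 203.0.113.10 standing in for whatever PPPoE assigned to Vlan2.

```python
"""Model of ASA 8.3 NAT-table lookup for an inside -> outside flow.

Added example, not from the original thread. Addresses are constructed:
inside subnet 192.168.15.0/24, server 192.168.15.10, client 192.168.15.50,
PPPoE-assigned outside address 203.0.113.10.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IP = "203.0.113.10"  # assumption: the address PPPoE handed to Vlan2


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                 # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual after-auto
    real: Optional[str]          # object's host/subnet; None models an object with no address line
    kind: str                    # "static" or "dynamic"
    proto: Optional[str] = None  # set for "static interface service tcp X X" rules
    real_port: Optional[int] = None

    @property
    def real_net(self) -> Optional[ipaddress.IPv4Network]:
        return ipaddress.ip_network(self.real) if self.real else None


def _table_order(rule: NatRule):
    # Section number first; inside section 2 statics precede dynamics, then the rule
    # covering fewer real addresses wins, then object name (the IP-number tiebreak is omitted).
    kind_rank = 0 if rule.kind == "static" else 1
    size = rule.real_net.num_addresses if rule.real_net else 0
    return (rule.section, kind_rank, size, rule.name)


def matches(rule: NatRule, src_ip: str, proto: str, src_port: int) -> bool:
    net = rule.real_net
    if net is None or ipaddress.ip_address(src_ip) not in net:
        return False  # an object with no host/subnet line can never claim a packet
    if rule.real_port is None:
        return True
    # A port-specific static PAT only claims outbound packets whose *source* port is the
    # published real port (the server answering); a browser's ephemeral port falls through.
    return rule.proto == proto and rule.real_port == src_port


def translate(rules: List[NatRule], src_ip: str, proto: str, src_port: int) -> Optional[Tuple[str, str]]:
    """First rule in table order that matches, as (rule name, mapped source address), else None."""
    for rule in sorted(rules, key=_table_order):
        if matches(rule, src_ip, proto, src_port):
            return rule.name, OUTSIDE_IP
    return None


# The thread's object NAT rules (section 2) with constructed addresses filled in.
POSTED = [
    NatRule("Hatch-One-Email", 2, "192.168.15.10/32", "static", "tcp", 25),
    NatRule("Hatch-One-Web",   2, "192.168.15.10/32", "static", "tcp", 80),
    NatRule("Hatch-One-HTTPS", 2, "192.168.15.10/32", "static", "tcp", 443),
    NatRule("obj_any",         2, "0.0.0.0/0",        "dynamic"),
]
# Same table, but obj_any was never given a subnet line.
NO_SUBNET = POSTED[:-1] + [NatRule("obj_any", 2, None, "dynamic")]
# The alternative from this answer: a manual after-auto PAT (section 3) for the inside subnet.
AFTER_AUTO = POSTED[:-1] + [NatRule("NETWORK_OBJ_192.168.15.0", 3, "192.168.15.0/24", "dynamic")]


def walkthrough() -> dict:
    """Which rule each flow lands on; the client only gets PAT when a dynamic rule covers it."""
    return {
        "server_smtp_reply": translate(POSTED, "192.168.15.10", "tcp", 25),
        "server_browsing":   translate(POSTED, "192.168.15.10", "tcp", 51000),
        "client_browsing":   translate(POSTED, "192.168.15.50", "tcp", 51000),
        "client_no_subnet":  translate(NO_SUBNET, "192.168.15.50", "tcp", 51000),
        "client_after_auto": translate(AFTER_AUTO, "192.168.15.50", "tcp", 51000),
    }


if __name__ == "__main__":
    for flow, result in walkthrough().items():
        print(f"{flow:18s} -> {result}")
```

The `client_no_subnet` case is the one worth noticing: an `obj_any` with no `subnet` line matches nothing, 8.3 has no NAT control, so the client's packet leaves untranslated with a private source and never comes back, while the server's static PATs keep working. That is one configuration consistent with the symptom described in the question, not a diagnosis of the scrubbed config. The `real_net` check is what to compare against `show run object` and `show nat` on the box. One security-relevant aside grounded in the posted config: `access-list inbound` ends in `permit ip any any`, so every static PAT in this table is reachable from the internet the moment the translation exists; tightening that ACL to the published ports is worth doing once browsing works.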

johnkesoglou (Author) Commented:
Thanks guys, I'll give this a shot!

Also, I have never run into an ASA with restricted DHCP licensing on the inside.

Hasn't it always been on the number of SSL, site-to-site VPNs, and client VPNs?

That is the case on all ASA platforms, except on the 5505 you also have an inside user license to watch out for. All ASAs other than the 5505 are unlimited inside, and of course you can buy the unlimited 5505 license.

lrmoore Commented:
Yes, the 5505 is different. Your license only gives you 10 inside hosts.
This is from your show version posted earlier:

Inside Hosts                   : 10             perpetual

johnkesoglou (Author) Commented:
lrmoore, puggle

Thank you for your responses; much appreciated.

If I get a 5510, will I still run into the same DHCP issue, or is the device unlimited?

Thanks again
Pugglewuggle Commented:
It's not DHCP related; the firewall actually 'counts' the number of computers and blocks traffic once the limit is exceeded. It is correct that a 5510 will not have this problem.

johnkesoglou (Author) Commented:
Thank you for the prompt responses.
Question has a verified solution.
