TheGeeksCentralCA
asked on
Cisco ASA 5505 wont work with Comcast Internet
Need some help. New to the cisco world. i have a cisco ASA 5505 that i need to get it to work with comcast business class internet. currently the ASA works fine with AT&T T1. We are switching from T1 to Cable internet. Once i change the route, i can get out just fine as i am plugged directly into one of the lan ports on the ASA, but within my LAN itself, nothing can get out to the internet.
My Public IP is as follow: 173.165.149.145. My ISP gateway is 173.165.149.150.
My internal LAN is 192.168.0.X and my ASA address is 192.168.0.254.
I can ping any box inside my lan and from any box can ping the ASA device but when trying to get internet, nothing will go out.
Can someone take a peek at my config and tell me what am i missing and why no one internally can get out to the internet?
My Public IP is as follow: 173.165.149.145. My ISP gateway is 173.165.149.150.
My internal LAN is 192.168.0.X and my ASA address is 192.168.0.254.
I can ping any box inside my lan and from any box can ping the ASA device but when trying to get internet, nothing will go out.
Can someone take a peek at my config and tell me what am i missing and why no one internally can get out to the internet?
Saved
:
ASA Version 8.2(1)
!
hostname fbc-asa
domain-name
enable password x0iupYW4U/0.tEmn encrypted
passwd x0iupYW4U/0.tEmn encrypted
names
name 69.94.233.75 test
name 172.17.0.0 nat-subnet
name 192.168.0.220 test
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.165.149.145 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.0.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name
same-security-traffic permit intra-interface
object-group network bad_hosts
network-object host 216.6.175.119
pager lines 24
logging enable
logging buffer-size 10000
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool clients 10.10.10.1-10.10.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) 12.70.62.92 test netmask 255.255.255.255 dns tcp 0 255
static (inside,outside) 12.70.62.84 192.168.0.106 netmask 255.255.255.255 tcp 0 255
static (inside,outside) 12.70.62.86 192.168.0.31 netmask 255.255.255.255
static (inside,outside) 12.70.62.87 192.168.0.46 netmask 255.255.255.255 tcp 0 2555
static (inside,outside) 12.70.62.85 192.168.0.61 netmask 255.255.255.255 tcp 0 255
static (inside,outside) nat-subnet access-list inside_vpn_outbound_1
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.165.149.150 1
route inside 207.242.115.80 255.255.255.255 192.168.0.253 1
route inside 207.242.115.89 255.255.255.255 192.168.0.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 12.36.120.0 255.255.254.0 outside
http 12.104.128.0 255.255.255.0 outside
http 192.168.0.0 255.255.255.0 inside
snmp-server host outside 12.36.120.12 poll community zzzpublic
snmp-server host outside 12.36.120.178 poll community zzzpublic
snmp-server host outside 12.36.120.63 poll community zzzpublic
scrypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 12.36.120.3
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.10.0.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 172.16.0.50-172.16.0.79 dmz
dhcpd dns 12.36.120.5 12.24.45.150 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 204.123.2.72 source outside prefer
ntp server 164.67.62.194 source outside
tftp-server outside 12.36.120.22 \
!
class-map inspection_default
match default-inspection-traffic
class-map P2P
match port tcp eq www
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
policy-map type inspect http P2P_HTTP
parameters
match request uri regex _default_gator
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
policy-map P2P
class P2P
inspect http P2P_HTTP
!
service-policy global_policy global
service-policy P2P interface inside
prompt hostname context
Cryptochecksum:d62c828934608dc47d27c0977e9e453c
: end
asdm image disk0:/asdm-621.bin
asdm location 12.70.62.93 255.255.255.255 inside
asdm history enableASKER
yes, i can go out by directly connecting into one of the lan ports on the ASA itself. however, DNS doesnt resolve though, but that is another story.
Take off nat-control with no nat-control
ASKER
hmm.. i will have to try no nat-control to see if it works. because switching back to the T1 line works fine with the nat control feature still enabled. what would cause the same config to not work with the ISP? any idea?
To check the new ISP works, try inputting the provided static IPs into the laptop and hook it up to the modem. Does it work? If not, it is an ISP issue. If it works, it is definately the 5505.
Apparently I didn't skim your question enough :)
Though unless you intend to force all traffic through nat then you might want to turn it off.
As for your issue....
WIth the comcast connection setup paste the output from the following command:
packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 44444
Though unless you intend to force all traffic through nat then you might want to turn it off.
As for your issue....
WIth the comcast connection setup paste the output from the following command:
packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 44444
>access-group inside_access_in in interface inside
I don't see a matching access-list definition. Remove this entry.
I don't see a matching access-list definition. Remove this entry.
lrmoore, lets see the packet-tracer result before we remove access-groups, also no access-lists are listed in the output, probably didn't include them
static (inside,outside) 12.70.62.92 test netmask 255.255.255.255 dns tcp 0 255
static (inside,outside) 12.70.62.84 192.168.0.106 netmask 255.255.255.255 tcp 0 255
static (inside,outside) 12.70.62.86 192.168.0.31 netmask 255.255.255.255
static (inside,outside) 12.70.62.87 192.168.0.46 netmask 255.255.255.255 tcp 0 2555
static (inside,outside) 12.70.62.85 192.168.0.61 netmask 255.255.255.255 tcp 0 255
All of the statics look like they are assigned AT&T addresses, not Comcast. NONE of these inside hosts can get out until you change or remove the static NAT.
static (inside,outside) 12.70.62.84 192.168.0.106 netmask 255.255.255.255 tcp 0 255
static (inside,outside) 12.70.62.86 192.168.0.31 netmask 255.255.255.255
static (inside,outside) 12.70.62.87 192.168.0.46 netmask 255.255.255.255 tcp 0 2555
static (inside,outside) 12.70.62.85 192.168.0.61 netmask 255.255.255.255 tcp 0 255
All of the statics look like they are assigned AT&T addresses, not Comcast. NONE of these inside hosts can get out until you change or remove the static NAT.
ASKER
Its definately the ASA because if i use my laptop and hard code the IP with one of the comcast ip's, it works fine. As for the static nats, yes, they are still AT&T for now because i havent changed them yet. i will change them once i confirm and find a resolution to the actual issue first as the hosts that you see on the static nat's are not as critical to get out anyways. The matching access-list definitions do exist, i just removed them because i felt that they wouldnt have had anything to do with the actual cause.
thanks for all your help and input so far, unfortunately, i wont be able to do anything until Sunday as i wont be able to bring down the current pipe as it is mission critical.
thanks for all your help and input so far, unfortunately, i wont be able to do anything until Sunday as i wont be able to bring down the current pipe as it is mission critical.
ASKER
well, it seems that the suggestions didnt work either. i still cant get out. i tried the no nat-control and still same thing. if i hard code a public DNS server, my laptop can get out. i can ping my DNS server but DNS doesnt seem to resolve.
PLEASE HELP!!!
PLEASE HELP!!!
Can you run the packet tracer I asked about?
packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 44444
Then paste the output in here.
packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 44444
Then paste the output in here.
ASKER
donmanrobb,
here are the packet tracer results.
fbc-asa# packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 444
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
here are the packet tracer results.
fbc-asa# packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 444
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Hmm something is up with the access-lists
paste the output for
show run access-list inside_access_in
show run access-list outside_access_in
paste the output for
show run access-list inside_access_in
show run access-list outside_access_in
ASKER
Here the are the results for the access list.
fbc-asa# show run access-list inside_access_in
access-list inside_access_in extended permit tcp any host falcons_mx eq smtp
access-list inside_access_in extended permit tcp host FG-Main any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
fbc-asa# show run access-list outside_access_in
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre 216.101.236.0 255.255.255.0 ho
st 12.70.62.82
access-list outside_access_in extended permit tcp any host 12.70.62.85 eq 3389
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq 4125
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq smtp
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq https
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq 3389
access-list outside_access_in extended permit tcp any host 12.70.62.84 eq 3389
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq www
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq 589
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq imap4
access-list outside_access_in extended permit tcp any host 12.70.62.86 range 200
00 20010
access-list outside_access_in extended permit udp any host 12.70.62.86 range 200
00 20010
access-list outside_access_in extended permit ip 12.36.120.0 255.255.255.0 host
12.70.62.85
access-list outside_access_in extended permit tcp any host 12.70.62.94 eq 161
access-list outside_access_in extended permit udp any host 12.70.62.94 eq snmp l
og
access-list outside_access_in extended permit ip any any
fbc-asa# show run access-list inside_access_in
access-list inside_access_in extended permit tcp any host falcons_mx eq smtp
access-list inside_access_in extended permit tcp host FG-Main any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
fbc-asa# show run access-list outside_access_in
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre 216.101.236.0 255.255.255.0 ho
st 12.70.62.82
access-list outside_access_in extended permit tcp any host 12.70.62.85 eq 3389
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq 4125
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq smtp
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq https
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq 3389
access-list outside_access_in extended permit tcp any host 12.70.62.84 eq 3389
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq www
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq 589
access-list outside_access_in extended permit tcp any host 12.70.62.92 eq imap4
access-list outside_access_in extended permit tcp any host 12.70.62.86 range 200
00 20010
access-list outside_access_in extended permit udp any host 12.70.62.86 range 200
00 20010
access-list outside_access_in extended permit ip 12.36.120.0 255.255.255.0 host
12.70.62.85
access-list outside_access_in extended permit tcp any host 12.70.62.94 eq 161
access-list outside_access_in extended permit udp any host 12.70.62.94 eq snmp l
og
access-list outside_access_in extended permit ip any any
Before we get too deep into this, if you haven't save the comcast config with wr
and reboot the asa with reload. Might as well clear out any arp/nat entries etc.
and reboot the asa with reload. Might as well clear out any arp/nat entries etc.
ASKER
let me do that right now...
ASKER
ok. arp has been cleared and ASA rebooted with the new config.
Ok now we'll remake the NAT global interface.
no nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Once thats done, run that packet-tracer again if its not working.
no nat (inside) 1 0.0.0.0 0.0.0.0
no global (outside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Once thats done, run that packet-tracer again if its not working.
ASKER
here are the results after remaking the NAT global interface and running the packet tracer.
fbc-asa(config)# no nat (inside) 1 0.0.0.0 0.0.0.0
fbc-asa(config)# no global (outside) 1 interface
fbc-asa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
fbc-asa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
fbc-asa(config)# packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 44$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
fbc-asa(config)# no nat (inside) 1 0.0.0.0 0.0.0.0
fbc-asa(config)# no global (outside) 1 interface
fbc-asa(config)# global (outside) 1 interface
INFO: outside interface address added to PAT pool
fbc-asa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
fbc-asa(config)# packet-tracer input inside tcp 192.168.0.254 44444 4.2.2.2 44$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Post the output for
packet-tracer input inside tcp 192.168.0.100 44444 4.2.2.2 44444
packet-tracer input inside tcp 192.168.0.100 44444 4.2.2.2 44444
ASKER
heres the results.
fbc-asa(config)# packet-tracer input inside tcp 192.168.0.100 44444 4.2.2.2 44$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) nat-subnet access-list inside_vpn_outbound_1
match ip inside 192.168.0.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
static translation to nat-subnet
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (173.165.149.145 [Interface PAT])
translate_hits = 295, untranslate_hits = 6
Additional Information:
Dynamic translate 192.168.0.100/44444 to 173.165.149.145/60188 using netmask 255
.255.255.255
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4075, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
fbc-asa(config)#
fbc-asa(config)# packet-tracer input inside tcp 192.168.0.100 44444 4.2.2.2 44$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) nat-subnet access-list inside_vpn_outbound_1
match ip inside 192.168.0.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
static translation to nat-subnet
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (173.165.149.145 [Interface PAT])
translate_hits = 295, untranslate_hits = 6
Additional Information:
Dynamic translate 192.168.0.100/44444 to 173.165.149.145/60188 using netmask 255
.255.255.255
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4075, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
fbc-asa(config)#
Looks good, is your lan still not able to connect?
ASKER
no, my lan can connect to the outside only if i hard code a public dns server to each machine. but if i leave it default, it will not resolve DNS properly from my DHCP/DNS server. i can ping the server just fine, but DNS resolution does not take. Wierd thing is, the server itself can not see ping outside to any IP outisde the the lan as well but can see everything inside. my server's ip is 192.168.0.220
Do a trace for
packet-tracer input inside tcp 192.168.0.220 44444 4.2.2.2 53
packet-tracer input inside tcp 192.168.0.220 44444 4.2.2.2 53
ASKER
heres the results to the server.
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 12.70.62.92 FG-Main netmask 255.255.255.255 dns tcp 0 25
5
match ip inside host FG-Main outside any
static translation to 12.70.62.92
translate_hits = 3090, untranslate_hits = 1
Additional Information:
Static translate FG-Main/0 to 12.70.62.92/0 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 12.70.62.92 FG-Main netmask 255.255.255.255 dns tcp 0 25
5
match ip inside host FG-Main outside any
static translation to 12.70.62.92
translate_hits = 3094, untranslate_hits = 1
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4930, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
fbc-asa(config)#
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) 12.70.62.92 FG-Main netmask 255.255.255.255 dns tcp 0 25
5
match ip inside host FG-Main outside any
static translation to 12.70.62.92
translate_hits = 3090, untranslate_hits = 1
Additional Information:
Static translate FG-Main/0 to 12.70.62.92/0 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) 12.70.62.92 FG-Main netmask 255.255.255.255 dns tcp 0 25
5
match ip inside host FG-Main outside any
static translation to 12.70.62.92
translate_hits = 3094, untranslate_hits = 1
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4930, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
fbc-asa(config)#
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Specifiically this rule
static (inside,outside) 12.70.62.92 test netmask 255.255.255.255 dns tcp 0 255
static (inside,outside) 12.70.62.92 test netmask 255.255.255.255 dns tcp 0 255
So i will say the problem is most likely somewhere else, have you checked the LAN sw?
sincerely