Cisco ASA 5505 blocks internet access after outside interface ip address change

Hello Experts,
I'm a complete noob with cisco asa, and really need some direction with this.

Here's the situation, our ASA 5505 device is up and working perfectly. The problem is we are changing isp's and as a result have a new public ip address that needs to be assigned to the outside interface of the ASA device.

So I applied these commands to the device, first, I changed the ip address with
config term
interface vlan 2
no ip address 206.xxx.xxx.94
ip address 217.xxx.xxx.98

Then, i changed the default route to the new gateway with
config term
no route outside 0.0.0.0 0.0.0.0 206.xxx.xxx.65
route outside 0.0.0.0 0.0.0.0 217.xxx.xxx.97 1

after I do this, I am able to ping to an outside domain such as, ping yahoo.com works.
however I am unable to browse to any website via any browser.

I pasted a copy of the running config as it is before I run the above commands.

any ideas?

Thank You
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name ciscoasa.mexipass.com
enable password WTOUlJHZbjUN1QWQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.100.200 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.xxx.xxx.94 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.100.222.1 255.255.255.0 
              
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
              
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 10.100.100.4
 domain-name ciscoasa.mexipass.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service IMAPS tcp-udp
 description IMAPS
 port-object eq 993
object-group network neospire_local
 network-object 10.100.100.0 255.255.255.0
 network-object 10.100.222.0 255.255.255.0
object-group network neospire_remote
 network-object 10.2.63.0 255.255.255.0
 network-object 10.2.193.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any any eq www 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended permit tcp any 10.100.100.0 255.255.255.0 eq imap4 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq pop3 inactive 
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq https inactive 
access-list outside_access_in extended permit object-group TCPUDP any any object-group IMAPS 
access-list outside_access_in extended permit tcp any any eq pop3 
access-list outside_access_in extended permit tcp any any eq imap4 
access-list outside_access_in extended permit tcp any 10.100.222.0 255.255.255.0 eq ftp 
access-list outside_access_in extended permit udp any any eq isakmp 
access-list outside_access_in extended permit esp any any 
access-list outside_access_in extended permit udp any any 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list nat0_inside extended permit ip 10.100.100.0 255.255.255.0 10.100.222.0 255.255.255.0 
access-list nat0_inside extended permit ip any 10.100.100.64 255.255.255.192 
access-list nat0_inside extended permit ip object-group neospire_local object-group neospire_remote 
access-list nat0_dmz extended permit ip 10.100.222.0 255.255.255.0 10.100.100.0 255.255.255.0 
access-list nat0_dmz extended permit ip object-group neospire_local object-group neospire_remote 
access-list dmz_access_rule extended permit icmp any any echo-reply 
access-list dmz_access_in extended permit tcp any any eq ftp 
access-list dmz_access_in extended permit tcp any any 
access-list dmz_access_in extended permit tcp any any eq https 
access-list dmz_access_in extended permit object-group TCPUDP any any eq www 
access-list dmz_access_in extended permit icmp any any 
access-list vpn1 extended permit udp any any eq isakmp 
access-list vpn2 extended permit esp any any 
access-list vpn_neospire extended permit ip object-group neospire_local object-group neospire_remote 
pager lines 24
              
logging enable
logging asdm-buffer-size 200
logging buffered errors
logging asdm errors
logging from-address ciscoasa@mexipass.com
logging recipient-address richard@mexipass.com level errors
logging ftp-server 66.111.106.63 /home/richard/ciscologs root ****
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool mexipass_pool 10.100.100.90-10.100.100.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nat0_dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 206.xxx.xxx.81 10.100.222.81 netmask 255.255.255.255 
static (dmz,outside) 206.xxx.xxx.82 10.100.222.82 netmask 255.255.255.255 
              
static (dmz,outside) 206.xxx.xxx.91 10.100.222.91 netmask 255.255.255.255 
static (inside,outside) 206.xxx.xxx.69 10.100.100.10 netmask 255.255.255.255 
static (inside,outside) 206.xxx.xxx.66 10.100.100.4 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.xxx.xxx.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address vpn_neospire
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 66.111.107.48 
crypto map outside_map 10 set transform-set ESP-AES-SHA            
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000 
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh timeout 5
console timeout 0
              
dhcpd dns 10.100.100.4
!
dhcpd address 10.100.100.201-10.100.100.254 inside
dhcpd dns 10.100.100.4 interface inside
dhcpd enable inside
!

webvpn
 enable outside
group-policy Mexipass_Group internal
group-policy Mexipass_Group attributes
 vpn-tunnel-protocol IPSec 
username jorge password gxWf9RqWIffbByL8 encrypted privilege 0
username jorge attributes
 vpn-group-policy Mexipass_Group
username joseantonio password X.9By.IWKAKsCmfy encrypted privilege 0
username joseantonio attributes
 vpn-group-policy Mexipass_Group
username regina password w7WLAV517wOx7efr encrypted
username regina attributes
 vpn-group-policy Mexipass_Group
username richard password wBxSHv5oN3AiG2Vg encrypted privilege 0
username richard attributes
 vpn-group-policy Mexipass_Group
              
username alfredo password Iy53pi8FVlL0cdFp encrypted privilege 0
username alfredo attributes
 vpn-group-policy Mexipass_Group
tunnel-group Mexipass_Group type ipsec-ra
tunnel-group Mexipass_Group general-attributes
 address-pool mexipass_pool
 default-group-policy Mexipass_Group
tunnel-group Mexipass_Group ipsec-attributes
 pre-shared-key *
tunnel-group 66.111.107.48 type ipsec-l2l
tunnel-group 66.111.107.48 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
              
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 10.100.100.4
prompt hostname context 
Cryptochecksum:2a9ad4928360d69e72c0d5b6c149db6c
: end

Open in new window

gtrrichAsked:
Who is Participating?
 
Ernie BeekExpertCommented:
Allready a few things.
You were talking about ip address 217.xxx.xxx.98

But in your config I see:

interface Vlan2
 nameif outside
 security-level 0
 ip address 216.xxx.xxx.98 255.255.255.248

static (dmz,outside) 206.xxx.xxx.81 10.100.222.81 netmask 255.255.255.255
static (dmz,outside) 206.xxx.xxx.82 10.100.222.82 netmask 255.255.255.255
static (dmz,outside) 206.xxx.xxx.91 10.100.222.91 netmask 255.255.255.255
static (inside,outside) 206.xxx.xxx.69 10.100.100.10 netmask 255.255.255.255
static (inside,outside) 206.xxx.xxx.66 10.100.100.4 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.97


So you forgot to change some settings and the question is: what is the new address range, 216.x.x.x or 217.x.x.x?
0
 
mwblszCommented:
have you try to reboot the asa?
0
 
gtrrichAuthor Commented:
yes, but that only restores it to the previous settings and undoes my settings.  On purpose I didn't want to do a write mem so that I could revert my changes in case I mess things up.
0
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

 
mwblszCommented:
when you say ping yahoo ok, was it from your workstation or from the ASA?
are you able to ping your gateway at the carrier?

by the way, since you are switching to new ips, all the static one to one NAT will stop working.

honestly, I did not see anything wrong on the ASA config, might want to look elsewhere, may be a firewall on the work station?

sincerely
0
 
gtrrichAuthor Commented:
thanks, I'll clarify. I did the ping from my xp machine on the inside network. And yes, I was able to ping the gateway at the carrier.

0
 
gtrrichAuthor Commented:
This morning I tried it again with the above command to change the ip address and the default route.
Here's the running config after I made the changes, hope this helps.

thanks
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name ciscoasa.mexipass.com
enable password WTOUlJHZbjUN1QWQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.100.200 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.xxx.xxx.98 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.100.222.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 10.100.100.4
 domain-name ciscoasa.mexipass.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service IMAPS tcp-udp
 description IMAPS
 port-object eq 993
object-group network neospire_local
 network-object 10.100.100.0 255.255.255.0
 network-object 10.100.222.0 255.255.255.0
object-group network neospire_remote
 network-object 10.2.63.0 255.255.255.0
 network-object 10.2.193.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any any eq www

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any 10.100.100.0 255.255.255.0 eq imap4
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq pop3 inactive
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq https inactive
access-list outside_access_in extended permit object-group TCPUDP any any object-group IMAPS
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in extended permit tcp any 10.100.222.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit tcp any any eq ssh
access-list nat0_inside extended permit ip 10.100.100.0 255.255.255.0 10.100.222.0 255.255.255.0
access-list nat0_inside extended permit ip any 10.100.100.64 255.255.255.192
access-list nat0_inside extended permit ip object-group neospire_local object-group neospire_remote
access-list nat0_dmz extended permit ip 10.100.222.0 255.255.255.0 10.100.100.0
255.255.255.0
access-list nat0_dmz extended permit ip object-group neospire_local object-group neospire_remote
access-list dmz_access_rule extended permit icmp any any echo-reply
access-list dmz_access_in extended permit tcp any any eq ftp
access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit object-group TCPUDP any any eq www
access-list dmz_access_in extended permit icmp any any
access-list vpn1 extended permit udp any any eq isakmp
access-list vpn2 extended permit esp any any
access-list vpn_neospire extended permit ip object-group neospire_local object-group neospire_remote
pager lines 24
logging enable
logging asdm-buffer-size 200
logging buffered errors
logging asdm errors
logging from-address ciscoasa@mexipass.com
logging recipient-address richard@mexipass.com level errors
logging ftp-server 66.111.106.63 /home/richard/ciscologs root ****
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool mexipass_pool 10.100.100.90-10.100.100.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nat0_dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 206.xxx.xxx.81 10.100.222.81 netmask 255.255.255.255
static (dmz,outside) 206.xxx.xxx.82 10.100.222.82 netmask 255.255.255.255
static (dmz,outside) 206.xxx.xxx.91 10.100.222.91 netmask 255.255.255.255
static (inside,outside) 206.xxx.xxx.69 10.100.100.10 netmask 255.255.255.255
static (inside,outside) 206.xxx.xxx.66 10.100.100.4 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address vpn_neospire
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 66.111.107.48
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.100.100.4
!
dhcpd address 10.100.100.201-10.100.100.254 inside
dhcpd dns 10.100.100.4 interface inside
dhcpd enable inside
!

webvpn
 enable outside
group-policy Mexipass_Group internal
group-policy Mexipass_Group attributes
 vpn-tunnel-protocol IPSec
username jorge password gxWf9RqWIffbByL8 encrypted privilege 0
username jorge attributes
 vpn-group-policy Mexipass_Group
username joseantonio password X.9By.IWKAKsCmfy encrypted privilege 0
username joseantonio attributes
 vpn-group-policy Mexipass_Group
username regina password w7WLAV517wOx7efr encrypted
username regina attributes
 vpn-group-policy Mexipass_Group
username richard password wBxSHv5oN3AiG2Vg encrypted privilege 0
username richard attributes
 vpn-group-policy Mexipass_Group
username alfredo password Iy53pi8FVlL0cdFp encrypted privilege 0
username alfredo attributes
 vpn-group-policy Mexipass_Group
tunnel-group Mexipass_Group type ipsec-ra
tunnel-group Mexipass_Group general-attributes
 address-pool mexipass_pool
 default-group-policy Mexipass_Group
tunnel-group Mexipass_Group ipsec-attributes
 pre-shared-key *
tunnel-group 66.111.107.48 type ipsec-l2l
tunnel-group 66.111.107.48 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.100.100.4
prompt hostname context
Cryptochecksum:2a9ad4928360d69e72c0d5b6c149db6c
: end

Open in new window

0
 
Ernie BeekExpertCommented:
Hi there,

When you look at the logging in ASDM, is anything showing up when you try to browse?
0
 
gtrrichAuthor Commented:
here's a dump of the log file from ASDM.

Another thing, Last night I tried to do the ip address and gateway switch and was unable to both ping or browse the web from an xp machine on the inside interface with no enabled firewalls on the xp machine.

thank you


3|Mar 31 2011|08:29:24|710003|75.22.52.201|206.165.217.94|TCP access denied by ACL from 75.22.52.201/50593 to outside:206.165.217.94/80
3|Mar 31 2011|08:29:18|710003|75.22.52.201|206.165.217.94|TCP access denied by ACL from 75.22.52.201/50593 to outside:206.165.217.94/80
3|Mar 31 2011|08:29:15|710003|75.22.52.201|206.165.217.94|TCP access denied by ACL from 75.22.52.201/50593 to outside:206.165.217.94/80
3|Mar 31 2011|08:05:45|313001|80.93.118.3||Denied ICMP type=3, code=1 from 80.93.118.3 on interface outside
3|Mar 31 2011|08:05:45|313001|80.93.118.3||Denied ICMP type=3, code=1 from 80.93.118.3 on interface outside
3|Mar 31 2011|08:05:45|313001|80.93.118.3||Denied ICMP type=3, code=1 from 80.93.118.3 on interface outside
3|Mar 31 2011|07:21:32|710003|174.123.136.42|206.165.217.94|TCP access denied by ACL from 174.123.136.42/31448 to outside:206.165.217.94/22
3|Mar 31 2011|07:20:49|710003|88.226.158.52|206.165.217.94|TCP access denied by ACL from 88.226.158.52/1874 to outside:206.165.217.94/80
3|Mar 31 2011|07:20:43|710003|88.226.158.52|206.165.217.94|TCP access denied by ACL from 88.226.158.52/1874 to outside:206.165.217.94/80
3|Mar 31 2011|07:20:40|710003|88.226.158.52|206.165.217.94|TCP access denied by ACL from 88.226.158.52/1874 to outside:206.165.217.94/80
3|Mar 31 2011|06:59:54|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/50605 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:54|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63186 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:52|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/50605 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:52|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63186 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:52|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/53892 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:51|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/50605 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:51|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63186 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:50|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/50605 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:50|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63186 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:50|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/53892 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:49|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/53892 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:48|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/53892 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:43|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:40|305005|10.100.100.95||No translation group found for tcp src inside:10.100.100.215/2317 dst inside:10.100.100.95/3389
3|Mar 31 2011|06:59:39|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:39|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:39|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:37|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:37|305005|10.100.100.95||No translation group found for tcp src inside:10.100.100.215/2317 dst inside:10.100.100.95/3389
3|Mar 31 2011|06:59:36|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:36|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:35|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:35|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:35|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:33|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:33|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:32|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:32|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:32|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:31|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:31|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:31|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:30|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:29|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:28|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:28|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/2313 dst inside:10.100.100.4/389
3|Mar 31 2011|06:59:27|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:25|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:24|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:23|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:22|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/2314 dst inside:10.100.100.4/389
3|Mar 31 2011|06:59:22|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/2314 dst inside:10.100.100.4/389
3|Mar 31 2011|06:59:21|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:21|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:20|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/2313 dst inside:10.100.100.4/389
3|Mar 31 2011|06:59:17|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:17|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:15|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:15|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:14|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:14|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:13|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:13|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:06|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:06|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:02|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:02|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:00|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:00|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:59|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:59|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:58|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:58|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:51|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:51|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:47|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:47|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:45|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:45|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:44|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:44|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:43|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:43|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:36|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:32|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:30|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:29|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:28|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:19|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:16|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:15|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:13|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:12|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:12|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:11|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:10|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:09|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:08|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:02|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58821 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:01|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/55780 dst inside:10.100.100.4/53

Open in new window

0
 
Ernie BeekExpertCommented:
Looking at it at the moment.

One question though, after you made the changes did you issue a clear xlate ?
0
 
gtrrichAuthor Commented:
oh sorry, that 217 should've been 216, that was a typo.
and no I didn't issue a clear xlate, I didn't know I was suppose to. I'll try it tonight.

and are you saying that I also need to change those static route settings? it makes sense now that I look at them. I'll also try that tonight, thanks so much.

0
 
Ernie BeekExpertCommented:
Good.

Make sure you also change them in your access list:

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any 10.100.100.0 255.255.255.0 eq imap4
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq pop3 inactive
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq https inactive
access-list outside_access_in extended permit object-group TCPUDP any any object-group IMAPS
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in extended permit tcp any 10.100.222.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit udp any any


Good luck, let me know how it works out.

0
 
gtrrichAuthor Commented:
Ok, still no luck, I tried updating those nat entries and I even deleted them altogether from the setup, but the problem of not being able to browse webpages or ping external domain names from the inside network persists.

I can't believe it's so difficult to simply change the outside interface  ip address and gateway on a Cisco ASA 5505 device.

thank you
0
 
Ernie BeekExpertCommented:
Well it shouldn't be.

Another thing, can you ping an address on the internet by ip? Like 8.8.8.8 instead of google-public-dns-a.google.com?

If so, what have you put in your tcp settings as DNS server?
0
 
gtrrichAuthor Commented:
I must've missed something before because now it works. Thanks everyone for your help!!!
0
 
Ernie BeekExpertCommented:
Glad it worked out :)

Thanks for the points.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.