gtrrich

Cisco ASA 5505 blocks internet access after outside interface ip address change

Hello Experts,
I'm a complete noob with Cisco ASA, and really need some direction with this.

Here's the situation: our ASA 5505 device is up and working perfectly. The problem is we are changing ISPs and as a result have a new public IP address that needs to be assigned to the outside interface of the ASA device.

So I applied these commands to the device. First, I changed the IP address with
config term
interface vlan 2
no ip address 206.xxx.xxx.94
ip address 217.xxx.xxx.98

Then I changed the default route to the new gateway with
config term
no route outside 0.0.0.0 0.0.0.0 206.xxx.xxx.65
route outside 0.0.0.0 0.0.0.0 217.xxx.xxx.97 1

After I do this, I am able to ping an outside domain; for example, ping yahoo.com works.
However, I am unable to browse to any website via any browser.

I pasted a copy of the running config as it is before I run the above commands.

Any ideas?

Thank You
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name ciscoasa.mexipass.com
enable password WTOUlJHZbjUN1QWQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.100.200 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.xxx.xxx.94 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.100.222.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 10.100.100.4
 domain-name ciscoasa.mexipass.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service IMAPS tcp-udp
 description IMAPS
 port-object eq 993
object-group network neospire_local
 network-object 10.100.100.0 255.255.255.0
 network-object 10.100.222.0 255.255.255.0
object-group network neospire_remote
 network-object 10.2.63.0 255.255.255.0
 network-object 10.2.193.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any any eq www 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended permit tcp any 10.100.100.0 255.255.255.0 eq imap4 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq pop3 inactive 
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq https inactive 
access-list outside_access_in extended permit object-group TCPUDP any any object-group IMAPS 
access-list outside_access_in extended permit tcp any any eq pop3 
access-list outside_access_in extended permit tcp any any eq imap4 
access-list outside_access_in extended permit tcp any 10.100.222.0 255.255.255.0 eq ftp 
access-list outside_access_in extended permit udp any any eq isakmp 
access-list outside_access_in extended permit esp any any 
access-list outside_access_in extended permit udp any any 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list nat0_inside extended permit ip 10.100.100.0 255.255.255.0 10.100.222.0 255.255.255.0 
access-list nat0_inside extended permit ip any 10.100.100.64 255.255.255.192 
access-list nat0_inside extended permit ip object-group neospire_local object-group neospire_remote 
access-list nat0_dmz extended permit ip 10.100.222.0 255.255.255.0 10.100.100.0 255.255.255.0 
access-list nat0_dmz extended permit ip object-group neospire_local object-group neospire_remote 
access-list dmz_access_rule extended permit icmp any any echo-reply 
access-list dmz_access_in extended permit tcp any any eq ftp 
access-list dmz_access_in extended permit tcp any any 
access-list dmz_access_in extended permit tcp any any eq https 
access-list dmz_access_in extended permit object-group TCPUDP any any eq www 
access-list dmz_access_in extended permit icmp any any 
access-list vpn1 extended permit udp any any eq isakmp 
access-list vpn2 extended permit esp any any 
access-list vpn_neospire extended permit ip object-group neospire_local object-group neospire_remote 
pager lines 24
logging enable
logging asdm-buffer-size 200
logging buffered errors
logging asdm errors
logging from-address ciscoasa@mexipass.com
logging recipient-address richard@mexipass.com level errors
logging ftp-server 66.111.106.63 /home/richard/ciscologs root ****
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool mexipass_pool 10.100.100.90-10.100.100.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nat0_dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 206.xxx.xxx.81 10.100.222.81 netmask 255.255.255.255 
static (dmz,outside) 206.xxx.xxx.82 10.100.222.82 netmask 255.255.255.255
static (dmz,outside) 206.xxx.xxx.91 10.100.222.91 netmask 255.255.255.255 
static (inside,outside) 206.xxx.xxx.69 10.100.100.10 netmask 255.255.255.255 
static (inside,outside) 206.xxx.xxx.66 10.100.100.4 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.xxx.xxx.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address vpn_neospire
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 66.111.107.48 
crypto map outside_map 10 set transform-set ESP-AES-SHA            
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000 
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.100.100.4
!
dhcpd address 10.100.100.201-10.100.100.254 inside
dhcpd dns 10.100.100.4 interface inside
dhcpd enable inside
!

webvpn
 enable outside
group-policy Mexipass_Group internal
group-policy Mexipass_Group attributes
 vpn-tunnel-protocol IPSec 
username jorge password gxWf9RqWIffbByL8 encrypted privilege 0
username jorge attributes
 vpn-group-policy Mexipass_Group
username joseantonio password X.9By.IWKAKsCmfy encrypted privilege 0
username joseantonio attributes
 vpn-group-policy Mexipass_Group
username regina password w7WLAV517wOx7efr encrypted
username regina attributes
 vpn-group-policy Mexipass_Group
username richard password wBxSHv5oN3AiG2Vg encrypted privilege 0
username richard attributes
 vpn-group-policy Mexipass_Group
username alfredo password Iy53pi8FVlL0cdFp encrypted privilege 0
username alfredo attributes
 vpn-group-policy Mexipass_Group
tunnel-group Mexipass_Group type ipsec-ra
tunnel-group Mexipass_Group general-attributes
 address-pool mexipass_pool
 default-group-policy Mexipass_Group
tunnel-group Mexipass_Group ipsec-attributes
 pre-shared-key *
tunnel-group 66.111.107.48 type ipsec-l2l
tunnel-group 66.111.107.48 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 10.100.100.4
prompt hostname context 
Cryptochecksum:2a9ad4928360d69e72c0d5b6c149db6c
: end


mwblsz

Have you tried to reboot the ASA?

gtrrich

ASKER

Yes, but that only restores it to the previous settings and undoes my settings. On purpose I didn't want to do a write mem so that I could revert my changes in case I mess things up.

When you say ping yahoo OK, was it from your workstation or from the ASA?
Are you able to ping your gateway at the carrier?

By the way, since you are switching to new IPs, all the static one-to-one NAT will stop working.

Honestly, I did not see anything wrong in the ASA config; you might want to look elsewhere, maybe a firewall on the workstation?

Sincerely

gtrrich

ASKER

Thanks, I'll clarify. I did the ping from my XP machine on the inside network. And yes, I was able to ping the gateway at the carrier.

gtrrich

ASKER

This morning I tried it again with the above commands to change the IP address and the default route.
Here's the running config after I made the changes, hope this helps.

Thanks
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name ciscoasa.mexipass.com
enable password WTOUlJHZbjUN1QWQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.100.200 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.xxx.xxx.98 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.100.222.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 10.100.100.4
 domain-name ciscoasa.mexipass.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service IMAPS tcp-udp
 description IMAPS
 port-object eq 993
object-group network neospire_local
 network-object 10.100.100.0 255.255.255.0
 network-object 10.100.222.0 255.255.255.0
object-group network neospire_remote
 network-object 10.2.63.0 255.255.255.0
 network-object 10.2.193.0 255.255.255.0
access-list outside_access_in extended permit object-group TCPUDP any any eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any 10.100.100.0 255.255.255.0 eq imap4
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq pop3 inactive
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq https inactive
access-list outside_access_in extended permit object-group TCPUDP any any object-group IMAPS
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in extended permit tcp any 10.100.222.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit tcp any any eq ssh
access-list nat0_inside extended permit ip 10.100.100.0 255.255.255.0 10.100.222.0 255.255.255.0
access-list nat0_inside extended permit ip any 10.100.100.64 255.255.255.192
access-list nat0_inside extended permit ip object-group neospire_local object-group neospire_remote
access-list nat0_dmz extended permit ip 10.100.222.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list nat0_dmz extended permit ip object-group neospire_local object-group neospire_remote
access-list dmz_access_rule extended permit icmp any any echo-reply
access-list dmz_access_in extended permit tcp any any eq ftp
access-list dmz_access_in extended permit tcp any any
access-list dmz_access_in extended permit tcp any any eq https
access-list dmz_access_in extended permit object-group TCPUDP any any eq www
access-list dmz_access_in extended permit icmp any any
access-list vpn1 extended permit udp any any eq isakmp
access-list vpn2 extended permit esp any any
access-list vpn_neospire extended permit ip object-group neospire_local object-group neospire_remote
pager lines 24
logging enable
logging asdm-buffer-size 200
logging buffered errors
logging asdm errors
logging from-address ciscoasa@mexipass.com
logging recipient-address richard@mexipass.com level errors
logging ftp-server 66.111.106.63 /home/richard/ciscologs root ****
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool mexipass_pool 10.100.100.90-10.100.100.99 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0_inside
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nat0_dmz
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 206.xxx.xxx.81 10.100.222.81 netmask 255.255.255.255
static (dmz,outside) 206.xxx.xxx.82 10.100.222.82 netmask 255.255.255.255
static (dmz,outside) 206.xxx.xxx.91 10.100.222.91 netmask 255.255.255.255
static (inside,outside) 206.xxx.xxx.69 10.100.100.10 netmask 255.255.255.255
static (inside,outside) 206.xxx.xxx.66 10.100.100.4 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address vpn_neospire
crypto map outside_map 10 set pfs group5
crypto map outside_map 10 set peer 66.111.107.48
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.100.100.4
!
dhcpd address 10.100.100.201-10.100.100.254 inside
dhcpd dns 10.100.100.4 interface inside
dhcpd enable inside
!

webvpn
 enable outside
group-policy Mexipass_Group internal
group-policy Mexipass_Group attributes
 vpn-tunnel-protocol IPSec
username jorge password gxWf9RqWIffbByL8 encrypted privilege 0
username jorge attributes
 vpn-group-policy Mexipass_Group
username joseantonio password X.9By.IWKAKsCmfy encrypted privilege 0
username joseantonio attributes
 vpn-group-policy Mexipass_Group
username regina password w7WLAV517wOx7efr encrypted
username regina attributes
 vpn-group-policy Mexipass_Group
username richard password wBxSHv5oN3AiG2Vg encrypted privilege 0
username richard attributes
 vpn-group-policy Mexipass_Group
username alfredo password Iy53pi8FVlL0cdFp encrypted privilege 0
username alfredo attributes
 vpn-group-policy Mexipass_Group
tunnel-group Mexipass_Group type ipsec-ra
tunnel-group Mexipass_Group general-attributes
 address-pool mexipass_pool
 default-group-policy Mexipass_Group
tunnel-group Mexipass_Group ipsec-attributes
 pre-shared-key *
tunnel-group 66.111.107.48 type ipsec-l2l
tunnel-group 66.111.107.48 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.100.100.4
prompt hostname context
Cryptochecksum:2a9ad4928360d69e72c0d5b6c149db6c
: end


Ernie Beek

Hi there,

When you look at the logging in ASDM, is anything showing up when you try to browse?

gtrrich

ASKER

Here's a dump of the log file from ASDM.

Another thing: last night I tried to do the IP address and gateway switch and was unable to either ping or browse the web from an XP machine on the inside interface, with no firewalls enabled on the XP machine.

Thank you


3|Mar 31 2011|08:29:24|710003|75.22.52.201|206.165.217.94|TCP access denied by ACL from 75.22.52.201/50593 to outside:206.165.217.94/80
3|Mar 31 2011|08:29:18|710003|75.22.52.201|206.165.217.94|TCP access denied by ACL from 75.22.52.201/50593 to outside:206.165.217.94/80
3|Mar 31 2011|08:29:15|710003|75.22.52.201|206.165.217.94|TCP access denied by ACL from 75.22.52.201/50593 to outside:206.165.217.94/80
3|Mar 31 2011|08:05:45|313001|80.93.118.3||Denied ICMP type=3, code=1 from 80.93.118.3 on interface outside
3|Mar 31 2011|08:05:45|313001|80.93.118.3||Denied ICMP type=3, code=1 from 80.93.118.3 on interface outside
3|Mar 31 2011|08:05:45|313001|80.93.118.3||Denied ICMP type=3, code=1 from 80.93.118.3 on interface outside
3|Mar 31 2011|07:21:32|710003|174.123.136.42|206.165.217.94|TCP access denied by ACL from 174.123.136.42/31448 to outside:206.165.217.94/22
3|Mar 31 2011|07:20:49|710003|88.226.158.52|206.165.217.94|TCP access denied by ACL from 88.226.158.52/1874 to outside:206.165.217.94/80
3|Mar 31 2011|07:20:43|710003|88.226.158.52|206.165.217.94|TCP access denied by ACL from 88.226.158.52/1874 to outside:206.165.217.94/80
3|Mar 31 2011|07:20:40|710003|88.226.158.52|206.165.217.94|TCP access denied by ACL from 88.226.158.52/1874 to outside:206.165.217.94/80
3|Mar 31 2011|06:59:54|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/50605 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:54|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63186 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:52|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/50605 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:52|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63186 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:52|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/53892 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:51|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/50605 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:51|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63186 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:50|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/50605 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:50|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63186 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:50|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/53892 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:49|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/53892 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:48|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/53892 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:43|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:40|305005|10.100.100.95||No translation group found for tcp src inside:10.100.100.215/2317 dst inside:10.100.100.95/3389
3|Mar 31 2011|06:59:39|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:39|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:39|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:37|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:37|305005|10.100.100.95||No translation group found for tcp src inside:10.100.100.215/2317 dst inside:10.100.100.95/3389
3|Mar 31 2011|06:59:36|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:36|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:35|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:35|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58370 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:35|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:33|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:33|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:32|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:32|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:32|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:31|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58178 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:31|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59274 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:31|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:30|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:29|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:28|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/49593 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:28|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/2313 dst inside:10.100.100.4/389
3|Mar 31 2011|06:59:27|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:25|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:24|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:23|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57865 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:22|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/2314 dst inside:10.100.100.4/389
3|Mar 31 2011|06:59:22|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/2314 dst inside:10.100.100.4/389
3|Mar 31 2011|06:59:21|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:21|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:20|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/2313 dst inside:10.100.100.4/389
3|Mar 31 2011|06:59:17|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:17|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:15|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:15|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:14|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:14|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:13|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/56720 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:13|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58391 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:06|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:06|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:02|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:02|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:00|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:59:00|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:59|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:59|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:58|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54854 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:58|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54902 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:51|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:51|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:47|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:47|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:45|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:45|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:44|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:44|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:43|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/63076 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:43|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/57877 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:36|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:32|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:30|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:29|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:28|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/54215 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:19|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:16|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:15|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:13|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:12|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:12|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:11|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/59375 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:10|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:09|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:08|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/65163 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:02|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/58821 dst inside:10.100.100.4/53
3|Mar 31 2011|06:58:01|305006|10.100.100.4||portmap translation creation failed for udp src inside:10.100.100.215/55780 dst inside:10.100.100.4/53


Looking at it at the moment.

One question though: after you made the changes, did you issue a clear xlate?

ASKER CERTIFIED SOLUTION
Ernie Beek
This solution is only available to members.

gtrrich

ASKER

Oh sorry, that 217 should've been 216; that was a typo.
And no, I didn't issue a clear xlate; I didn't know I was supposed to. I'll try it tonight.

And are you saying that I also need to change those static route settings? It makes sense now that I look at them. I'll also try that tonight, thanks so much.

Good.

Make sure you also change them in your access list:

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any 10.100.100.0 255.255.255.0 eq imap4
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq pop3 inactive
access-list outside_access_in extended permit tcp host 206.xxx.xxx.68 any eq https inactive
access-list outside_access_in extended permit object-group TCPUDP any any object-group IMAPS
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in extended permit tcp any 10.100.222.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit udp any any


Good luck, let me know how it works out.
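
Added example, not part of the thread and not any poster's code: a Python check for what the replies above point out, namely config lines that still name the old ISP block after the outside address changes, plus whether the default-route gateway sits inside the outside interface's subnet. The sample config is constructed, modelled on the one posted, with documentation address ranges standing in for the masked 206.x and 216.x values; all function names are illustrative.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# First keyword of a config line -> what kind of entry it is.
KINDS = {
    "static": "static NAT",
    "access-list": "ACL entry",
    "route": "route",
    "global": "global pool",
    "ip": "interface address",
}

# Constructed sample (not the poster's real addresses):
# old ISP block 198.51.100.0/24, new ISP block 203.0.113.96/29.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.98 255.255.255.248
!
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp host 198.51.100.68 any eq pop3 inactive
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 198.51.100.81 10.100.222.81 netmask 255.255.255.255
static (inside,outside) 198.51.100.66 10.100.100.4 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 203.0.113.97 1
"""


def outside_network(config_text):
    """Return the subnet configured on the interface named 'outside', or None."""
    name, network = None, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            name, network = None, None          # new interface block
        elif raw.startswith(" nameif "):
            name = raw.split()[1]
        elif raw.startswith(" ip address "):
            parts = raw.split()
            try:
                network = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            except (IndexError, ValueError):
                network = None                  # e.g. "ip address dhcp setroute"
        if name == "outside" and network is not None:
            return network
    return None


def default_gateway(config_text):
    """Return the next hop of the default route on the outside interface, or None."""
    match = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config_text, re.M)
    return ipaddress.ip_address(match.group(1)) if match else None


def stale_references(config_text, old_net):
    """List (line_number, kind, line) for every line naming an address in old_net."""
    old_net = ipaddress.ip_network(old_net)
    hits = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        for token in IPV4.findall(line):
            try:
                address = ipaddress.ip_address(token)
            except ValueError:                  # e.g. an octet above 255
                continue
            if address in old_net:
                hits.append((number, KINDS.get(line.split()[0], "other"), line))
                break                           # one report per line is enough
    return hits


def audit(config_text, old_net):
    """Combine both checks into one result."""
    network = outside_network(config_text)
    gateway = default_gateway(config_text)
    return {
        "outside_network": network,
        "gateway_on_link": bool(network and gateway and gateway in network),
        "stale": stale_references(config_text, old_net),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, "198.51.100.0/24")
    print("outside subnet :", result["outside_network"])
    print("gateway on link:", result["gateway_on_link"])
    for number, kind, line in result["stale"]:
        print(f"line {number:>3} [{kind}] {line}")
```
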

gtrrich

ASKER

OK, still no luck. I tried updating those NAT entries and I even deleted them altogether from the setup, but the problem of not being able to browse webpages or ping external domain names from the inside network persists.

I can't believe it's so difficult to simply change the outside interface IP address and gateway on a Cisco ASA 5505 device.

Thank you

Well, it shouldn't be.

Another thing, can you ping an address on the internet by IP? Like 8.8.8.8 instead of google-public-dns-a.google.com?

If so, what have you put in your TCP settings as DNS server?

gtrrich

ASKER

I must've missed something before because now it works. Thanks everyone for your help!!!

Glad it worked out :)

Thanks for the points.