Cisco ASA 5510 - Can't access outside / internet

joe90kane asked on
Hi,

I'm setting up a new ASA 8.4(1).

I can ping out from the ASA but any client PCs can't access the internet.
Is there something obvious I'm missing?

I have two internet connections, outside & outside backup. In this test I only have outside backup enabled and working.

Config attached.

Tks, Joe
ASA Version 8.4(1) 
!
hostname testerfw
domain-name tester.ie
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.100 255.255.255.240 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface Ethernet0/2
 nameif outsidebackup
 security-level 0
 ip address 50.50.50.50 255.255.255.192 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.48
 name-server 192.168.1.50
 name-server 8.8.8.8
 domain-name tester.ie
same-security-traffic permit inter-interface
object service AS400SSL 
 service tcp destination eq 992 
 description AS400SSL 
object network Exchange 
 host 192.168.1.55
 description Exchange 
object network Exchange_Web_Access 
 host 192.168.1.55
object network WebServer
 host 192.168.1.24
 description WebServer
object network WebServer1 
 host 192.168.1.54
 description WebServer1 
object network Turkey 
 host 192.168.1.241
 description Turkey 
object network WebServer1 
 host 192.168.1.220
 description WebServer1 
object network Asterisk 
 host 192.168.1.3
 description Asterisk 
object network Asterisk_UDP 
 host 192.168.1.3
 description Asterisk_UDP 
object network NETWORK_OBJ_172.16.2.0_26 
 subnet 172.16.2.0 255.255.255.192
object network NETWORK_OBJ_192.168.1.0_24 
 subnet 192.168.1.0 255.255.255.0
object-group service outside_Outside
 description outside Outside Group
 service-object object AS400SSL 
 service-object tcp destination eq www 
 service-object tcp destination eq https 
 service-object tcp-udp destination eq sip 
 service-object icmp 
access-list outside_access_in extended permit object-group outside_Outside any interface outside 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any host 100.100.100.212 eq https 
access-list outside_access_in extended permit tcp any host 100.100.100.214 eq www 
access-list outside_access_in extended permit tcp any host 100.100.100.213 eq www 
access-list outside_access_in extended permit tcp any host 100.100.100.212 eq www 
access-list outside_access_in extended permit tcp any host 100.100.100.211 eq www 
access-list outsidebackup_access_in extended permit tcp any host 100.100.100.214 eq www 
access-list outsidebackup_access_in extended permit tcp any host 100.100.100.212 eq www 
access-list outsidebackup_access_in extended permit tcp any host 100.100.100.213 eq www 
access-list outsidebackup_access_in extended permit tcp any host 100.100.100.211 eq www 
access-list outsidebackup_access_in extended permit tcp any host 100.100.100.215 eq https 
access-list outsidebackup_access_in extended permit tcp any interface outside eq smtp 
access-list outsidebackup_access_in extended permit object-group outside_Outside any interface outside 
access-list inside_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu outsidebackup 1500
ip local pool VPNPOOL 172.16.2.1-172.16.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_172.16.2.0_26 NETWORK_OBJ_172.16.2.0_26
!
object network Exchange
 nat (outside,inside) static 100.100.100.212 service tcp https https 
object network WebServer
 nat (outside,inside) static 100.100.100.212 service tcp www www 
object network WebServer1
 nat (outside,inside) static 100.100.100.214 service tcp www www 
object network Turkey
 nat (outside,inside) static 100.100.100.213 service tcp www www 
object network WebServer1
 nat (outside,inside) static 100.100.100.211 service tcp www www 
object network Asterisk
 nat (any,outside) static interface service tcp sip sip 
object network Asterisk_UDP
 nat (any,outside) static interface service udp sip sip 
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group outsidebackup_access_in in interface outsidebackup
route outside 0.0.0.0 0.0.0.0 100.100.100.209 1 track 1
route outsidebackup 0.0.0.0 0.0.0.0 50.50.50.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.70 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 100.100.100.209 interface outside
 num-packets 2
 frequency 10
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
telnet 192.168.1.70 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 87.32.12.19 source outside prefer
webvpn
group-policy vpngroupmap internal
group-policy vpngroupmap attributes
 wins-server value 192.168.1.48 192.168.1.50
 dns-server value 192.168.1.48 192.168.1.50
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpngroupmap_splitTunnelAcl
group-policy ClientGroup internal
group-policy ClientGroup attributes
 vpn-tunnel-protocol ikev1 ikev2 
tunnel-group vpngroupmap type remote-access
tunnel-group vpngroupmap general-attributes
 address-pool VPNPOOL
 default-group-policy vpngroupmap
tunnel-group vpngroupmap ipsec-attributes
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect ip-options 
  inspect http 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:203f8f79d9b5fa0b2ba61a72c6e68056
: end
ASKER CERTIFIED SOLUTION
kellemann