Cisco ASA 5510 config help needed

Posted on 2011-10-10
Last Modified: 2012-05-12
Trying to connect my ASA 5510 to a new internet provider. The provider gave us a cisco router that we can connect the ASA into.

We get a /27 LAN. I tried to scrub the config file to things that are necessary.

When I use a laptop the config works find. When I input it into the ASA there's no internet access. I can ping the gateway, but nothing beyond.

Any help would be appreciated. Thank you.
: Saved
ASA Version 7.2(4) 

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address *.*.*.130 
interface Management0/0
 nameif management
 security-level 100
 no ip address
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CST recurring
dns server-group DefaultDNS
 domain-name ****.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service tcp_jupiter tcp
 port-object range 5800 5999
 port-object eq www
 port-object eq imap4
 port-object eq ldap
 port-object eq https
 port-object eq sip
 port-object eq talk
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any host www_out eq www 
access-list outside_access_in extended permit tcp any host www_out eq ssh 
access-list no-nat-inside extended permit ip 
access-list no-nat-inside extended permit ip 
access-list no-nat-inside extended permit ip host mercury_in host 
access-list vpn extended permit ip 
access-list vpn extended permit ip 
access-list vpn extended permit ip 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any 
access-list inside_access_in extended permit ip any 
pager lines 20
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz1 1500
mtu management 1500
mtu phone 1500
ip local pool vpnpool
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name gsp_info info action alarm
ip audit name gsp_attack attack action alarm drop reset
ip audit interface outside gsp_info
ip audit interface outside gsp_attack
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 tcp 20000 14000  udp 20000
nat (inside) 1 tcp 20000 14000  udp 20000
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 1
route outside *.*.*.129 1
timeout xlate 3:00:00
timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  3600
telnet timeout 5
ssh inside
ssh outside
ssh phone
ssh timeout 60
console timeout 0
management-access inside
ntp server source outside prefer
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value
 dns-server value
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec 
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock value gspvpn
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value *-vpn
 default-domain value ****.com
 split-dns value *****.com 
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value vpnpool
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy gspvpn internal
group-policy gspvpn attributes
 vpn-idle-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gsp-vpn
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group gspvpn
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns default_dns
  message-length maximum 2048
policy-map global-policy
 class global-class
  inspect ctiqbe 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect icmp 
  inspect icmp error 
  inspect ipsec-pass-thru 
  inspect dns default_dns 
  inspect netbios 
  inspect pptp 
  inspect tftp 
 class inspection_default
  inspect ftp 
service-policy global-policy global
prompt hostname context 

Open in new window

Question by:michaeltegler
    LVL 35

    Accepted Solution

    At first glance, this is rather interesting:
    global (outside) 1
    nat (inside) 0 access-list no-nat-inside
    nat (inside) 1 tcp 20000 14000  udp 20000
    nat (inside) 1 tcp 20000 14000  udp 20000

    Try changing that to:

    global (outside) 1 interface
    nat (inside) 0 access-list no-nat-inside
    nat (inside) 1
    nat (inside) 1

    Then give a 'clear xlate' and see what happens.
    LVL 17

    Expert Comment

    Also, if you got a /27, why are you using a netmask of (/30)?


    Author Closing Comment

    Thank you very much. That did it.
    LVL 35

    Expert Comment

    by:Ernie Beek
    Glad to be of service ;)
    Thx for the points.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Suggested Solutions

    Hi there, This article summarizes what you need if you are going to set up your home or small business Network Attached Storage (NAS) to be accessible from the internet. Of course there are configuration differences based on your NAS or router ma…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now