Cisco ASA 5505 Not Routing Public IPs

We recently changed Internet service providers and thusly our public IP range changed.  I was able to get the firewall configured and up and running to pass traffic and be remotely accessed, but the rest of the IP range is not working to pass traffic into our network.

I'm not a Cisco guy, but I followed the previously working config and thought I hit everything.  Can anyone point me in the right direction as to what to check on the 5505?

Thanks!
perktechAsked:

Ken BooneNetwork ConsultantCommented:
We would need to see the config to help you out.
0
perktechAuthor Commented:
Sure thing -- sorry -- I meant to include it!

: Saved
:
ASA Version 8.4(7) 
!
hostname upland
domain-name school.org
enable password b391KcJvI1DSokQY encrypted
passwd b391KcJvI1DSokQY encrypted
multicast-routing
names
name 10.10.1.2 adminserver.school.org
name 64.235.144.0 Barracuda description Anit-Sam
name 204.108.253.7 Workstation
name 204.108.201.12 FirstClass-Server
name 204.108.201.16 VCUint-00-External
name 10.10.1.67 VCUnit-00-Internal
name 10.10.0.190 PSX
name 204.108.201.19 PSX-Server
name 10.10.1.10 phone_system
name 204.108.201.20 VIP.school.org
name 204.108.201.18 jss.school.org
name 10.10.1.16 jss
dns-guard
!
interface Ethernet0/0
 shutdown
 nameif Outside
 security-level 0
 ip address 204.108.201.5 255.255.255.0 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.1.254 255.255.254.0 
 igmp limit 10
 igmp forward interface Outside
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description Verizon 50 MB Connection
 nameif OutboundVerizon
 security-level 0
 ip address 65.211.38.242 255.255.255.240 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa847-k8.bin
ftp mode passive
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 204.108.237.254
 name-server 204.108.253.95
 domain-name uplandcds.org
object network Weather_Bug
 host 10.10.1.3
 description Weather_Bug
object network obj-204.108.201.14
 host 204.108.201.14
object network Technoloogy_Server_Comm
 host 10.10.1.14
 description Technoloogy Server Comm
object network FileMaker_Server
 host 65.211.38.246
object network Techmology_Sever_FileMaker
 host 10.10.1.5
 description Techmology Sever FileMaker
object network Comm_Server
 host 65.211.38.245
object network adminserver.uplandcds.org
 host 10.10.1.2
object network Admin_Server
 host 65.211.38.247
object network VCUnit-00-Internal
 host 10.10.1.67
object network VCUint-00-External
 host 204.108.201.16
object network PSX
 host 10.10.0.190
object network PSX-Server
 host 204.108.201.19
object network Mitel_system
 host 10.10.1.10
 description Mitel Phone system
object network VIP.uplandcds.org
 host 65.211.38.244
 description MiTel Phone System
object network Finance_Server
 host 10.10.1.16
object network jss.uplandcds.org
 host 65.211.38.243
 description Finance, Casper, Help Desk Servers
object network UCSD_Network
 subnet 10.10.0.0 255.255.254.0
 description Inside ip address
object network Outside_Network
 range 204.108.201.40 204.108.201.200
 description Public IP Address
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network Tims-Workstation
 host 204.108.253.7
 description Created during name migration
object network Barracuda
 subnet 64.235.144.0 255.255.240.0
 description Created during name migration
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group service Tandberg-VC
 description Video Conferencing
 service-object tcp destination range 3230 3243 
 service-object tcp destination eq h323 
 service-object udp destination range 3230 3285 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2195
 port-object eq 3389
 port-object eq 5334
 port-object eq 8443
 port-object eq www
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 4000
 port-object eq 44000
access-list Inside_pnat_outbound extended permit ip 10.10.0.0 255.255.254.0 any 
access-list Outside_access_in extended permit icmp any any unreachable inactive 
access-list Outside_access_in extended permit icmp any any time-exceeded inactive 
access-list Outside_access_in extended permit icmp any 10.10.0.0 255.255.254.0 inactive 
access-list Outside_access_in extended permit tcp any any eq 2187 
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host 204.108.201.14 
access-list Outside_access_in extended permit ip any object Admin_Server 
access-list Outside_access_in extended permit ip any host 204.108.201.15 
access-list Outside_access_in extended permit ip any host 204.108.201.13 
access-list Outside_access_in extended permit ip any object VCUint-00-External 
access-list Outside_access_in extended deny ip any any 
access-list Outside_access_in extended permit tcp any object PSX-Server eq www 
access-list Outside_access_in extended permit ip object Tims-Workstation any 
access-list Inside_access_in extended permit ip 10.10.0.0 255.255.254.0 any 
access-list Inside_access_in extended deny ip any any 
access-list Outside_access_in_1 extended permit tcp any object Finance_Server object-group DM_INLINE_TCP_1 
access-list Outside_access_in_1 remark Firstclass access via Web from outside of the network
access-list Outside_access_in_1 extended permit ip any object adminserver.uplandcds.org 
access-list Outside_access_in_1 extended permit tcp any object PSX eq www 
access-list Outside_access_in_1 extended permit tcp any object Mitel_system object-group DM_INLINE_TCP_2 
access-list OutboundVerizon_access_in extended permit ip any any log disable inactive 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu OutboundVerizon 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static Finance_Server jss.uplandcds.org
nat (Inside,Outside) source static Technoloogy_Server_Comm Comm_Server
nat (Inside,Outside) source static Techmology_Sever_FileMaker FileMaker_Server
nat (Inside,Outside) source static adminserver.uplandcds.org Admin_Server
nat (Inside,Outside) source static VCUnit-00-Internal VCUint-00-External
nat (Inside,Outside) source static PSX PSX-Server
nat (Inside,Outside) source static Mitel_system VIP.uplandcds.org
!
object network UCSD_Network
 nat (Inside,OutboundVerizon) dynamic interface dns
object network obj_any
 nat (Inside,Outside) dynamic obj-0.0.0.0
object network obj_any-01
 nat (management,Outside) dynamic obj-0.0.0.0
access-group Outside_access_in_1 in interface Outside
access-group Inside_access_in in interface Inside
access-group OutboundVerizon_access_in in interface OutboundVerizon
route OutboundVerizon 0.0.0.0 0.0.0.0 65.211.38.241 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http Tims-Workstation 255.255.255.255 Outside
http 10.10.0.0 255.255.254.0 Inside
http 204.108.253.0 255.255.255.0 Outside
http 204.108.253.0 255.255.255.0 management
http 108.36.158.34 255.255.255.255 Outside
snmp-server host Outside 204.108.253.41 community ***** version 2c
snmp-server host Outside 204.108.238.252 community *****
snmp-server location 420 West Street Rd, Kennett Square, PA 19348
snmp-server contact Tim Currie
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
telnet timeout 5
ssh 204.108.253.0 255.255.255.0 Outside
ssh 10.10.0.0 255.255.254.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Outside
dhcpd lease 36000
dhcpd option 3 ip 10.10.1.254
!
dhcpd address 10.10.0.50-10.10.1.49 Inside
dhcpd dns 204.108.253.95 204.108.237.254 interface Inside
dhcpd lease 14400 interface Inside
dhcpd ping_timeout 20 interface Inside
dhcpd domain uplandcds.org interface Inside
dhcpd option 3 ip 10.10.1.254 interface Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username dtcurrie password o7jxD10QzSP7dU/P encrypted
username dtcurrie attributes
 service-type remote-access
username bsarte password oqNIoVNyJi.X8LZA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dd92b40a3a2756f4df4f308b39e22b7c
: end
asdm image disk0:/asdm-731-101.bin
asdm location Barracuda 255.255.240.0 Inside
no asdm history enable



Thanks!!
0
Jan SpringerCommented:
If your subnet is attached to your outside interface and the provider does not route it to you, ask your new provider if they allow multiple IPs for a single MAC address.  If not, you'll have to alias each IP (other than the one on the WAN interface) to a dummy MAC address.
0

perktechAuthor Commented:
Just  a note:  the interface Ethernet0/3 (Verizon) is the new one.  The IP range goes from 65.211.38.242 through 65.211.38.253 that I have, and trying to assign 243-246 at the moment to internal machines.
0
perktechAuthor Commented:
Jan - thank you for your comment, Verizon said they do support multiple IPs to MAC addresses, but I'll double check on it.
0
Jan SpringerCommented:
proxy arp should be turned on by default, what is the output of:

   show running sysopt
0
Jan SpringerCommented:
also, let's see the nat detail:

  show nat detail
0
Ken BooneNetwork ConsultantCommented:
ok so you have a new provider that you connected to eth0/3 which is named OutboundVerizon.

You have a lot of nat statements that are still dealing with the other interface
i.e.
object network obj_any
 nat (Inside,Outside) dynamic obj-0.0.0.0

also...

nat (Inside,Outside) source static Finance_Server jss.uplandcds.org
nat (Inside,Outside) source static Technoloogy_Server_Comm Comm_Server
nat (Inside,Outside) source static Techmology_Sever_FileMaker FileMaker_Server
nat (Inside,Outside) source static adminserver.uplandcds.org Admin_Server
nat (Inside,Outside) source static VCUnit-00-Internal VCUint-00-External
nat (Inside,Outside) source static PSX PSX-Server
nat (Inside,Outside) source static Mitel_system VIP.uplandcds.org

replace Outside with OutboundVerizon


I see that you opened up all traffic from the ACL perspective but there must be a proper NAT in place for it to work.
0
perktechAuthor Commented:
OK - that makes sense...

but shouldn't

nat (Inside,Outside) source static Finance_Server jss.uplandcds.org

reference the objects Finance_Server and jss.uplandcds.org?

I see "name" in the very beginning of the config file -- what does that reference and how do I change it?  I'm asking because the Object jss.uplandcds.org and the Name jss.uplandcds.org have different IP addresses and I'm not sure how to change the "name".  I'm trying to do these changes remotely via ASDM -- if you could make note of how to do it in that it would be super helpful.  I don't have access to the command line from here.
0
Ken BooneNetwork ConsultantCommented:
Ok so the name is just a reference that really is probably left over from old code.

With the nat command in your version it should be referencing objects

To remove a name just do this:
no name 204.108.201.18 jss.school.org

But let's look at your objects:

object network Finance_Server
 host 10.10.1.16
object network jss.uplandcds.org
 host 65.211.38.243
 description Finance, Casper, Help Desk Servers

The right way to program this is as follows:

object network Finance_Server
 host 10.10.1.16
 nat (Inside,OutboundVerizon) static 65.211.38.243

Now when you do that you will see the object listed twice in your config.

Up in the top part where it will define the host.. and then again near the bottom of the config where it will define its nat properties


So  what we said was we have an object that lives on the inside interface with a real ip address of 10.10.1.16.  When traffic to or from that real ip address of 10.10.1.6 traverses between the inside and OutboundVerizon interface, it will be known as 65.211.38.243 on the OutboundVerizon interface.  That is your static nat for that object.
0
perktechAuthor Commented:
Oh - I see.  So what you are saying is that the (Inside, Outside) portions are reference to the actual interface names.  And since the NAT commands all reference (Inside, Outside) instead of (Inside, Verizon) they don't work -- ah ha!

Let me work on getting that changed and see where it leads!
0
Ken BooneNetwork ConsultantCommented:
exactly!
0
perktechAuthor Commented:
So here's what I did... I am only working on the Finance server at this point, trying to get that working then I figure I'll change the other rules... but this still isn't working...

: Saved
:
ASA Version 8.4(7) 
!
hostname upland
domain-name school.org
enable password b391KcJvI1DSokQY encrypted
passwd b391KcJvI1DSokQY encrypted
multicast-routing
names
name 10.10.1.2 adminserver.school.org
name 64.235.144.0 Barracuda description Anit-Sam
name 204.108.253.7 Tims-Workstation
name 204.108.201.12 FirstClass-Server
name 204.108.201.16 VCUint-00-External
name 10.10.1.67 VCUnit-00-Internal
name 10.10.0.190 PSX
name 204.108.201.19 PSX-Server
name 10.10.1.10 phone_system
name 204.108.201.20 VIP.school.org
name 204.108.201.18 jss.school.org
name 10.10.1.16 jss
dns-guard
!
interface Ethernet0/0
 shutdown
 nameif Outside
 security-level 0
 ip address 204.108.201.5 255.255.255.0 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.1.254 255.255.254.0 
 igmp limit 10
 igmp forward interface Outside
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description Verizon 50 MB Connection
 nameif OutboundVerizon
 security-level 0
 ip address 65.211.38.242 255.255.255.240 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa847-k8.bin
ftp mode passive
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 204.108.237.254
 name-server 204.108.253.95
 domain-name school.org
object network Weather_Bug
 host 10.10.1.3
 description Weather_Bug
object network obj-204.108.201.14
 host 204.108.201.14
object network Technoloogy_Server_Comm
 host 10.10.1.14
 description Technoloogy Server Comm
object network FileMaker_Server
 host 65.211.38.246
object network Techmology_Sever_FileMaker
 host 10.10.1.5
 description Techmology Sever FileMaker
object network Comm_Server
 host 65.211.38.245
object network adminserver.school.org
 host 10.10.1.2
object network Admin_Server
 host 65.211.38.247
object network VCUnit-00-Internal
 host 10.10.1.67
object network VCUint-00-External
 host 204.108.201.16
object network PSX
 host 10.10.0.190
object network PSX-Server
 host 204.108.201.19
object network Mitel_system
 host 10.10.1.10
 description Mitel Phone system
object network VIP.school.org
 host 65.211.38.244
 description MiTel Phone System
object network Finance_Server
 host 10.10.1.16
object network jss.school.org
 host 65.211.38.243
 description Finance, Casper, Help Desk Servers
object network UCSD_Network
 subnet 10.10.0.0 255.255.254.0
 description Inside ip address
object network Outside_Network
 range 204.108.201.40 204.108.201.200
 description Public IP Address
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network Tims-Workstation
 host 204.108.253.7
 description Created during name migration
object network Barracuda
 subnet 64.235.144.0 255.255.240.0
 description Created during name migration
object network Finance_Public
 host 65.211.38.243
 description FInance Server
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group service Tandberg-VC
 description Video Conferencing
 service-object tcp destination range 3230 3243 
 service-object tcp destination eq h323 
 service-object udp destination range 3230 3285 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2195
 port-object eq 3389
 port-object eq 5334
 port-object eq 8443
 port-object eq www
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 4000
 port-object eq 44000
access-list Inside_pnat_outbound extended permit ip 10.10.0.0 255.255.254.0 any 
access-list Outside_access_in extended permit icmp any any unreachable inactive 
access-list Outside_access_in extended permit icmp any any time-exceeded inactive 
access-list Outside_access_in extended permit icmp any 10.10.0.0 255.255.254.0 inactive 
access-list Outside_access_in extended permit tcp any any eq 2187 
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any host 204.108.201.14 
access-list Outside_access_in extended permit ip any object Admin_Server 
access-list Outside_access_in extended permit ip any host 204.108.201.15 
access-list Outside_access_in extended permit ip any host 204.108.201.13 
access-list Outside_access_in extended permit ip any object VCUint-00-External 
access-list Outside_access_in extended deny ip any any 
access-list Outside_access_in extended permit tcp any object PSX-Server eq www 
access-list Outside_access_in extended permit ip object Tims-Workstation any 
access-list Inside_access_in extended permit ip 10.10.0.0 255.255.254.0 any 
access-list Inside_access_in extended deny ip any any 
access-list Outside_access_in_1 extended permit tcp any object Finance_Server object-group DM_INLINE_TCP_1 
access-list Outside_access_in_1 remark Firstclass access via Web from outside of the network
access-list Outside_access_in_1 extended permit ip any object adminserver.school.org 
access-list Outside_access_in_1 extended permit tcp any object PSX eq www 
access-list Outside_access_in_1 extended permit tcp any object Mitel_system object-group DM_INLINE_TCP_2 
access-list OutboundVerizon_access_in extended permit ip any any log disable inactive 
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu OutboundVerizon 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,OutboundVerizon) source static Finance_Server Finance_Public
nat (Inside,Outside) source static Technoloogy_Server_Comm Comm_Server
nat (Inside,Outside) source static Techmology_Sever_FileMaker FileMaker_Server
nat (Inside,Outside) source static adminserver.school.org Admin_Server
nat (Inside,Outside) source static VCUnit-00-Internal VCUint-00-External
nat (Inside,Outside) source static PSX PSX-Server
nat (Inside,Outside) source static Mitel_system VIP.school.org
!
object network UCSD_Network
 nat (Inside,OutboundVerizon) dynamic interface dns
object network obj_any
 nat (Inside,Outside) dynamic obj-0.0.0.0
object network obj_any-01
 nat (management,Outside) dynamic obj-0.0.0.0
access-group Outside_access_in_1 in interface Outside
access-group Inside_access_in in interface Inside
access-group OutboundVerizon_access_in in interface OutboundVerizon
route OutboundVerizon 0.0.0.0 0.0.0.0 65.211.38.241 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http Tims-Workstation 255.255.255.255 Outside
http 10.10.0.0 255.255.254.0 Inside
http 204.108.253.0 255.255.255.0 Outside
http 204.108.253.0 255.255.255.0 management
http 108.36.158.34 255.255.255.255 Outside
snmp-server host Outside 204.108.253.41 community ***** version 2c
snmp-server host Outside 204.108.238.252 community *****
snmp-server location 
snmp-server contact Tim Currie
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
telnet timeout 5
ssh 204.108.253.0 255.255.255.0 Outside
ssh 10.10.0.0 255.255.254.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Outside
dhcpd lease 36000
dhcpd option 3 ip 10.10.1.254
!
dhcpd address 10.10.0.50-10.10.1.49 Inside
dhcpd dns 204.108.253.95 204.108.237.254 interface Inside
dhcpd lease 14400 interface Inside
dhcpd ping_timeout 20 interface Inside
dhcpd domain school.org interface Inside
dhcpd option 3 ip 10.10.1.254 interface Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username dtcurrie password o7jxD10QzSP7dU/P encrypted
username dtcurrie attributes
 service-type remote-access
username bsarte password oqNIoVNyJi.X8LZA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:de9dc0ed30097839666cd006c732af1b
: end
asdm image disk0:/asdm-731-101.bin
asdm location Barracuda 255.255.240.0 Inside
no asdm history enable


0
Ken BooneNetwork ConsultantCommented:
Ok do this:

no nat (Inside,OutboundVerizon) source static Finance_Server Finance_Public

object network Finance_Server
   nat (Inside,OutboundVerizon) static 65.211.38.243

then issue this command
clear xlate

Then see what happens.
0

perktechAuthor Commented:
I issued the commands and checked the running config, the entry is there as you suggested but still no luck.

Shouldn't I be able to see traffic hitting the firewall and being denied in the logs?  I don't see anything hitting that IP.
0
Ken BooneNetwork ConsultantCommented:
Check your ACL:

access-list OutboundVerizon_access_in extended permit ip any any log disable inactive

The last config you shared shows that it was inactive.. That needs to be there.

From the ASA make sure you can ping the inside ip address of the device.

Also make sure you do the clear xlate command any time you change NAT statements.
0
perktechAuthor Commented:
Woo hoo!  Success!  Thank you @Ken Boone!
0
perktechAuthor Commented:
Thank you for working through this with me Ken!
0
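A small offline check for the two faults found in this thread, as an added example that is not part of the original posts: NAT rules bound to a shut-down interface, and an interface whose bound ACL has no active permit entry. It also flags an active `permit ip any any`, the rule the working fix relies on, since combined with static NAT it leaves each mapped host reachable on every port. The config excerpt is constructed from the posted configuration; the `parse` and `audit` functions and the finding labels are assumptions of this example.

```python
import re

# Constructed excerpt modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 shutdown
 nameif Outside
 security-level 0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
!
interface Ethernet0/3
 nameif OutboundVerizon
 security-level 0
!
access-list Outside_access_in_1 extended permit tcp any object Finance_Server eq www
access-list OutboundVerizon_access_in extended permit ip any any log disable inactive
nat (Inside,Outside) source static Finance_Server jss.uplandcds.org
object network UCSD_Network
 nat (Inside,OutboundVerizon) dynamic interface dns
access-group Outside_access_in_1 in interface Outside
access-group OutboundVerizon_access_in in interface OutboundVerizon
"""


def parse(config):
    """Collect interface state, NAT rules, ACL entries and access-group bindings."""
    ifaces, nats, acls, groups = [], [], {}, {}
    cur = None  # interface block currently being read, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level line ends the interface block
            cur = None
        if line.startswith("interface "):
            cur = {"nameif": None, "shutdown": False}
            ifaces.append(cur)
        elif cur is not None and line == "shutdown":
            cur["shutdown"] = True
        elif cur is not None and line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif m := re.match(r"nat \(([^,\s]+),([^)\s]+)\)", line):
            nats.append((line, m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups[m.group(2)] = m.group(1)
    down = {i["nameif"]: i["shutdown"] for i in ifaces if i["nameif"]}
    return down, nats, acls, groups


def audit(config):
    """Return (finding, interface, detail) tuples for the faults described above."""
    down, nats, acls, groups = parse(config)
    findings = []
    for line, real_if, mapped_if in nats:
        for name in (real_if, mapped_if):
            if name == "any":
                continue
            if name not in down:
                findings.append(("nat-unknown-interface", name, line))
            elif down[name]:
                findings.append(("nat-on-shutdown-interface", name, line))
    for nameif, is_down in down.items():
        acl = groups.get(nameif)
        if is_down or acl is None:
            continue
        # Entries ending in "inactive" are kept in the config but not enforced.
        active = [e for e in acls.get(acl, []) if e[-1] != "inactive"]
        if not any(e[0] == "permit" for e in active):
            findings.append(("acl-no-active-permit", nameif, acl))
        if any(e[:4] == ["permit", "ip", "any", "any"] for e in active):
            findings.append(("acl-permit-ip-any-any", nameif, acl))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved copy of the running config before and after a provider change; a narrower inbound ACL that permits only the published ports per server clears the last finding.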

Question has a verified solution.
