ASA 5525X - Multiple outside addresses PAT to one inside address

Hi
I am trying to get two external addresses to PAT to different ports on the same address in the dmz.
Object NAT is configured as follows:
object network Obj-192.168.1.20-1
nat (dmz,outside) static Obj-External-1 service tcp https https
object network Obj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Obj-192.168.1.20-1 and Obj-192.168.1.20-2 contain the same host address.
The idea being that traffic destined for Obj-External-1 on port 443 will be forwarded to Obj-192.168.1.20-1 on port 443. Traffic for Obj-External-2 on port 443 will be forwarded to Obj-192.168.1.20-2 on port 2000.
Traffic for the first object, Obj-192.168.1.20-1, works but traffic for the second does not.
Can anyone help?
Thanks
Paul

Thanks Jouni
Output below:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Obj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Additional Information:
NAT divert to egress interface dmz
Untranslate 194.168.208.72/443 to 192.168.1.20/2000
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Obj-192.168.1.20-1 eq 2000
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-skinny
Result: ALLOW
Config:      
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect skinny 
service-policy global_policy global
Additional Information:
Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT    
Subtype: rpf-check
Result: ALLOW
Config:
object network Obj-192.168.1.20-2
nat (dmz,outside) static Obj-External-2 service tcp 2000 https
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7479639, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
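The packet-tracer output above already shows the two phases that matter for this kind of port-forward: UN-NAT rewrites 194.168.208.72/443 to 192.168.1.20/2000, and the outside ACL is then evaluated against that real address and real port (the `eq 2000` ACE), giving an overall "allow". The following script is an added example, not code from the post or from Cisco: it parses object NAT and ACL lines in the same shape as the post, reproduces those two phases for an arbitrary inbound packet, and shows the drop you get from the common 8.3+ mistake of writing the ACE against the mapped port instead of the real one. The address 194.168.208.72 is taken from the trace; 194.168.208.71 for Obj-External-1 is an assumption, and the whole config text is constructed.

```python
"""Added example (not from the original post): simulate the UN-NAT and
ACCESS-LIST phases packet-tracer prints for static object NAT with port
translation, then check the interface ACL against the real (untranslated)
address and port, which is what ASA 8.3+ evaluates."""
import re
from dataclasses import dataclass
from typing import Optional

# Service names ASA accepts in place of numbers (subset, extend as needed).
SERVICE_PORTS = {"http": 80, "www": 80, "https": 443, "ssh": 22, "domain": 53}


def to_port(token: str) -> int:
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


@dataclass(frozen=True)
class StaticNat:
    real_if: str
    mapped_if: str
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int
    config_line: str  # echoed like packet-tracer's "Config:" section


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    dst_ip: str
    dst_port: int


NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+) service tcp (\S+) (\S+)")
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) tcp any object (\S+) eq (\S+)")


def parse_config(config: str):
    """Pass 1 collects 'object network ... host' addresses; pass 2 resolves the
    nat and access-list lines that reference those objects by name."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    hosts, current = {}, None
    for line in lines:
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("host ") and current:
            hosts[current] = line.split()[1]
    nats, aces, current = [], [], None
    for line in lines:
        if line.startswith("object network "):
            current = line.split()[2]
        elif (m := NAT_RE.fullmatch(line)) and current:
            real_if, mapped_if, mapped_obj, real_p, mapped_p = m.groups()
            nats.append(StaticNat(real_if, mapped_if, hosts[current], to_port(real_p),
                                  hosts[mapped_obj], to_port(mapped_p), line))
        elif m := ACE_RE.fullmatch(line):
            acl, action, obj, p = m.groups()
            aces.append(Ace(acl, action, hosts[obj], to_port(p)))
    return nats, aces


def untranslate(nats, ingress_if: str, dst_ip: str, dst_port: int) -> Optional[StaticNat]:
    """UN-NAT phase: a packet arriving on the mapped interface for mapped_ip:mapped_port
    is diverted to real_if and rewritten to real_ip:real_port (first match wins)."""
    for n in nats:
        if (n.mapped_if, n.mapped_ip, n.mapped_port) == (ingress_if, dst_ip, dst_port):
            return n
    return None


def acl_permits(aces, acl_name: str, real_ip: str, real_port: int) -> bool:
    """ACCESS-LIST phase: on 8.3+ the inbound ACL is matched against the real
    destination produced by UN-NAT, not the mapped one. Implicit deny at the end."""
    for a in aces:
        if (a.acl, a.dst_ip, a.dst_port) == (acl_name, real_ip, real_port):
            return a.action == "permit"
    return False


def trace(config: str, ingress_if: str, acl_name: str, dst_ip: str, dst_port: int) -> dict:
    """Mini packet-tracer: UN-NAT, then ACL, for one inbound TCP destination."""
    nats, aces = parse_config(config)
    n = untranslate(nats, ingress_if, dst_ip, dst_port)
    if n is None:
        return {"untranslate": None, "egress": None, "action": "drop"}
    ok = acl_permits(aces, acl_name, n.real_ip, n.real_port)
    return {"untranslate": f"Untranslate {dst_ip}/{dst_port} to {n.real_ip}/{n.real_port}",
            "egress": n.real_if, "action": "allow" if ok else "drop"}


# Constructed config in the shape of the post. 194.168.208.72 is the address
# packet-tracer printed for Obj-External-2; Obj-External-1's address is assumed.
CONFIG = """
object network Obj-External-1
 host 194.168.208.71
object network Obj-External-2
 host 194.168.208.72
object network Obj-192.168.1.20-1
 host 192.168.1.20
 nat (dmz,outside) static Obj-External-1 service tcp https https
object network Obj-192.168.1.20-2
 host 192.168.1.20
 nat (dmz,outside) static Obj-External-2 service tcp 2000 https
access-list outside_access_in extended permit tcp any object Obj-192.168.1.20-1 eq https
access-list outside_access_in extended permit tcp any object Obj-192.168.1.20-1 eq 2000
access-group outside_access_in in interface outside
"""

# Common 8.3+ mistake: the ACE for the second rule written against the mapped
# port (443) instead of the real port (2000). UN-NAT still succeeds, the ACL drops.
MAPPED_PORT_ACL = CONFIG.replace("eq 2000", "eq https")

if __name__ == "__main__":
    for cfg in (CONFIG, MAPPED_PORT_ACL):
        for dst in ("194.168.208.71", "194.168.208.72"):
            print(dst, trace(cfg, "outside", "outside_access_in", dst, 443))
```

With the posted ACE (`eq 2000` against the real host) the second rule traces to "allow", exactly as the packet-tracer output above reports, so the NAT and ACL logic is not where the second forward fails; with the ACE rewritten for the mapped port it drops at the ACCESS-LIST phase, which is the symptom to look for when a port-translated rule works in the NAT phase but never reaches the host.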

Similar Messages

  • ASA 5525X - Multiple Outside Interface

    Hello,
    Question:
    I have a pair of ASA 5525X for VPN traffic; the interfaces are:
    - Inside
    - DMZ
    - Outside - ISP1 - IP 1.1.1.1
    Can I have two "outside" interfaces, i.e. multiple ISPs, for VPN traffic (site-to-site)?
    - Inside
    - DMZ
    - Outside - ISP1 - IP 1.1.1.1
    - Outside2 - ISP2 - IP 2.2.2.2
    I need this because I have problems with only one ISP, so I need to install one more and on the remote peer add a second peer IP (for ISP2), so that if the remote peer cannot establish the connection over ISP1 it goes to ISP2. Is that possible?
    Tks.
    Rafael

    Yes Rafael, it is possible.
    You need to configure SLA monitoring on the ASA for the ISP failover.
    And for the VPN, add the second ISP IP as a backup peer on the remote device.
    On your ASA where you have dual ISPs, the same crypto map will be applied on both interfaces.
    In case you need any assistance regarding the configuration, let me know.
    Configuration should look something like this:
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 10.200.159.2 255.255.255.248
    interface Ethernet2
    nameif inside
    security-level 100
    ip address 172.22.1.163 255.255.255.0
    interface Ethernet1
    nameif backup
    security-level 0
    ip address 10.250.250.2 255.255.255.248
    access-list outside_crypto_1 permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)
    access-list nonat permit ip 172.22.1.0 255.255.255.0 (your internal private ip) x.x.x.x x.x.x.x (remote site internal ip you want to access)
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    crypto map outside_map 20 match address outside_crypto_1
    crypto map outside_map 20 set peer x.x.x.x (Public ip of the remote site)
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto map outside_map interface backup
    crypto isakmp enable backup
    crypto isakmp enable outside
    global (outside) 1 interface
    global (backup) 1 interface
    nat (inside) 1 172.22.1.0 255.255.255.0
    nat (inside) 0 access-list nonat
    tunnel-group x.x.x.x (public ip of the remote site) type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key cisco123
    route outside 0.0.0.0 0.0.0.0 10.200.159.1 1 track 1
    route backup 0.0.0.0 0.0.0.0 10.250.250.1 254
    sla monitor 123
    type echo protocol ipIcmpEcho 10.0.0.1 interface outside
    num-packets 3
    frequency 10
    sla monitor schedule 123 life forever start-time now
    track 1 rtr 123 reachability
    Important Information:
    ===============================================
    ** With the use of track, the ASA will keep monitoring the MPLS interface (outside in this example) with the help of ICMP packets. The moment it stops getting replies it will flush the primary route and start pointing the routes toward the backup interface.
    ** The crypto map will be applied on the backup interface, and the remote site should use the public IP of the backup interface as the VPN peer.
    ** As soon as the ASA starts getting replies from the outside interface, it will again start pointing the routes towards the MPLS interface.
    ** I hope this will answer your query.
    Thanks
    Jeet

  • How to configure multiple IP addresses on one NIC?

    Hi,
    I just installed a OVM Server in version 3.2.1 and the according VMManager. Now i wanted to try to configure the Server/Server Pool. Now i come across a problem, which was already a big problem in OVM 2 while configuring the Networks.
    All our OVM Servers have three NICs in them. One is for VMs and Management, the others are for connection to our SAN (Dell PowerVault MD 3220i). My problem is, that due to the network setup, the two NICs for storage need two IP addresses in two different networks each. This shouldn't be a problem, because usually in linux all you have to do is configure something like eth1:1. I remember having huge trouble configuring it in our OVM 2 cluster up to the point where I had to write a shell script to configure the second IP.
    Anyways, I have configured two of the storage networks on eth1 and eth2 of the VM Server. Now i cannot configure any more IP addresses, because eth1 and eth2 are not available anymore for configuration in a third network. I really hoped that it would be possible in OVM 3 to configure multiple IP addresses. And probably it is only my lack of knowledge of how to configure it.
    So any advice is well appreciated.
    Thanks!
    Regards,
    Marek Hubatka

    You should be able to do this by using "VLAN Groups".
    http://docs.oracle.com/cd/E35328_01/E35332/E35332.pdf
    Check out the VLAN groups section. You must create the VLAN groups before you can assign them to interfaces.

  • Multiple email address with one server account

    Why can't Mail have multiple email addresses on one email account? Like Thunderbird calls them Identities. As I remember, Outlook also supports this. I like Mail but it seems rather dated and clunky in this respect.
    I am using mainly IMAP so maybe I should switch to Thunderbird but I do still have some old messages in pop accounts in Mail.

    You can have multiple accounts, but only one "identity." Configure new mail accounts for all the different email addresses you may have. They can each have different configurations, different servers, etc. as well as be individually made active or inactive. All incoming mail will funnel into a single Inbox, but you can use rules to transfer incoming mail to separate mailboxes based on the account.
    What you cannot have are distinct "personalities."
    Bear in mind that Mail is intended for a single user and the vast number of single users only have one email account. I actually have four different email addresses but three of them are set to forward mail to the account I use with Mail. Mail works quite well with IMAP, POP, and Outlook mail accounts.

  • How do I add multiple email addresses i have received (900) to my address book instead of doing it one by one?

    how do I add multiple email addresses i have received (+ -900) to my address book instead of having to do it one by one?

    Grab them all and drag them to the Address Book.
    Roger

  • How do I copy multiple email addresses from one email sent TO me into a new message?

    How do I copy multiple email addresses from an email sent to me into a new message?

    Are they in the body of the mail?
    Hold your finger down in that mail until the little blue bubble pops up. One of the options should be to select all. Choose that and all will be highlighted. Then a pop-up comes up to copy; choose that, open your destination and hold your finger down to get the paste dialogue.

  • I am sending emails to a Smart Group created in my address book.   The contact in my address book has multiple email addresses.  Is there a way for the email to go to both addresses?  (ex:  work and home email address under one contact)

    In my address book, I have contacts that have multiple email addresses.  (ex:  home and work)   I have created a smart group off of the company name in the contact.  When I send emails, I want it to go to both email address listed in the contact.  Is there a way to make this happen?  Or do I have to have a separate contact for each email address?    

    I will agree with you on this one. Version 31 and all the fixes so far are a mess. Since I have been here answering questions for a little more than a year now I have learned to wait to upgrade until all the dust settles. I see no end to the dust storm version 31 has caused. I am still on version 24.6 and plan on staying there for the duration. At least until the developers comes to their senses and put out a working product.

  • Pick one of the multiple email address of a contact!

    Hi,
    In the current app that I am working on, the user is presented with the address book. Let's say the contact that is selected has multiple email addresses - Home, Work1, Work2 (in this order).
    How can the app know which one the user picks? Let's say the user wants to select the Work2 address.
    The code below has a for-loop that cycles thru all the values. I want to compare the value of mobileLabel to the value that the user selected in the AddressBook picker - how is that passed on to the app?
    ABMultiValueRef emailProperty = ABRecordCopyValue(person, kABPersonEmailProperty);
    NSString *email = @"";
    NSString *mobileLabel = nil;
    for (CFIndex i = 0; i < ABMultiValueGetCount(emailProperty); i++) {
        mobileLabel = (NSString *)ABMultiValueCopyLabelAtIndex(emailProperty, i);
        NSLog(@"mobileLabel = <%@>", mobileLabel);
        // if ([mobileLabel isEqualToString:@"_$!<Mobile>!$_"])
        // if ([mobileLabel isEqualToString:@"_$!<Home>!$_"])
        email = (NSString *)ABMultiValueCopyValueAtIndex(emailProperty, i);
        NSLog(@"email: <%@>", email);
        self.emailFromPicker = email;   // assumes a retain/copy property
        [mobileLabel release];          // Copy* functions return +1 references
        [email release];                // must come before the break, or it never runs
        break;
    }
    CFRelease(emailProperty);           // ABRecordCopyValue also follows the Copy rule

    It's given to you in the delegate method.
    - (BOOL)personViewController:(ABPersonViewController *)personViewController shouldPerformDefaultActionForPerson:(ABRecordRef)person property:(ABPropertyID)property identifier:(ABMultiValueIdentifier)identifierForValue
    Parameters
    personViewController
    The sender.
    person
    The person personViewController is displaying.
    property
    The property whose value the user selected.
    identifierForValue
    When property is a multivalue property, the value the user selected.
    See the +ABPersonViewControllerDelegate Protocol Reference+.

  • How do I send to contacts multiple email addresses at one time?

    I have several contacts who ask that emails be sent to multiple emails address at the same time.  How do I do that without creating additional cards for each email address?

    Are you entering the addressees into Mail individually or are they included as part of an Address Book group? If you are using a group, I believe you will need to have multiple cards per individual.
    If you are typing the addressees into Mail's "To:" and "Cc:" boxes, you can select among multiple addresses on one contact card just as you would select among multiple people with the same first name; just repeat for each address.

  • Setting up one contact with multiple email addresses-i.e Family & Friends

    Would like to setup one contact " Family & Friends " and show multiple email addresses - such as 20 or 30 addresses - can this be done >??

    The iPad Contacts app does not handle groups. However, there are apps such as Mail2Group. They have both a free (lite) and a more fully featured version.

  • Submit button with multiple email addresses doesn't work while the same form with one email address does.  The multi email version works on windows computer.

    The email comes up when I press the "Submit" button but the email to field is blank.

    Hi,
    What is the separator character between two email addresses?  Is it a comma (,) semicolon(;) or something else?
    According to the mailto URI scheme (RFC 6068), you need to use a comma (,) to separate multiple email addresses.
    You can see the third example in the following Wikipedia page.
    mailto - Wikipedia, the free encyclopedia
    Would you double check the mailto value in your PDF form?

  • Adding Multiple Email Addresses in one field

    Dear Staff,
    My staff submit progress reports that include two separate fields:
    Their own email address is requested so the staff member could receive a receipt of their progress report
    The email address of the recipient of the progress report is requested as well. We would like to include multiple email addresses in that field because often multiple individuals need to receive the progress report.
    Is there a work-around to including multiple email addresses or is this something you must accomplish on the development side?

    That is unfortunate but I hope this request catalyzes a remedy for this issue in the future.  Thank you for your swift reply, Randy... well-appreciated.  Happy New Year!

  • Cisco asa 5505 issues ( ROUTING AND PAT)

    I have some issues with my cisco asa 5505 config. Please see details below:
    NETWORK SETUP:
    gateway( 192.168.223.191)   - cisco asa 5505 ( outside - 192.168.223.200 , inside - 192.168.2.253, DMZ - 172.16.3.253 )  -
    ISSUES:
    1)
    no route from DMZ to outside
    example:
    ping from 172.16.3.201 to the gateway
    6          Jan 27 2014          11:15:33                    172.16.3.201          39728                              Failed to locate egress interface for ICMP from outside:172.16.3.201/39728 to 172.16.3.253/0
    2)
    access from external to DMZ is not working AT ALL
    ASA DETAILS:
    cisco asa5505
    Device license          Base
    Maximum Physical Interfaces          8          perpetual
    VLANs          3      DMZ Restricted
    Inside Hosts          Unlimited          perpetual
    configuration:
    firewall200(config)# show run
    : Saved
    ASA Version 9.1(3)
    hostname firewall200
    domain-name test1.com
    enable password xxxxxxxxxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd XXXXXXXXXXX encrypted
    names
    interface Ethernet0/0
    switchport access vlan 100
    interface Ethernet0/1
    switchport access vlan 200
    interface Ethernet0/2
    switchport access vlan 200
    interface Ethernet0/3
    switchport access vlan 200
    interface Ethernet0/4
    switchport access vlan 300
    interface Ethernet0/5
    switchport access vlan 300
    interface Ethernet0/6
    switchport access vlan 300
    interface Ethernet0/7
    switchport access vlan 300
    interface Vlan100
    nameif outside
    security-level 0
    ip address 192.168.223.200 255.255.255.0
    interface Vlan200
    mac-address 001b.539c.597e
    nameif inside
    security-level 100
    ip address 172.16.2.253 255.255.255.0
    interface Vlan300
    no forward interface Vlan200
    nameif DMZ
    security-level 50
    ip address 172.16.3.253 255.255.255.0
    boot system disk0:/asa913-k8.bin
    boot config disk0:/startup-config.cfg
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name test1.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network office1-int
    host 172.16.2.1
    object network firewall-dmz-gateway
    host 172.16.3.253
    object network firewall-internal-gateway
    host 172.16.2.253
    object network com1
    host 192.168.223.227
    object network web2-ext
    host 192.168.223.201
    object network web2-int
    host 172.16.3.201
    object network gateway
    host 192.168.223.191
    object network office1-int
    host 172.16.2.1
    object-group network DMZ_SUBNET
    network-object 172.16.3.0 255.255.255.0
    object-group service www tcp
    port-object eq www
    port-object eq https
    access-list DMZ_access_in extended permit icmp any any
    access-list DMZ_access_in extended permit ip any any
    access-list outside_access_in extended permit tcp any object web2-ext eq www
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500 
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp DMZ 172.16.4.199 001b.539c.597e alias
    arp DMZ 172.16.3.199 001b.539c.597e alias
    arp timeout 14400
    no arp permit-nonconnected
    object network web2-int
    nat (DMZ,outside) static web2-ext service tcp www www
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    route inside 172.168.2.0 255.255.255.0 192.168.223.191 1
    route inside 172.168.3.0 255.255.255.0 192.168.223.191 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.223.227 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.223.227 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 172.16.2.10-172.16.2.10 inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 176.58.109.199 source outside prefer
    ntp server 81.150.197.169 source outside
    ntp server 82.113.154.206
    username xxxx password xxxxxxxxx encrypted
    class-map DMZ-class
    match any
    policy-map global_policy
    policy-map DMZ-policy
    class DMZ-class
      inspect icmp
    service-policy DMZ-policy interface DMZ
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:9c73fa27927822d24c75c49f09c67c24
    : end

    Thank you one more time for everything. It is working indeed.
    The reason why I sometimes had some 'weird' results was because I had all devices connected to the same switch. Separating all networks onto different switches helped. Anyway, if you could take a look one last time at my configuration and let me know if it's good enough to deploy live (only www for all, ssh restricted from outside, LAN to DMZ). Thanks one more time.
    show run
    : Saved
    ASA Version 9.1(3)
    hostname firewall200
    domain-name test1.com
    enable password xxxxxxxxxx encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd xxxxxxxxxxxx encrypted
    names
    interface Ethernet0/0
    switchport access vlan 100
    interface Ethernet0/1
    switchport access vlan 200
    interface Ethernet0/2
    switchport access vlan 200
    interface Ethernet0/3
    switchport access vlan 200
    interface Ethernet0/4
    switchport access vlan 300
    interface Ethernet0/5
    switchport access vlan 300
    interface Ethernet0/6
    switchport access vlan 300
    interface Ethernet0/7
    switchport access vlan 300
    interface Vlan100
    nameif outside
    security-level 0
    ip address 192.168.223.200 255.255.255.0
    interface Vlan200
    mac-address 001b.539c.597e
    nameif inside
    security-level 100
    ip address 172.16.2.253 255.255.255.0
    interface Vlan300
    no forward interface Vlan200
    nameif DMZ
    security-level 50
    ip address 172.16.3.253 255.255.255.0
    boot system disk0:/asa913-k8.bin
    boot config disk0:/startup-config.cfg
    ftp mode passive
    clock timezone GMT/BST 0
    clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup inside
    dns domain-lookup DMZ
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    domain-name test1.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network firewall-dmz-gateway
    host 172.16.3.253
    object network firewall-internal-gateway
    host 172.16.2.253
    object network com1
    host 192.168.223.227
    object network web2-ext
    host 192.168.223.201
    object network web2-int
    host 172.16.3.201
    object network gateway
    host 192.168.223.191
    object network office1-int
    host 172.16.2.1
    object-group network DMZ_SUBNET
    network-object 172.16.3.0 255.255.255.0
    object-group service www tcp
    port-object eq www
    port-object eq https
    access-list DMZ_access_in extended permit icmp any any
    access-list DMZ_access_in extended permit ip any any
    access-list DMZ_access_in extended permit tcp 172.16.3.0 255.255.255.0 interface outside eq ssh
    access-list outside_access_in extended permit tcp any object web2-int eq www
    access-list outside_access_in extended permit tcp any object web2-int eq ssh
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any DMZ
    asdm image disk0:/asdm-714.bin
    no asdm history enable
    arp DMZ 172.16.4.199 001b.539c.597e alias
    arp DMZ 172.16.3.199 001b.539c.597e alias
    arp timeout 14400
    no arp permit-nonconnected
    object network web2-int
    nat (DMZ,outside) static web2-ext net-to-net
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 192.168.223.191 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.223.227 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 outside
    http 172.163.2.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 192.168.223.227 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 outside
    ssh 172.16.3.253 255.255.255.255 outside
    ssh 172.163.2.5 255.255.255.255 inside
    ssh timeout 60
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 176.58.109.199 source outside prefer
    ntp server 81.150.197.169 source outside
    ntp server 82.113.154.206
    username xxxxx password xxxxxxxxx encrypted
    class-map DMZ-class
    match any
    policy-map global_policy
    policy-map DMZ-policy
    class DMZ-class
      inspect icmp
    service-policy DMZ-policy interface DMZ
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f264c94bb8c0dd206385a6b72afe9e5b
    : end
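    Several of the configurations quoted on this page carry settings a reviewer would flag before a "good enough to deploy live" sign-off: the dual-ISP VPN example above uses 3DES, MD5 and DH group 2 with the pre-shared key cisco123, and the firewall200 configs restrict SSH key exchange to dh-group1-sha1, allow http/ssh management from the outside interface, and permit ip any any from the DMZ. The script below is an added example, not code from any of the posts or from Cisco: it scans a show run extract for those patterns and reports each offending line. The SAMPLE text is constructed from lines of the quoted configs (the tunnel-group peer address is a placeholder), and the check list is deliberately small so it can be read in one pass.

```python
"""Added example (not from the original posts): scan an ASA 'show run'
extract for the weak crypto and exposed-management settings that appear in
the configurations quoted on this page."""
import re

# (finding, regex). Each regex is fullmatch-ed against a stripped config line.
CHECKS = [
    ("IKE policy encryption is 3DES", r"isakmp policy \d+ encryption 3des"),
    ("IKE policy hash is MD5", r"isakmp policy \d+ hash md5"),
    ("IKE policy DH group is 1 or 2", r"isakmp policy \d+ group [12]"),
    ("IPsec transform set uses 3DES or HMAC-MD5",
     r"crypto ipsec transform-set \S+ .*(?:esp-3des|esp-md5-hmac).*"),
    ("IKE pre-shared key is a well-known default", r"pre-shared-key cisco123"),
    ("SSH key exchange restricted to dh-group1-sha1", r"ssh key-exchange group dh-group1-sha1"),
    ("SSL/ASDM cipher restricted to rc4-sha1", r"ssl encryption rc4-sha1"),
    ("Management plane (http/ssh) reachable from the outside interface",
     r"(?:http|ssh) \S+ \S+ outside"),
    ("Interface ACL permits ip any any", r"access-list \S+ extended permit ip any any"),
]
COMPILED = [(msg, re.compile(pat)) for msg, pat in CHECKS]


def audit(config: str) -> list[tuple[str, str]]:
    """Return (finding, offending line) pairs in config order."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        for msg, rx in COMPILED:
            if rx.fullmatch(line):
                findings.append((msg, line))
    return findings


def summary(config: str) -> dict[str, int]:
    """Finding -> number of config lines that triggered it."""
    counts: dict[str, int] = {}
    for msg, _ in audit(config):
        counts[msg] = counts.get(msg, 0) + 1
    return counts


# Constructed from lines of the configs quoted on this page; 203.0.113.10 is a
# documentation-range placeholder for the remote VPN peer.
SAMPLE = """
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key cisco123
access-list DMZ_access_in extended permit ip any any
http server enable
http 192.168.223.227 255.255.255.255 outside
ssh 192.168.223.227 255.255.255.255 outside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
ssl encryption rc4-sha1
"""

if __name__ == "__main__":
    for msg, line in audit(SAMPLE):
        print(f"{msg}: {line}")
    print(summary(SAMPLE))
```

    Run against the SAMPLE it reports ten findings, two of them for management access from outside. Treat the output as a to-do list rather than a verdict: move IKE to AES with SHA-2 and DH group 14 or higher, replace the default pre-shared key, set `ssh key-exchange group dh-group14-sha1`, limit `http` and `ssh` statements to inside or a dedicated management network, and replace the DMZ `permit ip any any` with explicit rules so a compromised DMZ host cannot initiate connections to the inside network.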

  • Multiple Public IP's on one physical interface for devices behind Router.

    Hi guys, I am trying to find information on applying multiple IP addresses to a router
    basically one for the Router itself and then some for the devices behind the router, Which i am sure I need to apply some 1 to 1 NATs. I just do not know if i need to specify all the IP addresses on the main interface.
    Example being I have a router with WAN ip of xxx.xxx.xxx.xxx/25 , it only has 2 interface one for WAN one for LAN, i have a server I would like assigned its own public IP address.  but still on the same LAN network.
    Could someone help me out and point me in the right direction with a sample config

    I agree with the previous response that you need a static NAT to allow outside resources to initiate traffic to your server. You also will need NAT or PAT using the router interface address to allow the other hosts in your network to access outside.
    You do not need to configure any other of the addresses on the router interface other than the primary IP that you assign to the router interface. As long as the other addresses are used for NAT/PAT they are configured in the nat statements and not on the physical interface.
    HTH
    Rick

  • Can't get Internet working on ASA 5525X

    Hello
    i have a ASA 5525x
    I'm in the testing process and can't get internet routing working.
    I'm routing between 2 private IPs because the outside interface is connected to the lab switch.
    I'm able to ping anything from ASDM; I also tried packet tracer using the IP assigned to the end user and it works from the ASA but not on the Win7 machine.
    After enabling logging on the ASA I saw the ASA tear down the ICMP connection (when trying to ping 8.8.8.8).
    any ideas why  ?
    ASA Version 9.0(2)
    hostname MIKUNI-LA-ASA1
    enable password nsi9HaIu8epX9MzI encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 172.30.200.100 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/6
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/7
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    banner motd
    banner motd !!!!!!!!!!!!!!!DO NOT LOGON!!!!!!!!!!!!!!!
    boot system disk0:/asa902-smp-k8.bin
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 8.8.8.8
    same-security-traffic permit intra-interface
    object network internet
    host 172.30.200.100
    pager lines 24
    logging enable
    logging trap errors
    logging asdm informational
    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712-102.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,inside) source dynamic any interface dns
    route outside 0.0.0.0 0.0.0.0 172.30.200.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    sysopt noproxyarp inside
    sysopt noproxyarp outside
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1
    username admin password y9JC1OmYlTqCYCh5 encrypted privilege 15
    username neocomp password zEZJ79.tgPiYxCsz encrypted privilege 15
    class-map inside-class
    match default-inspection-traffic
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    policy-map inside-policy
    class inside-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect http
      inspect icmp
      inspect ip-options
      inspect ipsec-pass-thru
    service-policy global_policy global
    service-policy inside-policy interface inside
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e8f3db05e9bce814811bac225d27ded8
    : end

    Didn't work.
    I tried a clean configuration but it's still the same thing; can't get to the internet through the firewall.
    From the ASA I can ping everything, but from the end-user side it shows DNS is not responding and I cannot ping the outside interface on the ASA.
    ASA Version 9.0(2)
    hostname MIKUNI-LA-ASA2
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface GigabitEthernet0/0
    nameif OUTSIDE
    security-level 0
    ip address dhcp setroute
    interface GigabitEthernet0/1
    nameif INSIDE
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/6
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/7
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    management-only
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    banner motd !!!!!!!!!!!!!!!DO NOT LOGON!!!!!!!!!!!!!!!
    boot system disk0:/asa902-smp-k8.bin
    ftp mode passive
    dns domain-lookup OUTSIDE
    dns domain-lookup INSIDE
    dns server-group DefaultDNS
    name-server 8.8.8.8
    object network Internet
    subnet 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging console warnings
    logging asdm informational
    mtu management 1500
    mtu OUTSIDE 1500
    mtu INSIDE 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712-102.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network Internet
    nat (any,OUTSIDE) dynamic interface dns
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface OUTSIDE
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1
    username admin password y9JC1OmYlTqCYCh5 encrypted privilege 15
    username neocomp password zEZJ79.tgPiYxCsz encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:8659ad01179820e90e68d3725961dc2c
