Question : setup NAT on Cisco ASA

I have two internet connections on my Cisco ASA, int eth 0/0 and int eth 0/3.
The IP on int eth 0/0, 139.130.1.206, is pingable, and this IP is NATted to our server 192.168.80.7; we can RDP to this server from the internet.

We need to terminate RDP/NAT access to the int eth 0/3 link, which is a PPPoE link. I added a new firewall and static NAT rule, but we cannot ping the PPPoE IP address or RDP to our server from this IP address (202.7.215.118).

Can someone advise what command I missed:
aurecsyd/surec.com.au# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname aurecsyd
domain-name surec.com.au
enable password szSEFtlV2mjLR77c encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.80.10 SBS_Server
name 192.168.80.7 Terminal_Server
name 192.168.12.0 AurecCanberra
name 192.168.13.0 AurecSingapore
name 192.168.14.0 AurecMelbourne
name 192.168.15.0 AurecHongKong
name 202.7.215.0 tpg
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 139.130.1.206 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.80.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif outside_2
 security-level 0
 no ip address
!
interface Ethernet0/3
 nameif outside_3
 security-level 0
 pppoe client vpdn group TPG
 ip address pppoe
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.10 255.255.255.128
 management-only
!
regex domainlist1 "\.worldofwarcraft\.com"
regex domianlist2 "\.wow\.com"
regex domainlist3 "\.facebook\.com"
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name surec.com.au
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 4125
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq 993
object-group network DM_INLINE_NETWORK_1
 network-object AurecCanberra 255.255.255.0
 network-object AurecSingapore 255.255.255.0
 network-object AurecMelbourne 255.255.255.0
 network-object AurecHongKong 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service HTTP
 service-object tcp eq www
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 3389
 port-object eq 4125
 port-object eq 993
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list inside_access_in extended permit object-group TCPUDP host SBS_Server any eq domain log disable
access-list inside_access_in extended deny tcp any any eq domain log disable
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp host SBS_Server any eq smtp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1 log disable
access-list inside_access_in extended permit gre any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_in extended permit ip any 139.130.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 139.130.1.206 object-group DM_INLINE_TCP_1 log disable
access-list outside_access_in extended permit tcp any any eq 444
access-list outside_1_cryptomap extended permit ip 192.168.80.0 255.255.255.0 AurecCanberra 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 AurecCanberra 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 AurecSingapore 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 AurecMelbourne 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 192.168.80.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.80.0 255.255.255.0 AurecHongKong 255.255.255.0
access-list BranchOffices_splitTunnelAcl standard permit 192.168.80.0 255.255.255.0
access-list outside_3_access_in extended permit ip any 139.130.1.0 255.255.255.0
access-list outside_3_access_in extended permit tcp any host 202.7.215.118 object-group DM_INLINE_TCP_2 log disable
access-list outside_3_access_in extended permit tcp any any eq 444
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu outside_2 1500
mtu outside_3 1492
ip local pool VPNPool 192.168.80.160-192.168.80.180 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (outside_2) 103 interface
global (outside_3) 102 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp SBS_Server ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp SBS_Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface https SBS_Server https netmask 255.255.255.255
static (inside,outside) tcp interface www SBS_Server www netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.80.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 4125 SBS_Server 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 993 SBS_Server 993 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Terminal_Server 3389 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica Terminal_Server citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 81 Terminal_Server 81 netmask 255.255.255.255
static (inside,outside) tcp interface 2598 Terminal_Server 2598 netmask 255.255.255.255
static (inside,inside) tcp 192.168.14.50 smtp Terminal_Server smtp netmask 255.255.255.255
static (inside,outside_3) tcp interface 3389 Terminal_Server 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_3_access_in in interface outside_3
route outside 0.0.0.0 0.0.0.0 139.130.1.205 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 10.10.10.0 255.255.255.128 management
http 192.168.80.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.80.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
vpdn group TPG request dialout pppoe
vpdn group TPG localname [email protected]
vpdn group TPG ppp authentication pap
vpdn username dfsdfsdaf@fsfsdfs password *********
vpdn username [email protected] password *********
dhcp-client client-id interface outside_3
dhcpd address 10.10.10.11-10.10.10.126 management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy BranchOffices internal
group-policy BranchOffices attributes
 dns-server value 192.168.80.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BranchOffices_splitTunnelAcl
 default-domain value aurec.com.au
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 nem enable
username aurecsig password cTMjLs6t2jB0v8J7 encrypted privilege 0
username aurecsig attributes
 vpn-group-policy BranchOffices
username aurechk password WNF5K5bx.CLd5SSa encrypted privilege 0
username aurechk attributes
 vpn-group-policy BranchOffices
username aureccan password vJSIcYRb43cBhk35 encrypted privilege 0
username aureccan attributes
 vpn-group-policy BranchOffices
username aurecmel password at.vbO43bPU/cXAz encrypted privilege 0
username aurecmel attributes
 vpn-group-policy BranchOffices
username admin password clofk8EM73OlZoFM encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group BranchOffices type remote-access
tunnel-group BranchOffices general-attributes
 address-pool VPNPool
 default-group-policy BranchOffices
tunnel-group BranchOffices ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
class-map type inspect http match-all bannedsites
 match request uri regex domainlist3
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http DomainList
 parameters
  protocol-violation action drop-connection
 match request uri regex domainlist3
  drop-connection log
 match request uri regex domainlist1
  drop-connection log
 match request uri regex domianlist2
  drop-connection log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname domain
Cryptochecksum:69b06f8d3ce8db846f7a72cc6a1770ff
:End

Answer : setup NAT on Cisco ASA

This is expected behavior. You can't access the internet subnets through 2 interfaces on an ASA. The ASA is receiving your ping request, but its default route to the internet is out the other internet path. This fails to go through because the traffic is trying to leave out a different interface than it came in. If you disconnected or shut down your primary internet connection, the DSL one might have its default route automatically populate in the 'show route' command, and then you'd be able to ping that connection.

The only way you can use this DSL connection for traffic, and continue to have all of your normal Internet traffic use eth0/0 is to be able to set a static route in the ASA for the source of the traffic.  I.e.:

route outside_3 77.77.77.77 255.255.255.255 202.177.215.117

Then source your traffic from 77.77.77.77, and you should be able to ping 202.177.215.118.
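
The routing behaviour the answer describes can be checked offline against a saved config. The following is an added example, not part of the original question or answer: it models the ASA's choice of reply interface as a longest-prefix match over the "route" lines and flags port forwards whose replies would leave through a different interface. The function names and the trimmed sample config are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the RDP port forwards and the default route from the
# question's config (other lines omitted).
QUESTION_CONFIG = """\
static (inside,outside) tcp interface 3389 Terminal_Server 3389 netmask 255.255.255.255
static (inside,outside_3) tcp interface 3389 Terminal_Server 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 139.130.1.205 1
"""
# The host route exactly as written in the answer.
ANSWER_ROUTE = "route outside_3 77.77.77.77 255.255.255.255 202.177.215.117\n"

STATIC_RE = re.compile(r"^static \(\S+?,(\S+?)\) (?:tcp|udp) interface (\S+) (\S+)", re.M)
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+", re.M)


def parse_routes(config):
    """Return [(interface, network)] for each 'route' line.
    Assumes dotted-quad destinations, not 'name' aliases."""
    return [(ifc, ipaddress.ip_network(f"{net}/{mask}"))
            for ifc, net, mask in ROUTE_RE.findall(config)]


def egress_interface(routes, client_ip):
    """Longest-prefix match: the interface used to send packets to client_ip."""
    addr = ipaddress.ip_address(client_ip)
    hits = [(net.prefixlen, ifc) for ifc, net in routes if addr in net]
    return max(hits)[1] if hits else None


def audit_port_forwards(config, client_ip):
    """Return [(mapped_interface, port, real_host, reply_path_ok)].
    reply_path_ok is True only when the route back to client_ip uses the
    interface the forwarded connection arrived on."""
    egress = egress_interface(parse_routes(config), client_ip)
    return [(ifc, port, host, ifc == egress)
            for ifc, port, host in STATIC_RE.findall(config)]


if __name__ == "__main__":
    for label, cfg in (("as posted", QUESTION_CONFIG),
                       ("with answer's route", QUESTION_CONFIG + ANSWER_ROUTE)):
        for ifc, port, host, ok in audit_port_forwards(cfg, "77.77.77.77"):
            state = "ok" if ok else "reply leaves via another interface"
            print(f"{label}: {ifc}:{port} -> {host}: {state}")
```

With the host route added, only the 77.77.77.77 source gets a matching reply path on outside_3; every other client address still follows the default route out of outside.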

 
