topic It is a little unclear if you in Network Security

ASA 9.1 Unable to allow traffic from internet to internal hosts using Static PAT

farooq.mirza — Tue, 12 Mar 2019 05:17:02 GMT

Hello, we have recently purchased a new Cisco ASA 5545-x running version 9.1 with ASDM 7.1. I was able to configure the firewall for internal access to the outside, and have our remote site-to-site VPN tunnels working.

However, when I try to configure static PAT and ACL for access to our internal servers,our ouside network unable to access our inside servers that are connected to the DMZ interface but the hosts in the inside are able to access the servers located in the DMZ .

Outside traffic are trying to access below servers from gateway through the dmz to the servers.

below are the ip's for the dmz,inside,outside interfaces:

Context: single_vf, Interface: DMZ
192.168.200.46 Active 0016.3e1a.6c1d hits 0
192.168.200.45 Active 00ff.4cdb.3a68 hits 353
192.168.200.37 Active 0026.557e.c22a hits 9
192.168.200.5 Active 0023.7de9.06f4 hits 17060
192.168.200.44 Active 18a9.0576.edd8 hits 193
192.168.200.220 Active 0023.ead2.34c0 hits 134
192.168.200.47 Active f4ce.4680.77c4 hits 5
192.168.200.35 Active 0026.557c.1d80 hits 10496
192.168.200.36 Active 0016.3e5c.6400 hits 40

Context: single_vf, Interface: inside
192.168.55.2 Active 0000.0c07.ac37 hits 491437

Context: single_vf, Interface: outside
87.101.181.165 Active 0024.1466.12e7 hits 3179
86.51.14.50 Active 0024.1466.12e7 hits 190993

I have attached a running config as well for your reference.

I have this configuration working on ASA-5510 unfortunately i had to do roll back to this firewall ASA 5510 from the new one connected to do the ASA 5545-x.

Please advise.

Thank you...
Farooq Mirza.

Hi,I think you would need to

Vibhor Amrodia — Tue, 30 Dec 2014 10:24:24 GMT

Hi,

I think you would need to share the Non-Working configuration from the ASA device as well.

Also , try to run the packet tracer simulating the traffic from the Outside to Inside and see which policy is dropping the traffic for you.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia

It is a little unclear if you

Marius Gunnerud — Tue, 30 Dec 2014 13:12:40 GMT

It is a little unclear if you are trying to access the servers from the internet or if you are having problems accessing the servers over the VPN?

If you are trying to access the servers over the VPN then make sure that the server IP addresses are included in the VPN ACL and that this traffic is also excluded from being NATed. This needs to be done at both ends of the VPN tunnel.

If you require further help, please be more specific in where you are trying to access the servers from and, if this is over the VPN, please provide the running config from both sites. This should be the running config of the two ASAs that are working incorrectly and not the running config of the rollback ASA.

Please remember to select a correct answer and rate helpful posts

Hello,I am trying to access

farooq.mirza — Tue, 30 Dec 2014 14:12:45 GMT

Hello,

I am trying to access the the servers over L2TP VPN not over Site to Site VPN.

I have attached the Non-Working configuration from the ASA as well.

Please advise.

Thank you..

Hello,I am trying to access

farooq.mirza — Wed, 31 Dec 2014 05:59:20 GMT

Hello,

I am trying to access the the servers over L2TP VPN not over Site to Site VPN.

I have attached the Non-Working configuration from the ASA as well.

Please advise.

Thank you..