https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208518#M875679 <HTML><HEAD></HEAD><BODY><P>Says it's too many characters...?</P></BODY></HTML> Fri, 27 Feb 2009 15:46:00 GMT thomasmelvin 2009-02-27T15:46:00Z https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208514#M875671 <P>I have an MPLS network, with a main site running hosted applications [10.10.x.x/21, Router - 10.10.0.254], and 3 other sites [10.11.x.x/21, 10.12.x.x/21 and 10.13.x.x/21; GW for each router at each site is 10.11.0.254/21, etc.].</P><P></P><P>I have the 10.10.x.x/21 network behind an ASA 5510. It's inside interface is 10.10.0.252/21. The entire 10.10.x.x/21 network is behind the ASA. None of the other sites can access the hosts on the 10.10.x.x/21, nor can the 10.10.x.x/21 hosts access the other sites. </P><P>******************************************************</P><P></P> Mon, 11 Mar 2019 14:58:01 GMT https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208514#M875671 thomasmelvin 2019-03-11T14:58:01Z https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208515#M875673 <HTML><HEAD></HEAD><BODY><P>Tom</P><P></P><P>1) Do the other sites have a route to 10.10.x.x/21</P><P></P><P>2) Have you setup access on the ASA. So if you want the whole internal network to be accessible from the remote sites </P><P></P><P>static (inside,outside) 10.10.x.x 10.10.x.x netmask 255.255.248.0 </P><P></P><P>and then you need to have an access-list applied to the outside interface of your ASA allowing access eg.</P><P></P><P>access-list outside_in permit ip 10.11.x.x 255.255.248.0 10.10.x.x 255.255.248.0 </P><P>etc...</P><P></P><P>access-group outside_in in interface outside</P><P></P><P>Note i have used IP in the acl but you can tie it down to specific ports/IP addresses if you need to.</P><P></P><P>Jon</P></BODY></HTML> Fri, 27 Feb 2009 10:31:12 GMT https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208515#M875673 Jon Marshall 2009-02-27T10:31:12Z https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208516#M875676 <HTML><HEAD></HEAD><BODY><P>Jon,</P><P></P><P>Thanks for the reply.</P><P></P><P>1) Yes all sites have a route to the 10.10.0.0/21.</P><P></P><P>2) I added the static/acl and no change. I can't even ping.</P></BODY></HTML> Fri, 27 Feb 2009 15:20:05 GMT https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208516#M875676 thomasmelvin 2009-02-27T15:20:05Z https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208517#M875678 <HTML><HEAD></HEAD><BODY><P>Could you post the config of the ASA ?</P><P></P><P>Jon</P></BODY></HTML> Fri, 27 Feb 2009 15:21:50 GMT https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208517#M875678 Jon Marshall 2009-02-27T15:21:50Z https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208518#M875679 <HTML><HEAD></HEAD><BODY><P>Says it's too many characters...?</P></BODY></HTML> Fri, 27 Feb 2009 15:46:00 GMT https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208518#M875679 thomasmelvin 2009-02-27T15:46:00Z https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208519#M875680 <HTML><HEAD></HEAD><BODY><P>If you save it in a notepad or wordpad you should be able to add an attachment to your message.</P><P></P><P>Or you could try just pasting half of it into one message and the rest into another message.</P><P></P><P>Jon</P></BODY></HTML> Fri, 27 Feb 2009 15:56:10 GMT https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208519#M875680 Jon Marshall 2009-02-27T15:56:10Z https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208520#M875681 <HTML><HEAD></HEAD><BODY><P>Thank Jon...</P><P></P><P>Here's my config.</P><P></P><P> </P><P></P><P>As an FYI, I cannot get the Cisco VPN CLient to work either :O)</P><P></P></BODY></HTML> Fri, 27 Feb 2009 16:10:18 GMT https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208520#M875681 thomasmelvin 2009-02-27T16:10:18Z https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208521#M875682 <HTML><HEAD></HEAD><BODY><P>Tom</P><P></P><P>Could you give an example of an IP address you are trying to access from a remote site and what the source IP address is as well. Also what tcp port you are trying to access on so </P><P></P><P>src IP address = </P><P>destination IP address = </P><P>Port number = </P><P></P><P>Jon</P></BODY></HTML> Fri, 27 Feb 2009 16:21:11 GMT https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208521#M875682 Jon Marshall 2009-02-27T16:21:11Z https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208522#M875683 <HTML><HEAD></HEAD><BODY><P>John, sure...</P><P></P><P>src IP address = 10.10.1.16</P><P>destination IP address = 10.11.0.254</P><P>Port number = 0 [STD PING]</P><P></P><P>The same is true for the opposite.</P></BODY></HTML> Fri, 27 Feb 2009 16:24:11 GMT https://community.cisco.com/t5/network-security/internal-host-access/m-p/1208522#M875683 thomasmelvin 2009-02-27T16:24:11Z