topic Re: ASA Question-Help needed in Network Security

ASA Question-Help needed

sameoj1881 — Mon, 11 Mar 2019 13:57:12 GMT

I have configured and integrated an ASA to my network.

Inside----ASA----ROUTER-----Internet

I have 3 servers in my inside network,one of them is a proxy server which all other users use. The 3 servers have both public and private addresses.I have done two layers of nat,one on the ASA and the other on the router.

My inside users cannot ping the inside interface of the router neither can they browse.

I have attached the configs on the ASA and router.

Can someone please take a look at it and let me know where I got it wrong.

Re: ASA Question-Help needed

sameoj1881 — Thu, 16 Oct 2008 16:07:03 GMT

Some should please help me look into this.

Thanks.

Re: ASA Question-Help needed

JORGE RODRIGUEZ — Thu, 16 Oct 2008 19:13:13 GMT

Can you post a more complete asa sanatized config to get a better picture and see the nonat acls. You said that your inside users cannot get to the inside interface of the router facing asa outside interface and browse, if this is so you simply need a nat statement.

e.i

your asa already have this statement

global (outside) 1 interface

do you have these ?

nat (inside) 1 0 0

nat (inside ) 1

HTH

Jorge

Re: ASA Question-Help needed

Fernando_Meza — Thu, 16 Oct 2008 20:49:13 GMT

Hi,

Make sure you are not filtering out that traffic on the router by the use of access control lists ..?

I hope it helps .. please rate helpful posts

Re: ASA Question-Help needed

sameoj1881 — Fri, 17 Oct 2008 08:22:51 GMT

ASA Configs

static(inside,outside) x.x.103.5 x.x.101.5 netmask 255.255.255.255

static(inside,outside) x.x.103.250 x.x.101.250 netmask 255.255.255.255

static(inside,outside) x.x.103.2 x.x.101.2 netmask 255.255.255.255

access-list 100 extended permit icmp any any

access-list 100 extended permit tcp any host x.x.103.5 eq 80

access-list 100 extended permit tcp any host x.x.103.250 eq 80

access-list 100 extended permit tcp any host x.x.103.2 eq 25

int e0/1

access-group 100 in interface outside

access-list NO-NAT extended permit ip x.x.101.0 255.255.255.0 any

nat(inside) 1 access-list NO-NAT

global(outside) 1 interface

route outside 0.0.0.0 0.0.0.0. x.x.103.7

Router Configs

access-list 10 permit x.x.103.0 0.0.0.255

ip nat inside source list 10 interface fa0/0 overlaod

ip nat inside source static tcp x.x.103.5 80 x.x.39.155 80

ip nat inside source static tcp x.x.103.250 80 x.x.39.156 80

ip nat inside source static tcp x.x.103.2 25 x.x.39.73 25

int fa0/0

ip nat outside

int fa0/1

ip nat inside

Re: ASA Question-Help needed

marchanamendon — Tue, 21 Oct 2008 08:25:49 GMT

You can make the configuration as simple,by controlling all the nat operation at the firewall and allow only routing in the router.It will make as simple the configuration.

Archana.