topic Re: Proxy/mail server -ASA in Network Security

Proxy/mail server -ASA

CSCO10320953 — Mon, 11 Mar 2019 13:53:09 GMT

Hi All,

I have proxy server and having two interface.One int face isconnected to Lan(192.168.*.*) and another 192.168.3.100 which is connected to my firwall.

I have configured in ASA,inside ip 192.168.3.99 and outside ip 192.168.4.2.All lan user using proxy for the internet.From ASA ,I can ping all interface.but i cant ping 192.168.3.99 from the proxy server and internet is also is not working.What would be the problem.

Re: Proxy/mail server -ASA

abinjola — Sat, 04 Oct 2008 17:06:34 GMT

internet-<-----ASAx.x.3.100--<-----x.x.3.99ProxyServer----

a) from Lan can you ping 192.168.3.100 ?

b)In the Access-list applied on outside interface, add the line, access-list line 1 permit icmp any any

c)Now, ping 4.2.2.2 from the LAN, turn on "debug icmp trace" do you see icmp packet reaching firewall ?

If possible post your configuration here ...

Re: Proxy/mail server -ASA

CSCO10320953 — Tue, 07 Oct 2008 05:56:50 GMT

All lan traffic is coming through the Proxy server IPs :lan 192.168.*.*.LAn and proxy server is in the same network.

Proxy Second ip 192.168.3.100 which is connected inside interface 192.168.3.99.Ouside ip 192.168.4.2 which is connectd to BSNL modem 192.168.4.1

BMR1C# sh run

: Saved

ASA Version 7.0(6)

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.3.99 255.255.255.0

interface Ethernet0/0.1

shutdown

no vlan

no nameif

no security-level

no ip address

interface Ethernet0/0.2

shutdown

no vlan

no nameif

no security-level

no ip address

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/2

nameif Outside

security-level 0

ip address 192.168.4.2 255.255.255.0

interface Management0/0

nameif management

security-level 0

ip address *.*.*.* 255.255.255.128

management-only

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

pager lines 24

mtu inside 1500

mtu Outside 1500

mtu management 1500

no asdm history enable

arp timeout 14400

route inside 192.168.0.0 255.255.255.0 192.168.3.100 1

route Outside 0.0.0.0 0.0.0.0 192.168.4.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

Cryptochecksum:2143d98d4cd9274aabcf7c7d19e73c7d

: end

BMRC#

Re: Proxy/mail server -ASA

abinjola — Tue, 07 Oct 2008 06:28:48 GMT

Take care of following points :-

You have a ASA 5505 correct ? By default, port e0/0 is the outside Interface and rest 0/1-0/7 part of VLAN1 which is inside interface, but you have made e0/0 as inside, please make sure you have it assigned on VLAN 1 (inside) and e0/2 must be assigned in VLAN 2

b)Remove the logical VLANs

no interface Ethernet0/0.1

no interface Ethernet0/0.2

c)You never answered if you are able to ping inside interface from any inside LAN machine ?

d)On the Outside you have a private IP, who does the NATTing ? outside modem or ASA ?

I would like you to add following commands

policy-map global_policy

class inspection_default

inspect icmp

logg mon 7

term mon

logg on

Now onc you have thess commands in place, ping 4.2.2.2 and collect the logs, paste it here

Re: Proxy/mail server -ASA

CSCO10320953 — Tue, 07 Oct 2008 08:59:20 GMT

C.NO

d.Nat ASA I

BMRC# debug icmp trace

debug icmp trace enabled at level 1

BMRC# ping 4.2.2.2

ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=4838

4 len=72

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72

!ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=48384 len=72

!ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72

ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=48384 len=72

ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72

!ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=48384 len=72

!ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72

ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=48384 len=72

ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72

Re: Proxy/mail server -ASA

abinjola — Tue, 07 Oct 2008 09:05:59 GMT

add

nat (inside) 1 0 0

global (outside) 1 interface

Re: Proxy/mail server -ASA

CSCO10320953 — Tue, 07 Oct 2008 09:13:53 GMT

I am not able to ping 192.168.3.99

route Outside 0.0.0.0 0.0.0.0 192.168.4.1 1

route inside 192.168.0.0 255.255.255.0 192.168.3.99 1

Re: Proxy/mail server -ASA

CSCO10320953 — Tue, 07 Oct 2008 09:25:01 GMT

access-list outacc extended permit icmp any any

access-group outacc in interface Outside

Re: Proxy/mail server -ASA

abinjola — Tue, 07 Oct 2008 09:30:20 GMT

from the firewall are you able to ping proxy 3.99 ?

from the proxy ping 4.2.2.2 and turn on

logg on

logg mon 7

term mon

debug icmp trace

send me the above outputs