ASA 5510 problem

Leo Bruni
Level 1

I have an ASA 5510 configured with three interfaces defined as inside, outside and student. The inside network has a security level of 100, the outside is 0 and the student is 1. There is a server on the student subnet that serves as a DNS server for both the student and inside subnets. If I run a packet trace on the firewall from the inside to the student network to the server it says that the packet is allowed, however any real traffic from PCs on the inside does not get to the server. FYI I do not see an ARP entry on the firewall for the server. The firewall is configured in router mode. Devices on the student subnet can see the server. The only route statement is a default route to the outside subnet. This should not be an issue since the other subnets are directly connected. Any ideas? Attached is the firewall config.

6 Replies

Jennifer Halim
Cisco Employee

NAT exemption is incorrect; you can't specify "ANY" as the destination, as traffic destined towards the internet will also be NAT exempted.

You can change the following:

FROM:

access-list inside_nat0_outbound extended permit ip 172.16.250.0 255.255.255.0 any

TO:

access-list inside_nat0_outbound extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0

Also, you can remove the following as it is not required:

nat (student) 0 access-list student_nat0_outbound

If Student needs to access the Internet, then add the following:

nat (student) 1 192.168.250.0 255.255.255.0

Then "clear xlate".

In regards to ARP of the server, what is the server IP Address, mask, and its default gateway? Are you able to ping the server from the firewall, and is the server able to ping the firewall student interface (192.168.250.1)?
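A small lint check for the overly broad NAT exemption described in the reply above, as an added example that is not from the thread or from Cisco. The config lines are constructed from the ACL and interface names quoted above (no real device output is used), and the check flags every "nat (iface) 0 access-list" ACL whose entries use "any" as the destination.

```python
"""Flag ASA NAT-exemption (nat 0) ACL entries whose destination is 'any'.

Added example, not the thread's config. The sample below is constructed from
the ACL names quoted in the thread so the check has something to run on.
"""
import re
from typing import Dict, List, Tuple

# access-list NAME extended permit ip SRC DST   (SRC/DST: any | host X | NET MASK)
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)
# nat (IFACE) 0 access-list NAME   (pre-8.3 NAT exemption syntax)
NAT0_RE = re.compile(r"^nat\s+\((?P<iface>[^)]+)\)\s+0\s+access-list\s+(?P<acl>\S+)\s*$")


def nat0_acls(config: str) -> Dict[str, str]:
    """Map each ACL name referenced by a 'nat (iface) 0 access-list' line to its interface."""
    found: Dict[str, str] = {}
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            found[m.group("acl")] = m.group("iface")
    return found


def broad_exemptions(config: str) -> List[Tuple[str, str, str]]:
    """Return (interface, acl_name, ace_line) for exempt ACEs whose destination is 'any'.

    Such an entry exempts traffic to *every* destination, including the
    internet, so it should be narrowed to the specific remote subnet.
    """
    acls = nat0_acls(config)
    findings: List[Tuple[str, str, str]] = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") in acls and m.group("dst") == "any":
            findings.append((acls[m.group("name")], m.group("name"), line.strip()))
    return findings


# Constructed sample mirroring the thread: both nat0 ACLs use "any" as destination.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 172.16.250.0 255.255.255.0 any
access-list student_nat0_outbound extended permit ip 192.168.250.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
nat (inside) 0 access-list inside_nat0_outbound
nat (student) 0 access-list student_nat0_outbound
nat (inside) 1 172.16.250.0 255.255.255.0
"""

if __name__ == "__main__":
    for iface, acl, ace in broad_exemptions(SAMPLE_CONFIG):
        print(f"[{iface}] {acl}: destination 'any' in: {ace}")
```

The plain "inside_access_in" entry is not reported because it is not tied to a nat 0 statement; only exemption ACLs are checked.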

I will make the suggested changes. Student does not and should not have access to the internet. I cannot ping the server from the firewall. The response I get is ????. I believe the server can ping the firewall 192.168.250.1 address, but I will check. The server IP is 192.168.250.10. Mask 255.255.255.0. Gateway 192.168.250.1.

If you can't ping the server from the firewall, check if there is any firewall on the server itself that might be blocking incoming traffic.

How is the server connected?

The Windows firewall is disabled on the server. The server is connected to a switch to which the firewall is also connected. There are 2 VLANs on the switch, one for the student network and one for the Teacher (inside) network. The firewall has 2 connections to the switch, one in each VLAN.

Just double checking, but I am assuming that both the firewall eth0/3 and the server have been configured with the same VLAN on the switch?

That is correct.
