Hi,

Thanks for replying. It is a live network, I am trying to connect. I attached the diagram. The cloud is a wireless network.

The connectivity looks simple. I am trying to connect 2 servers together using a firewall instead of a router. The left side of the cloud is customer's. That part I have no access to. They are using some other brand firewall. The right side is the Cisco ASA 5510. That is the ASA, I am trying to configure.

interface Ethernet0/0

nameif outside

security-level 0

ip address 10.10.10.3 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.16.22.254 255.255.255.0

!

interface Ethernet0/2

nameif inside2

security-level 100

ip address 172.16.21.254 255.255.255.0

!

access-list outside-inside extended permit ip any any

access-list outside-inside extended permit icmp any any

!

static (inside,outside) 172.16.22.0 172.16.22.0 netmask 255.255.255.0

static (outside,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

!

access-group outside-inside in interface outside

Message was edited by: Surya Shiva

Hi,

Some questions still as we cant see the whole configuration.

• Is the idea to get both server networks connect to eachtother with their original IP addresses? In other words I assume that there is no need for actual NAT?
• Have you made sure that both your firewall has a route for the network 172.16.106.0/24 towards the other firewall and that the other firewall has a route for network 172.16.22.0/24 towards your firewall?

If I may suggest, you could try to remove those NAT configurations and go with the following

access-list INSIDE-NAT0 remark NO NAT Configurations

access-list INSIDE-NAT0 permit ip 172.16.22.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 172.16.22.0 255.255.255.0 172.16.106.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

Also make sure that you either have the default route or specific route towards the other firewall so that routing from your part will work

route outside 0.0.0.0 0.0.0.0 10.10.10.4

or

route outside 172.16.106.0 255.255.255.0 10.10.10.4

If this doesnt help I think we would need to see the whole firewall configuration. Also possibly will need to make sure that the other firewall is configured correctly.

- Jouni

Hi Jouni,

The problem is the other firewall is not Cisco. I think it is Juniper.

I will try the config tomorrow and update.

Thanks for your help

Hi,

Even if you can ping the other firewall from your firewall doesnt mean that the end to end routing is fine.

The firewalls are directly connected by the same network 10.10.10.0/24 so provided the actual connectivity is fine they should be able to ping eachtother. You not being able to ping their firewall might simply be due to their firewall prventing it or simply not replying to your ping.

But as I said, if this doesnt work would really need to see some more configurations.

Notice that you can also simulate traffic going through the ASA to see how the ASA would handle it. The command is "packet-tracer" and for you to simulate a HTTP connection coming from your server to the other could be tested with the command

packet-tracer input inside tcp 172.16.22.8 12345 172.16.106.8 80

The output of this command should tell what rules the traffic hits. It doesnt actually create that traffic but simulates how the ASA would handle this type of connection.

EDIT: For some reason when I check this discussion the page is all bent out of shape. I dont know if anyone else is seeing this.

- Jouni