10-04-2013 02:49 PM - edited 03-11-2019 07:47 PM
Hi!
I am actually replacing a PIX 515E unit with an ASA 5512X having version 8.6(1)2.
Starting from version 8.3 up, there is a difference in the way natting is done compared to previous ASA versions (8.2 and down) and PIX.
Scenario is as follows:
I have configured the ASA 5512X and router but I want to be sure that I have it in the correct way.
Please see the attached topology and configurations of router and ASA.
Thanks.
10-04-2013 03:16 PM
Hello,
Great job with the post. To the point and clear.
That being said you almost have it right.
The problem is in the ACL syntax.
Change this:
access-list OutIn extended permit tcp any host 10.0.0.60 eq smtp
access-list OutIn extended permit tcp any host 10.0.0.70 eq www
To this:
access-list OutIn extended permit tcp any host 172.16.1.70 eq 80
access-list OutIn extended permit tcp any host 192.168.1.60 eq 25
Also check this:
On the DMZ you are allowing the webserver to only access HTTP services on the outside (this will need DNS included if you do not have a DNS server on the DMZ), so add
access-list DMZIN extended permit udp host 172.16.1.70 any eq 53
Note: This is if the webserver will access websites.
Starting on 8.3 the ASA now performs the security checks in a different order.
This is why you point to the private IP address in the ACL.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
For any questions, contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
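To make the ordering point concrete, here is an added side-by-side configuration (editorial example, not part of the thread or from any of the posters): the same two static translations written the pre-8.3 way, where the outside ACL matched the mapped address, and the 8.3+ way, where the ACL matches the real address because the interface ACL is evaluated after the destination is un-NATed. It assumes interface names outside/dmz/inside, the mapped addresses 10.0.0.70 and 10.0.0.60 taken from the original ACL, and made-up object names and a constructed packet-tracer source address.

```text
! --- PIX / ASA 8.2 and earlier: ACL points at the MAPPED (public) address ---
static (dmz,outside) 10.0.0.70 172.16.1.70 netmask 255.255.255.255
static (inside,outside) 10.0.0.60 192.168.1.60 netmask 255.255.255.255
access-list OutIn extended permit tcp any host 10.0.0.70 eq www
access-list OutIn extended permit tcp any host 10.0.0.60 eq smtp
access-group OutIn in interface outside

! --- ASA 8.3 and later (e.g. 8.6): object NAT, ACL points at the REAL address ---
object network WEB_SERVER          ! object name is an assumption
 host 172.16.1.70
 nat (dmz,outside) static 10.0.0.70
object network MAIL_SERVER         ! object name is an assumption
 host 192.168.1.60
 nat (inside,outside) static 10.0.0.60
! The outside ACL is checked after un-NAT, so it must match the real IPs
access-list OutIn extended permit tcp any host 172.16.1.70 eq www
access-list OutIn extended permit tcp any host 192.168.1.60 eq smtp
access-group OutIn in interface outside

! DMZ egress: HTTP plus the DNS the web server needs to resolve names
access-list DMZIN extended permit tcp host 172.16.1.70 any eq www
access-list DMZIN extended permit udp host 172.16.1.70 any eq domain
access-group DMZIN in interface dmz

! Verify: the translation exists and a simulated inbound packet is allowed.
! packet-tracer takes the packet as it arrives on the wire, i.e. with the
! mapped destination; the output shows the un-NAT step before the ACL lookup.
show nat detail
packet-tracer input outside tcp 198.51.100.10 12345 10.0.0.70 80
```

If the ACL still references the mapped address on 8.3+, packet-tracer reports the drop at the ACCESS-LIST phase even though the NAT phase succeeds, which is the quickest way to spot this migration mistake.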
10-05-2013 12:31 AM
Dear Julio,
Thanks for the update.
Will edit the ACLs accordingly.
Regards,
Alvin
Sent from Cisco Technical Support iPhone App
10-05-2013 10:50 AM
Hey Alvin,
My pleasure man, remember to rate all of the helpful posts.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
For any questions, contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura