12-11-2007 06:28 AM - edited 03-11-2019 04:42 AM
I tried to set up my Cisco ASA 5505 (Version 7.1(1)) at my own office.
LAN --> ASA --> ADSL router --> Internet
I need to go from outside any to inside 192.168.1.5 eq (www and https)
I need to go from outside any to inside 192.168.1.5 eq (pptp and gre)
(I am not sure if it should go to 192.168.1.5 or 192.168.1.9) I need to go from outside any to inside 192.168.1.4 eq (smtp)
My overall network:
ADSL modem (200.0.0.169/29), which connects to the ASA outside VLAN2 (200.0.0.170/29), which in turn connects to the ASA inside VLAN1 (192.168.1.1/24)
200.0.0.169/29 - DSL modem
200.0.0.170/29 - cisco ASA (LAN IP: 192.168.1.1/24)
200.0.0.171/29 - exchange and VPN (LAN IP: 192.168.1.5/24)
no public IP - MAIL FILTER server (LAN IP: 192.168.1.9/24)
12-11-2007 08:23 AM
Hi Victor
MrHusy here from experts-exchange. Your internet problem is solved in EE; let's handle your second problem here :)
I see in your config that you have the following route:
route outside 0.0.0.0 0.0.0.0 209.112.47.170
but your interface IP is 200.0.0.170/29, so this route does not work.
You should either configure your DSL modem in bridged mode and assign the public IP to the ASA interface, or add the following route on the ASA:
route outside 0.0.0.0 0.0.0.0 200.0.0.170/29
And forward port 25 in DSL modem to 200.0.0.171
Or, forward all ports in the DSL modem to the ASA interface IP 200.0.0.170 (some modems call this forwarding type BIMAP), then add the following to your config:
static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq smtp
Regards
12-11-2007 08:48 AM
Thank you for your reply.
I have updated the following in my ASA:
- route outside 0.0.0.0 0.0.0.0 200.0.0.170 1
- static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
- access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp
Please let me know if I have made any mistake, and whether this also fixes my OWA.
Currently still facing the VPN problem to the 200.0.0.171 server.
12-11-2007 12:06 PM
If your ADSL router is 200.0.0.169, the default route on the ASA should point at that, i.e.:
route outside 0.0.0.0 0.0.0.0 200.0.0.169
12-11-2007 12:38 PM
John is right, I got confused. Do the following modification:
no route outside 0.0.0.0 0.0.0.0 200.0.0.170
route outside 0.0.0.0 0.0.0.0 200.0.0.169
Did you do port forwarding in the modem?
12-11-2007 01:00 PM
Thanks for all the inputs, it's always good to hear something back from the experts.
I am not sure how to do the port forwarding for my modem yet, so I have to look into that. Actually, is there another workaround for that?
Any idea regarding the Windows VPN access to 200.0.0.171?
12-11-2007 01:32 PM
The following link contains a huge list of port-forwarding instructions for routers/modems. Choose yours and follow the steps:
http://www.portforward.com/english/routers/port_forwarding/routerindex.htm
What do you mean by VPN access to 200.0.0.171?
12-11-2007 01:57 PM
When I am at home, I would need to VPN into my company's network, with IP 200.0.0.171, and then connect to any internal servers.
Actually, it works when I VPN into our network if I use 200.0.0.172 instead of 200.0.0.171, and all I have to change are the following 2 access-lists:
FROM
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp
TO
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.172 eq pptp
FROM
access-list outside_access_in extended permit gre any host 200.0.0.171
TO
access-list outside_access_in extended permit gre any host 200.0.0.172
But we would like to allow users to VPN into the network with 200.0.0.171, any ideas? I am wondering if this
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
12-11-2007 02:14 PM
So 192.168.1.3 is running RRAS or ISA as a VPN server?
12-11-2007 02:42 PM
RRAS is on both 192.168.1.3 and 192.168.1.5; both servers are domain controllers.
Currently we have another firewall and users can VPN into our network with 200.0.0.171
Please let me know if you have any idea.
Much appreciated
12-12-2007 12:37 AM
static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.3 pptp netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 gre 192.168.1.3 gre netmask 255.255.255.255
And leave the access-lists that are applied to 200.0.0.171. Don't change them to 200.0.0.172.
12-12-2007 06:40 AM
Correct me if I am wrong, but am I supposed to add the following instead?
static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 gre 192.168.1.5 gre netmask 255.255.255.255
since I don't want 192.168.1.3 to have anything to do with the VPN anymore, as we are planning to remove this server very soon.
Please advise.
12-12-2007 07:25 AM
You are correct. I thought 1.3 was active.
12-12-2007 07:32 AM
asa5505(config)# static (inside,outside) tcp 200.0.0.171 gre ?
ERROR: % Unrecognized command
<0-65535> Enter port number (0 - 65535)
aol
bgp
chargen
cifs
citrix-ica
cmd
ctiqbe
daytime
discard
domain
echo
exec
finger
ftp
ftp-data
gopher
h323
hostname
http
https
ident
imap4
Please advise.
12-12-2007 07:51 AM
Hmm, don't forward gre, it is an IP protocol. Check if it works without gre.
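Added example, not code from the thread or from Cisco: a small Python linter over ASA 7.x-style config lines that catches the three problems worked through above before they are pushed to the box: a default route whose next hop is the ASA's own interface address (or off the outside subnet at all, like the 209.112.47.170 route), a port static naming gre, which is IP protocol 47 and not a TCP port (the "Unrecognized command" in the previous post), and a port static with no matching outside access-list entry. The two sample configs, the regexes and the finding texts are constructed here from the addresses and commands in the thread; they are not the poster's real config.

```python
"""Consistency checks for a handful of ASA 7.x config lines (added example).

Checks performed:
  1. a 'route <nameif> ...' next hop must sit inside that interface's subnet
     and must not be the ASA's own address;
  2. a port static (static (in,out) tcp|udp ...) must name a real L4 port,
     never an IP protocol keyword such as gre;
  3. every port static needs an access-list entry permitting that
     protocol/port to the mapped (outside) address.
"""
import ipaddress
import re

# Constructed sample built from the thread's addresses: it still has the
# self-pointing default route, the 'gre' port static and one ACL gap (https).
BROKEN_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 200.0.0.170 255.255.255.248
route outside 0.0.0.0 0.0.0.0 200.0.0.170 1
static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 gre 192.168.1.5 gre netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp
access-list outside_access_in extended permit gre any host 200.0.0.171
"""

# Same sample after the corrections discussed in the thread (constructed).
FIXED_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 200.0.0.170 255.255.255.248
route outside 0.0.0.0 0.0.0.0 200.0.0.169 1
static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp
access-list outside_access_in extended permit gre any host 200.0.0.171
"""

ROUTE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
PORT_STATIC = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL = re.compile(r"^access-list \S+ extended permit (\S+) any (?:object-group \S+ )?host (\S+)(?: eq (\S+))?")
IP_PROTOCOLS = {"gre", "esp", "ah", "icmp"}  # IP protocol keywords, never valid port names


def parse_interfaces(lines):
    """Map nameif -> ipaddress.IPv4Interface from the 'interface' blocks."""
    ifaces, name, addr = {}, None, None
    for line in lines:
        if re.match(r"^interface ", line):
            name, addr = None, None
            continue
        if not line.startswith(" "):
            continue  # back at top level, outside any interface block
        m = re.match(r"^ nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"^ ip address (\S+) (\S+)", line)
        if m:
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        if name and addr:
            ifaces[name] = addr
    return ifaces


def check_routes(lines, ifaces):
    """Check 1: the next hop must be a neighbour on the named interface."""
    findings = []
    for line in lines:
        m = ROUTE.match(line)
        if not m:
            continue
        nameif, nexthop = m.group(1), ipaddress.ip_address(m.group(4))
        iface = ifaces.get(nameif)
        if iface is None:
            findings.append(f"route {nameif}: no interface has that nameif")
        elif nexthop == iface.ip:
            findings.append(f"route {nameif}: next hop {nexthop} is the ASA's own interface address")
        elif nexthop not in iface.network:
            findings.append(f"route {nameif}: next hop {nexthop} is not on {iface.network}")
    return findings


def check_statics(lines):
    """Checks 2 and 3: valid port keyword, and an ACL entry that lets it in."""
    findings = []
    permits = {ACL.match(l).groups() for l in lines if ACL.match(l)}  # (proto, host, port|None)
    for line in lines:
        m = PORT_STATIC.match(line)
        if not m:
            continue
        proto, mapped_ip, mapped_port = m.group(3), m.group(4), m.group(5)
        if mapped_port.lower() in IP_PROTOCOLS:
            findings.append(f"static {mapped_ip} {mapped_port}: {mapped_port} is an IP protocol, "
                            f"not a {proto} port; a port static cannot carry it")
            continue
        if (proto, mapped_ip, mapped_port) not in permits and (proto, mapped_ip, None) not in permits:
            findings.append(f"static {mapped_ip} {proto}/{mapped_port}: no access-list entry permits it from outside")
    return findings


def lint(config_text):
    """Run all checks over a config snippet; an empty list means clean."""
    lines = config_text.splitlines()
    return check_routes(lines, parse_interfaces(lines)) + check_statics(lines)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["clean"])
```

The ACL check compares against the mapped (public) address because ASA 7.x access-lists are written in terms of the translated address, as the thread's own `host 200.0.0.171` entries show. GRE is deliberately treated as a protocol and not a port: the `permit gre` access-list line is the right place for it, while a `static ... tcp ... gre` line is what the CLI rejected above.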