526 Views, 0 Helpful, 4 Replies

ASA 9.1 Unable to allow traffic from internet to internal hosts using Static PAT

farooq.mirza
Level 1

Hello, we have recently purchased a new Cisco ASA 5545-X running version 9.1 with ASDM 7.1. I was able to configure the firewall for internal access to the outside, and have our remote site-to-site VPN tunnels working.

However, when I try to configure static PAT and an ACL for access to our internal servers, our outside network is unable to access our inside servers that are connected to the DMZ interface, but the hosts on the inside are able to access the servers located in the DMZ.

Outside traffic is trying to access the servers below from the gateway, through the DMZ, to the servers.

Below are the IPs for the DMZ, inside and outside interfaces:

Context: single_vf, Interface: DMZ
  192.168.200.46                          Active   0016.3e1a.6c1d hits 0
  192.168.200.45                          Active   00ff.4cdb.3a68 hits 353
  192.168.200.37                          Active   0026.557e.c22a hits 9
  192.168.200.5                           Active   0023.7de9.06f4 hits 17060
  192.168.200.44                          Active   18a9.0576.edd8 hits 193
  192.168.200.220                         Active   0023.ead2.34c0 hits 134
  192.168.200.47                          Active   f4ce.4680.77c4 hits 5
  192.168.200.35                          Active   0026.557c.1d80 hits 10496
  192.168.200.36                          Active   0016.3e5c.6400 hits 40

Context: single_vf, Interface: inside
  192.168.55.2                            Active   0000.0c07.ac37 hits 491437

Context: single_vf, Interface: outside
  87.101.181.165                          Active   0024.1466.12e7 hits 3179
  86.51.14.50                             Active   0024.1466.12e7 hits 190993

I have attached a running config as well for your reference.

I have this configuration working on an ASA 5510; unfortunately I had to roll back to this ASA 5510 firewall from the new ASA 5545-X.

Please advise.

Thank you...
Farooq Mirza.

2 Accepted Solutions

Vibhor Amrodia
Cisco Employee

Hi,

I think you would need to share the Non-Working configuration from the ASA device as well.

Also, try running packet tracer, simulating the traffic from the outside to the inside, and see which policy is dropping the traffic for you.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia


It is a little unclear whether you are trying to access the servers from the internet or whether you are having problems accessing the servers over the VPN.

If you are trying to access the servers over the VPN then make sure that the server IP addresses are included in the VPN ACL and that this traffic is also excluded from being NATed.  This needs to be done at both ends of the VPN tunnel.

If you require further help, please be more specific in where you are trying to access the servers from and, if this is over the VPN, please provide the running config from both sites.  This should be the running config of the two ASAs that are working incorrectly and not the running config of the rollback ASA.

--
Please remember to select a correct answer and rate helpful posts
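The two accepted replies above point at the same three things to check: the static PAT rule that publishes the DMZ host, the interface ACL that permits it, and the NAT exemption for VPN traffic, verified with packet-tracer. The fragment below is an added illustration in ASA 9.1 (post-8.3) syntax, not the poster's attached configuration; the object names, the 192.168.56.0/24 L2TP pool, the /24 mask on the DMZ and the 203.0.113.10 test source are assumptions, while the interface names and the addresses 192.168.200.5 and 87.101.181.165 come from the thread.

```text
! Added example, not from the thread. Hypothetical object names;
! 192.168.56.0/24 is an assumed L2TP address pool, DMZ mask assumed /24.

! 1. Static PAT: publish TCP/80 of the DMZ host on the outside interface IP
object network dmz-web-srv
 host 192.168.200.5
 nat (DMZ,outside) static interface service tcp 80 80
!
! 2. Since 8.3 the interface ACL matches the REAL (untranslated) address,
!    so the rule references the object, not the outside IP
access-list outside_access_in extended permit tcp any object dmz-web-srv eq 80
access-group outside_access_in in interface outside
!
! 3. Identity (exempt) NAT so remote-access VPN clients reach the DMZ
!    untranslated; without it the static PAT above can swallow that traffic
object network dmz-net
 subnet 192.168.200.0 255.255.255.0
object network l2tp-pool
 subnet 192.168.56.0 255.255.255.0
nat (DMZ,outside) source static dmz-net dmz-net destination static l2tp-pool l2tp-pool no-proxy-arp route-lookup
!
! 4. Verify each path and read the phase that reports DROP, if any
!    (203.0.113.10 is a constructed internet source, 192.168.56.10 a VPN client):
! packet-tracer input outside tcp 203.0.113.10 12345 87.101.181.165 80 detailed
! packet-tracer input outside tcp 192.168.56.10 12345 192.168.200.5 80 detailed
! show nat detail          <- which rule translated, and its hit counters
! show access-list outside_access_in   <- hitcnt on the permit line
```

If the packet-tracer for the internet path drops in the ACL phase, the ACL is still written against the mapped address; if it drops in the NAT phase, the exemption rule is missing or ordered after the static PAT.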


4 Replies


Hello,

I am trying to access the servers over L2TP VPN, not over the site-to-site VPN.

I have attached the Non-Working configuration from the ASA as well.

Please advise.

Thank you..


