ASA5510 permit incoming connection from remote lan

dufour001
Level 1

Hello,

I currently have a config like this:

Main Site  -- cisco 3750 -- ISP SDSL router -- ISP MPLS -- ISP SDSL router -- cisco 2821 -- Remote Site
                                                                         |
                                                               ISP firewall (only for port forwarding)
                                                                     internet

Currently all services from site to site are permitted, without restriction.

I want to insert an ASA to block some internet traffic on the main site:

Main Site  -- cisco 3750 -- ASA5510 --  ISP SDSL router -- ISP MPLS -- ISP SDSL router -- cisco 2821 -- Remote Site
                                                                                            |
                                                               ISP firewall (only for port forwarding)
                                                                                       internet

I am trying to configure my ASA5510.

No problem for outgoing connections, or to permit a single service on the main site.

But it is impossible to give access to all services/connections from all remote sites to the main site.

Main Site is 192.168.96.0/21

Remote site is 192.168.144.1/21

Here is my config:

ASA Version 8.4(2)
!
interface Ethernet0/1
 nameif OUTSIDE
 security-level 100
 ip address 192.168.96.2 255.255.255.248
!
interface Ethernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.96.17 255.255.255.248
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit ip any any
access-list INSIDE_access_out extended permit ip any any
access-list OUTSIDE_access_out extended permit ip any any
access-list INSIDE_access_in extended permit ip any any
object network obj_any
 nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group OUTSIDE_access_out out interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
access-group INSIDE_access_out out interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.96.1 1
route INSIDE 192.168.99.0 255.255.255.0 192.168.96.18 1
route INSIDE 192.168.100.0 255.255.255.0 192.168.96.18 1
route INSIDE 192.168.101.0 255.255.255.0 192.168.96.18 1
route INSIDE 192.168.102.0 255.255.255.0 192.168.96.18 1
route INSIDE 192.168.103.0 255.255.255.0 192.168.96.18 1

Thx

7 Replies

varrao
Level 10

Hi,

What do you see in the captures and logs on the ASA? Can you also explain in a bit more detail what the exact issue is?

You said one single service is permitted but not all; can you provide which services are working and which are not?

Thanks,

Varun

Thanks,
Varun Rao

I can permit one single service with "normal" port forwarding.

But I want all of my remote LAN to be able to access all of my main site for all services (file sharing, mail, TSE, ...).

Currently all connections from the remote site to the main site are blocked.

Tried some debug output, but without collecting any interesting data.

You would need a NAT statement to allow the connections. I can see only one, which is for internal users to access the internet. Can you give me an example of any one machine on the main site that needs to be accessed from the remote site?

Varun

Thanks,
Varun Rao

We have several machines (file sharing, AD, TSE, lots of other services) that must be accessible from the remote sites.

for example 192.168.100.100 is a TSE on main site.

So I'm looking for a config to allow all incoming connections from the remote site,

instead of allowing per IP/service.

Is it possible?

Then you might need the following config:

object network remote_site
 subnet 10.0.0.0 255.0.0.0
object network main_site
 subnet 192.168.0.0 255.255.255.0
nat (outside,inside) source static remote_site remote_site destination static main_site main_site

This should work for you. I have just assumed the subnets for your remote and main site; you can change them accordingly.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao
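Varun's identity-NAT approach, written out as an added example (not from this thread) with the subnets and interface names from the original post, in ASA 8.4(2) twice-NAT syntax. The object names MAIN_LAN/REMOTE_LAN and the test host 192.168.144.10 are constructed; replacing the permit-any inbound ACL and lowering the OUTSIDE security level are added hardening steps that were not part of the reply.

```cisco
! --- Added example, not the thread's config. Assumes the INSIDE/OUTSIDE nameifs,
! --- the 192.168.96.0/21 and 192.168.144.0/21 sites and the TSE host
! --- 192.168.100.100 from the original post; 192.168.144.10 is a constructed host.
!
object network MAIN_LAN
 subnet 192.168.96.0 255.255.248.0
object network REMOTE_LAN
 subnet 192.168.144.0 255.255.248.0
!
! Identity (no-translation) twice NAT. Manual NAT is evaluated before the
! object NAT "dynamic interface" PAT rule, so site-to-site traffic keeps its
! real addresses in both directions while internet-bound traffic is still
! PATed. route-lookup tells the ASA to pick the egress interface from the
! routing table instead of from the NAT rule; no-proxy-arp stops the ASA
! from answering ARP for the remote range on the INSIDE segment.
nat (INSIDE,OUTSIDE) source static MAIN_LAN MAIN_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! The internet-facing side should not be same-security as INSIDE; with
! level 0 the implicit deny applies to anything the ACL does not permit.
interface Ethernet0/1
 security-level 0
!
! Replace "permit ip any any" on OUTSIDE with a rule scoped to the remote
! LAN ("all services from the remote site" as the poster asked), then log
! and drop everything else that arrives from the internet side.
no access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit ip object REMOTE_LAN object MAIN_LAN
access-list OUTSIDE_access_in extended deny ip any any log
access-group OUTSIDE_access_in in interface OUTSIDE
!
! Verification (constructed remote host to the TSE host on RDP port 3389):
!   show nat detail
!   packet-tracer input OUTSIDE tcp 192.168.144.10 1025 192.168.100.100 3389
!   show logging | include 192.168.144.10
```

packet-tracer should show the flow matching the identity NAT rule (no translation) and the scoped ACL entry; if it reports a drop at the ROUTE-LOOKUP or NAT phase, the routing between the ASA and the site routers is the next thing to check.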

I tried that, but it doesn't work.

With that, I can't access the remote site from the main site ...

I tried the same but in unidirectional mode.

So I can access the remote site, but it is impossible to get a connection from the remote site to the main site.

thx

Anyone has an idea?

Thx
