05-27-2013 05:25 AM - edited 03-11-2019 06:49 PM
Hello!
I am new to Cisco firewalls, and I have a problem with an ASA 5505 device.
I need 3 interfaces:
1. OUTSIDE: this is the WAN connection (PPPOE)
2. MAINLAN: this is the LAN for internal computers and a windows server (AD...) (IP: 10.0.0.0)
3. WEBORDER: this is a webserver, running IIS (IP: 10.0.1.0)
I set some NAT and access rules on the device, so MAINLAN and WEBORDER can reach the internet, but these two interfaces cannot reach each other.
I can access WEBORDER from the external network (internet), but I cannot access it from MAINLAN.
How can I connect the two interfaces?
Thanks for your help.
05-27-2013 06:58 AM
Hi,
One quick question based on the private message.
Do you want all the local networks to be able to connect to each other using the local IP addresses?
Or do you want to perhaps access the server at "Weborder" with its public IP address?
- Jouni
05-27-2013 07:34 AM
Hi,
Ok, so you want to access between the local 192.168.x.x/24 and 10.0.x.x/24 networks to use their original IP addresses.
I would suggest adding the following configurations through the same interface you used to get the CLI format configuration. Notice that you have to check the box titled "Multiple Line" so you can insert multiple lines of commands.
Configuring NAT0 for traffic between Local Networks
access-list MAIN-LAN-NAT0 remark NO NAT for traffic between local networks
access-list MAIN-LAN-NAT0 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list MAIN-LAN-NAT0 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list MAIN-LAN-NAT0 permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (MainLan) 0 access-list MAIN-LAN-NAT0
Remove some useless NAT configurations
no global (Weborder) 2 interface
no static (outside,Weborder) 10.0.1.240 xxx.xxx.xxx.xxx netmask 255.255.255.255
Your ACLs are configured a bit differently than I would personally configure them, but since you use ASDM, the format I see on the CLI is expected.
Guess we could try the above configuration changes first and then check if we need to try something else.
Hope this helps
- Jouni
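The other half of the SQL-server requirement raised later in this thread (the web server on Weborder reaching SQL on MainLan) is the ACL on the lower-security Weborder interface, which the NAT0 exemption above does not cover. This is an added example in the same pre-8.3 syntax, not configuration from Jouni or the original poster; it assumes the web server is 10.0.1.240 (the real address in the static being removed) and uses 10.0.0.10 as a placeholder for the SQL server, and only MS-SQL (TCP/1433) is opened toward the internal networks.

```cisco
! Added example, not from the thread. Assumed addresses: web server 10.0.1.240,
! SQL server 10.0.0.10 (placeholder). Syntax matches the nat/global/static style used above.
!
! 1. Mirror the MainLan NAT exemption on the Weborder side, so Weborder-initiated
!    flows to MainLan keep their real 10.0.1.x source regardless of any dynamic
!    "nat (Weborder) 1" rule that sends Weborder traffic to the Internet.
access-list WEBORDER-NAT0 remark NO NAT for traffic between Weborder and MainLan
access-list WEBORDER-NAT0 permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (Weborder) 0 access-list WEBORDER-NAT0
!
! 2. Weborder has a lower security-level than MainLan, so connections it initiates
!    toward MainLan are dropped unless an inbound ACL on Weborder permits them.
!    Permit only the web server to the SQL host on TCP/1433, deny everything else
!    toward the internal networks, and leave Internet access for the rest.
access-list WEBORDER-IN remark Web server may reach only the SQL server on MainLan
access-list WEBORDER-IN extended permit tcp host 10.0.1.240 host 10.0.0.10 eq 1433
access-list WEBORDER-IN extended deny ip any 10.0.0.0 255.255.255.0
access-list WEBORDER-IN extended deny ip any 192.168.1.0 255.255.255.0
access-list WEBORDER-IN extended deny ip any 192.168.2.0 255.255.255.0
access-list WEBORDER-IN extended permit ip 10.0.1.0 255.255.255.0 any
access-group WEBORDER-IN in interface Weborder
```

If the ASA runs a Base License with the third VLAN configured as the restricted DMZ (the limitation mentioned earlier in the thread), that interface cannot initiate traffic to one of the other two interfaces and no ACL will change that; check the license and interface configuration before troubleshooting the rules.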
05-27-2013 05:51 AM
Hi,
There might be several problems but they are very hard to check through the ASDM.
I would suggest that you go to the following section in the ASDM and provide us with the CLI format configuration
One possible problem can be if you have a Base License ASA. With this license the ASA is limited to 3 VLAN interfaces, and one of those interfaces can only be configured as a restricted DMZ. This means that the connections that one interface can form are limited. Depending on how this is configured on your ASA, it might be the cause of the problem.
Problem could also be ACLs and/or "security-level" set on the interfaces.
- Jouni
05-27-2013 07:10 AM
Thanks for your question!
Yes, I want.
And one more thing...we have an SQL server on MainLan...the webserver on Weborder should access it.
Thanks!
I am very thankful for your help!
05-27-2013 08:36 AM
Thank you very much for your help!
I can try it in a few days, I will inform you about...