Cisco ASA 5505 (ASDM)

milanka989
Level 1

Hello!

I am new with Cisco Firewalls, I have a problem with an ASA 5505 device.

I need 3 interfaces:

1. OUTSIDE: this is the WAN connection (PPPOE)

2. MAINLAN: this is the LAN for internal computers and a windows server (AD...) (IP: 10.0.0.0)

3. WEBORDER: this is a webserver, running IIS (IP: 10.0.1.0)

I set some NAT and Access rules in device, so MAINLAN and WEBORDER can reach internet, but this two interfaces cannot reach each other.

I can access WEBORDER from external network (internet), but cannot access from MAINLAN.

How can I connect the two interfaces?

Thanks for your help.

5 Replies

Jouni Forss
VIP Alumni

Hi,

There might be several problems but they are very hard to check through the ASDM.

I would suggest that you go to the following section in the ASDM and provide us with the CLI format configuration

  • Tools (Upper menu)
  • Command Line Interface 
  • Enter "show run" in the Command section (without the quotes)
  • Copy/Paste the output here on the forums and remove possible public IP address references

One possible problem can be if you have a Base License ASA. With this license the ASA is limited to 3 VLAN interfaces, and one of those interfaces can only be configured as a restricted DMZ. This means that this interface's ability to form connections is limited. Depending on how this is configured on your ASA, it might be the cause of the problem.

Problem could also be ACLs and/or "security-level" set on the interfaces.

- Jouni

Hi,

One quick question based on the private message.

Do you want all the local networks to be able to connect to each other using the local IP addresses?

Or do you want to perhaps access the server at "Weborder" with its public IP address?

- Jouni

Thanks for your question!

Yes, I want that.

And one more thing...we have an SQL server on MainLan...the webserver on Weborder should access it.

Thanks!

I am very thankful for your help!

Hi,

Ok, so you want access between the local 192.168.x.x/24 and 10.0.x.x/24 networks using their original IP addresses.

I would suggest adding the following configurations through the same interface you used to get the CLI format configuration. Notice that you have to check the box titled "Multiple Line" so you can insert multiple lines of commands.

Configuring NAT0 for traffic between Local Networks

  • NO NAT will be performed for local traffic

access-list MAIN-LAN-NAT0 remark NO NAT for traffic between local networks

access-list MAIN-LAN-NAT0 permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list MAIN-LAN-NAT0 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list MAIN-LAN-NAT0 permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (MainLan) 0 access-list MAIN-LAN-NAT0

Remove some useless NAT configurations

  • The first command removes a "global" command that is not currently in use
  • The second command removes a "static" command that is not used (you have another command that handles the Weborder server's NAT; this WILL NOT affect that)

no global (Weborder) 2 interface

no static (outside,Weborder) 10.0.1.240 xxx.xxx.xxx.xxx netmask 255.255.255.255

Your ACLs are configured a bit differently than I would personally configure them, but since you use ASDM, the format I see on the CLI is expected.

Guess we could try the above configuration changes first and then check if we need to try something else.

Hope this helps

- Jouni
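As an added illustration (not part of the thread or of Cisco's code), a small Python model of the pre-8.3 ASA NAT order of operations that the commands above rely on: NAT exemption (nat 0 access-list) is evaluated before dynamic NAT and is bidirectional, which is what lets the Weborder server initiate connections to the SQL server on MainLan without a second ACL. The exemption pairs are copied from the MAIN-LAN-NAT0 ACL; the dynamic PAT rules for Internet access, the interface names and nat-control being disabled are assumptions.

```python
import ipaddress

# Exemption pairs from the MAIN-LAN-NAT0 ACL in the reply above,
# bound to the MainLan interface by "nat (MainLan) 0 access-list ...".
NAT0_ACL = {
    "MainLan": [
        ("10.0.0.0/24", "10.0.1.0/24"),
        ("10.0.0.0/24", "192.168.1.0/24"),
        ("10.0.0.0/24", "192.168.2.0/24"),
    ],
}
# Assumed (not shown in the thread): nat (ifc) 1 0.0.0.0 0.0.0.0 on both
# inside interfaces and global (outside) 1 interface for Internet PAT.
DYNAMIC_NAT = {"MainLan": 1, "Weborder": 1}
GLOBALS = {("outside", 1)}


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def nat0_exempt(src, dst, in_ifc, out_ifc):
    """NAT exemption is bidirectional: a (local, remote) pair bound to the
    ingress interface matches src->dst, and the same pair bound to the
    egress interface matches a connection initiated from the remote side."""
    for local, remote in NAT0_ACL.get(in_ifc, []):
        if _in(src, local) and _in(dst, remote):
            return True
    for local, remote in NAT0_ACL.get(out_ifc, []):
        if _in(dst, local) and _in(src, remote):
            return True
    return False


def decide(src, dst, in_ifc, out_ifc):
    """What the ASA does to a new connection src->dst (nat-control disabled):
    'exempt', 'pat:<egress interface>' or 'untranslated'."""
    if nat0_exempt(src, dst, in_ifc, out_ifc):
        return "exempt"
    nat_id = DYNAMIC_NAT.get(in_ifc)
    if nat_id is not None and (out_ifc, nat_id) in GLOBALS:
        return f"pat:{out_ifc}"
    return "untranslated"


if __name__ == "__main__":
    # Constructed sample flows: PC -> web server, web server -> SQL server, PC -> Internet
    for flow in [("10.0.0.5", "10.0.1.10", "MainLan", "Weborder"),
                 ("10.0.1.10", "10.0.0.20", "Weborder", "MainLan"),
                 ("10.0.0.5", "203.0.113.9", "MainLan", "outside")]:
        print(flow, "->", decide(*flow))
```

On the ASA itself, `packet-tracer input MainLan tcp 10.0.0.5 1025 10.0.1.10 80` shows the same NAT decision for a real flow.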

Thank you very much for your help!

I can try it in a few days, I will inform you about...
