creating rules on cisco pix

par13 (Level 1)

Could anyone help me to create a few basic rules that will allow this traffic to flow through the Cisco PIX firewall?

internal networks:

192.168.1.0/24

192.168.2.0/24

Both need to be able to search internet websites, browse, and connect to other remote networks (ex. 10.5.1.0/24).

On the other hand, a remote network (ex. 10.5.1.0/24) needs to have access to the internal network 192.168.1.0/24.

Can you provide an example?

Thanks

37 Replies

I will have it tested tomorrow morning.

On the other hand, do these settings provide some protection to the internal network?

The internal hosts should access the web getting translated to the outside IP of the ASA.

There's protection in terms that no inbound access is permitted by the ASA (with the exception of the replies for the outbound connections).

It's in fact a very basic configuration and normally you would want to change your internal addressing scheme to a private range of IPs.

Federico.


Federico,

I made the changes according to the new configuration file, and the internal network still can't see any host on the 172.31.53.0/24 network. The 172.31.53.0/24 network would be outside of the firewall.

The internal networks can go to the Internet?

If so, then the ASA is allowing the traffic out fine.

According to the diagram, the external network is outside the ASA (but it is not directly connected, is it?). Is this external network another office geographically located on a different site?

We need to check if the problem is with your ASA or with the external network not knowing how to reach your internal networks.

Federico.

The internal host can't see any host outside of the firewall.

Do the following for testing purposes:

access-list OUTSIDE permit icmp any any

access-group OUTSIDE in interface outside

Then, try to PING 172.31.53.106 from an internal host.

You should see a translation when doing 'sh xlate local x.x.x.x', where x.x.x.x is the IP of the inside machine sourcing the PING packets.

Federico.

From inside the network, a ping from 146.186.174.133 through the firewall to the outside network, attempting to reach 172.31.53.106, failed.

However, from inside of the firewall, I can ping both directions, internal and external hosts.

You say:

However, from inside of the firewall, I can ping both directions, internal and external hosts.

This means that you have Internet access from your internal network through the Firewall?

Federico.

Federico,

What I meant was within the firewall appliance. Not from the internal host(s).

In other words, if I connect to the firewall using PuTTY, the firewall appliance can ping. But both sides of the network, internal and external, cannot see each other.

Do you see the 'xlate' created as I said?

Federico.

Yes, it says: PAT GLOBALS 172.31.53.100(5) Local 146.186.174.133 ICMP id 512

Eureka, pinging works from inside to outside.

Now, the host(s) behind the firewall will need to access other services:

Do I always have to use NAT? For example, if there is a remote network that I can trust (Active Directory), then it needs to see the computers behind the firewall; otherwise, Microsoft Active Directory won't be able to communicate properly.

Next, I need to allow this type of traffic from inside to outside:

Telnet

Printing thru Print Server

FTP

https

Microsoft DFS

Check EMail

And, in both internal networks, these computers are joined to an Active Directory server located remotely. Therefore, the remote servers will need to have access to these two networks. Can you provide a simple rule (or rules) for the servers, to make sure that authentication and Active Directory communication do not get interrupted?

And, in some communication instances, the internal clients will have direct communication with other network(s). In other words, communication between the internal subnet(s) and other remote subnet(s) should be open. This is most certainly the case between trusted network(s).

Thanks

Hi,

If you would like to learn, the idea is simple:

Communication from inside to outside needs NAT and permit ACL.

Communication from outside to inside needs STATIC NAT and permit ACL.

This means that if you want to provide Internet access to your internal network x.x.x.x/24, you do:

nat (inside) 1 x.x.x.x 255.255.255.0

global (outside) 1 interface

For inbound access to an HTTP server:

static (inside,outside) public_IP_FTP z.z.z.z

z.z.z.z will be the real IP of the FTP server

public_IP_FTP will be the public IP assigned to the FTP server so that it will be reachable from the Internet.

access-list OUTSIDE permit tcp any host public_IP_FTP eq 80

access-group OUTSIDE in interface outside

The same basic rules apply for all scenarios (like I said, based on security levels).

Federico.
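To make the two rules in the reply above concrete (inside-to-outside needs nat/global, outside-to-inside needs a static), here is an added Python model of how a classic PIX/ASA (pre-8.3) resolves those three statement forms for the two internal networks from the question. This is example code written for this page, not Cisco's implementation; the outside interface address 203.0.113.10, the mapped address 203.0.113.20 and the inside host 192.168.1.50 are constructed values, and the model ignores the ACL check that a real flow must also pass.

```python
"""
Model of the classic PIX/ASA (pre-8.3) translation rules described in the
reply above, written as an added example; it is not Cisco code and only
mirrors three statement forms:

  nat (inside) <id> <net> <mask>           dynamic NAT group <id>
  global (outside) <id> interface          PAT group <id> to the outside IP
  static (inside,outside) <mapped> <real>  one-to-one, usable inbound

Every address below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the address the outside interface carries (RFC 5737 test range).
OUTSIDE_INTERFACE_IP = "203.0.113.10"

# Constructed configuration for the two internal networks from the question,
# plus one static so a single inside host can be reached from outside.
SAMPLE_CONFIG = """
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 203.0.113.20 192.168.1.50
"""


@dataclass
class NatTable:
    nat_groups: Dict[int, List[ipaddress.IPv4Network]] = field(default_factory=dict)
    global_pools: Dict[int, str] = field(default_factory=dict)   # group id -> mapped IP
    statics: Dict[str, str] = field(default_factory=dict)        # real IP -> mapped IP

    def load(self, config: str, outside_ip: str = OUTSIDE_INTERFACE_IP) -> None:
        for raw in config.splitlines():
            t = raw.split()
            if len(t) < 4:
                continue
            if t[0] == "nat" and t[1] == "(inside)":
                net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
                self.nat_groups.setdefault(int(t[2]), []).append(net)
            elif t[0] == "global" and t[1] == "(outside)":
                self.global_pools[int(t[2])] = outside_ip if t[3] == "interface" else t[3]
            elif t[0] == "static" and t[1] == "(inside,outside)":
                self.statics[t[3]] = t[2]          # mapped address comes first on the PIX

    def outbound(self, src: str) -> Optional[str]:
        """Mapped address an inside host gets when it opens a connection out.
        A static wins over dynamic nat/global, as on the real box; None means
        no translation exists and the firewall would drop the flow."""
        if src in self.statics:
            return self.statics[src]
        addr = ipaddress.ip_address(src)
        for gid, nets in self.nat_groups.items():
            if gid in self.global_pools and any(addr in n for n in nets):
                return self.global_pools[gid]
        return None

    def inbound(self, dst_mapped: str) -> Optional[str]:
        """Real inside address that an outside-initiated connection to
        dst_mapped would reach. Only a static provides one: the PAT address
        on the outside interface accepts replies for existing xlates only."""
        for real, mapped in self.statics.items():
            if mapped == dst_mapped:
                return real
        return None


def build_table(config: str = SAMPLE_CONFIG) -> NatTable:
    """Parse the constructed configuration into a NatTable."""
    table = NatTable()
    table.load(config)
    return table


if __name__ == "__main__":
    t = build_table()
    for host in ("192.168.2.7", "192.168.1.50", "10.9.9.9"):
        print(f"{host:>14} outbound -> {t.outbound(host)}")
    for mapped in ("203.0.113.20", "203.0.113.10"):
        print(f"{mapped:>14} inbound  -> {t.inbound(mapped)}")
```

Running it shows that any host in 192.168.1.0/24 or 192.168.2.0/24 leaves as 203.0.113.10 (the PAT address seen in the 'sh xlate' output earlier in the thread), that 192.168.1.50 instead uses its static 203.0.113.20 in both directions, and that a connection from outside to the PAT address itself reaches nothing: that is the protection Federico describes, and the reason a trusted remote network such as a domain controller's needs a static for each inside host it must reach.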

Hi,

Everything you say makes sense.

so for allowing:

1) internal host to browse the internet:

access-list inside permit tcp any any eq 80

2) internal host to ftp to a remote ftp server

access-list inside permit tcp any any eq 21

3) internal host to https websites

access-list inside permit tcp any any eq 443
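The three proposed entries above, together with the OUTSIDE access-list from earlier in the thread, can be checked offline with the following added Python evaluator, which applies the same first-match, implicit-deny semantics the PIX uses. It is example code written for this page, not Cisco code; the ACL names INSIDE_TYPO and INSIDE, the LDAP entry for a remote Active Directory network and all addresses in the checks are constructed. It deliberately carries one entry written with eq 22 in place of eq 21, because that mix-up (22 is SSH, FTP control is 21) is what breaks the FTP rule. One caveat for pre-8.3 code: an access-list on the outside interface matches the mapped (translated) destination address, so an entry with destination 192.168.1.0/24 only makes sense together with a static that keeps those addresses unchanged.

```python
"""
First-match evaluator for the PIX/ASA access-list form used in this thread,
added as an example (not Cisco code). It parses only
  access-list NAME permit|deny PROTO SRC DST [eq PORT]
with SRC and DST as 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; object-groups,
ranges, 'log' and numbered ACLs are out of scope. The sample ACL lines and all
addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the service names the PIX accepts after 'eq'.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
                 "telnet": 23, "smtp": 25, "pop3": 110, "ldap": 389}

# INSIDE_TYPO carries an FTP entry written with port 22 (SSH); INSIDE uses the
# FTP control port 21. OUTSIDE is the test ACL from the thread plus an LDAP
# entry for a remote Active Directory network (constructed addresses).
SAMPLE_ACLS = """
access-list INSIDE_TYPO permit tcp any any eq 80
access-list INSIDE_TYPO permit tcp any any eq 22
access-list INSIDE_TYPO permit tcp any any eq 443
access-list INSIDE permit tcp any any eq 80
access-list INSIDE permit tcp any any eq 21
access-list INSIDE permit tcp any any eq 443
access-list OUTSIDE permit icmp any any
access-list OUTSIDE permit tcp 10.5.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ldap
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at t[i]; return the network and the next index."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(text: str, name: str) -> List[Ace]:
    """Collect the entries of ACL `name` in configuration order."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = SERVICE_PORTS.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[2], t[3], src, dst, dport))
    return aces


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """The first matching entry decides; an ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def check(acl_name: str, proto: str, src: str, dst: str,
          dport: Optional[int] = None) -> str:
    """Evaluate one flow against a named ACL from SAMPLE_ACLS."""
    return evaluate(parse_acl(SAMPLE_ACLS, acl_name), proto, src, dst, dport)
```

Calling check("INSIDE_TYPO", "tcp", "192.168.1.10", "198.51.100.5", 21) returns "deny" while the same flow against INSIDE returns "permit", which is the whole difference between the two FTP entries. The OUTSIDE checks show why the icmp-only test ACL is safe to leave in briefly: it admits nothing but ICMP from outside, and the LDAP entry admits only the one remote network to the one inside network on port 389.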
