02-09-2012 07:35 AM - edited 03-11-2019 03:26 PM
Dear all,
Can anyone tell me where I am going wrong in the attached config?
I just need to send all traffic destined for the 164.100.80.121 and 164.100.80.122 servers (please refer to the attached diagram) from our LAN (192.168.0.0/24 and 172.16.0.0/24) via the PTP link connected to the ASA 5550.
I am able to ping the 164.100.80.121 and .122 servers from the firewall, but not from my LAN. From the LAN I am able to ping the firewall (172.16.0.4).
I am making some mistake in my ASA 5550 firewall. Can anyone please have a look at the attached config and help me see where I am going wrong?
Thanks in advance,
Raghavendra
02-09-2012 07:47 AM
Just for starters - any time you create an access-list on a PIX (or ASA), the appliance will AUTOMATICALLY add a DENY IP ANY ANY as the last statement in that access-list. Even if you do not see it, it is there.
Next - it appears that you are using an IN to OUT access-list for PERMIT statements. Typically an IN to OUT access-list is used for DENY statements (traffic you don't want to escape from your network, blocked destinations, etc.). So the way I read your config, this looks totally backward to me.
3rd - it also appears that you have the device placed between 2 private networks. Is that correct? Maybe this is what you intended to do, but typically an ASA is an edge device that prevents the OUTSIDE world (Internet bad stuff) from getting to your INSIDE private network (good stuff).
If none of this applies, maybe a network diagram might be of help to see what you are trying to accomplish.
02-09-2012 08:51 PM
Thank you, Nagel.
Comments inline:
Just for starters - any time you create an access-list on a PIX (or ASA), the appliance will AUTOMATICALLY add a DENY IP ANY ANY as the last statement in that access-list. Even if you do not see it, it is there.
==>> I need to permit only the object-group defined in my config, so it looks fine to me.
Next - it appears that you are using an IN to OUT access-list for PERMIT statements. Typically an IN to OUT access-list is used for DENY statements (traffic you don't want to escape from your network, blocked destinations, etc.). So the way I read your config, this looks totally backward to me.
==>> But in my case I need to permit only the IPs defined in the object group accessing the 164.100.X.X IPs; everything else is denied. So for me it looks fine! Correct me if I am wrong.
3rd - it also appears that you have the device placed between 2 private networks. Is that correct? Maybe this is what you intended to do, but typically an ASA is an edge device that prevents the OUTSIDE world (Internet bad stuff) from getting to your INSIDE private network (good stuff).
==>> Yes, we want to use an existing ASA 5550 for this purpose. I want this firewall to just work as a router, allowing only the interesting traffic.
If none of this applies, maybe a network diagram might be of help to see what you are trying to accomplish.
==>> At this point all users in the LAN are accessing the 164.100.80.X servers, which are in the DC, via the Internet. Now we have bought a new leased line which connects our office directly to the DC. I just need to terminate this new leased line on this ASA 5550 and send all traffic meant for 164.100.X.X via this leased line.
Thanks,
Raghavendra
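As an added illustration of what the two posts above are discussing (an ASA sitting between a LAN and a PTP link, permitting only the LAN-to-DC-server traffic and relying on the implicit deny for everything else), here is a minimal ASA configuration fragment. It is not the poster's attached config and not a diagnosis of it. The LAN ranges, the two server addresses and the inside address 172.16.0.4 are taken from the thread; the interface names, the PTP link addressing (198.51.100.0/30, a documentation range), the /24 mask on the server network and the LAN router address 172.16.0.1 are assumptions.

```cisco
! Added example config, not the original poster's attached config.
! Assumed: interface names, PTP addressing 198.51.100.0/30, next hop
! 198.51.100.1, LAN router 172.16.0.1, and a /24 for the DC server network.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 172.16.0.4 255.255.255.0
!
interface GigabitEthernet0/1
 nameif ptp
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
object-group network DC_SERVERS
 network-object host 164.100.80.121
 network-object host 164.100.80.122
!
object-group network LAN_NETS
 network-object 192.168.0.0 255.255.255.0
 network-object 172.16.0.0 255.255.255.0
!
! Applied inbound on "inside": only LAN -> DC servers is permitted.
! The ASA ends every access-list with an implicit "deny ip any any";
! the explicit deny below only makes that visible and gives it a hit
! counter in "show access-list".
access-list INSIDE_IN extended permit ip object-group LAN_NETS object-group DC_SERVERS
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
!
! Replies to LAN-originated TCP/UDP sessions come back through the
! stateful connection table, so no permit is needed on "ptp" for them.
! ICMP is only tracked statefully when "inspect icmp" is enabled;
! without it, pings from the LAN fail even though the ACL permits them.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Routing: the servers are reached over the PTP link, and 192.168.0.0/24
! is not directly connected to the ASA, so it needs a route via the LAN
! router (assumed 172.16.0.1).
route ptp 164.100.80.0 255.255.255.0 198.51.100.1 1
route inside 192.168.0.0 255.255.255.0 172.16.0.1 1
```

Two checks worth making when the firewall can ping the servers but the LAN cannot: the LAN hosts (or their default gateway) must actually route 164.100.80.0/24 towards 172.16.0.4 rather than the Internet path, and the DC side must have a return route for 192.168.0.0/24 and 172.16.0.0/24 over the leased line (or the ASA must translate the LAN to an address the DC already routes). A ping sourced from the ASA's own interface address succeeds in either case because the DC only has to route back to the PTP link, which is why that test does not prove the LAN path works.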