Need NAT and Access List Setup Help

Good Evening,

I have been going crazy trying to get this working. I have a subnet of external IPs 1xx.xx.xx.104 255.255.255.248.

Services as follows:

Cable Modem Router is .105.

ASA 5505 .106

WWW/FTP .107

Exchange SMTP/EWS .108

ADFS .110

Internal Web/FTP 192.168.1.218

Internal Exchange: 192.168.1.225

ADFS in DMZ: 192.168.30.50

Internal ADFS: 192.168.1.50

VLANs work internally. I can get out to the internet just fine. I just cannot access any of my servers from external devices. I've tried looking at the logs and I cannot decipher them.

I have attached my config for review. I cannot get to the Exchange Server OWA. SMTP does not work. Cannot get to the IIS web page either. All from external sources. I need ADFS in the DMZ to be the proxy and have access to the Internal ADFS Server. I figure it is NAT and/or my access lists that are not configured properly.

 

PLEASE HELP!!!!

Thanks,

Lance the Novice

Accepted Solution

Lance,

the only thing I can see in the config that doesn't look quite right is your service objects. FTP, for example:

 

object service FTP
 service tcp source eq ftp destination eq ftp
 description Protocol for FTP

You have both the source and destination ports set to eq ftp.

If you are connecting to the FTP server, then the destination port is FTP, but the source can be anything.

 

I would change your service objects to have just the destination set, as below:

object service FTP
 service tcp destination eq ftp
 description Protocol for FTP

 

HTH

Richard.
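To see why the source-port match breaks things, here is an added Python model (not from this thread and not Cisco's ASA code) that parses the two service objects quoted above and checks them against a typical client connection, which uses an ephemeral source port. The port-name table and the matcher are assumptions for illustration only.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two object definitions from Richard's reply, copied verbatim.
BROKEN_OBJECT = """object service FTP
 service tcp source eq ftp destination eq ftp
 description Protocol for FTP"""

FIXED_OBJECT = """object service FTP
 service tcp destination eq ftp
 description Protocol for FTP"""

# Assumed port-name table; only the names used in this example.
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "https": 443}


@dataclass
class ServiceObject:
    name: str
    proto: str
    src_port: Optional[int]  # None means "any source port"
    dst_port: Optional[int]  # None means "any destination port"


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_service_object(text: str) -> ServiceObject:
    """Parse an ASA 'object service' block that uses only 'eq' matches."""
    name = re.match(r"object service (\S+)", text).group(1)
    svc = re.search(r"^\s*service (\w+)(.*)$", text, re.M)
    proto, rest = svc.group(1), svc.group(2)
    src = re.search(r"source eq (\S+)", rest)
    dst = re.search(r"destination eq (\S+)", rest)
    return ServiceObject(name, proto,
                         _port(src.group(1)) if src else None,
                         _port(dst.group(1)) if dst else None)


def matches(obj: ServiceObject, proto: str, src_port: int, dst_port: int) -> bool:
    """True if a flow's protocol and ports satisfy the object (None = any)."""
    return (obj.proto == proto
            and (obj.src_port is None or obj.src_port == src_port)
            and (obj.dst_port is None or obj.dst_port == dst_port))


def client_flow_matches(obj_text: str, src_port: int = 51234) -> bool:
    """A realistic external FTP client: ephemeral source port, destination 21."""
    return matches(parse_service_object(obj_text), "tcp", src_port, 21)
```

The broken object only matches a client that happens to use source port 21, which real clients never do, so the rule that references it silently never fires.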


3 Replies


HTH,

I changed those like you said and still no luck.

I can ping .106 (the address of the ASA), but cannot ping any of the other IPs in the range except the cable router, .105.

I'm really about to give up on this. Hopefully my support contract # will come in soon and I can get TAC on it.

Thanks for your help. I appreciate any help I can get at this point.

 

Lance 

 

UPDATE UPDATE UPDATE

When the cable company installed the modem, they did not set it to bridge across the IP range. Once I told the cable router to bridge the WAN addresses, everything started working!

 

Thanks again for all your help. I am leaving those statements that you told me to put in there.

WOOHOO!

Lance
