please help me how it can be implemented

pawanharlecisco
Level 1

HELP

Please help me.

I have attached the diagram herewith.

1. I want to communicate from the HQ PC to the SERVER in the 10.34.249.0 range.

2. Server IP 10.34.249.0 should communicate with 172.16.105.0.

3. The server should be able to access the Internet using the BSNL modem.

Please help me, it's an emergency.

Network diagram is attached.

Kindly help me with how it can be implemented, and suggest the best approach.

Thank you in advance.

9 Replies

varrao
Level 10

Hi Pawan,

Could you tell what OS you're using on the Cisco ASA 5510, because the config will change if it's ASA 8.3 or later.

Varun

Thanks,
Varun Rao

Thank you Varun for the reply,

Presently the ASA version is 7.0(6). If you suggest it, I can upgrade the ASA OS, but after upgrading, how can it be implemented? Please help me; I'll be very grateful to you.

Regards

Pawan

Hi Pawan,

Can you send me the output of your config on the ASA?

Varun

Thanks,
Varun Rao

ciscoasa# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.200 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUTIN extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp host 192.168.5.2 interface outside
access-list inside_access_out extended permit tcp any any
access-list outside-in extended permit icmp any any
access-list outside-in extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp permit any echo-reply outside
icmp permit any outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.5.0 255.255.255.0
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password TOyVyM6G6TXcuQ5w encrypted privilege 15
http server enable
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:38a13d957a4f0547239d18ea7ea19c67
: end
ciscoasa#

Hi Pawan,

You have three requirements here:

For the servers to be accessible from the Internet, you would need a public IP address for the servers, which would be NATed on the ASA if you are using nat-control, so the network diagram and the configuration that you have provided are not very clear. You need to mention whether nat-control is enabled on the ASA or not, or if you are doing NATing on some other upstream device, because without a public IP mapping, the servers would not be able to access the servers from the Internet.

You also want to access the servers from the 172.16.105.0 network; for that you would need:

static (inside,inside) 10.34.249.0 10.34.249.0
same-security-traffic permit intra-interface
global (inside) 1 interface
sysopt noproxyarp inside

We are U-turning the traffic here.

I am also not sure on what interface you have the Juniper router connected to the ASA. Could you please explain that? Your diagram shows me devices connected to 3 interfaces on the ASA, but there are only two in the config. And what device is 192.168.100.1? I do not see it in the network diagram.

Thanks,

Varun

Thanks,
Varun Rao

Actually I have only configured the ASA for BSNL Internet. And there is no Internet available on the Juniper router; this is a private leased line that came from HQ (Headquarters) to access the SERVER (10.34.249.0) connected to interface E0/2 of the ASA.

My aim is that:

1) The server should be accessible from HQ and from the 172.16.105.0 network only, not from the Internet.

2) And if the server (10.24.249.0) wants to go to the Internet, then it should go to the Internet using the BSNL modem.

Please guide me on the further configuration.

Hi Pawan,

You would need to configure a third interface to which the Juniper router is connected:

interface e0/2
 ip address 10.34.249.34 255.255.255.224
 security-level 99
 no shut
 nameif dmz

and then you need to add the ACL on interface dmz:

access-list dmz_in permit ip any any
access-group dmz_in in interface dmz

and then a NAT command:

static (inside,dmz) 10.34.249.0 10.34.249.0

I have already told you how the network 172.16.105.0 would access the servers.

And for the servers to access the Internet, you would need:

nat (inside) 1 10.34.249.0 255.255.255.224

That's it.

Hope this helps

Thanks,

Varun

Thanks,
Varun Rao

Hi,

First, you can upgrade it to version 8.2, not beyond it, due to memory limitations. But here are the answers to your questions:

1. I want to communicate from the HQ PC to the SERVER in the 10.34.249.0 range.

I assume that there is no NATing done on the Juniper PC and I assume the IP address of HQ to be 10.20.20.20.

Then you need to define the interface:

interface Ethernet0/2
 no shutdown
 nameif HQ_INT
 security-level 50
 ip address 10.20.20.1 255.255.255.0

Then you need an ACL:

ACL source (IP): 10.20.20.20 and destination (IP): 10.34.249.0/24

Return traffic will work since return traffic is from a higher to a lower security-level interface.

2. Server IP 10.34.249.0 should communicate with 172.16.105.0.

Here I assume that both subnets have their default gateway at your firewall. For that you will have to sub-divide your interface Inside into two parts:

interface Ethernet0/1
 nameif inside
 security-level 100
 no ip address 192.168.5.1 255.255.255.0

interface Ethernet0/1.249
 vlan 249
 security-level 80
 nameif Inside-SRV
 ip address 10.34.249.1 255.255.255.0
 no shut

interface Ethernet0/1.105
 vlan 105
 security-level 80
 nameif Inside-
 ip address 172.16.105.1 255.255.255.0
 no shut

Now you can add the ACLs.

ACL source (IP): 172.16.105.0/24, destination (IP): 10.34.249.0/24, and apply it as incoming on Eth0/1.105

ACL source (IP): 10.34.249.0/24, destination (IP): 172.16.105.0/24, and apply it as incoming on Eth0/1.249

Alternatively, allow same-security-traffic permit inter-interface.

3. The server should be able to access the Internet using the BSNL modem.

Add ACL source, destination: Any

Then add NATing:

Source:

Destination: Any

NAT: Outside Interface

I hope it helps

//Tiwana

Gursimranjeet singh Tiwana

As you suggested, I have done the same, but still it is not working; please help me. I have mentioned the config below.

Version 8.0(3)
!
hostname ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.100.200 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet1.105
 vlan 105
 nameif L3LAN
 security-level 80
 ip address 172.16.105.1 255.255.255.0
!
interface Ethernet1.249
 vlan 249
 nameif SERVER
 security-level 80
 ip address 10.34.249.2 255.255.255.0
!
interface Ethernet2
 nameif HQ
 security-level 50
 ip address 20.20.20.21 255.255.255.0
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list OUTIN extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp host 192.168.5.2 interface outside
access-list inside_access_out extended permit tcp any any
access-list outside-in extended permit icmp any any
access-list outside-in extended permit ip any any
access-list 100 extended permit ip 172.16.105.0 255.255.255.0 10.34.249.0 255.255.255.0
access-list 101 extended permit ip 10.34.249.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list 102 extended permit ip interface SERVER any
pager lines 24
mtu HQ 1500
mtu outside 1500
mtu inside 1500
mtu L3LAN 1500
mtu SERVER 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 access-list 102 outside
nat (inside) 1 192.168.5.0 255.255.255.0
access-group outside-in in interface outside
access-group 100 in interface L3LAN
access-group 101 in interface SERVER
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
route HQ 3.3.3.0 255.255.255.0 20.20.20.20 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
!
policy-map global_policy
!
prompt hostname context
Cryptochecksum:bbc9dd9cd02e6959f717f0d9ac61545f
: end
ASA#
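An added check, not from the thread or from Cisco: it parses the access-list, access-group and nameif lines of a pre-8.3 ASA running config and reports interfaces whose inbound ACL contains `permit ip any any` (the outside interface in the config above, which contradicts the requirement that the servers be reachable only from HQ and 172.16.105.0) and named interfaces that have no inbound ACL bound at all. The embedded config is a constructed excerpt of the posted one, trimmed to the lines the check reads.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ASA 8.0(3) config posted above (nameif/ACL/access-group lines only).
SAMPLE_CONFIG = """\
 nameif outside
 nameif inside
 nameif L3LAN
 nameif SERVER
 nameif HQ
access-list outside-in extended permit ip any any
access-list 100 extended permit ip 172.16.105.0 255.255.255.0 10.34.249.0 255.255.255.0
access-list 101 extended permit ip 10.34.249.0 255.255.255.0 172.16.105.0 255.255.255.0
access-list 102 extended permit ip interface SERVER any
access-group outside-in in interface outside
access-group 100 in interface L3LAN
access-group 101 in interface SERVER
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)$")


def parse(config):
    """Collect ACL entries by name, inbound ACL bindings per interface, and named interfaces."""
    acls, bindings, ifaces = defaultdict(list), {}, []
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            bindings[m.group(2)] = m.group(1)  # interface -> ACL name
        elif m := NAMEIF_RE.match(line):
            ifaces.append(m.group(1))
    return acls, bindings, ifaces


def audit(config):
    """Return sorted findings: 'permit ip any any' inbound, and interfaces with no inbound ACL."""
    acls, bindings, ifaces = parse(config)
    findings = []
    for iface, acl in bindings.items():
        for action, proto, rest in acls.get(acl, []):
            if action == "permit" and proto == "ip" and rest == "any any":
                findings.append(f"{iface}: ACL {acl} permits ip any any inbound")
    for iface in ifaces:
        if iface not in bindings:  # traffic here is governed only by security-level rules
            findings.append(f"{iface}: no inbound access-group")
    return sorted(findings)
```

Run `audit(SAMPLE_CONFIG)` against a full `show run` capture; an interface with no access-group is not necessarily a fault, but it should be a deliberate choice.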
