05-08-2012 12:48 AM - edited 03-11-2019 04:03 PM
Hi.
I have an ASA 5510 with one external interface (eth0) and one internal interface (eth1) with 4 VLAN interfaces 'attached' to eth1.
I have external services published on VLAN 2, but am unable to reach these services (i.e. webmail.domain.com) from the physical eth1 (or any of the other VLANs).
I am able to reach these services from external sites, but as long as I am on the inside network I am not.
When reading the log I see the following:
Service #1 - webmail.domain.com
Main IP for outside network is 109.x.x.12
IP for service webmail.domain.com is 109.x.x.15
6 | May 08 2012 | 09:42:54 | 305011 | 192.168.x.57 | 2758 | 109.x.x.12 | 33854 | Built dynamic TCP translation from any:192.168.x.57/2758 to OutsideISP:109.x.x.12/33854 |
6 | May 08 2012 | 09:42:54 | 302013 | 192.168.x.57 | 2758 | 109.x.x.15 | 443 | Built outbound TCP connection 1005229 for OutsideISP:109.x.x.15/443 (109.x.x.15/443) to insidenetwork.local:192.168.x.57/2758 (109.x.x.12/33854) |
And that is it, after a while the connection times out and I get a Teardown message in the log.
05-08-2012 01:23 AM
Hi Thomas,
Could you post your configuration as well? It would make the issue easier to understand.
Thanks,
Varun
05-08-2012 01:48 AM
Sure, I have to remove some of the stuff, but I think this will show the stuff you need:
ASA Version 8.4(2)
!
interface Ethernet0/0
nameif OutsideISP
security-level 0
ip address 109.x.x.12 255.255.255.x
!
interface Ethernet0/1
nameif inside.local
security-level 100
ip address 192.168.x.1 255.255.255.0
!
interface Ethernet0/1.2
vlan 2
nameif services.local
security-level 100
ip address 10.20.2.1 255.255.255.0
!
interface Ethernet0/1.3
vlan 3
nameif vlan3.local
security-level 100
ip address 10.20.3.1 255.255.255.0
!
interface Ethernet0/1.26
vlan 26
nameif guest.local
security-level 40
ip address 10.11.26.1 255.255.255.0
!
interface Ethernet0/1.60
vlan 211
nameif canteen.local
security-level 100
ip address 172.16.60.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name inside.local
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network [3]EXCH-CAS-01
host 10.20.2.30
object network [0]webmail.domain.com
host 109.x.x.15
access-list services.local_access_in extended permit ip 10.20.2.0 255.255.255.0 any
access-list OutsideISP_access_in extended permit tcp any object [3]EXCH-CAS-01 eq https
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu OutsideISP 1500
mtu inside.local 1500
mtu vlan2.local 1500
mtu services.local 1500
mtu canteen.local 1500
mtu guest.local 1500
ip verify reverse-path interface OutsideISP
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
object network obj_any
nat (any,OutsideISP) dynamic interface
object network [3]EXCH-CAS-01
nat (services.local,OutsideISP) static [0]webmail.domain.com
access-group OutsideISP_access_in in interface OutsideISP
access-group inside.local_access_in in interface inside.local
access-group services.local_access_in in interface services.local
route OutsideISP 0.0.0.0 0.0.0.0 109.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SecurEnvoy-AAA protocol radius
aaa-server SecurEnvoy-AAA (inside.local) host 192.168.x.11
key xxxxxxxxxxxxxxxxxxx
authentication-port 1812
user-identity default-domain LOCAL
http server enable
http 192.168.x.x 255.255.255.0 inside.local
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 129.240.2.6 source OutsideISP
ssl trust-point ASDM_TrustPoint0 OutsideISP vpnlb-ip
ssl trust-point ASDM_TrustPoint0 OutsideISP
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
: end
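A way to spot the symptom from the first post in exported ASDM logs, added here as an illustration and not code from the thread: the script parses the pipe-separated 302013 lines and flags connections where a host on an inside interface was sent out OutsideISP toward one of the published static NAT addresses (here the [0]webmail.domain.com address mapped to [3]EXCH-CAS-01), which is exactly what the log above shows. The sample log lines are constructed, and the octets 109.0.0.x / 192.168.5.x stand in for the redacted 109.x.x.x / 192.168.x.x values.

```python
import re

# One connection endpoint as printed in ASA message 302013:
#   interface:real_ip/real_port (mapped_ip/mapped_port)
ENDPOINT_RE = re.compile(r"(\S+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")

# Published services from the thread's 'nat (services.local,OutsideISP) static'
# statement: public (mapped) address -> (server interface, real server address).
# 109.0.0.15 is a constructed stand-in for the redacted 109.x.x.15.
PUBLISHED = {"109.0.0.15": ("services.local", "10.20.2.30")}
OUTSIDE_IF = "OutsideISP"

# Constructed sample in the '|'-separated ASDM export format used in the thread.
SAMPLE_LOG = "\n".join([
    "6 | May 08 2012 | 09:42:54 | 305011 | 192.168.5.57 | 2758 | 109.0.0.12 | 33854 | Built dynamic TCP translation from inside.local:192.168.5.57/2758 to OutsideISP:109.0.0.12/33854 |",
    "6 | May 08 2012 | 09:42:54 | 302013 | 192.168.5.57 | 2758 | 109.0.0.15 | 443 | Built outbound TCP connection 1005229 for OutsideISP:109.0.0.15/443 (109.0.0.15/443) to inside.local:192.168.5.57/2758 (109.0.0.12/33854) |",
    "6 | May 08 2012 | 09:43:10 | 302013 | 10.20.3.8 | 51000 | 10.20.2.30 | 443 | Built outbound TCP connection 1005230 for services.local:10.20.2.30/443 (10.20.2.30/443) to vlan3.local:10.20.3.8/51000 (10.20.3.8/51000) |",
    "6 | May 08 2012 | 09:44:01 | 302013 | 203.0.113.9 | 40000 | 109.0.0.15 | 443 | Built inbound TCP connection 1005231 for OutsideISP:203.0.113.9/40000 (203.0.113.9/40000) to services.local:10.20.2.30/443 (109.0.0.15/443) |",
])


def parse_302013(line):
    """Return the two endpoints of a 302013 'Built ... connection' line, else None."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 9 or fields[3] != "302013":
        return None
    ends = ENDPOINT_RE.findall(fields[8])
    return ends if len(ends) == 2 else None


def find_hairpin_failures(log_text):
    """Flag connections an inside host opened to a published public address that the
    ASA sent out OUTSIDE_IF instead of translating back to the real server.
    Returns (client_ip, public_ip, real_server_ip, server_interface) per hit."""
    hits = []
    for line in log_text.splitlines():
        ends = parse_302013(line)
        if not ends:
            continue
        for a, b in ((ends[0], ends[1]), (ends[1], ends[0])):
            a_if, a_real, b_if, b_real = a[0], a[1], b[0], b[1]
            if a_if == OUTSIDE_IF and a_real in PUBLISHED and b_if != OUTSIDE_IF:
                server_if, server_ip = PUBLISHED[a_real]
                hits.append((b_real, a_real, server_ip, server_if))
    return hits


if __name__ == "__main__":
    for client, public, server, server_if in find_hairpin_failures(SAMPLE_LOG):
        print(f"{client} reached {public} via {OUTSIDE_IF}; expected {server} on {server_if}")
```

Only the second sample line is flagged: the inside-to-inside connection on line three and the genuine inbound connection on line four are left alone.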