01-27-2017 05:44 AM - edited 03-12-2019 01:50 AM
Hello!
I am new to the Cisco ASA world. I do have experience with Cisco switching and routing; however, the ASA is a new learning opportunity for me. With that, I have a question about remote connections through the ASA firewall.
Environment: Lab Firewalled off from the Corp. LAN with ASA 5525-X.
Corp Network: 10.110.X.X (outside), 10.120.X.X
Lab Network: 10.110.101.X (Inside)
Remote Users on Corp LAN: 20 (DHCP)
Servers to Attach to in LAB: 4
Needs:
Since the Corp. LAN is on DHCP, I need to create rule(s) that allow all remote connections to 10.110.101.X from the 2 networks (10.110.X.X and 10.120.X.X) through the firewall to connect to the LAB servers.
Hope this makes sense. Thanks for your help in advance.
01-27-2017 10:18 AM
Hi Scott,
Going with your query, it seems that we need to allow traffic from one subnet to another. This can be done by applying access lists on the required interface and allowing the interesting traffic.
If you need assistance with that, please draw a topology and let me know which traffic you want to allow.
-
Regards,
Pulkit
01-27-2017 11:13 AM
Scott,
Going with the attached diagram, we need to create an access list to allow the source subnet to the destination servers. We do not need to worry about the return traffic, since the ASA, being a stateful device, will keep track of it.
However, since the source subnets are not directly connected, we also need to ensure that proper routing is in place, and we should be good.
Let me know if you have any additional query.
-
Pulkit
Please rate helpful posts.
03-02-2017 11:56 AM
Pulkit,
I have just gotten to the point where I could test the above and I am getting the below error when attempting to access the PC via RDP from another subnet. Please see below:
The message is seen when I attempt an RDP session to 10.190.201.232 from 10.190.80.196.
5 Mar 02 2017 14:50:53 10.190.80.196 64379 10.190.201.232 3389 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.190.80.196/64379 dst Deltav:10.190.201.232/3389 denied due to NAT reverse path failure
I can upload the configuration if need be.
Any help will be greatly appreciated.
04-23-2017 05:17 PM
Scott,
Yes, please upload the configuration and packet-tracer output for this setup.
Regards,
Pulkit
01-27-2017 10:45 AM
Just adding ACL entries to the outside interface allowing 10.110.x.x and 10.120.x.x to 10.110.101.x on a specified port or all ports (IP). Depending on what the rest of your network looks like, you might also need to establish routing to the 10.110.101.x network.
--
Please remember to select a correct answer and rate helpful posts
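An added example configuration (not posted by anyone in this thread) that puts together the advice above: the inbound ACL on the outside interface, the route back to the non-connected corporate subnet, and an identity NAT rule of the kind that normally resolves the "NAT reverse path failure" message quoted earlier. Addresses are the ones from the first post; the interface names, object names and the 10.110.0.1 next hop are assumptions.

```cisco
! Objects for the two corporate source ranges and the lab servers.
! Interface names (outside/inside) and object names are assumed.
object-group network CORP_USERS
 network-object 10.110.0.0 255.255.0.0
 network-object 10.120.0.0 255.255.0.0
object network LAB_SERVERS
 subnet 10.110.101.0 255.255.255.0
!
! Inbound ACL on the outside interface: permit only RDP (tcp/3389)
! from the corporate ranges to the lab subnet; log everything else.
! Replace "eq 3389" with "ip" permits if all ports are really required.
access-list OUTSIDE_IN extended permit tcp object-group CORP_USERS object LAB_SERVERS eq 3389
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Return traffic needs no ACL entry (stateful inspection), but the ASA
! must know how to reach 10.120.0.0/16; 10.110.0.1 is an assumed next hop.
route outside 10.120.0.0 255.255.0.0 10.110.0.1
!
! "Asymmetric NAT rules matched ... NAT reverse path failure" usually means
! the reverse flow matched a different NAT rule than the forward flow
! (typically a dynamic PAT for inside hosts). An identity twice-NAT rule
! at line 1 keeps both directions untranslated for this traffic.
nat (inside,outside) 1 source static LAB_SERVERS LAB_SERVERS destination static CORP_USERS CORP_USERS no-proxy-arp route-lookup
!
! Verify the whole path with packet-tracer; 10.110.55.23 and 10.110.101.10
! are constructed sample addresses.
packet-tracer input outside tcp 10.110.55.23 64379 10.110.101.10 3389 detailed
```

Because 10.110.101.0/24 falls inside the 10.110.0.0/16 corporate range as described, the corporate core also needs a more specific route for the lab /24 pointing at the ASA's outside interface, or return traffic never reaches the firewall.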