07-28-2009 12:34 PM - edited 03-11-2019 09:00 AM
I am installing an ASA 5510 in transparent mode; it's behind a Cisco 3745 router that has NAT translation in the configs.
After I set up the ASA 5510, I created access lists for web server access. All traffic inside passes through fine; however, when an outside user tries to access the web site, the page connection will not load.
Do I have to set a NAT rule for outside access? If not, what other suggestions does anyone have?
08-03-2009 05:47 AM
These are the IPs we are concerned with, correct?
172.21.0.75 & 172.21.9.172
08-03-2009 09:56 AM
No, these are not. I have been playing with the issue. The routing issue is in the ASA. When removed from the network, all traffic moves easily. With the ASA in line, traffic from remote subnets can go out to the web but not to the 172.21.0.0 network for email or file sharing. However, I can ping computers in that subnet, but not traceroute.
I allowed EIGRP to go through the ASA, but I wonder if the commands are correct.
What commands should be used to allow EIGRP to pass from 172.21.0.1 to 172.21.0.7 and vice versa?
08-03-2009 10:37 AM
You need to allow it with an extended access-list:
access-list Outside_WWW extended permit eigrp host 1.1.1.1 host 2.2.2.2
A helpful link as well-
08-03-2009 02:45 PM
I have those configs in the ASA.
That one glitch is all that the problem is and I cannot figure it out.
Have to try again.
08-04-2009 10:29 AM
I resolved the issue. It was a matter of changing the server's gateway to the router handling the internal subnets.
Thanks for your help.
08-04-2009 11:51 AM
Glad to hear it's all working.
07-31-2009 10:32 AM
I have some interesting info, first,
I did a traceroute to the computers that cannot access the web server and traceroute reached the computer. Also, I tested the website access on PCs in remote building and it worked. It seems to affect the Macs that are on the remote subnets.
Still poking around.
07-31-2009 10:54 AM
More interesting info: after I do a traceroute from the server to the machine that fails to connect, the computer can then access the mail server and website.
I tested that on 2 computers and they succeeded.
Any suggestions on how to eliminate this would be great.
07-29-2009 07:44 AM
The VPN access list is for VPN Server.
The WWW access list is for the WWW and Mail server. They are 2 different servers on a NAT scheme.
I need to apply the Access-list for WWW to the outside interface for HTTP traffic to our web server.