09-19-2008 10:19 AM - edited 03-09-2019 09:31 PM
Cisco ASA 5510. Outside NIC connected to ISP with real internet IP
addresses. Inside NIC connected to DMZ 172.17.193.0/24 with address
172.17.193.100.
Brand new clean ISA 2006 SP1. Outside NIC connected to 172.17.193.0/24
DMZ with address 172.17.193.1. Inside NIC connected to UAT
44.44.44.0/24 with address 44.44.44.109.
VPN user connects to the ASA (gets a 192.168.20.0/24 IP address). On
the ASA, there is:
access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0
route inside 44.44.44.0 255.255.255.0 172.17.193.1 1
What I have now on the ISA FW policy:
1. Allow, RDP, From External, To Internal and Local host
2. Allow, All Outbound Traffic, From Internal and Local host, To External
Can 44.44.44.x browse Internet? No.
Can VPN Clients RDC 44.44.44.x devices? Yes.
Can VPN Clients RDC 44.44.44.109 (ISA)? Yes.
Can 44.44.44.x RDC 172.17.193.x devices? No.
Does anyone know if there's anything I have to make changes to on the ASA to make sure all the questions are YES?
09-19-2008 06:48 PM
Do you have NAT in the ASA like
nat (inside) 1 0 0
global (outside) 1 interface
This is for inside hosts to access the Internet.
09-22-2008 08:12 AM
I have this:
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.17.193.0 255.255.255.0
09-22-2008 09:57 AM
Your message gave me some clues. I had to add:
access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 1 44.44.44.0 255.255.255.0
On a side note,
nat (inside) 1 44.44.44.0 255.255.255.0
nat (inside) 1 172.17.193.0 255.255.255.0
Can I just have nat (inside) 1 0 0 then instead of having the above 2?
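Added example (not part of the thread and not Cisco code): a small Python model of the pre-8.3 ASA NAT lookup order on the inside interface, run against the rules quoted in the posts above, including the `nat (inside) 1 0 0` form. The sample host addresses and function names are assumptions, as is nat-control being off (unmatched traffic leaves untranslated); the earlier contents of inside_nat0_outbound are not shown in the thread and are modelled as empty.

```python
import ipaddress as ip

def net(addr, mask):
    # "0 0" is the ASA shorthand for 0.0.0.0 0.0.0.0 (any source)
    return ip.ip_network("0.0.0.0/0" if (addr, mask) == ("0", "0") else f"{addr}/{mask}")

def nat_decision(src, dst, exempt_acl, nat_rules, global_ids):
    """Classify one inside->outside flow as 'exempt', 'pat:<id>' or 'untranslated'."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    # 1. NAT exemption (nat 0 access-list) is checked before dynamic NAT
    if any(s in sn and d in dn for sn, dn in exempt_acl):
        return "exempt"
    # 2. Regular dynamic NAT: the most specific matching source network wins
    hits = [(n.prefixlen, nid) for nid, n in nat_rules if s in n]
    if hits and max(hits)[1] in global_ids:
        return f"pat:{max(hits)[1]}"
    # 3. No rule: packet leaves with its real source (dropped if nat-control is on)
    return "untranslated"

GLOBAL_IDS = {1}                                    # global (outside) 1 interface
DMZ, UAT = net("172.17.193.0", "255.255.255.0"), net("44.44.44.0", "255.255.255.0")
VPN_POOL = net("192.168.20.0", "255.255.255.0")

BEFORE = dict(exempt_acl=[], nat_rules=[(1, DMZ)])             # ACL contents assumed empty
AFTER = dict(exempt_acl=[(UAT, VPN_POOL)], nat_rules=[(1, DMZ), (1, UAT)])
CATCH_ALL = dict(exempt_acl=[(UAT, VPN_POOL)], nat_rules=[(1, net("0", "0"))])

# Constructed sample flows: UAT host to Internet, UAT host to VPN client, DMZ host to Internet
FLOWS = [("44.44.44.20", "198.51.100.10"), ("44.44.44.20", "192.168.20.5"),
         ("172.17.193.50", "198.51.100.10")]

def evaluate(cfg):
    return [nat_decision(s, d, global_ids=GLOBAL_IDS, **cfg) for s, d in FLOWS]

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("nat 1 0 0", CATCH_ALL)):
        print(f"{name:10}", evaluate(cfg))
```

In this model the catch-all rule gives the same result as the two per-subnet rules for these flows; it would also translate any other source network that arrives on the inside interface.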