Setting Up ASA 5505 Behind ASA 5510

FoxtrotRomeo
Level 1

Attached is a diagram of my network. My company has leased some office space to an outside company that handed me a 5505 and said "We want to VPN to our HQ through your Internet". I have two issues: I need this to work and I need to be able to access the 5505 from the management network. I don't care about the VPN aspect as much as making sure that I have basic communication down. I have everything configured per the diagram, but I can't ping the 5505 outside (Vlan 2) interface. I want to be able to configure and test the VPN setup on the 5505 from Putty on my PC.

The default route on the 5520 sends traffic to 10.10.1.1 and the default route on the 5510 sends traffic to the WAN interface. I added this route on the 5510:

outside 10.94.4.0 255.255.255.0 10.10.8.1

I still can't ping the default gateway on the 5505. There is a switch between my PC and the 5520 but the default route passes the traffic to the 5520. However on my tracert I don't even get to the 5520. What's going on here? Do I have to add a route to the switch just to manage the ASA 5505?

Accepted Solution

No, that is why you a different index number. Just make sure you choose an index number that is not already used. From the look of the 5510 config you have only used 1 as an index number.

Jon


30 Replies

Jon Marshall
Hall of Fame

Frank

Couple of things -

1) Does your route to the 5505 really go via the outside interface? I.e. I would have thought that e0/0 was the outside interface.

2) As for the routing, if the default gateway for the IT management vlan is on the 5520 then no, you should only have to add a route to the outside 5510. You may well need to add a route back from the ASA 5505 though.

Jon

Jon,

Thanks for the response. Per the diagram, the e0/2 interface from the 5510 goes to the 5505.

Not really what I asked. I can see the e0/2 goes to the 5505. What I asked was: is that interface designated as "outside" on the 5510? Because I would have thought that would be e0/0.

Jon

E0/0 is outside on the 5510. 

Frank

Is this solved now ?

Jon

It's not resolved. I can't get to the Internet from behind the 5505. Default route points to the 5510. May be a DNS problem though.

Frank

I only asked because you didn't respond to my original thread, so I thought perhaps it was resolved.

I thought the main issue currently was to be able to get to the 5505 from your management vlan? You have this route on the 5510 -

outside 10.94.4.0 255.255.255.0 10.10.8.1

which is why I have been asking about the outside interface on the 5510. This says that to get to the 10.94.4.0/24 network behind the 5505, go to the Internet. That route should be -

route 10.94.4.0 255.255.255.0 10.10.8.1

Does this make sense?

Jon

Yes it does. I got confused. That route has since been removed from the config. Now the problem I'm having is that the default access rule on e0/2 (5510) is dropping traffic to the Internet. I'm using the packet tracer tool and it's dropping at the ACL rule, which I can't seem to override.

Frank

So the problem is getting to the Internet from the ASA 5505 - is that correct?

If so, where are you NATting the 10.94.x.x addresses before they go to the Internet? Is it on the ASA 5510?

Have you set up NAT on the ASA 5510 on the e0/2 interface?

Without a lot more details and a clear explanation of what you are trying to do it's going to be difficult to help you.

Jon

The 10.94.4.x subnet is being NATted on the 5505. I'm just passing traffic to the 5510 to go to the Internet.

Frank

Apologies, but I can't keep posting requests and getting one-sentence answers. I.e. if the traffic is getting dropped on the 5510, would it not make sense to post the config of the 5510 together with some details of what IP you are pinging from and what IP you are pinging to on the Internet?

The thread started off with the main problem being connectivity between your management vlan and the 10.94.x.x network. I don't know whether this has been fixed, but you are now talking about a completely different problem.

We try our best to help, but we can't guess what the configs are. If you want to sort the problem out then you need to help us by providing all the relevant details, i.e. configs, testing details, etc.

Jon

Jon, I apologize for the confusion, based on my own confusion about the network setup. I'm still trying to wrap my head around the fact that we have two firewalls and a separate company wants to add theirs behind ours. I've decided to split the problem in half instead of worrying about one monolithic configuration. I abandoned plans to do management from the IT network since it's not our device. I'm now focused on Internet access and then IPSEC, which is easy to do once we have connectivity.

The 5510 is handling the NAT translation; I was mistaken. The previous admin left things half-configured and I have to finish the configuration. So at least you can understand why I'm a bit scatter-brained.

Frank

No problem, I wasn't getting annoyed, just trying to get the right information.

IPSEC won't necessarily be easy, since you have a firewall with a private IP on its outside interface, i.e. the 5505, so NAT/PAT issues arise. Ideally the 5505 would have a public IP on its outside interface, but this is not the case.

What type of IPSEC are they talking about - client VPNs or site-to-site VPNs?

Allowing access from the 10.94.x.x network to the Internet should be relatively easy, so let's sort that out first.

1) Make sure you are allowing the traffic through the ASA 5505. As long as you have not applied an ACL on the inside interface then it should be.

2) Make sure there is a default route on the ASA 5505 pointing to 10.10.8.1.

3) On the 5510, it all depends on how your NAT is set up. Let's assume you have a standard setup, i.e. something like -

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

This would be there for your networks to be able to go out to the Internet.

Now let's assume you have called e0/2 "dmz1". Then simply add this to the 5510 config -

nat (dmz1) 1 0.0.0.0 0.0.0.0

That should then allow 10.94.x.x clients to be NATted as well.

4) The 5510 will need a route back to the 10.94.x.x network, i.e.

route dmz1 10.94.4.0 255.255.255.0 10.10.8.2

5) DNS. I don't know how internal clients on the 10.94.x.x network are getting an IP address, i.e. DHCP or static. But the clients on the 10.94.x.x network will need valid DNS servers to be able to type a URL into a web browser and resolve the URL to an IP address. Note that if DHCP is set up on the 5505 then you can set the DNS servers there. You really need to know how the client currently handles DNS, because if they had their own DNS server internally then it would need to be set up to forward unknown requests to Internet DNS servers (probably the same ISP DNS servers that you use).

6) Access-list. If you have applied an ACL to e0/2 then you need to allow their Internet traffic through.
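Pulling steps 2, 3, 4 and 6 together, here is an added configuration example for the 5510 side (and the one 5505 line from step 2). It is not Jon's or Frank's configuration and not the running config of either ASA; it uses the pre-8.3 nat/global syntax the post uses. The interface name dmz1, the security level, the 10.10.8.0/24 addressing (5510 e0/2 = 10.10.8.1, 5505 outside = 10.10.8.2), the ACL name dmz1_in, and the assumption that 10.10.0.0/16 is the company's own internal range are all assumptions; the tenant's public IP is a placeholder. The second nat/global pair shows the point of the accepted answer further down: a dedicated public address for the tenant needs its own index so it does not collide with the existing index 1.

```cisco
! Added example, not from the thread. Assumed: dmz1 name, security-level 50,
! 10.10.8.0/24 link addressing, ACL name dmz1_in, 10.10.0.0/16 as internal.
!
! --- ASA 5510 ---
! e0/2 facing the tenant's 5505
interface Ethernet0/2
 nameif dmz1
 security-level 50
 ip address 10.10.8.1 255.255.255.0
 no shutdown
!
! Existing PAT for the company's own networks (step 3, "standard setup")
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Step 3: let dmz1 hosts share the same outbound PAT pool
nat (dmz1) 1 0.0.0.0 0.0.0.0
!
! Alternative to the line above: a dedicated public IP for the tenant.
! Uses index 2, since index 1 is already taken by the company's own NAT.
! <TENANT-PUBLIC-IP> is a placeholder, not a value from the thread.
! nat (dmz1) 2 10.94.4.0 255.255.255.0
! global (outside) 2 <TENANT-PUBLIC-IP>
!
! Step 4: return route to the tenant's inside network via the 5505 outside address
route dmz1 10.94.4.0 255.255.255.0 10.10.8.2 1
!
! Step 6: an ACL applied inbound on dmz1 replaces the implicit deny, so
! permit only the tenant's subnet, and keep it away from the company's
! internal range before allowing it out to the Internet.
access-list dmz1_in extended deny   ip 10.94.4.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list dmz1_in extended permit ip 10.94.4.0 255.255.255.0 any
access-group dmz1_in in interface dmz1
!
! --- ASA 5505 (step 2) ---
! Default route pointing at the 5510's dmz1 address
! route outside 0.0.0.0 0.0.0.0 10.10.8.1 1
```

The deny line matters because once an access-group is applied, the security-level default (dmz1 at 50 cannot initiate to inside at 100) no longer protects the inside network; a bare `permit ip 10.94.4.0 255.255.255.0 any` would let the tenant reach it. Verifying with `packet-tracer input dmz1 tcp 10.94.4.10 12345 8.8.8.8 80` on the 5510 shows which of these steps (route, NAT, ACL) is still dropping the flow.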

Jon

1. Check.

2. Check

3. This is where it gets hairy. We have a range of public IPs and I want the external company to have their own. So I natted 0.0.0.0 to . This should map any IP on e0/2 to that public IP, right?

4. Fixed. I had this screwed up with a typo.

5. DNS is okay. There's no internal DNS server that I know of, so I just had DHCP serve them up OpenDNS servers.

6. The only ACL on e0/2 is the default one, which is a deny any/any. Would this cause problems?
