ASA5508-X Using Block Of Static IP’s

fbeye
Level 4

So I have my configuration able to Ping from the Router itself (GBit 1/1 using a Static IP set for PPPoE) and I see GBit 1/2 is the LAN 192.168.1.1 but I am having a heck of a time removing the DHCP / Nat and being able to use, at random (to be specified on the device) my Block Of Static IP’s. I currently have no running-config that differs from default aside from the WAN but I am going in circles. I am using my Cisco 891f (which is set the way I liked it) as a reference and with an open mind to the fact this is far more technical but I am just lost.

 

64 Replies

If it did not make sense then, it surely does now. I am telling you, it’s about confidence because reading this latest comment really did tell me what I already knew (because you mentioned it before) but then I second guess myself. A shame.

 

I definitely see a clear painting of how this can all come together and am eager to put it all together.

I also see what you mean about the Static Route so that makes sense as well.

 

I will work on this and keep you updated. Very excited, thank you.

I am glad that my explanations are making more sense now. I encourage you to go ahead with trying to get this to work. You are right that the ASA is a very different kind of device and there is certainly a learning curve in learning how to configure and operate them. I am sure that you will have additional questions as you get deeper into the configuration and operation of your ASA. Feel free to come back to the forum and to ask additional questions.

 

HTH

 

Rick


Looking forward to playing around with this tonight.

 

Going to set up my Static NAT and then my ACL’s.

It just occurred to me why initially my (out of the box) configuration on 1/2 (ADSM) was able to get pinged by my PC but not ping the Gateway x.x.122.182 because what I am assuming was that it had no ACL to do so even though 1/2 is security 100 and 1/1 is security 0.

 

I will keep you updated. Thank you 

 

Matt


 

I am not sure what the issue was, but I do not believe that it was lack of an ACL on 1/2. A device on an interface with security level of 100 should be able to access a device on interface with security level of 0 without needing an ACL.

 

Do keep us posted as you continue to work with your ASA.

 

HTH

 

Rick


Alright.

 

I believe I got it all functioning. Each device is statically set with the 192.168.x.x IP address and is set with NAT on the router to translate to its corresponding External IP. I have verified on each device that it is indeed the correct IP on the internet.

Next step is ACL to allow my Email to work. Being as you said anything 100 can touch 0 without an ACL, I assume I do not need to set any ports /access for "outgoing" Email. So I will work on incoming ports.

 

What I found to be weird is that each device can Ping its Interface but can not ping the Router Gateway but can ping the Internet beyond. Not sure if this is normal or permission based or just odd.

 

The most interesting thing of all is this;

 

When setting up my PPPoE and having it create its own static route, nothing inside could ping outside. Nothing.

I noticed that when PPPoE is active and I try to add a static route it says that the path is already set and the Gateway IP of x.x.121.182 is already assigned, so would not work.

I began messing around and left 1/1 disabled and created a 'route outside 0.0.0.0 0.0.0.0 x.x.121.182' and I could then, from either 1/2 and 1/3 Ping the world... I enabled 1/1 again and it stuck.

I tested my theory and started over, would not work unless I made a static route prior to setting up PPPoE.

 

Matt

 

You are correct about the ACL for email etc. Your outbound traffic should be permitted by default. So you need to configure ACL for inbound.

 

I hope this link will help you with the issue about ping to the outside interface

https://learningnetwork.cisco.com/thread/67899

so this is the expected behavior.

 

For pppoe default route have you specified setroute in the config?

 

HTH

 

Rick

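Rick's question about `setroute` is the crux of the PPPoE default-route problem Matt describes, so here is an added ASA configuration example (not from the original thread and not either poster's config). It assumes GigabitEthernet1/1 is the outside interface, a VPDN group named ISP, and placeholder PPPoE credentials; the gateway x.x.121.182 is the one quoted in the thread.

```cisco
! Added example, not from the thread. Outside interface takes its address by
! PPPoE; "setroute" tells the ASA to install the default route the ISP hands
! out, so no manual default route is needed.
vpdn group ISP request dialout pppoe
vpdn group ISP localname PPPOE-USERNAME-PLACEHOLDER
vpdn group ISP ppp authentication pap
vpdn username PPPOE-USERNAME-PLACEHOLDER password PPPOE-PASSWORD-PLACEHOLDER
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group ISP
 ip address pppoe setroute
!
! Without "setroute" the ASA only learns the interface address and the
! default route must be entered by hand, as Matt did:
!   route outside 0.0.0.0 0.0.0.0 x.x.121.182
! Having setroute install a default route while also configuring a static
! one by hand is a conflict, which matches the "already assigned" error
! described in the thread. Pick one of the two, not both.
!
! Verification:
!   show vpdn session
!   show route
```

With `setroute`, `show route` should list a default route via the PPPoE peer once the session is up; if it does not appear, check the VPDN session state before touching static routes.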

Hello

 

Well I got everything set up and verified receiving and sending email. Had to create a new rule with specified port 993 as default rule sets only have imap4 (143) but that is fine. All of my devices are up and running and I see no issues.

I will look into that link you sent me about pinging.

Trying to look back... When I manually set route and the PPPoE was enabled, it would not let me use .182 as the Gateway. Only when I had 1/1 disabled and manually created the set route and then enabled it would it stick.

 

The link you initially gave me had utilized NAT to open which port for email and so on but I chose to have NAT simply be "this outside ip goes to this inside ip" and did not specify any ports, simply translate. I am using the ACL's to control all and any ports. Hope this is also another way of doing the same thing (by not utilizing the ports in NAT).

Are there any recommended next steps once it is all configured for that extra protection?

 

I can not thank you enough for your support and encouragement as well as guidance. You made someone who was more or less defeated into someone who achieved the goal he set out to do.

Really, there are not enough thank you's.

 

I am sure I will be back soon as to how to implement my Internet-Connecting-To-home VPN to access my videos on my NAS from anywhere... But that's another time.

Matt

 

I am glad to hear that you have your devices up and running. Needing to configure a specific rule to allow port 993 is not surprising.

 

It is certainly ok to have the static nat process just the IP (and not the port number) and to use ACL to control port access.

 

I am glad that my guidance has been helpful and has helped you transition from feeling defeated to having achieved your goal. When I was new in networking I had some people and a forum similar to this one who shared their expertise with me and helped me learn. I hope you will continue to be active in the forum and as your expertise increases that you will share what you know with others.

 

HTH

 

Rick

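The approach Matt describes and Rick confirms above (static NAT translating only the address, with an ACL deciding which ports get in) looks like the following on an ASA. This is an added example, not configuration from the thread or from either poster. It assumes ASA 8.3 or later object NAT syntax, that GigabitEthernet1/3 carries the mail server with nameif `mail`, a constructed inside network 192.168.3.0/24 with the server at 192.168.3.10, and 203.0.113.10 (a documentation-range placeholder) standing in for one address of the static block.

```cisco
! Added example, not from the thread. Constructed addresses throughout:
! 192.168.3.10 is the mail server, 203.0.113.10 is a placeholder public IP.
interface GigabitEthernet1/3
 nameif mail
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
! One-to-one translation of the whole host; no port mapping in the NAT rule.
object network MAIL_SERVER
 host 192.168.3.10
 nat (mail,outside) static 203.0.113.10
!
! Inbound policy. On 8.3+ the ACL matches the real (untranslated) address.
! Only the mail ports are opened; the explicit final deny with "log" makes
! refused connection attempts visible in syslog.
access-list OUTSIDE_IN extended permit tcp any object MAIL_SERVER eq smtp
access-list OUTSIDE_IN extended permit tcp any object MAIL_SERVER eq 993
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Outbound from security-level 100 to 0 is permitted by default, so the
! server needs no ACL to send mail out. Verify the rule and the translation:
!   show nat detail
!   show access-list OUTSIDE_IN
!   packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 993
```

The `packet-tracer` line (source 198.51.100.5 is a constructed test address) walks a simulated IMAPS connection through NAT and the ACL and reports each phase, which is the quickest way to see whether the port 993 rule is hit before exposing the server.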

 

fbeye
Level 4

I’ve got a quick question and if it’s more appropriate to begin a new thread that is fine.

 

I am wondering why I can not check my own email while home. (1/2 TPlink to 1/3 Email). It has an IP Route 0.0.0.0 0.0.0.0 x.x.121.182 and both Interfaces are 100 Security. Independently they can send/receive data to and from the net so I am a bit lost.

My Email client just times out but when I go to LTE instead of WiFi it connects just fine.

My Client is connected to the domain of my IP so maybe the TPLink is bypassing Nameservers cause it’s on the LAN and can’t resolve?

Matt

 

If both interfaces are level 100 have you used the command to permit same security level inter interface? By default the ASA will not send traffic from one interface to another interface at the same security level. So you need to specifically allow this.

 

HTH

 

Rick


Good Morning

 

I was so fixated on higher security can connect to lower that I for whatever reason had assumed equal security would be able to pass data but the second I read what you wrote it clicked and occurred to me that that would make sense for security issues among the network.

 

Thank you .

Matt

 

It is a subtle aspect of the config and easy to not understand it correctly. As I mentioned in a previous response you can sort of think of the security levels as doing the same thing as the zones you configured on your router. And when you configure zones on the router then interfaces within a zone can freely communicate with each other. But the ASA was designed as a security device and takes a conservative approach that interfaces at the same security level do not by default communicate with each other. You have to specifically enable that communication.

 

HTH

 

Rick


This definitely was more complicated than I thought.. Not only did I have to make an ACL for SMTP/IMAP from 1/2 to 1/3 but I also, after scratching my head, realized I needed to create a NAT from 1/2 to 1/3.

I then learned that by creating an ACL on my 1/3 Mail (where prior there were none because 1/1 was allowing access and then NAT was redirecting) it then removed all other access such as domain and web access because by adding an ACL I removed the standard "allow all traffic to lesser security interface".

 

I am at the point where I can send from 1/2 (TPLink) to 1/3 (Mail) but can not send from my 1/3 (Mail) to the Internet. I keep getting "reject_unknown_recipient_domain: Recipient address rejected: Domain not found" so for whatever reason my MAIL is not accessing a Name server.

 

At this point, because I need my email, I simply removed all my settings I changed and simply made 1/3 a 99 Security so my 1/2 can access it and it[Mail] can send to the world.

 

I will spend more time in figuring out what I am missing. But I am definitely on the right path.

 

 

I am not sure why you need nat between 1/2 and 1/3. It is true that as you use ACL to permit traffic between interfaces you need to consider all the kinds of protocols that you might need to allow. And I wonder if you really did need an ACL between 1/2 and 1/3. I am glad that you did find a work around to get the traffic going and that you believe that you are on the right path. There is certainly a learning curve as you work on the ASA and you are making good progress.

 

HTH

 

Rick

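Two points in the last few posts go together: Rick's note that interfaces at the same security level do not talk to each other until `same-security-traffic permit inter-interface` is set, and Matt's discovery that putting an ACL on 1/3 removed the implicit "allow to lower security" behaviour, which is what left the mail server unable to resolve names. The following added example (not from the thread or from either poster) shows both. It assumes nameif `inside` on GigabitEthernet1/2 with the constructed network 192.168.1.0/24, nameif `mail` on GigabitEthernet1/3 with 192.168.3.0/24 and the server at 192.168.3.10, and 198.51.100.53 as a placeholder resolver address; it does not add a NAT rule between the two internal interfaces, which Rick's reply questions the need for.

```cisco
! Added example, not from the thread. Both internal interfaces are at
! security-level 100; networks and addresses are constructed.
same-security-traffic permit inter-interface
!
object network MAIL_SERVER
 host 192.168.3.10
!
! LAN clients reach the mail server on SMTP and IMAPS only. Applied inbound
! on "inside", this list replaces the implicit permit there, so the final
! line keeps ordinary Internet access for the LAN.
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 object MAIL_SERVER eq smtp
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 object MAIL_SERVER eq 993
access-list INSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! An ACL on "mail" likewise replaces the implicit permit, so everything the
! server itself must initiate has to be listed. DNS is the one the
! "Domain not found" error in the thread points to.
access-list MAIL_IN extended permit udp object MAIL_SERVER any eq domain
access-list MAIL_IN extended permit tcp object MAIL_SERVER any eq domain
access-list MAIL_IN extended permit tcp object MAIL_SERVER any eq smtp
access-list MAIL_IN extended permit tcp object MAIL_SERVER any eq www
access-list MAIL_IN extended permit tcp object MAIL_SERVER any eq https
access-list MAIL_IN extended permit udp object MAIL_SERVER any eq ntp
access-list MAIL_IN extended deny ip any any log
access-group MAIL_IN in interface mail
!
! Confirm the DNS path before relying on it:
!   packet-tracer input mail udp 192.168.3.10 50000 198.51.100.53 53
!   show access-list MAIL_IN
```

Keeping the explicit `deny ... log` entries rather than relying on the implicit deny means every blocked flow shows up in syslog, which turns the "why can't 1/3 resolve names" kind of problem into a one-line search instead of a guess.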