Segment from PIX to segment on ASA

Tyler Woods
Level 1

I need the following to happen:

Host at 12.x.x.134 to access host 10.50.2.32 on port 8888.

Host at 12.x.x.134 to access host 10.50.2.33 on port 1560.

I am at a complete loss on getting this accomplished. Have tried multiple configurations and nothing works. Ideally I would collapse this all to the ASA but I do not have the time to dedicate at the moment so I just need to get this working as it is. The ASA is under SMARTnet but CCO ID does not have permission to its serial number yet.

Any guidance on this would be greatly appreciated. Is below enough to go on?

ASA Interfaces

Ethernet0/0 outside 64.xx.xx.130 security-level   0 --> to RouterA via 2980
Ethernet0/1 inside  10.50.2.1    security-level 100 --> to 2980
Ethernet0/2 dmz1    10.10.10.2   security-level  50 --> to ASA e2

PIX

Ethernet0   outside 12.xx.xx.2   security-level   0 --> to RouterB via 2980
Ethernet1   dmz     12.x.x.129   security-level  50 --> to 2980
Ethernet2   dmz2    10.10.10.1   security-level  50 --> to PIX e0/2


So you created the new ACL purely for packet capture?

It's the nat/global config for the 10.50.2.x network I think is confusing the issue, but I have checked the docs and the statics we added should override the dynamic NAT. Basically the nat/global statements translate all 10.50.2.x addresses to the interface address of dmz1 on the ASA, i.e. 10.10.10.2, when going to the PIX, and your packet capture showed that. But we need a translation the other way, which is what the statics we added should do.

In addition, it seems when you try a connection to 10.50.2.33 you see hits increasing for the specific line in the ACL outbound on the PIX but can't capture packets with that, so something is wrong there too.

I need to have a reread of the entire thread and look at configs again.

Jon
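To make the NAT behaviour Jon describes concrete, here is an illustrative pre-8.3 nat/global/static configuration for the two flows from the original post. It is an added example, not a config posted by Jon or Tyler, and it assumes: the ASA and PIX run 7.x-era software (nat/global/static syntax, `packet-tracer` available), both services are TCP, the masked octets in `12.x.x.134` stay as the thread shows them, and the PIX performs no translation between its dmz and dmz2 interfaces. The ACL and object names are made up for the example.

```cisco
! ---------- ASA ----------
! Dynamic PAT that Jon describes: inside hosts leaving via dmz1 appear
! as the dmz1 interface address, 10.10.10.2.
nat (inside) 1 10.50.2.0 255.255.255.0
global (dmz1) 1 interface

! Identity statics for the two servers. A static takes precedence over the
! dynamic nat/global entry, so sessions initiated from the dmz1 side can
! reach the servers on their real addresses (this is "the other way").
static (inside,dmz1) 10.50.2.32 10.50.2.32 netmask 255.255.255.255
static (inside,dmz1) 10.50.2.33 10.50.2.33 netmask 255.255.255.255

! dmz1 (security 50) -> inside (security 100) is lower-to-higher, so an
! inbound ACL on dmz1 must permit exactly the two requested flows.
! (ACL name is an example; TCP is assumed.)
access-list dmz1_in extended permit tcp host 12.x.x.134 host 10.50.2.32 eq 8888
access-list dmz1_in extended permit tcp host 12.x.x.134 host 10.50.2.33 eq 1560
access-group dmz1_in in interface dmz1

! Return path to the remote host via the PIX's dmz2 address.
route dmz1 12.x.x.134 255.255.255.255 10.10.10.1

! ---------- PIX ----------
! dmz (50) -> dmz2 (50) is same-security traffic; on 7.x it must be
! permitted explicitly (assumption: PIX runs 7.x).
same-security-traffic permit inter-interface

! Reach the 10.50.2.0/24 segment behind the ASA.
route dmz2 10.50.2.0 255.255.255.0 10.10.10.2

! Exempt this traffic from translation so the ASA's dmz1 ACL sees the
! real source 12.x.x.134 (ACL name is an example).
access-list dmz_nonat extended permit ip host 12.x.x.134 10.50.2.0 255.255.255.0
nat (dmz) 0 access-list dmz_nonat
```

To check which translation and ACL entry a flow actually matches on the ASA, `packet-tracer input dmz1 tcp 12.x.x.134 1025 10.50.2.32 8888` walks the packet through route lookup, ACL and NAT phases and names the rule hit at each step; `show xlate` then confirms that the identity static, not the dmz1 PAT entry, is in use for 10.50.2.32 and 10.50.2.33. Note that an ACL referenced by `capture ... access-list` does not need to be applied to any interface with `access-group`; it is only a match filter for the capture.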

Yes, I created an ACL purely for capture and didn't apply it to the interface. The ACL on the interface saw the hits but the ACL that was identical and not on the interface did not get hits. I applied the capture to the interface using the ACL not on the interface and got no data.

Was that not correct?

Tyler

I am just narrowing down the configs to what we need to see. Can you do me a favour? Can you start a new thread with the same original post, i.e. the very first post? Then I will post the new configs into that and we can pick it up there. I ask because this thread is taking ages to load and getting a bit too long.

When you post the new thread, can you just make a note that it is a continuation of the existing thread?

Jon
