i'm new to cisco's ios on ASA 5505 Version 8.4(2) and try to configure the whole weekend the following setup but not successfully :-(
This is the actually network Setup, but the ASA 5505's are new
instead of old Greengate VPNgateways which have a to small network bandwidth on VPN.
HomeWorker with AnyConnect Essential
Client | Client Printer
10.27.5.0/24 | 10.27.200.50-200 10.27.200.30-40
| ASA 5505 ASA 5505 | |
--------------------- inside: 10.27.1.230/24 inside: 10.27.200.2 ---------------------------------------------------
| outside: 80.xxx.xxx.180/29 -------ISP------ outside:188.zzz.zzz.11/29
| Proxy/DNS Server
| Http Server
| some other Server
1.) WORKS: The clients on the left connect to the internet threw the proxy server
2.) WORKS: The clients on the left can connect to all other server
3.) WORKS: The servers on the left can connect to the internet (from inside to outside)
4.) NOTworking: The clients/printers on the right should connect to the 10.27.1.0/24 network on the right via ASA's Site2Site
5.) NOTworking: Some servers like HTTP/s SMTP/s IMAP/s on the left should available from outside (everybody without VPN)
80.xxx.xxx.180:80 -> 10.27.1.30:80
80.xxx.xxx.180:443 -> 10.27.1.30:443
80.xxx.xxx.180:25 -> 10.27.1.20:25
80.xxx.xxx.180:587 -> 10.27.1.20:587
80.xxx.xxx.180:993 -> 10.27.1.20:993
Now I need your help to get Step 5 running...
Step 4 is on todo for the future, because i have to move the city to setup the ASA
I don't know how to setup the ACL an NAT/PAT settings in the ASA5505, every howto i have found by google is f0r older CLI version :-(
Please help !!!!! or tell me what you need (show running-config) for example ?
post your running config and also do a packet-tracer for traffic not working and post the results along with the config.
Hey cadet alain,
thank you for your answer :-)
I have deleted all such attempts not working, so a packet-trace will be not very useful conent...
Here is the LogLine when i try to browse port 80 from outside (80.xxx.xxx.180:80) without VPN connection:
|3||Nov 21 2011||18:29:56||77.xxx.xxx.99||59068||80.xxx.xxx.180||80||TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80|
The attached file is only the show running-config
Now i can with my AnyConnect Clients, too, but after connection is up, my vpnclients can't surf the web any longer because anyconnect serves as default route on 0.0.0.0 ... that's bad, too
Actually the AnyConnect and Nat/ACL Problem are my last two open Problems until i setup the second ASA on the right ;-)
traffic originated from a low security level destined to a high security levl is denied by default and you must permit the desired traffic by configuring an ACL and applying it inbound on the low security level interface.Since 8.3 you must specify the private IP address of your server in this ACL, not the public IP like before 8.3.
You didn't configure such an ACL and that's why traffic is dropped.
I've never configured AnyConnect so I can't help you for this part but other CSC members will for sure.