Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3975
Views
0
Helpful
3
Replies

ASA 5505 8.4(2) (server:80 inside) from (outside:80) NAT/PAT/ACL

Christian Vielhauer
Level 1
Level 1

‎11-20-2011 01:08 PM

Hi,

i'm new to cisco's ios on ASA 5505  Version 8.4(2) and try to configure the whole weekend the following setup but not successfully :-(

This is the actually network Setup, but the ASA 5505's are new

instead of old Greengate VPNgateways which have a to small network bandwidth on VPN.

                     HomeWorker with AnyConnect Essential

                                   10.27.100.0/24

                                              |

                                              |

                                            ISP------- everybody

      Client                                |                                                                                             Client                       Printer

10.27.5.0/24                            |                                                                                      10.27.200.50-200        10.27.200.30-40

          |                            ASA 5505                                                 ASA 5505                          |                              |

          ---------------------  inside: 10.27.1.230/24                              inside: 10.27.200.2 ---------------------------------------------------

          |                    outside: 80.xxx.xxx.180/29  -------ISP------  outside:188.zzz.zzz.11/29

           |

          |

          |     Proxy/DNS Server

          |----   10.27.1.4

          |

          |     Http Server

          |----- 10.27.1.30

          |

          |     some other Server

          |----  10.27.1....

1.) WORKS:      The clients on the left connect to the internet threw the proxy server

2.) WORKS:      The clients on the left can connect to all other server

3.) WORKS:      The servers on the left can connect to the internet (from inside to outside)

4.) NOTworking: The clients/printers on the right should connect to the 10.27.1.0/24 network on the right via ASA's Site2Site

5.) NOTworking: Some servers like HTTP/s SMTP/s IMAP/s on the left should available from outside (everybody without VPN)

80.xxx.xxx.180:80       -> 10.27.1.30:80

80.xxx.xxx.180:443     -> 10.27.1.30:443

80.xxx.xxx.180:25       -> 10.27.1.20:25

80.xxx.xxx.180:587     -> 10.27.1.20:587

80.xxx.xxx.180:993     -> 10.27.1.20:993

Now I need your help to get Step 5 running... 

Step 4 is on todo for the future, because i have to move the city to setup the ASA

I don't know how to setup the ACL an NAT/PAT settings in the ASA5505, every howto i have found by google is f0r older CLI version :-(

Please help !!!!!   or tell me what you need (show running-config) for example ?

Kindly regards

Christian

Labels:
0 Helpful
3 Replies 3

cadet alain
VIP Alumni
VIP Alumni

‎11-21-2011 02:20 AM

Hi,

post your running config and also do a packet-tracer for traffic not working and post the results along with the config.

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Christian Vielhauer
Level 1
Level 1
In response to cadet alain

‎11-21-2011 05:33 PM

Hey cadet alain,

thank you for your answer :-)

I have deleted all such attempts not working, so a packet-trace will be not very useful conent...

Here is the LogLine when i try to browse port 80 from outside (80.xxx.xxx.180:80) without VPN connection:

3Nov 21 201118:29:56
77.xxx.xxx.995906880.xxx.xxx.18080TCP access denied by ACL from 77.xxx.xxx.99/59068 to outside:80.xxx.xxx.180/80



The attached file is only the show running-config

Now i can with my AnyConnect Clients, too, but after connection is up, my vpnclients can't surf the web any longer because anyconnect serves as default route on 0.0.0.0 ... that's bad, too

Actually the AnyConnect and Nat/ACL Problem are my last two open Problems until i setup the second ASA on the right ;-)

Regards.

Chris

117593-running-config.txt.zip
0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to Christian Vielhauer

‎11-22-2011 02:59 AM

Hi,

traffic originated from a low security level destined to a high security levl is denied by default and you must permit the desired traffic by configuring an ACL and applying it inbound on the low security level interface.Since 8.3 you must specify the private IP address of your server in this ACL, not the public IP like before 8.3.

You didn't configure such an ACL and that's why traffic is dropped.

I've never configured AnyConnect so I can't help you for this part but other CSC members will for sure.

Regards.

Alain

Don't forget to rate helpful posts.
0 Helpful
Customers Also Viewed These Support Documents