ASA/PIX/ISA Configuration

Unanswered Question
May 29th, 2007
User Badges:

My company has purchased a ASA 5510 and a ISA 2006 server to replace the existing Front End/Back End Pix 520's we currently have. Instead of doing a full cutover, I have decided to bring them up in tandem and test the configuration. I have set up the ASA how I want to and pretty much modified the existing Front-End Pix config to fit the Front End ASA. When running some tests in the DMZ like basic web traffic, I am unable to reach the internet using the ASA as the default gateway form a pc/server in the DMZ. My nat and global statements are correct and my route is pointing to the Internet Router. I have included a diagram to help see what I am trying to accomplish.



Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
srue Tue, 05/29/2007 - 09:22
User Badges:
  • Blue, 1500 points or more

you haven't overlapped your nat statements between the ASA and existing firewall?

Is the traffic making it to your internet router (the 2500?)?

can you post the nat and global statements from the asa?

Frank Durham Tue, 05/29/2007 - 09:33
User Badges:

Nat Statements

nat (VPN) 0 access-list nonat

nat (Inside) 1 0.0.0.0 0.0.0.0


Global Statement

global (Outside) 1 interface


The traffic is making it to the Internet Router.


What I also noticed as well is the ISA server which is the backend for the ASA can surf the web but is real slow. Haven't been able to troubleshoot that yet.


Frank


srue Tue, 05/29/2007 - 09:45
User Badges:
  • Blue, 1500 points or more

what is the ISA servers' dg?


try pinging something on the internet from the ASA device itself, then try pinging the same thing from the DMZ pc.

www.yahoo.com 69.147.114.210 appears to be pingable.


what happens when the PC tries to ping 216.x.x.1?

Frank Durham Tue, 05/29/2007 - 09:55
User Badges:

The ISA server's dg interface facing the DMZ is blank. This is how the ISA is setup for a backend config.


When I ping from ASA, I get a response. When I ping from pc/server in the DMZ, I get a response.


Must be a config problem on the ASA...


Frank

Frank Durham Tue, 05/29/2007 - 10:56
User Badges:

I found the G D&%@ problem. The server I was using already has a static nat statement on the ASA and on the Pix. So when I try to access the web, it was sending the return packet back to the PIX. I used a laptop and gave it a ip that wasn't static natted, and it works. Now trying to work out the issue on why the web is so slow using the ASA.


Frank

Actions

This Discussion