Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
728
Views
0
Helpful
5
Replies

ASA/PIX/ISA Configuration

Cisco4Life
Level 1
Level 1

‎05-29-2007 09:15 AM - edited ‎03-11-2019 03:21 AM

My company has purchased a ASA 5510 and a ISA 2006 server to replace the existing Front End/Back End Pix 520's we currently have. Instead of doing a full cutover, I have decided to bring them up in tandem and test the configuration. I have set up the ASA how I want to and pretty much modified the existing Front-End Pix config to fit the Front End ASA. When running some tests in the DMZ like basic web traffic, I am unable to reach the internet using the ASA as the default gateway form a pc/server in the DMZ. My nat and global statements are correct and my route is pointing to the Internet Router. I have included a diagram to help see what I am trying to accomplish.

Labels:
Preview file
317 KB
0 Helpful
5 Replies 5

srue
Level 7
Level 7

‎05-29-2007 09:22 AM

you haven't overlapped your nat statements between the ASA and existing firewall?

Is the traffic making it to your internet router (the 2500?)?

can you post the nat and global statements from the asa?

0 Helpful

Cisco4Life
Level 1
Level 1
In response to srue

‎05-29-2007 09:33 AM

Nat Statements

nat (VPN) 0 access-list nonat

nat (Inside) 1 0.0.0.0 0.0.0.0

Global Statement

global (Outside) 1 interface

The traffic is making it to the Internet Router.

What I also noticed as well is the ISA server which is the backend for the ASA can surf the web but is real slow. Haven't been able to troubleshoot that yet.

Frank

0 Helpful

srue
Level 7
Level 7
In response to Cisco4Life

‎05-29-2007 09:45 AM

what is the ISA servers' dg?

try pinging something on the internet from the ASA device itself, then try pinging the same thing from the DMZ pc.

www.yahoo.com 69.147.114.210 appears to be pingable.

what happens when the PC tries to ping 216.x.x.1?

0 Helpful

Cisco4Life
Level 1
Level 1
In response to srue

‎05-29-2007 09:55 AM

The ISA server's dg interface facing the DMZ is blank. This is how the ISA is setup for a backend config.

When I ping from ASA, I get a response. When I ping from pc/server in the DMZ, I get a response.

Must be a config problem on the ASA...

Frank

0 Helpful

Cisco4Life
Level 1
Level 1
In response to srue

‎05-29-2007 10:56 AM

I found the G D&%@ problem. The server I was using already has a static nat statement on the ASA and on the Pix. So when I try to access the web, it was sending the return packet back to the PIX. I used a laptop and gave it a ip that wasn't static natted, and it works. Now trying to work out the issue on why the web is so slow using the ASA.

Frank

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card