I'm trying to replace my PIX505E with the new ASA5505; I have a single public global IP address and I'm currently using some PATS in order to allow some external access to some services provided by "internal" hosts. I also allow VPN connections on PIX (honestly both PPTP and CISCO native VPNs - but I don't use PPTP anymore).
I'm getting crazy trying to configure the ASA and porting the current PIX configuration on ASA: the biggest problem is that ASA doesn't allow the incoming external traffic to the inside LAN and I'm not able to activate it; it seems that it ignores all ACEs and all incoming packets are dropped by the implicit default rule (deny rule).
I have read that ASA by default cuts all incoming traffic and is not sufficient to allow it using ACL.
I tried the same configuration on a multi global IP environment (8 public IPs) and, also there, I was NOT able to allow the incoming traffic on the public IP of the firewall; Just to be clearer:
Let's assume that my IP pool is:
22.214.171.124/29, that means:
126.96.36.199 = net
.241 = router
.242 = ASA 5505 (interface outside)
.243 to 246 = services / available
.247 = broadcast
I can allow (by ACL and STATIC) the incoming traffic on IPs from 243 to 246.
I can establish a VPN connection on the ASA IP (188.8.131.52) but all incoming traffic on IP 184.108.40.206 is dropped also if ACL are set.
Can someone help me? How can I allow the incoming traffic with a single global IP?Could you please provide a sample configuration where IP address of outside interface is 220.127.116.11/30, the router IP is 18.104.22.168 and I can forward the incoming traffic on port 80 to the internal host with IP address 192.168.1.1 on LAN (inside) interface?
Many thanks in advance and best Regards
Mail to: [email protected]
Can you change the ACL and static to the following format. Reference the outside interface instead of the IP address in the access list and static.
access-list acl_out extended permit tcp any host 192.168.5.2 eq www
change it to:
access-list acl_out extended permit tcp any interface outside eq www
static (inside,outside) tcp 192.168.5.2 www 192.168.11.200 www netmask 255.255.255.255
change it to:
static (inside,outside) tcp interface www 192.168.11.200 www netmask 255.255.255.255