PIX506E (IOS 6.3) to ASA 5505 (IOS 7.2(3))

Answered Question

Hi,

I'm trying to replace my PIX505E with the new ASA5505; I have a single public global IP address and I'm currently using some PATS in order to allow some external access to some services provided by "internal" hosts. I also allow VPN connections on PIX (honestly both PPTP and CISCO native VPNs - but I don't use PPTP anymore).

I'm getting crazy trying to configure the ASA and porting the current PIX configuration on ASA: the biggest problem is that ASA doesn't allow the incoming external traffic to the inside LAN and I'm not able to activate it; it seems that it ignores all ACEs and all incoming packets are dropped by the implicit default rule (deny rule).

I have read that ASA by default cuts all incoming traffic and is not sufficient to allow it using ACL.

I tried the same configuration on a multi global IP environment (8 public IPs) and, also there, I was NOT able to allow the incoming traffic on the public IP of the firewall; Just to be clearer:

Let's assume that my IP pool is:

123.10.10.240/29, that means:

123.10.10.240 = net

.241 = router

.242 = ASA 5505 (interface outside)

.243 to 246 = services / available

.247 = broadcast

I can allow (by ACL and STATIC) the incoming traffic on IPs from 243 to 246.

I can establish a VPN connection on the ASA IP (123.10.10.242) but all incoming traffic on IP 123.10.10.242 is dropped also if ACL are set.

Can someone help me? How can I allow the incoming traffic with a single global IP?Could you please provide a sample configuration where IP address of outside interface is 123.10.10.2/30, the router IP is 123.10.10.1 and I can forward the incoming traffic on port 80 to the internal host with IP address 192.168.1.1 on LAN (inside) interface?

Many thanks in advance and best Regards

Giorgio

Mail to: [email protected]

I have this problem too.
0 votes
Correct Answer by sundar.palaniappan about 8 years 8 months ago

Can you change the ACL and static to the following format. Reference the outside interface instead of the IP address in the access list and static.

access-list acl_out extended permit tcp any host 192.168.5.2 eq www

change it to:

access-list acl_out extended permit tcp any interface outside eq www

static (inside,outside) tcp 192.168.5.2 www 192.168.11.200 www netmask 255.255.255.255

change it to:

static (inside,outside) tcp interface www 192.168.11.200 www netmask 255.255.255.255

HTH

Sundar

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.

In the attached file, you can find all the relevant CLI configuration; it has been automatically converted by the ASA when I "put" the Pix506 configuration where I don't have any problem.

On ASA all incoming traffic is dropped and I don't understand why.

Could be veru helpfull if you could "create" a simple configuration for asa in a single global ip configuration where some incoming traffic is allowed (e.g. hhtp, ftp) to the inside interface.

Thank you very much

Correct Answer
sundar.palaniappan Tue, 04/01/2008 - 17:11

Can you change the ACL and static to the following format. Reference the outside interface instead of the IP address in the access list and static.

access-list acl_out extended permit tcp any host 192.168.5.2 eq www

change it to:

access-list acl_out extended permit tcp any interface outside eq www

static (inside,outside) tcp 192.168.5.2 www 192.168.11.200 www netmask 255.255.255.255

change it to:

static (inside,outside) tcp interface www 192.168.11.200 www netmask 255.255.255.255

HTH

Sundar

Sundar,

now it works perfectly!!!

Really many many thanks! It was making me crazy. Also if it makes sense (on ASA the interface concept is different than on Pix), I didn't suppose it was the problem; also I didn't imagine that it could "translate" the Pix configuration in bed way; now I understand why I didn't find posts asking for the same problem (thousands of people should have the same issue..).

You have make me a big gift and I really appreciated your great and valued support.

Many manythanks again.

Sincerly

Giorgio

Actions

This Discussion