04-01-2008 03:21 PM - edited 03-11-2019 05:25 AM
Hi,
I'm trying to replace my PIX505E with the new ASA5505; I have a single public global IP address and I'm currently using some PATs in order to allow some external access to some services provided by "internal" hosts. I also allow VPN connections on the PIX (honestly both PPTP and Cisco native VPNs, but I don't use PPTP anymore).
I'm getting crazy trying to configure the ASA and porting the current PIX configuration on ASA: the biggest problem is that ASA doesn't allow the incoming external traffic to the inside LAN and I'm not able to activate it; it seems that it ignores all ACEs and all incoming packets are dropped by the implicit default rule (deny rule).
I have read that ASA by default cuts all incoming traffic and is not sufficient to allow it using ACL.
I tried the same configuration on a multi global IP environment (8 public IPs) and, also there, I was NOT able to allow the incoming traffic on the public IP of the firewall; Just to be clearer:
Let's assume that my IP pool is:
123.10.10.240/29, that means:
123.10.10.240 = net
.241 = router
.242 = ASA 5505 (interface outside)
.243 to 246 = services / available
.247 = broadcast
I can allow (by ACL and STATIC) the incoming traffic on IPs from 243 to 246.
I can establish a VPN connection on the ASA IP (123.10.10.242) but all incoming traffic on IP 123.10.10.242 is dropped also if ACL are set.
Can someone help me? How can I allow the incoming traffic with a single global IP? Could you please provide a sample configuration where the IP address of the outside interface is 123.10.10.2/30, the router IP is 123.10.10.1 and I can forward the incoming traffic on port 80 to the internal host with IP address 192.168.1.1 on the LAN (inside) interface?
Many thanks in advance and best Regards
Giorgio
Mail to: reader65@gmail.com
04-01-2008 05:11 PM
Can you change the ACL and static to the following format. Reference the outside interface instead of the IP address in the access list and static.
access-list acl_out extended permit tcp any host 192.168.5.2 eq www
change it to:
access-list acl_out extended permit tcp any interface outside eq www
static (inside,outside) tcp 192.168.5.2 www 192.168.11.200 www netmask 255.255.255.255
change it to:
static (inside,outside) tcp interface www 192.168.11.200 www netmask 255.255.255.255
HTH
Sundar
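A complete single-public-IP configuration built around Sundar's two corrected lines, as an added example that is not part of the original thread and not the poster's converted PIX configuration. It uses the addressing Giorgio asked for (outside 123.10.10.2/30, router 123.10.10.1, web server 192.168.1.1) plus assumed values for the inside interface address (192.168.1.254/24) and the ASA 5505 VLAN-to-port mapping. The syntax is the pre-8.3 `static`/`global`/`nat` form used in this thread:

```cisco
! ASA 5505, pre-8.3 NAT syntax. Assumed: inside network 192.168.1.0/24,
! inside interface 192.168.1.254, Ethernet0/0 as the outside port.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 123.10.10.2 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
! Outbound: every inside host hides behind the outside interface address (PAT).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Inbound port forward: TCP/80 arriving on the outside interface's own address
! is translated to 192.168.1.1:80. The keyword "interface" stands for
! 123.10.10.2; writing the address literally is the form that failed above.
static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255
!
! Pre-8.3 ACLs on the outside interface match the translated (global) address,
! so the destination is again "interface outside", not the real host.
! Only TCP/80 is permitted; everything else falls to the implicit deny.
access-list acl_out extended permit tcp any interface outside eq www
access-group acl_out in interface outside
!
route outside 0.0.0.0 0.0.0.0 123.10.10.1 1
```

To confirm the two pieces line up before testing from the Internet, run `packet-tracer input outside tcp 198.51.100.10 40000 123.10.10.2 80` and check that the NAT and ACCESS-LIST phases both show ALLOW and that the result is a flow to 192.168.1.1; `show access-list acl_out` should then show the hit counter rising as real connections arrive. Keep the ACE as narrow as this one (a single port); a `permit ip any interface outside` line would expose every forwarded port at once. Note for anyone porting this to ASA 8.3 or later: there the `static` command is replaced by object NAT and ACLs reference the real (untranslated) address, so the ACE would name `host 192.168.1.1` instead of `interface outside`.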
04-01-2008 04:16 PM
Can you post your outside ACL configuration?
04-01-2008 04:55 PM
In the attached file, you can find all the relevant CLI configuration; it has been automatically converted by the ASA when I "put" in the PIX 506 configuration, where I don't have any problem.
On the ASA all incoming traffic is dropped and I don't understand why.
It would be very helpful if you could "create" a simple configuration for the ASA in a single global IP configuration where some incoming traffic is allowed (e.g. http, ftp) to the inside interface.
Thank you very much
04-01-2008 06:58 PM
Sundar,
now it works perfectly!!!
Really many many thanks! It was making me crazy. Even if it makes sense (on the ASA the interface concept is different than on the PIX), I didn't suppose it was the problem; I also didn't imagine that it could "translate" the PIX configuration in a bad way; now I understand why I didn't find posts asking about the same problem (thousands of people should have the same issue..).
You have given me a big gift and I really appreciate your great and valued support.
Many many thanks again.
Sincerely
Giorgio