problem with ASA 5540..

Jul 14th, 2008

I am facing a problem with ASA for providing Application connectivity to intranet hosts. The details are explained below:

The Network structure is as follows:

- Intranet gateway router = 172.16.150.1

- ASA outside interface = 172.16.150.3

- NAT'ed IP to app server = 172.16.150.2

- remote network gateway = 172.16.151.1


Problem:

- Intranet Gateway routers and all hosts to router at all ends can ping each other except ASA.

- Only hosts connected to the router to which the ASA is connected can ping the ASA outside interface and also get TCP access through the ASA.

- But the Intranet gateway router to which the ASA is connected can't ping the ASA.

- The remote hosts can't get TCP access through the ASA, getting no hits on the ASA interface.

- If the ASA is connected to a public IP over the Internet with the same settings (only IP changed), all hosts on the Internet can ping the ASA outside interface and access the web server inside.


The ASA config file is attached. Please help in resolving this problem. I want to enable access to the web server inside the ASA from the outside Intranet on private IPs.





a.alekseev Mon, 07/14/2008 - 04:11

And what is your problem?

punyarthisa Mon, 07/14/2008 - 05:31

The problem is that Intranet hosts outside the ASA cannot get TCP/HTTP access to web servers residing inside the ASA, even after permitting any host to the inside network by access-list.



a.alekseev Mon, 07/14/2008 - 05:35

You should have static NAT for the Intranet hosts.

a.alekseev Mon, 07/14/2008 - 05:37

Which networks have private IP addresses and which networks have public IPs?

punyarthisa Mon, 07/14/2008 - 05:49

I have used static NAT as given below:


# static (inside,outside) 172.16.150.2 192.168.8.21 netmask 255.255.255.255


Here no public IP is involved; 172.16.0.0/24 is the Intranet network connected on the outside interface of the ASA through router 172.16.150.1, and 192.168.8.21 is the web server IP connected to the inside interface of the ASA.

a.alekseev Mon, 07/14/2008 - 06:18

no access-group inside in interface inside

no access-group inside_out out interface inside


and try again.

punyarthisa Mon, 07/14/2008 - 06:27

Does it mean no access list is required on the inside interface? I shall try it out tomorrow and revert back to you.


Thanks for the guidance.
