multiple IPs on ASA 5505 - connection problem


see attached config of my ASA 5505

I can access all 3 internal networks: 200.0 201.0 42.0 and they all access the internet

I get mail on 63.x.y.126\SERVER_MAIL which is the configured IP on vlan2 (WAN)

I can't access other external IPs (SERVER_RU & SERVER_WWW are configured but not accessible)

Farrukh Haroon Wed, 08/27/2008 - 23:25

Your route entry seems strange:

route inside 192.168.42.0 255.255.255.0 192.168.42.4 1

192.168.42.4 is supposed to be in the same subnet as your inside interface. Also is it possible to post any syslogs for this denied traffic?

You can also run a 'packet-tracer' simulating this traffic coming from the outside interface.

Regards

Farrukh

Farrukh Haroon Thu, 08/28/2008 - 05:26

"that both ASA & the 42 subnet connect to "

The ASA has three VLAN interfaces, none of which belong to 192.168.42.x

?

Regards

Farrukh

This is how my network is configured:

192.168.42.0/24 <-> Cisco3560 Vlan42 192.168.42.4

192.168.200.0/24 <-> Cisco3560 Vlan200 192.168.200.254 <-> ASA inside=192.168.200.4

192.168.201.0/24 <-> Cisco3560 Vlan201 192.168.201.254

Using this, all my LAN traffic goes to the Cisco 3560, which has a default route 0.0.0.0 0.0.0.0 192.168.200.4.

This is the part that does not have problems.

In my post I asked about routing traffic coming from the internet into my LAN.

The access-list/static combination for inbound SMTP is working (using the interface public IP). Any other public IP (i.e. different from the specified interface .126 IP) fails.

Farrukh Haroon Thu, 08/28/2008 - 05:49

Change this:

route inside 192.168.42.0 255.255.255.0 192.168.42.4 1

To

route inside 192.168.42.0 255.255.255.0 192.168.200.254

You have a Class C from your ISP?

Regards

Farrukh

Farrukh Haroon Thu, 08/28/2008 - 06:25

Did you change the route?

Change it and run a packet tracer

packet-tracer input outside tcp 4.4.4.4 1045 63.x.y.110 443 detailed

Regards

Farrukh

Farrukh Haroon Thu, 08/28/2008 - 06:34

You don't need to worry about this command making any changes. It's just a 'diagnostic' command run from enable mode. You don't even have to do 'config t' to run it!

This will simulate the desired traffic flow and tell you WHERE it's failing (NAT, RPF check, ACL, spoofing etc.)

Regards

Farrukh
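The pieces discussed in this thread, put together as an added example (this is not the poster's attached config): a pre-8.3 ASA static mapping for one extra public address, the inbound ACL that permits it, the corrected route via the 3560, the packet-tracer check, and a capture on the outside interface. The public address 63.x.y.110, the internal host 192.168.200.10 and the names OUTSIDE_IN, CAP_ACL and OUTSIDE_CAP are assumed placeholders.

```cisco
! Assumed placeholders: 63.x.y.110 is one of the extra public IPs from the
! ISP block, 192.168.200.10 the internal host it should be mapped to.
! One-to-one static translation (pre-8.3 syntax, as on a 2008-era ASA 5505).
static (inside,outside) 63.x.y.110 192.168.200.10 netmask 255.255.255.255
! Permit only the published service on that public address, then bind the
! list inbound on the outside interface (the access-list/static pair).
access-list OUTSIDE_IN extended permit tcp any host 63.x.y.110 eq 443
access-group OUTSIDE_IN in interface outside
! Route for the 42 subnet via the 3560's VLAN200 address, which is on the
! same wire as the inside interface (Farrukh's correction of the route).
route inside 192.168.42.0 255.255.255.0 192.168.200.254 1
! Simulate an internet client (4.4.4.4:1045) reaching the published service;
! the output lists each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) and
! names the one that drops the packet, without changing any configuration.
packet-tracer input outside tcp 4.4.4.4 1045 63.x.y.110 443 detailed
! If packet-tracer allows the flow but real clients still fail, capture on
! the outside interface to confirm that packets for that address arrive at all.
access-list CAP_ACL extended permit tcp any host 63.x.y.110
capture OUTSIDE_CAP access-list CAP_ACL interface outside
show capture OUTSIDE_CAP
```

Because the extra addresses sit on the same subnet as the outside interface, the ASA has to answer ARP for them; a static entry enables proxy ARP for its mapping by default, so an empty capture for the public address points upstream (ISP routing or ARP) rather than at the ASA's own policy.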

Farrukh Haroon Fri, 08/29/2008 - 13:03

Output seems perfect and the respective traffic should work.

A next step would be perhaps to capture traffic on the ASA outside interface for these public IPs to see if any traffic 'actually' reaches them from the internet or not.

Regards

Farrukh
