multiple IPs on ASA 5505 - connection problem

Unanswered Question

See the attached config of my ASA 5505.

I can access all 3 internal networks (200.0, 201.0, 42.0) and they all access the internet.

I get mail on 63.x.y.126\SERVER_MAIL, which is the configured IP on vlan2 (WAN).

I can't access other external IPs (SERVER_RU & SERVER_WWW are configured but not accessible).

Farrukh Haroon Wed, 08/27/2008 - 23:25

Your route entry seems strange:

route inside 1 is supposed to be in the same subnet as your inside interface. Also is it possible to post any syslogs for this denied traffic?

You can also run a 'packet-tracer' simulating this traffic coming from the outside interface.



Farrukh Haroon Thu, 08/28/2008 - 05:26

"that both ASA & the 42 subnet connect to "

The ASA has three VLAN interfaces, none of which belong to 192.168.42.x




This is how my network is configured: <-> Cisco3560 Vlan42 <-> Cisco3560 Vlan200 <-> ASA inside= <-> Cisco3560 Vlan201

Using this, all my LAN traffic goes to the Cisco 3560, which has a default route.

This is the part that does not have problems.

In my post I asked about routing traffic coming from the internet into my LAN.

The access-list\static combination for inbound SMTP is working (using the interface public IP). Any other public IP (i.e. different from the specified interface .126 IP) fails.

Farrukh Haroon Thu, 08/28/2008 - 05:49

Change this:

route inside 1


route inside

You have a Class C from your ISP?



Farrukh Haroon Thu, 08/28/2008 - 06:25

Did you change the route?

Change it and run a packet-tracer:

packet-tracer input outside tcp 1045 63.x.y.110 443 detailed



Farrukh Haroon Thu, 08/28/2008 - 06:34

You don't need to worry about this command making any changes. It's just a 'diagnostic' command run from enable mode. You don't even have to do 'config t' to run it!

This will simulate the desired traffic flow and tell you WHERE it's failing (NAT, RPF check, ACL, spoofing etc.).



Farrukh Haroon Fri, 08/29/2008 - 13:03

Output seems perfect and the respective traffic should work.

A next step would be perhaps to capture traffic on the ASA outside interface for these public IPs to see if any traffic 'actually' reaches them from the internet or not.
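The thread ends up probing three things by hand: whether the next hop of a `route inside` entry sits on the inside interface's subnet, whether every public IP mapped by a `static` has a matching inbound ACE on the outside ACL, and whether a secondary public IP is actually on the outside segment at all (the "Class C from your ISP" question). The following Python checker is an added example, not code from the thread or from Cisco; it parses a constructed pre-8.3 (ASA 8.0/8.2 style) config snippet using RFC 5737 documentation addresses rather than the poster's real ones, with the mistakes planted on purpose, and reports those three conditions.

```python
import ipaddress

# Constructed sample of a pre-8.3 ASA 5505 config (ASA 8.0/8.2 syntax, where
# 'static' publishes a mapped IP and the outside ACL references that mapped
# IP). Addresses are RFC 5737 documentation ranges, not the poster's real
# ones; the mistakes below are planted on purpose for the checker to find.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.126 255.255.255.240
!
access-list outside_access_in extended permit tcp any host 203.0.113.126 eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.110 eq https
static (inside,outside) tcp interface smtp 192.168.200.25 smtp netmask 255.255.255.255
static (inside,outside) 203.0.113.110 192.168.200.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.120 192.168.201.80 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.113 1
route inside 192.168.42.0 255.255.255.0 10.10.10.2 1
"""


def _take_addr(tok, i):
    """Consume one ACL address operand: 'any', 'host X', or 'NET MASK'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def parse_config(text):
    """Pull interfaces, extended ACEs, statics, routes and access-groups out of
    a pre-8.3 ASA running-config (only the commands this check needs)."""
    cfg = {"interfaces": {}, "acls": {}, "statics": [], "routes": [], "groups": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if line.startswith(" ") and cur is not None:      # interface sub-command
            if tok[0] == "nameif":
                cur["name"] = tok[1]
            elif tok[:2] == ["ip", "address"]:
                cur["addr"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            if cur["name"] and cur["addr"]:
                cfg["interfaces"][cur["name"]] = cur["addr"]
            continue
        cur = None
        if tok[0] == "interface":
            cur = {"name": None, "addr": None}
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = _take_addr(tok, 5)
            dst, _ = _take_addr(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((tok[3], tok[4], src, dst))
        elif tok[0] == "access-group" and tok[2] == "in":
            cfg["groups"][tok[4]] = tok[1]                 # iface -> inbound ACL
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            if tok[2] in ("tcp", "udp"):                   # port-forwarding form
                mapped, local = tok[3], tok[5]
            else:
                mapped, local = tok[2], tok[3]
            cfg["statics"].append((real_if, mapped_if, mapped, local))
        elif tok[0] == "route":
            cfg["routes"].append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}"),
                                  ipaddress.ip_address(tok[4])))
    return cfg


def _dst_covers(dst, ip):
    if dst == "any":
        return True
    if "/" in dst:
        return ip in ipaddress.ip_network(dst, strict=False)
    return ipaddress.ip_address(dst) == ip


def audit(cfg, outside="outside"):
    """Return (code, ...) tuples for the misconfigurations the thread hunts for."""
    findings = []
    ifs = cfg["interfaces"]
    # 1. A 'route <iface>' next hop must sit on that interface's own subnet,
    #    otherwise the ASA has no way to ARP for it.
    for iface, _net, gw in cfg["routes"]:
        if iface in ifs and gw not in ifs[iface].network:
            findings.append(("ROUTE_GW_OFF_SUBNET", iface, str(gw)))
    # 2. Each public IP published by a static needs a permit ACE on the ACL
    #    applied inbound on outside, and must be reachable on the outside segment.
    inbound = cfg["acls"].get(cfg["groups"].get(outside, ""), [])
    for _real_if, mapped_if, mapped, _local in cfg["statics"]:
        if mapped_if != outside:
            continue
        ip = ifs[outside].ip if mapped == "interface" else ipaddress.ip_address(mapped)
        if not any(a == "permit" and _dst_covers(d, ip) for a, _p, _s, d in inbound):
            findings.append(("NO_INBOUND_ACE", str(ip)))
        if ip not in ifs[outside].network:
            # Proxy ARP only answers for addresses on the connected subnet; an
            # off-subnet block has to be routed to the ASA by the ISP.
            findings.append(("MAPPED_IP_OFF_SUBNET", str(ip)))
    return findings


def audit_sample():
    return audit(parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for finding in audit_sample():
        print(*finding)
```

Run against the sample it flags the inside route whose next hop 10.10.10.2 is not on 192.168.200.0/24, the static for 203.0.113.110 that lies outside the /28 the outside interface sits on (so the upstream router, not proxy ARP, has to deliver it), and the static for 203.0.113.120 that has no ACE on outside_access_in; the SMTP static on the interface address passes, which matches the one flow the poster reports working. On ASA 8.3 and later the `static`/mapped-IP convention no longer applies (NAT moves to `object network` and ACLs reference real addresses), so the parser is deliberately scoped to the 2008-era syntax in the thread.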



