08-29-2008 11:08 PM - edited 03-11-2019 06:37 AM
Hi
Due to the fact that the PIX 520 (version 5.2(3)) is not supported anymore, I have decided to go to an ASA5550-BUN-K9 (7.1(2)).
I have performed one copy & paste of the configuration (including extended in my access-lists), excluding inspect esmtp (no fixup protocol smtp 25 is already configured in my PIX 520). After realizing the cable connection, disconnecting the cables from the PIX, I have not had good results:
I can't browse the internet through the proxy
I can't send e-mails outside
Connectivity from in to out is like blocked and the access lists do not show hits
I have already added inspect http
but I see that there is a kind of traffic blocked [%ASA-4-106023 = I'm not sure this can help you]
I'm not sure whether it is a problem of the service global policy or something else. The ASA configuration is performed with simple extended access-lists and not with object-groups. [When I turned back my connection I needed to reload my PIX 520 because the outside interface did not respond to the pings from my outside router fa0/0]
08-30-2008 07:46 AM
Without seeing the config, I think your issue lies with your NAT config.
I suggest you look in that direction, or post your config for review.
HTH
08-30-2008 11:22 PM
Hi Andrew, thanks for your reply, dear sir
I think that NAT is OK for the whole LAN
(Just take a look at the notepad file)
Do you think that I can modify my NAT, or connect the inside interface with another IP address inside the LAN in order to leave time for it to reply with the whole network, because 10 minutes are not enough to complete the transition with the same configurations?
Thank you, sir
08-31-2008 03:37 AM
You have a NAT misconfiguration, on your outbound and your inbound.
What IP address space do you currently have in the .240 range?
For the internal-to-external NAT, as an example I would have something like:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 217.24.240.1 255.255.255.240
nat (inside) 2 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (outside) 2 217.24.240.2
~~~******~~~
For the ACL:
static (dmz1,outside) 217.24.240.ggg 217.24.240.ggg netmask 255.255.255.255
access-list acl_out extended permit udp any host 217.24.240.ggg eq domain
THIS MAKES NO SENSE
static (inside,dmz1) 217.24.240.ver www.ww1.ser.roa netmask 255.255.255.255
access-list acl_inside extended permit ip host www.ww1.ser.roa any
I think this is incorrect; if you want internal servers to access a proxy server in the DMZ, the NAT is wrong.
What are you actually trying to do?
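As an added diagnostic example, not code from the thread or from Cisco: a small Python checker that parses the PIX/ASA 7.x nat, global and static lines of the kind quoted above and reports nat ids that have no matching global pool on the exit interface, global pools that no nat statement uses, and identity statics. The sample configuration is constructed from the lines in Andrew's post; the function names parse_nat and check_nat are assumptions.

```python
import re
from dataclasses import dataclass, field

# PIX 6.x / ASA 7.x classic NAT syntax (pre-8.3 object NAT)
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")

# Constructed sample: the configuration fragments quoted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 217.24.240.1 255.255.255.240
nat (inside) 2 0.0.0.0 0.0.0.0
global (outside) 1 interface
global (outside) 2 217.24.240.2
static (dmz1,outside) 217.24.240.ggg 217.24.240.ggg netmask 255.255.255.255
static (inside,dmz1) 217.24.240.ver www.ww1.ser.roa netmask 255.255.255.255
"""


@dataclass
class NatRules:
    nats: list = field(default_factory=list)      # (real_if, id, net, mask)
    globals_: dict = field(default_factory=dict)  # (mapped_if, id) -> pool entries
    statics: list = field(default_factory=list)   # (real_if, mapped_if, mapped, real, mask)


def parse_nat(config: str) -> NatRules:
    """Collect nat / global / static statements from a running-config text."""
    rules = NatRules()
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            rules.nats.append((m[1], int(m[2]), m[3], m[4]))
        elif m := GLOBAL_RE.match(line):
            rules.globals_.setdefault((m[1], int(m[2])), []).append(m[3])
        elif m := STATIC_RE.match(line):
            rules.statics.append((m[1], m[2], m[3], m[4], m[5]))
    return rules


def check_nat(rules: NatRules, exit_if: str = "outside") -> list[str]:
    """Return human-readable findings about nat/global pairing on exit_if."""
    findings = []
    nat_ids = {nid for _, nid, _, _ in rules.nats}

    # A dynamic nat id must be matched by a global pool with the same id on
    # the interface the traffic leaves through; id 0 (nat exemption) is special.
    for real_if, nid, net, mask in rules.nats:
        if nid != 0 and (exit_if, nid) not in rules.globals_:
            findings.append(
                f"nat ({real_if}) {nid} has no 'global ({exit_if}) {nid}'; "
                f"traffic from {net} {mask} towards {exit_if} will not be translated"
            )

    # A global pool whose id no nat statement carries is dead configuration.
    for (mapped_if, gid), pool in rules.globals_.items():
        if gid not in nat_ids:
            findings.append(
                f"global ({mapped_if}) {gid} {' '.join(pool)} is unused: "
                f"no nat statement carries id {gid}"
            )

    # An identity static only satisfies nat-control; it changes no address.
    for real_if, mapped_if, mapped, real, mask in rules.statics:
        if mapped == real:
            findings.append(
                f"static ({real_if},{mapped_if}) {mapped}: identity translation, "
                f"no address change on {mapped_if}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_nat(parse_nat(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the checker reports that global (outside) 1 is never referenced and that the dmz1 static is an identity translation, while nat (inside) 2 and global (outside) 2 pair correctly; deleting the global 2 line makes it flag the nat statement as untranslated towards outside, which is the symptom described at the top of the thread.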
08-31-2008 10:49 PM
Thanks for your suggestion, but my proxy server
is not in the DMZ zone but in the internal zone, and in order to communicate, as it also needs communication with DNS, I need first to translate it to the DMZ public zone (for the DNS), and for the WWW it goes through NAT outside. This is the sense. As for the global NAT, due to the fact that I have a lot of traffic going to the internet I need to have a bundle of addresses to do the NAT (the proxy connection is included when it goes out for WWW), so this is the reason that I do not use my external IP for NAT. As for the line static (dmz1,out), if you will notice, this is UDP port 53, so it's domain, not proxy. It's correct.
09-01-2008 06:31 AM
MEHMET,
static (dmz1,outside) 217.24.240.ggg 217.24.240.ggg netmask 255.255.255.255
This indicates you have allocated a subnet to the DMZ from 217.24.240.x - is this correct? As you are translating 217.24.240.ggg, which sits in the DMZ, to the outside?
access-list acl_out extended permit udp any host 217.24.240.ggg eq domain
This indicates you want to allow any device to query this server via DNS? Is this correct?
static (inside,dmz1) 217.24.240.ver www.ww1.ser.roa netmask 255.255.255.255
This indicates that whatever the server IP address www.ww1.ser.roa is, it will be translated to 217.24.240.ver when it enters the DMZ - is this correct???? I think this is wrong.
09-01-2008 06:41 AM
For the ggg host this is correct; that is my DNS, so each DNS has relationships with my DNS
+ outside mail (relay) server
www.ww1.ser.roa is the web proxy server and it goes to the DMZ segment to contact DNS only
If I start one web connection my proxy gets one of my NAT address bundle and goes out for the WWW (am I clear?)
09-01-2008 06:54 AM
I am confused - perhaps another NetPro reading this will understand and help you.
09-01-2008 07:09 AM
Do not be confused
Internal mail server + domain server go to the DMZ translated by the PIX (private to public)
In the DMZ they meet the public domain + public mail server
These public IPs are translated outside also by the PIX
If I go to my internal proxy, this catches one IP address from the NAT pool and I'm able to open the internet site right now
But I need also DNS to open the internet, so the proxy goes to the DMZ to meet the DNS
The NAT is OK and I have connected the ASA with the same config as the PIX but with another internal IP address (from yesterday) to see if this needs time to replicate with my network, because it is a copy-paste of the configuration, and the fact that the ASA does not want to pass WWW traffic from in to out is strange for me and seems like a NAT problem (as you said = note at the end of the Cisco PDF books) (but I don't think so)
09-01-2008 03:43 PM
Hi,
I suggest posting a sanitized config and a Visio diagram; that will help!!!
09-08-2008 06:52 AM
Hi Andrew
Said honestly, I always use the command line interface (not the GUI via ASDM)
I have read Cisco Document ID: 63880
The response maybe is on page 9, point 11
I have already investigated via ASDM connectivity from my laptop, connecting it via a cross cable with the ASA 5550 internal interface, and the box was checked (by default). This explains why NAT had problems.