Two FWs

Answered Question
Sep 19th, 2008

Cisco ASA 5510. Outside NIC connected to ISP with real internet IP addresses. Inside NIC connected to DMZ 172.17.193.0/24 with address 172.17.193.100.

Brand new clean ISA 2006 SP1. Outside NIC connected to 172.17.193.0/24 DMZ with address 172.17.193.1. Inside NIC connected to UAT 44.44.44.0/24 with address 44.44.44.109.

VPN user connects to the ASA (gets a 192.168.20.0/24 IP address). On the ASA, there is:

  access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0
  route inside 44.44.44.0 255.255.255.0 172.17.193.1 1

What I have now on the ISA FW policy:

1. Allow, RDP, From External, To Internal and Local host
2. Allow, All Outbound Traffic, From Internal and Local host, To External

Can 44.44.44.x browse the Internet? No.
Can VPN Clients RDC 44.44.44.x devices? Yes.
Can VPN Clients RDC 44.44.44.109 (ISA)? Yes.
Can 44.44.44.x RDC 172.17.193.x devices? No.

Does anyone know if there's anything I have to change on the ASA to make sure all the answers are YES?

Correct Answer
Marwan ALshawi Fri, 09/19/2008 - 18:48

Do you have NAT in the ASA like:

  nat (inside) 1 0 0
  global (outside) 1 interface

This is for inside hosts to access the internet.


support.edm Mon, 09/22/2008 - 08:12

I have this:

  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 172.17.193.0 255.255.255.0


support.edm Mon, 09/22/2008 - 09:57

Your message gave me some clues. I had to add:

  access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0
  nat (inside) 1 44.44.44.0 255.255.255.0

On a side note, with

  nat (inside) 1 44.44.44.0 255.255.255.0
  nat (inside) 1 172.17.193.0 255.255.255.0

can I just have nat (inside) 1 0 0 instead of having the above 2?
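As an added illustration (not code from the thread or from Cisco), a small Python model of the pre-8.3 ASA NAT lookup order for flows arriving on "inside": the nat 0 exemption ACL is consulted before the dynamic nat (inside) 1 statements, which is why the inside_nat0_outbound entry keeps UAT-to-VPN-client traffic untranslated while everything else is PATed to the outside interface. The outside address and the test flows are constructed placeholders; the config tables mirror the lines support.edm posted.

```python
"""Model of the pre-8.3 ASA NAT lookup order on the 'inside' interface.

Added example, not code from the thread. The config below is constructed
to mirror support.edm's lines: a nat 0 exemption ACL plus dynamic NAT rules.
"""
from ipaddress import ip_address, ip_network

OUTSIDE_IF_ADDR = "203.0.113.10"  # placeholder for the ASA's real outside IP

# access-list inside_nat0_outbound extended permit ip <src> <dst>
NAT0_ACL = [("44.44.44.0/24", "192.168.20.0/24")]

# nat (inside) 1 <network> <mask>; NAT ID 1 is paired with
# 'global (outside) 1 interface', i.e. PAT to the outside interface address.
NAT_ID1_SOURCES = ["44.44.44.0/24", "172.17.193.0/24"]


def nat_decision(src: str, dst: str, nat1_sources=NAT_ID1_SOURCES) -> str:
    """Return what the ASA does with a flow entering on 'inside'."""
    s, d = ip_address(src), ip_address(dst)
    # 1. NAT exemption (nat 0 access-list) is evaluated first. Without it,
    #    replies from UAT hosts to VPN clients would be PATed and RDP breaks.
    for src_net, dst_net in NAT0_ACL:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return "exempt (no translation)"
    # 2. Dynamic NAT: the first nat (inside) 1 statement containing the
    #    source wins, and ID 1 maps to PAT on the outside interface.
    for net in nat1_sources:
        if s in ip_network(net):
            return f"PAT to {OUTSIDE_IF_ADDR}"
    # 3. No rule matched: dropped if nat-control is enabled, otherwise
    #    forwarded untranslated.
    return "no matching NAT rule"


def catch_all_equivalent(flows) -> bool:
    """True if 'nat (inside) 1 0 0' yields the same decision as the two
    per-subnet statements for every (src, dst) pair in flows."""
    return all(nat_decision(s, d) == nat_decision(s, d, ["0.0.0.0/0"])
               for s, d in flows)


if __name__ == "__main__":
    for flow in [("44.44.44.50", "192.168.20.7"), ("44.44.44.50", "198.51.100.1"),
                 ("172.17.193.1", "198.51.100.1")]:
        print(flow, "->", nat_decision(*flow))
```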
