Proxy/mail server - ASA

Answered Question
Oct 4th, 2008

Hi All,


I have a proxy server with two interfaces. One interface is connected to the LAN (192.168.*.*) and the other, 192.168.3.100, is connected to my firewall.

I have configured the ASA with inside IP 192.168.3.99 and outside IP 192.168.4.2. All LAN users use the proxy for the internet. From the ASA, I can ping all interfaces, but I can't ping 192.168.3.99 from the proxy server, and the internet is also not working. What would be the problem?

abinjola Sat, 10/04/2008 - 10:06 (Cisco Employee)

internet-<-----ASAx.x.3.100--<-----x.x.3.99ProxyServer----


a) From the LAN, can you ping 192.168.3.100?


b) In the access-list applied on the outside interface, add the line: access-list line 1 permit icmp any any


c) Now ping 4.2.2.2 from the LAN, turn on "debug icmp trace"; do you see the ICMP packet reaching the firewall?


If possible, post your configuration here.



CSCO10320953 Mon, 10/06/2008 - 22:56

All LAN traffic comes through the proxy server. LAN IPs: 192.168.*.*. The LAN and the proxy server are in the same network.

The proxy's second IP, 192.168.3.100, is connected to the inside interface 192.168.3.99. The outside IP 192.168.4.2 is connected to the BSNL modem 192.168.4.1.



BMRC# sh run
: Saved
:
ASA Version 7.0(6)
!
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.3.99 255.255.255.0
!
interface Ethernet0/0.1
 shutdown
 no vlan
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.2
 shutdown
 no vlan
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif Outside
 security-level 0
 ip address 192.168.4.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address *.*.*.* 255.255.255.128
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu inside 1500
mtu Outside 1500
mtu management 1500
no asdm history enable
arp timeout 14400
route inside 192.168.0.0 255.255.255.0 192.168.3.100 1
route Outside 0.0.0.0 0.0.0.0 192.168.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2143d98d4cd9274aabcf7c7d19e73c7d
: end
BMRC#

abinjola Mon, 10/06/2008 - 23:28 (Cisco Employee)

Take care of the following points:



a) You have an ASA 5505, correct? By default, port e0/0 is the outside interface and the rest, 0/1-0/7, are part of VLAN 1, which is the inside interface. But you have made e0/0 inside; please make sure you have it assigned to VLAN 1 (inside), and e0/2 must be assigned to VLAN 2.


b) Remove the logical VLANs:

no interface Ethernet0/0.1
no interface Ethernet0/0.2


c) You never answered whether you are able to ping the inside interface from any inside LAN machine.


d) On the outside you have a private IP. Who does the NATing, the outside modem or the ASA?


I would like you to add the following commands:

policy-map global_policy
 class inspection_default
  inspect icmp

logg mon 7
term mon
logg on


Now, once you have these commands in place, ping 4.2.2.2, collect the logs and paste them here.

CSCO10320953 Tue, 10/07/2008 - 01:59

c. No

d. NAT ASA I

BMRC# debug icmp trace
debug icmp trace enabled at level 1
BMRC# ping 4.2.2.2
ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=48384 len=72
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72
!ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=48384 len=72
!ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72
ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=48384 len=72
ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72
!ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=48384 len=72
!ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72
ICMP echo request from 192.168.4.2 to 4.2.2.2 ID=4388 seq=48384 len=72
ICMP echo reply from 4.2.2.2 to 192.168.4.2 ID=4388 seq=48384 len=72


abinjola Tue, 10/07/2008 - 02:05 (Cisco Employee)

Add:

nat (inside) 1 0 0
global (outside) 1 interface

CSCO10320953 Tue, 10/07/2008 - 02:13

I am not able to ping 192.168.3.99.

route Outside 0.0.0.0 0.0.0.0 192.168.4.1 1
route inside 192.168.0.0 255.255.255.0 192.168.3.99 1

CSCO10320953 Tue, 10/07/2008 - 02:25

access-list outacc extended permit icmp any any
access-group outacc in interface Outside

Correct Answer
abinjola Tue, 10/07/2008 - 02:30 (Cisco Employee)

From the firewall, are you able to ping proxy 3.99?

From the proxy, ping 4.2.2.2 and turn on:

logg on
logg mon 7
term mon
debug icmp trace

Send me the above outputs.
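As an added example (not from the thread or from Cisco), the checker below parses an ASA 7.x running config like the one posted above and reports the three gaps the replies circle around: no nat/global pair, no return path for echo replies (neither "inspect icmp" nor an outside ACL permitting ICMP), and an inside route whose next hop is not the proxy. The sample config is a constructed excerpt of the posted one, and the proxy address 192.168.3.100 is taken from the poster's description; interface names are matched exactly against the config's nameif lines because the ASA treats them as case-sensitive.

```python
import re

# Constructed excerpt of the running config posted in the thread (relevant lines only).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.3.99 255.255.255.0
interface Ethernet0/2
 nameif Outside
 security-level 0
 ip address 192.168.4.2 255.255.255.0
route inside 192.168.0.0 255.255.255.0 192.168.3.100 1
route Outside 0.0.0.0 0.0.0.0 192.168.4.1 1
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
"""


def audit_asa_config(text, proxy_ip="192.168.3.100"):
    """Return pass/fail for the three gaps raised in the thread."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    nameifs = {ln.split()[1] for ln in lines if ln.startswith("nameif ")}
    # 1. Dynamic PAT needs 'nat (X) N ...' paired with 'global (Y) N ...', and X and Y
    #    must be real nameifs: the ASA matches them case-sensitively, so a 'global (outside)'
    #    line does nothing on a box whose interface is named 'Outside'.
    by_id = {}
    for ln in lines:
        m = re.match(r"(nat|global) \((\S+)\) (\d+) ", ln)
        if m and m.group(2) in nameifs:
            by_id.setdefault(m.group(3), set()).add(m.group(1))
    nat_ok = any(kinds == {"nat", "global"} for kinds in by_id.values())

    # 2. Echo replies from the internet need either ICMP inspection (stateful return
    #    path) or an explicit permit in the ACL applied inbound on the outside interface.
    acl_names = {ln.split()[1] for ln in lines
                 if re.match(r"access-group \S+ in interface ", ln)}
    acl_permits_icmp = any(
        re.match(rf"access-list {re.escape(n)} (extended )?permit icmp any any$", ln)
        for n in acl_names for ln in lines)
    icmp_return_ok = "inspect icmp" in lines or acl_permits_icmp

    # 3. The route back to the LAN must use the proxy as next hop, not the ASA's own address.
    route = next((ln.split() for ln in lines if ln.startswith("route inside ")), None)
    route_ok = route is not None and len(route) > 4 and route[4] == proxy_ip

    return {"nat_ok": nat_ok, "icmp_return_ok": icmp_return_ok,
            "inside_route_via_proxy": route_ok}
```

Run against the posted config it fails the first two checks and passes the route check; appending the thread's nat/global lines only satisfies check 1 once the global line uses the exact nameif "Outside".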
