02-22-2009 02:55 AM - edited 03-11-2019 07:54 AM
Hi,
I have 16 global IPs, i.e. 80.80.80.112 / 255.255.255.240
ASA IF:
eth0/0 - inside - 10.10.10.2
eth0/1 - outside - 80.80.80.114
eth0/2 - DMZ - 172.16.2.1
eth0/3 - not used
GW Provider: 80.80.80.113
ASA-OUTSIDE-IP: 80.80.80.114 (IP used to surf the Internet from the inside network NAT)
DMZ: 172.16.10.0 /24
DMZ-ASA-IP: 172.16.2.1 /24 (connected to a switch)
DMZ-SERVER-01: 172.16.2.10 (connected to the same switch as the ASA)
DMZ-SERVER-02: 172.16.2.11 (connected to the same switch as the ASA)
DMZ-SERVER-01 NAT: 80.80.80.115
DMZ-SERVER-01 NAT: 80.80.80.116
This configuration is working fine with a PIX 515E, 6.3.
Now my problem:
If I replace the PIX with the new ASA 5520, one of the DMZ servers cannot be reached from outside. It seems that the outside interface does not use the whole range 80.80.80.112/255.255.255.240.
Sometimes only 80.80.80.115 works from outside, and sometimes only .116, if I switch the ASA off/on.
Does anyone have an idea what it could be or what I can do?
NAT DMZ Servers:
static (dmz, outside) 80.80.80.115 172.16.2.10 netmask 255.255.255.255
static (dmz, outside) 80.80.80.116 172.16.2.11 netmask 255.255.255.255
Thx
02-22-2009 09:16 AM
Hello Konrad,
Make sure that you permit the desired traffic in the outside interface ACL destined to 80.80.80.115 and .116. Also enable logging and check the syslogs in ASDM (web interface) when you try to establish a connection and it fails.
Regards
02-22-2009 10:53 AM
Hi,
The ACLs are OK; they are the same ones I have configured on the PIX.
In short, ACL outside_access_in bound on the outside interface:
permit tcp any 80.80.80.115 http
permit tcp any 80.80.80.116 http
If server-01 (.115) is working, and I now change the NAT so that server-01 gets server-02's external IP and server-02 is translated to server-01's external IP, server-02 is working, but not server-01, which now has IP .116.
The syslog does not log any error when I connect from outside. It doesn't log any error for the .115 or .116 address.
...
02-22-2009 01:34 PM
Konrad,
I couldn't understand what you mean by "if server-01 (.115) is working, and now i change NAT that server-01 will be server-02 and server-02 will be translated to server-01 external IP, server-02 is working, but not server-01 now with IP .116", but as I assume, you are going through some IP and translation changes. I recommend you run the following commands:
clear arp
clear xlate
clear local-host all
A sanitized partial config and an elaborated explanation will be helpful.
Regards
02-23-2009 12:54 AM
Hi Huseyin,
Thanks for your help, and sorry for my bad description of the problem.
That's my config:
global (outside) 1 interface
global (dmz-outside) 1 172.16.2.10-172.16.2.11 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz-outside) INTERNAL-LAN INTERNAL-LAN netmask 255.255.0.0
static (inside,dmz-inside) INTERNAL-LAN INTERNAL-LAN netmask 255.255.0.0
static (dmz-outside,outside) 80.80.80.115 172.16.2.10 netmask 255.255.255.255 dns
static (dmz-outside,outside) 80.80.80.116 172.16.2.11 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group dmz-outside_access_in in interface dmz-outside
route outside 0.0.0.0 0.0.0.0 80.80.80.113 1
route inside INTERNAL-LAN 255.255.0.0 INTERNAL-GW 1
That must be OK?
Thx
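An added sanity check (example code, not from this thread or from Cisco) that parses the static and ACL lines quoted above and flags a global address that lies outside the 80.80.80.112/28 block, is its network or broadcast address, collides with the provider gateway or the ASA outside address, or has no permit in the outside ACL; the .114 static is a constructed line included to show a hit. It cannot see state held upstream of the firewall, such as an ARP cache on the provider router.

```python
# Added example (not from the thread): audit PIX/ASA-style statics against the
# assigned public /28. Addresses are the thread's; the .114 static is constructed.
import ipaddress
import re

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
PERMIT_RE = re.compile(r"^permit tcp any (\S+)")

PUBLIC_BLOCK = "80.80.80.112/28"
RESERVED = {"provider gateway": "80.80.80.113", "ASA outside interface": "80.80.80.114"}

CONFIG = """
static (dmz-outside,outside) 80.80.80.115 172.16.2.10 netmask 255.255.255.255 dns
static (dmz-outside,outside) 80.80.80.116 172.16.2.11 netmask 255.255.255.255 dns
static (dmz-outside,outside) 80.80.80.114 172.16.2.12 netmask 255.255.255.255
static (inside,dmz-outside) INTERNAL-LAN INTERNAL-LAN netmask 255.255.0.0
""".strip().splitlines()

ACL = """
permit tcp any 80.80.80.115 http
permit tcp any 80.80.80.116 http
""".strip().splitlines()


def audit_statics(config_lines, acl_lines, public_block=PUBLIC_BLOCK, reserved=RESERVED):
    """Return {global_ip: [problems]} for every static whose mapped interface is outside."""
    block = ipaddress.ip_network(public_block)
    permitted = set()
    for line in acl_lines:
        m = PERMIT_RE.match(line.strip())
        if m:
            permitted.add(m.group(1))
    report = {}
    for line in config_lines:
        m = STATIC_RE.match(line.strip())
        if not m or m.group(2) != "outside":
            continue  # only (x,outside) statics consume public addresses
        glob = m.group(3)
        problems = []
        addr = ipaddress.ip_address(glob)
        if addr not in block:
            problems.append("outside the assigned public block")
        elif addr in (block.network_address, block.broadcast_address):
            problems.append("network or broadcast address of the block")
        problems += [f"collides with {n}" for n, a in reserved.items() if a == glob]
        if glob not in permitted:
            problems.append("no permit in the outside ACL")
        report[glob] = problems
    return report


if __name__ == "__main__":
    for glob, problems in audit_statics(CONFIG, ACL).items():
        print(glob, "OK" if not problems else "; ".join(problems))
```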
03-04-2009 01:31 PM
Could it be the provider's router? That it has saved the ARP table?