I installed a new Internet router and ASA5510 cluster as the following, if looking from ISP:
ISP -- router -- ASA5510 -- edge 6509
router Loopback: 10.1.1.4
router LAN port: 22.214.171.124
router sends 126.96.36.199/24 to ISP
ASA management: 10.1.1.2
ASA outside: 188.8.131.52
ASA inside: 10.10.10.2
ASA DMZ: 192.168.1.1 (DMZ subnet 192.168.1.0/24)
6509 management: 10.1.1.1
6509 has 10.10.10.1 talking with ASA inside
I have verified routing between router, ASA, and 6509 is fine, and ASA clustering is fine too.
This is brand new ASA, so except for interface and routing configurations, everything else is still the default with a new box.
Issue 1: can't ping or telnet from 6509 to any router IP, or ASA outside and DMZ IP.
6509 has correct routes to outside IP's. Do I need to configure ACL to ASA outside interface and DMZ interface, to allow ICMP, Telnet, SSH, etc coming into ASA inside? Does this have anything to do with IP Inspection also?
Issue 2: can't telnet or ssh from ASA
I can ping from ASA to any of those addresses, but seems ASA does not accept telnet or ssh command when doing it from itself. Is this true?
Issue 3: NAT and PAT from DMZ to outside
I want to static NAT some DMZ hosts and PAT everything else, such as:
static (DMZ, outside) 184.108.40.206 192.168.1.20
static (DMZ, outside) 220.127.116.11 192.168.1.21
global (outside) 1 18.104.22.168
nat (inside) 1 192.168.1.0 255.255.255.0
Do I need to have an ACL to exclude the statically NATTed address from PAT?
Issue 4: prevent PAT for traffic going through IPSec tunnel
This is from inside to outside. All internal users are PATTed when going to Internet, but some traffic going from internal to clients needs to go through IPSec tunnel. So I should block those traffic from being PATTed. Is that right?
access-list IPSec-traffic extended permit ip any 172.20.20.0 255.255.255.0
access-list IPSec-traffic extended permit ip any 172.26.20.0 255.255.255.0
nat (inside) 0 access-list IPSec-traffic
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
The same access-list IPSec-traffic is used to crypto-map on the outside interface to activate IPSec tunnel.
Is this the right configuration?
Thanks a lot for any help