03-19-2010 11:48 AM - edited 03-11-2019 10:23 AM
My Objectives:
I have attached my current config file, but it wasn't working. Using this configuration, OFFICE and INTERNET are not reachable, not even the router 10.11.10.1.
Can anyone out there help me configure my ASA properly according to my objectives?
Thanks in Advance.
Regards,
r3linquish3d
03-19-2010 09:44 PM
If no translation is required, you can configure "no nat-control".
For traffic from low security level to high security level, you would need to have static translation configured, and it works bidirectionally:
static (inside,outside) 192.168.107.0 192.168.107.0 netmask 255.255.255.0
static (dmz,outside) 192.168.109.0 192.168.109.0 netmask 255.255.255.0
This is assuming that the office ASA firewall is configured correctly.
If you would like to ping through the ASA, you would also need to add the following:
policy-map global_policy
 class inspection_default
  inspect icmp
Hopefully the above should allow most of your objectives to work.
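The rule in the answer above (with nat-control on, a lower-security interface reaches a higher-security subnet only through a static), as an added example that is not part of the original post: a Python check that reads a pre-8.3 style configuration and lists the interface pairs still lacking an identity static. The security levels, the sample configuration and the function names are assumptions, and a configuration with no nat-control line is treated as nat-control disabled.

```python
import re
from ipaddress import ip_network

# Constructed sample, pre-8.3 ASA syntax. Interface names and subnets are from the
# thread; security levels are assumed and (dmz,outside) is omitted on purpose.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50
nat-control
static (inside,outside) 192.168.107.0 192.168.107.0 netmask 255.255.255.0
"""
SUBNETS = {"inside": "192.168.107.0/24", "dmz": "192.168.109.0/24"}
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")

def parse(config):
    """Return (nat_control, {nameif: level}, [(real_if, mapped_if, mapped, real)])."""
    nat_control, levels, statics, name = False, {}, [], None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
        elif line in ("nat-control", "no nat-control"):
            nat_control = line == "nat-control"
        elif m := STATIC_RE.fullmatch(line):
            real_if, mapped_if, mapped, real, mask = m.groups()
            statics.append((real_if, mapped_if,
                            ip_network(f"{mapped}/{mask}"), ip_network(f"{real}/{mask}")))
    return nat_control, levels, statics

def missing_identity_statics(config, subnets):
    """Sorted (higher_if, lower_if) pairs with no identity static for the higher subnet."""
    nat_control, levels, statics = parse(config)
    if not nat_control:  # "no nat-control" (or no line, by assumption): nothing required
        return []
    missing = []
    for hi, net in subnets.items():
        # Lower-side interfaces already covered by an identity static for this subnet.
        covered = {s[1] for s in statics
                   if s[0] == hi and s[2] == s[3] and ip_network(net).subnet_of(s[3])}
        missing += [(hi, lo) for lo in levels
                    if levels[lo] < levels[hi] and lo not in covered]
    return sorted(missing)
```

Each reported pair `(hi, lo)` corresponds to a missing `static (hi,lo) <subnet> <subnet> netmask <mask>` line of the kind the replies in this thread suggest.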
03-21-2010 06:30 AM
03-21-2010 03:57 PM
Great to hear, thanks for updating and rating.
03-22-2010 01:19 AM
You are welcome.
Now from the OFFICE_LAN firewall I'm getting INSIDE and DMZ, but from the local LAN I can't. The OFFICE_LAN side firewall IP is 192.168.2.1 and the OFFICE_LAN outside IP is 192.168.108.2, which is connected to the router (192.168.108.1).
How can I solve that? Any help?
03-22-2010 01:28 AM
Do you mean you can't connect to DMZ from Inside LAN? If that is a true statement, you need to configure the following:
static (inside,dmz) 192.168.107.0 192.168.107.0 netmask 255.255.255.0
Hope that helps.
03-22-2010 01:57 AM
INSIDE and DMZ are working smoothly and fine. I am talking about OFFICE_LAN.
From OFFICE_LAN_FW, I'm getting INSIDE and DMZ, but not from OFFICE_LAN.
03-22-2010 02:02 AM
Sorry, I am a bit confused about where the traffic is going from and to. Can you please advise the source and destination subnet, and also share the current configuration on OFFICE_LAN_FW? Thanks.
03-22-2010 03:37 AM
03-22-2010 03:41 AM
Thanks for that.
Here is what needs to be configured:
static (insidelan,insideremotelan) 192.168.107.0 192.168.107.0 netmask 255.255.255.0
static (insidelan,insideremotelan) 192.168.109.0 192.168.109.0 netmask 255.255.255.0
Hope that helps.
03-22-2010 04:11 AM
It's not working.
03-22-2010 04:17 AM
Please clear the xlate table just in case it created a dynamic translation prior to the configuration: clear xlate
03-22-2010 05:19 AM
Not working
03-22-2010 05:23 AM
Do you still have the ACL configured with "permit ip any any" on all interfaces?
What about the router? Does it have a route for the OFFICE_LAN pointing towards the OFFICE_LAN_FW interface (192.168.108.2)?
03-22-2010 05:51 AM