×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Reach published services from internal network

Unanswered Question
May 8th, 2012
User Badges:

Hi.


I have a ASA 5510 with one external interface (eth0) and one internal interface (eth1) with 4 VLAN interfaces 'attached' to eth1.


I have external services published on VLAN 2, but are unable to reach these services (i.e webmail.domain.com) from the physical eth1 (or any of the other VLANs)

I am able to reach these services from external sites, but as long as I am on the inside network I am not.


When reading the log I see the following:


Service #1 - webmail.domain.com


Main IP for outside network is 109.x.x.12

IP for service webmail.domain.com is 109.x.x.15


6May 08 201209:42:54305011192.168.x.572758109.x.x.1233854

Built dynamic TCP translation from any:192.168.x.57/2758 to OutsideISP:109.x.x.12/33854


6May 08 201209:42:54302013192.168.x.572758109.x.x.15443Built outbound TCP connection 1005229 for OutsideISP:109.x.x.15/443 (109.x.x.15/443) to insidenetwork.local:192.168.x.57/2758 (109.x.x.12/33854)


And that is it, after a while the connection times out and I get a Teardown message in the log.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
varrao Tue, 05/08/2012 - 01:23
User Badges:
  • Red, 2250 points or more

Hi Thomas,


Coould you post your configuration as well, it would be better to understand the issue.


Thanks,

Varun

bridge_it Tue, 05/08/2012 - 01:48
User Badges:

Sure, I have to remove some of the stuff, but I think this will show the stuff you need:


ASA Version 8.4(2)

!

interface Ethernet0/0

nameif OutsideISP

security-level 0

ip address 109.x.x.12 255.255.255.x

!

interface Ethernet0/1

nameif inside.local

security-level 100

ip address 192.168.x.1 255.255.255.0

!

interface Ethernet0/1.2

vlan 2

nameif services.local

security-level 100

ip address 10.20.2.1 255.255.255.0

!

interface Ethernet0/1.3

vlan 3

nameif vlan3.local

security-level 100

ip address 10.20.3.1 255.255.255.0

!

interface Ethernet0/1.26

vlan 26

nameif guest.local

security-level 40

ip address 10.11.26.1 255.255.255.0

!

interface Ethernet0/1.60

vlan 211

nameif canteen.local

security-level 100

ip address 172.16.60.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name inside.local

same-security-traffic permit inter-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network [3]EXC-CAS-01

host 10.20.2.30

object network [0]webmail.domain.com

host 109.x.x.15

access-list services.local_access_in extended permit ip 10.20.2.0 255.255.255.0 any

access-list OutsideISP_access_in extended permit tcp any object [3]EXCH-CAS-01 eq https

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu OutsideISP 1500

mtu inside.local 1500

mtu vlan2.local 1500

mtu services.local 1500

mtu canteen.local 1500

mtu guest.local 1500

ip verify reverse-path interface OutsideISP

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

object network obj_any

nat (any,OutsideISP) dynamic interface

object network [3]EXCH-CAS-01

nat (services.local,OutsideISP) static [0]webmail.domain.com

access-group OutsideISP_access_in in interface OutsideISP

access-group inside.local_access_in in interface inside.local

access-group services.local_access_in in interface services.local

route OutsideISP0.0.0.0 0.0.0.0 109.x.x.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server SecurEnvoy-AAA protocol radius

aaa-server SecurEnvoy-AAA (inside.local) host 192.168.x.11

key xxxxxxxxxxxxxxxxxxx

authentication-port 1812

user-identity default-domain LOCAL

http server enable

http 192.168.x.x 255.255.255.0 inside.local

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

no sysopt connection permit-vpn

!

threat-detection basic-threat

threat-detection scanning-threat shun duration 3600

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 129.240.2.6 source OutsideISP

ssl trust-point ASDM_TrustPoint0 OutsideISP vpnlb-ip

ssl trust-point ASDM_TrustPoint0 OutsideISP

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

hpm topN enable

: end

Actions

This Discussion

Related Content