I have an ASA 5510 configured with three interfaces, defined as inside, outside and student. The inside network has a security level of 100, the outside is 0 and the student is 1. There is a server on the student subnet that serves as a DNS server for both the student and inside subnets. If I run a packet trace on the firewall from the inside to the student network to the server, it says that the packet is allowed; however, any real traffic from PCs on the inside does not get to the server. FYI, I do not see an ARP entry on the firewall for the server. The firewall is configured in routed mode. Devices on the student subnet can see the server. The only route statement is a default route to the outside subnet. This should not be an issue since the other subnets are directly connected. Any ideas? Attached is the firewall config.
The NAT exemption is incorrect: you can't specify "any" as the destination, as traffic destined for the Internet will also be NAT-exempted.
You can change the following:
access-list inside_nat0_outbound extended permit ip 172.16.250.0 255.255.255.0 any
to:
access-list inside_nat0_outbound extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0
Also, you can remove the following, as it is not required:
nat (student) 0 access-list student_nat0_outbound
If Student needs to access the Internet, then add the following:
nat (student) 1 192.168.250.0 255.255.255.0
Then "clear xlate".
Regarding the ARP entry for the server: what is the server's IP address, mask and default gateway? Are you able to ping the server from the firewall, and is the server able to ping the firewall's student interface (192.168.250.1)?
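The fix described in the answer above, written out as one coherent block. This is an added example, not the original poster's config or the answerer's text; it assumes an ASA running pre-8.3 software (the "nat 0 access-list" syntax used in the thread), that the existing "nat (inside) 0 access-list inside_nat0_outbound" and "nat (inside) 1" / "global (outside) 1" lines look like the ones shown, and that 172.16.250.10 is an inside PC used only for the packet-tracer test. Everything after the "Verification" comment is read-only checks a practitioner would run after "clear xlate".

```cisco
! Added example (not from the original post). Assumes ASA pre-8.3 NAT syntax.
!
! --- Before: exempts inside -> ANY, so Internet-bound traffic from inside is
!     never translated either (the problem the answer points out)
! access-list inside_nat0_outbound extended permit ip 172.16.250.0 255.255.255.0 any
!
! --- After: exempt only inside -> student. Everything else from inside still
!     hits the normal NAT policy (nat id 1 / global).
no access-list inside_nat0_outbound extended permit ip 172.16.250.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 172.16.250.0 255.255.255.0 192.168.250.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Student must not reach the Internet, so there is no "nat (student)" line at
! all; the unneeded exemption from the original config is removed.
no nat (student) 0 access-list student_nat0_outbound
!
! Inside still needs to reach the Internet via the outside interface address.
! (Assumed policy: the thread does not show the existing nat/global lines.)
nat (inside) 1 172.16.250.0 255.255.255.0
global (outside) 1 interface
!
! Flush existing translations so the new exemption takes effect immediately.
clear xlate
!
! --- Verification
! 1. Simulate an inside PC (assumed 172.16.250.10) querying the student DNS
!    server. The NAT phase should show the nat0 exemption and the final
!    result should be ALLOW.
packet-tracer input inside udp 172.16.250.10 1025 192.168.250.10 53
! 2. Confirm no translation was built for inside -> student traffic.
show xlate
! 3. Check that the ASA actually resolved the server's MAC on the student
!    VLAN. No entry here means the frame never reached the server at layer 2,
!    which is a switching/VLAN problem rather than a NAT or ACL problem.
ping student 192.168.250.10
show arp | include 192.168.250.10
```

A packet-tracer ALLOW only proves the policy path; it does not transmit a frame, which is why step 3 is the one that distinguishes a NAT/ACL issue from the missing ARP entry mentioned in the question.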
I will make the suggested changes. Student does not and should not have access to the Internet. I cannot ping the server from the firewall. The response I get is ????. I believe the server can ping the firewall 192.168.250.1 address, but I will check. The server IP is 192.168.250.10, mask 255.255.255.0, gateway 192.168.250.1.
The Windows firewall is disabled on the server. The server is connected to a switch to which the firewall is also connected. There are two VLANs on the switch, one for the student network and one for the Teacher (inside) network. The firewall has two connections to the switch, one in each VLAN.