Cisco Support Community
New Member

ASA/PIX/ISA Configuration

My company has purchased an ASA 5510 and an ISA 2006 server to replace the existing Front End/Back End PIX 520s we currently have. Instead of doing a full cutover, I have decided to bring them up in tandem and test the configuration. I have set up the ASA how I want to and pretty much modified the existing Front-End PIX config to fit the Front End ASA. When running some tests in the DMZ like basic web traffic, I am unable to reach the internet using the ASA as the default gateway from a PC/server in the DMZ. My nat and global statements are correct and my route is pointing to the Internet Router. I have included a diagram to help see what I am trying to accomplish.

5 REPLIES
Gold

Re: ASA/PIX/ISA Configuration

You haven't overlapped your nat statements between the ASA and existing firewall?

Is the traffic making it to your internet router (the 2500?)?

Can you post the nat and global statements from the ASA?

New Member

Re: ASA/PIX/ISA Configuration

Nat Statements

nat (VPN) 0 access-list nonat

nat (Inside) 1 0.0.0.0 0.0.0.0

Global Statement

global (Outside) 1 interface

The traffic is making it to the Internet Router.

What I also noticed is that the ISA server, which is the backend for the ASA, can surf the web but is really slow. Haven't been able to troubleshoot that yet.

Frank

Gold

Re: ASA/PIX/ISA Configuration

What is the ISA server's dg?

Try pinging something on the internet from the ASA device itself, then try pinging the same thing from the DMZ PC.

www.yahoo.com 69.147.114.210 appears to be pingable.

What happens when the PC tries to ping 216.x.x.1?

New Member

Re: ASA/PIX/ISA Configuration

The ISA server's dg interface facing the DMZ is blank. This is how the ISA is setup for a backend config.

When I ping from ASA, I get a response. When I ping from pc/server in the DMZ, I get a response.

Must be a config problem on the ASA...

Frank

New Member

Re: ASA/PIX/ISA Configuration

I found the G D&%@ problem. The server I was using already has a static nat statement on the ASA and on the PIX. So when I tried to access the web, it was sending the return packet back to the PIX. I used a laptop and gave it an IP that wasn't static natted, and it works. Now trying to work out the issue of why the web is so slow using the ASA.

Frank
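A way to check for the condition found in the last post before running two firewalls in tandem, as an added example that is not part of the original thread: it compares the `static` lines of two pre-8.3 PIX/ASA configs and reports mapped addresses defined on both. The interface names, the 192.0.2.x and 172.16.1.x addresses and the sample configs are constructed for illustration.

```python
import ipaddress
import re

# Pre-8.3 PIX/ASA form: static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
# Port-redirection and "interface" statics are not matched by this pattern.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+)"
    r"(?: netmask (?P<mask>\d+\.\d+\.\d+\.\d+))?",
    re.MULTILINE,
)

def parse_statics(config):
    """Return (mapped_network, real_network) pairs for each static NAT line."""
    out = []
    for m in STATIC_RE.finditer(config):
        mask = m.group("mask") or "255.255.255.255"
        mapped = ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=False)
        real = ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False)
        out.append((mapped, real))
    return out

def find_shared_statics(config_a, config_b):
    """Statics on two firewalls whose mapped (translated) ranges overlap."""
    conflicts = []
    for mapped_a, real_a in parse_statics(config_a):
        for mapped_b, real_b in parse_statics(config_b):
            if mapped_a.overlaps(mapped_b):
                conflicts.append((str(mapped_a), str(real_a), str(real_b)))
    return conflicts

# Constructed sample configs (not taken from the thread).
PIX_CONFIG = """\
static (dmz,outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255
static (dmz,outside) 192.0.2.11 172.16.1.11 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
"""
ASA_CONFIG = """\
static (DMZ,Outside) 192.0.2.10 172.16.1.10 netmask 255.255.255.255
static (DMZ,Outside) 192.0.2.20 172.16.1.20 netmask 255.255.255.255
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
"""

if __name__ == "__main__":
    for mapped, real_pix, real_asa in find_shared_statics(PIX_CONFIG, ASA_CONFIG):
        print(f"{mapped} is static on both: PIX -> {real_pix}, ASA -> {real_asa}")
```

Any host it reports should be tested through the new firewall only after its static is removed from one of the two devices, or tested with an address that has no static, as was done with the laptop.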
