ASA to PIX VPN problem

sarat1317
Level 1

Hi

I am new to firewalls and I have configured a VPN between an ASA and a PIX, and it seems I have some basic issues. I cannot browse the internet (by IP or by name) or ping internet IPs from the local LAN. My network and configs are as below.

network

--------

switch - ASA - local router - internet(T1) - ISProuter - pix - switch

LAN to ASA inside - y.y.y.y/24

ASA outside to router - x.x.x.x/30

router to internet - k.k.k.k/30

remote LAN - a.a.a.a/24

LAN DG - x.x.x.1 (ASA)

ASA DG - k.k.k.2 (router)

Router DG - k.k.k.1 (ISP)

config

----------

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.1 255.255.255.252

interface Ethernet0/1

nameif inside

security-level 100

ip address y.y.y.1 255.255.255.0

access-list nonat extended permit ip y.y.y.0 255.255.255.0 a.a.a.0 255.255.255.0

access-list CRYPTO extended permit ip y.y.y.0 255.255.255.0 a.a.a.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 y.y.y.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 x.x.x.2 (DG of ASA is configured to router LAN address)

crypto map map1 20 match address CRYPTO

No other ACLs from inside to outside, so I believe everything is allowed from inside to outside.

other crypto commands, isakmps and shared key etc are all configured properly on both sites.

I used multiple statics for outside world to talk to 1 global IP (k.k.k.2-routers WAN IP towards internet) to reach different internal servers for different ports

static (inside,outside) tcp k.k.k.2 www y.y.y.4 www netmask 255.255.255.255

access-list outside-to-inside extended permit tcp any host k.k.k.2 eq www

access-group outside-to-inside in interface outside

My results

-------------

can ping from local LAN to ASA inside interface

cannot ping from local LAN to ASA outside interface - I think this is normal for PIX & ASA

can ping from ASA to internet (eg:cisco.com)

can ping from local router to internet

cannot browse the internet (by IP or by name) or ping internet IPs from local LAN -- need advice on this please.

Can someone also advise me on what basic tests I need to do before checking the VPN connectivity to the remote site?

Also, is there any document for ASA commands?

I can post the whole config, changing the IPs if that's safe, so someone can take a look.

Thanks and Regards

Venkat

Accepted Solution

Hello Sarat,

I have done some research and haven't found any document that explains what these two counters mean.

However, this does not mean that the ASA is dropping packets randomly. These dropped packets may be untagged broadcast traffic. Since you are not using sub-interfaces, all traffic will be treated as untagged, that is, the default VLAN 1.

Hope this helps even though I couldn't support you with a document from Cisco.

Let me know if you need anything else.

Regards,


kaachary
Cisco Employee

Hi Venkat,

It sounds like a natting issue on the router. Do you have a public IP address on the ASA's outside interface? Or is it a private IP that is natted to some public IP on the router?

Are you able to ping the internet (say 4.2.2.2) from the ASA itself ?

Also, the static NAT you created for internal servers would not work, as this has to be done on the router itself, not on the ASA.

static (inside,outside) tcp k.k.k.2 www y.y.y.4 www netmask 255.255.255.255

I would like to get more information about your topology. Seems like it's a configuration issue on the router.

Thanks,

Kanishka

Hi Kanishka

Thanks very much for your reply.

It sounds like a natting issue on the router. Do you have a public IP address on the ASA's outside interface? Or is it a private IP that is natted to some public IP on the router?

I do have a public IP on the ASA itself and there is no NAT on the router.

Are you able to ping the internet (say 4.2.2.2) from the ASA itself ?

Yes, I can ping the internet from the ASA outside interface.

Also, the static NAT you created for internal servers would not work, as this has to be done on the router itself, not on the ASA.

static (inside,outside) tcp k.k.k.2 www y.y.y.4 www netmask 255.255.255.255

Is there any way we can do this on the ASA, as we want to have all natting and ACLs on the firewall? The router would just forward the traffic to the ASA.

I would like to get more information about your topology. Seems like it's a configuration issue on the router.

I have used dummy IPs and I have attached the configs in the excel (3 sheets). I will attach my network diagram shortly.

Please advise.

Thanks and Regards

venkat

Hi Kanishka

I have added my network diagram.

Thanks

venkat

Hi Venkat,

The access-list "outside-to-inside" is denying the echo replies and http traffic from outside for internal hosts. The statements you have in the ACL do not apply anywhere as the host 65.154.19.149 is not in the inside network of ASA.

To start with :

1: The static NAT statements will not do any good, as router will not forward the traffic inside unless you configure it to do so.

You mentioned you want to do all natting on the ASA; then you have to use either the outside IP address of the ASA or any other free public IP of the same network for this purpose, e.g.

static (inside,outside) tcp 210.55.6.49 www 20.0.14.30 www netmask 255.255.255.255

This way all the internal servers will use the ASA outside IP for natting.

2: For internal hosts to go to the internet, you have to do the following :

access-list outside-to-inside extended permit icmp any any

access-list outside-to-inside extended permit tcp any eq 80 any

And for statically natted internal servers :

access-list outside-to-inside extended permit tcp any 210.55.6.49 eq 80

Try this and let me know if it works.

Hi Kanishka

Thanks very much for your reply.

1. As you mentioned, I have to use 210.55.6.49 as my public IP for outside traffic to come inside. I can still use 65.154.19.149 as a public address on the router, however this will not be used as a reference for inside and outside traffic, right?

2. For internal hosts to go to the internet, as I don't have any rules on the ASA for inside traffic to go out, my understanding is that all the traffic from inside is allowed to outside, right?

I was doing some testing last night in my lab on existing T1, I have removed the router and I am able to browse the internet without any acls.

ASA -- T1 -- remote PIX. So I don't understand if something is wrong between the ASA and the router that's stopping me from browsing the internet.

So do we still require the below rules.

access-list outside-to-inside extended permit icmp any any

access-list outside-to-inside extended permit tcp any eq 80 any

And as you see, "access-group outside-to-inside in interface outside" is applied at outside interface.

If we require these rules, I think I should apply this on inside interface for internet traffic from inside. So will the config be as below?

access-list inside-to-outside extended permit icmp any any

access-list inside-to-outside extended permit tcp any eq 80 any

access-group inside-to-outside in interface inside

Can you please advise if the other configs on the ASA, router and remote PIX look good? Especially, I have a doubt about the routes on the router.

thanks for your help

venkat

Hi Venkat,

Yes, you can use the same ip address on the router.

You require the ACL entries only for your internal servers. You don't need any ACL entry for hosts going out to the Internet. (My mistake! ;) )

On the router, remove the route :

ip route 210.55.6.49 255.255.255.255 FastEthernet0/0

as it's a directly connected subnet and sometimes this route might cause some issues.

I would like you to try it and let me know if this works.

Thanks

Kanishka

Hi Kanishka

Unfortunately I can't test this now with the same scenario. I can only test on Thursday as the client has an outage scheduled.

But as per the config which I sent to you, we have tested on live environment with the router last week and I was not able to browse the internet through ASA.

As per the discussions we had, I believe the changes you advised are for outside traffic coming inside (static & nat statements). So with the current config, I should be able to access the internet through the ASA and PIX, right? But I was not able to do so at both locations. Can you please advise on this.

As I advised before, without the router in my lab, I am able to access the internet through the ASA, however I am not able to browse through the remote PIX.

thanks

venkat

Hi Kanishka

I did some testing in my lab yesterday and found that the tunnel is up and running between the PIX and ASA without the router connected to the ASA. I have no issues browsing etc. I have added only ICMP config on both firewalls to allow any traffic and haven't done any other changes to the current config. I was not able to test the statics, which I will do tomorrow according to the rules advised by you.

My only concern is to browse the Internet with the router connected to the ASA. I am not sure if this is going to work tomorrow. Can we terminate a T1 on the ASA by inserting a module in it? That way I don't have to use the router.

Any advise on this is highly appreciated.

Best Regards

venkat

Hi

Can someone advise me on this please ?

Thanks

venkat

Hello Sarat,

Below are the wrong lines in your config:

1700:

------

no ip route 210.55.6.49 255.255.255.255 FastEthernet0/0

No need for the above route. It is already directly connected to the router.

On the ASA:

All your statics won't work because your 1700 router does not have any route for 65.154.19.149.

If 65.154.19.149 is assigned by your ISP then you have to add a route for this subnet on your 1700 router so it passes traffic to the ASA.

IPSEC config looks OK; however, to check if the tunnel is up:

1- Try to ping end to end

2- Go to the ASA and PIX and issue the command "show crypto isakmp sa". You should see status QM_IDLE.

Issue the above command more than once to make sure the VPN tunnel does not drop.

Let me know how it goes,

Regards,

Hi

Thanks for the reply. With the current configuration, I was unable to browse the internet from the local site. I believe this is the basic thing to check before testing the VPN. As I understand my statics are wrong, however these are used for outside traffic coming in; do you see any problem accessing the internet from the local site with the current config (inside traffic going out)?

I have attached my updated configs and network diagram. I have tested this in my lab, but without having the router in between, i.e. the VPN is built between the ASA and PIX. Everything was successful. However I am not sure if that works if the router comes in.

On the local site, the IPs between ASA and the router (210.55.x.x) and IPs between router and ISP (65.154.x.x) are all public IPs as mentioned in my diagram.

thanks

Attached are the updated configs and network diagram. Can you please advise if this config works for browsing and for the VPN with the router in place.

thanks

Hello Sarat,

Below you can find the modification you need to do:

1700:

no ip route 20.0.14.0 255.255.255.0 210.55.6.49

ASA:

no static (inside,outside) tcp 210.55.6.49 www 20.0.14.30 www netmask 255.255.255.255

no static (inside,outside) tcp 210.55.6.49 81 20.0.14.30 81 netmask 255.255.255.255

no static (inside,outside) tcp 210.55.6.49 82 20.0.14.30 82 netmask 255.255.255.255

no static (inside,outside) tcp 210.55.6.49 ftp 20.0.14.31 ftp netmask 255.255.255.255

no static (inside,outside) tcp 210.55.6.49 3389 20.0.14.32 3389 netmask 255.255.255.255

no static (inside,outside) tcp 210.55.6.49 https 20.0.14.33 https netmask 255.255.255.255

no static (inside,outside) tcp 210.55.6.49 smtp 20.0.14.34 smtp netmask 255.255.255.255

no static (inside,outside) tcp 210.55.6.49 8080 20.0.14.35 8080 netmask 255.255.255.255

no static (inside,outside) tcp 210.55.6.49 8008 20.0.14.33 8008 netmask 255.255.255.255

no static (inside,outside) tcp 210.55.6.49 4433 20.0.14.30 4433 netmask 255.255.255.255

static (inside,outside) tcp interface www 20.0.14.30 www netmask 255.255.255.255

static (inside,outside) tcp interface 81 20.0.14.30 81 netmask 255.255.255.255

static (inside,outside) tcp interface 82 20.0.14.30 82 netmask 255.255.255.255

static (inside,outside) tcp interface ftp 20.0.14.31 ftp netmask 255.255.255.255

static (inside,outside) tcp interface 3389 20.0.14.32 3389 netmask 255.255.255.255

static (inside,outside) tcp interface https 20.0.14.33 https netmask 255.255.255.255

static (inside,outside) tcp interface smtp 20.0.14.34 smtp netmask 255.255.255.255

static (inside,outside) tcp interface 8080 20.0.14.35 8080 netmask 255.255.255.255

static (inside,outside) tcp interface 8008 20.0.14.33 8008 netmask 255.255.255.255

static (inside,outside) tcp interface 4433 20.0.14.30 4433 netmask 255.255.255.255

clear xlate

Other config should be correct.

Please let me know how it goes,

Regards,
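The two config points made in the replies above, mapped-address reachability of the statics and the match between the nat 0 and crypto ACLs, can be checked mechanically. This is an added example, not code from the thread or from Cisco; the config text is constructed in the shape of the poster's, and the outside /30, the server addresses and the remote LAN 192.168.20.0/24 are assumed values.

```python
import ipaddress
import re

# Constructed sample shaped like the thread's ASA config; the outside /30, the
# server addresses and the remote LAN 192.168.20.0/24 are assumed values.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 210.55.6.49 255.255.255.252
access-list nonat extended permit ip 20.0.14.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list CRYPTO extended permit ip 20.0.14.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
static (inside,outside) tcp 65.154.19.149 www 20.0.14.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 20.0.14.33 https netmask 255.255.255.255
"""
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (?:tcp|udp) (\S+) \S+ (\S+) \S+ netmask \S+$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def interface_networks(cfg):
    """Map each nameif to the connected subnet from its 'ip address' line."""
    nets, current = {}, None
    for ln in (x.strip() for x in cfg.splitlines()):
        if ln.startswith("nameif "):
            current = ln.split()[1]
        elif ln.startswith("ip address ") and current:
            ip, mask = ln.split()[2:4]
            nets[current] = ipaddress.ip_interface(f"{ip}/{mask}").network
    return nets

def check_statics(cfg):
    """Flag statics whose mapped (global) address is off the outside subnet: the
    upstream router only forwards its connected /30 to the ASA, so a mapped
    address such as the router's own WAN IP never reaches the ASA."""
    nets, findings = interface_networks(cfg), []
    for m in filter(None, (STATIC_RE.match(x.strip()) for x in cfg.splitlines())):
        _real_if, mapped_if, mapped, real = m.groups()
        if mapped == "interface":
            continue  # borrows the outside interface address: always routable
        if ipaddress.ip_address(mapped) not in nets[mapped_if]:
            findings.append(f"{mapped} -> {real}: not in {mapped_if} subnet {nets[mapped_if]}")
    return findings

def check_nat_exemption(cfg, nonat="nonat", crypto="CRYPTO"):
    """True when the nat 0 ACL and crypto map ACL cover the same network pairs;
    a mismatch means VPN-bound traffic is PATed before it reaches the tunnel."""
    pairs = {}
    for m in filter(None, (ACL_RE.match(x.strip()) for x in cfg.splitlines())):
        name, s, sm, d, dm = m.groups()
        pairs.setdefault(name, set()).add((f"{s}/{sm}", f"{d}/{dm}"))
    return pairs.get(nonat, set()) == pairs.get(crypto, set())
```

Run against a real config dump (`show running-config`), it reports the statics to rewrite with the `interface` keyword and confirms the exemption ACL still mirrors the crypto ACL after edits.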

Hi

Thanks for the reply. Last time you advised me to remove the below route which I removed.

no ip route 210.55.6.49 255.255.255.255 FastEthernet0/0

Can you please advise, if I remove the below route, how would the router reach the internal network?

no ip route 20.0.14.0 255.255.255.0 210.55.6.49

And removing the above 2 routes, I will have only the default route which is pointing to ISP router.

And can you also please advise what would be the difference if I use the ip address instead of interface in static commands? The interface would be referring to the ip address right?

Your early reply is much appreciated. I will be doing the final test this afternoon.

Thanks
