I hope you can help me; do bear with me as I'm still starting with Cisco products.
We have a Cisco ASA 5510 with a Base License running 7.08. Our provider assigned us x.x.199.41 as the gateway, while the ASA is on x.x.199.42 in the 255.255.255.248 subnet. I tried mapping our servers, with x.x.199.43 on server1 and x.x.199.44 on server2. server2 can be reached from outside while server1 is unreachable, and our provider is insisting the issue is with our firewall configuration. Below is our running config; I hope someone can point me in the right direction. Thanks!
ASA Version 7.0(8)
ip address x.x.199.42 255.255.255.248
ip address 192.168.10.250 255.255.255.0
no ip address
ip address x.x.0.1 255.255.255.0
ftp mode passive
object-group network inside-network
access-list Private_access_in extended permit ip any any
access-list Private_access_in extended permit icmp any any
access-list Private_access_out extended permit ip any any
access-list Private_access_out extended permit icmp any any
access-list Public_access_in extended permit ip any any
access-list Public_access_in extended permit icmp any any
access-list Public_access_out extended permit ip interface Public any
access-list Public_access_out extended permit icmp interface Public any
access-list MYLIST1 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.7.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.100.0
access-list MYLIST2 extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0
access-list MYLIST3 extended permit ip 192.168.10.0 255.255.255.0 192.168.7.0
access-list MYLIST3 extended permit ip 192.168.10.0 255.255.255.0
The "static" statement seems to be normal at least. (Though we can't see the whole statement, I assume you've made sure the public IP is entered correctly.)
Your ACL setup seems strange though.
You are using the same access-list for both interfaces for both directions.
This is just my personal opinion but you will be fine with using a separate access-list for both interfaces and only apply them to "in" direction.
My basic access-list that I do is INSIDE-IN and OUTSIDE-IN and have the interface names as "inside" and "outside". Configuration stays really simple.
Also, your security-level configuration seems a bit unusual (although I guess it doesn't really cause any problems in this case). Again, the very basic setup would be to have "inside" as "100" and "outside" as "0".
Personally I would first have someone try a connection to the service that you are running on the server that's not working. At the same time I would open the ASA's ASDM and see from the monitoring what is happening to the connection. Is it showing up on the firewall, and if it is, what is happening to the connection?
I'm not sure if the "packet-tracer" command was included in the 7.0 software (I didn't find it in the command reference for 7.0 at least), but if it does exist in your software, try the command out and see what's happening to the connections from outside.
Also, does the problem server have its default gateway set correctly? I ask because you are using an address ending in .250 as the ASA interface IP address. Though this question is due to my personal preference again, since I usually use the first address after the network address as the interface address.
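The layout the reply recommends, written out as an added example (not the poster's config and not taken from any Cisco document): one ACL per interface, bound inbound only, "inside" at 100 and "outside" at 0, and one static per published server. The interface names, the inside addresses 192.168.10.43/.44 and the port 443 are assumptions; the public /29 (x.x.199.40 to .47) is derived from the mask in the question.

```cisco
! Added example for pre-8.3 software; names, inside addresses and ports are assumptions.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.199.42 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.250 255.255.255.0
!
! One static per published server. The mapped address must lie in the provider's
! /29 and must not collide with the gateway (.41) or the ASA itself (.42).
static (inside,outside) x.x.199.43 192.168.10.43 netmask 255.255.255.255
static (inside,outside) x.x.199.44 192.168.10.44 netmask 255.255.255.255
!
! Outside-facing ACL. On pre-8.3 software the ACL matches the mapped (public)
! address. Permit only the published service instead of "ip any any", and log
! what is dropped so a refused connection shows up in the syslog.
access-list OUTSIDE-IN extended permit tcp any host x.x.199.43 eq 443
access-list OUTSIDE-IN extended permit tcp any host x.x.199.44 eq 443
access-list OUTSIDE-IN extended deny ip any any log
!
! Inside-facing ACL: what internal hosts may start outbound.
access-list INSIDE-IN extended permit ip 192.168.10.0 255.255.255.0 any
!
! Each ACL is bound exactly once, inbound on its own interface.
access-group OUTSIDE-IN in interface outside
access-group INSIDE-IN in interface inside
!
! Checks after the change: "show xlate" should list both statics,
! "show access-list OUTSIDE-IN" shows hit counts per line while a tester
! connects, and on releases that have it, packet-tracer walks one flow:
!   packet-tracer input outside tcp 203.0.113.5 40000 x.x.199.43 443
```

If the static for x.x.199.43 is present and the ACL line for it gets no hits while a test connection is made, the packet is not reaching the ASA and the question goes back to the provider's routing for the /29.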