New Member

CISCO ASA 5520 configuration isn't working

net_diagram.JPG

My Objectives:

  1. INSIDE can access OFFICE (mail, billing, application, dns) and INTERNET
  2. DMZ can communicate with OFFICE and INTERNET
  3. INSIDE and DMZ can access each other (all permissive)
  4. OFFICE can access DMZ, especially http (e.g. websvr IP is 192.169.109.15)
  5. OFFICE can access INSIDE's web (mrtgsvr IP is 192.168.107.29)
  6. OFFICE can poll SNMP and WMI information from DMZ and INSIDE.

I have attached my current config file, but it isn't working. Using this configuration, OFFICE and INTERNET are not reachable, not even the router 10.11.10.1.

Can anyone help me configure my ASA properly according to my objectives?

Thanks in Advance.

Regards,

r3linquish3d


Accepted Solutions
Cisco Employee

Re: CISCO ASA 5520 configuration isn't working

If no translation is required, you can configure "no nat-control".

For traffic from low security level to high security level, you would need to have static translation configured, and it works bidirectionally:

static (inside,outside) 192.168.107.0 192.168.107.0 netmask 255.255.255.0

static (dmz,outside) 192.168.109.0 192.168.109.0 netmask 255.255.255.0

This is assuming that the office ASA firewall is configured correctly.

If you would like to ping through the ASA, you would also need to add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

Hopefully the above should allow most of your objectives to work.
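The pieces of the accepted answer, pulled together into one added configuration example. This is not the poster's attached config and not the answerer's text; it assumes pre-8.3 ASA software (the static syntax used in the thread), interfaces named inside, dmz and outside at security levels 100, 50 and 0, the subnets from the post, the office LAN as 192.168.2.0/24 behind the router at 10.11.10.1, and a DMZ web server at 192.168.109.15 (the post's 192.169.109.15 is taken as a typo). The ACL names and the next hop of the office route are assumptions.

```text
! --- Translation ---
! Either disable the nat-control requirement entirely ...
no nat-control
! ... or keep it and give every interface pair a translation. Identity
! statics keep the real addresses and work in both directions, so they
! also satisfy the low-to-high requirement for OFFICE -> INSIDE/DMZ.
static (inside,outside) 192.168.107.0 192.168.107.0 netmask 255.255.255.0
static (dmz,outside)    192.168.109.0 192.168.109.0 netmask 255.255.255.0
static (inside,dmz)     192.168.107.0 192.168.107.0 netmask 255.255.255.0

! --- Access control ---
! Traffic from a lower to a higher security level is dropped until an
! inbound ACL on the lower interface allows it. Permit only what the
! objectives need from the office LAN (objectives 4, 5 and 6).
access-list outside_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.109.15 eq www
access-list outside_in extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.107.29 eq www
access-list outside_in extended permit udp 192.168.2.0 255.255.255.0 192.168.109.0 255.255.255.0 eq snmp
access-list outside_in extended permit udp 192.168.2.0 255.255.255.0 192.168.107.0 255.255.255.0 eq snmp
access-group outside_in in interface outside

! DMZ (50) reaching INSIDE (100) is also low-to-high; objective 3 asks
! for full access, so this ACL is deliberately permissive.
access-list dmz_in extended permit ip 192.168.109.0 255.255.255.0 any
access-group dmz_in in interface dmz

! --- ICMP inspection ---
! Without this, echo replies for pings through the ASA have no state
! entry to match and are dropped on the way back.
policy-map global_policy
 class inspection_default
  inspect icmp

! --- Routing ---
! Default route to the upstream router named in the post. The office
! route is an assumption: the ASA must know a next hop for 192.168.2.0/24.
route outside 0.0.0.0 0.0.0.0 10.11.10.1 1
route outside 192.168.2.0 255.255.255.0 10.11.10.1 1
```

WMI (objective 6) is not covered by the ACL above: it needs TCP 135 plus the dynamic RPC port range, which is a much wider opening than SNMP, so it is worth restricting to the specific monitoring host rather than the whole office subnet. Keeping nat-control on with explicit identity statics documents which interface pairs are meant to talk; "no nat-control" is quicker but removes that record.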

14 REPLIES
New Member

Re: CISCO ASA 5520 configuration isn't working

Hello halijenn,

Thanks for your reply. It's working. COOL.....

Take a bunch of Thanks.

Regards,

Didar

Cisco Employee

Re: CISCO ASA 5520 configuration isn't working

Great to hear, thanks for updating and rating.

New Member

Re: CISCO ASA 5520 configuration isn't working

You are welcome.

Now from the OFFICE_LAN firewall I'm getting INSIDE and DMZ, but from the local LAN I can't. The OFFICE_LAN side firewall IP is 192.168.2.1 and the OFFICE_LAN outside IP is 192.168.108.2, which is connected to the router (192.168.108.1).

How can I solve that? Any help?

Cisco Employee

Re: CISCO ASA 5520 configuration isn't working

Do you mean you can't connect to DMZ from Inside LAN? If that is a true statement, you need to configure the following:

static (inside,dmz) 192.168.107.0 192.168.107.0 netmask 255.255.255.0

Hope that helps.

New Member

Re: CISCO ASA 5520 configuration isn't working

INSIDE and DMZ are working smooth and fine. I am talking about OFFICE_LAN.

From OFFICE_LAN_FW, I'm getting INSIDE and DMZ, but not from OFFICE_LAN.

Cisco Employee

Re: CISCO ASA 5520 configuration isn't working

Sorry, I am a bit confused from where to where is the traffic. Can you please advise the source and destination subnet, and also share the current configuration on OFFICE_LAN_FW. Thanks.

New Member

Re: CISCO ASA 5520 configuration isn't working

INSIDE and DMZ communication is fully OK. I can reach INSIDE and DMZ from OFFICE_LAN_FW. But I can't reach INSIDE and DMZ from OFFICE_LAN.

Cisco Employee

Re: CISCO ASA 5520 configuration isn't working

Thanks for that.

Here is what needs to be configured:

static (insidelan,insideremotelan) 192.168.107.0 192.168.107.0 netmask 255.255.255.0

static (insidelan,insideremotelan) 192.168.109.0 192.168.109.0 netmask 255.255.255.0

Hope that helps.

New Member

Re: CISCO ASA 5520 configuration isn't working

It's not working

Cisco Employee

Re: CISCO ASA 5520 configuration isn't working

Please clear the xlate table, just in case it created a dynamic translation prior to the configuration: clear xlate

New Member

Re: CISCO ASA 5520 configuration isn't working

Not working

Cisco Employee

Re: CISCO ASA 5520 configuration isn't working

Do you still have the ACL configured with "permit ip any any" on all interfaces?

What about the router? Does it have a route for the OFFICE_LAN pointing towards the OFFICE_LAN_FW interface (192.168.108.2)?

New Member

Re: CISCO ASA 5520 configuration isn't working

  • ACL is only applied to the insideremotelan interface.

     access-group 121 in interface insideremotelan

  • All the necessary routes have been added in the firewall. From INSIDE and DMZ I can access everything, and reversely from the OFFICE_LAN_FW I can reach INSIDE and DMZ.
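The thread ends without a resolution, so here is an added set of verification commands (not from either participant) that answers the three questions raised above: which ACLs are applied, whether the route and translation exist, and where a flow from OFFICE_LAN is dropped. It assumes the interface names insidelan and insideremotelan from the replies above, a host 192.168.2.10 on OFFICE_LAN, and that the commands are run on OFFICE_LAN_FW, pre-8.3 software.

```text
! 1. Confirm which ACL is bound to which interface, and what ACL 121 allows.
!    An interface with no access-group applied passes only high-to-low traffic.
show running-config access-group
show access-list 121

! 2. Confirm the firewall has a route for the INSIDE and DMZ subnets and for
!    the return path to 192.168.2.0/24; a missing route fails at ROUTE-LOOKUP.
show route

! 3. Confirm the identity statics exist and no stale dynamic entry shadows them.
show running-config static
show xlate
clear xlate

! 4. Simulate the failing flow in both directions. packet-tracer prints each
!    phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) and names the one that drops.
packet-tracer input insidelan tcp 192.168.2.10 1025 192.168.107.29 80
packet-tracer input insideremotelan tcp 192.168.107.29 80 192.168.2.10 1025

! 5. If packet-tracer passes but real traffic fails, check whether packets
!    from the office LAN arrive at the firewall at all (a router-side routing
!    gap shows up here as an empty capture).
capture cap_office interface insidelan match ip 192.168.2.0 255.255.255.0 192.168.107.0 255.255.255.0
show capture cap_office
no capture cap_office
```

Running packet-tracer from the office side first is the quickest way to tell an ACL or NAT problem on the firewall apart from the router-side routing gap the Cisco employee asked about: if the trace passes every phase but the capture stays empty, the packets are not reaching 192.168.108.2 and the fix belongs on the router, not the ASA.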