Configuring ACL's 5520

kmcilvaine
Level 1

I am new to Cisco firewalls and am having trouble getting the ACLs to work. I have an ASA 5520 with version 7.2.2 software. I have it connected and can get to the internet, but when I configure an ACL to get my mail from the outside spam quarantine company I get no mail. I am not sure if I am doing the ACL right or not. I did one from outside IP to inside IP allowing only port 3389 to go through.

29 Replies

The static is different than the WAN IP

The static is a 1-to-1 NAT rule

Still cannot get traffic to flow correctly. If I configure the same as my current firewall nothing works. I think I'm missing something simple but just cannot figure it out.

Could you post latest config without all the extra characters that were included in your last one?

Also, it's ok to block out your external IPs with x's, but could you just change the external addresses to something we can follow throughout the config, like 64.x.x.x? That way we know you haven't flipped your statics etc.

ASA Version 7.2(2)19

!

hostname ciscoasa

Encryp

shun

domain-name fvxxc.comering of packets from un

enable password xnxxxsdsXC1MM encrypted

names

dns-guardconnect a

!p

interface GigabitEthernet0/0te-MC-Boot-Cisco-1.2t_static

nameif Wan

terminal

security-level 0f syslogging to t

ip address 65.444.444.98 255.255.255.224KE microcode: CNlite-MC-IP

test

!

interface GigabitEthernet0/1d interfacesg asdm informati

nameif Lan

security-level 100 undebug Di

ip address 10.146.4.12 255.255.255.0

no failover

!

no security-levelon to memory, netw

no ip addressl.0 0.0.0.0

!

interface Management0/0 |||

nameif managementoasa#

cis

security-level 100.0 0

cisco

ip address 192.168.1.1 255.255.255.0-19-k8.bin

timeout xlate 3:00:00

management-only

INFO:

!n

passwd 2KxxxxdU encrypted disk0:/asa722-19-k8.bin

boot system disk0:/asa722-19-k8.bin C i s c o S y

ciscoasa(con

ftp mode passive00:00 mgcp 0:05:

dns server-group DefaultDNSrsion 7.0(6)---------------

domain-name dsfff.com------------

domain-na

access-list Wan_access_in extended permit tcp host 205.333.33.36 host 10.146.4.3hxxxC1MM encryptedtware Version 7.2(2)19

names

time

dns-g

2 eq 3286

!

mtu Lan 1500local countr

mtu Wan 1500dress

no failovernterface Gi

icmp unreachable rate-limit 1 burst-size 1e

shutdown.

no nameifle timeout

asdm image disk0:/asdm-522.bin Cisc

no ip address products

no asdm history enableitEthernet0/3

arp timeout 14400m

shutdownparty

nat-controlifmport, ex

nat (Lan) 0 0.0.0.0 0.0.0.0context

no ip address

static (Lan,Wan) 65.444.444.106 10.146.4.32 netmask 255.255.255.255if management

security-level 100ors and users ar

static (Lan,Wan) 65.444.444.101 10.146.4.47 netmask 255.255.255.255

management-only and local count

!

passwd 2KdsdsfdsfsdfK

!

!

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

How are you capturing your config? It's still got a lot of extra/missing words and characters. But anyway, your ACL is wrong, and you have no access-group command to apply it. You need to use the 65. address in the ACL, not the 10. Also not sure what you are trying to allow, as it's not showing up in the config. I did this one for SMTP.

access-list Wan_access_in extended permit tcp host 205.333.33.36 host 65.444.444.106 eq smtp

access-group Wan_access_in in interface Wan

I am capturing the config with sh run and then pasting it into Notepad.

So basically, when configuring this firewall I have to think public to public, and then NAT will translate to the correct inside address?

Do I need to use the above command for the rest of the addresses, or can I put them in via the GUI?

What does the access-group Wan_access_in in interface Wan do?

Yes, when the request is coming from the Wan, it is for 65.x.x.x, it is not for 10.x.x.x. So the firewall will allow the packet, then it will be translated to the proper address. You can do them by the GUI if you wish.

"access-group Wan_access_in in interface Wan" applies the access-list Wan_access_in to the Wan interface in an inbound direction. Without this, the access-list is not applied and will not do anything.

How would you do this in the GUI?

"access-group Wan_access_in in interface Wan" applies the access-list Wan_access_in to the Wan interface in an inbound direction. Without this, the access-list is not applied and will not do anything.

You don't do it in the GUI; it should be there automatically when you create an access rule from the GUI.

Do this instead from the GUI...

File -> Show Running Configuration in New Window

Then paste the config here. For some reason your config is not right when you capture it, and it is most likely just missing the command.

interface GigabitEthernet0/0

nameif Wan

security-level 0

ip address 65.444.444.98 255.255.255.224

!

interface GigabitEthernet0/1

nameif Lan

security-level 100

ip address 10.333.3.12 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255

management-only

!

passwd xxx encrypted

boot system disk0:/asa722-19-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name 2323232.com

access-list Wan_access_in extended permit tcp any host 10.333.3.47 eq https

access-list Wan_access_in extended permit tcp host 205.333.33.36 host 65.333.333.101 eq smtp

access-list wan_access_in extended permit tcp host 207.333.33.36 host 65.444.444.106 eq 3286

access-list wan_access_in extended permit tcp any host 65.444.444.101 eq smtp

pager lines 24

logging asdm informational

mtu Wan 1500

mtu Lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

nat (Lan) 0 0.0.0.0 0.0.0.0

static (Lan,Wan) 65.444.444.106 10.333.3.32 netmask 255.255.255.255

static (Lan,Wan) 65.444.444.101 10.333.3.47 netmask 255.255.255.255

access-group wan_access_in in interface Wan

route Wan 0.0.0.0 0.0.0.0 65.444.444.97 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:1

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

Much better, thanks :)

This one is still wrong

access-list Wan_access_in extended permit tcp any host 10.333.3.47 eq https

it should be...

access-list Wan_access_in extended permit tcp any host 65.444.444.101 eq https

You have no other translation for other inside hosts to get outside. Is that what you want?
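The two mistakes called out above (an inbound ACE written against the 10.x inside address instead of the 65.x mapped address, and an access-list that is never applied with access-group) are easy to miss by eye in a long pre-8.3 config. The following audit script is an added example, not part of this thread or of any Cisco tool; it parses the static, access-list and access-group lines in the pre-8.3 syntax used here, treats the thread's obfuscated addresses as plain strings, and assumes ACL names must match exactly (case-sensitively) between access-list and access-group, which is why the mixed-case Wan_access_in / wan_access_in pair in the posted config shows up as an unapplied list.

```python
import re

# Constructed sample, modelled on the thread's second (clean) config posting.
# Addresses are the thread's own obfuscated values and are handled as strings.
SAMPLE_CONFIG = """\
access-list Wan_access_in extended permit tcp any host 10.333.3.47 eq https
access-list Wan_access_in extended permit tcp host 205.333.33.36 host 65.444.444.101 eq smtp
access-list wan_access_in extended permit tcp host 207.333.33.36 host 65.444.444.106 eq 3286
access-list wan_access_in extended permit tcp any host 65.444.444.101 eq smtp
static (Lan,Wan) 65.444.444.106 10.333.3.32 netmask 255.255.255.255
static (Lan,Wan) 65.444.444.101 10.333.3.47 netmask 255.255.255.255
access-group wan_access_in in interface Wan
"""

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
# Extended ACE with a "host" destination and an optional "eq <port>" suffix
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) \S+ (.+?) host (\S+)(?: eq \S+)?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit(config):
    """Return a list of findings for a pre-8.3 ASA config snippet."""
    mapped_for = {}   # real (inside) address -> mapped (outside) address
    aces = []         # (acl name, destination host address)
    applied = {}      # acl name -> interface it is applied to
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            mapped_for[m.group(4)] = m.group(3)
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group(1), m.group(4)))
            continue
        m = GROUP_RE.match(line)
        if m:
            applied[m.group(1)] = m.group(2)
    findings = []
    for acl, dst in aces:
        # Inbound traffic on the outside interface is seen pre-translation,
        # so an ACE must name the mapped (public) address, not the real one.
        if dst in mapped_for:
            findings.append(f"{acl}: destination {dst} is an inside address; "
                            f"inbound ACE must use the mapped address {mapped_for[dst]}")
    for acl in sorted({name for name, _ in aces}):
        if acl not in applied:  # exact (case-sensitive) name match assumed
            findings.append(f"{acl}: not applied with access-group, so it has no effect")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```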

I have many others; I just want to get one to work, and then I will understand what needs to be done. I have to fix that one above still.

My understanding from what we have done leads me to believe that I will need more public addresses, since some of mine are not NATted on my current firewall. Would this be correct?

By the way thank you so much for your help!!!

What would be the command to delete an access list?

no access-list Wan_access_in extended permit tcp any host 10.333.3.47 eq https

no access-list Wan_access_in extended permit tcp host 205.333.33.36 host 65.333.333.101 eq smtp

no access-list wan_access_in extended permit tcp host 207.333.33.36 host 65.444.444.106 eq 3286

no access-list wan_access_in extended permit tcp any host 65.444.444.101 eq smtp

"I have many others; I just want to get one to work, and then I will understand what needs to be done. I have to fix that one above still."

-That's ok, I was referring to inside host going out.

"My understanding from what we have done leads me to believe that I will need more public addresses, since some of mine are not NATted on my current firewall. Would this be correct?"

-That's hard to answer for you, as I'm not sure where you're going in the future or what you need to support now. You don't necessarily have to have 1-to-1 statics either. You could also do port translation, so you could take one outside address and have different translations for http, https, smtp, etc. all on one outside IP.

"By the way thank you so much for your help!!!"

-No problem, please rate posts if they help.
