
New Member

Need help in ASA5550 configuration

Dear all,

Can anyone tell me where I am going wrong in the attached config?

I just need to send all traffic destined to the 164.100.80.121 and 164.100.80.122 servers (please refer to the attached diagram) from our LAN (192.168.0.0/24 and 172.16.0.0/24) via the PTP link connected to the ASA 5550.

I am able to ping the 164.100.80.121 and .122 servers from the firewall, but not from my LAN. From the LAN I am able to ping the firewall (172.16.0.4).

I am making some mistake in my ASA 5550 firewall configuration; can anyone please have a look at the attached config and help me see where I am going wrong?

Thanks in advance,

Raghavendra

2 REPLIES
New Member

Need help in ASA5550 configuration

Just for starters - Anytime you create an access-list on a PIX (or ASA) the appliance will AUTOMATICALLY add a DENY IP ANY ANY as the last statement in that access-list. Even if you do not see it - it is there.

Next - it appears that you are using an IN to OUT access-list for PERMIT statements. Typically an IN to OUT access-list is used for DENY statements (traffic you don't want to escape from your network, blocked destinations etc.). So the way I read your config - this looks totally backward to me.

3rd - It also appears that you have the device placed between 2 private networks - Is that correct? Maybe this is what you intended to do - but typically an ASA is an edge device that prevents the OUTSIDE world (Internet bad stuff) from getting to your INSIDE private network (good stuff).

If none of this applies - maybe a network diagram might be of help to see what you are trying to accomplish.

New Member

Need help in ASA5550 configuration

Thank you Nagel,

Comments inline:

Just for starters - Anytime you create an access-list on a PIX (or ASA) the appliance will AUTOMATICALLY add a DENY IP ANY ANY as the last statement in that access-list. Even if you do not see it - it is there.

==>> I need to permit only the object-group defined in my config, so it looks fine to me.

Next - it appears that you are using an IN to OUT access-list for PERMIT statements. Typically an IN to OUT access-list is used for DENY statements (traffic you don't want to escape from your network, blocked destinations etc.). So the way I read your config - this looks totally backward to me.

==>> But in my case I need to permit only the IPs defined in the object group to access the 164.100.X.X IPs, and deny all the rest, so to me it looks fine! Correct me if I am wrong.

3rd - It also appears that you have the device placed between 2 private networks - Is that correct? Maybe this is what you intended to do - but typically an ASA is an edge device that prevents the OUTSIDE world (Internet bad stuff) from getting to your INSIDE private network (good stuff).

==>> Yes, we want to use an existing ASA5550 for this purpose; I want this firewall to just work as a router, allowing only the interesting traffic.

If none of this applies - maybe a network diagram might be of help to see what you are trying to accomplish.

==>> At this point all users in the LAN are accessing the 164.100.80.X servers in the DC via the internet. Now we have bought a new leased line which connects our office directly to the DC; I just need to terminate this new leased line on this ASA 5550 and send all traffic meant for 164.100.X.X via this leased line.

Thanks,

Raghavendra
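The setup the thread describes (an object-group naming the two DC hosts, an access-list applied inbound on the inside interface that relies on the implicit deny, and the leased line as the path for 164.100.x.x), written out as an added illustrative ASA configuration. This is not the poster's attached config and not the reply author's text. Only the LAN ranges, the inside address 172.16.0.4 and the two server addresses come from the thread; the interface names, the PTP /30 addressing (10.10.10.0/30), the far end of the link (10.10.10.2), the LAN router (172.16.0.1) and the pre-8.3 software release are assumptions made for the example.

```cisco
! Added example config, not the config attached to the original post.
! Assumed: ASA 8.2-style syntax, interface names, 10.10.10.0/30 on the
! leased line, 10.10.10.2 as the DC-side next hop, 172.16.0.1 as the
! router that fronts 192.168.0.0/24.
hostname ASA5550-DC-LINK
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 172.16.0.4 255.255.255.0
!
interface GigabitEthernet0/1
 nameif ptp
 security-level 50
 ip address 10.10.10.1 255.255.255.252
!
! Only the two DC hosts and the two LAN ranges are named. Anything that
! does not match the single permit line hits the implicit "deny ip any any"
! at the end of the ACL, which is the behaviour the poster wants.
object-group network DC-SERVERS
 network-object host 164.100.80.121
 network-object host 164.100.80.122
!
object-group network LAN-NETS
 network-object 192.168.0.0 255.255.255.0
 network-object 172.16.0.0 255.255.255.0
!
access-list INSIDE-IN extended permit ip object-group LAN-NETS object-group DC-SERVERS
! (implicit, not shown by "show run": access-list INSIDE-IN deny ip any any)
access-group INSIDE-IN in interface inside
!
! Steer the whole 164.100.0.0/16 range over the leased line (the poster
! says "all traffic meant for 164.100.X.X"). 192.168.0.0/24 is not directly
! connected to the ASA, so a return route to it is needed as well;
! without one the echo replies from the DC have nowhere to go.
route ptp 164.100.0.0 255.255.0.0 10.10.10.2 1
route inside 192.168.0.0 255.255.255.0 172.16.0.1 1
!
! Box acts as a router, no translation across the leased line (assumed).
! On pre-8.3 code, leaving nat-control enabled with no NAT rule for inside
! hosts silently drops their traffic while the ASA's own pings still work.
no nat-control
!
! Let ICMP echo replies back in statefully instead of needing an ACL on ptp.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

The symptom in the thread (pings succeed from the ASA but not from LAN hosts, while LAN hosts can ping 172.16.0.4) is the classic pattern for one of three things a practitioner would check first against the real config: a missing return route for the non-connected 192.168.0.0/24 range, a NAT requirement that the ASA's own locally sourced traffic bypasses (nat-control on pre-8.3 code, or a NAT rule on 8.3+ that does not cover the LAN ranges), or ICMP replies being dropped because `inspect icmp` is not enabled and no ACL on the ptp side admits them. `packet-tracer input inside icmp 192.168.0.10 8 0 164.100.80.121` on the ASA will show which phase drops the packet.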
