I am having problem with my asa 5510 forwarding outside requests to the appropriate inside servers. I included a test config file. I am replacing an older pix that is going bad and copied a lot of the information into the new config as far as access lists and nat information go. It seems as though my problems are intermittent, some things get hits sometimes on the incoming acl's and sometimes there are 0 hits. The main worry is smtp traffic although web and ftp don't work either when I have them configured. Let me know if this is vague and I will explain as well as I can. Thank you.
I would try enabling 'nat-control' on your ASA. The static and ACL entries you have look correct to me. I would also add the following configuration to your ASA for active FTP to work properly:
service-policy asa_global_fw_policy global
From your config I get the following:
You have only private IP addresses and the SMTP server is 192.168.200.137
What you need to allow traffic from a lower security interface (outside) to a higher security interface (inside) is a static statement and an ACL. I see that you have them in place for the SMTP server, but the're no rules for web or FTP.
Maybe explain a little bit more the issue that you're having so we'll see if we can help you out.
This is just a simple test config to get traffic flowing from the outside to the inside, I am using Nat(overloaded) or Pat for all normal inside outside internet connections and we have a /27 public address space we use for our servers. I had a complete config for all my server but when that didn't work I simplified it to try to get just mail working since it is most important then I will go from there. I also systematically add ACL's and I get hits on traffic going in the inside interface but 0 hits on any acl's I put for outside traffic coming in. xlate shows Pat translations are happening, but internet does not work. I have to hook this up during production, we are 24/7 so I have limited windows to make changes and test. Someone mentioned enabling nat-control also, i will try this and any other suggestions when I test it later today when production slows down. Hope this helps even though I might have rambled a little.
To get internet working through the ASA you need the following:
nat (inside) 1
global (outside) 1
To get outside traffic coming into the ASA to the inside interface you need:
access-list OUTSIDE permit .....
access-group OUTSIDE in interface outside
In other words...
Traffic should flow from the INSIDE interface to the OUTSIDE by just having
the nat and global statements appropiately. Keep in mind that if you apply an
ACL to the INSIDE interface, everything not specified in this ACL is denied
by the ASA...
Traffic should flow from the OUTSIDE interface to the INSIDE by just having the
STATIC statement and the ACLs applied to the OUTSIDE interface permitting the
I would also assume that there's another Layer 3 device in front of the ASA
doing NAT again, to translate the private IP addresses to Public IP addresses
(to get Internet to work).
Let me know if you need aditional help.
My 10.10.'s represent my public addresses in the test config I posted. Everything looks to be set up correct but im not getting any hits at all on my incoming ACL's. I slowly add more and more less secure acls hoping I will see something but nothing. Lots of hits on the inside to outside acls though. Here is the exact test config I tested on the network tonight, with and without nat-control, nothing came through to the servers and nobody could get out to the internet.
What is the outside interface of the ASA plugged into? Switch/router? Do you control it? Have you tried powercycling this device when you complete the switchover? Do you get a complete arp entry (sh arp) on the ASA for the default gateway?
Several tests that can be done:
1. Can you get to the Internet from the ASA itself? For example, can you PING 188.8.131.52 or any reachable public IP address from the ASA?
ASA(config)# ping 184.108.40.206
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
If you get Internet access from the ASA itself, we jump to the second step.
2. Check if the ASA is building the translation correctly for the inside computer that its trying to get to the Internet. For example, you're testing from computer 18.104.22.168
On the ASA, check the command:
show xlate local 22.214.171.124
That will show if it is being NATed correctly to the IP address 126.96.36.199
3. If the traffic is reaching the inside interface of the ASA, and the translation is being build, then the ASA should be sending the traffic to the outside interface. One way to test this is to temporary allow ICMP replies on the OUTSIDE interface of the ASA, and then from the INSIDE computer, try to PING 188.8.131.52 or try to PING the Internet. In this way, we can determine what the problem is...
4. For dealing with the inbound connections, let's make sure that the INSIDE networks get Internet access thorugh the ASA first....
What do you think?
Sounds good guys,
I will test these things tomorrow during downtime and get back
Also there is a router between the cloud and the asa, It is in our rack but I don't have access to it, this was all set up before I started and there is very little documentation. I will try power cylcing it, thanks.
Seems like restarting the Router in front of the ASA worked. You think it wasn't building arp tables properly or what? I'm glad it was something that simple but feel kinda dumb, haha