Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Outside access to servers through asa 5510

I am having problem with my asa 5510 forwarding outside requests to the appropriate inside servers. I included a test config file. I am replacing an older pix that is going bad and copied a lot of the information into the new config as far as access lists and nat information go. It seems as though my problems are intermittent, some things get hits sometimes on the incoming acl's and sometimes there are 0 hits. The main worry is smtp traffic although web and ftp don't work either when I have them configured. Let me know if this is vague and I will explain as well as I can. Thank you.

10 REPLIES

Re: Outside access to servers through asa 5510

I would try enabling 'nat-control' on your ASA. The static and ACL entries you have look correct to me. I would also add the following configuration to your ASA for active FTP to work properly:

class-map inspection_default

match default-inspection-traffic

!

!

policy-map asa_global_fw_policy

class inspection_default

inspect ftp

!

service-policy asa_global_fw_policy global

New Member

Re: Outside access to servers through asa 5510

From your config I get the following:

You have only private IP addresses and the SMTP server is 192.168.200.137

What you need to allow traffic from a lower security interface (outside) to a higher security interface (inside) is a static statement and an ACL. I see that you have them in place for the SMTP server, but the're no rules for web or FTP.

Maybe explain a little bit more the issue that you're having so we'll see if we can help you out.

Thank you!

New Member

Re: Outside access to servers through asa 5510

Can do...

This is just a simple test config to get traffic flowing from the outside to the inside, I am using Nat(overloaded) or Pat for all normal inside outside internet connections and we have a /27 public address space we use for our servers. I had a complete config for all my server but when that didn't work I simplified it to try to get just mail working since it is most important then I will go from there. I also systematically add ACL's and I get hits on traffic going in the inside interface but 0 hits on any acl's I put for outside traffic coming in. xlate shows Pat translations are happening, but internet does not work. I have to hook this up during production, we are 24/7 so I have limited windows to make changes and test. Someone mentioned enabling nat-control also, i will try this and any other suggestions when I test it later today when production slows down. Hope this helps even though I might have rambled a little.

New Member

Re: Outside access to servers through asa 5510

To get internet working through the ASA you need the following:

nat (inside) 1

global (outside) 1

To get outside traffic coming into the ASA to the inside interface you need:

static (inside,outside)

access-list OUTSIDE permit .....

access-group OUTSIDE in interface outside

In other words...

Traffic should flow from the INSIDE interface to the OUTSIDE by just having

the nat and global statements appropiately. Keep in mind that if you apply an

ACL to the INSIDE interface, everything not specified in this ACL is denied

by the ASA...

Traffic should flow from the OUTSIDE interface to the INSIDE by just having the

STATIC statement and the ACLs applied to the OUTSIDE interface permitting the

traffic.

I would also assume that there's another Layer 3 device in front of the ASA

doing NAT again, to translate the private IP addresses to Public IP addresses

(to get Internet to work).

Let me know if you need aditional help.

New Member

Re: Outside access to servers through asa 5510

My 10.10.'s represent my public addresses in the test config I posted. Everything looks to be set up correct but im not getting any hits at all on my incoming ACL's. I slowly add more and more less secure acls hoping I will see something but nothing. Lots of hits on the inside to outside acls though. Here is the exact test config I tested on the network tonight, with and without nat-control, nothing came through to the servers and nobody could get out to the internet.

New Member

Re: Outside access to servers through asa 5510

Also here is the pix config that works perfectly when I plug it back in

Re: Outside access to servers through asa 5510

What is the outside interface of the ASA plugged into? Switch/router? Do you control it? Have you tried powercycling this device when you complete the switchover? Do you get a complete arp entry (sh arp) on the ASA for the default gateway?

New Member

Re: Outside access to servers through asa 5510

Several tests that can be done:

1. Can you get to the Internet from the ASA itself? For example, can you PING 4.2.2.2 or any reachable public IP address from the ASA?

ASA(config)# ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

!!!!!

If you get Internet access from the ASA itself, we jump to the second step.

2. Check if the ASA is building the translation correctly for the inside computer that its trying to get to the Internet. For example, you're testing from computer 192.9.200.1

On the ASA, check the command:

show xlate local 192.9.200.1

That will show if it is being NATed correctly to the IP address 66.162.124.3

3. If the traffic is reaching the inside interface of the ASA, and the translation is being build, then the ASA should be sending the traffic to the outside interface. One way to test this is to temporary allow ICMP replies on the OUTSIDE interface of the ASA, and then from the INSIDE computer, try to PING 66.162.124.1 or try to PING the Internet. In this way, we can determine what the problem is...

4. For dealing with the inbound connections, let's make sure that the INSIDE networks get Internet access thorugh the ASA first....

What do you think?

New Member

Re: Outside access to servers through asa 5510

Sounds good guys,

I will test these things tomorrow during downtime and get back

Also there is a router between the cloud and the asa, It is in our rack but I don't have access to it, this was all set up before I started and there is very little documentation. I will try power cylcing it, thanks.

New Member

Re: Outside access to servers through asa 5510

Seems like restarting the Router in front of the ASA worked. You think it wasn't building arp tables properly or what? I'm glad it was something that simple but feel kinda dumb, haha

161
Views
0
Helpful
10
Replies
CreatePlease to create content