I'm trying to replace my PIX505E with the new ASA5505; I have a single public global IP address and I'm currently using some PATS in order to allow some external access to some services provided by "internal" hosts. I also allow VPN connections on PIX (honestly both PPTP and CISCO native VPNs - but I don't use PPTP anymore).
I'm getting crazy trying to configure the ASA and porting the current PIX configuration on ASA: the biggest problem is that ASA doesn't allow the incoming external traffic to the inside LAN and I'm not able to activate it; it seems that it ignores all ACEs and all incoming packets are dropped by the implicit default rule (deny rule).
I have read that ASA by default cuts all incoming traffic and that it is not sufficient to allow it using an ACL.
I tried the same configuration on a multi global IP environment (8 public IPs) and, also there, I was NOT able to allow the incoming traffic on the public IP of the firewall; Just to be clearer:
Let's assume that my IP pool is:
188.8.131.52/29, that means:
184.108.40.206 = net
.241 = router
.242 = ASA 5505 (interface outside)
.243 to 246 = services / available
.247 = broadcast
I can allow (by ACL and STATIC) the incoming traffic on IPs from 243 to 246.
I can establish a VPN connection on the ASA IP (220.127.116.11) but all incoming traffic on IP 18.104.22.168 is dropped even if ACLs are set.
Can someone help me? How can I allow the incoming traffic with a single global IP? Could you please provide a sample configuration where IP address of outside interface is 22.214.171.124/30, the router IP is 126.96.36.199 and I can forward the incoming traffic on port 80 to the internal host with IP address 192.168.1.1 on LAN (inside) interface?
Really many many thanks! It was making me crazy. Even if it makes sense (on ASA the interface concept is different than on Pix), I didn't suppose it was the problem; also I didn't imagine that it could "translate" the Pix configuration in a bad way; now I understand why I didn't find posts asking for the same problem (thousands of people should have the same issue..).
You have made me a big gift and I really appreciated your great and valued support.
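A configuration matching the request in the question (port 80 on the ASA's own outside address forwarded to 192.168.1.1), as an added example that is not taken from the thread. The ACL name `outside_access_in`, the object name `WEB-SERVER`, the `<outside-ip>` placeholder and the test source address 198.51.100.10 are assumptions; the two variants are alternatives, chosen by software version.

```cisco
! --- Variant A: ASA software before 8.3 (PIX-style static) ---
! The keyword "interface" stands for the outside interface address.
! A static written against the literal outside IP does not do the same job
! when that IP is the firewall's own interface address.
static (inside,outside) tcp interface www 192.168.1.1 www netmask 255.255.255.255
! The ACL matches the translated (public) destination, again via "interface".
access-list outside_access_in extended permit tcp any interface outside eq www
access-group outside_access_in in interface outside

! --- Variant B: ASA software 8.3 and later (object NAT) ---
object network WEB-SERVER
 host 192.168.1.1
 nat (inside,outside) static interface service tcp www www
! From 8.3 on, the ACL matches the real (inside) address, not the public one.
access-list outside_access_in extended permit tcp any host 192.168.1.1 eq www
access-group outside_access_in in interface outside

! --- Check, either variant (exec mode, not configuration) ---
! Simulates an inbound packet and lists the phase (ACL, NAT, ...) that drops it.
! 198.51.100.10 is a constructed source; replace <outside-ip> with the ASA's
! outside interface address.
packet-tracer input outside tcp 198.51.100.10 12345 <outside-ip> 80
```

Only the single forwarded port is opened; the implicit deny on the outside interface still drops everything else.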