Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA routing question

Customer has a T1 for internet coming into a 1700 series router. Ethernet connection goes into an ASA 5510. I have their data network connected via Eth0/2 and a guest network connected via Eth0/1. The users on the data network can access everything correctly. Users on the Guest network should not be able to access anything on the data network, except for Outlook Web Access on the Exchange server using the public address. On the data network, OWA can be accessed by the Exchange server's internal address. And on the Guest network, we want users to use the public IP address that will forward port 80 to Exchange server for OWA, just like they were on their internet at home or another site. To access OWA, users on the internet would point their browsers to which is what we would like users on the guest network to do also, but the traceroute stops at the ASA and doesn't route to where it should go.

Is this something with the NAT commands? I have attached the config.

Thanks in advance for any suggestions!



Re: ASA routing question

hello kevin,

with the present configuration, the guest users will not be able to access the OWA servers. You have configured static (inside,outside) only, and there are no statics or access-lists onto the guest interface... you need to do a static (inside,guest) and give an access-list to allow the required ports to come into the guest interface....

do this and let us know if it solves ur problem...


New Member

Re: ASA routing question


Thanks! I have it working now with the proper static and access-list commands. But, I had to call TAC due to a strange issue. All incoming mail and www traffic stopped. We upgraded to 7.2(1) code on the ASA box and if you look at the config I posted, I have a couple static(inside,outside) and matching access-lists for SMTP and WWW to go to our email server. We are using the public IP address on the outside interface. The customer has a block of 5 usable IPs, so I changed the static and access-list commands to use another public IP instead of the one I have assigned on the outside interface and everything started working again. TAC said they have seen some strange things when using static(inside,outside) commands using the same IP as the outside interface.

Anyone seen this before?

The other thing I am trying to accomplish is this:

Outside Eth0/0 interface -

Guest Eth0/1 interface -

Inside Eth0/2 interface -

Users on the internet currently use the Cisco VPN client to authenticate to local users configured on the ASA which allows them access to the network. If I have users on the Guest network that want to use the VPN client to access the Inside network, what issues should I be aware of when configuring this?



CreatePlease to create content