I have a new ASA 5520 installed, with much thanks to this group, and it's working perfectly.
I did notice one caveat that isn't quite right, and I can't figure it out, however.
When we had a Linksys as the firewall, it did NAT and DHCP for the clients and in that DHCP pool we had DNS servers specified. Same is true with the ASA; however, with the ASA, clients from within the LAN cannot resolve our own domain. We can get to every other domain in the world except our own! We need to refer to our servers as 10.0.0.x/xxx instead of domain.com etc.
Any suggestions? We do not host our own DNS, our ISP does this for us, however we could. When we did, we had other problems with PAT.
If you are using Microsoft AD DNS servers for your clients, then what I have done before is to create a primary zone for your internet domain and resolve to your RFC1918 addresses as needed. Only your lan hosts will use this so it doesn't affect anything else. There are other tricks if your servers are on a DMZ interface but you didn't mention that.
Thanks for the info. You're right, I failed to mention a few things: we really have no MS on our network and certainly no AD. Strictly a Sun Solaris infrastructure with a couple of XP laptops, that's about it. No DMZ either, strictly internal network.
Well, the MS/AD was just a common scenario where LAN hosts use an "internal" DNS server that fetches internet DNS resolution on their behalf. Is yours such a scenario, or do all LAN hosts resolve directly from internet DNS servers?
If your servers are behind the firewall and your Linksys was letting you access them via an address that resides on the outside of the firewall, then your convenience amounted to a security hole that is no longer. The only solution to your dilemma is to use an internal DNS server that will perform the lookups for your internet hosts authoritatively for only your LAN hosts and forward all other requests as I described before. Resolving directly from internet servers has many limitations besides your current situation.
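The internal-resolver setup described above, as an added example that is not from the thread: an unbound configuration that answers for domain.com with the inside 10.0.0.x addresses for LAN hosts only and forwards every other query to the ISP's resolvers. The server address 10.0.0.2, the host entries and the ISP resolver addresses are placeholders.

```conf
# unbound.conf (added example, not from the thread). Internal resolver for
# the LAN: LAN clients get the inside RFC1918 address of each server, so
# their traffic never has to hairpin through the ASA's outside interface,
# while every other name is still resolved through the ISP.
server:
    interface: 10.0.0.2            # placeholder: the inside host running unbound
    # Only LAN hosts may query; refuse everything else.
    access-control: 10.0.0.0/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Our own domain, answered locally with inside addresses.
    # "static" means names under domain.com that are not listed here
    # get NXDOMAIN instead of being forwarded to the ISP.
    local-zone: "domain.com." static
    local-data: "domain.com.      IN A 10.0.0.10"   # placeholder hosts
    local-data: "www.domain.com.  IN A 10.0.0.10"
    local-data: "mail.domain.com. IN A 10.0.0.11"
    local-data: "ns1.domain.com.  IN A 10.0.0.2"
    # Reverse entries so the inside addresses resolve back to names.
    local-data-ptr: "10.0.0.10 www.domain.com"
    local-data-ptr: "10.0.0.11 mail.domain.com"

# Everything not in domain.com is forwarded to the ISP resolvers.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53       # placeholder ISP resolver
    forward-addr: 192.0.2.54       # placeholder ISP resolver
```

The ASA's DHCP pool then hands out 10.0.0.2 as the clients' DNS server (dhcpd dns 10.0.0.2) in place of the ISP's resolvers, so LAN hosts stop receiving the public addresses that the firewall no longer lets them reach from inside.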
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...