
Two FWs

Cisco ASA 5510. Outside NIC connected to ISP with real Internet IP addresses. Inside NIC connected to DMZ 172.17.193.0/24 with address 172.17.193.100.

Brand new clean ISA 2006 SP1. Outside NIC connected to 172.17.193.0/24 DMZ with address 172.17.193.1. Inside NIC connected to UAT 44.44.44.0/24 with address 44.44.44.109.

VPN user connects to the ASA (gets a 192.168.20.0/24 IP address). On the ASA, there is:

access-list split_tunnel_list standard permit 44.44.44.0 255.255.255.0

route inside 44.44.44.0 255.255.255.0 172.17.193.1 1

What I have now on the ISA FW policy:

1. Allow, RDP, From External, To Internal and Local host

2. Allow, All Outbound Traffic, From Internal and Local host, To External

Can 44.44.44.x browse Internet? No.

Can VPN Clients RDC 44.44.44.x devices? Yes.

Can VPN Clients RDC 44.44.44.109 (ISA)? Yes.

Can 44.44.44.x RDC 172.17.193.x devices? No.

Does anyone know if there's anything I have to make changes to on the ASA to make sure all the questions are YES?

1 ACCEPTED SOLUTION

Re: Two FWs

Do you have NAT in the ASA like:

nat (inside) 1 0 0

global (outside) 1 interface

This is for inside hosts to access the Internet.

3 REPLIES

Re: Two FWs

I have this:

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.17.193.0 255.255.255.0

Re: Two FWs

Your message gave me some clues. I had to add:

access-list inside_nat0_outbound extended permit ip 44.44.44.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 1 44.44.44.0 255.255.255.0

On a side note,

nat (inside) 1 44.44.44.0 255.255.255.0

nat (inside) 1 172.17.193.0 255.255.255.0

Can I just have nat (inside) 1 0 0 then instead of having the above 2?
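As an added illustration (not from the thread or from Cisco), here is a small Python model of the pre-8.3 ASA translation order behind the fix above and the side question: the nat 0 access-list (NAT exemption) is matched first, then the nat 1 / global pair. The sample flows, the 203.0.113.10 Internet host and the function names are constructed for the example.

```python
import ipaddress

# Added model (not ASA code) of pre-8.3 ASA translation order for a packet
# leaving "inside": NAT exemption (nat (inside) 0 access-list ...) is checked
# first, then dynamic PAT (nat (inside) 1 ... + global (outside) 1 interface).
# Constructed from the thread's config; NAT1_ANY is the proposed "nat (inside) 1 0 0".

# access-list inside_nat0_outbound extended permit ip 44.44.44.0/24 192.168.20.0/24
NAT0_ACL = [("44.44.44.0/24", "192.168.20.0/24")]
# nat (inside) 1 172.17.193.0 255.255.255.0  +  nat (inside) 1 44.44.44.0 255.255.255.0
NAT1_TWO_LINES = ["172.17.193.0/24", "44.44.44.0/24"]
# nat (inside) 1 0 0  (0.0.0.0 0.0.0.0 = any inside source)
NAT1_ANY = ["0.0.0.0/0"]


def translate(src, dst, nat0_acl, nat1_sources):
    """Return the action the ASA applies to an inside->outside flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. NAT exemption keeps real addresses, so 192.168.20.x VPN clients and
    #    44.44.44.x hosts talk directly and replies route back through the VPN.
    for src_net, dst_net in nat0_acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return "exempt"
    # 2. Dynamic PAT to the outside interface address for listed sources.
    for net in nat1_sources:
        if s in ipaddress.ip_network(net):
            return "pat-to-outside-interface"
    # 3. Nothing matched: dropped with nat-control on, else passed untranslated.
    return "no-match"


# Constructed flows: UAT host -> VPN client, UAT host -> Internet host
# (203.0.113.10 is a documentation address), DMZ host -> Internet host.
FLOWS = [("44.44.44.10", "192.168.20.5"),
         ("44.44.44.10", "203.0.113.10"),
         ("172.17.193.1", "203.0.113.10")]


def compare_variants():
    """Map each flow to (two-line result, 'nat 1 0 0' result); they should agree."""
    return {(src, dst): (translate(src, dst, NAT0_ACL, NAT1_TWO_LINES),
                         translate(src, dst, NAT0_ACL, NAT1_ANY))
            for src, dst in FLOWS}


if __name__ == "__main__":
    for flow, (two, any_) in compare_variants().items():
        print(flow, "two lines:", two, "| nat 1 0 0:", any_)
```

Running `translate` with only 172.17.193.0/24 in the nat 1 list reproduces the original symptom: 44.44.44.x hits no translation and cannot browse the Internet.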
