help me in configure asa 5540

  • help me in configure asa 5540

    Hello to the best forum and all its members.
    I bought a Cisco ASA 5540.
    I have a Cisco 2811 router with the static IP
    84.219.22.96/30
    and NAT (PAT) configured on it to connect to the internet,
    and I have
    84.219.22.80/29 for the Exchange server.

    I want to configure the ASA behind the router,
    I mean, leave all the configuration on the Cisco router.
    When I configure the outside and inside LAN, all is OK,
    but all PCs connected on the inside interface of the ASA 5540 cannot access the internet,
    and also cannot ping from a PC to the IP on the outside interface. I permit ICMP in the service policy and ICMP inspection,
    but I mean there is no connection at all, not only no ping.
    Can anyone help me with this?

  • #2
    Re: help me in configure asa 5540

    Can you post some sanitized configs of these devices? IMO I would do NAT on the ASA. I'm also not sure what IP scheme you are using on the router or the ASA. It would really help to see configs if possible, or at least post the IP addressing on these interfaces, maybe with a diagram etc.

    Wouldn't think nat-control would be an issue here as it is turned off on anything 8.0, but again I cannot tell without a config.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: help me in configure asa 5540

      First, thank you.
      Can you post a basic configuration for this scenario?
      My problem: no traffic between inside and outside.
      My problem: no internet access from the inside interface.
      Best regards,
      and thanks again.
      I ran this command:
      no nat-control



      • #4
        Re: help me in configure asa 5540

        Without configs on both devices there isn't much I can do but guess where the problem is. Please post sanitized configs.

        Could be access-lists, NAT not configured right, interfaces down etc.

        Do you have basic connectivity between the ASA and the upstream router? Do your LAN hosts have connectivity to the ASA? Are your ports in the correct VLANs for that subnet?

        You need to start with the basics before configuring anything advanced.
        Last edited by auglan; 17th April 2012, 18:20.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: help me in configure asa 5540

          config t
          interface g0/0
          nameif outside
          ip address 192.168.193.3 255.255.255.0
          no sh
          interface g0/1
          nameif inside
          ip add 192.168.191.1 255.255.255.0
          no sh
          --
          nat
          nat (inside) 1 192.168.191.0 255.255.255.0
          global (outside) 1 interface
          no nat-control
          hostname Global-Firewall
          domain-name GlobalInvestment
          fixup protocol dns maximum-length 512
          fixup protocol ftp 21
          fixup protocol h323 h225 1720
          fixup protocol h323 ras 1718-1719
          fixup protocol http 80
          fixup protocol rsh 514
          fixup protocol rtsp 554
          fixup protocol sip 5060
          fixup protocol sip udp 5060
          fixup protocol skinny 2000
          fixup protocol smtp 25
          exit
          http server enable
          username cisco password cisco privilege 15
          http 0.0.0.0 0.0.0.0 inside
          route outside 0.0.0.0 0.0.0.0 192.168.193.2

          Link to the diagram, made in Packet Tracer:

          http://www.mediafire.com/?4xo3z2goszogcf1
          Kind regards



          • #6
            Re: help me in configure asa 5540

            Well, it looks like you are running PAT on the ASA. I thought in your original post that you were running NAT on the router? Can you clarify? Would be nice to see a config of the router as well.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: help me in configure asa 5540

              Originally posted by auglan:
              Well, it looks like you are running PAT on the ASA. I thought in your original post that you were running NAT on the router? Can you clarify? Would be nice to see a config of the router as well.
              Yes, I just want to allow internet access and allow the Exchange 2010 mail server to receive and send.
              The router also has NAT (PAT),
              and all was working fine before putting in the ASA.
              I don't have the router configuration right now.
              Can you help me by pasting the complete, correct configuration for the ASA in my scenario?
              Because I think it is an access-list problem or missing configuration on the ASA.
              Best regards for helping me, and many thanks again for trying to help me.



              • #8
                Re: help me in configure asa 5540

                If it were me I would remove the NAT config on the router. Then use PAT on the ASA. You would need to apply your public IPs on the outside interface of the ASA and also on the upstream router. You would also need routes for your internal servers, but the routes will be for your public IP range on the upstream router with a next hop of the ASA's outside interface. Change the default route on the ASA to point to the new IP on the router. Then configure your statics for your servers and set up any access control. You will need access-lists for traffic originating from the outside coming in on the ASA's outside interface. I would also apply an ACL for traffic coming inbound on the router's outside interface. Your internal hosts can PAT off the outside interface of the ASA.

                I would also consider creating a DMZ on the ASA on its own VLAN for your servers. Internet traffic should never be able to get to your internal network. Then you can create static NATs for the DMZ hosts. Apply a security level of 50 on the DMZ interface as well. This way traffic on your internal LAN will be able to reach the servers on the DMZ without any ACLs. If your servers in the DMZ need to initiate communication with your hosts on the internal LAN, then you would need to apply ACLs on the DMZ to allow the traffic through to the internal LAN.


                Other options would be to ditch the upstream router and just use the ASA as your edge device, if possible.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)



                • #9
                  Re: help me in configure asa 5540

                  I cannot remove the router.
                  I want
                  lan------------ asa ---------router-------internet
                  This is required of me.
                  And the DMZ I have already made, security level 50,
                  and inside 100,
                  outside 0.
                  But the problem now is that I have to give all the LAN access to the internet behind the firewall and router.
                  Thanks again for trying to help.



                  • #10
                    Re: help me in configure asa 5540

                    I didn't say you had to remove the router. That is an option though. If you read my first statement from the last post, I suggested you take the NAT configuration off of the router and let the ASA handle NAT. There is no reason for both devices to do NAT. Remove the NAT config from the router and make the changes I mentioned. I am assuming you are running NAT on the router, as I haven't seen a config of the router. If you can't produce a config for the router, there isn't much I can help with, as I only see one piece of the puzzle. If you are not comfortable making these changes (and it doesn't look like you are), then I suggest hiring a consultant to help.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)



                    • #11
                      Re: help me in configure asa 5540

                      router#sh
                      router#show run
                      router#show running-config
                      Building configuration...
                      Current configuration : 6218 bytes
                      !
                      version 15.0
                      service timestamps debug datetime msec
                      service timestamps log datetime msec
                      no service password-encryption
                      !
                      hostname router
                      !
                      boot-start-marker
                      boot-end-marker
                      !
                      logging buffered 51200 warnings
                      !
                      no aaa new-model
                      !
                      no ipv6 cef
                      ip source-route
                      ip cef

                      ip dhcp pool Internet
                      network 192.168.193.0 255.255.255.0
                      default-router 192.168.193.2
                      dns-server 84.235.6.xx 84.235.57.xxx
                      lease infinite
                      ip domain name hosted.net.sa
                      ip name-server 84.235.6.xx
                      ip name-server 84.235.57.xxx
                      multilink bundle-name authenticated
                      crypto pki trustpoint TP-s
                      enrollment selfsigned
                      subject-name cn=IOS-Self-Signed-Certificate-4038588294
                      revocation-check none
                      rsakeypair TP-self-signed-4038588294
                      crypto pki certificate chain TP-self-signed-4038588294
                      certificate self-signed 01
                      3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
                      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
                      69666963 6174652D 34303338 35383832 3934301E 170D3131 30393037 31303535
                      34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 0313
                      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30333835
                      38383239 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
                      8100B026 8B479786 27010FB7 C47A39BB 3563AFD5 437FFB78 C1F1456A 82691CC9
                      CE3B4F97 B1D62C35 9E8AF0D1 3BF4B6C2 164705D5 1A41E85E 99B82F97 0E2BB08D
                      334A5172 ACDC16D6 66B1F2FF 8D579642 F15F4560 3E064E40 5FE83AA8 C6363E06
                      7A37355A CBBC2A81 A3786FEA 7125DA64 B74E7082 20834C8A EA81A2B7 32EC1048
                      7D0B0203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 302106
                      551D1104 1A301882 164E616A 72616E4D 4F492E73 61756469 2E6E6574 2E736130
                      1F060355 1D230418 30168014 4E6C9815 D28A155B 0D8CB718 CCE74CE2 58D68621
                      301D0603 551D0E04 1604144E 6C9815D2 8A155B0D 8CB718CC E74CE258 D6862130
                      0D06092A 864886F7 0D010104 05000381 8100540A 521F52E2 F16C92CE E3A457E8
                      872D998E E702075A 8383D506 EC9A3207 36C1351F BA3A0676 1491D6C8 33C35B54
                      B733FC86 78B0B7A9 AB4DFB5D 7F495B94 62945799 724CF137 2D5CF0BB 629DBBD2
                      CCD13350 FED2676B 994983CD 85CAA52E 9CC7A08F 3F8DBBF8 EB6641FF 39D765
                      2B1A0051 3BCDFA32 DF12A97D 6641B29D 78BA
                      quit
                      license udi pid C3900-SPE100/K9 sn FOC15074HMG
                      !
                      !
                      username cisco privilege 15 secret 5 $1$bBcM$DG8ZzlbJPMbKIGwsswNSN1
                      !
                      interface GigabitEthernet0/0
                      description NJRNJNAD-RYAD16_34 DIA1
                      no ip address
                      ip virtual-reassembly
                      duplex full
                      speed auto
                      no keepalive
                      !
                      interface GigabitEthernet0/0.3130
                      description NJRNJNAD-RYAD16_34 DIA1
                      encapsulation dot1Q 3130
                      ip address 84.235.40.xx 255.255.255.252
                      ip nat outside
                      ip virtual-reassembly
                      !
                      interface Gigab
                      description "Connection to internal LAN"
                      ip address 192.168.193.2 255.255.255.0
                      ip nat inside
                      ip virtual-reassembly
                      duplex full
                      speed auto
                      media-type rj45
                      no keepalive
                      no cdp enable
                      !
                      interface GigabitEthernet0/2
                      no ip address
                      shutdown
                      duplex auto
                      speed auto
                      no ip forward-protocol nd
                      ip http server
                      ip http access-class 23
                      ip http authentication local
                      ip http secure-server
                      ip http timeout-policy idle 60 life 86400 requests 10000
                      ip nat pool smtp_nat 84.235.81.xx 84.235.81.xx netmask 255.255.255.248
                      ip nat inside source list 101 interface GigabitEthernet0/0.3130 overload
                      ip nat inside source list 102 pool smtp_nat overload
                      ip nat inside source static tcp 192.168.193.3 25 84.235.81.xx 25 extendable
                      ip nat inside source static tcp 192.168.193.3 80 84.235.81.xx 80 extendable
                      ip nat inside source static tcp 192.168.193.3 443 84.235.81.xx 443 extendable
                      ip nat inside source static tcp 192.168.193.3 587 84.235.81.xx 587 extendable
                      ip route 0.0.0.0 0.0.0.0 84.235.40.x
                      ip route 10.64.0.0 255.255.0.0 192.168.193.3
                      !
                      access-list 23 permit 10.10.10.0 0.0.0.7
                      access-list 101 deny tcp host 192.168.193.3 any eq smtp
                      access-list 101 deny tcp host 192.168.193.3 any eq 587
                      access-list 101 permit ip 192.0.0.0 0.255.255.255 any
                      access-list 102 permit tcp host 192.168.193.3 any eq smtp
                      access-list 102 permit tcp host 192.168.193.3 any eq 587
                      access-list 102 deny ip any any
                      !
                      !
                      !
                      control-plane
                      !
                      banner exec ^C
                      % Password expiration warning.
                      -----------------------------------------------------------------------
                      exit
                      this session.

                      It is strongly suggested that you create a new username with a privilege level
                      of 15 using the following command.

                      username <myuser> privilege 15 secret 0 <mypassword>

                      Replace <myuser> and <mypassword> with the username and password you want to
                      use.


                      line con 0
                      login local
                      line aux 0
                      line vty 0 4
                      access-class 23 in
                      privilege level 15
                      password cisco
                      login local
                      transport input telnet
                      line vty 5 15
                      access-class 23 in
                      privilege level 15
                      login local
                      transport input telnet ssh
                      !
                      scheduler allocate 20000 1000
                      end

                      router#
                      This is the configuration for the router.



                      • #12
                        Re: help me in configure asa 5540

                        Originally posted by loverzizo:
                        (router running-config quoted from post #11 above, omitted here)
                        The ASA configuration:

                        ---------------
                        : Saved
                        : Written by enable_15 at 02:02:15.239 UTC Wed Apr 18 2012
                        : Call-home enabled from prompt by enable_15 at 00:42:06 UTC Apr 18 2012
                        !
                        ASA Version 8.2(5)
                        !
                        hostname fwcicso
                        domain-name server
                        enable password 8Ry2YjIyt7RRXU24 encrypted
                        passwd 2KFQnbNIdI.2KYOU encrypted
                        names
                        name 192.168.193.3 outside description nat
                        !
                        interface GigabitEthernet0/0
                        nameif outside
                        security-level 0
                        ip address outside 255.255.255.0
                        !
                        interface GigabitEthernet0/1
                        nameif inside
                        security-level 100
                        ip address 192.168.191.1 255.255.255.0
                        !
                        interface GigabitEthernet0/2
                        shutdown
                        no nameif
                        no security-level
                        no ip address
                        !
                        interface GigabitEthernet0/3
                        shutdown
                        no nameif
                        no security-level
                        no ip address
                        !
                        interface Management0/0
                        nameif management
                        security-level 100
                        ip address 192.168.1.1 255.255.255.0
                        management-only
                        !
                        boot system disk0:/asa825-k8.bin
                        ftp mode passive
                        dns server-group DefaultDNS
                        name-server 4.4.4.4
                        domain-name server
                        same-security-traffic permit inter-interface
                        same-security-traffic permit intra-interface
                        object-group service DM_INLINE_SERVICE_1
                        service-object icmp echo-reply
                        service-object tcp eq echo
                        service-object tcp eq www
                        service-object tcp eq https
                        service-object tcp eq smtp
                        object-group service DM_INLINE_TCP_1 tcp
                        port-object eq www
                        port-object eq https
                        port-object eq smtp
                        object-group service DM_INLINE_SERVICE_2
                        service-object icmp echo
                        service-object icmp echo-reply
                        service-object tcp eq www
                        service-object tcp eq https
                        service-object tcp eq smtp
                        ccess-list OUTSIDE extended permit ip any any
                        access-group OUTSIDE in interface outside
                        access-list INSIDE_nat0_outbound extended permit ip any any
                        access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.191.0 255.255.255.0 192.168.193.0 255.255.255.0
                        access-list inside_access_in extended permit ip 192.168.191.0 255.255.255.0 192.168.193.0 255.255.255.0
                        access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 any host outside
                        access-list outside_access_in extended permit tcp any 192.168.191.0 255.255.255.0 object-group DM_INLINE_TCP_1
                        access-list no-nat standard permit any
                        pager lines 24
                        logging asdm informational
                        mtu management 1500
                        mtu inside 1500
                        mtu outside 1500
                        no failover
                        icmp unreachable rate-limit 1 burst-size 1
                        asdm location outside 255.255.255.255 inside
                        no asdm history enable
                        arp timeout 14400
                        global (outside) 1 interface
                        nat (inside) 1 192.168.191.0 255.255.255.0 dns
                        access-group inside_access_in in interface inside
                        access-group outside_access_in in interface outside
                        route outside 0.0.0.0 0.0.0.0 outside 1

                        timeout xlate 3:00:00
                        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
                        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
                        timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

                        timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
                        timeout tcp-proxy-reassembly 0:01:00
                        timeout floating-conn 0:00:00
                        dynamic-access-policy-record DfltAccessPolicy
                        http server enable
                        http 192.168.1.0 255.255.255.0 management
                        no snmp-server location
                        no snmp-server contact
                        crypto ipsec security-association lifetime seconds 28800
                        crypto ipsec security-association lifetime kilobytes 4608000
                        crypto ca trustpoint _SmartCallHome_ServerCA
                        crl configure
                        crypto ca certificate chain _SmartCallHome_ServerCA
                        telnet timeout 5
                        ssh timeout 5
                        console timeout 0
                        dhcpd address 192.168.1.2-192.168.1.254 management
                        dhcpd enable management
                        !
                        threat-detection basic-threat
                        threat-detection statistics access-list
                        no threat-detection statistics tcp-intercept
                        webvpn
                        username ciscox password wjo38N3qjbkMNQ/7 encrypted privilege 15
                        !
                        class-map inspection_default
                        match default-inspection-traffic
                        !
                        !
                        policy-map type inspect dns preset_dns_map
                        parameters
                        message-length maximum client auto
                        message-length maximum 512
                        policy-map global_policy
                        class inspection_default
                        inspect dns preset_dns_map
                        inspect ftp
                        inspect h323 h225
                        inspect h323 ras
                        inspect rsh
                        inspect rtsp
                        inspect esmtp
                        inspect sqlnet
                        inspect skinny
                        inspect sunrpc
                        inspect xdmcp
                        inspect sip
                        inspect netbios
                        inspect tftp
                        inspect ip-options
                        inspect icmp
                        inspect icmp error
                        !
                        service-policy global_policy global
                        prompt hostname context
                        call-home reporting anonymous
                        Cryptochecksum:d208bf91538cd8ff97172fddc766f5f2
                        : end
---------
Problem: I cannot access from the internet.



                        • #13
                          Re: help me in configure asa 5540

Like I said previously, you are NATing on the ASA and then again on the router. Is there any reason for this?

If this were my network and you had to keep the router in place, I would assign public IPs to my outside ASA interface and to the inside router interface. Then apply another public IP to your outside interface connecting to your provider. This way you can NAT on the ASA to the "public IP space" and just use the router as a conduit between you and your ISP. You can even set up ZBF or CBAC on the router for added security. So if you have the available IPs, that's the way I would do it. As long as you're routing correctly to your public IP space on the router you will be fine.

The other option would be to remove the NAT config on the ASA and just let the router handle NAT. This way you don't have to change much at all on any device. There is no reason for a double NAT, which is what you're doing now. I would also temporarily remove any ACLs on the ASA to rule out any traffic getting filtered. Once you know it's working you can build onto the config.

I have to say your configs are a mess. You have a lot of config, such as access-lists, not applied anywhere. Your use of object-groups is very confusing. Basically it tells me that you're not really comfortable with this configuration. Is this for a production network? If so, I suggest hiring a consultant.


With that being said, are your hosts getting DHCP from the ASA? I see DHCP running on the router and the ASA; this is why I ask. You don't need both. I would remove DHCP from the router and run it on the ASA, a local server, etc. Also, why is your management interface handing out DHCP to your clients? The management interface is used for just that: "management". It does not route traffic. So if your clients are getting DHCP from the management interface with the management interface as their default gateway, then it's not going to pass any traffic through that interface. Move the dhcpd pool to your inside interface. This may be part of the problem. You didn't say if the hosts were getting DHCP or running static, so I am guessing here.
                          Last edited by auglan; 21st April 2012, 14:27.
                          CCNA, CCNA-Security, CCNP
                          CCIE Security (In Progress)



                          • #14
                            Re: help me in configure asa 5540

The other option would be to remove the NAT config on the ASA and just let the router handle NAT. This way you don't have to change much at all on any device. There is no reason for a double NAT, which is what you're doing now. I would also temporarily remove any ACLs on the ASA to rule out any traffic getting filtered. Once you know it's working you can build onto the config.
Can you explain more?
I have 2 interfaces on the ASA. One has this subnet, 192.168.193.3/24,

and the other 192.168.191.1/24.
OK,
can you explain: if I make it without NATing, will LAN 192.168.193.0/24 have access to the internet?
And the other thing: I made a network object to try, and an access-list also,
and forgot to remove it.
So,
I don't have DHCP on the ASA, and the dhcp_pool for management is the default on the ASA.



                            • #15
                              Re: help me in configure asa 5540

192.168.191.1/24 is for your inside hosts.

192.168.193.3/24 is for your outside interface. This should be on the same subnet and VLAN as your router.


When traffic is coming from your inside subnet 192.168.191.1/24 going to the internet, the ASA will use the default route and route it to your upstream router. The router will then translate per your NAT rules and use its default route out to your ISP/Internet.

You are still NATing, but the router is doing it instead of the ASA. With newer ASA code you don't have to NAT for traffic to pass through the ASA. NAT control should be turned off by default. Instead the router is NATing your private IP space to your public IP space.
                              CCNA, CCNA-Security, CCNP
                              CCIE Security (In Progress)
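Putting the second option (no NAT on the ASA, the 2811 keeps doing PAT) together in one place, as an added example that is not from anyone in this thread and not the original poster's config. It uses the addresses given above (ASA inside 192.168.191.1/24, ASA outside 192.168.193.3/24); the router's LAN-side address 192.168.193.1, the interface slot names, the public-address placeholder A.B.C.D / MASK and the DNS server 8.8.8.8 are all assumptions you must replace with your own values.

```cisco
! ===== ASA 5540: pass traffic untranslated, route everything to the router =====
! Interface names are assumed; check with "show interface ip brief".
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.193.3 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.191.1 255.255.255.0
!
! Default on 8.x code, made explicit: untranslated traffic may cross the ASA.
no nat-control
!
! Default route toward the router's LAN address (192.168.193.1 is an assumption).
route outside 0.0.0.0 0.0.0.0 192.168.193.1 1
!
! Move the DHCP pool off the management interface (it does not forward traffic)
! and onto inside. The ASA hands out the inside interface address as the gateway.
no dhcpd enable management
no dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.191.10-192.168.191.200 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside

! ===== Cisco 2811: PAT stays here (interface names assumed) =====
interface FastEthernet0/0
 description LAN side, same subnet as the ASA outside interface
 ip address 192.168.193.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description ISP uplink; A.B.C.D MASK stands for your public address
 ip address A.B.C.D MASK
 ip nat outside
!
! Return route for the subnet behind the ASA. Without it the router has no path
! back to 192.168.191.0/24 and hosts see "no connection", not even ping.
ip route 192.168.191.0 255.255.255.0 192.168.193.3
!
! The PAT source list must include the subnet behind the ASA, not only the
! transit subnet the router sees directly.
ip access-list standard NAT_INSIDE
 permit 192.168.191.0 0.0.0.255
 permit 192.168.193.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface FastEthernet0/1 overload
```

Checks after applying it: on the ASA, `packet-tracer input inside icmp 192.168.191.50 8 0 8.8.8.8` should finish with ALLOW and no NAT phase, and `show xlate` should stay empty; on the router, `show ip route 192.168.191.0` must return the static route above and `show ip nat translations` should list 192.168.191.x entries once an inside host pings out. If the router already had working PAT for the transit subnet, the two pieces most often missing are the return route and the extra `permit` line in the NAT access-list.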
