jvpgr
IS-IT--Management
- Nov 7, 2008
- 6
Hi all,
I need to connect an ASA 5510 through an ADSL router to the Internet in such a way that the internal web and mail servers are accessible from
the outside. Right now there are no problems accessing the outside zone (Internet) from the inside, but I have had no success with the opposite.
Any help would be greatly appreciated!
the network layout is as follows
INTERNET -- x.x.181.68-ADSL-192.168.2.1 -- 5510-192.168.2.2
for the outside interface, and
192.168.1.241-5510---192.168.1.254 www
|--192.168.1.252 pop3/imap4
|--192.168.1.142 - 192.168.1.250 workstations
Apart from the x.x.181.68 static IP there is another pool of 8 static IPs, of which x.x.140.60 corresponds to the web server and x.x.140.59 to the email server.
the current configuration of the 5510 is
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/3
nameif Inside3
security-level 100
ip address 192.168.1.241 255.255.255.240
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.240
management-only
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside1
dns domain-lookup Inside2
dns domain-lookup Inside3
dns name-server 192.168.2.1
dns name-server 193.92.150.3
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host 192.168.1.252 eq 25
access-list 100 extended permit tcp any host 192.168.1.252 eq 110
access-list 100 extended permit tcp any host 192.168.1.252 eq 143
access-list 100 extended permit tcp any host 192.168.1.254 eq 80
!
tcp-map mss-map
exceed-mss allow
!
tcp-map opmap
check-retransmission
checksum-verification
exceed-mss allow
!
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside1 1500
mtu Inside2 1500
mtu Inside3 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside1
monitor-interface Inside2
monitor-interface Inside3
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside1) 1 192.168.1.0 255.255.255.0
nat (Inside2) 1 192.168.1.0 255.255.255.0
nat (Inside3) 1 192.168.1.0 255.255.255.0
static (Inside3,Outside) tcp x.x.140.60 80 192.168.1.254 80 netmask 255.255.255.255
static (Inside3,Outside) tcp x.x.140.59 25 192.168.1.252 25 netmask 255.255.255.255
static (Inside3,Outside) tcp x.x.140.59 110 192.168.1.252 110 netmask 255.255.255.255
static (Inside3,Outside) tcp x.x.140.59 143 192.168.1.252 143 netmask 255.255.255.255
access-group 100 in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.240 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.18-192.168.1.30 Inside1
dhcpd address 192.168.1.34-192.168.1.46 Inside2
dhcpd address 192.168.1.242-192.168.1.254 Inside3
dhcpd address 192.168.1.2-192.168.1.14 management
dhcpd dns 192.168.2.1 193.92.150.3
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config Outside
dhcpd enable Inside1
dhcpd enable Inside2
dhcpd enable Inside3
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:333398fceae822750f40077386cb3867
: end
apart from the pairs:
static (Inside3,Outside) tcp x.x.140.60 80 192.168.1.254 80 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 80
static (Inside3,Outside) tcp x.x.140.59 25 192.168.1.252 25 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.252 eq 25
static (Inside3,Outside) tcp x.x.140.59 110 192.168.1.252 110 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.252 eq 110
static (Inside3,Outside) tcp x.x.140.59 143 192.168.1.252 143 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.252 eq 143
I have also tried
static (Inside3,Outside) tcp x.x.140.60 80 192.168.1.254 80 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.60 eq 80
static (Inside3,Outside) tcp x.x.140.59 25 192.168.1.252 25 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 25
static (Inside3,Outside) tcp x.x.140.59 110 192.168.1.252 110 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 110
static (Inside3,Outside) tcp x.x.140.59 143 192.168.1.252 143 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 143
and
static (Inside3,Outside) tcp interface 80 192.168.1.254 80 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.60 eq 80
static (Inside3,Outside) tcp interface 25 192.168.1.252 25 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 25
static (Inside3,Outside) tcp interface 110 192.168.1.252 110 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 110
static (Inside3,Outside) tcp interface 143 192.168.1.252 143 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 143
or
static (Inside3,Outside) tcp interface 80 192.168.1.254 80 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 80
static (Inside3,Outside) tcp interface 25 192.168.1.252 25 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 25
static (Inside3,Outside) tcp interface 110 192.168.1.252 110 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 110
static (Inside3,Outside) tcp interface 143 192.168.1.252 143 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 143
but with no success.
Please help!!
any help would be most highly appreciated.
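Added example (an editor's illustration, not part of jvpgr's post or a reply in the thread). Two things about the posted setup decide whether inbound connections can ever work. First, the ASA's Outside interface is 192.168.2.2 on a private segment behind the ADSL router, so the ASA only sees what the router hands to 192.168.2.2: the router must either port-forward from its public address to 192.168.2.2, or route the public /29 that holds x.x.140.59 and x.x.140.60 to 192.168.2.2 as next hop. Second, asdm-508.bin indicates a 7.0-era image, and on pre-8.3 ASA code an access-list applied inbound on Outside is matched against the mapped (translated) destination address as the packet arrives, never against the real inside address; the variants that permit to 192.168.1.252 or 192.168.1.254 cannot match, and with `static ... interface` the mapped address is the Outside interface IP 192.168.2.2, not x.x.140.x. The fragment below gives the port-forward variant (A) and the routed-block variant (B), to be used one or the other, plus the checks that tell the two failure causes apart. Access-list 100, the interface names and the addresses are the post's; the capture name `web` and its access-list `cap-web` are assumed names chosen here. Two caveats a practitioner would raise: 110 and 143 are cleartext POP3/IMAP, so exposing them puts mailbox credentials on the Internet unencrypted (prefer 995/993 with TLS if the server offers them), and the pool `dhcpd address 192.168.1.242-192.168.1.254 Inside3` overlaps the static server addresses .252 and .254 and should be narrowed.

```cisco
! Variant A: the ADSL router forwards TCP 80/25/110/143 from its public
! address x.x.181.68 to the ASA Outside interface 192.168.2.2.
! The mapped address on the ASA side is therefore the Outside interface.
static (Inside3,Outside) tcp interface 80  192.168.1.254 80  netmask 255.255.255.255
static (Inside3,Outside) tcp interface 25  192.168.1.252 25  netmask 255.255.255.255
static (Inside3,Outside) tcp interface 110 192.168.1.252 110 netmask 255.255.255.255
static (Inside3,Outside) tcp interface 143 192.168.1.252 143 netmask 255.255.255.255
!
! Pre-8.3: the inbound ACL names the MAPPED address (192.168.2.2 here),
! not the real inside address 192.168.1.x.
access-list 100 extended permit tcp any host 192.168.2.2 eq 80
access-list 100 extended permit tcp any host 192.168.2.2 eq 25
access-list 100 extended permit tcp any host 192.168.2.2 eq 110
access-list 100 extended permit tcp any host 192.168.2.2 eq 143
access-group 100 in interface Outside
!
! Variant B (use instead of A): the ADSL router routes the public /29
! containing x.x.140.59 and x.x.140.60 to next hop 192.168.2.2 and does
! no port forwarding. The public addresses are then the mapped addresses
! and the ACL must name them (this is the post's second attempt; if it
! failed, the router was not delivering the packets).
! static (Inside3,Outside) tcp x.x.140.60 80  192.168.1.254 80  netmask 255.255.255.255
! static (Inside3,Outside) tcp x.x.140.59 25  192.168.1.252 25  netmask 255.255.255.255
! static (Inside3,Outside) tcp x.x.140.59 110 192.168.1.252 110 netmask 255.255.255.255
! static (Inside3,Outside) tcp x.x.140.59 143 192.168.1.252 143 netmask 255.255.255.255
! access-list 100 extended permit tcp any host x.x.140.60 eq 80
! access-list 100 extended permit tcp any host x.x.140.59 eq 25
! access-list 100 extended permit tcp any host x.x.140.59 eq 110
! access-list 100 extended permit tcp any host x.x.140.59 eq 143
!
! Checks. First confirm the router delivers the packets at all: capture
! inbound traffic to the mapped web address on Outside while a host on
! the Internet connects to port 80 (for variant B capture on
! host x.x.140.60 instead). An empty capture means the fault is on the
! ADSL router, not on the ASA.
access-list cap-web extended permit tcp any host 192.168.2.2 eq 80
capture web access-list cap-web interface Outside
show capture web
! Then confirm the translation exists and the ACL lines are being hit.
show xlate
show access-list 100
! Remove the capture when done.
no capture web
```

If `show capture web` shows SYNs arriving but `show access-list 100` shows no hit counts climbing, the ACL is matching the wrong (real) address; if hits climb but `show xlate` never shows the static, check the `static` line order and interface names. Apply the fragment from the console or a management session rather than over the Outside interface, since the `access-list 100` lines replace the ones the post currently has.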