ASA 5510 with ADSL Router Problems

[jvpgr]

Hi all,

I need to connect an ASA 5510 through an ADSL Router to the internet, in a way that the internal web & mail servers to be accessible from

the outside, right now there are no problems accessing the outside zone (internet) from the inside but I have no success with the opposite.

Any help would be greatly appreciated!

the network layout is as follows

INTERNET -- x.x.181.68-ADSL-192.168.2.1 -- 5510-192.168.2.2
for the outside interfase and

192.168.1.241-5510---192.168.1.254 www
|--192.168.1.252 pop3/imap4
|--192.168.1.142 - 192.168.1.250 w-tations

execpt the x.x.181.68 static ip there is another pool of 8 static ips from which x.x.140.60 xoresponds to the web server and x.x.140.59 to the email server.

the current configuration of the 5510 is

!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/3
nameif Inside3
security-level 100
ip address 192.168.1.241 255.255.255.240
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.240
management-only
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside1
dns domain-lookup Inside2
dns domain-lookup Inside3
dns name-server 192.168.2.1
dns name-server 193.92.150.3
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable

access-list 100 extended permit tcp any host 192.168.1.252 eq 25
access-list 100 extended permit tcp any host 192.168.1.252 eq 110
access-list 100 extended permit tcp any host 192.168.1.252 eq 143
access-list 100 extended permit tcp any host 192.168.1.254 eq 80

!
tcp-map mss-map
exceed-mss allow
!
tcp-map opmap
check-retransmission
checksum-verification
exceed-mss allow
!
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside1 1500
mtu Inside2 1500
mtu Inside3 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside1
monitor-interface Inside2
monitor-interface Inside3
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400

global (Outside) 1 interface

nat (Inside1) 1 192.168.1.0 255.255.255.0
nat (Inside2) 1 192.168.1.0 255.255.255.0
nat (Inside3) 1 192.168.1.0 255.255.255.0

static (Inside3,Outside) tcp x.x.140.60

http://www 192.168.1.254

http://www netmask

255.255.255.255
static (Inside3,Outside) tcp x.x.140.59 25 192.168.1.252 25 netmask 255.255.255.255
static (Inside3,Outside) tcp x.x.140.59 110 192.168.1.252 110 netmask 255.255.255.255
static (Inside3,Outside) tcp x.x.140.59 143 192.168.1.252 143 netmask 255.255.255.255

access-group 100 in interface Outside

route Outside 0.0.0.0 0.0.0.0 192.168.2.1 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.240 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.18-192.168.1.30 Inside1
dhcpd address 192.168.1.34-192.168.1.46 Inside2
dhcpd address 192.168.1.242-192.168.1.254 Inside3
dhcpd address 192.168.1.2-192.168.1.14 management
dhcpd dns 192.168.2.1 193.92.150.3
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config Outside
dhcpd enable Inside1
dhcpd enable Inside2
dhcpd enable Inside3
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:333398fceae822750f40077386cb3867
: end

except from the pairs:

static (Inside3,Outside) tcp x.x.140.60

http://www 192.168.1.254

http://www netmask

255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 80

static (Inside3,Outside) tcp x.x.140.59 25 192.168.1.252 25 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.252 eq 25

static (Inside3,Outside) tcp x.x.140.59 110 192.168.1.252 110 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.252 eq 110

static (Inside3,Outside) tcp x.x.140.59 143 192.168.1.252 143 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.252 eq 143

I have tried also

static (Inside3,Outside) tcp x.x.140.60

http://www 192.168.1.254

http://www netmask

255.255.255.255
access-list 100 extended permit tcp any host x.x.140.60 eq 80

static (Inside3,Outside) tcp x.x.140.59 25 192.168.1.252 25 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 25

static (Inside3,Outside) tcp x.x.140.59 110 192.168.1.252 110 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 110

static (Inside3,Outside) tcp x.x.140.59 143 192.168.1.252 143 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 143

and

static (Inside3,Outside) tcp interface

http://www 192.168.1.254

http://www netmask

255.255.255.255
access-list 100 extended permit tcp any host x.x.140.60 eq 80

static (Inside3,Outside) tcp interface 25 192.168.1.252 25 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 25

static (Inside3,Outside) tcp interface 110 192.168.1.252 110 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 110

static (Inside3,Outside) tcp interface 143 192.168.1.252 143 netmask 255.255.255.255
access-list 100 extended permit tcp any host x.x.140.59 eq 143

or

static (Inside3,Outside) tcp interface

http://www 192.168.1.254

http://www netmask

255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 80

static (Inside3,Outside) tcp interface 25 192.168.1.252 25 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 25

static (Inside3,Outside) tcp interface 110 192.168.1.252 110 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 110

static (Inside3,Outside) tcp interface 143 192.168.1.252 143 netmask 255.255.255.255
access-list 100 extended permit tcp any host 192.168.1.254 eq 143

but with no success (

Please help!!
any help would be most highly appreciated.

 

[unclerico]

I believe the issue that you are having is that the ASA does not have a public IP assigned to it. If you are able to set your ADSL modem to bridged mode you can move the public address space off of the ADSL modem and onto the ASA.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[jvpgr]

thank you for the advice unclerico, but how I will configure 5510 to handle the PPP then ?

 

[jvpgr]

... and something that came to my mind after posting the previous post ...

would it be (almost) the same if I forward on the ADSL the required ips/ports to the outside interface instead (I allready tryed to the servers themselves, dut it didn't worked) ? Even though I though that the ADSL should do the same itself since not knowing what to do with them

 

[unclerico]

The config would be something like this:

ASA(config)# vpdn username <username> password <password>
ASA(config)# vpdn group <group_name> localname <username_defined_in_prev_command>
ASA(config)# vpdn group <group_name> ppp authentication {pap | chap | mschap}
ASA(config)# vpdn group <group_name> request dialout pppoe
ASA(config)# interface outside
ASA(config-if)# ip address <ip_address> <mask> pppoe

This should work. Now you should be able to configure your NAT statements as before and it should be gravy.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[jvpgr]

thank you very much unclerico!!

just another question, the ADSL supports DMZ on one ip. If I put the outside interface's ip as DMZ for the ADSL would have some similar result and would it will be a bad security case ?

 

[unclerico]

Honestly, I would let the ASA handle it all. Whenever I setup a security device connecting to DSL or Cable I always set the modem to bridge mode and let the security device handle the heavy lifting. ASA's are the best in the biz (partisan opinion of course )

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[unclerico]

I really wish this place had an Edit button...I want to add taht the other option I will go with is getting two CIDR blocks from the ISP and placing a router in front of the ASA (some clients prefer this setup). The router outside interface will get a /30 prefix. The ASA Outside and Router Inside interfaces will usually get a /29 prefix.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)