Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ASA 5510 Configuration- Help plz

Status
Not open for further replies.
rjanakan

rjanakan

Technical User
Sep 2, 2004
9
US
Hi,

I'm trying to setup ASA 5510 in my test lab to allow all incoming traffic to inside webserver. I created only one static NAT entry to translate outside public address to inside private address. I created a reverse static xlation too. I allowed all tcp,ip,icmp, udp traffic both outside and inside. When I hit the page using public address, I can see the syslog that an inbound tcp connection is established with NAT. However the page doesn't comeup and after 30seconds the connection gets teared down. I also checked my IIS log and no connection attempts made from ASA to my webserver.

I'm using ASDM to configure


Please find my current config:
Any help would be greatly appreciated.

Thank you,
Janakan Rajendran

ASA Version 7.0(4)12
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif Inside
security-level 100
ip address 10.18.45.18 255.0.0.0
!
interface Ethernet0/1
nameif Outside
security-level 0
ip address 66.x.x.x 255.0.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
nameif management
security-level 0
ip address 192.168.1.12 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Outside_access_in extended permit tcp any any
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit udp any any
access-list Outside_access_in extended permit icmp any any
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
asdm image disk0:/asdm-504.bin
no asdm history enable
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a36f49769d043b2ef4acec7410f39d2b
: endrp timeout 14400
static (Outside,Inside) 10.18.45.19 66.x.x.x netmask 255.255.255.255
static (Inside,Outside) 66.x.x.x 10.18.45.19 netmask 255.255.255.255
access-group Inside_access_in in interface Inside
access-group Outside_access_in in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!


 
Sort by date Sort by votes

I'm assuming the webserver's IP is 10.18.45.19.

You can get rid of this entry, since it's not doing anything:

static (Outside,Inside) 10.18.45.19 66.x.x.x netmask 255.255.255.255

What is the IP address of the client machine trying to bring up the webpage? Is it a part of the 66.x.x.x network?

Does the webserver have his default route set to 10.18.45.18?

Have you verified basic connectivity? Can you ping the webserver private IP from the firewall?
 
Upvote 0 Downvote
Add this line
route outside 10.0.0.0 255.0.0.0 next_hop_router_ip_address metric

You have the static in place so you won't need this if the webserver is the only box on the inside, but if you have others that need connections out you will need a NAT and Global pair

nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 66.x.x.x netmask 255.0.0.0



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Thanks a lot dozier and Brent. It was just the default gateway on the test webserver :) (shy). I appreciate your help guys.

Thx again.

Janakan Rajendran
 
Upvote 0 Downvote
No problem, I've definitely been on the other end of those kinds of easy resolutions. :)
 
Upvote 0 Downvote
Hi Guys i know you been over this one, but iam having the same problem! I need help as this has been driving me crazy for 3 weeks now!

It builds the connection the tares it down after 30 seconds (in syslog) check the server i am going to 172.168.100.104 and it's gateway is 172.168.100.100 so it's not that. Any ideas please! :)

My Config.

ciscoasa# config terminal
ciscoasa(config)# show config
: Saved
: Written by enable_15 at 12:10:11.896 GMT/BDT Thu Oct 12 2006
!
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name xxxxxxxxxxxxxxxxxxxxx
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.x.82 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.16.100.100 255.255.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.
boot system disk0:/pix721.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name xxxxxxxxxxxxxxxxxxx
object-group service 4XDealer tcp
port-object range 4000 4100
access-list Outside_access_in extended permit tcp any host x.x.x.83 eq 3389

pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool RemoteIPs 172.16.250.1-172.16.250.254 mask 255
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Outside,Inside) 172.16.100.104 x.x.x.83 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute

Regards,
Darren
 
Upvote 0 Downvote
Need to start a new thread
Post the whole config and be a little more specific with the problem.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
958
intel233
intel233
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
825
intel233
intel233
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
305
PauS0n
PauS0n
gkreg
  • Locked
  • Question
asa 5500-x url filtering
Replies
0
Views
562
gkreg
gkreg

Part and Inventory Search

Sponsor

Back
Top