
Unable to communicate over Outside interface?

Asked by menreeq in Cisco PIX Firewall, Voice Over IP, Network Routers

Tags: asa, interface, outside

This is kind of a tough one to explain; below is the running config of my ASA 5500. I am trying to help out the phone vendor by setting up access rules that will allow a teleworker to connect to the phone system over the net. The phone system is located on the PT2PT VLAN with a private IP of 192.168.30.12. The DMZ/Teleworker interface is the teleworker server and it has a private IP of 192.168.40.2. The problem we have is related to the phones' audio, which is only working in one direction. This requires that UDP traffic be allowed between the VLANs, which I have allowed. The problem appears to be that the telephone server on the PT2PT VLAN needs to be able to reach the DMZ/Teleworker VLAN via its public IP (66.186.39.68). I don't believe this is a problem of the right outside-access-in rules being set up but rather the ASA not allowing public traffic in and out simultaneously. I think that enabling the ability to ping 66.186.39.68 from the host 192.168.30.12 may resolve the problem, if that simplifies the problem for anyone.

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password zIt08HFc1ASHTQRr encrypted
names
name 66.186.39.70 TerminalServer
name 66.186.39.68 Teleworker
name 66.186.39.71 DRAC
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.186.39.67 255.255.255.240
!
interface Vlan12
 nameif PT2PT
 security-level 100
 ip address 192.168.30.2 255.255.255.0
!
interface Vlan22
 nameif DMZ/Teleworker
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SRTP udp
 description 10
 port-object range 19000 23010
object-group service RDP tcp
 port-object range 3389 3391
object-group service Teleworker tcp
 port-object range 2114 2114
 port-object range 2116 2116
 port-object range ssh ssh
 port-object range 3300 3300
 port-object range 35000 35000
 port-object range 37000 37000
 port-object range https https
 port-object range 3398 3398
 port-object range 6800 6802
 port-object range 3999 3999
 port-object range 6880 6880
object-group service RTP udp
 port-object range 1024 65535
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit gre any any
access-list PT2PT_access_in extended permit tcp any any
access-list PT2PT_access_in extended permit ip any any
access-list PT2PT_access_in extended permit icmp any any
access-list PT2PT_access_in extended permit udp any any
access-list PT2PT_access_in extended permit tcp interface PT2PT eq https any eq https
access-list PT2PT_access_in extended permit icmp host Teleworker 192.168.30.0 255.255.255.0
access-list outside_access_in extended permit tcp any host TerminalServer eq smtp
access-list outside_access_in extended permit tcp any host TerminalServer eq pptp
access-list outside_access_in extended permit tcp any host TerminalServer eq www
access-list outside_access_in extended permit tcp any host TerminalServer eq https
access-list outside_access_in extended permit icmp any host TerminalServer
access-list outside_access_in extended permit tcp any host TerminalServer eq 4125
access-list outside_access_in extended permit tcp any host TerminalServer eq 3389
access-list outside_access_in extended permit tcp any host TerminalServer eq 1433
access-list outside_access_in extended permit udp any host Teleworker object-group SRTP
access-list outside_access_in extended permit tcp any host Teleworker eq 47
access-list outside_access_in extended permit tcp any host Teleworker eq pptp
access-list outside_access_in extended permit tcp any host Teleworker object-group Teleworker
access-list outside_access_in extended permit icmp any host Teleworker
access-list outside_access_in extended permit tcp any host DRAC eq ssh
access-list outside_access_in extended permit tcp any host DRAC eq 5900
access-list outside_access_in extended permit tcp any host DRAC eq 5901
access-list outside_access_in extended permit tcp any host DRAC eq 6668
access-list outside_access_in extended permit tcp any host DRAC eq 3668
access-list outside_access_in extended permit tcp any host DRAC eq 3669
access-list inside_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
access-list DMZ/Teleworker_access_in extended permit icmp any any
access-list DMZ/Teleworker_access_in extended permit udp any any
access-list DMZ/Teleworker_access_in extended permit ip any any
access-list DMZ/Teleworker_access_in extended permit tcp any any
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.0
access-list DMZ/Teleworker_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list PT2PT_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu PT2PT 1500
mtu DMZ/Teleworker 1500
no failover
monitor-interface inside
monitor-interface outside
monitor-interface PT2PT
monitor-interface DMZ/Teleworker
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 66.186.39.67 netmask 255.255.255.240
global (outside) 2 Teleworker netmask 255.255.255.240
global (outside) 3 66.186.39.69 netmask 255.255.255.240
global (outside) 4 TerminalServer netmask 255.0.0.0
global (outside) 5 DRAC netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 4 192.168.3.0 255.255.255.0
nat (PT2PT) 0 access-list PT2PT_nat0_outbound
nat (PT2PT) 1 192.168.30.0 255.255.255.0
nat (DMZ/Teleworker) 0 access-list DMZ/Teleworker_nat0_outbound
nat (DMZ/Teleworker) 2 192.168.40.0 255.255.255.0
static (DMZ/Teleworker,outside) Teleworker 192.168.40.2 netmask 255.255.255.255
static (inside,outside) DRAC 192.168.3.120 netmask 255.255.255.255
static (inside,outside) TerminalServer 192.168.3.5 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group PT2PT_access_in in interface PT2PT
access-group DMZ/Teleworker_access_in in interface DMZ/Teleworker
route outside 0.0.0.0 0.0.0.0 66.186.39.65 1
route PT2PT 192.168.2.0 255.255.255.0 192.168.30.1 1
route PT2PT 192.168.10.0 255.255.255.252 192.168.30.1 1
route PT2PT 192.168.20.0 255.255.255.0 192.168.30.1 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.20.0 255.255.255.0 PT2PT
http 192.168.30.0 255.255.255.0 PT2PT
http 192.168.2.0 255.255.255.0 PT2PT
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.2-192.168.3.254 inside
!

!
class-map PPTP
 description PPTP
 match port tcp eq pptp
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map PPTP
 class PPTP
  inspect pptp
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
service-policy PPTP interface outside
prompt hostname context
Cryptochecksum:9d371e31450cfdf7272f7fb605700a9a
: end
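The path the question describes (a PT2PT host sending to the DMZ server's public address 66.186.39.68) modelled as an added Python example; this is not part of the original post and not the accepted solution, which is not visible here. It assumes the pre-8.3 ASA forwarding model, in which a static whose mapped interface is the packet's ingress interface is applied before the route lookup, and treats an extra static between DMZ/Teleworker and PT2PT (HAIRPIN_STATIC, an assumption) as the candidate fix.

```python
import ipaddress

# Constructed excerpt of the posted running config: only the lines the model reads.
CONFIG = """
name 66.186.39.68 Teleworker
interface Vlan2
 nameif outside
 ip address 66.186.39.67 255.255.255.240
interface Vlan12
 nameif PT2PT
 ip address 192.168.30.2 255.255.255.0
static (DMZ/Teleworker,outside) Teleworker 192.168.40.2 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 66.186.39.65 1
"""
# Assumed fix (not from the page): a second static with PT2PT as the mapped side,
# so a PT2PT host sending to the public address is translated straight to the DMZ host.
HAIRPIN_STATIC = "static (DMZ/Teleworker,PT2PT) Teleworker 192.168.40.2 netmask 255.255.255.255\n"

def parse(cfg):
    """Collect interface subnets, static translations (names resolved) and routes."""
    names, ifaces, statics, routes, cur = {}, {}, [], [], None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[cur] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "static":  # static (real_ifc,mapped_ifc) mapped real netmask mask
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            statics.append((real_ifc, mapped_ifc, names.get(t[2], t[2]), names.get(t[3], t[3])))
        elif t[0] == "route":  # route ifc network mask gateway metric
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[1]))
    return ifaces, statics, routes

def forward(cfg, ingress, dst):
    """(egress interface, destination after NAT) for a packet arriving on `ingress` for `dst`.
    A static whose mapped side is the ingress interface untranslates dst and overrides
    routing; otherwise longest-prefix lookup over connected subnets and static routes."""
    ifaces, statics, routes = parse(cfg)
    d = ipaddress.ip_address(dst)
    for real_ifc, mapped_ifc, mapped, real in statics:
        if mapped_ifc == ingress and ipaddress.ip_address(mapped) == d:
            return real_ifc, real
    candidates = [(net, ifc) for ifc, net in ifaces.items()] + routes
    best = max((c for c in candidates if d in c[0]), key=lambda c: c[0].prefixlen, default=None)
    return (best[1] if best else None), dst
```

As posted, forward(CONFIG, "PT2PT", "66.186.39.68") returns ('outside', '66.186.39.68'): the packet is routed out the outside interface towards an address the ASA itself answers for, so it never reaches 192.168.40.2; with HAIRPIN_STATIC appended it returns ('DMZ/Teleworker', '192.168.40.2'). PT2PT_access_in already permits ip any any, so that path needs no ACL change.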
03/20/08 08:21 AM, ID: 21172429 Accepted Solution
Solution Provided By: batry_boy
Participating Experts: 3
Solution Grade: B