	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

10/30/2009 at 05:56AM PDT, ID: 24857885

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.1

asa 5510 configuration

Asked by Hahaciok in Cisco PIX Firewall, Network Routers

Tags: asa 5510, nat

Hi,

First sorry for bad English

We have old Cisco 2600 series router and have purchased ASA 5510. Now I want to replace router with ASA, but cannot... When I test ASA 5510 in test environment, it seems as if everything is fine, but when I connect to a real environment, that's what happens:

1. As you can see from my network diagram, our LAN address range is 172.30.16.0/24, all users go to the Internet through a proxy server (172.30.16.253), my computer goes directly to the Internet. Now when I connect ASA 5510 to a real environment, when I try to access the web directly nothing happens, I cannot ping website, the dns is not reachable, but proxy server can reach dns server(but very slow), and users can surf the Internet. Log show nothing shows, except, when I turn on skype, log show portmap translation failed for my ip address...

2. Mail server cannot reach DNS server, ping anything and s.o. Packet tracer shows, that packets must go correctly...

I dont understand, what is wrong, because, as I say, in test environment everything is ok, but in real....

Any ideas, how to solve my problem?

View the Solution FREE for 30 Days

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:

           
           
             object-group service DM_INLINE_SERVICE_1
 service-object tcp eq domain 
 service-object udp eq domain 
 service-object tcp eq www 
 service-object tcp eq https 
 service-object tcp eq smtp 
 service-object icmp 
 service-object icmp echo
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
 service-object tcp eq domain 
 service-object udp eq domain 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
object-group network DM_INLINE_NETWORK_1
 network-object host xx.xx.81.19
 network-object host xx.xx.81.20
access-list LAN_nat0_out extended permit ip 172.30.16.0 255.255.255.0 192.168.4.0 255.255.255.0 
access-list LAN_nat0_out extended permit ip 172.30.16.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list MAIL_nat0_out extended permit ip 192.168.4.0 255.255.255.0 172.30.16.0 255.255.255.0 
access-list MAIL_nat0_out extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any 
access-list WAN_access_in extended permit tcp any host xx.xx.66.19 eq www 
access-list WAN_access_in extended permit tcp any host xx.xx.66.20 object-group DM_INLINE_TCP_1 
access-list WAN_access_in extended permit tcp any host xx.xx.66.20 gt 10000 
access-list MAIL_access_in extended permit ip 192.168.4.0 255.255.255.0 172.30.16.0 255.255.255.0 
access-list MAIL_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.4.0 255.255.255.0 any inactive 
access-list MAIL_access_in extended permit ip any any 
access-list WWW_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.30.16.0 255.255.255.0 
access-list WWW_access_in extended permit ip host 192.168.1.1 host 172.30.16.207 
access-list WWW_access_in extended permit object-group DM_INLINE_SERVICE_2 host 192.168.1.1 host 172.30.16.230 
access-list WWW_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 
pager lines 24
logging enable
logging trap debugging
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu WWW 1500
mtu MAIL 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
icmp permit any LAN
icmp permit any WWW
icmp permit any MAIL
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN) 101 xx.xx.66.21-xx.xx.66.22 netmask 255.255.255.248
global (WWW) 101 xx.xx.66.19 netmask 255.255.255.248
global (MAIL) 101 xx.xx.66.20 netmask 255.255.255.248
nat (LAN) 0 access-list LAN_nat0_out
nat (LAN) 101 0.0.0.0 0.0.0.0
nat (WWW) 0 access-list WWW_nat0_outbound_1
nat (WWW) 0 access-list WWW_nat0_outbound outside
nat (MAIL) 0 access-list MAIL_nat0_out
nat (MAIL) 101 192.168.4.3 255.255.255.255
static (LAN,WAN) tcp interface www 172.30.16.231 www netmask 255.255.255.255 
static (LAN,WAN) tcp interface ftp 172.30.16.231 ftp netmask 255.255.255.255 
static (LAN,WAN) tcp interface 8080 172.30.16.217 8080 netmask 255.255.255.255 
static (MAIL,WAN) tcp xx.xx.66.20 smtp 192.168.4.3 smtp netmask 255.255.255.255 
static (WWW,WAN) xx.xx.66.19 192.168.1.1 netmask 255.255.255.255 
static (MAIL,WAN) xx.xx.66.20 192.168.4.1 netmask 255.255.255.255 
access-group WAN_access_in in interface WAN
access-group WWW_access_in in interface WWW
access-group MAIL_access_in in interface MAIL
route WAN 0.0.0.0 0.0.0.0 xx.xx.66.17 1
route LAN 172.30.16.0 255.255.255.0 192.168.200.254 1
route LAN 192.168.101.0 255.255.255.0 192.168.200.254 1
 
 
Part of log:
 
3|Oct 30 2009|14:30:06|305006|82.128.187.109|58428|||portmap translation creation failed for tcp src LAN:172.30.16.207/8000 dst WAN:82.128.187.109/58428
3|Oct 30 2009|14:30:06|305006|213.100.51.213|443|||portmap translation creation failed for tcp src LAN:172.30.16.207/7999 dst WAN:213.100.51.213/443
3|Oct 30 2009|14:30:06|305006|84.112.146.184|80|||portmap translation creation failed for tcp src LAN:172.30.16.207/7998 dst WAN:84.112.146.184/80
3|Oct 30 2009|14:30:06|305006|85.11.219.194|80|||portmap translation creation failed for tcp src LAN:172.30.16.207/7997 dst WAN:85.11.219.194/80
3|Oct 30 2009|14:30:06|305006|81.225.88.54|80|||portmap translation creation failed for tcp src LAN:172.30.16.207/7996 dst WAN:81.225.88.54/80
3|Oct 30 2009|14:30:06|305006|193.10.218.219|80|||portmap translation creation failed for tcp src LAN:172.30.16.207/7995 dst WAN:193.10.218.219/80
3|Oct 30 2009|14:30:06|305006|84.115.2.141|80|||portmap translation creation failed for tcp src LAN:172.30.16.207/7994 dst WAN:84.115.2.141/80
3|Oct 30 2009|14:30:06|305006|213.100.51.213|50131|||portmap translation creation failed for tcp src LAN:172.30.16.207/7993 dst WAN:213.100.51.213/50131
3|Oct 30 2009|14:30:06|305006|84.112.146.184|443|||portmap translation creation failed for tcp src LAN:172.30.16.207/7992 dst WAN:84.112.146.184/443
3|Oct 30 2009|14:30:06|305006|85.11.219.194|443|||portmap translation creation failed for tcp src LAN:172.30.16.207/7991 dst WAN:85.11.219.194/443
3|Oct 30 2009|14:30:06|305006|81.225.88.54|443|||portmap translation creation failed for tcp src LAN:172.30.16.207/7990 dst WAN:81.225.88.54/443
3|Oct 30 2009|14:30:06|305006|193.10.218.219|443|||portmap translation creation failed for tcp src LAN:172.30.16.207/7989 dst WAN:193.10.218.219/443
3|Oct 30 2009|14:30:06|305006|84.115.2.141|443|||portmap translation creation failed for tcp src LAN:172.30.16.207/7988 dst WAN:84.115.2.141/443
3|Oct 30 2009|14:30:06|305006|80.244.73.123|80|||portmap translation creation failed for tcp src LAN:172.30.16.207/7987 dst WAN:80.244.73.123/80

           
         

Attachments:

Network.JPG (50 KB) (File Type Details)

network diagram

20091111-EE-VQP-91 - Hierarchy / EE_QW_3_20080625

1. JFrederic...459,465
2. MikeKane299,205
3. lrmoore297,968
4. ikalmar186,760
5. 3nerds173,965
6. asavener135,520
7. PeteLong134,501
8. bignewf107,905
9. Voltz-dk102,615
10. nodisco86,087
11. MrHusy80,063
12. kenboonejr75,275
13. jodylemoine67,552
14. ccie2292159,700
15. that1guy1549,812
16. ricks_v49,349
17. rsivanandan48,563
18. RPPreacher46,718
19. stsonline46,325
20. debuggerau43,450
21. Cyclops3...41,004
22. Donboo40,930
23. rochey2...38,714
24. Quori38,050
25. egyptco36,150

1. lrmoore2,923,121
2. batry_boy1,055,485
3. JFrederic...654,665
4. PeteLong479,334
5. rsivanandan404,347
6. MikeKane385,826
7. nodisco363,574
8. grblades351,435
9. Voltz-dk335,524
10. MrHusy334,309
11. Cyclops3...262,318
12. calvinetter254,590
13. ikalmar186,760
14. 3nerds173,965
15. harbor235163,330
16. asavener135,520
17. bignewf130,085
18. RPPreacher122,741
19. tim_holman120,177
20. mkielar116,985
21. keith_ala...113,219
22. _jesper_109,205
23. carribeant...108,132
24. Pugglewu...89,432
25. decoleur83,309

asa 5510 configuration

Asked by Hahaciok in Cisco PIX Firewall, Network Routers

Tags: asa 5510, nat

About this solution