Solved

Cisco ASA device challenges

Posted on 2007-03-21
Medium Priority
945 Views
Last Modified: 2013-11-12
Cisco ASA device.

I am not able to do tracerts, ping or to see my websites with my public IP addresses, just the private IPs.
0
Question by:NetNinja
7 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 18765316
Need a little more info...are you trying to perform these actions from inside the ASA or from an external host (outside the ASA)?
0
 

Author Comment

by:NetNinja
ID: 18766843
Trying to perform these actions from inside the network.
I guess I would have to create NAT rules to translate those public IPs?

So for instance my mail server is available via 38.116.1.1\exchange but its private IP is 10.1.10.2
If I try to get to the public IP address from inside my network I get a page cannot be found. However I can reach it via my private IP via 10.1.10.2\exchange
I also have problems with my other websites as well.
Users don't remember private IPs too well :)

So on the ASA I would add a Static IP and then what would I need to do from there?

Also I discovered I cannot do any tracerts or pings to the outside world and want to be able to do this.
It makes the developers nervous when they are unable to do this.


0
 
LVL 28

Accepted Solution

by:
batry_boy earned 1000 total points
ID: 18766933
The tracerts and pings to the outside world are easy to allow...enter the following commands on the ASA:

access-list acl_outside_in permit icmp any any echo-reply
access-list acl_outside_in permit icmp any any unreachable
access-list acl_outside_in permit icmp any any time-exceeded
access-group acl_outside_in in interface outside

Substitute whatever ACL name you have applied to your outside interface in the above commands.

As for the website access, your users are using the public IP address of an inside web server to access them?  Why don't they use the DNS hostname of those servers?  That's an atypical way of accessing inside web servers.
0
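Added example, not part of the original thread and not batry_boy's code: a small Python check that reads an ASA configuration, finds the ACL actually bound inbound on the outside interface, and reports which of the three ICMP return types from the answer above are still missing and whether any ICMP permit is broader than those three. The function name `audit_icmp`, the ACL name `legacy_in` and the sample configuration are constructed for illustration.

```python
import re

# The three ICMP reply types the accepted answer permits inbound.
RETURN_TYPES = {"echo-reply", "unreachable", "time-exceeded"}

# Constructed sample config (not taken from the asker's device).
SAMPLE = """\
access-list acl_outside_in extended permit tcp any host 38.116.1.1 eq www
access-list acl_outside_in permit icmp any any echo-reply
access-list acl_outside_in permit icmp any any time-exceeded
access-list legacy_in permit icmp any any
access-group acl_outside_in in interface outside
"""

def _skip_addr(tok, i):
    """Advance past one address spec: 'any', 'host A', 'object-group G' or 'A MASK'."""
    if i >= len(tok):
        return i
    return i + 1 if tok[i] in ("any", "any4", "any6") else i + 2

def audit_icmp(config, interface="outside"):
    """Report the ICMP types permitted by the ACL bound inbound on `interface`."""
    bound = None
    for line in config.splitlines():
        m = re.match(r"\s*access-group\s+(\S+)\s+in\s+interface\s+(\S+)", line)
        if m and m.group(2) == interface:
            bound = m.group(1)  # only one inbound ACL per interface; the last one wins
    permitted, too_broad = set(), []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != bound:
            continue  # other ACLs (e.g. legacy_in) do not affect this interface
        rest = tok[3:] if tok[2] == "extended" else tok[2:]
        if rest[:2] != ["permit", "icmp"]:
            continue
        i = _skip_addr(rest, _skip_addr(rest, 2))  # skip source, then destination
        icmp_type = rest[i] if i < len(rest) else None
        if icmp_type in RETURN_TYPES:
            permitted.add(icmp_type)
        else:
            too_broad.append(line.strip())  # untyped or non-reply permit, e.g. echo
    return {"acl": bound,
            "missing": sorted(RETURN_TYPES - permitted),
            "too_broad": too_broad}

if __name__ == "__main__":
    print(audit_icmp(SAMPLE))
```

Because an interface holds only one inbound ACL, the check keys on the name in the `access-group` line: ICMP entries added under a different ACL name have no effect until that ACL is bound, and binding it replaces the existing one.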
 

Author Comment

by:NetNinja
ID: 18766995
Awesome! You da man! well at least that is working


0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18767131
Can you elaborate on the other problem you are seeing?  In my personal opinion, you should not make your firewall have to process traffic for inside to inside traffic.  Can your internal users use a hostname that you could put in your internal DNS server and let them access your internal web servers that way?
0
 

Author Comment

by:NetNinja
ID: 18768326
Let's see if this makes any sense.
If I go into properties and click on the DNS client I noticed there were no DNS entries there.
So I placed my ISP's DNS servers there.
Should I enable DNS Lookup on both the inside and outside interface?

We had a contractor come in and install the device. I have some experience with Cisco Pix 520 firewalls so I am trying to understand why there were no DNS entries. Sometimes looking over the installer's shoulders does not help very much. :)
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18769047
When you say you "go into properties and click on the DNS client" are you talking about in the ASDM GUI for the ASA or are you talking about the DNS settings for an end user workstation?  Judging from your wording in the next two lines, it sounds like you're talking about the DNS settings for the ASA itself and not a workstation, but I wanted to verify.

If you are talking about the DNS settings for the ASA itself, you can put in a DNS server entry but this would only enable DNS name resolution from the ASA firewall itself, not your end user workstations.  The workstations themselves have to have a DNS server entry in their IP configuration for them to perform DNS name resolution.  Having said this, there are few times when it becomes useful for the ASA to perform DNS resolution.  What I was referring to in my last post was to have your end user workstations resolve the hostname of your internal web servers via DNS rather than making them type in http://38.116.1.1/exchange to get to OWA (I assume this is what you are doing).  What I mean is to allow your users to use something like http://mail.yourcompany.com/exchange instead, where the DNS hostname mail.yourcompany.com resolves to 10.1.10.2.  If this was configured, then your internal users would not even hit the ASA for this traffic flow to happen.  Of course, you would have to have your own internal DNS server to have an entry to a private address like the 10.1.10.2 address.  Do you have an internal DNS server?  If you don't there is a way called DNS rewrite to perform what I think you want to do.  Post back and elaborate on your particular situation and we'll take a look!
0


Question has a verified solution.
