
ASA 5510 2 public IP blocks

wesallen asked on
Tags: Security, Hardware Firewalls, Cisco
I have an ASA 5510 with the Security Plus License so I have five ports that I can use.  My design is as follows:
 
Internet
    |
Router
    |
ASA5510 ------ DMZ
    |
Internal LAN

We just received another block of public IP addresses and I am trying to figure out how to set the ASA up to handle this.  I know I could do subinterfaces but I do not currently have a switch to do this and I need this by tomorrow so I can't get one ordered.  What I did was assign one of the new public IP addresses to one of the other ports on the ASA and create the correct ACL to allow my inbound traffic and outbound traffic to my servers internally.  I also allowed pings to my new interface and set it at the same security level as the other outside interface.

I can ping from this interface to my router but I cannot ping from the router to this interface.  If I hook a laptop up between the router and ASA I can ping the ASA just fine on that external port.  I also cannot access my servers that I am NATing using the new public IP.  Any help would be appreciated.

Below is my router and ASA config.  The 70 block is my new public IP.  Everything works fine to my old IP blocks.  Any suggestions?

Router
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname contcem
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
ip name-server 151.164.14.xxx
ip name-server 151.164.1.xxx
!
!
controller T1 0/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/1
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24 speed 64
!
!
interface MFR0
 description
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache cef
 frame-relay multilink bid test
 frame-relay lmi-type ansi
!
interface MFR0.671 point-to-point
 description WAN to Internet Service
 ip address 151.164.16.xxx 255.255.255.252
 no cdp enable
 frame-relay interface-dlci 671 IETF
!
interface FastEthernet0/0
 description Ethernet to Network
 ip address 70.xxx.xxx.49 255.255.255.xxx secondary
 ip address 67.67.99.xxx 255.255.255.xxx
 duplex auto
 speed auto
!
interface Serial0/0:0
 description Circuit ID: 43.YHGP.000496.001
 no ip address
 encapsulation frame-relay MFR0
 no arp frame-relay
 frame-relay multilink lid link1
!
interface Serial0/1:0
 description Circuit ID:
 no ip address
 encapsulation frame-relay MFR0
 no arp frame-relay
 frame-relay multilink lid link2
!
no ip forward-protocol nd
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 151.164.16.xxx
!
no ip http server
no ip http secure-server
!
no cdp run
!
control-plane
!
!
dial-peer cor custom
!
!
line con 0

 login
line aux 0
 transport input all
 flowcontrol hardware
line vty 0 4

 login
!
!
end

ASA 5510

ASA Version 7.2(2)
!
hostname ASAxxx
domain-name xxxxx
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 67.xxx.xxx.86 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.xxx.xxx 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.xxx.1 255.255.255.0
!
interface Ethernet0/3
 nameif outside2
 security-level 0
 ip address 70.xxx.xxx.62 255.255.255.240
!
interface Management0/0
 nameif Contractor_Net
 security-level 5
 ip address 192.168.xxx.1 255.255.255.0
!
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxxx.com
same-security-traffic permit inter-interface
access-list inside_in extended permit tcp host 192.168.xxx.3 any eq smtp
access-list inside_in extended permit tcp host 192.168.xxx.3 any eq www
access-list inside_in extended permit tcp host 192.168.xxx.3 any eq https
access-list inside_in extended permit tcp host 192.168.xxx.2 any eq www
access-list inside_in extended permit tcp host 192.168.xxx.2 any eq https
access-list inside_in extended permit tcp host 192.168.xxx.2 any eq ftp
access-list inside_in extended permit tcp host 192.168.xxx.4 any eq www
access-list inside_in extended permit tcp host 192.168.xxx.4 any eq https
access-list inside_in extended deny tcp any any eq www
access-list inside_in extended deny tcp any any eq ftp
access-list inside_in extended deny tcp any any eq https
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 67.xxx.xxx.84 eq smtp
access-list outside_in extended permit tcp any host 67.xxx.xxx.84 eq https
access-list outside_in extended permit tcp any host 67.xxx.xxx.82 eq 8093
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended deny ip any any
access-list csc extended permit ip any any
access-list outside2_access_in extended permit tcp any host 70.xxx.xxx.50 eq https
access-list outside2_access_in extended permit icmp any any echo-reply
access-list outside2_access_in extended permit icmp any any time-exceeded
access-list outside2_access_in extended permit icmp any any unreachable
pager lines 24
logging enable
logging asdm emergencies
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu outside2 1500
mtu Contractor_Net 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface dmz
monitor-interface outside2
monitor-interface Contractor_Net
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 67.xxx.xxx.84 netmask 255.255.255.255
global (dmz) 1 interface
nat (inside) 2 192.168.xxx.3 255.255.255.255
nat (inside) 1 192.168.xxx.0 255.255.255.0
nat (dmz) 1 192.168.xx2.0 255.255.255.0
static (inside,outside) tcp 67.xxx.xxx.84 smtp 192.168.xxx.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 67.xxx.xxx.84 https 192.168.xxx.2 https netmask 255.255.255.255
static (dmz,outside) tcp 67.xxx.xxx.82 80xx 192.168.xxx.6 80xx netmask 255.255.255.255
static (inside,outside2) tcp 70.xxx.xxx.50 https 192.168.xxx.4 https netmask 255.255.255.255
static (inside,dmz) 192.168.xxx.6 192.168.xxx.6 netmask 255.255.255.255
access-group outside_in in interface outside
access-group inside_in in interface inside
access-group outside2_access_in in interface outside2
route outside 0.0.0.0 0.0.0.0 67.xxx.xxx.81 1
route inside 192.168.xxx.19 255.255.255.255 192.168.xxx.2 1
route inside 192.168.xxx.18 255.255.255.255 192.168.xxx.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server CCCRADIUS protocol radius
http server enable
http 192.168.xxx.xxx 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.xxx.xxx 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address xxxx-xxxxx Contractor_Net
!
!
class-map csc-scanning
 match access-list csc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns dns_map
 parameters
  message-length maximum 1500
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp
  inspect esmtp
  inspect dns dns_map
!
service-policy asa_global_fw_policy global
ntp authentication-key 10 md5 *
ntp authenticate
ntp trusted-key 10
ntp server 192.168.xxx.xxx key 10 source inside
tftp-server inside 192.168.xxx.xxx /asaconfig.txt
ssl encryption des-sha1 rc4-md5
prompt hostname context
asdm image disk0:/asdm522.bin
no asdm history enable
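As an added example (not from the question, the answer, or any Cisco tool), the following Python script is the kind of read-only audit a reviewer would run over an ASA 7.x-style configuration before comparing a working ISP-facing interface with a newly added one. It parses the interface blocks, the route statements and the static NAT entries, then reports which interface carries the default route, which security-level-0 interfaces are the mapped side of a static but have no route statement of their own, and any static whose mapped address falls outside the subnet of the interface it is bound to. The embedded sample is a constructed excerpt of the posted ASA config with the redacted "xxx" octets replaced by placeholder values (67.10.20.x, 70.10.20.x, 192.168.1.x, 192.168.2.x); the regexes only cover the statement forms that appear in the post.

```python
"""Read-only audit of an ASA 7.x-style running config (Python 3.8+, stdlib only).

Added example, not part of the original question or any Cisco tool. It pulls the
interface subnets, 'route' statements and 'static' NAT entries out of the text and
reports facts a reviewer would compare between a working ISP-facing interface and
a newly added one. SAMPLE_CONFIG is a constructed excerpt of the posted config
with the redacted octets replaced by placeholder addresses.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: 67.10.20.x / 70.10.20.x / 192.168.x.x stand in for the redacted octets.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 67.10.20.86 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 nameif outside2
 security-level 0
 ip address 70.10.20.62 255.255.255.240
!
static (inside,outside) tcp 67.10.20.84 smtp 192.168.1.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 67.10.20.84 https 192.168.1.2 https netmask 255.255.255.255
static (dmz,outside) tcp 67.10.20.82 8093 192.168.2.6 8093 netmask 255.255.255.255
static (inside,outside2) tcp 70.10.20.50 https 192.168.1.4 https netmask 255.255.255.255
static (inside,dmz) 192.168.2.6 192.168.2.6 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 67.10.20.81 1
route inside 192.168.1.19 255.255.255.255 192.168.1.2 1
"""

# 'static (real_if,mapped_if) [tcp|udp] mapped_ip ...' as written in the post.
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?:(?:tcp|udp)\s+)?"
    r"(?P<mapped_ip>\d+(?:\.\d+){3})"
)
# 'route ifname dest mask gateway [metric]'
ROUTE_RE = re.compile(r"^route (?P<ifname>\S+) (?P<dest>\S+) (?P<mask>\S+) (?P<gw>\S+)")


def parse_interfaces(config):
    """Return ({nameif: IPv4Network}, {nameif: security_level}) from interface blocks."""
    nets, levels, nameif = {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = None                       # new block; nameif comes on a later line
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("security-level ") and nameif:
            levels[nameif] = int(s.split()[1])
        elif s.startswith("ip address ") and nameif:
            _, _, addr, mask = s.split()[:4]    # ignore trailing 'standby ...' tokens
            nets[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return nets, levels


def parse_routes(config):
    """Map each interface name to the (destination network, gateway) routes that use it."""
    routes = defaultdict(list)
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.IPv4Network(f"{m['dest']}/{m['mask']}", strict=False)
            routes[m["ifname"]].append((net, ipaddress.IPv4Address(m["gw"])))
    return routes


def parse_statics(config):
    """Return [(real_if, mapped_if, mapped_ip)] for every static NAT statement."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            out.append((m["real_if"], m["mapped_if"], ipaddress.IPv4Address(m["mapped_ip"])))
    return out


def audit(config):
    """Collect routing and NAT facts a reviewer compares across ISP-facing interfaces."""
    nets, levels = parse_interfaces(config)
    routes, statics = parse_routes(config), parse_statics(config)
    findings = {"default_route_if": None, "no_route": [], "subnet_mismatch": []}
    for ifname, entries in routes.items():
        if any(net.prefixlen == 0 for net, _ in entries):
            findings["default_route_if"] = ifname
    for _, mapped_if, mapped_ip in statics:
        net = nets.get(mapped_if)
        if net is not None and mapped_ip not in net:
            findings["subnet_mismatch"].append((mapped_if, str(mapped_ip), str(net)))
    # A security-level-0 interface that fronts a translated address but has no
    # 'route' statement only knows the hosts on its directly connected subnet.
    for mapped_if in sorted({s[1] for s in statics}):
        if levels.get(mapped_if) == 0 and mapped_if not in routes:
            findings["no_route"].append(mapped_if)
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run on the excerpt it reports the default route on outside, outside2 as a security-level-0 interface with statics but no route statement, and no mapped address outside its interface's subnet. A route statement is what tells the ASA which destinations are reachable through an interface beyond its connected subnet, so the routing table is one of the first things to compare between an interface that passes inbound translated traffic and one that does not.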



ASKER CERTIFIED SOLUTION
batry_boy
