Solved

firewall ASA 5505

Posted on 2009-04-06
288 Views
Last Modified: 2012-05-06
Dear expert

Please, I need help with this issue. We put up a website for external users outside our network
with public IP address 91.73.x.x. We connected this server to a specific port on the firewall ASA 5505.
So I can do an nslookup for this URL successfully, but we cannot ping this public IP address internally, and external users cannot open this link.
Please, I need help.
Question by:bu_7maid66
3 Comments
 
LVL 43

Expert Comment

by:JFrederick29
Can you post the configuration?
 

Author Comment

by:bu_7maid66


User Access Verification

Password:
Type help or '?' for a list of available commands.
DSC-ASA5505> ena
Password: ********
DSC-ASA5505# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname DSC-ASA5505
domain-name dsc.local
enable password 6yuqq2cgUL6uOrL2 encrypted
passwd 6yuqq2cgUL6uOrL2 encrypted
names
name 192.168.11.10 BorderWare1-dmz
name 192.168.11.11 BorderWare2-dmz
name 91.73.236.130 BorderWare1-outside
name 91.73.236.131 BorderWare2-outside
name 91.73.236.132 DSCPISA-outside
name 172.16.20.0 Server-Vlan
name 172.16.2.0 Old-Servers
name 172.16.2.13 Old-Exchange
name 192.168.11.15 DSCPISA-dmz
name 172.16.20.13 Exchange_Servers
name 192.168.11.100 PC295-dmz
name 172.16.20.200 AWalid-Inside
name 91.73.236.133 Ouside-Inf
name 172.16.20.132 deg-inside
name 91.73.236.244 deg-outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.4.4 255.255.255.0 standby 172.16.4.5
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Ouside-Inf 255.255.255.248 standby 91.73.236.134
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
!
interface Vlan4
 description LAN Failover Interface
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 4
!
ftp mode passive
dns server-group DefaultDNS
 domain-name dsc.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside-acl extended permit tcp any host BorderWare1-outside eq smtp
access-list outside-acl extended permit tcp any host BorderWare2-outside eq smtp
access-list outside-acl extended permit tcp any host DSCPISA-outside eq www
access-list outside-acl extended permit tcp any host DSCPISA-outside eq https
access-list outside-acl extended permit ip any host deg-inside inactive
access-list dmz-acl extended permit ip host BorderWare1-dmz any
access-list dmz-acl extended permit ip host BorderWare2-dmz any
access-list dmz-acl extended permit ip host DSCPISA-dmz any
access-list inside_nat0_outbound extended permit ip any 172.16.4.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 172.16.4.200-172.16.4.240 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan4
failover key *****
failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.2.20 255.255.255.255
nat (inside) 1 172.16.20.24 255.255.255.255
nat (inside) 1 Server-Vlan 255.255.255.0
nat (dmz) 1 192.168.11.0 255.255.255.0
static (dmz,outside) tcp DSCPISA-outside www DSCPISA-dmz www netmask 255.255.255.255
static (dmz,outside) tcp DSCPISA-outside https DSCPISA-dmz https netmask 255.255.255.255
static (inside,dmz) Server-Vlan Server-Vlan netmask 255.255.255.0
static (dmz,outside) BorderWare2-outside BorderWare2-dmz netmask 255.255.255.255
static (dmz,outside) BorderWare1-outside BorderWare1-dmz netmask 255.255.255.255
static (inside,outside) deg-outside deg-inside netmask 255.255.255.255
static (inside,outside) deg-outside deg-inside netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside-acl in interface outside
access-group dmz-acl in interface dmz
route inside 172.16.0.0 255.255.0.0 172.16.4.1 1
route inside 10.250.14.0 255.255.255.0 172.16.4.1 1
route inside 192.168.160.0 255.255.255.0 172.16.4.1 1
route outside 0.0.0.0 0.0.0.0 91.73.236.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.0.0 255.255.0.0 inside
http Server-Vlan 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 10

group-policy DSC_Tunnel internal
group-policy DSC_Tunnel attributes
 dns-server value 172.16.20.5 172.16.20.6
 vpn-tunnel-protocol IPSec
 default-domain value dsc.local
username Sasi password TW5xbntfOI0nz4bd encrypted
username Sasi attributes
 vpn-group-policy DSC_Tunnel
username user1 password 0dldJICVF//EH4X3 encrypted
username user1 attributes
 vpn-group-policy DSC_Tunnel
username emadhalim password qgh/1vfBy9lQoxO7 encrypted privilege 15
username emadhalim attributes
 vpn-group-policy DSC_Tunnel
username ahmarashda password gIxrK24/413Nfznv encrypted
username ahmarashda attributes
 vpn-group-policy DSC_Tunnel
tunnel-group DSC_Tunnel type ipsec-ra
tunnel-group DSC_Tunnel general-attributes
 address-pool remote
 default-group-policy DSC_Tunnel
tunnel-group DSC_Tunnel ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:142bdd1c5c325de92c74e81a48ddcd3c
: end
DSC-ASA5505#
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
Your ASA config is fine.  You won't be able to ping the external IP from the inside.

Is the website on the ISA server?  Can you pull up the website from the server itself?
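The accepted answer says the config is fine. The check a practitioner would run before looking at the web server itself is whether each inbound port forward (the `static (dmz,outside) tcp ...` lines) is actually matched by an ACE in the ACL that `access-group` binds inbound on `outside`. The script below is an added example written for this thread, not code from the poster or from Cisco: it parses the `name`, `static`, `access-list` and `access-group` lines the way the ASA 7.x syntax lays them out and reports the result per published port. The sample config is a constructed excerpt of the running-config posted above, plus one constructed `static` for SSH with no matching ACE so the failure case is visible. One-to-one statics without a port (the BorderWare and deg-inside entries) are outside its scope.

```python
"""Added example (not from the thread or from Cisco): check that every TCP/UDP static
port forward published on the outside interface of an ASA 7.x config is actually
reachable through the ACL bound inbound on that interface. Names, ports and
interfaces are resolved the way the ASA does for `name`, `static`, `access-list`
and `access-group` lines; one-to-one statics without a port are not covered."""
import ipaddress
import re

# Service names the ASA accepts instead of numeric ports (the subset used here).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22, "ftp": 21, "domain": 53}

# Constructed excerpt: the relevant lines from the running-config posted above, plus one
# constructed `static` for SSH that has no matching ACE, to show what a gap looks like.
SAMPLE_CONFIG = """\
name 192.168.11.15 DSCPISA-dmz
name 91.73.236.132 DSCPISA-outside
name 172.16.20.132 deg-inside
access-list outside-acl extended permit tcp any host DSCPISA-outside eq www
access-list outside-acl extended permit tcp any host DSCPISA-outside eq https
access-list outside-acl extended permit ip any host deg-inside inactive
static (dmz,outside) tcp DSCPISA-outside www DSCPISA-dmz www netmask 255.255.255.255
static (dmz,outside) tcp DSCPISA-outside https DSCPISA-dmz https netmask 255.255.255.255
static (dmz,outside) tcp DSCPISA-outside ssh DSCPISA-dmz ssh netmask 255.255.255.255
access-group outside-acl in interface outside
"""

NAME_RE = re.compile(r"^name (?P<ip>\S+) (?P<alias>\S+)$")
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) netmask \S+$"
)
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?(?P<inactive> inactive)?$"
)
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<iface>\S+)$")


def parse_config(text):
    """Collect name aliases, port-forward statics, ACEs per ACL and ACL-to-interface bindings."""
    names, statics, aces, bindings = {}, [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m["alias"]] = m["ip"]
        elif m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACE_RE.match(line):
            aces.setdefault(m["acl"], []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            bindings[m["iface"]] = m["acl"]
    return names, statics, aces, bindings


def resolve_ip(token, names):
    """A `name` alias resolves to its address; anything else is taken literally."""
    return names.get(token, token)


def resolve_port(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def ace_permits(ace, names, proto, ip, port):
    """True if this ACE lets `proto` traffic to `ip`:`port` through (source is not checked)."""
    if ace["inactive"] or ace["proto"] not in ("ip", proto):
        return False
    dst = ace["dst"]
    if dst.startswith("host "):
        if resolve_ip(dst.split()[1], names) != ip:
            return False
    elif dst != "any":  # "<network> <mask>" form, the network possibly given as a name
        net, mask = dst.split()
        network = ipaddress.ip_network(f"{resolve_ip(net, names)}/{mask}", strict=False)
        if ipaddress.ip_address(ip) not in network:
            return False
    # `permit ip`, or a tcp/udp ACE without `eq`, covers every port.
    return ace["proto"] == "ip" or ace["port"] is None or resolve_port(ace["port"]) == port


def check_inbound(text, mapped_if="outside"):
    """Map (mapped_ip, proto, port) -> bool for each port-forward static published on `mapped_if`.

    With no ACL bound inbound on the interface nothing is permitted, which matches the
    ASA default for traffic arriving from a lower-security interface."""
    names, statics, aces, bindings = parse_config(text)
    bound_aces = aces.get(bindings.get(mapped_if), [])
    results = {}
    for s in statics:
        if s["mapped_if"] != mapped_if:
            continue
        ip, port = resolve_ip(s["mapped_ip"], names), resolve_port(s["mapped_port"])
        results[(ip, s["proto"], port)] = any(
            ace_permits(a, names, s["proto"], ip, port) for a in bound_aces
        )
    return results


if __name__ == "__main__":
    for (ip, proto, port), ok in sorted(check_inbound(SAMPLE_CONFIG).items()):
        print(f"{proto}/{port} -> {ip}: {'permitted' if ok else 'no matching ACE on outside'}")
```

Run against the posted lines it reports tcp/80 and tcp/443 to 91.73.236.132 as permitted, i.e. the firewall side of the inbound path is complete, which is why the next question is whether the ISA server answers on those ports at all. The constructed SSH forward shows the shape of a real misconfiguration: a `static` that exists but that no active ACE on `outside` allows.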
