Solved

firewall ASA 5505

Posted on 2009-04-06
Last Modified: 2012-05-06
Dear expert,

Please, I need help with this issue. We put up a website for external users outside our network with the public IP address 91.73.x.x. We connected this server to a specific port on the firewall ASA5505. I can do an nslookup for this URL successfully, but we cannot ping this public IP address internally, and external users cannot open this link.

Please, I need help.
Question by: bu_7maid66

3 Comments
Expert Comment

by: JFrederick29
ID: 24076684

Can you post the configuration?

Author Comment

by: bu_7maid66
ID: 24094200

User Access Verification

Password:
Type help or '?' for a list of available commands.
DSC-ASA5505> ena
Password: ********
DSC-ASA5505# show run
DSC-ASA5505# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname DSC-ASA5505
domain-name dsc.local
enable password 6yuqq2cgUL6uOrL2 encrypted
passwd 6yuqq2cgUL6uOrL2 encrypted
names
name 192.168.11.10 BorderWare1-dmz
name 192.168.11.11 BorderWare2-dmz
name 91.73.236.130 BorderWare1-outside
name 91.73.236.131 BorderWare2-outside
name 91.73.236.132 DSCPISA-outside
name 172.16.20.0 Server-Vlan
name 172.16.2.0 Old-Servers
name 172.16.2.13 Old-Exchange
name 192.168.11.15 DSCPISA-dmz
name 172.16.20.13 Exchange_Servers
name 192.168.11.100 PC295-dmz
name 172.16.20.200 AWalid-Inside
name 91.73.236.133 Ouside-Inf
name 172.16.20.132 deg-inside
name 91.73.236.244 deg-outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.4.4 255.255.255.0 standby 172.16.4.5
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Ouside-Inf 255.255.255.248 standby 91.73.236.134
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
!
interface Vlan4
 description LAN Failover Interface
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 4
!
ftp mode passive
dns server-group DefaultDNS
 domain-name dsc.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside-acl extended permit tcp any host BorderWare1-outside eq smtp
access-list outside-acl extended permit tcp any host BorderWare2-outside eq smtp
access-list outside-acl extended permit tcp any host DSCPISA-outside eq www
access-list outside-acl extended permit tcp any host DSCPISA-outside eq https
access-list outside-acl extended permit ip any host deg-inside inactive
access-list dmz-acl extended permit ip host BorderWare1-dmz any
access-list dmz-acl extended permit ip host BorderWare2-dmz any
access-list dmz-acl extended permit ip host DSCPISA-dmz any
access-list inside_nat0_outbound extended permit ip any 172.16.4.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 172.16.4.200-172.16.4.240 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan4
failover key *****
failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.2.20 255.255.255.255
nat (inside) 1 172.16.20.24 255.255.255.255
nat (inside) 1 Server-Vlan 255.255.255.0
nat (dmz) 1 192.168.11.0 255.255.255.0
static (dmz,outside) tcp DSCPISA-outside www DSCPISA-dmz www netmask 255.255.255.255
static (dmz,outside) tcp DSCPISA-outside https DSCPISA-dmz https netmask 255.255.255.255
static (inside,dmz) Server-Vlan Server-Vlan netmask 255.255.255.0
static (dmz,outside) BorderWare2-outside BorderWare2-dmz netmask 255.255.255.255
static (dmz,outside) BorderWare1-outside BorderWare1-dmz netmask 255.255.255.255
static (inside,outside) deg-outside deg-inside netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside-acl in interface outside
access-group dmz-acl in interface dmz
route inside 172.16.0.0 255.255.0.0 172.16.4.1 1
route inside 10.250.14.0 255.255.255.0 172.16.4.1 1
route inside 192.168.160.0 255.255.255.0 172.16.4.1 1
route outside 0.0.0.0 0.0.0.0 91.73.236.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.0.0 255.255.0.0 inside
http Server-Vlan 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 10

group-policy DSC_Tunnel internal
group-policy DSC_Tunnel attributes
 dns-server value 172.16.20.5 172.16.20.6
 vpn-tunnel-protocol IPSec
 default-domain value dsc.local
username Sasi password TW5xbntfOI0nz4bd encrypted
username Sasi attributes
 vpn-group-policy DSC_Tunnel
username user1 password 0dldJICVF//EH4X3 encrypted
username user1 attributes
 vpn-group-policy DSC_Tunnel
username emadhalim password qgh/1vfBy9lQoxO7 encrypted privilege 15
username emadhalim attributes
 vpn-group-policy DSC_Tunnel
username ahmarashda password gIxrK24/413Nfznv encrypted
username ahmarashda attributes
 vpn-group-policy DSC_Tunnel
tunnel-group DSC_Tunnel type ipsec-ra
tunnel-group DSC_Tunnel general-attributes
 address-pool remote
 default-group-policy DSC_Tunnel
tunnel-group DSC_Tunnel ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:142bdd1c5c325de92c74e81a48ddcd3c
: end
DSC-ASA5505#

Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 24096083
Your ASA config is fine.  You won't be able to ping the external IP from the inside.

Is the website on the ISA server?  Can you pull up the website from the server itself?
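As an added illustration for this thread (editor's example, not code from either participant or from Cisco), the script below parses the name, static, access-list and access-group lines that matter for the published web server out of the posted 7.2(4) configuration and checks, for each static, whether the ACL applied inbound on the mapped interface actually admits the translated traffic. It also lists which protocol/port pairs a mapped address is translated for, which is why the port statics for DSCPISA-outside cover only TCP 80 and 443 and an ICMP echo to that address from the inside is not something these statics handle. The excerpt in ASA_CONFIG is a constructed subset of the config above; the pre-8.3 rule it encodes (an interface ACL on the outside must name the mapped, not the real, address) is general ASA behaviour for that release train.

```python
import re

# Constructed excerpt of the ASA 7.2(4) configuration posted in this thread:
# only the names, statics, ACLs and access-groups that touch the web server.
ASA_CONFIG = """\
name 192.168.11.15 DSCPISA-dmz
name 91.73.236.132 DSCPISA-outside
name 172.16.20.132 deg-inside
name 91.73.236.244 deg-outside
access-list outside-acl extended permit tcp any host DSCPISA-outside eq www
access-list outside-acl extended permit tcp any host DSCPISA-outside eq https
access-list outside-acl extended permit ip any host deg-inside inactive
access-list dmz-acl extended permit ip host DSCPISA-dmz any
static (dmz,outside) tcp DSCPISA-outside www DSCPISA-dmz www netmask 255.255.255.255
static (dmz,outside) tcp DSCPISA-outside https DSCPISA-dmz https netmask 255.255.255.255
static (inside,outside) deg-outside deg-inside netmask 255.255.255.255
access-group outside-acl in interface outside
access-group dmz-acl in interface dmz
"""


def parse_endpoint(tok, i):
    """Read one ACE endpoint (any | host X | NET MASK) starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2


def parse_config(text):
    """Return (names, statics, aces, groups) from a pre-8.3 style ASA config."""
    names, statics, aces, groups = {}, [], [], {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":
            names[tok[2]] = tok[1]
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            i, proto = 2, None
            if tok[i] in ("tcp", "udp"):      # port static: mapped port, real port
                proto = tok[i]
                mapped, mport, real, rport = tok[i + 1:i + 5]
                i += 5
            else:                             # one-to-one static, all protocols
                mapped, real = tok[i:i + 2]
                mport = rport = None
                i += 2
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "proto": proto, "mapped": mapped, "mapped_port": mport,
                            "real": real, "real_port": rport,
                            "dns": "dns" in tok[i:]})
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = parse_endpoint(tok, 5)
            dst, i = parse_endpoint(tok, i)
            port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
            aces.append({"acl": tok[1], "action": tok[3], "proto": tok[4],
                         "src": src, "dst": dst, "port": port,
                         "inactive": tok[-1] == "inactive"})
        elif tok[0] == "access-group":
            groups[tok[4]] = tok[1]           # interface -> ACL applied inbound
    return names, statics, aces, groups


def check_publishing(text):
    """For each static, say whether the inbound ACL on its mapped interface
    permits the translated traffic. Returns [(mapped[:port], verdict), ...]."""
    names, statics, aces, groups = parse_config(text)
    results = []
    for s in statics:
        label = s["mapped"] + (":" + s["mapped_port"] if s["mapped_port"] else "")
        acl = groups.get(s["mapped_if"])
        if acl is None:
            results.append((label, "no ACL on " + s["mapped_if"]))
            continue
        hits = [a for a in aces if a["acl"] == acl and a["action"] == "permit"
                and a["dst"] == s["mapped"] and a["proto"] in ("ip", s["proto"])
                and (a["port"] is None or a["port"] == s["mapped_port"])]
        if any(not a["inactive"] for a in hits):
            results.append((label, "permitted by " + acl))
            continue
        # Pre-8.3 pitfall: the outside ACL must name the mapped (public)
        # address; an ACE written against the real address never matches.
        misref = [a for a in aces if a["acl"] == acl and a["dst"] == s["real"]]
        if misref:
            results.append((label, "ACE references real address " + s["real"]
                            + " instead of mapped address"
                            + (" (and is inactive)" if misref[0]["inactive"] else "")))
        elif hits:
            results.append((label, "only inactive ACEs match"))
        else:
            results.append((label, "no matching permit in " + acl))
    return results


def translations_for(text, mapped_name):
    """(protocol, port) pairs a mapped address is translated for; traffic to it
    outside this list (e.g. ICMP echo to a port static) is not translated."""
    _, statics, _, _ = parse_config(text)
    return [(s["proto"] or "ip", s["mapped_port"])
            for s in statics if s["mapped"] == mapped_name]


if __name__ == "__main__":
    for label, verdict in check_publishing(ASA_CONFIG):
        print(f"{label:28} {verdict}")
    print("DSCPISA-outside translated for:", translations_for(ASA_CONFIG, "DSCPISA-outside"))
```

Run against the excerpt, the two port statics for DSCPISA-outside come back as permitted by outside-acl, which agrees with the expert's reading that the firewall side is fine; the deg-outside static is reported because its only ACE names the real address and is inactive, a useful reminder of how an ACL on this release is supposed to be written. With the ASA ruled out, the remaining places to look are the ISA server itself and whether the site answers locally on the DMZ address.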