Solved

firewall ASA 5505

Posted on 2009-04-06
339 Views
Last Modified: 2012-05-06
Dear expert,

Please, I need help with this issue. We put a website for external users outside our network with the public IP address 91.73.x.x. We connected this server to a specific port on the firewall ASA5505.
So I can do an nslookup for this URL successfully, but we cannot ping this public IP address internally, and external users cannot open this link.
Please, I need help.
0
Question by: bu_7maid66
3 Comments
LVL 43

Expert Comment

by: JFrederick29
ID: 24076684
Can you post the configuration?
0
 

Author Comment

by: bu_7maid66
ID: 24094200


User Access Verification

Password:
Type help or '?' for a list of available commands.
DSC-ASA5505> ena
Password: ********
DSC-ASA5505# show run
DSC-ASA5505# show running-config
DSC-ASA5505# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname DSC-ASA5505
domain-name dsc.local
enable password 6yuqq2cgUL6uOrL2 encrypted
passwd 6yuqq2cgUL6uOrL2 encrypted
names
name 192.168.11.10 BorderWare1-dmz
name 192.168.11.11 BorderWare2-dmz
name 91.73.236.130 BorderWare1-outside
name 91.73.236.131 BorderWare2-outside
name 91.73.236.132 DSCPISA-outside
name 172.16.20.0 Server-Vlan
name 172.16.2.0 Old-Servers
name 172.16.2.13 Old-Exchange
name 192.168.11.15 DSCPISA-dmz
name 172.16.20.13 Exchange_Servers
name 192.168.11.100 PC295-dmz
name 172.16.20.200 AWalid-Inside
name 91.73.236.133 Ouside-Inf
name 172.16.20.132 deg-inside
name 91.73.236.244 deg-outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.4.4 255.255.255.0 standby 172.16.4.5
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Ouside-Inf 255.255.255.248 standby 91.73.236.134
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.11.1 255.255.255.0 standby 192.168.11.2
!
interface Vlan4
 description LAN Failover Interface
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 4
!
ftp mode passive
dns server-group DefaultDNS
 domain-name dsc.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside-acl extended permit tcp any host BorderWare1-outside eq smtp
access-list outside-acl extended permit tcp any host BorderWare2-outside eq smtp
access-list outside-acl extended permit tcp any host DSCPISA-outside eq www
access-list outside-acl extended permit tcp any host DSCPISA-outside eq https
access-list outside-acl extended permit ip any host deg-inside inactive
access-list dmz-acl extended permit ip host BorderWare1-dmz any
access-list dmz-acl extended permit ip host BorderWare2-dmz any
access-list dmz-acl extended permit ip host DSCPISA-dmz any
access-list inside_nat0_outbound extended permit ip any 172.16.4.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 192.168.11.0 255.255.255.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote 172.16.4.200-172.16.4.240 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Vlan4
failover key *****
failover interface ip failover 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.2.20 255.255.255.255
nat (inside) 1 172.16.20.24 255.255.255.255
nat (inside) 1 Server-Vlan 255.255.255.0
nat (dmz) 1 192.168.11.0 255.255.255.0
static (dmz,outside) tcp DSCPISA-outside www DSCPISA-dmz www netmask 255.255.255.255
static (dmz,outside) tcp DSCPISA-outside https DSCPISA-dmz https netmask 255.255.255.255
static (inside,dmz) Server-Vlan Server-Vlan netmask 255.255.255.0
static (dmz,outside) BorderWare2-outside BorderWare2-dmz netmask 255.255.255.255
static (dmz,outside) BorderWare1-outside BorderWare1-dmz netmask 255.255.255.255
static (inside,outside) deg-outside deg-inside netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside-acl in interface outside
access-group dmz-acl in interface dmz
route inside 172.16.0.0 255.255.0.0 172.16.4.1 1
route inside 10.250.14.0 255.255.255.0 172.16.4.1 1
route inside 192.168.160.0 255.255.255.0 172.16.4.1 1
route outside 0.0.0.0 0.0.0.0 91.73.236.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.0.0 255.255.0.0 inside
http Server-Vlan 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 10

group-policy DSC_Tunnel internal
group-policy DSC_Tunnel attributes
 dns-server value 172.16.20.5 172.16.20.6
 vpn-tunnel-protocol IPSec
 default-domain value dsc.local
username Sasi password TW5xbntfOI0nz4bd encrypted
username Sasi attributes
 vpn-group-policy DSC_Tunnel
username user1 password 0dldJICVF//EH4X3 encrypted
username user1 attributes
 vpn-group-policy DSC_Tunnel
username emadhalim password qgh/1vfBy9lQoxO7 encrypted privilege 15
username emadhalim attributes
 vpn-group-policy DSC_Tunnel
username ahmarashda password gIxrK24/413Nfznv encrypted
username ahmarashda attributes
 vpn-group-policy DSC_Tunnel
tunnel-group DSC_Tunnel type ipsec-ra
tunnel-group DSC_Tunnel general-attributes
 address-pool remote
 default-group-policy DSC_Tunnel
tunnel-group DSC_Tunnel ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:142bdd1c5c325de92c74e81a48ddcd3c
: end
DSC-ASA5505#
0
 
LVL 43

Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 24096083
Your ASA config is fine. You won't be able to ping the external IP from the inside.

Is the website on the ISA server?  Can you pull up the website from the server itself?
0
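As an added example, not part of the thread or the poster's configuration: a small Python checker for the pre-8.3 ASA "static translation plus inbound ACL" logic in the config above (only its outside-acl, static and access-group lines are embedded; the parser assumes an `any` source and `host` destination, as in the posted ACL). It shows why HTTP/HTTPS from outside to DSCPISA-outside works, why ICMP to that address is not translated at all (the statics are TCP-only PAT), why the inactive permit leaves deg-outside closed from outside, and why an inside host addressing the public IP never hits the (dmz,outside) static, which is the point of the accepted answer.

```python
"""Pre-8.3 ASA NAT + ACL check for the posted config: a flow arriving on an
interface reaches a published server only if a static/static PAT for that mapped
address, protocol and port exists between that interface and the server's, AND the
ACL bound inbound on that interface permits it (matched on the mapped address)."""

# Constructed excerpt of the posted configuration: only the lines the check reads.
CONFIG = """
access-list outside-acl extended permit tcp any host DSCPISA-outside eq www
access-list outside-acl extended permit tcp any host DSCPISA-outside eq https
access-list outside-acl extended permit ip any host deg-inside inactive
static (dmz,outside) tcp DSCPISA-outside www DSCPISA-dmz www netmask 255.255.255.255
static (dmz,outside) tcp DSCPISA-outside https DSCPISA-dmz https netmask 255.255.255.255
static (inside,outside) deg-outside deg-inside netmask 255.255.255.255
access-group outside-acl in interface outside
"""
PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25}
def port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)
def parse(config):
    statics, permits, acl_on = [], [], {}
    for f in (line.split() for line in config.splitlines()):
        if f[:1] == ["static"]:
            real_if, mapped_if = f[1].strip("()").split(",")
            if f[2] in ("tcp", "udp"):  # static PAT: proto mapped mport real rport
                statics.append((real_if, mapped_if, f[2], f[3], port(f[4]), f[5]))
            else:                       # one-to-one static covers every protocol
                statics.append((real_if, mapped_if, "ip", f[2], None, f[3]))
        elif f[2:4] == ["extended", "permit"] and f[-1] != "inactive":
            # Assumes 'any' source and 'host' destination, as in the posted ACL.
            dport = port(f[f.index("eq") + 1]) if "eq" in f else None
            permits.append((f[1], f[4], f[f.index("host") + 1], dport))
        elif f[:1] == ["access-group"]:
            acl_on[f[4]] = f[1]
    return statics, permits, acl_on
def reachable(config, src_if, public, proto, dport=None):
    """Return (ok, reason) for a flow arriving on src_if for a mapped (public) name."""
    statics, permits, acl_on = parse(config)
    owners = [s for s in statics if s[3] == public]
    hits = [s for s in owners if s[1] == src_if
            and (s[2] == "ip" or (s[2] == proto and s[4] == dport))]
    if not hits:  # a (dmz,outside) static is never consulted for flows from inside
        if owners and owners[0][1] != src_if:
            return False, f"static ({owners[0][0]},{owners[0][1]}) is not consulted from {src_if}"
        return False, f"no static translation for {proto}/{dport} to {public}"
    acl = acl_on.get(src_if)
    if not any(a == acl and p in ("ip", proto) and d in ("any", public)
               and dp in (None, dport) for a, p, d, dp in permits):
        return False, f"{acl} on {src_if} has no active permit for {proto}/{dport} to {public}"
    return True, f"translated to {hits[0][5]} on {hits[0][0]}"
```

Run `reachable(CONFIG, "inside", "DSCPISA-outside", "icmp")` to see the reason the inside ping fails; inside clients must use the DMZ address (or a split-DNS answer) instead of the public one.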
