Cisco ASA 5510 - LAN users cannot access DMZ web server

Please post the config and I will take a look at it.  This should be an easy one to resolve.

: Saved
:
ASA Version 8.2(2)
!
hostname MainGate
domain-name reprographix.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name 192.168.1.101 Barracuda description
name 192.168.1.120 Loki description
name 192.168.1.118 Apollo description
name 192.168.1.5 Autocad description
name 192.168.1.209 Ray2 description
name 192.168.1.254 IT description
name 192.168.1.10 ePlanroomTest description
name 216.135.46.185 calendar.reprographix.com description
name 192.168.1.200 ePlanroom description
name 192.168.1.9 eplanner.repro.local description
name 216.135.46.186 eplanroom.reprographix.com description
ddns update method 192.168.1.100
 ddns both
 interval maximum 0 1 0 0
!
ddns update method 192.168.1.241
 ddns both
 interval maximum 0 0 15 0
!
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 216.205.208.138 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ddns update hostname poseidon.repro.local
 ddns update 192.168.1.100
 dhcp client update dns server both
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.100
 name-server 192.168.1.241
 domain-name reprowall.com
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list outside_access_in remark Barracuda - Email
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Apollo
access-list outside_access_in extended permit tcp any interface outside eq 4002
access-list outside_access_in remark Dave Johnson - RDP
access-list outside_access_in extended permit tcp any interface outside eq 35
access-list outside_access_in remark Ray's New PC - RDP
access-list outside_access_in extended permit tcp any interface outside eq 36
access-list outside_access_in remark ePlanroom Test Server
access-list outside_access_in extended permit tcp any interface outside eq 7007
access-list outside_access_in remark IT Access - RDP
access-list outside_access_in extended permit tcp any interface outside eq 7001
access-list outside_access_in remark Dave Lucas - RDP
access-list outside_access_in extended permit tcp any interface outside eq 1417
access-list outside_access_in remark FTP to Loki
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any host 216.135.46.186 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip any any
access-list CAPI extended permit tcp 192.168.1.0 255.255.255.0 host 216.205.208.139 inactive
access-list CAPI extended permit tcp host 216.205.208.139 192.168.1.0 255.255.255.0 inactive
access-list CAPO extended permit tcp host 216.205.208.138 host 216.205.208.139 inactive
access-list CAPO extended permit tcp host 216.205.208.139 host 216.205.208.138 inactive
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging trap debugging
logging asdm informational
logging mail emergencies
logging from-address Cisco@reprographix.com
logging recipient-address sdowling@reprographix.com level errors
logging host inside 192.168.1.241
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.101 smtp netmask 255.255.255.255  dns
static (inside,outside) tcp interface ftp 192.168.1.120 ftp netmask 255.255.255.255  dns
static (inside,outside) tcp interface ftp-data 192.168.1.120 ftp-data netmask 255.255.255.255  dns
static (inside,outside) tcp interface 4002 192.168.1.118 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 35 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 36 192.168.1.209 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1417 192.168.1.9 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 7007 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 7001 192.168.1.254 3389 netmask 255.255.255.255
static (inside,outside) tcp 216.135.46.186 www 192.168.1.200 www netmask 255.255.255.255  dns
static (inside,outside) tcp 216.135.46.186 https 192.168.1.200 https netmask 255.255.255.255  dns
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.205.208.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
 shutdown
 cdp-url http://baylor.repro.local/+CSCOCA+/asa_ca.crl
 issuer-name CN=baylor.repro.local
 smtp from-address admin@baylor.repro.local
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
dhcp-client client-id interface inside
dhcp-client update dns server both
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd dns 8.8.8.8 8.8.4.4 interface outside
!
dhcpd address 192.168.1.150-192.168.1.235 inside
dhcpd dns 192.168.1.100 192.168.1.241 interface inside
dhcpd ping_timeout 500 interface inside
dhcpd domain repro.local interface inside
dhcpd update dns both interface inside
dhcpd option 4 ip 198.30.92.2 137.146.28.85 interface inside
dhcpd option 6 ip 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 192.5.41.40 source outside prefer
ntp server 198.30.92.2 source outside prefer
webvpn
 internal-password enable
username r3pr0 password f6CE7iDS67FP8WsZ encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
  inspect dns dynamic-filter-snoop
  inspect ftp strict
policy-map type inspect esmtp Base
 description rudament
 parameters
  no mask-banner
  allow-tls
 match sender-address length gt 320
  log
 match MIME filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
!
service-policy global_policy global
smtp-server 216.205.208.139
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:71d99da02a87d58d0f2b8f906847c1f3
: end
asdm image disk0:/asdm-625.bin
asdm location 216.135.46.186 255.255.255.255 inside
asdm history enable

I must be over simplifying this.....Are you trying to reach 192.168.1.200 from another 192.168.1.X host?  If that's the case then the issue is not the ASA.  Are you trying to reach it by DNS name which resolves to the public address?  That could definitely be a problem.

I'm trying to reach 192.168.1.200 from the inside yes.  

The previous IT Director had this server sitting on the internet, no firewall.  The end users internally have always gone out to the internet to access the server.  I'm trying to shore things up and at least get it behind the firewall and working temporally.  At least until I can configure an inside access setup.  

More Info-
From the inside I would like to have the users go about things like they always have and not see or notice any major changes.  Unless i'm not thinking about this enough... You tell me, bad idea? I just don't know how best to get internal access through the LAN at this time.  Better to secure and leave user access alone for now until I can develop something.

So if you've got a PC with an address of 192.168.1.10 (or any 192.168.1.X address) and it can't ping 192.168.1.200 then the issue is on the LAN.  That traffic is going to take the shortest route on the LAN and won't be passing through the firewall at all.

As far as your plan goes, you are definitely on the right  track.  Really you would be best to use a DMZ....ie configure another port on the firewall (say eth0/2) with a different private address range like 192.168.5.0 255.255.255.0.  Put any of your publicly accessed devices on that network.  That gains you the ability to build rules and monitor the traffic going from the server to the LAN.  The scenario is your webserver gets hacked or acquires a virus and because it is in a different broadcast domain it is not going to spread to your LAN....hopefully.  Smaller businesses ignore this practice a lot, but larger organizations will always do it this way.  Having the server behind the firewall and limiting access to port 80 and 443 is minimal, but also pretty standard.

So...back to your issue.  If you can't ping 192.168.1.200 (use the IP not the name) then we need to look at the LAN topology.  I see a reference to a Baracuda device in the ASA config.  If that is a pass-through device and located between your test PC and the server I would start there.  If you can give me an idea of what LAN components you've got we should be able to get this resolved pretty quickly.

Can you ping 192.168.1.200 from the ASA command line?

Ok, from any PC within my network that is any PC on the Inside Interface, I can ping 192.168.1.200.
I can also type that address within my browser and access the web server with no issue.  

From the ASA command line I receive a successful ping result.

I think I see where your going with this. But i'm tired so I'm a little slow.

More Info-
This web server had 4 separate external IP address associated with it through 1 network card within TCP/IP. This was connected to a 4 port router. Another port straight into the T1. Another port of the router went into the old firewall. The old firewall connected then connected to a switch and the internal LAN.

My idea was to take this guy.  Give him 1 internal IP (192.168.1.200). Then use host headers in IIS to trim down the number of needed IP addresses and have the firewall manage the external IP address routing until I can split sites and services from this 1 server out to other servers.

Sounds like your on it.  I would guess that your internal DNS is resolving the name to the public IP address.  Do an NSLOOKUP on the name and see what it gives you.

I am not an IIS guy, but I believe that when you have multiple interfaces you can tell IIS which interface/ip address to listen on for a given website.  So given the boxes history, you might need to make sure that all your IIS setting are using the NIC that has 192.168.1.200 on it and not the old public address or who knows what else.

Yes the internal DNS is resolving the name of the public IP address. But it's the public name of that website and the name that I have setup the NAT to route to 192.168.1.200.  Not the public IP of the ASA which is a different external IP address.  

I'm going through the DNS settings on the ASA as well as the DHCP settings.  I'm also taking a look at my Internal DNS Server settings and making sure I don't have a problem there.  

I think if you create an entry on your DNS server for the public name with the private address your issue will be resolved.

Hi,

there is two problems:
1. As ReproGraphix said you need to create DNS settings for inside address
2. you need to move the mgmt port because it is collosing with 443 port:

http server enable 444

And there is a workaround:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

Forgive my asking a simple question.  I read your config, and your outside interface has this subnet:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 216.205.208.138 255.255.255.248

Yet your statics are trying to translate your internal IP to this external IP:

static (inside,outside) tcp 216.135.46.186 www 192.168.1.200 www netmask 255.255.255.255  dns
static (inside,outside) tcp 216.135.46.186 https 192.168.1.200 https netmask 255.255.255.255  dns

That external IP is outside the subnet on your outside interface.

Good catch...something smells funny because he said it works from outside...I think that is impossible if the outside interface isn't listening on that network....maybe the config is old an half altered?

Using port 443 won't be an issue unless u r trying to forward the addtress assigned to the interface.

Old xlate's could be the culprit - that and DNS could be completely mangled.  

Yes DNS has been something I know is not setup correctly.  But this subnet and IP address configuration is one that I have had set for some time.  But for different IP's though they  all had the same subnets and were from the same networks.  A Cisco Tech set that for me originally.

Heres my running config from only a few moments ago.

: Saved
:
ASA Version 8.2(2)
!
hostname baylor
domain-name repro.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name 192.168.1.101 Barracuda description Email Firewall
name 192.168.1.120 Loki description FTP Server
name 192.168.1.118 Apollo description Traverse
name 192.168.1.5 Autocad description Ray's PC - 1
name 192.168.1.202 eyeRepro description Testing
name 192.168.1.242 IT description Spid3r's w3b
name 216.135.46.185 access.acementorindiana.org description ACE FTP
name 192.168.1.209 Ray2 description Ray's PC - 2
ddns update method 192.168.1.100
 ddns both
 interval maximum 0 1 0 0
!
ddns update method 192.168.1.241
 ddns both
 interval maximum 0 0 15 0
!
ddns update method 8.8.8.8
 ddns both
 interval maximum 0 0 12 0
!
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ddns update hostname google-public-dns-a.google.com
 ddns update 8.8.8.8
 dhcp client update dns
 ip address 216.205.208.138 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ddns update hostname poseidon.repro.local
 ddns update 192.168.1.100
 dhcp client update dns server both
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.100
 name-server 192.168.1.241
 domain-name repro.local
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
access-list outside_access_in remark Barracuda - Email
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Apollo
access-list outside_access_in extended permit tcp any interface outside eq 4002
access-list outside_access_in remark Autocad
access-list outside_access_in extended permit tcp any interface outside eq 35
access-list outside_access_in remark Ray2
access-list outside_access_in extended permit tcp any interface outside eq 36
access-list outside_access_in remark Spid3r
access-list outside_access_in extended permit tcp any interface outside eq 7007
access-list outside_access_in remark eyeRepro
access-list outside_access_in extended permit tcp any host 216.135.46.185 object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in remark FTP to Loki
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list inside_access_in extended permit ip any any
access-list CAPI extended permit tcp 192.168.1.0 255.255.255.0 host 216.205.208.139
access-list CAPI extended permit tcp host 216.205.208.139 192.168.1.0 255.255.255.0
access-list CAPO extended permit tcp host 216.205.208.138 host 216.205.208.139
access-list CAPO extended permit tcp host 216.205.208.139 host 216.205.208.138
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging trap debugging
logging asdm informational
logging mail emergencies
logging from-address Cisco@reprographix.com
logging recipient-address sdowling@reprographix.com level errors
logging host inside 192.168.1.241
logging class auth mail emergencies asdm emergencies
logging class config asdm emergencies
logging class email asdm emergencies
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.101 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.120 ftp netmask 255.255.255.255  dns
static (inside,outside) tcp interface ftp-data 192.168.1.120 ftp-data netmask 255.255.255.255  dns
static (inside,outside) tcp interface 4002 192.168.1.118 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 35 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 36 192.168.1.209 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 7007 192.168.1.242 3389 netmask 255.255.255.255
static (inside,outside) tcp 216.135.46.185 https 192.168.1.202 https netmask 255.255.255.255
static (inside,outside) tcp 216.135.46.185 ftp 192.168.1.202 ftp netmask 255.255.255.255
static (inside,outside) tcp 216.135.46.185 www 192.168.1.202 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.205.208.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
 shutdown
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
dhcp-client client-id interface inside
dhcp-client update dns server both
dhcpd dns 216.135.0.10 216.135.1.10
!
dhcpd dns 216.135.0.10 216.125.1.10 interface outside
!
dhcpd address 192.168.1.150-192.168.1.235 inside
dhcpd dns 192.168.1.100 192.168.1.241 interface inside
dhcpd ping_timeout 500 interface inside
dhcpd domain repro.local interface inside
dhcpd update dns interface inside
dhcpd option 4 ip 198.30.92.2 137.146.28.85 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 192.5.41.40 source outside prefer
ntp server 198.30.92.2 source outside
webvpn
 internal-password enable
username r3pr0 password f6CE7iDS67FP8WsZ encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ftp
  inspect ip-options
policy-map type inspect esmtp Base
 description rudament
 parameters
  no mask-banner
  allow-tls
 match sender-address length gt 320
  log
 match MIME filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
!
service-policy global_policy global
smtp-server 216.205.208.139
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:91b7eaa0eeab5960837a89b52c8d3655
: end
asdm image disk0:/asdm-625.bin
asdm history enable

Can you describe your ISP CPE and any equipment in front of and behind the ASA?  I still don't get your outside network and statics.

I have a Bonded T-1 connecting into the ASA 5510.  the ASA is running out to to 3 48 port switches and to the end users.  I have 10 servers mixed within that inside portion of the ASA.  4 of those servers are web application servers that each have their own static IP.  Those IP's share the same subnet and gateway that the outside connection has.

I recently brought on another T-1 but it is not connected to the ASA.  I have also purchased a Cisco RV082 which I had hoped I could use to load balance the old T-1 and the new T-1 then connect into the front of the ASA and gain some performance.  Though my last attempt at that failed miserably.

What do you mean by a bonded T1?  Is it two, three, four T1s?  The actual T1 circuits terminate on a CPE device.  The ASA cannot terminate a T1 circuit directly.  The CPE must connect via Ethernet to the ASA.  What is your IP assignment from your ISP?

If you have "internal" servers that share outside addresses, you likely have VLANning involved - and those servers may bypass the ASA altogether.  Reprogramming the ASA won't do anything at that point.  It can be very confusing when VLANs are involved.  You can have one switch were ALL of the interfaces of the ASA connect to the same switch.  Only the switch configs can show you where traffic is really going at that point.  

The RV082 is a Linksys device, rebranded as Cisco.  I would return it and get your money back ASAP.

You can't "load balance" and get more bandwidth.  Only bonding via MLPPP or other protocol with coordination from your ISP can get your more absolute bandwidth.  

If you have multiple ISPs, this protects you from a single ISP outage, but will never gain you more total bandwidth.  You can share the load over multiple connections, but you can never take multiple connections from multiple ISPs and get a total aggregate bandwidth which equals the sum of all connections.

The 1st T-1 gives me 5 external IP addresses and has a speed of 3 mbps down and 1.5 mbps up. Those IP addresses are used for FTP, Web Server, Spam AV Email Filter and a Mail Server (including the IP for the front of the ASA 5510 I have used those 5 IP addresses.).

The Other T-1 has the same speed specs.  It was brought in due to the old T-1's expiring contract and waning to do some testing with 2 connections.  I understand that the device has it's limitations I just wanted to see what I might be able to do with it.  Load balancing is something I need in place desperately. Those T-1's aren't that fast but we do a lot of file transferring and the speed stays steady so it works.

In the server rack I have a 48 port switch that connects my VMware servers and physical servers.  A network connection runs to another server rack and 48 port switch to the other end of the building.  Then a final switch roughly 50 feet from that spot in another part of the building connects a large number of plotter printers and some WiFi access points.

I have no VLans and I only have the 192.168.1.0 IP config internally.

The Outside IP scheme is

Usable IP Block - 216.205.208.138 to 217.205.208.142
also 217.135.46.185 and 217.135.46.186
Gateway- 216.205.208.138
Subnet - 255.255.255.248

I have NAT and ACL access rules pointing those external IP to the outside interface and so forth to the internal server IP. As you can see in my config file.

FYI....T1's can't go faster than 1.54Mbs and don't have different upload and download speeds.