Solved

Cisco ASA 5510 - LAN users cannot access DMZ web server

Posted on 2011-02-26
Last Modified: 2013-11-30
-Setup-

Cisco ASA 5510
with two active interfaces:
Interface 0/0 = Outside
Interface 0/1 = Inside

I have configured a web server using NAT which connects the Outside IP to the Inside IP. This configuration is only opening ports 80 and 443.  

This web server is 100% functional and working when you are outside of the ASA 5510.

-Issue-
From behind the ASA 5510 on the Inside Interface you cannot access the web server. You are met with a "webpage not available" or similar error message. When sending a ping to the IP or the domain name, it does resolve from both Inside and Outside, but ICMP is blocked so you get a timeout.
-------------------------------------------------------------------------------------
I have tried DNS Rewrite on my NAT rules. This did not work.

I have enabled ICMP and allowed it to pass through. This did not work.

I'm stuck...

Hope someone can help,

Steve

Question by:ReproGraphix
21 Comments
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34989792
Please post the config and I will take a look at it.  This should be an easy one to resolve.
0
 

Author Comment

by:ReproGraphix
ID: 34989808
: Saved
:
ASA Version 8.2(2)
!
hostname MainGate
domain-name reprographix.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name 192.168.1.101 Barracuda description
name 192.168.1.120 Loki description
name 192.168.1.118 Apollo description
name 192.168.1.5 Autocad description
name 192.168.1.209 Ray2 description
name 192.168.1.254 IT description
name 192.168.1.10 ePlanroomTest description
name 216.135.46.185 calendar.reprographix.com description
name 192.168.1.200 ePlanroom description
name 192.168.1.9 eplanner.repro.local description
name 216.135.46.186 eplanroom.reprographix.com description
ddns update method 192.168.1.100
 ddns both
 interval maximum 0 1 0 0
!
ddns update method 192.168.1.241
 ddns both
 interval maximum 0 0 15 0
!
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 216.205.208.138 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ddns update hostname poseidon.repro.local
 ddns update 192.168.1.100
 dhcp client update dns server both
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.100
 name-server 192.168.1.241
 domain-name reprowall.com
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list outside_access_in remark Barracuda - Email
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Apollo
access-list outside_access_in extended permit tcp any interface outside eq 4002
access-list outside_access_in remark Dave Johnson - RDP
access-list outside_access_in extended permit tcp any interface outside eq 35
access-list outside_access_in remark Ray's New PC - RDP
access-list outside_access_in extended permit tcp any interface outside eq 36
access-list outside_access_in remark ePlanroom Test Server
access-list outside_access_in extended permit tcp any interface outside eq 7007
access-list outside_access_in remark IT Access - RDP
access-list outside_access_in extended permit tcp any interface outside eq 7001
access-list outside_access_in remark Dave Lucas - RDP
access-list outside_access_in extended permit tcp any interface outside eq 1417
access-list outside_access_in remark FTP to Loki
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any host 216.135.46.186 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip any any
access-list CAPI extended permit tcp 192.168.1.0 255.255.255.0 host 216.205.208.139 inactive
access-list CAPI extended permit tcp host 216.205.208.139 192.168.1.0 255.255.255.0 inactive
access-list CAPO extended permit tcp host 216.205.208.138 host 216.205.208.139 inactive
access-list CAPO extended permit tcp host 216.205.208.139 host 216.205.208.138 inactive
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging trap debugging
logging asdm informational
logging mail emergencies
logging from-address Cisco@reprographix.com
logging recipient-address sdowling@reprographix.com level errors
logging host inside 192.168.1.241
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.101 smtp netmask 255.255.255.255  dns
static (inside,outside) tcp interface ftp 192.168.1.120 ftp netmask 255.255.255.255  dns
static (inside,outside) tcp interface ftp-data 192.168.1.120 ftp-data netmask 255.255.255.255  dns
static (inside,outside) tcp interface 4002 192.168.1.118 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 35 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 36 192.168.1.209 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 1417 192.168.1.9 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 7007 192.168.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 7001 192.168.1.254 3389 netmask 255.255.255.255
static (inside,outside) tcp 216.135.46.186 www 192.168.1.200 www netmask 255.255.255.255  dns
static (inside,outside) tcp 216.135.46.186 https 192.168.1.200 https netmask 255.255.255.255  dns
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.205.208.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
 shutdown
 cdp-url http://baylor.repro.local/+CSCOCA+/asa_ca.crl
 issuer-name CN=baylor.repro.local
 smtp from-address admin@baylor.repro.local
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
dhcp-client client-id interface inside
dhcp-client update dns server both
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd dns 8.8.8.8 8.8.4.4 interface outside
!
dhcpd address 192.168.1.150-192.168.1.235 inside
dhcpd dns 192.168.1.100 192.168.1.241 interface inside
dhcpd ping_timeout 500 interface inside
dhcpd domain repro.local interface inside
dhcpd update dns both interface inside
dhcpd option 4 ip 198.30.92.2 137.146.28.85 interface inside
dhcpd option 6 ip 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 192.5.41.40 source outside prefer
ntp server 198.30.92.2 source outside prefer
webvpn
 internal-password enable
username r3pr0 password f6CE7iDS67FP8WsZ encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
  inspect dns dynamic-filter-snoop
  inspect ftp strict
policy-map type inspect esmtp Base
 description rudament
 parameters
  no mask-banner
  allow-tls
 match sender-address length gt 320
  log
 match MIME filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
!
service-policy global_policy global
smtp-server 216.205.208.139
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:71d99da02a87d58d0f2b8f906847c1f3
: end
asdm image disk0:/asdm-625.bin
asdm location 216.135.46.186 255.255.255.255 inside
asdm history enable
0
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34989898
I must be oversimplifying this... Are you trying to reach 192.168.1.200 from another 192.168.1.X host? If that's the case then the issue is not the ASA. Are you trying to reach it by DNS name which resolves to the public address? That could definitely be a problem.
0
 

Author Comment

by:ReproGraphix
ID: 34989908
I'm trying to reach 192.168.1.200 from the inside, yes.

The previous IT Director had this server sitting on the internet, no firewall. The end users internally have always gone out to the internet to access the server. I'm trying to shore things up and at least get it behind the firewall and working temporarily, at least until I can configure an inside access setup.
0
 

Author Comment

by:ReproGraphix
ID: 34989913
More Info-
From the inside I would like to have the users go about things like they always have and not see or notice any major changes. Unless I'm not thinking about this enough... You tell me, bad idea? I just don't know how best to get internal access through the LAN at this time. Better to secure and leave user access alone for now until I can develop something.
0
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34989978
So if you've got a PC with an address of 192.168.1.10 (or any 192.168.1.X address) and it can't ping 192.168.1.200 then the issue is on the LAN. That traffic is going to take the shortest route on the LAN and won't be passing through the firewall at all.

As far as your plan goes, you are definitely on the right track. Really you would be best to use a DMZ, i.e. configure another port on the firewall (say eth0/2) with a different private address range like 192.168.5.0 255.255.255.0. Put any of your publicly accessed devices on that network. That gains you the ability to build rules and monitor the traffic going from the server to the LAN. The scenario is your web server gets hacked or acquires a virus and, because it is in a different broadcast domain, it is not going to spread to your LAN... hopefully. Smaller businesses ignore this practice a lot, but larger organizations will always do it this way. Having the server behind the firewall and limiting access to ports 80 and 443 is minimal, but also pretty standard.

So... back to your issue. If you can't ping 192.168.1.200 (use the IP not the name) then we need to look at the LAN topology. I see a reference to a Barracuda device in the ASA config. If that is a pass-through device and located between your test PC and the server I would start there. If you can give me an idea of what LAN components you've got we should be able to get this resolved pretty quickly.

Can you ping 192.168.1.200 from the ASA command line?
0
 

Author Comment

by:ReproGraphix
ID: 34990014
Ok, from any PC within my network, that is any PC on the Inside Interface, I can ping 192.168.1.200.
I can also type that address within my browser and access the web server with no issue.

From the ASA command line I receive a successful ping result.

I think I see where you're going with this. But I'm tired so I'm a little slow.

More Info-
This web server had 4 separate external IP addresses associated with it through 1 network card within TCP/IP. This was connected to a 4 port router. Another port went straight into the T1. Another port of the router went into the old firewall. The old firewall then connected to a switch and the internal LAN.

My idea was to take this guy, give him 1 internal IP (192.168.1.200), then use host headers in IIS to trim down the number of needed IP addresses and have the firewall manage the external IP address routing until I can split sites and services from this 1 server out to other servers.
0
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34990031
Sounds like you're on it. I would guess that your internal DNS is resolving the name to the public IP address. Do an NSLOOKUP on the name and see what it gives you.

I am not an IIS guy, but I believe that when you have multiple interfaces you can tell IIS which interface/IP address to listen on for a given website. So given the box's history, you might need to make sure that all your IIS settings are using the NIC that has 192.168.1.200 on it and not the old public address or who knows what else.
0
 

Author Comment

by:ReproGraphix
ID: 34990097
Yes, the internal DNS is resolving the name to the public IP address. But it's the public name of that website and the name that I have set up the NAT to route to 192.168.1.200. Not the public IP of the ASA, which is a different external IP address.

I'm going through the DNS settings on the ASA as well as the DHCP settings.  I'm also taking a look at my Internal DNS Server settings and making sure I don't have a problem there.  
0
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34990269
I think if you create an entry on your DNS server for the public name with the private address your issue will be resolved.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34990361
Hi,

there are two problems:
1. As ReproGraphix said, you need to create DNS settings for the inside address
2. you need to move the mgmt port because it is colliding with port 443:

http server enable 444

And there is a workaround:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
0
 
LVL 1

Expert Comment

by:orbistechnology
ID: 34993832
Forgive my asking a simple question.  I read your config, and your outside interface has this subnet:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 216.205.208.138 255.255.255.248

Yet your statics are trying to translate your internal IP to this external IP:

static (inside,outside) tcp 216.135.46.186 www 192.168.1.200 www netmask 255.255.255.255  dns
static (inside,outside) tcp 216.135.46.186 https 192.168.1.200 https netmask 255.255.255.255  dns

That external IP is outside the subnet on your outside interface.
0
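Rick's split-DNS advice above (an inside DNS record for the public name) and orbistechnology's observation that the statics map to an address outside the outside interface's subnet can both be checked mechanically. The following Python script is an added example, not code from this thread or from Cisco; it parses a constructed excerpt modelled on the posted 8.2 config (SAMPLE_CONFIG) and reports both conditions.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA 8.2 config posted in this thread: the
# interface subnets, the DNS servers handed to inside DHCP clients, and the statics.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 216.205.208.138 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
dhcpd dns 192.168.1.100 192.168.1.241 interface inside
static (inside,outside) tcp interface smtp 192.168.1.101 smtp netmask 255.255.255.255  dns
static (inside,outside) tcp 216.135.46.186 www 192.168.1.200 www netmask 255.255.255.255  dns
static (inside,outside) tcp 216.135.46.186 https 192.168.1.200 https netmask 255.255.255.255  dns
static (inside,outside) tcp 216.205.208.140 www 192.168.1.200 www netmask 255.255.255.255
"""

# Pre-8.3 port-forwarding static: static (real_if,mapped_if) tcp mapped mport real rport ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped>\S+) (?P<mapped_port>\S+) (?P<real>\S+) (?P<real_port>\S+)"
    r" netmask \S+(?P<dns>\s+dns)?\s*$"
)


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask)."""
    ifaces, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            parts = line.split()
            ifaces[nameif] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return ifaces


def parse_statics(config):
    """One dict per port-forwarding static; 'dns' is True when the keyword is present."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            fields = m.groupdict()
            fields["dns"] = fields["dns"] is not None
            statics.append(fields)
    return statics


def parse_dhcpd_dns(config):
    """Return {interface: [DNS servers the ASA's DHCP server hands out on it]}."""
    servers = {}
    for line in config.splitlines():
        m = re.match(r"^dhcpd dns (.+) interface (\w+)$", line)
        if m:
            servers[m.group(2)] = m.group(1).split()
    return servers


def check_config(config):
    """Return (kind, message) findings about reaching NATed servers from inside."""
    ifaces = parse_interfaces(config)
    statics = parse_statics(config)
    findings = []
    for s in statics:
        if s["mapped"] == "interface":
            continue  # PAT on the interface's own address is always on-net
        net = ifaces[s["mapped_if"]].network
        mapped = ipaddress.IPv4Address(s["mapped"])
        # The ASA only proxy-ARPs for mapped addresses that belong to the subnet
        # configured on the mapped interface; anything else is never reachable.
        if mapped not in net:
            findings.append(("mapped-offnet",
                f"static for {s['real']}:{s['real_port']} maps to {mapped}, "
                f"outside the {s['mapped_if']} subnet {net}"))
    # DNS doctoring (the 'dns' keyword) only rewrites A records in replies that cross
    # the ASA; clients whose resolver shares their subnet need an inside record instead.
    for real_if, servers in parse_dhcpd_dns(config).items():
        local = [d for d in servers
                 if ipaddress.IPv4Address(d) in ifaces[real_if].network]
        hosts = sorted({s["real"] for s in statics if s["real_if"] == real_if})
        if local and hosts:
            findings.append(("dns-doctoring",
                f"{real_if} clients resolve via {', '.join(local)} on their own subnet; "
                f"the 'dns' keyword cannot rewrite those answers, so publish {real_if} "
                f"DNS records for the public names pointing at {', '.join(hosts)}"))
    return findings
```

check_config(SAMPLE_CONFIG) returns two mapped-offnet findings for the 216.135.46.186 statics and one dns-doctoring finding naming 192.168.1.101 and 192.168.1.200; the 216.205.208.140 static passes because it lies inside 216.205.208.136/29.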
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34993941
Good catch... something smells funny because he said it works from outside... I think that is impossible if the outside interface isn't listening on that network... maybe the config is old and half altered?

Using port 443 won't be an issue unless you are trying to forward the address assigned to the interface.
0
 
LVL 1

Expert Comment

by:orbistechnology
ID: 34993985
Old xlates could be the culprit - that and DNS could be completely mangled.
0
 

Author Comment

by:ReproGraphix
ID: 34994074
Yes, DNS has been something I know is not set up correctly. But this subnet and IP address configuration is one that I have had set for some time. But for different IPs, though they all had the same subnets and were from the same networks. A Cisco Tech set that for me originally.

Here's my running config from only a few moments ago.

: Saved
:
ASA Version 8.2(2)
!
hostname baylor
domain-name repro.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name 192.168.1.101 Barracuda description Email Firewall
name 192.168.1.120 Loki description FTP Server
name 192.168.1.118 Apollo description Traverse
name 192.168.1.5 Autocad description Ray's PC - 1
name 192.168.1.202 eyeRepro description Testing
name 192.168.1.242 IT description Spid3r's w3b
name 216.135.46.185 access.acementorindiana.org description ACE FTP
name 192.168.1.209 Ray2 description Ray's PC - 2
ddns update method 192.168.1.100
 ddns both
 interval maximum 0 1 0 0
!
ddns update method 192.168.1.241
 ddns both
 interval maximum 0 0 15 0
!
ddns update method 8.8.8.8
 ddns both
 interval maximum 0 0 12 0
!
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ddns update hostname google-public-dns-a.google.com
 ddns update 8.8.8.8
 dhcp client update dns
 ip address 216.205.208.138 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ddns update hostname poseidon.repro.local
 ddns update 192.168.1.100
 dhcp client update dns server both
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.100
 name-server 192.168.1.241
 domain-name repro.local
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
access-list outside_access_in remark Barracuda - Email
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Apollo
access-list outside_access_in extended permit tcp any interface outside eq 4002
access-list outside_access_in remark Autocad
access-list outside_access_in extended permit tcp any interface outside eq 35
access-list outside_access_in remark Ray2
access-list outside_access_in extended permit tcp any interface outside eq 36
access-list outside_access_in remark Spid3r
access-list outside_access_in extended permit tcp any interface outside eq 7007
access-list outside_access_in remark eyeRepro
access-list outside_access_in extended permit tcp any host 216.135.46.185 object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in remark FTP to Loki
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list inside_access_in extended permit ip any any
access-list CAPI extended permit tcp 192.168.1.0 255.255.255.0 host 216.205.208.139
access-list CAPI extended permit tcp host 216.205.208.139 192.168.1.0 255.255.255.0
access-list CAPO extended permit tcp host 216.205.208.138 host 216.205.208.139
access-list CAPO extended permit tcp host 216.205.208.139 host 216.205.208.138
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered informational
logging trap debugging
logging asdm informational
logging mail emergencies
logging from-address Cisco@reprographix.com
logging recipient-address sdowling@reprographix.com level errors
logging host inside 192.168.1.241
logging class auth mail emergencies asdm emergencies
logging class config asdm emergencies
logging class email asdm emergencies
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.101 smtp netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.120 ftp netmask 255.255.255.255  dns
static (inside,outside) tcp interface ftp-data 192.168.1.120 ftp-data netmask 255.255.255.255  dns
static (inside,outside) tcp interface 4002 192.168.1.118 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 35 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 36 192.168.1.209 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 7007 192.168.1.242 3389 netmask 255.255.255.255
static (inside,outside) tcp 216.135.46.185 https 192.168.1.202 https netmask 255.255.255.255
static (inside,outside) tcp 216.135.46.185 ftp 192.168.1.202 ftp netmask 255.255.255.255
static (inside,outside) tcp 216.135.46.185 www 192.168.1.202 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.205.208.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
 shutdown
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
dhcp-client client-id interface inside
dhcp-client update dns server both
dhcpd dns 216.135.0.10 216.135.1.10
!
dhcpd dns 216.135.0.10 216.125.1.10 interface outside
!
dhcpd address 192.168.1.150-192.168.1.235 inside
dhcpd dns 192.168.1.100 192.168.1.241 interface inside
dhcpd ping_timeout 500 interface inside
dhcpd domain repro.local interface inside
dhcpd update dns interface inside
dhcpd option 4 ip 198.30.92.2 137.146.28.85 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 192.5.41.40 source outside prefer
ntp server 198.30.92.2 source outside
webvpn
 internal-password enable
username r3pr0 password f6CE7iDS67FP8WsZ encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ftp
  inspect ip-options
policy-map type inspect esmtp Base
 description rudament
 parameters
  no mask-banner
  allow-tls
 match sender-address length gt 320
  log
 match MIME filename length gt 255
  log
 match cmd line length gt 512
  log
 match cmd RCPT count gt 100
  log
 match body line length gt 998
  log
!
service-policy global_policy global
smtp-server 216.205.208.139
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:91b7eaa0eeab5960837a89b52c8d3655
: end
asdm image disk0:/asdm-625.bin
asdm history enable
0
 
LVL 1

Expert Comment

by:orbistechnology
ID: 34994092
Can you describe your ISP CPE and any equipment in front of and behind the ASA?  I still don't get your outside network and statics.

0
 

Author Comment

by:ReproGraphix
ID: 34994139
I have a Bonded T-1 connecting into the ASA 5510. The ASA is running out to 3 48-port switches and to the end users. I have 10 servers mixed within that inside portion of the ASA. 4 of those servers are web application servers that each have their own static IP. Those IPs share the same subnet and gateway that the outside connection has.

I recently brought on another T-1 but it is not connected to the ASA.  I have also purchased a Cisco RV082 which I had hoped I could use to load balance the old T-1 and the new T-1 then connect into the front of the ASA and gain some performance.  Though my last attempt at that failed miserably.
0
 
LVL 1

Expert Comment

by:orbistechnology
ID: 34994193
What do you mean by a bonded T1?  Is it two, three, four T1s?  The actual T1 circuits terminate on a CPE device.  The ASA cannot terminate a T1 circuit directly.  The CPE must connect via Ethernet to the ASA.  What is your IP assignment from your ISP?

If you have "internal" servers that share outside addresses, you likely have VLANning involved - and those servers may bypass the ASA altogether. Reprogramming the ASA won't do anything at that point. It can be very confusing when VLANs are involved. You can have one switch where ALL of the interfaces of the ASA connect to the same switch. Only the switch configs can show you where traffic is really going at that point.

The RV082 is a Linksys device, rebranded as Cisco. I would return it and get your money back ASAP.

You can't "load balance" and get more bandwidth. Only bonding via MLPPP or another protocol with coordination from your ISP can get you more absolute bandwidth.

If you have multiple ISPs, this protects you from a single ISP outage, but will never gain you more total bandwidth.  You can share the load over multiple connections, but you can never take multiple connections from multiple ISPs and get a total aggregate bandwidth which equals the sum of all connections.
0
 

Author Comment

by:ReproGraphix
ID: 34994281

The 1st T-1 gives me 5 external IP addresses and has a speed of 3 Mbps down and 1.5 Mbps up. Those IP addresses are used for FTP, Web Server, Spam AV Email Filter and a Mail Server (including the IP for the front of the ASA 5510, I have used those 5 IP addresses).

The other T-1 has the same speed specs. It was brought in due to the old T-1's expiring contract and wanting to do some testing with 2 connections. I understand that the device has its limitations; I just wanted to see what I might be able to do with it. Load balancing is something I need in place desperately. Those T-1s aren't that fast but we do a lot of file transferring and the speed stays steady so it works.

In the server rack I have a 48 port switch that connects my VMware servers and physical servers. A network connection runs to another server rack and 48 port switch at the other end of the building. Then a final switch roughly 50 feet from that spot in another part of the building connects a large number of plotter printers and some WiFi access points.

I have no VLANs and I only have the 192.168.1.0 IP config internally.

The Outside IP scheme is

Usable IP Block - 216.205.208.138 to 217.205.208.142
also 217.135.46.185 and 217.135.46.186
Gateway- 216.205.208.138
Subnet - 255.255.255.248

I have NAT and ACL access rules pointing those external IPs to the outside interface and so forth to the internal server IP, as you can see in my config file.
0
 
LVL 3

Accepted Solution

by:
Rick_at_ptscinti earned 250 total points
ID: 34997247
Look at an Adtran 3450. It can terminate up to 4 T1s and the command line is basically the same as a Cisco.

It looks like it's not working at all now... add the following lines and this should get it up from the outside in using 216.205.208.140

static (inside,outside) tcp 216.205.208.140 https 192.168.1.200 https netmask 255.255.255.255
static (inside,outside) tcp 216.205.208.140 ftp 192.168.1.200 ftp netmask 255.255.255.255
static (inside,outside) tcp 216.205.208.140 www 192.168.1.200 www netmask 255.255.255.255

If you want the 217.135.46.185 network to work you will have to add the following

interface eth0/2
   ip address 217.135.46.185 255.255.255.252 secondary

That will allow the router to "listen" for incoming requests on that network.

Don't take this the wrong way, but I think it would be in your interest to find a local support vendor to help you.  It's one thing to need a little help supporting something that is in place and working, but you are basically starting from scratch and need someone who works with this equipment on a regular basis.
0
 
LVL 3

Expert Comment

by:Rick_at_ptscinti
ID: 34997267
FYI... T1s can't go faster than 1.54 Mbps and don't have different upload and download speeds.
0
