From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Mon Oct 06 2008 - 09:07:29 ART
Merely translating the inside users to the public IP address of your
proxy server will not 'force' the users to go through the proxy (in fact it's
a pretty bad idea). You have a few options here:
- Educate the users to put the proxy in their browser (and allow only the
proxy IP to go to the internet for web traffic). Only NAT the proxy on the
firewall.
- Push the Internet Explorer settings automatically.
- Use PAC/WPAD http://en.wikipedia.org/wiki/Proxy_auto-config
- Perform 'port redirection' on the firewall (will be a complicated design
and is definitely not recommended).
Regards
Farrukh
On Sat, Oct 4, 2008 at 8:35 PM, Mark Anthony <mctony@ymail.com> wrote:
> I can now ping the internet router inside interface from the inside USER,
> through the ASA.
> Now only 1 host can browse the internet; the others cannot, including my
> proxy server. What can I do? Someone please advise on what command to use.
>
> I want all inside users to go through the proxy to browse, except for my 3
> servers, which have public IP addresses and for which I already did a static
> NAT on the ASA.
>
> Thanks.
>
> --- On Sat, 10/4/08, Mike Canfield <mike@mcanfield.com> wrote:
>
> From: Mike Canfield <mike@mcanfield.com>
> Subject: Re: Can`t ping my ASA outside int from the inside
> To: "Mark Anthony" <mctony@ymail.com>
> Cc: "ccie groupstudy" <ccielab@groupstudy.com>
> Date: Saturday, October 4, 2008, 3:39 PM
>
> You need to enable something called management-interface or something
> like that. It's on CCO.
>
>
> On Oct 4, 2008, at 10:27 AM, Mark Anthony wrote:
>
> > I am using an ASA 5510 between my inside network and the internet
> > router.
> >
> > I cannot ping my ASA outside interface and the internet router inside
> > interface.
> >
> > Here is what I want to achieve:
> >
> > 1. I want my inside users to get to the internet using the proxy address.
> >
> > 2. I want my inside users to ping the outside interface of the ASA.
> >
> > 3. I want remote users to access just 3 servers in my inside network;
> > these servers also have public addresses.
> >
> > Below is the config I have presently on the ASA.
> >
> > Can someone please help me by providing the configs that will make me
> > achieve these tasks stated above.
> >
> > Thanks in advance
> >
> > ASA Version 7.0(6)
> > !
> > hostname ciscoasa
> > enable password 8Ry2YjIyt7RRXU24 encrypted
> > names
> > dns-guard
> > !
> > interface Ethernet0/0
> >  description <connection to the internet router>
> >  nameif outside
> >  security-level 0
> >  ip address 194.203.x.x 255.255.255.0
> > !
> > interface Ethernet0/1
> >  description <connection to internal networks>
> >  nameif inside
> >  security-level 100
> >  ip address 194.203.x.x 255.255.255.0
> > !
> > interface Ethernet0/2
> >  description <connection to servers>
> >  shutdown
> >  nameif DMZ
> >  security-level 50
> >  no ip address
> > !
> > interface Ethernet0/3
> >  shutdown
> >  no nameif
> >  no security-level
> >  no ip address
> > !
> > interface Management0/0
> >  speed 100
> >  duplex full
> >  nameif management
> >  security-level 0
> >  ip address 192.168.1.1 255.255.255.0
> > !
> > passwd 2KFQnbNIdI.2KYOU encrypted
> > ftp mode passive
> > access-list 100 extended permit icmp any any echo-reply
> > access-list 100 extended permit icmp any any time-exceeded
> > access-list 100 extended permit icmp any any unreachable
> > access-list 100 extended permit tcp any host 62.x.x.x eq www
> > access-list 100 extended permit tcp any host 62.x.x.x eq www
> > access-list 100 extended permit tcp any host 62.x.x.x eq smtp
> > pager lines 24
> > logging enable
> > mtu outside 1500
> > mtu inside 1500
> > mtu DMZ 1500
> > mtu management 1500
> > no failover
> > asdm image disk0:/asdm506.bin
> > no asdm history enable
> > arp timeout 14400
> > global (outside) 1 62.x.x.x (proxy server public address)
> > nat (inside) 1 0.0.0.0 0.0.0.0
> > static (inside,outside) 62.173.x.x x.203.101.5 netmask 255.255.255.255
> > static (inside,outside) 62.173.x.x x.203.101.250 netmask 255.255.255.255
> > static (inside,outside) 62.173.x.x x.203.101.2 netmask 255.255.255.255
> > access-group 100 in interface outside
> > route outside 0.0.0.0 0.0.0.0 10.163.x.x 1 (isp)
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> > timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > no snmp-server location
> > no snmp-server contact
> > snmp-server enable traps snmp authentication linkup linkdown coldstart
> > telnet timeout 5
> > ssh timeout 5
> > console timeout 0
> > Cryptochecksum:0d567cde88308477ab94bd171ee1479e
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
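The "only NAT the proxy and allow only the proxy IP out for web traffic" option from the reply above, written out as an added ASA 7.x example. This is not Farrukh's text and not Mark's posted config; it uses documentation addresses as stand-ins for the masked ones in the thread. Assumptions: the proxy is 192.0.2.10 on the inside and is translated to 203.0.113.10 on the outside, the mail server's inside address is 192.0.2.5, the proxy does its own DNS lookups, and the access-list name inside_in is made up.

```cisco
! --- Weak setting, as posted: every inside host is PAT'd behind the proxy's
! --- public address, so nothing obliges a user to go through the proxy.
!   global (outside) 1 203.0.113.10
!   nat (inside) 1 0.0.0.0 0.0.0.0

! --- Corrected: translate only the proxy itself.
! (ASSUMED addresses: 192.0.2.10 inside, 203.0.113.10 public)
no nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.10
nat (inside) 1 192.0.2.10 255.255.255.255

! --- Enforce it with an access list bound to the inside interface. Once an
! --- ACL is applied here the default "higher to lower security" permit no
! --- longer applies, so anything not listed below is dropped.
! Only the proxy may open HTTP/HTTPS sessions to the Internet ...
access-list inside_in extended permit tcp host 192.0.2.10 any eq www
access-list inside_in extended permit tcp host 192.0.2.10 any eq https
! ... and resolve names on the users' behalf (ASSUMED: proxy does its own DNS).
access-list inside_in extended permit udp host 192.0.2.10 any eq domain
! The statically NATed servers keep whatever outbound access they really
! need; outbound SMTP from the mail server (ASSUMED 192.0.2.5) is one example.
access-list inside_in extended permit tcp host 192.0.2.5 any eq smtp
! Let inside users ping out; echo-reply is already permitted on ACL 100.
access-list inside_in extended permit icmp any any echo
! Explicit final deny with logging: hits here are hosts trying to bypass
! the proxy, which is exactly what you want to see in the log.
access-list inside_in extended deny ip any any log
access-group inside_in in interface inside
```

Two things to check before relying on this. First, on an ASA the catch-all `nat (inside) 1 0.0.0.0 0.0.0.0` is not what lets users out: with `nat-control` at its default (disabled) a host with no NAT rule still passes traffic untranslated, so removing the catch-all rule on its own changes nothing and only the inside access list actually forces the proxy. Second, add any other host that legitimately needs the Internet directly (an internal DNS forwarder, the other two statically NATed servers, the proxy's non-standard ports such as 8080 or FTP) before applying `access-group`, because the moment it is bound everything else on the inside is cut off.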
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:19 ARST