RE: Can`t ping my ASA outside int from the inside

From: Peter Chuba (ptchuba@live.com)
Date: Tue Oct 07 2008 - 04:28:08 ART


If I understand you correctly, your proxy server is different from the other
three servers and has its own public IP. In that case I think what you have
to do is remove the lines

> global (outside) 1 62.x.x.x (proxy server public addres)
> nat (inside) 1 0.0.0.0 0.0.0.0

Then create a static nat entry for the public server ip as you did with the
other servers.

Assuming you are using a windows domain what I do to let the inside users
access the internet through the proxy server is, to push the settings to the
client machines through group policy in Windows. Specifically the group
policy setting is:

User configuration > windows settings > internet explorer maintenance >
connection > proxy settings.

If you don't want users to change this setting then go to

User configuration > administrative templates > windows components >
internet explorer ... and enable "Disable changing proxy settings"

You want to make sure these policies are not applied to the servers,
otherwise they will all go to the internet through the proxy server too.

Regards
Peter
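As an added check that is not part of the thread: a Python script that reads ASA 7.0 `global`/`nat`/`static` lines in the style of the posted config, flags why the proxy setup fails, and applies Peter's fix. All addresses are constructed because the thread's are redacted; `PROXY_INSIDE`, `PROXY_PUBLIC`, `parse_nat`, `audit` and `fix` are names chosen here.

```python
import re
from ipaddress import ip_network

# Constructed sample in the style of the thread's ASA 7.0 config; its addresses are redacted, so these are made up.
SAMPLE_CONFIG = """\
global (outside) 1 62.173.0.10
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 62.173.0.5 10.203.101.5 netmask 255.255.255.255
static (inside,outside) 62.173.0.250 10.203.101.250 netmask 255.255.255.255
static (inside,outside) 62.173.0.2 10.203.101.2 netmask 255.255.255.255
"""
PROXY_INSIDE, PROXY_PUBLIC = "10.203.101.20", "62.173.0.10"  # constructed

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+) (\S+)")

def parse_nat(config):
    """Pull the static, global and nat lines out of an ASA 7.x config."""
    statics, globs, nats = {}, {}, []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            _, _, mapped, real, _ = m.groups()
            statics[real] = mapped               # real inside host -> public address
        elif m := GLOBAL_RE.match(line):
            globs[int(m.group(2))] = m.group(3)  # pool id -> PAT address
        elif m := NAT_RE.match(line):
            _, pool, net, mask = m.groups()
            nats.append((int(pool), ip_network(f"{net}/{mask}", strict=False)))
    return statics, globs, nats

def audit(config, proxy_inside, proxy_public):
    """List the reasons the inside hosts and the proxy would not behave as intended."""
    statics, globs, nats = parse_nat(config)
    findings = []
    for pool, net in nats:
        pat_addr = globs.get(pool)
        if pat_addr == proxy_public:
            findings.append(f"pool {pool} PATs clients to the proxy's own address {pat_addr}")
        if net.prefixlen == 0:
            findings.append(f"pool {pool} matches every inside host, so all can bypass the proxy")
    if proxy_inside not in statics:
        findings.append(f"no static (inside,outside) entry for proxy {proxy_inside}")
    return findings

def fix(config, proxy_inside, proxy_public):
    """Apply the thread's advice: drop the dynamic nat/global pair, add a static for the proxy."""
    kept = [l for l in config.splitlines() if not (GLOBAL_RE.match(l) or NAT_RE.match(l))]
    kept.append(f"static (inside,outside) {proxy_public} {proxy_inside} netmask 255.255.255.255")
    return "\n".join(kept) + "\n"
```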

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mark
Anthony
Sent: Saturday, October 04, 2008 6:36 PM
To: Mike Canfield
Cc: ccie groupstudy
Subject: Re: Can`t ping my ASA outside int from the inside

I can now ping the internet router inside int from the inside, USER, thru the
ASA.
Now, it's 1 host that can browse the internet, others can not, including my
proxy server. What can I do? Someone please advise on what command to use.

I want all inside users to go thru the proxy to browse, except for my 3
servers, which have public ip addrs which I already did a static nat on the ASA.

Thanks.

--- On Sat, 10/4/08, Mike Canfield <mike@mcanfield.com> wrote:

From: Mike Canfield <mike@mcanfield.com>
Subject: Re: Can`t ping my ASA outside int from the inside
To: "Mark Anthony" <mctony@ymail.com>
Cc: "ccie groupstudy" <ccielab@groupstudy.com>
Date: Saturday, October 4, 2008, 3:39 PM

You need to enable something called management-interface or something
like that. It's on CCO.

On Oct 4, 2008, at 10:27 AM, Mark Anthony wrote:

> I am using an ASA 5510 between my inside network and the internet
> router.
>
> I cannot ping my ASA outside interface and the internet router inside
> interface.
>
> Here is what I want to achieve:
>
> 1. I want my inside users to get to the internet using the proxy addr
>
> 2. I want my inside users to ping the outside int of the ASA.
>
> 3. I want remote users to access just 3 servers in my inside
> network, these servers also have public addresses.
>
> Below is the config I have presently on the ASA.
>
> Can someone please help me by providing the configs that will make
> me achieve these tasks stated above.
>
> Thanks in advance
>
>
> ASA Version 7.0(6)
> !
> hostname ciscoasa
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> dns-guard
> !
> interface Ethernet0/0
> description <connection to the internet router>
> nameif outside
> security-level 0
> ip address 194.203.x.x 255.255.255.0
> !
> interface Ethernet0/1
> description <connection to internal networks>
> nameif inside
> security-level 100
> ip address 194.203.x.x 255.255.255.0
> !
> interface Ethernet0/2
> description <connection to servers>
> shutdown
> nameif DMZ
> security-level 50
> no ip address
> !
> interface Ethernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Management0/0
> speed 100
> duplex full
> nameif management
> security-level 0
> ip address 192.168.1.1 255.255.255.0
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> access-list 100 extended permit icmp any any echo-reply
> access-list 100 extended permit icmp any any time-exceeded
> access-list 100 extended permit icmp any any unreachable
> access-list 100 extended permit tcp any host 62.x.x.x eq www
> access-list 100 extended permit tcp any host 62.x.x.x eq www
> access-list 100 extended permit tcp any host 62.x.x.x eq smtp
> pager lines 24
> logging enable
> mtu outside 1500
> mtu inside 1500
> mtu DMZ 1500
> mtu management 1500
> no failover
> asdm image disk0:/asdm506.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 62.x.x.x (proxy server public addres)
> nat (inside) 1 0.0.0.0 0.0.0.0
> static (inside,outside) 62.173.x.x x.203.101.5 netmask 255.255.255.255
> static (inside,outside) 62.173.x.x x.203.101.250 netmask 255.255.255.255
> static (inside,outside) 62.173.x.x x.203.101.2 netmask 255.255.255.255
> access-group 100 in interface outside
> route outside 0.0.0.0 0.0.0.0 10.163.x.x 1( isp )
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> Cryptochecksum:0d567cde88308477ab94bd171ee1479e
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html




This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:19 ARST