From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Tue Oct 28 2008 - 03:18:52 ARST
I'll reply to your netpro post with a possible solution, but how come you
switched from 'oluwaseyi ojo' to MARK? Or is that your alter-ego? :)
Regards
Farrukh
On Mon, Oct 27, 2008 at 8:13 PM, Mark Anthony <mctony@ymail.com> wrote:
> I have configured an ASA 5510 to be between an internet router and a Cisco
> switch. I have 3 servers in my inside network which users access from outside,
> and these servers also have public addresses. My inside users can connect to
> the internet, surf the net, and I can also pull down mail from my Exchange
> server via the internet, BUT MY REMOTE USERS CANNOT ACCESS THESE SERVERS FROM
> THEIR REMOTE END.
>
> Below are the configs on both the router and ASA for someone to please help me
> check and see what I did wrong.
>
> Please help me.
>
> :
> ASA Version 7.2(2)
> !
> hostname ciscoasa
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface GigabitEthernet0/0
>  description <connection to the internet router>
>  nameif outside
>  security-level 0
>  ip address 194.203.X.X 255.255.255.0
> !
> interface GigabitEthernet0/1
>  description <connection to internal networks>
>  nameif inside
>  security-level 100
>  ip address 194.203.X.X 255.255.255.0
> !
> interface GigabitEthernet0/2
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface GigabitEthernet0/3
>  shutdown
>  no nameif
>  no security-level
>  no ip address
> !
> interface Management0/0
>  shutdown
>  no nameif
>  no security-level
>  no ip address
>  management-only
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> access-list 100 extended permit icmp any any echo-reply
> access-list 100 extended permit icmp any any time-exceeded
> access-list 100 extended permit icmp any any unreachable
> access-list 100 extended permit tcp any host 62.173.X.X eq www
> access-list 100 extended permit tcp any host 62.173.X.X eq www
> access-list 100 extended permit tcp any host 62.173.X.X eq smtp
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 0.0.0.0 0.0.0.0
> static (inside,outside) 62.173.X.X 194.203.X.X netmask 255.255.255.255 dns
> static (inside,outside) 62.173.X.X 194.203.X.X netmask 255.255.255.255
> static (inside,outside) 62.173.X.X 194.203.X.X netmask 255.255.255.255 dns
> access-group 100 in interface outside
> route outside 0.0.0.0 0.0.0.0 10.163.X.X 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> telnet 194.203.X.X 255.255.255.255 inside
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> !
> class-map inspection_default
>  match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
>  parameters
>  message-length maximum 512
> policy-map global_policy
>  class inspection_default
>  inspect dns preset_dns_map
>  inspect ftp
>  inspect h323 h225
>  inspect h323 ras
>  inspect rsh
>  inspect rtsp
>  inspect esmtp
>  inspect sqlnet
>  inspect skinny
>  inspect sunrpc
>  inspect xdmcp
>  inspect sip
>  inspect netbios
>  inspect tftp
> !
> service-policy global_policy global
> prompt hostname context
> Cryptochecksum:3897f58ffa9b9b7da8c7fe219442448c
> : end
>
>
>
> CONFIGURATION FOR THE ROUTER
>
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Router
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> !
> ip cef
> !
> !
> !
> voice-card 0
>  no dspfarm
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> !
> interface GigabitEthernet0/0
>  description Gateway to CONNECTION TO LAN
>  ip address 194.203.X.X 255.255.255.0
>  ip access-group 102 in
>  ip nat inside
>  duplex auto
>  speed auto
> !
> interface GigabitEthernet0/1
>  description LINK TO ipNX VPN CLOUD
>  ip address 10.163.X.X 255.255.254.0
>  ip nat outside
>  duplex auto
>  speed auto
> !
> router eigrp 2113
>  network 192.168.X.X 0.0.0.3
>  network 194.203.X.X
>  network 194.203.X.X
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 10.163.X.X
> ip route 62.173.X.X 255.255.255.255 GigabitEthernet0/0
> ip route 62.173.X.X 255.255.255.255 GigabitEthernet0/0
> ip route 62.173.X.X 255.255.255.255 GigabitEthernet0/0
> !
> ip http server
> no ip http secure-server
> ip nat inside source list 10 interface GigabitEthernet0/1 overload
> ip nat inside source static tcp 62.173.X.X 25 194.203.X.X 25 extendable
> ip nat inside source static tcp 62.173.X.X 80 194.203.X.X 80 extendable
> ip nat inside source static tcp 62.173.X.X 80 194.203.X.X 80 extendable
> !
> access-list 10 permit 194.203.X.X 0.0.0.255
> access-list 102 deny   tcp 194.203.0.0 0.0.255.255 any eq 137 log
> access-list 102 deny   udp 194.203.0.0 0.0.255.255 any eq netbios-ns log
> access-list 102 deny   tcp 194.203.0.0 0.0.255.255 any eq 138 log
> access-list 102 deny   udp 194.203.0.0 0.0.255.255 any eq netbios-dgm log
> access-list 102 permit ip any any
> !
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
>  password XXXXXX
>  login
> line aux 0
> line vty 0 4
>  password XXXXXX
>  login
> !
> scheduler allocate 20000 1000
> !
> end
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Nov 01 2008 - 15:35:23 ARST
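The two NAT layers in the quoted configs can be cross-checked mechanically rather than by eye. The Python below is an added example (not code from the thread, from the poster, or from Cisco) that parses ASA 7.x `static` and `route` lines and IOS `ip nat inside source static` lines and reports (a) whether each router local/global pair runs in the same direction as the ASA's real/mapped pair, (b) whether the ASA default-route gateway lies on the outside interface's subnet, and (c) whether each ASA real address lies on the inside subnet. The syntax it relies on is the documented one: ASA `static (real_ifc,mapped_ifc) mapped_ip real_ip` translates real to mapped, and IOS `ip nat inside source static tcp local-ip local-port global-ip global-port` translates local to global. Every address in the embedded sample configs is a constructed stand-in for the masked X.X values in the post, arranged to keep the posted shape; the function names and check names are assumptions of this example.

```python
"""Cross-check ASA and IOS static NAT entries (added example, not from the post).

All addresses below are constructed stand-ins for the masked X.X values:
203.0.113.0/24 plays the public 62.173.X.X block, 198.51.100.0/24 the ASA
inside, 192.0.2.0/24 the router LAN / ASA outside, 10.163.0.0/23 the VPN cloud.
"""
import ipaddress
import re

ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 192.0.2.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 198.51.100.1 255.255.255.0
static (inside,outside) 203.0.113.10 198.51.100.140 netmask 255.255.255.255 dns
static (inside,outside) 203.0.113.11 198.51.100.141 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 198.51.100.142 netmask 255.255.255.255 dns
route outside 0.0.0.0 0.0.0.0 10.163.0.1 1
"""

IOS_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 10.163.0.2 255.255.254.0
 ip nat outside
ip route 0.0.0.0 0.0.0.0 10.163.0.1
ip route 203.0.113.10 255.255.255.255 GigabitEthernet0/0
ip nat inside source static tcp 203.0.113.10 25 198.51.100.140 25 extendable
ip nat inside source static tcp 203.0.113.10 80 198.51.100.140 80 extendable
"""


def parse_asa(text):
    """Return (interfaces by nameif, static tuples, route tuples) from ASA 7.x text."""
    interfaces, statics, routes, cur = {}, [], [], {}
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = {}
        elif m := re.match(r"\s+nameif (\S+)", line):
            cur["name"] = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            cur["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line):
            # (real_ifc, mapped_ifc, mapped_ip, real_ip): ASA maps real -> mapped
            statics.append((m.group(1), m.group(2), m.group(3), m.group(4)))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            routes.append((m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"), m.group(4)))
        if "name" in cur and "addr" in cur:
            interfaces[cur["name"]] = cur["addr"]
    return interfaces, statics, routes


def parse_ios(text):
    """Return (interfaces by name, static NAT tuples, route tuples) from IOS text."""
    interfaces, statics, routes, cur = {}, [], [], None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = interfaces.setdefault(m.group(1), {"addr": None, "nat": None})
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            cur["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"\s+ip nat (inside|outside)", line):
            cur["nat"] = m.group(1)
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", line):
            # (proto, local_ip, local_port, global_ip, global_port): IOS maps local -> global
            statics.append((m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
    return interfaces, statics, routes


def check_nat_direction(asa_statics, ios_statics):
    """One (status, local, global) per router entry: does its direction match the ASA's?"""
    real_to_mapped = {real: mapped for _, _, mapped, real in asa_statics}
    results = []
    for _proto, local, _lp, glob, _gp in ios_statics:
        if real_to_mapped.get(local) == glob:
            results.append(("consistent", local, glob))
        elif real_to_mapped.get(glob) == local:   # router's local is the ASA's mapped
            results.append(("inverted", local, glob))
        else:
            results.append(("no-asa-counterpart", local, glob))
    return results


def check_asa_routes(interfaces, routes):
    """(dest, gateway, on_link): an ASA next hop must sit on the egress interface subnet."""
    return [(str(dest), gw, ipaddress.ip_address(gw) in interfaces[ifname].network)
            for ifname, dest, gw in routes]


def check_real_addresses(interfaces, asa_statics):
    """(real_ip, on_subnet): the pre-NAT address should live on the real interface's subnet."""
    return [(real, ipaddress.ip_address(real) in interfaces[real_if].network)
            for real_if, _m_if, _mapped, real in asa_statics]


def run_checks(asa_text=ASA_CONFIG, ios_text=IOS_CONFIG):
    """Parse both configs and return all findings keyed by check name."""
    asa_ifs, asa_statics, asa_routes = parse_asa(asa_text)
    _ios_ifs, ios_statics, _ios_routes = parse_ios(ios_text)
    return {"nat_direction": check_nat_direction(asa_statics, ios_statics),
            "asa_route_gateway_onlink": check_asa_routes(asa_ifs, asa_routes),
            "asa_real_on_inside": check_real_addresses(asa_ifs, asa_statics)}


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

On the constructed sample, which copies the shape of the quoted lines, both router entries come out `inverted` (the router's local address is the ASA's mapped public address) and the ASA default-route gateway comes out off-link (a 10.163.0.0/23 next hop behind a 192.0.2.0/24 outside interface). Whether the same holds for the real addresses depends on the masked X.X values, so running this against the unmasked configs is the check to do before touching the ACLs.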