Re: Second LAN Interface on ASA 5510

From: Haroon (itguy.pro@gmail.com)
Date: Tue Mar 31 2009 - 13:10:48 ART


Thanks Ryan. There were routes in there from R2 to ASA and ASA to R2... I've
removed them recently.

Here is the current config:

Firewall-5510# show config
: Saved
: Written by at 19:44:43.168 EST Tue Feb 17 2009
!
ASA Version 8.0(4)
!
hostname Firewall-5510
domain-name corp.domain.com
names
!
interface Ethernet0/0
 description Connected to the internet
 nameif Outside
 security-level 0
 ip address 12.12.12.26 255.255.255.224

!
interface Ethernet0/1
 description Connected to inside, to Load Balancer
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0

!
interface Ethernet0/2
 description Corp LAN connection to 2821-2 Router
 nameif CorpLAN
 security-level 100
 ip address 172.16.10.1 255.255.255.252

!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 ospf cost 10
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.domain.com
access-list 100 remark allows INSIDE hosts to PING OUT
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 remark XYZ Extranet Start
access-list 100 extended permit tcp any host 12.12.12.28 eq www
access-list 100 extended permit tcp any host 12.12.12.28 eq https
access-list 100 remark MYCampus Start
access-list 100 extended permit tcp any host 12.12.12.29 eq www
access-list 100 extended permit tcp any host 12.12.12.29 eq ftp
access-list 100 remark XYZ WEBSite Start
access-list 100 extended permit tcp any host 12.12.12.32 eq www
access-list 100 extended permit tcp any host 12.12.12.32 eq ftp
access-list 100 extended permit tcp any host 12.12.12.32 eq 3389
access-list 100 extended permit tcp any host 12.12.12.32 eq https
access-list 100 extended permit tcp any host 12.12.12.32 eq 1433
access-list 100 remark ABC EXTRANET Start
access-list 100 extended permit tcp any host 12.12.12.52 eq www
access-list 100 extended permit tcp any host 12.12.12.52 eq https
access-list 100 remark ABC MYCAMPUS Start
access-list 100 extended permit tcp any host 12.12.12.51 eq www
access-list 100 extended permit tcp any host 12.12.12.51 eq ftp
access-list 100 extended permit tcp any host 12.12.12.51 eq 8080
access-list 100 extended permit tcp any host 12.12.12.51 eq 8099
access-list 100 remark ABC WEBSITE Start
access-list 100 extended permit tcp any host 12.12.12.50 eq www
access-list 100 extended permit tcp any host 12.12.12.50 eq ftp
access-list 100 extended permit tcp any host 12.12.12.50 eq https
access-list 100 remark ALL OTHERS
access-list 100 extended permit tcp any host 12.12.12.47 eq www
access-list 100 extended permit tcp any host 12.12.12.47 eq ftp
access-list 100 extended permit tcp any host 12.12.12.48 eq 8080
access-list 100 extended permit tcp any host 12.12.12.29 eq 8080
access-list 100 extended permit tcp any host 12.12.12.40 eq www
access-list 100 extended permit tcp any host 12.12.12.40 eq ftp
access-list 100 extended permit tcp any host 12.12.12.46 eq www
access-list 100 extended permit tcp any host 12.12.12.41 eq www
access-list 100 extended permit tcp any host 12.12.12.41 eq pop3
access-list 100 extended permit tcp any host 12.12.12.41 eq smtp
access-list 100 extended permit tcp any host 12.12.12.27 eq www
access-list 100 extended permit tcp any host 12.12.12.38 eq www
access-list 100 extended permit tcp any host 12.12.12.39 eq www
access-list 100 extended permit tcp any host 12.12.12.33 eq www
access-list 100 extended permit tcp any host 12.12.12.34 eq www
access-list 100 extended permit tcp any host 12.12.12.35 eq www
access-list CorpLAN_access_in extended permit icmp 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
access-list CorpLAN_access_in extended permit icmp 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
access-list Inside_access_in extended permit ip 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
access-list Inside_access_in extended permit ip 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu CorpLAN 1500
mtu management 1500
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 12.12.12.227
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) 12.12.12.28 192.168.100.254 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.29 192.168.100.252 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.30 192.168.100.13 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.31 192.168.100.14 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.32 192.168.100.251 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.40 192.168.100.210 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.41 192.168.100.80 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.46 192.168.100.215 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.47 192.168.100.247 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.48 192.168.100.20 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.49 192.168.100.249 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.50 192.168.100.233 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.51 192.168.100.234 netmask 255.255.255.255
static (Inside,Outside) 12.12.12.52 192.168.100.235 netmask 255.255.255.255
access-group 100 in interface Outside
access-group Inside_access_in in interface Inside
access-group CorpLAN_access_in in interface CorpLAN
!
route Outside 0.0.0.0 0.0.0.0 12.12.12.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 CorpLAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
client-update enable
telnet 192.168.100.0 255.255.255.0 Inside
telnet 172.16.10.0 255.255.255.0 CorpLAN
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 60
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username ABCuser password
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
!

On Tue, Mar 31, 2009 at 11:49 AM, Ryan DeBerry <rdeberry@gmail.com> wrote:

> Need to see the config or portions of it.
>
> Is there any NAT'ing in place between the 2 environments?
>
> Route should be added to R2
> Route should be added to ASA
>
>
>
>
> On Tue, Mar 31, 2009 at 3:41 PM, Haroon <itguy.pro@gmail.com> wrote:
>
>> Correct. I've tried putting static route on ASA going back to the
>> 192.168.1.x network, I've tried access list in/out, etc. but no go.
>>
>>
>>
>> On Tue, Mar 31, 2009 at 11:36 AM, Joe Astorino <joe_astorino@comcast.net> wrote:
>>
>> > I'm assuming you have checked your routing going BACK to the 192.168.1.x
>> > network from the LB and ASA ?
>> >
>> > "He not busy being born is busy dying" -- Dylan
>> >
>> > ----- Original Message -----
>> > From: "Haroon" <itguy.pro@gmail.com>
>> > To: "Joe Astorino" <joe_astorino@comcast.net>
>> > Cc: "Cisco certification" <ccielab@groupstudy.com>
>> > Sent: Tuesday, March 31, 2009 11:34:15 AM GMT -05:00 US/Canada Eastern
>> > Subject: Re: Second LAN Interface on ASA 5510
>> >
>> > Well, I did that, I can reach the 172.16.10.1 address on ASA, but it
>> > doesn't go anywhere after that to the load balancer (192.168.100.1) or even
>> > the 10.10.0.x network, where the web servers are.
>> >
>> > Thanks,
>> >
>> > Haroon
>> >
>> > On Tue, Mar 31, 2009 at 11:22 AM, Joe Astorino <joe_astorino@comcast.net> wrote:
>> >
>> >> So maybe I am missing something, why not just put a static route there
>> >> that points the users from 192.168.1.x heading towards the web servers, to
>> >> the ASA?
>> >>
>> >>
>> >> "He not busy being born is busy dying" -- Dylan
>> >>
>> >> ----- Original Message -----
>> >> From: "itguy pro" <itguy.pro@gmail.com>
>> >> To: "Joe Astorino" <joe_astorino@comcast.net>
>> >> Cc: "Cisco certification" <ccielab@groupstudy.com>
>> >> Sent: Tuesday, March 31, 2009 11:20:08 AM GMT -05:00 US/Canada Eastern
>> >> Subject: Re: Second LAN Interface on ASA 5510
>> >>
>> >> Hi Joe,
>> >>
>> >> That is what we are trying to setup now... They shouldn't be going out to
>> >> get to the 10.10.0.x subnet.
>> >>
>> >>
>> >> Thanks
>> >>
>> >> Sent via BlackBerry from T-Mobile
>> >>
>> >> ------------------------------
>> >> *From*: Joe Astorino
>> >> *Date*: Tue, 31 Mar 2009 15:17:05 +0000 (UTC)
>> >> *To*: Haroon<itguy.pro@gmail.com>
>> >> *Subject*: Re: Second LAN Interface on ASA 5510
>> >>
>> >> Forgive me because I'm not really an ASA guy (yet), but I am wondering,
>> >> why are the users on 192.168.1.x routing out to the internet to get to a
>> >> private internal subnet? Is there some sort of NAT going on or something?
>> >> Why not solve the problem using normal routing?
>> >>
>> >>
>> >> "He not busy being born is busy dying" -- Dylan
>> >>
>> >> ----- Original Message -----
>> >> From: "Haroon" <itguy.pro@gmail.com>
>> >> To: "Cisco certification" <ccielab@groupstudy.com>
>> >> Sent: Tuesday, March 31, 2009 11:06:31 AM GMT -05:00 US/Canada Eastern
>> >> Subject: Second LAN Interface on ASA 5510
>> >>
>> >> Hello Experts,
>> >>
>> >> We phased out our PIX recently and upgraded to ASA 5510. I was able to
>> >> convert the config over from PIX and everything seems to be working fine
>> >> (A to B on diagram). Now, I want to connect 3rd interface on ASA to our
>> >> corporate LAN where staff users on desktops access web servers on
>> >> 10.10.0.x subnet. Right now they are going out to the internet (R-2) and
>> >> then coming back into the R-1. I need to be able to reach 10.10.0.x subnet
>> >> from 192.168.1.x (Y to Z on diagram) without breaking the main config
>> >> (A to B) on the ASA.
>> >>
>> >> Here is a diagram:
>> >> http://www.ccie.pro/ASA-RT.jpg
>> >> (asa config available upon request)
>> >>
>> >> I can ping the 172.16.10.x addresses from where the desktops are... any
>> >> hints would be greatly appreciated.
>> >>
>> >> Thanks,
>> >>
>> >> Haroon
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>>

This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART
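
An added example, not part of the original thread or anyone's posted code: a small Python audit that parses the interface, ACL and route lines from the config above and checks whether a flow arriving on CorpLAN from 192.168.1.x can reach 10.10.0.x through Inside. It checks forward and return routing, the inbound ACL bound to CorpLAN, and the ASA rule that interfaces at the same security level pass no traffic between them unless `same-security-traffic permit inter-interface` is configured. NAT is not modelled, and the function names are hypothetical.

```python
import ipaddress

# Constructed excerpt: lines copied from the config posted above, not the full file.
CONFIG = """\
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 nameif CorpLAN
 security-level 100
 ip address 172.16.10.1 255.255.255.252
access-list CorpLAN_access_in extended permit icmp 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
access-list CorpLAN_access_in extended permit icmp 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
access-group CorpLAN_access_in in interface CorpLAN
route Outside 0.0.0.0 0.0.0.0 12.12.12.25 1
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
def source_net(w):  # tokens after the protocol: any | host A | A MASK
    special = {"any": ("0.0.0.0", "0.0.0.0"), "host": (w[1], "255.255.255.255")}
    return net(*special.get(w[0], w[:2]))

def parse(text):
    ifaces, routes, acls, bound, cur = {}, [], {}, {}, {}
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] == "nameif":
            cur = ifaces.setdefault(w[1], {})
        elif w[0] == "security-level":
            cur["level"] = int(w[1])
        elif w[:2] == ["ip", "address"]:
            cur["net"] = net(w[2], w[3])
        elif w[0] == "route":
            routes.append((w[1], net(w[2], w[3])))
        elif w[0] == "access-list" and w[2:4] == ["extended", "permit"]:
            acls.setdefault(w[1], []).append(source_net(w[5:]))
        elif w[0] == "access-group":
            bound[w[4]] = w[1]  # interface name -> ACL name
    return ifaces, routes, acls, bound

def egress(ip, ifaces, routes):  # longest-prefix match: connected nets + static routes
    table = [(i["net"], n) for n, i in ifaces.items() if "net" in i] + [(r, n) for n, r in routes]
    hits = [(r.prefixlen, n) for r, n in table if ip in r]
    return max(hits)[1] if hits else None

def audit(text, src, dst, in_if, out_if):
    ifaces, routes, acls, bound = parse(text)
    src, dst, acl = ipaddress.ip_address(src), ipaddress.ip_address(dst), bound.get(in_if)
    inter_ok = "same-security-traffic permit inter-interface" in text
    checks = [
        (egress(dst, ifaces, routes) == out_if, f"no route to {dst} via {out_if}"),
        (egress(src, ifaces, routes) == in_if, f"no return route to {src} via {in_if}"),
        (not acl or any(src in s for s in acls.get(acl, [])), f"{acl} has no entry for source {src}"),
        (inter_ok or ifaces[in_if]["level"] != ifaces[out_if]["level"], f"{in_if} and {out_if} share a security level"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Calling `audit(CONFIG, "192.168.1.10", "10.10.0.5", "CorpLAN", "Inside")`, with both host addresses chosen as samples from the subnets named in the thread, returns four findings: both directions fall through to the default route on Outside, the CorpLAN ACL matches neither the 192.168.1.x source nor anything but ICMP, and Inside and CorpLAN are both at security level 100.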