Re: Second LAN Interface on ASA 5510

From: Ryan DeBerry (rdeberry@gmail.com)
Date: Tue Mar 31 2009 - 13:21:26 ART


OK.

From what I see, the LB is doing NAT for the 10.10.0 net as there is only a
default route on the ASA.

You are going to need 'same-security-traffic permit inter-interface' as
the traffic flow is sec 100 to sec 100.

Also is this traffic supposed to be NAT'd or seen as itself?

On Tue, Mar 31, 2009 at 4:10 PM, Haroon <itguy.pro@gmail.com> wrote:

> Thanks Ryan, there were routes in there from R2 to ASA and ASA to R2...
> I've removed them recently.
>
> Here is the current config:
>
>
> Firewall-5510# show config
> : Saved
> : Written by at 19:44:43.168 EST Tue Feb 17 2009
> !
> ASA Version 8.0(4)
> !
> hostname Firewall-5510
> domain-name corp.domain.com
> names
> !
> interface Ethernet0/0
> description Connected to the internet
> nameif Outside
> security-level 0
> ip address 12.12.12.26 255.255.255.224
>
> !
> interface Ethernet0/1
> description Connected to inside, to Load Balancer
> nameif Inside
> security-level 100
> ip address 192.168.100.1 255.255.255.0
>
> !
> interface Ethernet0/2
> description Corp LAN connection to 2821-2 Router
> nameif CorpLAN
> security-level 100
> ip address 172.16.10.1 255.255.255.252
>
> !
> interface Ethernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Management0/0
> shutdown
> nameif management
> security-level 100
> no ip address
> ospf cost 10
> management-only
> !
> boot system disk0:/asa804-k8.bin
> ftp mode passive
> clock timezone EST -5
> clock summer-time EDT recurring
> dns server-group DefaultDNS
> domain-name corp.domain.com
> access-list 100 remark allows INSIDE hosts to PING OUT
> access-list 100 extended permit icmp any any echo-reply
> access-list 100 extended permit icmp any any time-exceeded
> access-list 100 extended permit icmp any any unreachable
> access-list 100 remark XYZ Extranet Start
> access-list 100 extended permit tcp any host 12.12.12.28 eq www
> access-list 100 extended permit tcp any host 12.12.12.28 eq https
> access-list 100 remark MYCampus Start
> access-list 100 extended permit tcp any host 12.12.12.29 eq www
> access-list 100 extended permit tcp any host 12.12.12.29 eq ftp
> access-list 100 remark XYZ WEBSite Start
> access-list 100 extended permit tcp any host 12.12.12.32 eq www
> access-list 100 extended permit tcp any host 12.12.12.32 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.32 eq 3389
> access-list 100 extended permit tcp any host 12.12.12.32 eq https
> access-list 100 extended permit tcp any host 12.12.12.32 eq 1433
> access-list 100 remark ABC EXTRANET Start
> access-list 100 extended permit tcp any host 12.12.12.52 eq www
> access-list 100 extended permit tcp any host 12.12.12.52 eq https
> access-list 100 remark ABC MYCAMPUS Start
> access-list 100 extended permit tcp any host 12.12.12.51 eq www
> access-list 100 extended permit tcp any host 12.12.12.51 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.51 eq 8080
> access-list 100 extended permit tcp any host 12.12.12.51 eq 8099
> access-list 100 remark ABC WEBSITE Start
> access-list 100 extended permit tcp any host 12.12.12.50 eq www
> access-list 100 extended permit tcp any host 12.12.12.50 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.50 eq https
> access-list 100 remark ALL OTHERS
> access-list 100 extended permit tcp any host 12.12.12.47 eq www
> access-list 100 extended permit tcp any host 12.12.12.47 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.48 eq 8080
> access-list 100 extended permit tcp any host 12.12.12.29 eq 8080
> access-list 100 extended permit tcp any host 12.12.12.40 eq www
> access-list 100 extended permit tcp any host 12.12.12.40 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.46 eq www
> access-list 100 extended permit tcp any host 12.12.12.41 eq www
> access-list 100 extended permit tcp any host 12.12.12.41 eq pop3
> access-list 100 extended permit tcp any host 12.12.12.41 eq smtp
> access-list 100 extended permit tcp any host 12.12.12.27 eq www
> access-list 100 extended permit tcp any host 12.12.12.38 eq www
> access-list 100 extended permit tcp any host 12.12.12.39 eq www
> access-list 100 extended permit tcp any host 12.12.12.33 eq www
> access-list 100 extended permit tcp any host 12.12.12.34 eq www
> access-list 100 extended permit tcp any host 12.12.12.35 eq www
> access-list CorpLAN_access_in extended permit icmp 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
> access-list CorpLAN_access_in extended permit icmp 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
> access-list Inside_access_in extended permit ip 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
> access-list Inside_access_in extended permit ip 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
> pager lines 24
> logging enable
> logging asdm informational
> mtu Outside 1500
> mtu Inside 1500
> mtu CorpLAN 1500
> mtu management 1500
> ip verify reverse-path interface Outside
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-615.bin
> no asdm history enable
> arp timeout 14400
> global (Outside) 1 12.12.12.227
> nat (Inside) 1 0.0.0.0 0.0.0.0
> static (Inside,Outside) 12.12.12.28 192.168.100.254 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.29 192.168.100.252 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.30 192.168.100.13 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.31 192.168.100.14 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.32 192.168.100.251 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.40 192.168.100.210 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.41 192.168.100.80 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.46 192.168.100.215 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.47 192.168.100.247 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.48 192.168.100.20 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.49 192.168.100.249 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.50 192.168.100.233 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.51 192.168.100.234 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.52 192.168.100.235 netmask 255.255.255.255
> access-group 100 in interface Outside
> access-group Inside_access_in in interface Inside
> access-group CorpLAN_access_in in interface CorpLAN
> !
> route Outside 0.0.0.0 0.0.0.0 12.12.12.25 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> http server enable
> http 192.168.1.0 255.255.255.0 CorpLAN
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> client-update enable
> telnet 192.168.100.0 255.255.255.0 Inside
> telnet 172.16.10.0 255.255.255.0 CorpLAN
> telnet 192.168.1.0 255.255.255.0 management
> telnet timeout 60
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics
> threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
> username ABCuser password
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> !
> service-policy global_policy global
> !
>
> On Tue, Mar 31, 2009 at 11:49 AM, Ryan DeBerry <rdeberry@gmail.com> wrote:
>
>> Need to see the config or portions of it.
>>
>> Is there any NAT'ing in place between the 2 environments.
>>
>> Route should be Added to R2
>> Route should be added to ASA
>>
>>
>>
>>
>> On Tue, Mar 31, 2009 at 3:41 PM, Haroon <itguy.pro@gmail.com> wrote:
>>
>>> Correct. I've tried putting a static route on the ASA going back to the
>>> 192.168.1.x network, I've tried access lists in/out, etc., but no go.
>>>
>>>
>>>
>>> On Tue, Mar 31, 2009 at 11:36 AM, Joe Astorino <joe_astorino@comcast.net> wrote:
>>>
>>> > I'm assuming you have checked your routing going BACK to the 192.168.1.x
>>> > network from the LB and ASA?
>>> >
>>> > "He not busy being born is busy dying" -- Dylan
>>> >
>>> > -----BEGIN PGP PUBLIC KEY BLOCK-----
>>> > Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0
>>> >
>>> > mQGiBEY2qu8RBAD0E7Ydspmpn9/rRfd614pvDaqj4GKAUeWpc8NNJ3xNU9C5TAKg
>>> > Ta/52f2DvxgPlw6m7W66AJP0HZODw2ameQ9tNMrz3upKRA+ISFaqkJa99UOTdLGC
>>> > W/HtHWZNUJDopBHm3j/TBAAhI0EWvcNIudbHx5zYY4osfDNMaIXYaySwIwCg61Db
>>> > RuST/K0PlSUFK9o6AqTmrcsD/ReQLYK/OEzZBQsPBqMD68ADtdYyIA3VZ7nhWCzc
>>> > YODiBl36XIskcwyVAnU9YXs/Hf96MfI1R2fvYGW8jJ4WHb3wT1JxgiUG4rUbA2L3
>>> > doxNseggGrKC31njFynVuOpdd/TRfsqzV3Yv5MGFPkNG3w/AoiRtwoMZFUtAox3j
>>> > EWbBA/4mYkTKS/Rfgpv7QQHj4ajCHsTL/JNSN8LARwbBomUFdJ+0xdNdr7Ax1zC4
>>> > FEUfP0plRMLMypKPSNYzlIF8dKGwW2I8hUMfQpmIBA4BXBE0/mbv21lU2AzTkvb1
>>> > FssbIzhCkx3mMzESgYIwnnNkJBatTfFqKOxGm//G7s2y1eFPsrQnSm9lIEFzdG9y
>>> > aW5vIDxqb2VfYXN0b3Jpbm9AY29tY2FzdC5uZXQ+iGAEExECACAFAkY2qu8CGwMG
>>> > CwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRAb4dzwEzSi9chbAKCTz89zl4etDIdD
>>> > Hewo7LNEmfT8uQCgmbneQqTT5VyIEx75nG5KzJh2K2m5Ag0ERjaq7xAIALgM2fwR
>>> > tuhRNrwvkYFXTA5grAnnhGqFXPfLt5YlU86QLdu3Z9WJcAAHck1HMCUxdm0gZyNu
>>> > q5XQnmr76dbWjftQ+mxYAdhZGjjGV1OQyjfyUoLbxyR0jvaLUTFvMmtxFsHpJvEc
>>> > VLscWZUvjPbpcg/BH8EWbDUSCJc70EZMW6TpjyL+1Eq6+n4KB+IWDnn603U3vYFj
>>> > ExVfg2CqTIzC/mxAGQ/lg1ujKBnL/VemGpjZzL8jyYVLhAtASTWnwuaL1Sf2kCYh
>>> > fApP+06YxkQ39BrJmi7Dg6s5zeRu4le57kPLVAGK0ZYRbaq5asAi9Ni5j/ZLdh/b
>>> > F3oUgAOTPQtqbi8AAwUH/1n9jpOXRX7LsfsI5K4gVhHYPUYuy5WuRRxJZ6Y1JbOq
>>> > UfePLg+cutaxE8RAvEY1VZvNTvEt7UYPoA3qR3lb4IzLqJimbbKGhhVdHIOYLGnz
>>> > nxiwfo4S+my9GEYKLb3iHIR1DCfihhDryVlFYGAMCPNh0w2sNSSenP4cZBuD6V1J
>>> > QLitW9aZoURMvtFYU8aO/BlZ7hVlRVNU5juwwAM5t2n2gBeRhMthaAR7OApDypvB
>>> > 1TM+BeSDchieEAFNkX4leSMbFgP3CJmAXMJXKj8MQmsR8gdccUHGplGFI6IzNklm
>>> > L/eWLdhAZsM+LsAo4MpoJzPoQyFIH7wmIPm4b/z7YZmISQQYEQIACQUCRjaq7wIb
>>> > DAAKCRAb4dzwEzSi9XiWAKCdDtdnTW9X/6rHxQL/obNiZsEtEwCgrlmYisNacJyf
>>> > 74k/eLaYWYqu7YI=
>>> > =8HMA
>>> > -----END PGP PUBLIC KEY BLOCK-----
>>> >
>>> > ----- Original Message -----
>>> > From: "Haroon" <itguy.pro@gmail.com>
>>> > To: "Joe Astorino" <joe_astorino@comcast.net>
>>> > Cc: "Cisco certification" <ccielab@groupstudy.com>
>>> > Sent: Tuesday, March 31, 2009 11:34:15 AM GMT -05:00 US/Canada Eastern
>>> > Subject: Re: Second LAN Interface on ASA 5510
>>> >
>>> > Well, I did that, I can reach the 172.16.10.1 address on ASA, but it
>>> > doesn't go anywhere after that to the load balancer (192.168.100.1) or even
>>> > the 10.10.0.x network, where the web servers are.
>>> >
>>> > Thanks,
>>> >
>>> > Haroon
>>> >
>>> > On Tue, Mar 31, 2009 at 11:22 AM, Joe Astorino <joe_astorino@comcast.net> wrote:
>>> >
>>> >> So maybe I am missing something, why not just put a static route there
>>> >> that points the users from 192.168.1.x heading towards the web servers, to
>>> >> the ASA
>>> >>
>>> >>
>>> >>
>>> >> ----- Original Message -----
>>> >> From: "itguy pro" <itguy.pro@gmail.com>
>>> >> To: "Joe Astorino" <joe_astorino@comcast.net>
>>> >> Cc: "Cisco certification" <ccielab@groupstudy.com>
>>> >> Sent: Tuesday, March 31, 2009 11:20:08 AM GMT -05:00 US/Canada Eastern
>>> >> Subject: Re: Second LAN Interface on ASA 5510
>>> >>
>>> >> Hi joe,
>>> >>
>>> >> That is what we are trying to set up now... They shouldn't be going out
>>> >> to get to the 10.10.0.x subnet.
>>> >>
>>> >>
>>> >> Thanks
>>> >>
>>> >> Sent via BlackBerry from T-Mobile
>>> >>
>>> >> ------------------------------
>>> >> *From*: Joe Astorino
>>> >> *Date*: Tue, 31 Mar 2009 15:17:05 +0000 (UTC)
>>> >> *To*: Haroon<itguy.pro@gmail.com>
>>> >> *Subject*: Re: Second LAN Interface on ASA 5510
>>> >>
>>> >> Forgive me because I'm not really an ASA guy (yet), but I am wondering,
>>> >> why are the users on 192.168.1.x routing out to the internet to get to a
>>> >> private internal subnet? Is there some sort of NAT going on or something?
>>> >> Why not solve the problem using normal routing?
>>> >>
>>> >>
>>> >>
>>> >> ----- Original Message -----
>>> >> From: "Haroon" <itguy.pro@gmail.com>
>>> >> To: "Cisco certification" <ccielab@groupstudy.com>
>>> >> Sent: Tuesday, March 31, 2009 11:06:31 AM GMT -05:00 US/Canada Eastern
>>> >> Subject: Second LAN Interface on ASA 5510
>>> >>
>>> >> Hello Experts,
>>> >>
>>> >> We phased out our PIX recently and upgraded to an ASA 5510. I was able to
>>> >> convert the config over from the PIX and everything seems to be working fine
>>> >> (A to B on the diagram). Now, I want to connect a 3rd interface on the ASA
>>> >> to our corporate LAN, where staff users on desktops access web servers on
>>> >> the 10.10.0.x subnet. Right now they are going out to the internet (R-2)
>>> >> and then coming back in through R-1. I need to be able to reach the
>>> >> 10.10.0.x subnet from 192.168.1.x (Y to Z on the diagram) without breaking
>>> >> the main config (A to B) on the ASA.
>>> >>
>>> >> Here is a diagram:
>>> >> http://www.ccie.pro/ASA-RT.jpg
>>> >> (asa config available upon request)
>>> >>
>>> >> I can ping the 172.16.10.x addresses from where the desktops are... any
>>> >> hints would be greatly appreciated.
>>> >>
>>> >> Thanks,
>>> >>
>>> >> Haroon
>>> >>
>>> >>
>>> >> Blogs and organic groups at http://www.ccie.net
>>> >>
>>> >> _______________________________________________________________________
>>> >> Subscription information may be found at:
>>> >> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>




This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART
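
An added example, not from the thread or from Cisco: a small Python checker that parses the ASA 8.0 lines quoted above and flags the three things the replies converge on: two interfaces at the same security level without `same-security-traffic permit inter-interface`, internal subnets (192.168.1.0/24 behind R2, 10.10.0.0/24 behind the load balancer) whose only route on the ASA is the default toward Outside, and a `nat` rule whose traffic toward the other LAN interface has no matching `global` there and no `nat 0` exemption, which is the "NAT'd or seen as itself" question in the reply. The sample config is trimmed from the one posted in the thread; the remediation lines, the R2 next hop 172.16.10.2 and the NONAT access-list name are assumptions (the thread only gives the ASA end of the 172.16.10.0/30 link).

```python
import ipaddress
import re

# Constructed sample: interface, NAT and route lines trimmed from the config posted in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 12.12.12.26 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
 nameif CorpLAN
 security-level 100
 ip address 172.16.10.1 255.255.255.252
!
global (Outside) 1 12.12.12.227
nat (Inside) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 12.12.12.25 1
"""

# Hypothetical remediation appended to the sample. The R2 next hop 172.16.10.2 and the
# NONAT list name are assumptions; the thread only shows the ASA side of the /30.
FIXED_CONFIG = SAMPLE_CONFIG + """\
same-security-traffic permit inter-interface
route CorpLAN 192.168.1.0 255.255.255.0 172.16.10.2 1
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (Inside) 0 access-list NONAT
"""

def parse_config(text):
    """Collect named interfaces, static routes, nat/global ids and same-security settings."""
    cfg = {"interfaces": {}, "routes": [], "nat": [], "globals": [], "same_security": set()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"security": None, "ip": None}
        elif line == "!":
            current = None
        elif current is not None:  # inside an interface block
            if line.startswith("nameif "):
                cfg["interfaces"][line.split()[1]] = current
            elif line.startswith("security-level "):
                current["security"] = int(line.split()[1])
            elif line.startswith("ip address "):
                _, _, ip, mask = line.split()[:4]
                current["ip"] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif line.startswith("route "):
            _, iface, net, mask, nexthop = line.split()[:5]
            cfg["routes"].append((iface, ipaddress.ip_network(f"{net}/{mask}"), nexthop))
        elif line.startswith("same-security-traffic permit "):
            cfg["same_security"].add(line.split()[-1])
        elif (m := re.match(r"(nat|global) \((\S+)\) (\d+)", line)):
            cfg["globals" if m.group(1) == "global" else "nat"].append((m.group(2), int(m.group(3))))
    # Only interfaces that carry an address can forward traffic.
    cfg["interfaces"] = {n: i for n, i in cfg["interfaces"].items() if i["ip"]}
    return cfg

def same_security_pairs(cfg):
    """Interface pairs sharing a security level; traffic between them needs the inter-interface permit."""
    ifcs, names = cfg["interfaces"], sorted(cfg["interfaces"])
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifcs[a]["security"] == ifcs[b]["security"]]

def resolve_route(cfg, dest):
    """Longest-prefix match over connected networks and static routes -> (egress, next hop)."""
    dest = ipaddress.ip_address(dest)
    candidates = [(i["ip"].network, n, "connected") for n, i in cfg["interfaces"].items()]
    candidates += [(net, iface, nh) for iface, net, nh in cfg["routes"]]
    matches = [c for c in candidates if dest in c[0]]
    if not matches:
        return None
    _, iface, nh = max(matches, key=lambda c: c[0].prefixlen)
    return iface, nh

def audit(cfg, internal_subnets):
    """Findings for the three failure modes discussed in the thread."""
    findings = []
    pairs = same_security_pairs(cfg)
    if pairs and "inter-interface" not in cfg["same_security"]:
        findings.append(f"same-security: {pairs} share a level but "
                        "'same-security-traffic permit inter-interface' is missing")
    for subnet in internal_subnets:
        net = ipaddress.ip_network(subnet)
        hop = resolve_route(cfg, str(net.network_address + 1))
        if hop and hop[0] == "Outside":
            findings.append(f"routing: {subnet} resolves to {hop[0]} via {hop[1]}; "
                            "traffic to this internal subnet follows the default route out")
    # Direction-agnostic simplification: any 'nat (X) 0 access-list' counts as an exemption.
    has_exemption = any(nid == 0 for _, nid in cfg["nat"])
    for src, nid in cfg["nat"]:
        for dst in cfg["interfaces"]:
            if nid and dst != src and (dst, nid) not in cfg["globals"] and not has_exemption:
                findings.append(f"nat: {src} -> {dst} matches 'nat ({src}) {nid}' but {dst} has no "
                                f"'global' {nid} and there is no 'nat 0' exemption")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG), ["192.168.1.0/24", "10.10.0.0/24"]):
        print("-", finding)
```

Run against the posted lines it reports four findings; with the hypothetical remediation appended, only 10.10.0.0/24 stays flagged. That is deliberate: as the reply notes, the load balancer is NATing that network behind Inside, so whether the ASA should route to it directly is a design decision the thread has not settled. The NAT check is intentionally coarse (any `nat 0` counts as an exemption); it is there to surface the question of whether Inside-to-CorpLAN traffic is meant to be translated or seen as itself, not to validate the exact exemption list.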