From: Alexei Monastyrnyi (alexeim73@gmail.com)
Date: Tue Mar 31 2009 - 15:33:24 ART
Haroon,
From what I see, you do NAT between those interfaces. Try not to. You
don't need this extra complication since you have declared both Inside
and CorpLAN as security level 100. You don't seem to have any address
space overlap etc. I don't see any point in doing any NAT for this traffic.
Try to use
nat (Inside) 0 access-list acl1
nat (CorpLAN) 0 access-list acl2
where acl1/acl2 are ACLs that include source-destination for those subnets in
both directions.
HTH
A.
Haroon wrote:
> Thanks Ryan, there were routes in there from R2 to ASA and ASA to R2... I've
> removed them recently.
>
> Here is the current config:
>
>
> Firewall-5510# show config
> : Saved
> : Written by at 19:44:43.168 EST Tue Feb 17 2009
> !
> ASA Version 8.0(4)
> !
> hostname Firewall-5510
> domain-name corp.domain.com
> names
> !
> interface Ethernet0/0
> description Connected to the internet
> nameif Outside
> security-level 0
> ip address 12.12.12.26 255.255.255.224
>
> !
> interface Ethernet0/1
> description Connected to inside, to Load Balancer
> nameif Inside
> security-level 100
> ip address 192.168.100.1 255.255.255.0
>
> !
> interface Ethernet0/2
> description Corp LAN connection to 2821-2 Router
> nameif CorpLAN
> security-level 100
> ip address 172.16.10.1 255.255.255.252
>
> !
> interface Ethernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Management0/0
> shutdown
> nameif management
> security-level 100
> no ip address
> ospf cost 10
> management-only
> !
> boot system disk0:/asa804-k8.bin
> ftp mode passive
> clock timezone EST -5
> clock summer-time EDT recurring
> dns server-group DefaultDNS
> domain-name corp.domain.com
> access-list 100 remark allows INSIDE hosts to PING OUT
> access-list 100 extended permit icmp any any echo-reply
> access-list 100 extended permit icmp any any time-exceeded
> access-list 100 extended permit icmp any any unreachable
> access-list 100 remark XYZ Extranet Start
> access-list 100 extended permit tcp any host 12.12.12.28 eq www
> access-list 100 extended permit tcp any host 12.12.12.28 eq https
> access-list 100 remark MYCampus Start
> access-list 100 extended permit tcp any host 12.12.12.29 eq www
> access-list 100 extended permit tcp any host 12.12.12.29 eq ftp
> access-list 100 remark XYZ WEBSite Start
> access-list 100 extended permit tcp any host 12.12.12.32 eq www
> access-list 100 extended permit tcp any host 12.12.12.32 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.32 eq 3389
> access-list 100 extended permit tcp any host 12.12.12.32 eq https
> access-list 100 extended permit tcp any host 12.12.12.32 eq 1433
> access-list 100 remark ABC EXTRANET Start
> access-list 100 extended permit tcp any host 12.12.12.52 eq www
> access-list 100 extended permit tcp any host 12.12.12.52 eq https
> access-list 100 remark ABC MYCAMPUS Start
> access-list 100 extended permit tcp any host 12.12.12.51 eq www
> access-list 100 extended permit tcp any host 12.12.12.51 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.51 eq 8080
> access-list 100 extended permit tcp any host 12.12.12.51 eq 8099
> access-list 100 remark ABC WEBSITE Start
> access-list 100 extended permit tcp any host 12.12.12.50 eq www
> access-list 100 extended permit tcp any host 12.12.12.50 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.50 eq https
> access-list 100 remark ALL OTHERS
> access-list 100 extended permit tcp any host 12.12.12.47 eq www
> access-list 100 extended permit tcp any host 12.12.12.47 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.48 eq 8080
> access-list 100 extended permit tcp any host 12.12.12.29 eq 8080
> access-list 100 extended permit tcp any host 12.12.12.40 eq www
> access-list 100 extended permit tcp any host 12.12.12.40 eq ftp
> access-list 100 extended permit tcp any host 12.12.12.46 eq www
> access-list 100 extended permit tcp any host 12.12.12.41 eq www
> access-list 100 extended permit tcp any host 12.12.12.41 eq pop3
> access-list 100 extended permit tcp any host 12.12.12.41 eq smtp
> access-list 100 extended permit tcp any host 12.12.12.27 eq www
> access-list 100 extended permit tcp any host 12.12.12.38 eq www
> access-list 100 extended permit tcp any host 12.12.12.39 eq www
> access-list 100 extended permit tcp any host 12.12.12.33 eq www
> access-list 100 extended permit tcp any host 12.12.12.34 eq www
> access-list 100 extended permit tcp any host 12.12.12.35 eq www
> access-list CorpLAN_access_in extended permit icmp 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
> access-list CorpLAN_access_in extended permit icmp 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
> access-list Inside_access_in extended permit ip 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
> access-list Inside_access_in extended permit ip 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
> pager lines 24
> logging enable
> logging asdm informational
> mtu Outside 1500
> mtu Inside 1500
> mtu CorpLAN 1500
> mtu management 1500
> ip verify reverse-path interface Outside
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-615.bin
> no asdm history enable
> arp timeout 14400
> global (Outside) 1 12.12.12.227
> nat (Inside) 1 0.0.0.0 0.0.0.0
> static (Inside,Outside) 12.12.12.28 192.168.100.254 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.29 192.168.100.252 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.30 192.168.100.13 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.31 192.168.100.14 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.32 192.168.100.251 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.40 192.168.100.210 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.41 192.168.100.80 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.46 192.168.100.215 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.47 192.168.100.247 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.48 192.168.100.20 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.49 192.168.100.249 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.50 192.168.100.233 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.51 192.168.100.234 netmask 255.255.255.255
> static (Inside,Outside) 12.12.12.52 192.168.100.235 netmask 255.255.255.255
> access-group 100 in interface Outside
> access-group Inside_access_in in interface Inside
> access-group CorpLAN_access_in in interface CorpLAN
> !
> route Outside 0.0.0.0 0.0.0.0 12.12.12.25 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> http server enable
> http 192.168.1.0 255.255.255.0 CorpLAN
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> client-update enable
> telnet 192.168.100.0 255.255.255.0 Inside
> telnet 172.16.10.0 255.255.255.0 CorpLAN
> telnet 192.168.1.0 255.255.255.0 management
> telnet timeout 60
> ssh timeout 5
> console timeout 0
> threat-detection basic-threat
> threat-detection statistics
> threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
> username ABCuser password
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> !
> service-policy global_policy global
> !
>
> On Tue, Mar 31, 2009 at 11:49 AM, Ryan DeBerry <rdeberry@gmail.com> wrote:
>
>
>> Need to see the config or portions of it.
>>
>> Is there any NAT'ing in place between the 2 environments.
>>
>> Route should be Added to R2
>> Route should be added to ASA
>>
>>
>>
>>
>> On Tue, Mar 31, 2009 at 3:41 PM, Haroon <itguy.pro@gmail.com> wrote:
>>
>>
>>> Correct. I've tried putting static route on ASA going back to the
>>> 192.168.1.x network, I've tried access list in/out, etc. but no go.
>>>
>>>
>>>
>>> On Tue, Mar 31, 2009 at 11:36 AM, Joe Astorino <joe_astorino@comcast.net> wrote:
>>>>
>>>> I'm assuming you have checked your routing going BACK to the 192.168.1.x
>>>> network from the LB and ASA ?
>>>>
>>>> "He not busy being born is busy dying" -- Dylan
>>>>
>>>> ----- Original Message -----
>>>> From: "Haroon" <itguy.pro@gmail.com>
>>>> To: "Joe Astorino" <joe_astorino@comcast.net>
>>>> Cc: "Cisco certification" <ccielab@groupstudy.com>
>>>> Sent: Tuesday, March 31, 2009 11:34:15 AM GMT -05:00 US/Canada Eastern
>>>> Subject: Re: Second LAN Interface on ASA 5510
>>>>
>>>> Well, I did that, I can reach the 172.16.10.1 address on ASA, but it
>>>> doesn't go anywhere after that to the load balancer (192.168.100.1) or
>>>> even the 10.10.0.x network, where the web servers are.
>>>>
>>>> Thanks,
>>>>
>>>> Haroon
>>>>
>>>> On Tue, Mar 31, 2009 at 11:22 AM, Joe Astorino <joe_astorino@comcast.net> wrote:
>>>
>>>>> So maybe I am missing something, why not just put a static route there
>>>>> that points the users from 192.168.1.x heading towards the web servers,
>>>>> to the ASA
>>>>>
>>>>>
>>>>> "He not busy being born is busy dying" -- Dylan
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "itguy pro" <itguy.pro@gmail.com>
>>>>> To: "Joe Astorino" <joe_astorino@comcast.net>
>>>>> Cc: "Cisco certification" <ccielab@groupstudy.com>
>>>>> Sent: Tuesday, March 31, 2009 11:20:08 AM GMT -05:00 US/Canada Eastern
>>>>> Subject: Re: Second LAN Interface on ASA 5510
>>>>>
>>>>> Hi joe,
>>>>>
>>>>> That is what we are trying to set up now... They shouldn't be going out
>>>>> to get to the 10.10.0.x subnet.
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>> Sent via BlackBerry from T-Mobile
>>>>>
>>>>> ------------------------------
>>>>> *From*: Joe Astorino
>>>>> *Date*: Tue, 31 Mar 2009 15:17:05 +0000 (UTC)
>>>>> *To*: Haroon<itguy.pro@gmail.com>
>>>>> *Subject*: Re: Second LAN Interface on ASA 5510
>>>>>
>>>>> Forgive me because I'm not really an ASA guy (yet), but I am wondering,
>>>>> why are the users on 192.168.1.x routing out to the internet to get to a
>>>>> private internal subnet? Is there some sort of NAT going on or something?
>>>>> Why not solve the problem using normal routing?
>>>>>
>>>>>
>>>>> "He not busy being born is busy dying" -- Dylan
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Haroon" <itguy.pro@gmail.com>
>>>>> To: "Cisco certification" <ccielab@groupstudy.com>
>>>>> Sent: Tuesday, March 31, 2009 11:06:31 AM GMT -05:00 US/Canada Eastern
>>>>> Subject: Second LAN Interface on ASA 5510
>>>>>
>>>>> Hello Experts,
>>>>>
>>>>> We phased out our PIX recently and upgraded to ASA 5510. I was able to
>>>>> convert the config over from pix and everything seems to be working fine
>>>>> (A to B on diagram). Now, I want to connect 3rd interface on ASA to our
>>>>> corporate LAN where staff users on desktops access web servers on
>>>>> 10.10.0.x subnet. Right now they are going out to the internet (R-2) and
>>>>> then coming back into the R-1. I need to be able to reach 10.10.0.x subnet
>>>>> from 192.168.1.x (Y to Z on diagram) without breaking the main config
>>>>> (A to B) on the ASA.
>>>>>
>>>>> Here is a diagram:
>>>>> http://www.ccie.pro/ASA-RT.jpg
>>>>> (asa config available upon request)
>>>>>
>>>>> I can ping the 172.16.10.x addresses from where the desktops are... any
>>>>> hints would be greatly appreciated.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Haroon
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:08 ART
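
An added example, not part of the original thread: a small Python check, run over an excerpt of the posted config, of the condition behind the advice at the top of this message (a dynamic `nat` id on one interface with no matching `global` on the equal-security peer and no `nat 0` rule). It goes one step beyond the thread by also flagging a missing `same-security-traffic permit inter-interface`, which ASA requires before interfaces of equal security level can exchange traffic. The ACL names `Inside_nat0` and `CorpLAN_nat0` and the functions `parse` and `audit` are assumptions of this example.

```python
import re

# Excerpt of the ASA 8.0 configuration quoted in this thread.
POSTED = """\
interface Ethernet0/1
 nameif Inside
 security-level 100
interface Ethernet0/2
 nameif CorpLAN
 security-level 100
global (Outside) 1 12.12.12.227
nat (Inside) 1 0.0.0.0 0.0.0.0
"""
# Same excerpt with NAT exemption added; the ACL names are hypothetical.
EXEMPTED = POSTED + """\
access-list Inside_nat0 extended permit ip 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
access-list CorpLAN_nat0 extended permit ip 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0
nat (CorpLAN) 0 access-list CorpLAN_nat0
same-security-traffic permit inter-interface
"""

def parse(cfg):
    """Collect security levels, NAT ids per interface and global pools."""
    levels, nats, pools, same_sec, name = {}, {}, set(), False, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            pools.add((m.group(1), int(m.group(2))))
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nats.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif line == "same-security-traffic permit inter-interface":
            same_sec = True
    return levels, nats, pools, same_sec

def audit(cfg):
    """Return findings for flows between equal-security-level interfaces."""
    levels, nats, pools, same_sec = parse(cfg)
    findings = []
    for src in sorted(levels):
        for dst in sorted(levels):
            if src == dst or levels[src] != levels[dst]:
                continue
            if not same_sec:
                findings.append(f"{src}->{dst}: same-security-traffic not permitted")
            ids = nats.get(src, set())
            # Dynamic NAT ids on src that have no global pool on dst.
            orphan = sorted(i for i in ids if i and (dst, i) not in pools)
            # Simplification: any nat 0 rule on src counts as an exemption.
            if orphan and 0 not in ids:
                findings.append(f"{src}->{dst}: nat id {orphan} has no global ({dst})")
    return findings
```

`audit(POSTED)` returns three findings, including the `Inside->CorpLAN` NAT one; `audit(EXEMPTED)` returns an empty list. The check does not verify that the `nat 0` ACL actually covers the subnets in both directions.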