Re: Second LAN Interface on ASA 5510

From: Haroon <itguy.pro_at_gmail.com>
Date: Sat, 4 Apr 2009 16:50:31 -0400

Thank you everyone. I've been really busy so I haven't had time to reply
back or try some of your recommendations but I sure will and report back.

Thank you!!!

Haroon

On Tue, Mar 31, 2009 at 2:33 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:

> Haroon,
> from what I see, you do NAT between those interfaces. Try not to. You don't
> need this extra complication since you have declared both Inside and CorpLAN
> as security level 100. You don't seem to have any address space overlap etc.
> I don't see any point in doing any NAT for this traffic.
>
> Try to use
> nat (Inside) 0 access-list acl1
> nat (CorpLAN) 0 access-list acl2
> where acl1/acl2 are ACLs that include source-destination for those subnets in
> both directions.
>
> HTH
> A.
>
>
>
> Haroon wrote:
>
>> Thanks Ryan. There were routes in there from R2 to ASA and ASA to R2... I've
>> removed them recently.
>>
>> Here is the current config:
>>
>>
>> Firewall-5510# show config
>> : Saved
>> : Written by at 19:44:43.168 EST Tue Feb 17 2009
>> !
>> ASA Version 8.0(4)
>> !
>> hostname Firewall-5510
>> domain-name corp.domain.com
>> names
>> !
>> interface Ethernet0/0
>> description Connected to the internet
>> nameif Outside
>> security-level 0
>> ip address 12.12.12.26 255.255.255.224
>>
>> !
>> interface Ethernet0/1
>> description Connected to inside, to Load Balancer
>> nameif Inside
>> security-level 100
>> ip address 192.168.100.1 255.255.255.0
>>
>> !
>> interface Ethernet0/2
>> description Corp LAN connection to 2821-2 Router
>> nameif CorpLAN
>> security-level 100
>> ip address 172.16.10.1 255.255.255.252
>>
>> !
>> interface Ethernet0/3
>> shutdown
>> no nameif
>> no security-level
>> no ip address
>> !
>> interface Management0/0
>> shutdown
>> nameif management
>> security-level 100
>> no ip address
>> ospf cost 10
>> management-only
>> !
>> boot system disk0:/asa804-k8.bin
>> ftp mode passive
>> clock timezone EST -5
>> clock summer-time EDT recurring
>> dns server-group DefaultDNS
>> domain-name corp.domain.com
>> access-list 100 remark allows INSIDE hosts to PING OUT
>> access-list 100 extended permit icmp any any echo-reply
>> access-list 100 extended permit icmp any any time-exceeded
>> access-list 100 extended permit icmp any any unreachable
>> access-list 100 remark XYZ Extranet Start
>> access-list 100 extended permit tcp any host 12.12.12.28 eq www
>> access-list 100 extended permit tcp any host 12.12.12.28 eq https
>> access-list 100 remark MYCampus Start
>> access-list 100 extended permit tcp any host 12.12.12.29 eq www
>> access-list 100 extended permit tcp any host 12.12.12.29 eq ftp
>> access-list 100 remark XYZ WEBSite Start
>> access-list 100 extended permit tcp any host 12.12.12.32 eq www
>> access-list 100 extended permit tcp any host 12.12.12.32 eq ftp
>> access-list 100 extended permit tcp any host 12.12.12.32 eq 3389
>> access-list 100 extended permit tcp any host 12.12.12.32 eq https
>> access-list 100 extended permit tcp any host 12.12.12.32 eq 1433
>> access-list 100 remark ABC EXTRANET Start
>> access-list 100 extended permit tcp any host 12.12.12.52 eq www
>> access-list 100 extended permit tcp any host 12.12.12.52 eq https
>> access-list 100 remark ABC MYCAMPUS Start
>> access-list 100 extended permit tcp any host 12.12.12.51 eq www
>> access-list 100 extended permit tcp any host 12.12.12.51 eq ftp
>> access-list 100 extended permit tcp any host 12.12.12.51 eq 8080
>> access-list 100 extended permit tcp any host 12.12.12.51 eq 8099
>> access-list 100 remark ABC WEBSITE Start
>> access-list 100 extended permit tcp any host 12.12.12.50 eq www
>> access-list 100 extended permit tcp any host 12.12.12.50 eq ftp
>> access-list 100 extended permit tcp any host 12.12.12.50 eq https
>> access-list 100 remark ALL OTHERS
>> access-list 100 extended permit tcp any host 12.12.12.47 eq www
>> access-list 100 extended permit tcp any host 12.12.12.47 eq ftp
>> access-list 100 extended permit tcp any host 12.12.12.48 eq 8080
>> access-list 100 extended permit tcp any host 12.12.12.29 eq 8080
>> access-list 100 extended permit tcp any host 12.12.12.40 eq www
>> access-list 100 extended permit tcp any host 12.12.12.40 eq ftp
>> access-list 100 extended permit tcp any host 12.12.12.46 eq www
>> access-list 100 extended permit tcp any host 12.12.12.41 eq www
>> access-list 100 extended permit tcp any host 12.12.12.41 eq pop3
>> access-list 100 extended permit tcp any host 12.12.12.41 eq smtp
>> access-list 100 extended permit tcp any host 12.12.12.27 eq www
>> access-list 100 extended permit tcp any host 12.12.12.38 eq www
>> access-list 100 extended permit tcp any host 12.12.12.39 eq www
>> access-list 100 extended permit tcp any host 12.12.12.33 eq www
>> access-list 100 extended permit tcp any host 12.12.12.34 eq www
>> access-list 100 extended permit tcp any host 12.12.12.35 eq www
>> access-list CorpLAN_access_in extended permit icmp 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
>> access-list CorpLAN_access_in extended permit icmp 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
>> access-list Inside_access_in extended permit ip 172.16.10.0 255.255.255.252 192.168.100.0 255.255.255.0
>> access-list Inside_access_in extended permit ip 192.168.100.0 255.255.255.0 172.16.10.0 255.255.255.252
>> pager lines 24
>> logging enable
>> logging asdm informational
>> mtu Outside 1500
>> mtu Inside 1500
>> mtu CorpLAN 1500
>> mtu management 1500
>> ip verify reverse-path interface Outside
>> no failover
>> icmp unreachable rate-limit 1 burst-size 1
>> asdm image disk0:/asdm-615.bin
>> no asdm history enable
>> arp timeout 14400
>> global (Outside) 1 12.12.12.227
>> nat (Inside) 1 0.0.0.0 0.0.0.0
>> static (Inside,Outside) 12.12.12.28 192.168.100.254 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.29 192.168.100.252 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.30 192.168.100.13 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.31 192.168.100.14 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.32 192.168.100.251 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.40 192.168.100.210 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.41 192.168.100.80 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.46 192.168.100.215 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.47 192.168.100.247 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.48 192.168.100.20 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.49 192.168.100.249 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.50 192.168.100.233 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.51 192.168.100.234 netmask 255.255.255.255
>> static (Inside,Outside) 12.12.12.52 192.168.100.235 netmask 255.255.255.255
>> access-group 100 in interface Outside
>> access-group Inside_access_in in interface Inside
>> access-group CorpLAN_access_in in interface CorpLAN
>> !
>> route Outside 0.0.0.0 0.0.0.0 12.12.12.25 1
>> timeout xlate 3:00:00
>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
>> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
>> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
>> dynamic-access-policy-record DfltAccessPolicy
>> http server enable
>> http 192.168.1.0 255.255.255.0 CorpLAN
>> no snmp-server location
>> no snmp-server contact
>> snmp-server enable traps snmp authentication linkup linkdown coldstart
>> crypto ipsec security-association lifetime seconds 28800
>> crypto ipsec security-association lifetime kilobytes 4608000
>> client-update enable
>> telnet 192.168.100.0 255.255.255.0 Inside
>> telnet 172.16.10.0 255.255.255.0 CorpLAN
>> telnet 192.168.1.0 255.255.255.0 management
>> telnet timeout 60
>> ssh timeout 5
>> console timeout 0
>> threat-detection basic-threat
>> threat-detection statistics
>> threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
>> username ABCuser password
>> !
>> class-map inspection_default
>> match default-inspection-traffic
>> !
>> !
>> policy-map type inspect dns preset_dns_map
>> parameters
>> message-length maximum 512
>> policy-map global_policy
>> class inspection_default
>> inspect dns preset_dns_map
>> inspect ftp
>> inspect h323 h225
>> inspect h323 ras
>> inspect rsh
>> inspect rtsp
>> inspect esmtp
>> inspect sqlnet
>> inspect skinny
>> inspect sunrpc
>> inspect xdmcp
>> inspect sip
>> inspect netbios
>> inspect tftp
>> !
>> service-policy global_policy global
>> !
>>
>> On Tue, Mar 31, 2009 at 11:49 AM, Ryan DeBerry <rdeberry_at_gmail.com> wrote:
>>
>>> Need to see the config or portions of it.
>>>
>>> Is there any NAT'ing in place between the 2 environments?
>>>
>>> Route should be added to R2
>>> Route should be added to ASA
>>>
>>>
>>>
>>>
>>> On Tue, Mar 31, 2009 at 3:41 PM, Haroon <itguy.pro_at_gmail.com> wrote:
>>>
>>>
>>>
>>>> Correct. I've tried putting static route on ASA going back to the
>>>> 192.168.1.x network, I've tried access list in/out, etc. but no go.
>>>>
>>>>
>>>>
>>>> On Tue, Mar 31, 2009 at 11:36 AM, Joe Astorino <joe_astorino_at_comcast.net> wrote:
>>>>
>>>>> I'm assuming you have checked your routing going BACK to the 192.168.1.x
>>>>> network from the LB and ASA?
>>>>>
>>>>> "He not busy being born is busy dying" -- Dylan
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Haroon" <itguy.pro_at_gmail.com>
>>>>> To: "Joe Astorino" <joe_astorino_at_comcast.net>
>>>>> Cc: "Cisco certification" <ccielab_at_groupstudy.com>
>>>>> Sent: Tuesday, March 31, 2009 11:34:15 AM GMT -05:00 US/Canada Eastern
>>>>> Subject: Re: Second LAN Interface on ASA 5510
>>>>>
>>>>> Well, I did that, I can reach the 172.16.10.1 address on ASA, but it
>>>>> doesn't go anywhere after that to the load balancer (192.168.100.1) or even
>>>>> the 10.10.0.x network, where the web servers are.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Haroon
>>>>>
>>>>> On Tue, Mar 31, 2009 at 11:22 AM, Joe Astorino <joe_astorino_at_comcast.net> wrote:
>>>>>
>>>>>> So maybe I am missing something, why not just put a static route there
>>>>>> that points the users from 192.168.1.x heading towards the web servers, to
>>>>>> the ASA
>>>>>>
>>>>>> "He not busy being born is busy dying" -- Dylan
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "itguy pro" <itguy.pro_at_gmail.com>
>>>>>> To: "Joe Astorino" <joe_astorino_at_comcast.net>
>>>>>> Cc: "Cisco certification" <ccielab_at_groupstudy.com>
>>>>>> Sent: Tuesday, March 31, 2009 11:20:08 AM GMT -05:00 US/Canada Eastern
>>>>>> Subject: Re: Second LAN Interface on ASA 5510
>>>>>>
>>>>>> Hi Joe,
>>>>>>
>>>>>> That is what we are trying to set up now... They shouldn't be going out to
>>>>>> get to the 10.10.0.x subnet.
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Sent via BlackBerry from T-Mobile
>>>>>>
>>>>>> ------------------------------
>>>>>> *From*: Joe Astorino
>>>>>> *Date*: Tue, 31 Mar 2009 15:17:05 +0000 (UTC)
>>>>>> *To*: Haroon<itguy.pro_at_gmail.com>
>>>>>> *Subject*: Re: Second LAN Interface on ASA 5510
>>>>>>
>>>>>> Forgive me because I'm not really an ASA guy (yet), but I am wondering,
>>>>>> why are the users on 192.168.1.x routing out to the internet to get to a
>>>>>> private internal subnet? Is there some sort of NAT going on or something?
>>>>>> Why not solve the problem using normal routing?
>>>>>>
>>>>>> "He not busy being born is busy dying" -- Dylan
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Haroon" <itguy.pro_at_gmail.com>
>>>>>> To: "Cisco certification" <ccielab_at_groupstudy.com>
>>>>>> Sent: Tuesday, March 31, 2009 11:06:31 AM GMT -05:00 US/Canada Eastern
>>>>>> Subject: Second LAN Interface on ASA 5510
>>>>>>
>>>>>> Hello Experts,
>>>>>>
>>>>>> We phased out our PIX recently and upgraded to ASA 5510. I was able to
>>>>>> convert the config over from PIX and everything seems to be working fine (A
>>>>>> to B on diagram). Now, I want to connect 3rd interface on ASA to our
>>>>>> corporate LAN where staff users on desktops access web servers on 10.10.0.x
>>>>>> subnet. Right now they are going out to the internet (R-2) and then coming
>>>>>> back into the R-1. I need to be able to reach 10.10.0.x subnet from
>>>>>> 192.168.1.x (Y to Z on diagram) without breaking the main config (A to B) on
>>>>>> the ASA.
>>>>>>
>>>>>> Here is a diagram:
>>>>>> http://www.ccie.pro/ASA-RT.jpg
>>>>>> (asa config available upon request)
>>>>>>
>>>>>> I can ping the 172.16.10.x addresses from where the desktops are... any
>>>>>> hints would be greatly appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Haroon
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>>
>>>>>>
>>>>
>>>>
>>>
>>

Received on Sat Apr 04 2009 - 16:50:31 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART
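
An added example, not part of the thread or any poster's code: a Python check of the posted configuration for the two conditions the replies circle around, namely where traffic for 192.168.1.x and 10.10.0.x actually leaves the ASA, and Inside and CorpLAN sharing security level 100. The /24 masks, the `WANTED` mapping and all function names are assumptions; the second check relies on the ASA default of dropping traffic between equal-level interfaces unless `same-security-traffic permit inter-interface` is configured.

```python
import ipaddress
from itertools import combinations
SAMPLE = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
 nameif CorpLAN
 security-level 100
 ip address 172.16.10.1 255.255.255.252
interface Management0/0
 shutdown
 nameif management
 security-level 100
route Outside 0.0.0.0 0.0.0.0 12.12.12.25 1
"""  # constructed excerpt of the configuration posted in the thread
WANTED = {"192.168.1.0/24": "CorpLAN", "10.10.0.0/24": "Inside"}  # assumed /24 masks

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(cfg):
    # Collect interface attributes and static routes from 'show config' text.
    ifaces, routes, cur = [], [], {}
    for w in filter(None, map(str.split, cfg.splitlines())):
        if w[0] == "interface":
            ifaces.append(cur := {"up": True})
        elif w[0] == "route" and len(w) >= 5:
            routes.append((net(w[2], w[3]), w[1]))
        elif w[0] == "shutdown":
            cur["up"] = False
        elif w[0] in ("nameif", "security-level") and len(w) > 1:
            cur[w[0]] = w[1]
        elif w[:2] == ["ip", "address"] and len(w) >= 4 and w[2][0].isdigit():
            cur["net"] = net(w[2], w[3])
    return ifaces, routes

def egress(dest, ifaces, routes):
    # Longest-prefix match over connected networks and static routes.
    dest = ipaddress.ip_network(dest)
    table = [(i["net"], i["nameif"]) for i in ifaces if "net" in i] + routes
    hits = [(n.prefixlen, ifc) for n, ifc in table if dest.subnet_of(n)]
    return max(hits)[1] if hits else None

def audit(cfg, wanted=WANTED):
    ifaces, routes = parse(cfg)
    live = [i for i in ifaces if i["up"] and "nameif" in i]  # skip shutdown/unnamed
    out = [f"{d}: leaves via {egress(d, live, routes)}, expected {w}"
           for d, w in wanted.items() if egress(d, live, routes) != w]
    # ASA drops traffic between equal-level interfaces unless this is set.
    if "same-security-traffic permit inter-interface" not in cfg:
        out += [f"{a['nameif']}<->{b['nameif']}: same security-level, blocked"
                for a, b in combinations(live, 2)
                if a.get("security-level") == b.get("security-level")]
    return out
```

Run against the excerpt, `audit(SAMPLE)` reports both remote networks following the default route out of Outside and the Inside/CorpLAN pair; the shut-down management interface is ignored.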