AnavSarcastic Llama? Naw, Just Acerbic Premium Member join:2001-07-16 Dartmouth, NS 2 edits |
Anav
Premium Member
2012-Mar-15 10:06 am
Re: [HELP] NAT vs Route vs ACL - ASA5505
Okay. Before I tried anything I ran packet tracer with the unit hooked up. GUESS WHAT... It adored my ACLs.... ;-P The problem is NAT. In any case I changed all service ports from both source and destination to JUST source. (I tried just destination and the ASDM config wouldn't let me, something about a conflict with IPv6, which made no sense to me.) Changing the ports from both source and dest to just source made NO difference on packet tracer. Here is the latest run config:
: Saved
:
ASA Version 8.4(3)
!
hostname AgileDevelopment
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -2
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host .98
description Corp Ojbect for access to TFS, OM
object network 3-remote-h
subnet .0.0 255.255.0.0
object network 3-remote-w
subnet .0 255.255.255.0
object network 1-remote
host .4
object network 2-remote
host .133
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp source eq www
object service OM1
service tcp source eq 5080
object service OM2
service tcp source eq 8088
object service OM3
service tcp source eq https
object service TFS
service tcp source eq 8080
object service RDP
service tcp source eq 3389
object service RouterAdmin
service tcp source eq 3334
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object-group network Router-Admin
description Remote access to adjust router settings
network-object object 2-remote
network-object object TrustedInternetUsers
object-group network TFS-usergroup
description dept Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object 3-remote-h
network-object object 3-remote-w
network-object object 1-remote
network-object object 2-remote
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object OM3
service-object object input-port
access-list outside_access_in remark Access to VS-TFS
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in remark Access to Open Meetings
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
access-list outside_access_in remark remote access to VS
pager lines 24
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 3334
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http .133 255.255.255.255 outside
http ab.abc.def.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh .133 255.255.255.255 outside
ssh ab.abc.def.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0
dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns ab.0.0.96 ab.0.0.97 interface main-lan
dhcpd enable main-lan
!
dhcpd dns ab.0.0.96 ab.0.0.97 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns ab.0.0.96 ab.0.0.97 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5- password Xl5915GPBhncsPAQ encrypted
username user3- password mAVJxjP/lM8yc59F encrypted
username user4- password w7V/UFyrOwnQknqm encrypted
username user2- password .NJvJ7zi.ROsatP7 encrypted
username user1- password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9cb5b5e2fb04a7c463aa077743174534
: end
no asdm history enable
Anav, You'd think from that that it was the NAT but I've seen it say that and it hasn't been. Based on the fact that when you open up the ACL completely and it works, I'd definitely say it's your ACL. Have you tried Hellfire's suggestion of putting the port objects at the end? If I get a chance later I'll run a test on mine and see what happens. Is there any reason you have to use the object group for the ports? Something like:
access-list outside_access_in extended permit tcp object-group TFS-usergroup object VS-pcIP eq 5080
access-list outside_access_in extended permit tcp object-group TFS-usergroup object VS-pcIP eq 8088
access-list outside_access_in extended permit tcp object-group TFS-usergroup object VS-pcIP eq https
should work equally well and to my mind is much easier to read.
Paul
Geekball
Ok, just tested on my ASA, from the CLI. If you specify object or object-group as the first argument after the "permit" you cannot put anything else in the ACL. My ASA won't even accept what you've got in your ACL. Just in case you're thinking I'm on a different version:
asa(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)
The only way I can see to do it is:
object-group service OMServiceGroup tcp
port-object eq 5080
port-object eq 8088
port-object eq https
access-list outside_access_in extended permit tcp object-group TFS-usergroup object VS-pcIP object-group OMServiceGroup
In ASDM you can create that group as a "TCP Service Group".
Paul
Anav
Premium Member
2012-Mar-16 6:40 am
okay will try that today as well... much thanks... like I said, ASDM fun.
Edit: Redid packet trace with correct destination. Success, except REAL WORLD test FAILED. Next to try recommendations on ACL format changes. By the way, what the heck is unnat lookup in the packet tracer? It seemed to recognize (for a different packet trace test I did) the NAT rule (5080 80) but did more than just lookup, because at the NAT rule proper, after ACL processing, it used the NAT rule (5080 5080), which is a rule intended for other users that don't have outgoing port restrictions. Very confused.
Anav
Premium Member
2012-Mar-16 9:57 am
HELP? lol
My remark about ACLs is that if I put in an ACL that states (global implicit any any permit), just before the default deny one, the traffic failure above gets through. So I am thinking still it's an ACL issue of sorts... So off to reconfigure if I can. As you can see, through ASDM it's not possible. I simply put in the parameters available and the output is what I get.....^^????? It's a rule applicable to the outside interface. The source is the TFS users (a group of allowed external web IPs). The destination is the real IP (the PC with the server). The service is TFS, in this case a single TCP port.
Anav
Premium Member
2012-Mar-16 11:21 am
Problem solved. Initially my service ports were both source and destination. Upon advice I changed these all to source. (phardcar you owe me a few beers buddy lol)
Today I tried changing them all to destination. Why, you ask? Because when for giggles I wanted to recreate the rule I was testing in CLI - using putty, I simply modified the existing rule by using a default service (Citrex). Lo and behold, for the first time I got a service rule that looked familiar.... ended with "eq citrix."
The moral is, CLI is for dummies, but use it because it will help you in ASDM troubleshooting LOL.
(I then noticed all the default rules were set for destination)
I was able to change all my service ports to destination except ONE, you guessed it, the main one I was testing. I kept getting IPv6 errors when trying to change it to destination. HOW WEIRD is that. So I deleted it and reinserted it.
Packet trace - good. Real test - success. Oh and by the way, my ACL rules did not change format. They were good the whole time; it was my service ports that were effed up.
Thanks for all your patience on round one, now the simple IPsec and SSL VPN saga begins. I hope to heck remote management works LOL.
to Anav
Jeez, and I was JUST about to break out my ASA to try your config this weekend, Anav. Wanna post up the (now working) config?
said by Anav: The moral, is CLI is for dummies but use it because it will help you in ASDM troubleshooting LOL.
...GUI is for Windows, CLI is for *nix and Cisco
said by Anav: Thanks for all your patience on round one
Thanks for sticking it through... so you going to kick Zyxel to the curb now? :razz:
Regards
to Anav
said by Anav: Problem solved. Initially my service ports were both source and destination. Upon advice I changed these all to source. (phardcar you owe me a few beers buddy lol) ... Thanks for all your patience on round one, now the simple ipsec and ssl vpn saga begins. I hope to heck remote managment works LOL.
Haha.. If I'm ever in Canada, you're more than welcome to a few.. Personally, having more of an IOS background, writing the ACLs without the objects is easier for me.. I stick to the CLI rather than ASDM.. ASDM for IPSEC is a bit easier and for editing the SSLVPN policies I'd almost recommend it.. Glad you got it sorted though. I'd be interested to see the final working config too if it's not too much trouble.
Paul
Anav
Premium Member
2012-Mar-17 9:42 am
You guys are great, Bigsy needs a sense of humour ;-P Go Barcelona!!
As promised the least I can do for your help and stamina is to post the running config.
: Saved
:
ASA Version 8.4(3)
!
hostname Thanks-to-HELLFIRE-PHARDACRE
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -2
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host 555.555.555.55
description corp Ojbect for access to TFS, OM
object network 3-remote-h
subnet 11.111.0.0 255.255.0.0
object network 3-remote-w
subnet 22.222.222.0 255.255.255.0
object network 1-remote
host 33.3.333.3
object network 2-remote
host 444.44.444.444
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp destination eq www
object service OM1
service tcp destination eq 5080
object service OM2
service tcp destination eq 8088
object service OM3
service tcp destination eq https
object service RDP
service tcp destination eq 3389
object service RouterAdmin
service tcp destination eq 3334
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object service TFS
service tcp destination eq 8080
object-group network Router-Admin
description Remote access to adjust router settings
network-object object 2-remote
network-object object TrustedInternetUsers
object-group network TFS-usergroup
description dept Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object 3-remote-h
network-object object 3-remote-w
network-object object 1-remote
network-object object 2-remote
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object OM3
service-object object input-port
access-list outside_access_in remark Access to VS-TFS
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in remark Access to Open Meetings
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
pager lines 24
logging enable
logging list EventsListGeneral level informational class auth
logging list EventsListGeneral level informational class config
logging list EventsListGeneral level informational class vpn
logging list EventsListGeneral level informational class webvpn
logging list EventsListGeneral level informational class ssl
logging console informational
logging monitor informational
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 3334
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http 444.444.444.44 255.255.255.255 outside
http ab.abc.def.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh 444.444.444.44 255.255.255.255 outside
ssh ab.abc.def.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0
dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns 22.0.0.0 22.0.0.0 interface main-lan
dhcpd enable main-lan
!
dhcpd dns 22.0.0.0 22.0.0.0 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns 22.0.0.0 22.0.0.0 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5- password Xl5915GPBhncsPAQ encrypted
username user3- password mAVJxjP/lM8yc59F encrypted
username user4- password w7V/UFyrOwnQknqm encrypted
username user2- password .NJvJ7zi.ROsatP7 encrypted
username user1- password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e9330d99905f31e69f15113bae6f095b
: end
no asdm history enable
Anav
Premium Member
2012-Mar-20 9:14 am
Okay, two issues. I should have reported partial success.
Issue 1. Cisco lies. ACLs are NOT performed before NAT. Or, more accurately, they don't mention UNNAT. I have a port translation in NAT for one set of external clients that can use port 80 at corporate but not the desired port of 5080 at the private server behind the ASA 5505 (single public WAN IP). So I ACL ruled port 80 for them but not 5080 (no requirement, right, as NAT is done after ACL). WRONG EFFING WRONG. I had no success with that server for them until this morning when I added... you guessed it, port 5080 to the ACL rule. Checking packet tracer, an unnat process takes place before the ACL, switching the ports, the bugger. SO the moral is the router is frigging with NAT before the ACL rule. In any case I now have all servers seemingly firing on all cylinders. This is based strictly on rudimentary logging in of a number of users but not much functionality. So it remains to be seen.
Issue 2. One particular service port is a pain to switch from source to destination or vice versa, UNLIKE all my other service ports. I do not know why, and here is the error message received:
object service TFS
[ERROR] service tcp destination eq 8080
Object is used in IPv6 access-list outside_access_in. Can't change IP to IPv4.
ERROR: object (TFS) updation failed due to internal error
Now I checked in ACLs and everywhere else. I have no IPv6 anywhere. So WTF, over. I was able to change the name of the service object then change the port number, which let me create a new service object which I then had to insert into the ACL rules and then could delete the now old one. Any geniuses out there that can explain that one?
Issue 3. (just checking to see if anyone noticed I said 2 above LOL) The whole discussion for static NAT, and service port definition. They would NOT work when I chose source and they WORK when I select destination. (They also did not work when I had both source and destination selected in service ports.)
So on one hand there are the experts saying oh lads, you have to put in source, it seems backwards but please do.... and on the other hand you have two facts: one, my setup works with them in destination, and two, EVERY DEFAULT service object uses destination. Conclusion, too many docs, videos, blogs, discussions, forums, and only a vague sense of unease is my reward.
to Anav
For point 3 Anav, the ACL syntax of ASA is as follows :
[permit /deny] [protocol] [source ip(s)] [source port(s)] [destination ip(s)] [destination port(s)]
Plus you have to remember the DIRECTION the ACL is applied (or NAT, or whatever). Not sure how to explain it better or what; I think you already know that a SENDING host would use a port greater than 1023 in all communications, and the RECEIVER would be listening on a specific port -- eg. TCP22/SSH for example. That rule still applies and is part of the syntax in however you construct your config and has to be taken into account.
I'm still wrapping my mind around ASA 8.3 and up -- which you've basically forced me to learn as I'm very comfortable with ASA 8.2, thank you very much -- and the changes Cisco's done to it, so a lot of this is new to me as well.
I'll see what help I can give on your points 1 and 2.
Regards
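The packet path that Hellfire's syntax line and Anav's "Issue 1" describe, as an added Python model written for this thread (it is not from the thread's participants or from Cisco): on ASA 8.3 and later, an inbound connection hitting a static PAT is un-NATted before the interface ACL is evaluated, so the ACE has to name the real server address and real port, and a service object whose port test is on the source side never matches the client's ephemeral port. The addresses (203.0.113.230 for the masked ab.abc.def.230 outside address, 198.51.100.0/24 for TFS-usergroup, 192.0.2.98 for Corporate-user), the client port 51234 and the first-match un-NAT rule order are constructed assumptions that stand in for the thread's values; the real ASA NAT table has ordered sections that this simplification collapses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (documentation ranges) standing in for the thread's
# masked ab.abc.def.x, corporate and remote-user values.
OUTSIDE_IP = "203.0.113.230"        # the ASA's public (mapped) address
SERVER_IP = "192.168.24.34"         # VS-pcIP, the real server behind the ASA
TRUSTED_NET = ("198.51.100.0/24",)  # stands in for TFS-usergroup
CORP_HOST = ("192.0.2.98/32",)      # stands in for Corporate-user


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    """Models 'nat (main-lan,outside) static interface service tcp REAL MAPPED'."""
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int


@dataclass(frozen=True)
class Ace:
    """One permit ACE; port_side records whether the service object tests the
    source or the destination port (the setting the thread went back and forth on)."""
    src_nets: tuple
    dst_ip: str
    port: int
    port_side: str  # "source" or "destination"


def unnat(pkt: Packet, nat_rules) -> Packet:
    """Un-NAT lookup: rewrite the mapped destination to the real server and real
    port before any ACL is consulted. First matching rule wins (a simplification
    of the ASA's NAT table sections); no match leaves the packet untouched."""
    for rule in nat_rules:
        if pkt.dst_ip == rule.mapped_ip and pkt.dst_port == rule.mapped_port:
            return Packet(pkt.src_ip, pkt.src_port, rule.real_ip, rule.real_port)
    return pkt


def acl_permits(pkt: Packet, aces) -> bool:
    """Evaluate the interface ACL top-down against the already un-NATted
    packet; falling off the end is the implicit deny."""
    src = ipaddress.ip_address(pkt.src_ip)
    for ace in aces:
        if not any(src in ipaddress.ip_network(net) for net in ace.src_nets):
            continue
        if pkt.dst_ip != ace.dst_ip:
            continue
        tested = pkt.src_port if ace.port_side == "source" else pkt.dst_port
        if tested == ace.port:
            return True
    return False


def inbound_decision(pkt: Packet, nat_rules, aces):
    """Return (permitted, real_packet) for a packet arriving on 'outside'."""
    real = unnat(pkt, nat_rules)
    return acl_permits(real, aces), real


# Static PATs mirroring the thread's NAT4WWW2OM1, NAT4OM1 and NAT4TFS objects.
NAT_RULES = (
    StaticPat(SERVER_IP, 5080, OUTSIDE_IP, 80),    # service tcp 5080 www
    StaticPat(SERVER_IP, 5080, OUTSIDE_IP, 5080),  # service tcp 5080 5080
    StaticPat(SERVER_IP, 8080, OUTSIDE_IP, 8080),  # service tcp 8080 8080
)

# The same TFS ACE with the service object's port test on each side.
ACL_TFS_SOURCE_PORT = (Ace(TRUSTED_NET, SERVER_IP, 8080, "source"),)
ACL_TFS_DEST_PORT = (Ace(TRUSTED_NET, SERVER_IP, 8080, "destination"),)

# Corporate user reaching OM via public port 80: ACE on 80 vs. on the real port 5080.
ACL_CORP_PORT_80 = (Ace(CORP_HOST, SERVER_IP, 80, "destination"),)
ACL_CORP_PORT_5080 = (Ace(CORP_HOST, SERVER_IP, 5080, "destination"),)

# Constructed inbound packets; 51234 is a typical client ephemeral port.
TFS_PKT = Packet("198.51.100.7", 51234, OUTSIDE_IP, 8080)
CORP_PKT = Packet("192.0.2.98", 51234, OUTSIDE_IP, 80)

if __name__ == "__main__":
    for label, pkt, acl in (
        ("TFS, service object on source port", TFS_PKT, ACL_TFS_SOURCE_PORT),
        ("TFS, service object on destination port", TFS_PKT, ACL_TFS_DEST_PORT),
        ("corp via :80, ACE on port 80", CORP_PKT, ACL_CORP_PORT_80),
        ("corp via :80, ACE on real port 5080", CORP_PKT, ACL_CORP_PORT_5080),
    ):
        ok, real = inbound_decision(pkt, NAT_RULES, acl)
        print(f"{label}: un-NAT -> {real.dst_ip}:{real.dst_port}, "
              f"{'permit' if ok else 'deny (implicit)'}")
```

Running it shows the two failure modes from the thread side by side: the source-port ACE denies the TFS connection because the only port it can ever see on that side is the client's ephemeral one, and the corporate ACE written for public port 80 denies the connection because by the time the ACL runs the destination already reads 192.168.24.34:5080. Comparing such a model against `packet-tracer` output is a cheap way to confirm which phase (UN-NAT or ACCESS-LIST) a real ASA dropped a flow in.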
Anav
Premium Member
2012-Mar-20 1:00 pm
Ahh, the joys of a router company with a multiple personality disorder. Don't forget to actually answer question 3 as well. ;-P Looking forward to you joining me "in the bed" of 8.3!
to Anav
BTW, a link you may want to file for future reference Anav » www.cisco.com/en/US/prod ··· ist.html
Basically it's a collection of all of the config examples Cisco keeps. I've been taking a look at the ones in particular that use 8.3 code and seeing if anything's applicable to you. I'll see if I can squeeze a couple hours this weekend as well to lab this up... suffice to say work's nuts, and spare time is at a premium.
Regards
Anav
Premium Member
2012-Mar-22 11:40 am
thanks hellfire, right now I just need to confirm that my NAT rules are working as they should. I have them as inside, outside rules but the format looks closer to some outside, inside rules. So not sure if I have implemented a format for the wrong direction, or I need to change format and direction, or it is good as it is.
to Anav
@Anav Sorry to report that while the weekend came, it was NOT very relaxing, nor was it very free... so didn't get a chance to lab up your config.
I also wanted to inquire how likely it is for you to legally get ASA code older than you're running, preferably 8.2 if possible?
What you're wanting to do is perfectly doable, and if we can get you a working config, you just have to load it via CLI and walk away...
Regards
Anav
Premium Member
2012-Mar-28 7:17 am
ha, no worries hellfire. Apparently the simple object-embedded NAT I am using is okay for my simple needs. However twice NAT or manual NAT is much sexier and good for when you need to access external servers or perhaps when other internal LANs need access to another internal LAN. Now if I get extra energy I may dabble in twice NAT but really don't have the need. Not going back, that's the past, not a horror I want to relive LOL.
to Anav
So how likely on 8.2 ASA code?
Also have to ask, how close are you to asking your management to ditch the ASA for a Zyxel? If you go that route, I'll gladly take that ASA off your hands...
Regards
Anav
Premium Member
2012-Mar-29 10:58 am
Ha, the unit belongs to the larger corporation and I got it free. No, sticking with it, it's up and running, 8.2 is for losers. ASDM and 8.4 is da bomb.