Need a little cisco asa config help

vxspiritxv ([H]ard|Gawd, joined Feb 10, 2001, 1,610 messages)
I have two internet connections: one for servers, one for home. I tested multiple context mode, but having no remote client VPNs was a deal breaker. So I'm back in single mode with everything working except that I can't access my servers from the 'inside' interface.

Also, if anyone knows how to do 'if outside fails, route everything via att', that would be awesome too. No idea if that's even possible now because of the nature of the outside connection being DHCP.

Code:
ASA Version 9.1(5)21

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1.2
 vlan 2
 nameif servers
 security-level 20
 ip address 10.11.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif att
 security-level 0
 ip address 104.x.x.13 255.255.255.240
!

object network INSIDE-HOSTS
 subnet 192.168.1.0 255.255.255.0
object network WEBSERVER_OUT
 host 104.x.x.10
object network WEBSERVER
 host 10.11.1.12
object network EMAILSERVER
 host 10.11.1.11
object network EMAILSERVER_OUT
 host 104.x.x.9

access-list outside_in extended permit icmp any any
access-list outside_in extended permit udp any any
access-list servers_in extended permit icmp any4 any4
access-list servers_in extended permit tcp any object WEBSERVER eq https
access-list servers_in extended permit tcp any object WEBSERVER eq domain
access-list servers_in extended permit udp any object WEBSERVER eq domain
access-list servers_in extended permit tcp any object WEBSERVER eq www
access-list servers_in extended permit udp any object WEBSERVER eq snmp
access-list servers_in extended permit tcp any object WEBSERVER eq ssh
access-list servers_in extended permit tcp any object EMAILSERVER eq https
access-list servers_in extended permit tcp any object EMAILSERVER eq smtp

no arp permit-nonconnected
route-lookup

nat (servers,att) source static WEBSERVER WEBSERVER_OUT dns
nat (servers,att) source static EMAILSERVER EMAILSERVER_OUT dns

object network INSIDE-HOSTS
 nat (inside,outside) dynamic interface

access-group outside_in in interface outside
access-group servers_in in interface att
route att 0.0.0.0 0.0.0.0 104.x.x.x 10
 
I don't see an access list entry for inside<>servers connectivity so I'd assume your problem is your different security levels. You could also nat your inside onto your servers interface if you wanted.
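A concrete way to write the two options the reply mentions, as an added example that is not part of the thread: an explicit access list bound to the inside interface, and the alternative of hiding inside hosts behind the servers-side interface address. The interface names, object names and subnets are the ones from the posted config; the `inside_in` ACL name and the 192.168.1.50 test host are assumptions.

```cisco
! --- Option 1: explicit inside -> servers policy (added example, not from the thread)
! With no ACL bound to "inside", the ASA already permits traffic from the
! higher security level (inside, 100) to the lower one (servers, 20).
! Once an ACL is bound to "inside", ONLY the listed flows are allowed, so the
! outbound internet traffic from inside must be permitted here too or it breaks.
access-list inside_in extended permit tcp object INSIDE-HOSTS object WEBSERVER eq https
access-list inside_in extended permit tcp object INSIDE-HOSTS object WEBSERVER eq www
access-list inside_in extended permit tcp object INSIDE-HOSTS object WEBSERVER eq ssh
access-list inside_in extended permit tcp object INSIDE-HOSTS object EMAILSERVER eq smtp
access-list inside_in extended permit tcp object INSIDE-HOSTS object EMAILSERVER eq https
access-list inside_in extended permit icmp object INSIDE-HOSTS 10.11.1.0 255.255.255.0
! Everything else from inside to the server VLAN is dropped and logged, then
! normal internet access from inside is kept working.
access-list inside_in extended deny ip any 10.11.1.0 255.255.255.0 log
access-list inside_in extended permit ip object INSIDE-HOSTS any
access-group inside_in in interface inside

! --- Option 2 (alternative): NAT inside onto the servers interface (10.11.1.1).
! INSIDE-HOSTS already carries the (inside,outside) object NAT and a network
! object may hold only one nat line, so this is written as a manual NAT rule.
! It only matches flows leaving via "servers", so the (inside,outside) PAT is untouched.
nat (inside,servers) source dynamic INSIDE-HOSTS interface

! --- Checks: simulate an inside host (assumed 192.168.1.50) reaching the web
! server on 443, then confirm which ACL lines and NAT rules are being hit.
packet-tracer input inside tcp 192.168.1.50 40000 10.11.1.12 443
show access-list inside_in
show nat detail
```

The `packet-tracer` output shows each phase (route lookup, ACL, NAT) and names the line that dropped the packet, which narrows the problem faster than guessing at security levels. Both options assume inside hosts reach the servers by their 10.11.1.x addresses: the posted static NATs translate only between `servers` and `att`, so the 104.x.x.x addresses do not apply to traffic arriving on `inside`.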
 