Velocity Reviews - Computer Hardware Reviews

ASA 5510

 
 
Arek Czereszewski
06-08-2006
Hi all,

I have a strange situation with the ASA.
When I have 5 workstations connected, everything works fine.
LAN 192.168.0.0/24 has WWW, my DNS, my pop3/smtp.
Part of my config:

object-group service strony tcp
port-object eq www
port-object eq https
object-group service poczta tcp
port-object eq smtp
port-object eq pop3
port-object eq 995

access-list inside_access_in extended permit udp 192.168.0.0 255.255.255.0 host my_DNS eq domain
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host my_mail_server object-group poczta
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any object-group strony

nat-control
global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88

Servers in the DMZ work fine.

But when I connect the whole network (~150 workstations) to the ASA,
I get a lot of these records in the log:
3|Jun 08 2006 11:03:17|305006: portmap translation creation failed for udp src inside:192.168.0.31/2609 dst outside:my_DNS_SERVER/53

What can be wrong? Where can I look for a solution?

With regards
Arek

--
Arek Czereszewski
"UNIX is like a wigwam:
no windows, no gates, apache inside."
 
SAto
06-08-2006

Arek Czereszewski wrote:

> global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88


If I'm not missing something here, you are only NATing and not PATing anything.
That would mean that only three workstations can have access to the
external network at one time, one for each of x.x.x.86, x.x.x.87 and
x.x.x.88; any further will not be able to NAT.

However you could do this:

global (outside) 100 213.x.x.86-213.x.x.87
global (outside) 100 213.x.x.88
nat (inside) 100 0.0.0.0 0.0.0.0 0 0

This would NAT the first two hosts to .86 and .87, then PAT all the others to .88.

Hope this was helpful

-SAto

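A small model of the pool-exhaustion behaviour described above, added here as an illustration and not code from the thread or from Cisco: with only a three-address NAT pool the fourth inside host gets no translation (the condition behind the 305006 log line), while a trailing single-address global entry lets every further host share .88 through PAT. The 203.0.113.x addresses stand in for the poster's 213.xxx.xxx.x range, and the `Asa`/`simulate` names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class NatPool:
    """A range-style 'global (outside) 100 a.b.c.86-a.b.c.88': one public address per inside host."""
    addresses: List[str]
    used: Dict[str, str] = field(default_factory=dict)  # inside ip -> public ip

@dataclass
class PatAddress:
    """A single-address 'global (outside) 100 a.b.c.88': many inside hosts share it by port."""
    address: str
    next_port: int = 1024  # first translated port this model hands out (assumption)

class Asa:  # hypothetical name: a minimal model of the translation logic, not Cisco code
    def __init__(self, entries: List[Union[NatPool, PatAddress]]):
        self.entries = entries  # global entries for the same id, tried in order
        self.syslog: List[str] = []

    def translate(self, src_ip: str, src_port: int, dst: str) -> Optional[Tuple[str, int]]:
        for entry in self.entries:
            if isinstance(entry, NatPool):
                if src_ip in entry.used:  # existing one-to-one mapping is reused
                    return entry.used[src_ip], src_port
                free = [a for a in entry.addresses if a not in entry.used.values()]
                if free:
                    entry.used[src_ip] = free[0]
                    return free[0], src_port
            else:  # PAT: same address, a fresh port per flow
                port, entry.next_port = entry.next_port, entry.next_port + 1
                return entry.address, port
        # Nothing left to hand out: the condition behind the poster's 305006 line
        # (message constructed in the same format as the one in the thread).
        self.syslog.append(f"305006: portmap translation creation failed for udp "
                           f"src inside:{src_ip}/{src_port} dst outside:{dst}")
        return None


def simulate(num_hosts: int, with_pat: bool) -> Tuple[List[Optional[Tuple[str, int]]], List[str]]:
    """Send one DNS query from each of num_hosts inside hosts through the ASA model."""
    if with_pat:  # SAto's layout: two-address NAT pool, then a PAT address on .88
        entries = [NatPool(["203.0.113.86", "203.0.113.87"]), PatAddress("203.0.113.88")]
    else:  # the original config: a three-address NAT pool and nothing to fall back on
        entries = [NatPool(["203.0.113.86", "203.0.113.87", "203.0.113.88"])]
    asa = Asa(entries)
    results = [asa.translate(f"192.168.0.{n}", 2000 + n, "my_DNS_SERVER/53")
               for n in range(1, num_hosts + 1)]
    return results, asa.syslog
```

Run `simulate(5, with_pat=False)` to see two hosts fail with the 305006-style message, and `simulate(5, with_pat=True)` to see them share .88 on distinct ports.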
 
Arek Czereszewski
06-09-2006
SAto wrote:
> Arek Czereszewski wrote:
>
>> global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88

>
> If I'm not missing something here you are only NATing and not PATing
> anything
> that would mean that only three workstations can have access to
> external network at one time one for each of the x.x.x.86, x.x.x.87,
> x.x.x.88 any further will not be able to NAT
>
> However you could do this:
>
> global (outside) 100 213.x.x.86-213.x.x.87
> global (outside) 100 213.x.x.88
> nat (inside) 100 0.0.0.0 0.0.0.0 0 0
>
> This would NAT the first two hosts to 86,87 then PAT all the others to
> 88
>
> Hope this was helpful


Yes, it works now.
Thank you very much.

Firewalling with pf on *BSD is still easier for me.

Now I must forward connections from 192.168.0.0/24 to ports 80,443 to squid.

Regards
Arek

--
Arek Czereszewski
arek (at) wup-katowice (dot) pl | gg: 1349941
"UNIX is like a wigwam:
no windows, no gates, apache inside."
 
 
SAto
06-09-2006

Arek Czereszewski wrote:
> Now I must fwd connections from 192.168.0.0/24 to ports 80,443 to squid.


To the best of my knowledge the PIX does not support this.
It only supports URL lookups with Websense to filter URLs, not caching
content.

You could put the squid in bridge mode and put it between your LAN and
the PIX, but I would personally not recommend such a setup.

It is much better to configure clients to use the cache in the browser
settings or run WCCP or route-map redirection on a router.

-SAto

 
 
Erik Tamminga
06-10-2006
Hi,

ASA 7.2 now supports WCCP as well! Have a look at the ASA manual at
http://www.cisco.com/application/pdf...0080641f89.pdf

Erik
 
 
SAto
06-13-2006

Erik Tamminga wrote:

> ASA 7.2 now supports WCCP as well! Have a look at asa manual at
> http://www.cisco.com/application/pdf...0080641f89.pdf


Nice, that would be the best solution in this case.

-SAto

 