ASA 5510

Discussion in 'Cisco' started by Arek Czereszewski, Jun 8, 2006.

  1. Hi all,

    I have a strange situation with the ASA.
    When I have 5 workstations connected, everything works fine.
    LAN 192.168.0.0/24 has WWW, my DNS, my pop3/smtp.
    Part of my config:

    object-group service strony tcp
    port-object eq www
    port-object eq https
    object-group service poczta tcp
    port-object eq smtp
    port-object eq pop3
    port-object eq 995

    access-list inside_access_in extended permit udp 192.168.0.0
    255.255.255.0 host my_DNS eq domain
    access-list inside_access_in extended permit tcp 192.168.0.0
    255.255.255.0 host my_mail_server object-group poczta
    access-list inside_access_in extended permit tcp 192.168.0.0
    255.255.255.0 any object-group strony

    nat-control
    global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88

    Servers in the DMZ work fine.

    But when I connect the whole network (~150 workstations) to the ASA,
    I get a lot of these records in the log:
    3|Jun 08 2006 11:03:17|305006: portmap translation creation failed for
    udp src inside:192.168.0.31/2609 dst outside:my_DNS_SERVER/53

    What can be wrong? Where can I look for a solution?

    With regards
    Arek

    --
    Arek Czereszewski
    "UNIX is like a wigwam:
    no windows, no gates, apache inside."
    Arek Czereszewski, Jun 8, 2006
    #1

  2. SAto (Guest)

    Arek Czereszewski wrote:

    > global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88


    If I'm not missing something here, you are only NATing and not PATing
    anything. That would mean that only three workstations can have access to
    the external network at one time, one for each of x.x.x.86, x.x.x.87 and
    x.x.x.88; any further ones will not be able to NAT.

    However you could do this:

    global (outside) 100 213.x.x.86-213.x.x.87
    global (outside) 100 213.x.x.88
    nat (inside) 100 0.0.0.0 0.0.0.0 0 0

    This would NAT the first two hosts to .86 and .87, then PAT all the others to
    .88.

    Hope this was helpful

    -SAto
    SAto, Jun 8, 2006
    #2
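A small model of the pool behaviour SAto describes, added here as an illustration (constructed example, not Cisco code and not from any poster): a `global` range is dynamic NAT that burns one outside address per inside host, a single-address `global` is PAT, and the NAT pool is tried before the PAT address. The 203.0.113.x addresses stand in for the 213.xxx.xxx.x ones in the thread.

```python
PAT_PORT_LOW, PAT_PORT_HIGH = 1024, 65535   # translated source-port range used by the model


class GlobalPool:
    """Translation state for one nat/global id (constructed model, not Cisco code).

    A 'global' range (a-b) is dynamic NAT: each inside host consumes one whole
    outside address.  A single-address 'global' is PAT: many inside hosts share
    it, distinguished by translated source port.  NAT addresses are used first.
    """

    def __init__(self, nat_addrs, pat_addrs):
        self.free_nat = list(nat_addrs)        # dynamic-NAT addresses not yet handed out
        self.xlate = {}                        # inside_ip -> outside address (1:1 NAT)
        self.pat_next_port = {a: PAT_PORT_LOW for a in pat_addrs}

    def translate(self, inside_ip):
        """One new outbound connection from inside_ip. Returns 'addr' (NAT),
        'addr:port' (PAT) or None when no translation can be built, which is
        the case the ASA logs as 305006 'portmap translation creation failed'."""
        if inside_ip in self.xlate:            # host already owns a 1:1 xlate
            return self.xlate[inside_ip]
        if self.free_nat:                      # NAT pool is consumed first
            self.xlate[inside_ip] = self.free_nat.pop(0)
            return self.xlate[inside_ip]
        for addr in list(self.pat_next_port):  # then fall back to PAT
            port = self.pat_next_port[addr]
            if port <= PAT_PORT_HIGH:
                self.pat_next_port[addr] = port + 1
                return f"{addr}:{port}"
        return None


def simulate(pool, n_hosts):
    """Let n_hosts inside hosts (192.168.0.1..n) each open one connection."""
    results = {}
    for i in range(1, n_hosts + 1):
        ip = f"192.168.0.{i}"
        results[ip] = pool.translate(ip)
    ok = sum(1 for v in results.values() if v is not None)
    return {"ok": ok, "failed": n_hosts - ok, "results": results}


if __name__ == "__main__":
    # 203.0.113.x stands in for the 213.xxx.xxx.x addresses in the thread.
    original = GlobalPool(["203.0.113.86", "203.0.113.87", "203.0.113.88"], [])
    fixed = GlobalPool(["203.0.113.86", "203.0.113.87"], ["203.0.113.88"])
    print("original config:", simulate(original, 150)["failed"], "hosts failed")  # 147
    print("SAto's config:  ", simulate(fixed, 150)["failed"], "hosts failed")     # 0
```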

  3. SAto wrote:
    > Arek Czereszewski wrote:
    >
    >> global (outside) 100 213.xxx.xxx.86-213.xxx.xxx.88

    >
    > If I'm not missing something here you are only NATing and not PATing
    > anything
    > that would mean that only three workstations can have access to
    > external network at one time one for each of the x.x.x.86, x.x.x.87,
    > x.x.x.88 any further will not be able to NAT
    >
    > However you could do this:
    >
    > global (outside) 100 213.x.x.86-213.x.x.87
    > global (outside) 100 213.x.x.88
    > nat (inside) 100 0.0.0.0 0.0.0.0 0 0
    >
    > This would NAT the first two hosts to 86,87 then PAT all the others to
    > 88
    >
    > Hope this was helpful


    Yes, it works now :)
    Thank you very much.

    Firewalling with pf on *BSD is still easier for me.

    Now I must forward connections from 192.168.0.0/24 to ports 80,443 to squid.

    Regards
    Arek

    --
    Arek Czereszewski
    arek (at) wup-katowice (dot) pl | gg: 1349941
    "UNIX is like a wigwam:
    no windows, no gates, apache inside."
    Arek Czereszewski, Jun 9, 2006
    #3
  4. SAto (Guest)

    Arek Czereszewski wrote:
    > Now I must fwd connections from 192.168.0.0/24 to ports 80,443 to squid.


    To the best of my knowledge the PIX does not support this.
    It only supports URL lookups with Websense to filter URLs, not cache
    content.

    You could put the squid in bridge mode and put it between your LAN and
    the PIX, but I would personally not recommend such a setup.

    It is much better to configure clients to use the cache in the browser
    settings or run WCCP or route map redirection on a router.

    -SAto
    SAto, Jun 9, 2006
    #4
  5. Hi,

    ASA 7.2 now supports WCCP as well! Have a look at the ASA manual at
    http://www.cisco.com/application/pd...ps6120/c2001/ccmigration_09186a0080641f89.pdf

    Erik


    "SAto" <> wrote in message
    news:...
    >
    > Arek Czereszewski wrote:
    >> Now I must fwd connections from 192.168.0.0/24 to ports 80,443 to squid.

    >
    > To the best of my knowledge the pix does not support this.
    > It only supports url lookups with websense to filter urls not cache
    > content.
    >
    > You could put the squid in bridge mode and put it between your LAN and
    > the PIX but I would personally not recomend such a setup.
    >
    > It is much better to configure clients to use the cache in the browser
    > settings or run WCCP or route map redirection on a router.
    >
    > -SAto
    >
    Erik Tamminga, Jun 10, 2006
    #5
  6. SAto (Guest)

    SAto, Jun 13, 2006
    #6