
accessing other servers from internal

16 years 5 months ago #26360 by S0lo

I did the following:

conf t
interface Ethernet0/1
switchport mode access
switchport access vlan 1
end

Then when I do a sh run, it just shows the following:
interface Ethernet0/1
!
like it doesn't take the command. Any ideas? I did try it without the switchport mode access command also, but no luck.


Can you try it again on Ethernet0/4 or Ethernet0/5, since they are the ones connected to the servers, as you say.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
16 years 5 months ago #26592 by flipzz
This is my config. I still cannot get two servers behind the ASA 5505 to talk to each other. When I go to ping them, the first ping goes through, then the rest time out. I am trying to get 192.168.2.2 (on Ethernet0/1) to talk to 192.168.2.14 (on Ethernet0/4).

Any ideas would be great!

: Saved
:
ASA Version 7.2(3)
!
hostname iconnect
domain-name default.domain.invalid
enable password XXXXXXXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.184.74 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 3Xo1V7gQuBf5IAPD encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service PASVFTP tcp
port-object range 50000 51000
access-list outside_access_in extended permit tcp any host XXX.XXX.184.75 eq ftp
access-list outside_access_in extended permit tcp any host XXX.XXX.184.75 eq www
access-list outside_access_in extended permit tcp any host XXX.XXX.184.75 eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.184.75 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.184.75 range 50000 51000
access-list outside_access_in extended permit tcp any host XXX.XXX.184.76 eq www
access-list outside_access_in extended permit tcp any host XXX.XXX.184.76 eq ftp
access-list outside_access_in extended permit tcp any host XXX.XXX.184.76 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.184.77 eq 3314
access-list outside_access_in extended permit tcp any host XXX.XXX.184.77 eq domain
access-list outside_access_in extended permit udp any host XXX.XXX.184.77 eq domain
access-list outside_access_in extended permit tcp any host XXX.XXX.184.79 eq 3306
access-list outside_access_in extended permit tcp any host XXX.XXX.184.80 eq 3307
access-list outside_access_in extended permit tcp any host XXX.XXX.184.79 eq smtp
access-list outside_access_in extended permit tcp any host XXX.XXX.184.79 eq pop3
access-list outside_access_in extended permit tcp any host XXX.XXX.184.79 eq 8484
access-list outside_access_in extended permit tcp any host XXX.XXX.184.79 eq 81
access-list outside_access_in extended permit tcp any host XXX.XXX.184.75 eq 81
access-list outside_access_in extended permit tcp any host XXX.XXX.184.3 eq 1433
access-list outside_access_in extended permit tcp any host XXX.XXX.184.3 eq 1645
access-list outside_access_in extended permit tcp any host XXX.XXX.184.3 eq 1813
access-list outside_access_in extended permit tcp any host XXX.XXX.184.3 eq 3305
access-list outside_access_in extended permit udp any host XXX.XXX.184.3 eq radius
access-list outside_access_in extended permit udp any host XXX.XXX.184.3 eq 1813
access-list outside_access_in extended permit tcp any host XXX.XXX.184.75 object-group PASVFTP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 XXX.XXX.184.0 netmask 255.255.255.0
nat (inside) 2 192.168.2.0 255.255.255.0
static (outside,inside) 192.168.2.2 XXX.XXX.184.75 netmask 255.255.255.255
static (inside,outside) XXX.XXX.184.75 192.168.2.2 netmask 255.255.255.255
static (outside,inside) 192.168.2.3 XXX.XXX.184.76 netmask 255.255.255.255
static (inside,outside) XXX.XXX.184.76 192.168.2.3 netmask 255.255.255.255
static (outside,inside) 192.168.2.14 XXX.XXX.184.77 netmask 255.255.255.255
static (inside,outside) XXX.XXX.184.77 192.168.2.14 netmask 255.255.255.255
static (outside,inside) 192.168.2.6 XXX.XXX.184.79 netmask 255.255.255.255
static (outside,inside) 192.168.2.7 XXX.XXX.184.80 netmask 255.255.255.255
static (inside,outside) XXX.XXX.184.79 192.168.2.6 netmask 255.255.255.255
static (inside,outside) XXX.XXX.184.80 192.168.2.7 netmask 255.255.255.255
static (inside,outside) XXX.XXX.184.3 192.168.2.5 netmask 255.255.255.255
static (outside,inside) 192.168.2.5 XXX.XXX.184.3 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.184.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd dns XXX.XXX.184.14 207.170.3.6 interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
16 years 5 months ago #26594 by mqabdullah
Replied by mqabdullah on topic try this
Dear Friend,

To check whether the ports are communicating with each other, try using two desktop PCs without the Windows firewall. If both desktops communicate with each other, then the problem is with your servers' configuration.

OR

Reset your firewall and configure the ports with the command switchport access vlan 1.

These two solutions will solve your problem :lol:
16 years 5 months ago #26595 by flipzz
I put two PCs on and they will not ping or interact with each other. I put them in Ethernet0/5 and Ethernet0/6.

The strange part is, if the server in Ethernet0/2 pings the server in Ethernet0/3 (or any combination), the first ping goes through, but then all pings afterwards time out. Also with SMTP connections: if I do a telnet 192.168.2.6 25 command, I get the connection, but it immediately drops.

I also added the following to all ports (except Ethernet0/0):

switchport mode access
switchport access vlan 1

Even though it takes the command and does not error out, it does not show when I do a sh run.

All servers and PCs can access the outside world, just not each other.

Any ideas?
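Editor's note, added to this thread and not part of any post in it (the thread itself ends without a confirmed cause): two things in the configuration posted above line up with the symptoms described (first ping answered and the rest timing out, an SMTP connection that opens and immediately drops, every host reaching the outside but not each other, and "switchport access vlan 1" never appearing in sh run). The snippet below is an added example built from the posted config, not flipzz's own fix; the new DHCP range in it is an arbitrary choice and the "Windows" ARP line is a check run on the server, not on the ASA.

```cisco
! --- Why "switchport access vlan 1" never shows up ---
! VLAN 1 is the default access VLAN on ASA 5505 switch ports, and
! "show running-config" omits settings that are at their default, so the
! command was accepted. Confirm the port-to-VLAN mapping with:
show switch vlan
show running-config all interface Ethernet0/1

! --- Suspect: the reversed statics ---
! Each server has two statics. The normal one maps the real inside host to
! its public address on the outside interface (this one is bidirectional):
static (inside,outside) XXX.XXX.184.75 192.168.2.2 netmask 255.255.255.255
! The second, reversed one declares 192.168.2.2 a *mapped* address on the
! inside interface for a *real* host out on the outside:
static (outside,inside) 192.168.2.2 XXX.XXX.184.75 netmask 255.255.255.255
! The ASA answers ARP (proxy ARP) for mapped addresses on the mapped
! interface, so it claims 192.168.2.2 on the inside alongside the real
! server. Inside hosts' ARP caches flip between the two MACs, which fits
! "first ping works, the rest time out" and a connection that opens and
! then drops. Compare the MAC the ASA holds with the server's own:
show arp
!   (Windows, on a server)  arp -a 192.168.2.2
! Remove the reversed entries; the (inside,outside) statics above already
! carry inbound traffic to XXX.XXX.184.75 etc. on their own:
no static (outside,inside) 192.168.2.2 XXX.XXX.184.75 netmask 255.255.255.255
no static (outside,inside) 192.168.2.3 XXX.XXX.184.76 netmask 255.255.255.255
no static (outside,inside) 192.168.2.14 XXX.XXX.184.77 netmask 255.255.255.255
no static (outside,inside) 192.168.2.6 XXX.XXX.184.79 netmask 255.255.255.255
no static (outside,inside) 192.168.2.7 XXX.XXX.184.80 netmask 255.255.255.255
no static (outside,inside) 192.168.2.5 XXX.XXX.184.3 netmask 255.255.255.255
clear xlate
! (clear xlate drops the current translations, so do it in the maintenance
!  window already being planned.)

! --- Keep the DHCP pool off the servers' static addresses ---
! The posted pool 192.168.2.2-192.168.2.254 contains .2, .3, .5, .6, .7
! and .14, all of which are statically assigned to servers.
no dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd address 192.168.2.100-192.168.2.200 inside
! (example range; any range that excludes the server addresses will do)

! --- See what the ASA does with a packet that does reach it ---
! packet-tracer (available from 7.2) prints the route, ACL and xlate
! decisions for a synthetic packet, so the effect of the statics can be
! checked without touching production traffic:
packet-tracer input inside icmp 192.168.2.14 8 0 192.168.2.2
```

Two further caveats a practitioner would raise on the posted config, neither of which the thread discusses. Hosts on the same VLAN normally talk through the 5505's internal switch without the firewall seeing the traffic, so once the ASA stops answering ARP for the servers' addresses, the servers' own host firewalls are the next thing to check, exactly as mqabdullah's two-PC test suggests. Separately, outside_access_in permits tcp any to 3389 (RDP), 1433 (SQL Server), 3306/3307 (MySQL) and the RADIUS ports; exposing those to any source on the internet is a far larger risk than the connectivity problem, and those entries should be restricted to the specific remote addresses that need them.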
16 years 5 months ago #26599 by S0lo
Smells like an ACL/firewall config problem. Your config is too complex for me to grasp. Tell you what, can you take your ASA into a maintenance phase for like 2 or 3 hours? Then copy your config somewhere safe (like your console PC), then erase the start-up config and start fresh. First add only the most important commands, like interface IPs and VLANs, then test if the two servers can communicate. If they can, you can now gradually add commands one by one and test connectivity between the two servers after each command added until you find the one that makes it fail.

This is a rather dumb solution and will take time, but it could be the last resort. And if it fails, you can simply copy your original config back.

16 years 4 months ago #26605 by flipzz
Might be a time-consuming one, but I think that is my best bet. Will do late tonight. This has production servers behind it already running websites and email, so I have to do it late.

Thanks!