I have a WAN interface and 2 LAN interfaces. I need both LANs to be able to access a server outside the network via the WAN (outside) interface. I am using an ASA 5510 firewall instead of a router, because I don't have a router.
It looks simple enough, but it does not work. A ping from a PC (172.16.22.8) connected to the LAN (inside) network to 10.10.10.1, which is the WAN local interface, also did not work.
But from the ASA firewall, I could ping my LAN (inside) PC. I followed a config I got from this forum. However, it did not work. Below is my config. Please help.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.22.254 255.255.255.0
!
interface Ethernet0/2
 nameif inside2
 security-level 50
 ip address 172.16.21.254 255.255.255.0
!
access-list outside-inside extended permit ip any any
access-list outside-inside extended permit icmp any any
static (inside,outside) 172.16.22.0 172.16.22.0 netmask 255.255.255.0
static (outside,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
access-group outside-inside in interface outside
Best Answer
An ASA will not allow you to ping its interface on the other side of the firewall, so, if you are connected to Ethernet0/1, you will not be able to ping Ethernet0/0, even though you might be allowed to ping something connected to Ethernet0/0. It is just one of the quirks of the ASA.
The reason your clients can't connect to the server might not be because of the firewall, but because of routing. Does your client know that in order to reach 10.10.10.0/24, they need to go through 172.16.22.254, and does your server also know that in order to reach 172.16.22.0/24, it needs to go through 10.10.10.1?
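The routing question raised in this answer, worked through as an added example that is not part of the original thread: a longest-prefix-match lookup over each host's routing table, checking that the client's forward path and the server's return path both go through the ASA. The server address 10.10.10.50, the other gateway 10.10.10.254 and both routing tables are constructed for illustration; the remaining addresses come from the posted config.

```python
import ipaddress

ASA_INSIDE, ASA_OUTSIDE = "172.16.22.254", "10.10.10.1"  # from the posted config
CLIENT, SERVER = "172.16.22.8", "10.10.10.50"            # SERVER is an assumed address

# Constructed host routing tables: (prefix, gateway); None means directly connected.
CLIENT_ROUTES = [("172.16.22.0/24", None), ("0.0.0.0/0", "172.16.22.254")]
# Server whose default gateway is some other device (assumed 10.10.10.254).
SERVER_ROUTES_BROKEN = [("10.10.10.0/24", None), ("0.0.0.0/0", "10.10.10.254")]
# Same server with a static route for the inside LAN pointing at the ASA.
SERVER_ROUTES_FIXED = SERVER_ROUTES_BROKEN + [("172.16.22.0/24", "10.10.10.1")]


def next_hop(routes, dst):
    """Return the gateway chosen by longest-prefix match for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return "unreachable"
    return best[1] or "on-link"


def check_path(client_routes, server_routes):
    """List routing problems on the client -> server path and its return path."""
    problems = []
    forward = next_hop(client_routes, SERVER)
    if forward != ASA_INSIDE:
        problems.append(f"client sends to {forward}, expected {ASA_INSIDE}")
    # The static in the config maps 172.16.22.0/24 to itself, so the server
    # sees the client's real address and must route replies back to it.
    back = next_hop(server_routes, CLIENT)
    if back != ASA_OUTSIDE:
        problems.append(f"server replies via {back}, expected {ASA_OUTSIDE}")
    return problems


if __name__ == "__main__":
    for name, table in (("broken", SERVER_ROUTES_BROKEN), ("fixed", SERVER_ROUTES_FIXED)):
        print(name, check_path(CLIENT_ROUTES, table) or "ok")
```

The same check applies to the inside2 network (172.16.21.0/24): the server needs a route for it through 10.10.10.1 as well.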