litelnoleMemberMay 02, 2011 at 10:08 am #154460
I apologize in advance if i have posted in the wrong category. I am unsure if this is an ASA issue or a switching issue.
I have a unique situation that I will try to explain briefly to set up my important question. Please note that I would like all these connections to run simultaneously and that i am not requesting a failover scenario.
I have my server environment on two 3750 switches currently, and it is chained to a Dell unmanaged switch that serves our workstations (172.16.254.x/24)patched out to the office. They are all sending/receiving internet traffic through a Cisco ASA 5505 (172.16.4.2/25).
I have two other separate internet connections available to me and they are plugged into a Cisco ASA 5520. I have configured the 4 interfaces on that ASA as inside, outside, inside2, outside 2. I have set up a site to site VPN to our DR location on the inside (172.19.x.x)/outside interfaces using one of the two internet pipes. I plugged that into our 3750 core and simply made our DR subnet a route and the inside interface on the 5520 the default gateway for that subnet. Let me also mention that the inside interface is 172.16.8.1/25 and the inside2 is 172.16.8.129/25.
Everything is currently working fine, but I need to now set up our 3rd internet connection as the connection that will provide incoming access for our hosted applications to our customers. (it is currently in place at another location that will be decommissioned here very soon). I have configured (to the best of my ability) the inside2/outside2 interface on that third internet connection and plugged it into my 3750 core. However, when I try to make a request (port 80 let’s say) from the outside world to one of my production servers public IP that is NATed (172.16.32.x/24) my ASA gives me an error message:
2|May 02 2011|11:33:41|106001|external source ip|1545|public facing IP on ASA NATTED|80|Inbound TCP connection denied from external source ip/1545 to public facing IP on ASA NATTED/80 flags SYN on interface outside2
1. I’m unsure why the source port is 1545 when all I’m trying to do is open via a browser
2. What does this error message mean exactly?
I was under the impression that a “denied” anything would apply to an ACL, but I don’t see any that would have any effect on this.
Is having my production servers with their default gateway as the link outbound via the 5505 the issue? But that seems routing related….Since the 5520 and 5505 internal interfaces are on two different subnets?
I need to isolate the servers that need incoming requests from the outside and then make their responses via the 5520, and the workstations need to only get their internet traffic to/from the 5505 link. However, the workstations need to be able to talk to the production servers as well for obvious management purposes.
Do i need to create separate core switch stacks? one for workstations and one for servers so that I can dedicate those gateway IPs to each internet connection/firewall?
I will somehow have to then connect those two cores so that workstations can talk to servers..so if i just create a common vlan on an interface on each core and then trunk the two together, will that work?
Sorry for the long story…just wanted to make sure I got all of the details in.
You must be logged in to reply to this topic.