Scott,
Were you able to resolve the problem you were having?
It is best practice to assign a static IP address to your server within the subnet of the other devices on your switch. Starting over on some of the logic (I do not remember a lot of what I typed earlier), the server should be on the DMZ zone interface. BUT if you have it connected to the switch with your four employee computers, then they should never have had a problem accessing the server.
For the DMZ interface the server should have its own address that is not on the same subnet as the employee computers. Think 192.168.2.100 -> Server on DMZ and 192.168.1.1-4 -> employee computers on the switch connecting to your LAN zone interface. Either way do not use DHCP for your server.
If you resolved this already, perfect. If you have not, let me know the following:
1) Internal IP address of server
2) DHCP pool for your internet network
3) What is your server connected to (ASA or switch) and port numbers
4) Is there any reason for Internet traffic to access your 2008 server?
On a network of your size, I would recommend not using DHCP at all and managing each device with a static IP. Since you are using an ASA 5505, I also recommend putting the server on the DMZ zone and not directly in connection with your switch/employee devices. This is for security reasons.
You can use the following example to set up your network:
-Disable DHCP on your ASA: from global config enter 'no dhcpd'
-Confirm that your zones have an IP address and are tied into your interfaces: you can use 'show run' to confirm this
-Assign IP addresses to each computer. Example:
--Host: 192.168.1.2 through 4
--Gateway: 192.168.1.1 -> This is the IP address of your LAN interface on the ASA
--Subnet: 255.255.255.0
---This is just an example and you can use whatever address ranges that you want.
ASA devices by default allow LAN -> DMZ traffic, so there are no extra settings that you need to enter, unless you need traffic to originate from the server to the hosts. Then you will need to create a rule to allow DMZ -> LAN traffic. This can also be found on the Cisco website.
Thanks,
Yimman
scott46 :
Yimman :
Yimman, ignore the student piece. Those go directly from the computers to the Comcast box through a switch. There is no connection between student and staff networks. I probably shouldn't have even mentioned it.
Staff have four computers. Three computers connect direct to a 16 port Netgear switch then to the Comcast box on individual cables. The server and my computer connect through a switch in my room then to the 16 port Netgear switch, then to the Comcast box. I want to replace the 16 port Netgear switch with the Cisco firewall.
The rest of your question about subnets and vlans I don't understand. I've tried to find some on-line tutorials that would help but I have been unable to. Maybe I'm asking the wrong questions.
I have diagrammed our current network but I don't see a way to share that here.
Your question is good and I understand what you are asking. Your response provided me enough information to make a mental topology of your network. Without further information, I do not believe that the problem is with your ASA. It sounds as though either your computer and the server are not on the same network, different VLANs, or there is something wrong with the server.
To check the IP address for your server and computer, type 'cmd' into Windows Run. On the command prompt type 'ipconfig'. You may get a lot or a little output; however, the results you are looking for will be at the top of the output. A subnet mask (255.255.255.0) means that any devices with the IP range of 192.168.0.0 through 192.168.0.255 are on the same network. 255 means that the numbers must match exactly and 0 represents 0 to 255. 192.168.1.10 does not match and your switch would not be able to communicate with the device.
A great starting point once you get the addresses of your computer and the server is to try to ping one from the other. Again from 'cmd' type 'ping [address]'. I would type 'ping 192.168.0.10'. If you get a reply, it means that traffic from your computer is reaching the server. You can also try it from the other employee computers to confirm that the problem is not with the cables or other physical equipment.
VLANs are a bit more difficult to fully explain and require the use of the ASA to transfer data between devices that may be on the same switch. You can find excellent videos on YouTube by CBTNuggets that will help you understand the technology and give you a good reference point from which to start troubleshooting the problem.
I know it is a lot of information. Let me know if you need any additional assistance and I will gladly follow up.
Yimman
The 4 staff computers seem to ping to the server ok but they take a pretty long time to log on to the server after a user enters their logon and password. I'm going to make up some numbers so our ip address isn't public but here is what I see:
Server: IPv4 - 25.1.25.110, subnet 255.255.255.0
But our server is set to DHCP. Does this matter? Won't the IP address change on a reboot?