Answer to: Hello List Easy Cisco question.
bill at kruchas.com
Wed Jul 13 14:15:26 UTC 2011
Hello, and thanks for all the help.
What the issue boiled down to was that I was creating the access list just
like the static command, which means I was using the source and
destination ports when creating it. You just need the destination port,
actually, because the firewall "catches" the packet on a different port,
un-encapsulates the packet and passes it through. The different
port was causing the access list to reject the packet.
So this is what I had:
>access-list Etherpoint_access_in extended permit tcp any eq 5900 host outside-ip eq 5900
This is what worked :)
>access-list Etherpoint_access_in extended permit tcp any host outside-ip eq 5900
A complete example, for anyone who needs it, to route external requests to
an internal host:
* Access list to permit traffic in
access-list Etherpoint_access_in extended permit tcp any host outside-ip eq 5900
* Static command to set up the relationship from the outside interface to the
inside host
static (Inside,Etherpoint) tcp interface 5900 192.168.125.8 5900 netmask 255.255.255.255
* Command to bind the access list to the outside interface
access-group Etherpoint_access_in in interface Etherpoint
Thanks again list
Bill Kruchas
Below is the full question and details.
*****************************************************************
Hello List,
First let me say I'm not a heads-down network guy, but I have set up
several Cisco firewalls, from PIXes to some 831s, and now I'm trying to
get an ASA 5505 configured, version 7.2 with ASDM 5.2.
This has been in and working for some time, granting outbound
access. There is only one external usable IP address, so everything is
using PAT to get out (although whoever set it up did it like a NAT
with a global address pool).
I have been trying to get an inbound static command to work, with no
luck. First I wonder if I can do a static mapping for ingress on the
same IP that is being used for PAT/NAT for egress. And if that is
possible, why can't I get through? I'm pretty sure the static command is
right, and I needed to add two ACLs (any to outside, outside to
inside) to get the packet trace in ASDM to let the packet into the
inside host, but still the translate isn't passing the packet tracing.
Please any insight would be greatly appreciated.
The log shows the port coming in as something different from what I
expect: the 66.152.132.32/1064 should be 66.152.132.32/5900 (for VNC,
which is the client I am testing with).
These are the lines from the log:
>4 Jul 12 2011 11:27:13 106023 66.152.132.32 outside-ip Deny tcp src Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by access-group "Etherpoint_access_in" [0x0, 0x0]
>4 Jul 12 2011 11:27:07 106023 66.152.132.32 outside-ip Deny tcp src Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by access-group "Etherpoint_access_in" [0x0, 0x0]
>4 Jul 12 2011 11:27:04 106023 66.152.132.32 outside-ip Deny tcp src Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by
These are the appropriate lines from the config:
>access-list Etherpoint_access_in extended permit tcp any eq 5900 host outside-ip eq 5900
>access-list Etherpoint_access_in extended permit tcp host outside-ip eq 5900 host 192.168.125.8 eq 5900
>global (Etherpoint) 2 interface
>nat (Inside) 0 access-list Inside_nat0_outbound
>nat (Inside) 2 192.168.125.0 255.255.255.0
>static (Inside,Etherpoint) tcp interface 5900 192.168.125.8 5900 netmask 255.255.255.255
>no threat-detection statistics tcp-intercept
>access-group Inside_access_in in interface Inside
>access-group Etherpoint_access_in in interface Etherpoint
Thanks In Advance
Bill Kruchas
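As an added illustration, not part of Bill's post or of any Cisco tooling: a small Python model of the ASA's first-match ACL evaluation, run over the 106023 deny lines quoted in the thread. The source port in those lines (1064) is the VNC client's ephemeral port, so an ACE that pins the source to `eq 5900` never matches, while the corrected ACE, which names only the destination port, does. The address 203.0.113.10 is a constructed stand-in for the poster's "outside-ip", and the log lines are reconstructed from the quoted ones with that substitution (the third line is left truncated, as in the post). Everything else (the `Ace`/`Flow` types, `parse_ace`, `evaluate`, `pinned_source_ports`) is made up here for the demonstration.

```python
"""Model of why the posted ACL denied the inbound VNC connection (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# %ASA-4-106023: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ..."
LOG_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

OUTSIDE_IP = "203.0.113.10"  # constructed stand-in for the poster's "outside-ip"

# Reconstructed from the quoted log, with the placeholder substituted.
LOG_LINES = [
    f'4 Jul 12 2011 11:27:13 106023 66.152.132.32 {OUTSIDE_IP} Deny tcp src '
    f'Etherpoint:66.152.132.32/1064 dst Inside:{OUTSIDE_IP}/5900 by access-group "Etherpoint_access_in" [0x0, 0x0]',
    f'4 Jul 12 2011 11:27:07 106023 66.152.132.32 {OUTSIDE_IP} Deny tcp src '
    f'Etherpoint:66.152.132.32/1064 dst Inside:{OUTSIDE_IP}/5900 by access-group "Etherpoint_access_in" [0x0, 0x0]',
    f'4 Jul 12 2011 11:27:04 106023 66.152.132.32 {OUTSIDE_IP} Deny tcp src '
    f'Etherpoint:66.152.132.32/1064 dst Inside:{OUTSIDE_IP}/5900 by',
]


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_106023(line: str) -> Flow:
    """Extract the 5-tuple the ASA logged for a denied connection attempt."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not a 106023 deny line: {line!r}")
    return Flow(m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))


@dataclass(frozen=True)
class Ace:
    """One `access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]` entry."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def parse_ace(text: str) -> Ace:
    """Parse the subset of ASA extended-ACE syntax used in the thread (any/host/addr mask, eq N)."""
    toks = text.split()
    action, proto = toks[3], toks[4]
    rest = toks[5:]

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ipaddress.ip_network("0.0.0.0/0")
        if rest[0] == "host":
            net = ipaddress.ip_network(rest[1] + "/32")
            rest = rest[2:]
            return net
        net = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)  # "addr mask" form
        rest = rest[2:]
        return net

    def take_port() -> Optional[int]:
        nonlocal rest
        if rest and rest[0] == "eq":
            port = int(rest[1])
            rest = rest[2:]
            return port
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(action, proto, src, sport, dst, dport)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (
        ace.proto in ("ip", flow.proto)
        and ipaddress.ip_address(flow.src_ip) in ace.src
        and (ace.src_port is None or ace.src_port == flow.src_port)
        and ipaddress.ip_address(flow.dst_ip) in ace.dst
        and (ace.dst_port is None or ace.dst_port == flow.dst_port)
    )


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching ACE wins; an ASA interface ACL ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny (implicit)"


def verdicts(acl: List[Ace], lines: List[str]) -> List[str]:
    return [evaluate(acl, parse_106023(line)) for line in lines]


def pinned_source_ports(acl: List[Ace]) -> List[Ace]:
    """Review check: a permit ACE that fixes the *source* port will almost never match
    client traffic, because clients pick an ephemeral source port per connection."""
    return [a for a in acl if a.action == "permit" and a.src_port is not None]


# The two ACEs from the thread. On this ASA release the outside ACL names the
# translated (outside) address that the static maps to 192.168.125.8.
BROKEN_ACL = [parse_ace(f"access-list Etherpoint_access_in extended permit tcp any eq 5900 host {OUTSIDE_IP} eq 5900")]
FIXED_ACL = [parse_ace(f"access-list Etherpoint_access_in extended permit tcp any host {OUTSIDE_IP} eq 5900")]

if __name__ == "__main__":
    print("broken:", verdicts(BROKEN_ACL, LOG_LINES))
    print("fixed: ", verdicts(FIXED_ACL, LOG_LINES))
    print("ACEs pinning a source port:", len(pinned_source_ports(BROKEN_ACL)))
```

Running it shows every logged flow falling through to the implicit deny under the original ACE and matching `permit` under the corrected one; `pinned_source_ports` is the one-line lint a reviewer can run over a whole ACL to catch the same mistake elsewhere.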
More information about the NANOG mailing list