RE: Hello List, a easy Cisco question.

Hello,

We have NAT set up on our equipment, just a plain vanilla internet connection. Here is the pertinent section of the running config.

!
interface Ethernet0/2
 nameif Etherpoint
 security-level 0
 ip address outside-ip 255.255.255.252
 ospf cost 10
!
object-group service terminal-services tcp
 port-object eq 3389
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip 192.168.125.0 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 MobileVPN 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 MobileVPN 255.255.255.0 inactive
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 any inactive
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list Haven_splitTunnelAcl_1 standard permit 192.168.125.0 255.255.255.0
access-list Etherpoint_access_in extended permit tcp host 192.168.125.8 eq 3389 any eq 3389
access-list Etherpoint_access_in extended permit tcp any eq 3389 host 192.168.125.8 eq 3389
access-list Etherpoint_access_in extended permit tcp any host 192.168.125.8 eq 3389
access-list Etherpoint_nat0_outbound extended permit ip host 192.168.125.8 host outside-ip
access-list Etherpoint_nat0_outbound extended permit ip host outside-ip host 192.168.125.8
ip local pool HavenVPN 192.168.253.1-192.168.253.254 mask 255.255.255.0
global (Etherpoint) 2 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 2 192.168.125.0 255.255.255.0
nat (Etherpoint) 0 access-list Etherpoint_nat0_outbound outside
static (Inside,Etherpoint) tcp interface 3389 192.168.125.8 3389 netmask 255.255.255.255
no threat-detection statistics tcp-intercept
access-group Inside_access_in in interface Inside
access-group Etherpoint_access_in in interface Etherpoint
route Etherpoint 0.0.0.0 0.0.0.0 204.186.102.187 1

-------- Original Message --------
Subject: Re: Hello List, a easy Cisco question.
From: Dennis <daodennis@gmail.com>
Date: Mon, July 11, 2011 12:39 pm
To: bill@kruchas.com

On Mon, Jul 11, 2011 at 12:33 PM, <bill@kruchas.com> wrote:
trying to

So your provider has your ASA behind a NAT or there is a NAT inside,outside statement on your ASA? Some more pieces of the configuration would be helpful here too.

Thanks,
Dennis O.

On Mon, Jul 11, 2011 at 3:16 PM, <bill@kruchas.com> wrote:
Firewalls are security-sensitive devices; I suggest reading the docs and not relying on untrusted sources for basic operating directions. If improperly configured, a firewall may pass traffic but be insecure.

I can't tell you exactly what buttons to hit in the SDM right now, but I see you have

  access-list Etherpoint_access_in extended permit tcp any eq 3389 host 192.168.125.8 eq 3389

Unless "192.168.125.8" is your global IP, something is wrong here. You should permit to destination port 3389 on the global IP, on the inbound ACL of your outside interface, when you are applying an ACL before translation. Traffic matching your port forwarding rule would then be allowed through that ACL.

  access-list Etherpoint_access_in extended permit tcp host 192.168.125.8 eq 3389 any eq 3389

You don't need this, assuming .125.8 is an inside IP and Etherpoint is your outside int.

Regards,
--
-JH
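The two points Jimmy raises (the outside-inbound ACL must name the global address when it is evaluated before translation, and an ACE with an inside host as source is not needed there) can be checked mechanically. The following lint is an added example, not code from the thread or from Cisco: it parses the three Etherpoint_access_in ACEs from the posted config plus a corrected one, assuming pre-8.3 ASA semantics, the inside network 192.168.125.0/24 from the posted nat statement, and 203.0.113.2 as a constructed stand-in for the "outside-ip" name.

```python
import ipaddress
import re

# Inside (real) network, taken from "nat (Inside) 2 192.168.125.0 255.255.255.0" in the post.
INSIDE_NETS = [ipaddress.ip_network("192.168.125.0/24")]

# Three ACEs copied from the posted config plus the corrected form. "outside-ip"
# in the post is a name; 203.0.113.2 is a constructed placeholder for it.
OUTSIDE_ACL = [
    "access-list Etherpoint_access_in extended permit tcp host 192.168.125.8 eq 3389 any eq 3389",
    "access-list Etherpoint_access_in extended permit tcp any eq 3389 host 192.168.125.8 eq 3389",
    "access-list Etherpoint_access_in extended permit tcp any host 192.168.125.8 eq 3389",
    "access-list Etherpoint_access_in extended permit tcp any host 203.0.113.2 eq 3389",
]

ADDR = r"(any|host \S+|\S+ \S+)"   # any | host X | network mask
ACE = re.compile(
    rf"^access-list (\S+) extended (permit|deny) (tcp|udp) {ADDR}(?: eq (\d+))? {ADDR}(?: eq (\d+))?$"
)

def _inside_host(addr):
    """True when an ACE address term is 'host X' with X inside a real (untranslated) network."""
    if not addr.startswith("host "):
        return False
    ip = ipaddress.ip_address(addr.split()[1])
    return any(ip in net for net in INSIDE_NETS)

def check_ace(line):
    """Return the problems found in one outside-inbound ACE (empty list if clean).
    Pre-8.3 ASA: the outside ACL is evaluated before the static translation,
    so it must permit to the global address, not to the inside host."""
    m = ACE.match(line)
    if not m:
        return ["could not parse ACE"]
    _name, _action, _proto, src, sport, dst, _dport = m.groups()
    problems = []
    if sport is not None:
        problems.append("source port restricted: clients use ephemeral source ports, "
                        "so this ACE will not match a real RDP session")
    if _inside_host(src):
        problems.append("inside address as source on the outside-inbound ACL: not needed for "
                        "return traffic on a stateful firewall, only spoofed packets would match")
    if _inside_host(dst):
        problems.append("inside (untranslated) host as destination: pre-8.3 outside ACLs "
                        "must permit to the global address the static maps to")
    return problems

def lint(acl):
    """Map each ACE that has findings to its list of problems."""
    return {line: p for line in acl if (p := check_ace(line))}

if __name__ == "__main__":
    for line, probs in lint(OUTSIDE_ACL).items():
        print(line, *("  - " + p for p in probs), sep="\n")
```

Only the last, corrected ACE passes; the first two are flagged twice (source-port restriction plus an inside address on the wrong side) and the third once.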