RE: Hello List, a easy Cisco question.
Hello,
I am not a heads down network guy, but I have setup a few firewalls, and have got them to do what I wanted, "eventually". But mostly through reading and trial and error.
I am struggling with this one, but I think I know the answer, but want to verify it with some experts.
We have a cisco asa 5505, with an internet connection with only one useable ip address (subnet 255.255.255.252). We/they have had a nat setup for outgoing connections for some time, but I have been
Hello, We have Nat setup on our equipment, just a plain vanilla internet connection. Here is the pertinent section of the runing config. ! interface Ethernet0/2 nameif Etherpoint security-level 0 ip address outside-ip 255.255.255.252 ospf cost 10 ! object-group service terminal-services tcp port-object eq 3389 access-list Inside_access_in extended permit icmp any any access-list Inside_access_in extended permit ip 192.168.125.0 255.255.255.0 any access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 MobileVPN 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 MobileVPN 255.255.255.0 inactive access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 any inactive access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.14.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.101.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.253.0 255.255.255.0 access-list Haven_splitTunnelAcl_1 standard permit 192.168.125.0 255.255.255.0 access-list Etherpoint_access_in extended permit tcp host 192.168.125.8 eq 3389 any eq 3389 access-list Etherpoint_access_in extended permit tcp any eq 3389 host 192.168.125.8 eq 3389 access-list Etherpoint_access_in extended permit tcp any host 192.168.125.8 eq 3389 access-list Etherpoint_nat0_outbound extended permit ip host 192.168.125.8 host outside-ip access-list Etherpoint_nat0_outbound extended permit ip host outside-ip host 192.168.125.8 ip local pool HavenVPN 192.168.253.1-192.168.253.254 mask 255.255.255.0 global (Etherpoint) 2 interface nat (Inside) 0 access-list Inside_nat0_outbound nat (Inside) 2 192.168.125.0 255.255.255.0 nat (Etherpoint) 0 access-list Etherpoint_nat0_outbound outside static (Inside,Etherpoint) tcp interface 3389 192.168.125.8 3389 netmask 255.255.255.255 no threat-detection statistics tcp-intercept access-group Inside_access_in in interface Inside access-group Etherpoint_access_in in interface Etherpoint route Etherpoint 0.0.0.0 0.0.0.0 204.186.102.187 1 -------- Original Message -------- Subject: Re: Hello List, a easy Cisco question. From: Dennis <[1]daodennis@gmail.com> Date: Mon, July 11, 2011 12:39 pm To: [2]bill@kruchas.com On Mon, Jul 11, 2011 at 12:33 PM, <[3]bill@kruchas.com> wrote: trying to So your provider has your ASA behind a NAT or there is a NAT inside,outside statement on your ASA? Some more pieces of the configuration would be helpful here too. Thanks, Dennis O. References 1. mailto:daodennis@gmail.com 2. mailto:bill@kruchas.com 3. mailto:bill@kruchas.com
On Mon, Jul 11, 2011 at 3:16 PM, <bill@kruchas.com> wrote:
connection. ip address outside-ip 255.255.255.252 Aside from the fact 255.255.255.252 is not a valid IP address.
Firewalls are security sensitive devices, I suggest reading docs and not relying on untrusted sources for basic operating directions; if improperly configured a Firewall may pass traffic but be insecure. I can't tell you exactly what buttons to hit in the SDM right now, but I see you have " access-list Etherpoint_access_in extended permit tcp any eq 3389 host 192.168.125.8 eq 3389" Unless "192.168.125.8" is your global IP, something is wrong here. You should permit to destination port 3389 on the global IP, on the inbound ACL of your outside interface, when you are applying an ACL before translation. Then traffic matching your port forwarding rule would then be allowed through that ACL " access-list Etherpoint_access_in extended permit tcp host 192.168.125.8 eq 3389 any eq 3389" You don't need this, assuming .125.8 is an inside IP and Etherpoint is your outside int.
Here is the pertinent section of the runing config.
! interface Ethernet0/2 nameif Etherpoint security-level 0 ip address outside-ip 255.255.255.252 ospf cost 10 !
object-group service terminal-services tcp port-object eq 3389 access-list Inside_access_in extended permit icmp any any access-list Inside_access_in extended permit ip 192.168.125.0 255.255.255.0 any access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 MobileVPN 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 MobileVPN 255.255.255.0 inactive access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 any inactive access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.14.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.100.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.101.0 255.255.255.0 access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.253.0 255.255.255.0 access-list Haven_splitTunnelAcl_1 standard permit 192.168.125.0 255.255.255.0 access-list Etherpoint_access_in extended permit tcp host 192.168.125.8 eq 3389 any eq 3389 access-list Etherpoint_access_in extended permit tcp any eq 3389 host 192.168.125.8 eq 3389 access-list Etherpoint_access_in extended permit tcp any host 192.168.125.8 eq 3389 access-list Etherpoint_nat0_outbound extended permit ip host 192.168.125.8 host outside-ip access-list Etherpoint_nat0_outbound extended permit ip host outside-ip host 192.168.125.8
ip local pool HavenVPN 192.168.253.1-192.168.253.254 mask 255.255.255.0
global (Etherpoint) 2 interface
nat (Inside) 0 access-list Inside_nat0_outbound nat (Inside) 2 192.168.125.0 255.255.255.0 nat (Etherpoint) 0 access-list Etherpoint_nat0_outbound outside static (Inside,Etherpoint) tcp interface 3389 192.168.125.8 3389 netmask 255.255.255.255
no threat-detection statistics tcp-intercept access-group Inside_access_in in interface Inside access-group Etherpoint_access_in in interface Etherpoint
route Etherpoint 0.0.0.0 0.0.0.0 204.186.102.187 1
-------- Original Message -------- Subject: Re: Hello List, a easy Cisco question. From: Dennis <[1]daodennis@gmail.com> Date: Mon, July 11, 2011 12:39 pm To: [2]bill@kruchas.com On Mon, Jul 11, 2011 at 12:33 PM, <[3]bill@kruchas.com> wrote: > Hello, > > I am not a heads down network guy, but I have setup a few > firewalls, and have got them to do what I wanted, "eventually". But > mostly through reading and trial and error. > > I am struggling with this one, but I think I know the answer, but > want to verify it with some experts. > > > > We have a cisco asa 5505, with an internet connection with only one > useable ip address (subnet 255.255.255.252). We/they have had a nat > setup for outgoing connections for some time, but I have been trying to So your provider has your ASA behind a NAT or there is a NAT inside,outside statement on your ASA? Some more pieces of the configuration would be helpful here too. Thanks, Dennis O.
References
1. mailto:daodennis@gmail.com 2. mailto:bill@kruchas.com 3. mailto:bill@kruchas.com
Regards, -- -JH
participants (2)
-
bill@kruchas.com
-
Jimmy Hess