Answer to: Hello List Easy Cisco question.
Hello, and thanks for all the help. What the issue boiled down to, I was creating the access list just like the static command. Which means I was using the source and destination ports when creating it. You just need the destination port, actually because the firewall "catches" the packet on a different port and un encapsulates the packet and passes it through. The different port was causing the accesslist to reject the packet. so this is what I had:
access-list Etherpoint_access_in extended permit tcp any eq 5900 host outside-ip eq 5900
This is what worked :)
access-list Etherpoint_access_in extended permit tcp any host outside-ip eq 5900 A complete example if anyone who needs it to route external request to an internal host:
* access list to permit traffic in access-list Etherpoint_access_in extended permit tcp any host outside-ip eq 5900 *static command to setup the relationship form outside interface to inside host static (Inside,Etherpoint) tcp interface 5900 192.168.125.8 5900 netmask 255.255.255.255 * command to bind the accesslist to the outside interface access-group Etherpoint_access_in in interface Etherpoint Thanks again list Bill Kruchas Below is the full question and details. ***************************************************************** Hello List, First let me say I'm not a heads down network guy, but I have setup several cisco firewalls from pix's some 831's, and now I'm trying to get a asa 5505 configured. ver 7.2 and 5.2 on the ASDM. This has been in and working for some time, granting outbound access. There is only one external useable ip address so everything is using PAT to get out, (although whoever set it up set it up like a nat with a global address pool). I have been trying to get an inbound static command to work, with no luck. First I wonder if I can do a static mapping for ingress on the same IP that is being used for PAT/NAT for egress. And if that is possible why can't I get through, I'm pretty sure the static command is right, and I needed to add two acl's (any to outside) (outside to inside) to get the packet trace in asdm to let the packet into the inside host, but still the translate isn't passing the packet tracing. Please any insight would be greatly appreciated. The log shows the port coming in as something different than what I expect: the 66.152.132.32/1064 should be 66.152.132.32/5900 (for vnc, which is the client I am testing with). These are the lines from the log:
4 Jul 12 2011 11:27:13 106023 66.152.132.32 outside-ip Deny tcp src Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by access-group "Etherpoint_access_in" [0x0, 0x0] 4 Jul 12 2011 11:27:07 106023 66.152.132.32 outside-ip Deny tcp src Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by access-group "Etherpoint_access_in" [0x0, 0x0] 4 Jul 12 2011 11:27:04 106023 66.152.132.32 outside-ip Deny tcp src Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by These are the appropriate lines from the config: access-list Etherpoint_access_in extended permit tcp any eq 5900 host outside-ip eq 5900 access-list Etherpoint_access_in extended permit tcp host outside-ip eq 5900 host 192.168.125.8 eq 5900 global (Etherpoint) 2 interface nat (Inside) 0 access-list Inside_nat0_outbound nat (Inside) 2 192.168.125.0 255.255.255.0 static (Inside,Etherpoint) tcp interface 5900 192.168.125.8 5900 netmask 255.255.255.255 no threat-detection statistics tcp-intercept access-group Inside_access_in in interface Inside access-group Etherpoint_access_in in interface Etherpoint Thanks In Advance Bill Kruchas
participants (1)
-
bill@kruchas.com