03-03-2007 05:23 AM - edited 03-11-2019 02:41 AM
I have a single static IP and currently serve http, https, & SMTP (successfully) through PAT with a PIX 501.
I've tried every combination of Outside_in ACLs, even a permit any any, and incoming traffic is still blocked by ACL. The logged event is:
TCP access denied by ACL from 195.156.154.115/3359 to WAN:195.156.111.132/443
03-04-2007 11:39 AM
Is the ACL applied to an interface? For example, if your ACL is named inpackets, then you would need "access-group inpackets in interface outside".
03-05-2007 05:39 AM
Yes, it is applied to an interface:
"access-group WAN_access_in in interface WAN"
03-05-2007 05:35 AM
Having 2 static IPs, using a different one for port forwarding, all works fine.
03-06-2007 11:13 AM
What version of IOS are you running? I currently have this setup without any issues at all.
access-list 100 extended permit tcp any host X.X.X.X eq smtp
static (inside,outside) tcp interface smtp servers ip here smtp netmask 255.255.255.255
Applied to the interface
access-group 100 in interface outside
03-06-2007 01:56 PM
Hi,
I guess I am saying the same thing again.
For the access from outside to inside
you need
the static:
static (inside,outside)
Let's say the internal IP address of the server is 10.0.0.2,
so the static would be:
static (inside,outside) 195.156.111.132 10.0.0.2
Along with this, we need an access-list on the outside interface which permits the traffic.
access-list out_in permit tcp any host 195.156.111.132 eq http
access-list out_in permit tcp any host 195.156.111.132 eq https
access-list out_in permit tcp any host 195.156.111.132 eq smtp
Let me know if this helps.
Sushil
03-09-2007 09:40 AM
Hi,
I have the following commands:
access-list WAN_access_in extended permit ip any host 195.156.111.131
static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255
access-group WAN_access_in in interface WAN
ASA has the IP 195.156.111.132.
If I have the commands with a different IP, e.g. 131, it works. If I use the ASA's own IP, 132, I get ACL denies.
03-09-2007 09:45 AM
If you want to do .132 (ASA outside interface), you should do
static (LAN,WAN) tcp interface www 192.168.151.22 www netmask 255.255.255.255
Note: elijah recommended the same thing above.
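An added example, not part of the original thread: a small config check for the mistake resolved above, where a static PAT entry spells out the firewall's own outside address instead of using the `interface` keyword. The sample config is constructed from the addresses in the thread; the subnet masks, the LAN interface address, the https and smtp entries and the function names are assumptions.

```python
import re

# Constructed sample in ASA 7.x syntax. WAN/LAN names and the .131/.132/.22
# addresses follow the thread; masks and the LAN address are assumptions.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif WAN
 ip address 195.156.111.132 255.255.255.248
interface Ethernet0/1
 nameif LAN
 ip address 192.168.151.1 255.255.255.0
static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255
static (LAN,WAN) tcp 195.156.111.132 https 192.168.151.22 https netmask 255.255.255.255
static (LAN,WAN) tcp interface smtp 192.168.151.22 smtp netmask 255.255.255.255
"""

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+)")

def interface_addresses(config):
    """Map each nameif to the IP address configured on that interface."""
    addrs, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None          # new interface stanza, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            addrs[name] = line.split()[2]
    return addrs

def lint_static_pat(config):
    """Return (bad_line, suggested_line) for static PAT entries whose mapped
    address is the mapped interface's own IP rather than `interface`."""
    addrs = interface_addresses(config)
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m and m["mapped"] != "interface" and m["mapped"] == addrs.get(m["mapped_if"]):
            fixed = line.replace(f" {m['mapped']} ", " interface ", 1)
            findings.append((line, fixed))
    return findings

if __name__ == "__main__":
    for bad, fixed in lint_static_pat(SAMPLE_CONFIG):
        print(f"uses interface address: {bad}\n  suggest: {fixed}")
```

Only the entry that maps to .132 is reported; the .131 entry and the one already using `interface` pass.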