
525 GUI vs CLI?

rocker311
Level 1

Hi all-

Noob question here. Got no Cisco experience, sorry.

We've got a pair of 525's (the second is set for failover) that were set up for us by a consultant who used CLI to do everything.

At the time, the consultant said that we can't use the GUI to do NAT edits because he did the initial setup on CLI. That sounds like a load of Shatner to me, but is that true?

Anyway, I now need to add a NAT to allow port 5632 to go to my web server. I used Checkpoint for years, so doing it via GUI shouldn't be a big challenge.

I go into the Cisco ASDM GUI v1.1(1) and add:

static: inside: 10.1.1.21: port 5632(tcp): any: outside: 66.251.64.101: port 5632(tcp)

static: inside: 10.1.1.21: port 5632(udp): any: outside: 66.251.64.101: port 5632(udp)

I get a popup saying "This static port mapping translation rule is overlapping with a dynamic address translation rule for inside:0.0.0.0/0.0.0.0(any) using global pool 10. Do you still wish to proceed?"

Clicking "Proceed" adds the rule, but still doesn't seem to open up the port.

It's the exact same setup I have for allowing port 80 (http) on the web server. Web works. This doesn't.

Ideas?

Thanks-

-jimr

7 Replies

acomiskey
Level 10

You can use the gui.

Could you post the config?

Have you also allowed port 5632 in an access-list?

Re: allowing in access list: Probably not, a consultant did the setup. Where would I look?

Re: posting config: Consultant didn't set up a TFTP server. Any suggestions as to how to get this file to my PC so I can upload?

I've got 3 files in flash:

asdm-501.bin (5.9 M)

downgrade.cfg (5k)

image.bin (5.1M)

Which file are we after?

-jimr

You would probably look under config -> Security policy I think, not 100% sure in pdm.

To get the config you should be able to go to file -> show running config in new window. Then just copy and paste. Remove passwords and public ip addresses.

That was handy. Here's the config.

Looking in the config's access list, I don't see any entry for 5632, even though it's in the NAT. That must be the problem.

So the "duh" question now, I'd imagine, would be "Should I set up this rule in the AL?"

allow: any: x.x.x.101: incoming: outside: 5632

But the more important question is "How do I save my current setup so I can restore if I cork it all up trying to add this rule?"

Yes, you need an acl entry for this.

access-list 101 extended permit tcp any host x.x.x.101 eq 5632

If you put the acl entry in and don't save then you can always reboot and you'll be back to the last saved config.

Not sure exactly how it goes in the gui, just do the same as for the other entries, for example...

access-list 101 extended permit tcp any host x.x.x.101 eq www
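The gap acomiskey identifies, a port static that no entry in the outside ACL permits, is simple to audit mechanically once the running config has been copied out as described above. The script below is an added example, not code from the thread or from Cisco; it parses a constructed PIX configuration fragment modelled on the thread's entries (the poster's real config is not on the page) and reports every port static that has no permitting entry in the ACL bound inbound on its global interface. It understands only the `static (in,out) tcp|udp ...`, `access-list NAME extended permit ...` and `access-group NAME in interface IFACE` shapes shown here, with `any`/`host` endpoints.

```python
import re

# Constructed PIX configuration fragment (assumption: modelled on the thread's
# NAT entries and ACL, not the poster's actual config). The tcp/udp 5632
# statics exist, but only www has a matching access-list entry.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 66.251.64.101 www 10.1.1.21 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 66.251.64.101 5632 10.1.1.21 5632 netmask 255.255.255.255 0 0
static (inside,outside) udp 66.251.64.101 5632 10.1.1.21 5632 netmask 255.255.255.255 0 0
access-list 101 extended permit tcp any host 66.251.64.101 eq www
access-group 101 in interface outside
"""

# Subset of the service names PIX accepts in place of port numbers.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25,
              "domain": 53, "ssh": 22, "telnet": 23}

STATIC_RE = re.compile(
    r"^static \((?P<inside>\w+),(?P<outside>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<gip>\S+) (?P<gport>\S+) (?P<lip>\S+) (?P<lport>\S+)")
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?$")
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")


def port_number(tok):
    """Translate a PIX port token ('www', '5632') to an integer, or None if unknown."""
    if tok.isdigit():
        return int(tok)
    return PORT_NAMES.get(tok.lower())


def parse(config_text):
    """Collect port statics, ACL entries and interface bindings from config text."""
    statics, aces, groups = [], [], {}
    for line in config_text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append({"iface": m["outside"], "proto": m["proto"], "gip": m["gip"],
                            "gport": port_number(m["gport"]), "lip": m["lip"],
                            "lport": port_number(m["lport"])})
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append({"name": m["name"], "proto": m["proto"], "dst": m["dst"],
                         "port": port_number(m["port"]) if m["port"] else None})
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m["iface"]] = m["name"]
    return statics, aces, groups


def ace_permits(ace, static):
    """True if this ACE permits inbound traffic to the static's global ip:port."""
    proto_ok = ace["proto"] in ("ip", static["proto"])
    dst_ok = ace["dst"] == "any" or ace["dst"] == f"host {static['gip']}"
    port_ok = ace["port"] is None or ace["port"] == static["gport"]
    return proto_ok and dst_ok and port_ok


def unreachable_statics(config_text):
    """Return (proto, global_ip, global_port) for every port static that no ACE
    in the ACL applied inbound on its global interface permits."""
    statics, aces, groups = parse(config_text)
    missing = []
    for s in statics:
        bound = [a for a in aces if a["name"] == groups.get(s["iface"])]
        if not any(ace_permits(a, s) for a in bound):
            missing.append((s["proto"], s["gip"], s["gport"]))
    return missing


if __name__ == "__main__":
    for proto, ip, port in unreachable_statics(SAMPLE_CONFIG):
        print(f"static {proto} {ip}:{port} has no permitting ACE on its outside ACL")
```

On the sample config the script reports both 5632 statics; appending the `access-list 101 extended permit tcp any host 66.251.64.101 eq 5632` line from this answer clears the TCP one, and the UDP static stays flagged until it gets its own entry. Treat the output as a worklist, not a verdict: an `any` destination or an `ip` protocol entry will satisfy the check while being far broader than the single port the static needs.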

Okay, the entry is made. (See new config file.) Still not sure if it's working.

I did a log while I tried to hit the site from an external connection.

Log shows I'm in and that it built a connection, so I can only assume I'm up and that the remainder of the problem is going to be configuring IIS properly.

Here's the log entries:

6|Aug 02 2007 14:21:34|302014: Teardown TCP connection 44083483 for outside:x.x.x.110/6498 to inside:10.1.1.21/5632 duration 0:01:04 bytes 771 TCP Reset-O

6|Aug 02 2007 14:20:33|302013: Built inbound TCP connection 44083483 for outside:x.x.x.110/6498 (x.x.x.110/6498) to inside:10.1.1.21/5632 (x.x.x.101/5632)

So it looks like my PIX is passing the data. Many thanks!

-jimr
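The two syslog lines above are the evidence that the static and the ACL now work together: a 302013 "Built inbound" with the global socket in parentheses and the translated inside socket after "to", then a 302014 teardown carrying duration and byte count. The following Python script is an added example, not from the thread or from Cisco; it pairs those two message types by connection id and summarises every inbound connection that arrived on a given mapped ip:port and was translated to a given inside ip:port. The first two sample lines are the thread's own (in the newest-first order it shows them); the third is constructed to show a connection that has been built but not yet torn down.

```python
import re

# Sample log: the thread's two lines, plus one constructed 302013 for a second
# client whose connection has no teardown yet (assumption, not from the page).
SAMPLE_LOG = [
    "6|Aug 02 2007 14:21:34|302014: Teardown TCP connection 44083483 for outside:x.x.x.110/6498 "
    "to inside:10.1.1.21/5632 duration 0:01:04 bytes 771 TCP Reset-O",
    "6|Aug 02 2007 14:20:33|302013: Built inbound TCP connection 44083483 for outside:x.x.x.110/6498 "
    "(x.x.x.110/6498) to inside:10.1.1.21/5632 (x.x.x.101/5632)",
    "6|Aug 02 2007 14:22:10|302013: Built inbound TCP connection 44083501 for outside:x.x.x.120/51000 "
    "(x.x.x.120/51000) to inside:10.1.1.21/5632 (x.x.x.101/5632)",
]

# 302013: Built <dir> TCP connection <id> for <if>:<real>/<port> (<mapped>/<port>) to ...
BUILT_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|302013: Built (?P<dir>inbound|outbound) TCP connection "
    r"(?P<id>\d+) for (?P<sif>\w+):(?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"\((?P<smip>[^/\s]+)/(?P<smport>\d+)\) to (?P<dif>\w+):(?P<dip>[^/\s]+)/(?P<dport>\d+) "
    r"\((?P<dmip>[^/\s]+)/(?P<dmport>\d+)\)$")
# 302014: Teardown TCP connection <id> for ... duration h:mm:ss bytes N [reason]
TEARDOWN_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[^/\s]+)/(?P<sport>\d+) to (?P<dif>\w+):(?P<dip>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$")


def duration_seconds(hms):
    """Convert the h:mm:ss duration field to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def correlate(lines):
    """Pair Built (302013) and Teardown (302014) events by connection id,
    regardless of the order the lines arrive in."""
    conns = {}
    for line in lines:
        m = BUILT_RE.match(line.strip())
        if m:
            conns.setdefault(m["id"], {})["built"] = m.groupdict()
            continue
        m = TEARDOWN_RE.match(line.strip())
        if m:
            conns.setdefault(m["id"], {})["teardown"] = m.groupdict()
    return conns


def inbound_hits(lines, mapped_ip, mapped_port, real_ip, real_port):
    """Summarise inbound connections that arrived on mapped_ip:mapped_port and
    were translated to real_ip:real_port; open ones have no duration/bytes."""
    hits = []
    for cid, ev in correlate(lines).items():
        b = ev.get("built")
        if not b or b["dir"] != "inbound":
            continue
        if (b["dmip"], int(b["dmport"]), b["dip"], int(b["dport"])) != \
                (mapped_ip, mapped_port, real_ip, real_port):
            continue
        t = ev.get("teardown")
        hits.append({
            "id": cid,
            "client": f"{b['sip']}/{b['sport']}",
            "state": "closed" if t else "open",
            "duration_s": duration_seconds(t["dur"]) if t else None,
            "bytes": int(t["bytes"]) if t else None,
            "reason": t["reason"] if t else None,
        })
    return sorted(hits, key=lambda h: h["id"])


if __name__ == "__main__":
    for h in inbound_hits(SAMPLE_LOG, "x.x.x.101", 5632, "10.1.1.21", 5632):
        print(h)
```

For the thread's connection the summary reads 64 seconds, 771 bytes, reason `TCP Reset-O`, so the firewall did translate and pass the session and the remaining question is what the server behind it did with the traffic. Asking the same function about port 80 on the same hosts returns nothing for this sample, which is the quick way to tell "rule not hit" from "rule hit, application unhappy" when working through a new static.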

ACL looks fine. You are allowing www and tcp 5632 to x.x.x.101 and the corresponding static statements are good as well.

Please rate helpful posts.