08-02-2007 07:54 AM - edited 03-11-2019 03:52 AM
Hi all-
Noob question here. Got no Cisco experience, sorry.
We've got a pair of 525's (the second is set for failover) that were set up for us by a consultant who used CLI to do everything.
At the time, the consultant said that we can't use the GUI to do NAT edits because he did the initial setup on CLI. That sounds like a load of Shatner to me, but is that true?
Anyway, I now need to add a NAT to allow port 5632 to go to my web server. I used Checkpoint for years, so doing it via GUI shouldn't be a big challenge.
I go into the Cisco ASDM GUI v1.1(1) and add:
static: inside: 10.1.1.21: port 5632(tcp): any: outside: 66.251.64.101: port 5632(tcp)
static: inside: 10.1.1.21: port 5632(udp): any: outside: 66.251.64.101: port 5632(udp)
I get a popup saying "This static port mapping translation rule is overlapping with a dynamic address translation rule for inside:0.0.0.0/0.0.0.0(any) using global pool 10. Do you still wish to proceed?"
Clicking "Proceed" adds the rule, but still doesn't seem to open up the port.
It's the exact same setup I have for allowing port 80 (http) on the web server. Web works. This doesn't.
Ideas?
Thanks-
-jimr
08-02-2007 10:43 AM
ACL looks fine. You are allowing www and tcp 5632 to x.x.x.101 and the corresponding static statements are good as well.
Please rate helpful posts.
08-02-2007 08:11 AM
You can use the gui.
Could you post the config?
Have you also allowed port 5632 in an access-list?
08-02-2007 08:28 AM
Re: allowing in access list: Probably not, a consultant did the setup. Where would I look?
Re: posting config: Consultant didn't set up a TFTP server. Any suggestions as to how to get this file to my PC so I can upload?
I've got 3 files in flash:
asdm-501.bin (5.9 M)
downgrade.cfg (5k)
image.bin (5.1M)
Which file are we after?
-jimr
08-02-2007 08:36 AM
You would probably look under config -> Security policy I think, not 100% sure in pdm.
To get the config you should be able to go to file -> show running config in new window. Then just copy and paste. Remove passwords and public ip addresses.
08-02-2007 08:50 AM
That was handy. Here's the config.
Looking in the config's access list, I don't see any entry for 5632, even though it's in the NAT. That must be the problem.
So the "duh" question now, I'd imagine, would be "Should I set up this rule in the AL?"
allow: any: x.x.x.101: incoming: outside: 5632
But the more important question is "How do I save my current setup so I can restore if I cork it all up trying to add this rule?"
08-02-2007 09:00 AM
Yes, you need an acl entry for this.
access-list 101 extended permit tcp any host x.x.x.101 eq 5632
If you put the acl entry in and don't save then you can always reboot and you'll be back to the last saved config.
Not sure exactly how it goes in the gui, just do the same as for the other entries, for example...
access-list 101 extended permit tcp any host x.x.x.101 eq www
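The gap in this thread, a static port translation with no matching ACL permit on the outside interface, is easy to audit mechanically. Below is an added example (my code, not from this thread or from Cisco) that reads a PIX 7.x style config and lists every static whose global address and port no inbound ACL permits; the sample config is constructed from the thread's lines, the service-name table is an assumed subset, and only ACEs of the shape `permit <proto> any host <ip> [eq <port>]` are understood.

```python
import re

# Constructed sample in PIX 7.x syntax, modelled on the thread's static and
# access-list lines (x.x.x.101 is the masked public address from the thread).
SAMPLE_CONFIG = """
static (inside,outside) tcp x.x.x.101 www 10.1.1.21 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.101 5632 10.1.1.21 5632 netmask 255.255.255.255
static (inside,outside) udp x.x.x.101 5632 10.1.1.21 5632 netmask 255.255.255.255
access-list 101 extended permit tcp any host x.x.x.101 eq www
access-group 101 in interface outside
"""

# Service names the PIX substitutes for port numbers (assumed subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25}

STATIC = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACE = re.compile(r"^access-list (\S+) extended permit (tcp|udp|ip) any host (\S+)(?: eq (\S+))?")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")

def to_port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def unreachable_statics(config_text):
    """Return (proto, global_ip, port) for each static port translation that no
    inbound ACL on its outside interface permits. Simplification: only ACEs of
    the form 'permit <proto> any host <ip> [eq <port>]' are understood."""
    bound = {}      # interface -> ACL name applied inbound
    aces = {}       # ACL name -> list of (proto, host, port-or-None)
    statics = []
    for line in config_text.splitlines():
        line = line.strip()
        if m := GROUP.match(line):
            bound[m.group(2)] = m.group(1)
        elif m := ACE.match(line):
            name, proto, host, port = m.groups()
            aces.setdefault(name, []).append((proto, host, to_port(port) if port else None))
        elif m := STATIC.match(line):
            _in_if, out_if, proto, gip, gport, _lip, _lport = m.groups()
            statics.append((out_if, proto, gip, to_port(gport)))
    missing = []
    for out_if, proto, gip, gport in statics:
        permitted = any(
            p in (proto, "ip") and h == gip and (pt is None or pt == gport)
            for p, h, pt in aces.get(bound.get(out_if, ""), [])
        )
        if not permitted:
            missing.append((proto, gip, gport))
    return missing

if __name__ == "__main__":
    for proto, ip, port in unreachable_statics(SAMPLE_CONFIG):
        print(f"static {proto}/{port} to {ip} has no matching ACL permit")
```

Run against the sample it reports the tcp and udp 5632 statics; adding the `eq 5632` ACE from the reply above clears the tcp one.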
08-02-2007 10:34 AM
Okay, the entry is made. (See new config file.) Still not sure if it's working.
I did a log while I tried to hit the site from an external connection.
Log shows I'm in and that it built a connection, so I can only assume I'm up and that the remainder of the problem is going to be configuring IIS properly.
Here's the log entries:
6|Aug 02 2007 14:21:34|302014: Teardown TCP connection 44083483 for outside:x.x.x.110/6498 to inside:10.1.1.21/5632
duration 0:01:04 bytes 771 TCP Reset-O
6|Aug 02 2007 14:20:33|302013: Built inbound TCP connection 44083483 for outside:x.x.x.110/6498 (x.x.x.110/6498)
to inside:10.1.1.21/5632 (x.x.x.101/5632)
So it looks like my PIX is passing the data. Many thanks!
-jimr