ASA 5510 implicit rule woes

Answered Question

Hi,

We have a new ASA 5510. It will connect to the internet by PPPoE, and for the time being we only have one internal network. What I am trying to do is traditional "nat forwarding", i.e. forward HTTP requests from internet hosts to port 80 on our server located in the internal network.


What seems to be the problem is that the ACLs are not recognised, as all traffic is identified and dropped by the last implicit rule. I should also mention that I am a complete noob when it comes to Cisco in general; however, I have worked with different firewall brands for years.


I have attached my current config.

Please note that the ASA is not yet installed - I am testing the configurations on a private-only network with the Outside interface connected via DHCP. Connections from the inside to the outside are working; however, I cannot connect from the Outside to the internal server (for the time being I am only testing HTTP and RDP). Please also note that I am using ASDM for config purposes as I am not really comfortable with the CLI yet.


Any pointers or solutions will be highly appreciated.



Correct Answer by acomiskey, Wed, 09/26/2007 - 04:57

What is the outside interface address? Is it 10.0.102.232? If so, change your static commands and use the "interface" keyword like so...

static (Inside1,Outside) tcp interface www 10.120.0.10 www netmask 255.255.255.255
static (Inside1,Outside) tcp interface 3389 10.120.0.10 3389 netmask 255.255.255.255

Then your acl would simply look like this...

access-list Outside_access_in extended permit tcp any interface outside eq www
access-list Outside_access_in extended permit tcp any interface outside eq 3389
access-group Outside_access_in in interface Outside
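As an added illustration of the point behind the accepted answer (this is not code from the thread or from Cisco), the script below parses `static` PAT and `access-list` lines from a pre-8.3 ASA configuration and flags inbound ACL entries on an interface that do not line up with any static translation on that interface. On that code train the interface ACL is evaluated against the mapped (outside-facing) address, which is why the answer writes the destination as `interface outside`; an entry written against the server's real inside address, or against a port that no static maps, never matches and the connection falls through to the implicit deny the question describes. The sample configuration is constructed: it reuses the answer's lines and adds one deliberately inconsistent ACL entry, and the port-keyword table is a partial assumption rather than the ASA's full list.

```python
import re

# Constructed sample input: the static PAT lines and ACL from the accepted answer,
# plus one constructed ACL line that refers to the server's real inside address
# (10.120.0.10) on a port with no static. On pre-8.3 ASA code the outside ACL is
# matched against the mapped address, so that line would never permit anything.
SAMPLE_CONFIG = """\
static (Inside1,Outside) tcp interface www 10.120.0.10 www netmask 255.255.255.255
static (Inside1,Outside) tcp interface 3389 10.120.0.10 3389 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any interface outside eq www
access-list Outside_access_in extended permit tcp any interface outside eq 3389
access-list Outside_access_in extended permit tcp any host 10.120.0.10 eq 22
access-group Outside_access_in in interface Outside
"""

# A few of the port keywords the ASA accepts in place of numbers (assumed, not exhaustive).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) tcp "
    r"(?P<mapped>\S+) (?P<mapped_port>\S+) (?P<real>\S+) (?P<real_port>\S+) netmask"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp "
    r"(?P<src>any|host \S+|\S+ \S+) "
    r"(?P<dst>any|host \S+|interface \S+|\S+ \S+) eq (?P<port>\S+)$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")


def port_number(token):
    """Resolve an ASA port keyword or a numeric port to an integer."""
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    return int(token)


def parse(config_text):
    """Pull out static PATs, ACL entries and access-group bindings from config text."""
    statics, acls, groups = [], [], {}
    for line in config_text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append({
                "mapped_if": m["mapped_if"].lower(),
                "mapped": m["mapped"].lower(),  # the keyword "interface" or a mapped IP
                "mapped_port": port_number(m["mapped_port"]),
                "real": m["real"],
                "real_port": port_number(m["real_port"]),
            })
        elif m := ACL_RE.match(line):
            acls.append({"name": m["name"], "dst": m["dst"].lower(),
                         "port": port_number(m["port"])})
        elif m := GROUP_RE.match(line):
            groups[m["iface"].lower()] = m["name"]
    return statics, acls, groups


def translation_for(dst, port, iface, statics):
    """Return the static PAT an inbound ACL entry on `iface` lines up with, or None."""
    tokens = dst.split()
    for s in statics:
        if s["mapped_if"] != iface or s["mapped_port"] != port:
            continue
        # Destination "interface <iface>" pairs with a static using the interface keyword.
        if tokens[0] == "interface" and tokens[1] == iface and s["mapped"] == "interface":
            return s
        # Destination "host <ip>" pairs with a static whose mapped address is that ip.
        if tokens[0] == "host" and s["mapped"] == tokens[1]:
            return s
    return None


def check_config(config_text):
    """List inbound ACL entries permitting a destination/port that no static PAT maps."""
    statics, acls, groups = parse(config_text)
    problems = []
    for iface, acl_name in groups.items():
        for entry in (e for e in acls if e["name"] == acl_name):
            if translation_for(entry["dst"], entry["port"], iface, statics) is None:
                problems.append(
                    f"{acl_name}: 'permit tcp ... {entry['dst']} eq {entry['port']}' on "
                    f"{iface} matches no static PAT; inbound traffic will hit the implicit deny"
                )
    return problems


if __name__ == "__main__":
    for p in check_config(SAMPLE_CONFIG) or ["no inconsistencies found"]:
        print(p)
```

Run it against a saved extract of `show running-config` from a pre-8.3 unit; on the constructed sample it reports only the added `host 10.120.0.10 eq 22` entry, while the two entries from the answer pair up with their statics. On 8.3 and later, where interface ACLs match the real address, the pairing rule in `translation_for` would have to be inverted, so the script is deliberately limited to the code train the thread is about.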
