I'm trying to do a simple scenario: accessing a server on the inside. I'm using the usual trio of lines (static, acl, access-group) as follows:
G = Global IP address (outside interface)
F = Foreign IP address (origin of test)
access-list in_outside_static extended permit ip any host G.G.G.G
static (inside,outside) G.G.G.G 192.168.10.3 netmask 255.255.255.255
access-group in_outside_static in interface outside
But it doesn't work...
The ACL never fires (hitcnt=0), but the log indicates:
TCP request discarded from F.F.F.F/1137 to outside:G.G.G.F/21.
Note: The outside interface receives its IP address by DHCP. Does the static xlate have a problem with this?
Do you have an idea where to look to resolve this behavior?
I'm using an ASA 5520, version 7.2(1).
More info: I ran a packet-tracer, which reveals that G.G.G.G isn't translated in phase 2 below. Why?
# packet-tracer input outside tcp F.F.F.F 1025 G.G.G.G$
Found no matching flow, creating a new flow
static (inside,outside) tcp G.G.G.G ftp 192.168.10.3 ftp netmask 255.255.255.255 norandomseq
match tcp inside host 192.168.10.3 eq 21 outside any
static translation to G.G.G.G/21
translate_hits = 0, untranslate_hits = 11
NAT divert to egress interface inside
Untranslate G.G.G.G/21 to 192.168.10.3/21 using netmask 255.255.255.255
in G.G.G.G 255.255.255.255 identity
output-interface: NP Identity Ifc
Drop-reason: (acl-drop) Flow is denied by configured rule
Yes, this is by design. You must use the interface keyword instead of specifying the actual IP address when you want to include the IP address of a PIX Firewall interface in a static PAT entry.
Please refer to the command reference below for details.
I hope it helps.
** Please rate all helpful posts **
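To make the answer concrete, here is an added configuration example (mine, not the poster's running config and not taken from the reply above). It assumes the interface names inside/outside and the server 192.168.10.3 from the question, FTP on port 21 as in the log line, and that this ASA 7.2 release accepts the interface keyword in both the static and the access-list address fields. The commented-out lines are the form from the question; the active lines are the form the reply recommends.

```cisco
! Added example, not the poster's configuration.
! Assumptions: interface names inside/outside, server 192.168.10.3, service FTP/21.
!
! Form from the question: the static names the literal outside address G.G.G.G.
! Because that address belongs to the appliance itself (and here is assigned by
! DHCP), packet-tracer shows it handled as "identity" and the xlate never applies.
!   static (inside,outside) G.G.G.G 192.168.10.3 netmask 255.255.255.255
!   access-list in_outside_static extended permit ip any host G.G.G.G
!
! Recommended form: static PAT using the interface keyword, so the translation
! follows whatever address DHCP hands the outside interface. Only port-level
! (PAT) statics are possible on the interface's own address.
static (inside,outside) tcp interface ftp 192.168.10.3 ftp netmask 255.255.255.255
!
! The ACL references the interface address the same way instead of a literal,
! and is narrowed to the one service being published rather than "permit ip".
access-list in_outside_static extended permit tcp any interface outside eq ftp
access-group in_outside_static in interface outside
!
! Checks after applying (standard show commands, assumed available on 7.2):
!   show ip                            - current DHCP-assigned outside address
!   show xlate                         - expect a static PAT entry for port 21
!   show access-list in_outside_static - hitcnt should increment on a test connection
!   packet-tracer input outside tcp F.F.F.F 1025 <outside address from show ip> 21
```

The packet-tracer check is the same one the poster ran; with the interface form, the NAT phase should report a static translation rather than the identity/acl-drop result shown in the question.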