03-11-2008 12:33 PM - edited 03-11-2019 05:15 AM
Hi,
I have
1- Firewall configure with outside IP 201.100.100.1
2- Router 1 with loop back 10.1.1.1 (inside network)
3- Router 2 with loop back 10.2.2.2 (inside network)
I configure the following on ASA
static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 201.100.100.1 1200 10.2.2.2 telnet netmask 255.255.255.255
I configured an outside access list which allows access from any to host 201.100.100.1 using ports 1100 & 1200.
I need to telnet from the outside to the inside routers using the same outside interface. This configuration does not work. When I tried the same configuration using a different outside IP (not the outside interface IP) it worked fine. So could you please advise how I can do this using the same outside IP address. This scenario was asked in the Internetwork Expert scenarios for the CCIE lab, but it didn't work for me.
Please advise if I missed something.
Thanks
03-11-2008 12:38 PM
If you are using the outside interface address for translation then use the word interface instead of the address in the static command.
Remove:
no static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255
Add:
static (inside,outside) tcp interface 1100 10.1.1.1 telnet netmask 255.255.255.255
HTH
Sundar
03-11-2008 12:41 PM
Also use "interface outside" instead of the IP in your ACL,
and make sure your firewall can ping the loopback IPs you're trying to connect to.
03-11-2008 12:49 PM
Steven,
Using interface in place of address should take care of his problem as he stated he was able to connect to the inside router using a different outside address.
-Sundar
03-11-2008 12:53 PM
Yes, and best practice is to also use "interface outside" in the ACL if you're using the IP of the interface for PAT.
03-11-2008 12:51 PM
Thanks. It works for R1, which is located inside, but not for R2, which is located in the DMZ!!!!!
I applied the below commands:
access-list OUTSIDE extended permit tcp any interface outside eq 2223
access-list OUTSIDE extended permit tcp any interface outside eq 1123
!
static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
!
Telnet is working for 10.1.1.1 but not for 10.1.2.2, while I can ping all of them.
Please advise.
Thanks,
03-11-2008 12:54 PM
no static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
static (dmz,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
This assumes "dmz" is the name of your DMZ interface (as defined with the nameif command).
03-11-2008 12:56 PM
For DMZ reconfigure your static for translation between DMZ and outside address.
static (DMZ,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
I just noticed Steven had responded to this post as well.
Abdullah, if nat-control is enabled in the firewall, a NAT rule is required between a pair of interfaces, and that's the reason why you have to do this.
HTH
Sundar
03-11-2008 12:58 PM
Thanks a lot. I've been sitting in the lab since morning. It seems I should leave it because I cannot distinguish between DMZ and inside now, lol.
Thanks a lot. It works.
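The two mistakes the thread walks through (a literal outside interface address where the `interface` keyword is needed, and a static whose first interface name does not match where the real host actually lives) are easy to catch mechanically. The following is an added example written for this thread, not configuration or code from the original posts or from Cisco: a small checker that parses `static` and `access-list` lines against a constructed table of interface subnets (the 10.1.1.0/24, 10.1.2.0/24 and 201.100.100.0/24 networks are assumptions, since the thread never states the real addressing).

```python
import ipaddress
import re

# Constructed interface table (nameif -> subnet). Assumed values for this
# example; the thread only names the hosts, not their subnets.
INTERFACES = {
    "outside": ipaddress.ip_network("201.100.100.0/24"),
    "inside": ipaddress.ip_network("10.1.1.0/24"),
    "dmz": ipaddress.ip_network("10.1.2.0/24"),
}
OUTSIDE_IP = ipaddress.ip_address("201.100.100.1")  # outside interface address

# static (real_if,mapped_if) tcp <mapped-addr|interface> <mport> <real-ip> <rport> ...
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+tcp\s+"
    r"(?P<mapped>\S+)\s+(?P<mport>\S+)\s+(?P<real>\S+)\s+(?P<rport>\S+)",
    re.IGNORECASE,
)


def check_static(line):
    """Return a list of findings for one static PAT line (empty if it looks right)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return ["unparsed static line"]
    findings = []
    real_if, mapped = m["real_if"].lower(), m["mapped"]
    # Mapping to the outside interface's own address requires the 'interface' keyword.
    if mapped.lower() != "interface":
        try:
            if ipaddress.ip_address(mapped) == OUTSIDE_IP:
                findings.append("mapped address is the outside interface IP; use 'interface'")
        except ValueError:
            findings.append(f"mapped address {mapped!r} is neither an IP nor 'interface'")
    # The real host must sit behind the interface named first in the static.
    try:
        real_ip = ipaddress.ip_address(m["real"])
    except ValueError:
        return findings + [f"real address {m['real']!r} is not an IP"]
    home = next((n for n, net in INTERFACES.items() if real_ip in net), None)
    if home is None:
        findings.append(f"real host {real_ip} matches no known interface")
    elif home != real_if:
        findings.append(f"real host {real_ip} is on {home}, not {real_if}")
    return findings


def check_acl(line):
    """Flag ACL entries that match the outside IP as a host instead of 'interface outside'."""
    if re.search(rf"\bhost\s+{re.escape(str(OUTSIDE_IP))}\b", line):
        return ["ACL names the outside interface IP as a host; use 'interface outside'"]
    return []
```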