03-11-2008 12:33 PM - edited 03-11-2019 05:15 AM
Hi,
I have:
1- A firewall configured with outside IP 201.100.100.1
2- Router 1 with loopback 10.1.1.1 (inside network)
3- Router 2 with loopback 10.2.2.2 (inside network)
I configured the following on the ASA:
static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 201.100.100.1 1200 10.2.2.2 telnet netmask 255.255.255.255
I configured an outside access list which allows access from any to host 201.100.100.1 on ports 1100 & 1200.
I need to telnet from the outside to the inside routers using the same outside interface. This configuration does not work. When I tried the same configuration using a different outside IP (not the outside interface IP) it worked fine. So could you please advise how I can do this using the same outside IP address? This scenario was asked in the Internetwork Expert scenarios for the CCIE lab, but it didn't work for me.
Please advise if I missed something.
Thanks
03-11-2008 12:38 PM
If you are using the outside interface address for translation, then use the word interface instead of the address in the static command.
Remove:
no static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255
Add:
static (inside,outside) tcp interface 1100 10.1.1.1 telnet netmask 255.255.255.255
HTH
Sundar
03-11-2008 12:41 PM
Also use "interface outside" instead of the IP in your ACL,
and make sure your firewall can ping the loopback IPs you're trying to connect to.
03-11-2008 12:49 PM
Steven,
Using interface in place of address should take care of his problem as he stated he was able to connect to the inside router using a different outside address.
-Sundar
03-11-2008 12:53 PM
Yes, and best practice is to also use "interface outside" in the ACL if you're using the IP of the interface for PAT.
03-11-2008 12:51 PM
Thanks. It works for R1, which is located on the inside, but not for R2, which is located in the DMZ!
I applied the commands below:
access-list OUTSIDE extended permit tcp any interface outside eq 2223
access-list OUTSIDE extended permit tcp any interface outside eq 1123
!
static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
!
Telnet is working for 10.1.1.1 but not for 10.1.2.2, while I can ping all of them.
Please advise.
Thanks,
03-11-2008 12:54 PM
no static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
static (dmz,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
This assumes "dmz" is the name of your DMZ interface (as defined with the nameif command).
03-11-2008 12:56 PM
For the DMZ, reconfigure your static for translation between the DMZ and outside address.
static (DMZ,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
I just noticed Steven had responded to this post as well.
Abdullah, if nat-control is enabled in the firewall, a NAT rule is required between a pair of interfaces, and that's the reason why you have to do this.
HTH
Sundar
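The thread above works through three separate mistakes: a static whose mapped address is the outside interface's literal IP rather than the `interface` keyword, an ACL whose destination is `host <interface IP>` rather than `interface outside`, and a static whose first interface is not the one the real host actually sits behind (inside vs. DMZ). The following lint catches all three in a pre-8.3 ASA config. It is an added example, not code from this thread or from Cisco; the interface table (`INTERFACES`) and the sample configuration (`SAMPLE_CONFIG`) are constructed for the example, and the interface IPs 10.1.1.254 and 10.1.2.254 are assumptions, not values from the original poster's lab.

```python
"""Lint pre-8.3 ASA static PAT and ACL lines for the mistakes discussed above.

Added example. INTERFACES and SAMPLE_CONFIG are constructed assumptions,
not the original poster's lab.
"""
import ipaddress
import re

# Assumed interface table: nameif -> (interface's own IP, networks reached via it).
INTERFACES = {
    "outside": ("201.100.100.1", ["201.100.100.0/24"]),
    "inside": ("10.1.1.254", ["10.1.1.0/24"]),
    "dmz": ("10.1.2.254", ["10.1.2.0/24"]),
}

# static (real_if,mapped_if) tcp|udp <mapped> <mapped_port> <real> <real_port> netmask <mask>
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real>\S+)\s+(?P<real_port>\S+)\s+netmask\s+(?P<mask>\S+)\s*$",
    re.IGNORECASE,
)
# access-list NAME extended permit tcp|udp <src> <dst> eq <port>
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>interface\s+[\w-]+|host\s+\S+)\s+eq\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def interface_ips():
    """Map each interface's own IP back to its nameif."""
    return {ip: name for name, (ip, _nets) in INTERFACES.items()}


def interface_for_host(ip):
    """Return the nameif through which `ip` is reached, or None if no interface does."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for name, (_ip, nets) in INTERFACES.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return name
    return None


def lint(config):
    """Return a list of findings (strings) for the given config text, in line order."""
    findings = []
    own_ips = interface_ips()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lowered = line.lower()
        if lowered.startswith("static "):
            m = STATIC_RE.match(line)
            if not m:
                findings.append(f"unparsed static line: {line}")
                continue
            mapped, real = m["mapped"], m["real"]
            real_if, mapped_if = m["real_if"], m["mapped_if"]
            # Mistake 1: literal interface IP used as the mapped address.
            if mapped.lower() != "interface" and mapped in own_ips:
                findings.append(
                    f"{line}: {mapped} is the {own_ips[mapped]} interface IP; "
                    "use 'interface' instead of the literal address"
                )
            # Mistake 3: static written between the wrong interface pair.
            home = interface_for_host(real)
            if home is None:
                findings.append(f"{line}: no interface reaches real host {real}")
            elif home != real_if:
                findings.append(
                    f"{line}: real host {real} sits behind {home}, not {real_if}; "
                    f"the static must be ({home},{mapped_if})"
                )
        elif lowered.startswith("access-list "):
            m = ACL_RE.match(line)
            if not m:
                findings.append(f"unparsed access-list line: {line}")
                continue
            # Mistake 2: ACL destination is the interface's own IP as a host.
            dst = m["dst"].split()
            if dst[0].lower() == "host" and dst[1] in own_ips:
                findings.append(
                    f"{line}: destination {dst[1]} is the {own_ips[dst[1]]} interface IP; "
                    f"use 'interface {own_ips[dst[1]]}'"
                )
    return findings


# Constructed sample: the thread's broken lines next to their corrected forms.
SAMPLE_CONFIG = """
access-list OUTSIDE extended permit tcp any host 201.100.100.1 eq 1100
access-list OUTSIDE extended permit tcp any interface outside eq 1123
access-list OUTSIDE extended permit tcp any interface outside eq 2223
!
static (inside,outside) tcp 201.100.100.1 1100 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 1123 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 2223 10.1.2.2 telnet netmask 255.255.255.255
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the lint reports the `host 201.100.100.1` ACL entry, the static that uses the literal outside address, and the `(inside,outside)` static for the DMZ host 10.1.2.2, and stays silent on the corrected lines. The lint only knows what `INTERFACES` tells it; on a real box the equivalent check is to confirm which interface the real host is routed through (`show route`) and then to trace a packet from the outside to the mapped port, e.g. `packet-tracer input outside tcp 198.51.100.7 1025 201.100.100.1 2223`, which shows whether the ACL and the static are actually hit (the 198.51.100.7 source is an arbitrary test address).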
03-11-2008 12:58 PM
Thanks a lot. I have been sitting in the lab since morning. It seems I should leave it, because I cannot distinguish between DMZ and inside any more, lol.
Thanks a lot. It works.