static rule fail

Unanswered Question

Using the attached config, I can telnet to ports 951 & 952 on 2 different real IPs as configured, connecting to a listener on 192.168.200.2, a test machine connected directly to the ASA.

In order to test some of the real connections using the real internal IPs and ports, I've added a few access-list commands:

access-list outside_access_in extended permit icmp any interface outside

access-list outside_access_in extended permit tcp any host 63.x.y.26 eq 951

access-list outside_access_in extended permit tcp any host 63.x.y.27 eq 952

access-list outside_access_in extended permit tcp any host 63.x.y.25 eq lotusnotes

access-list outside_access_in extended permit tcp any host 63.x.y.26 eq smtp

access-list outside_access_in extended permit tcp any host 63.x.y.25 eq www

access-list outside_access_in extended permit tcp any host 63.x.y.20 eq https

access-list outside_access_in extended permit tcp any host 63.x.y.10 eq https

access-list outside_access_out extended permit ip any any

access-list inside_nat0_outside extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list Split_T extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0


I've also added matching static commands:

static (inside,outside) tcp interface 951 192.168.200.2 951 netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.27 952 192.168.200.2 952 netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.25 lotusnotes 192.168.200.12 lotusnotes netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.26 smtp 192.168.200.6 smtp netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.25 www 192.168.200.12 www netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.20 https 192.168.42.200 https netmask 255.255.255.255

access-group outside_access_in in interface outside


After adding those I can still telnet to ports 951/952.

When I change the test machine to 192.168.200.12 and try to test port 80 or port 25, it does not connect.

I've checked the ARP records (sh arp) on the ASA and it does show 192.168.200.12.

I can access the ASA (telnet) and the internet from the test machine.

Any ideas?





I also had 2 problems configuring the static maps:

One of my services uses a range of ports (200-210).

Do I have to type in each port separately?

I got the following error when I used the same internal IP/port combination for different real IPs:

ERROR: duplicate of existing static

TCP inside:192.168.42.200/443 to outside:63.x.y.20/443 netmask 255.255.255.255
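
Added example (not from this thread or from Cisco): a small Python checker that parses the static and access-list lines above and reports the conflict the ASA rejects (one inside IP/port mapped behind two global IPs), statics with no permitting ACE, and ACEs with no matching static. It assumes the outside interface address is 63.x.y.26, so the `tcp interface 951` static lines up with the `host 63.x.y.26 eq 951` ACE; the service names resolve to their standard port numbers.

```python
import re

# Service names the ASA accepts in place of port numbers (standard values)
NAMED_PORTS = {"smtp": 25, "www": 80, "https": 443, "lotusnotes": 1352}
STATIC_RE = re.compile(r"static \(\S+,\S+\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACE_RE = re.compile(r"access-list \S+ extended permit tcp any host (\S+) eq (\S+)")


def port(tok):
    # Resolve a numeric or named port token to an integer
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def audit(config, outside_if_ip):
    # Cross-check static PAT entries against the inbound ACL; return findings
    statics, permitted, findings = [], set(), []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            gip, gport, lip, lport = m.groups()
            # 'static ... tcp interface <port>' uses the outside interface address
            if gip == "interface":
                gip = outside_if_ip
            statics.append(((gip, port(gport)), (lip, port(lport))))
        elif m := ACE_RE.match(line):
            permitted.add((m.group(1), port(m.group(2))))
    first_map = {}
    for glob, loc in statics:
        # Same inside IP/port behind a second global IP: the ASA rejects this
        if loc in first_map and first_map[loc] != glob:
            findings.append(f"duplicate static: {loc[0]}/{loc[1]} already mapped to {first_map[loc][0]}/{first_map[loc][1]}")
        first_map.setdefault(loc, glob)
        if glob not in permitted:
            findings.append(f"static {glob[0]}/{glob[1]} has no permitting ACE")
    mapped = {glob for glob, _ in statics}
    for glob in sorted(permitted - mapped):
        findings.append(f"ACE permits {glob[0]}/{glob[1]} but no static maps it")
    return findings


# Constructed sample: a subset of the thread's lines plus the rejected second mapping
SAMPLE = """
access-list outside_access_in extended permit tcp any host 63.x.y.26 eq 951
access-list outside_access_in extended permit tcp any host 63.x.y.25 eq www
access-list outside_access_in extended permit tcp any host 63.x.y.20 eq https
access-list outside_access_in extended permit tcp any host 63.x.y.10 eq https
static (inside,outside) tcp interface 951 192.168.200.2 951 netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.25 www 192.168.200.12 www netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.20 https 192.168.42.200 https netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.21 https 192.168.42.200 https netmask 255.255.255.255
"""
FINDINGS = audit(SAMPLE, outside_if_ip="63.x.y.26")  # interface address is an assumption
```

Running it on the sample reports the duplicate for 63.x.y.21, that the 63.x.y.21 static has no ACE, and that the 63.x.y.10 eq https ACE has no static behind it.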

acomiskey Thu, 07/31/2008 - 07:47

A configuration like this is not possible...


static (inside,outside) tcp 63.x.y.20 https 192.168.42.200 https netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.21 https 192.168.42.200 https netmask 255.255.255.255


acomiskey Thu, 07/31/2008 - 07:45

I would recommend you remove the following from your acl.


no access-list outside_access_out extended permit ip any any


Did you try a "clear xlate" after the change to .12?

acomiskey Thu, 07/31/2008 - 08:03

Sorry, just realized it is a different acl, outside_access_out.

I've been playing more and found something interesting:

When the test machine is changed to 192.168.200.12, port 1352 (lotusnotes) is accessible from outside,

but port 80 is not; it is going to my production firewall, which uses a totally different IP:

HTTP/1.1 400 Bad Request ( The data is invalid. )

Via: 1.1 ProductionFirewall

Connection: close

Proxy-Connection: close

Pragma: no-cache

Cache-Control: no-cache

Content-Type: text/html

Content-Length: 1946


Weird...

Now I guess ports 80 & 443, just like smtp, have their own different behavior.

husycisco Thu, 07/31/2008 - 11:48

Hello Ofir,

I assume IIS (or whatever web server you are using) is affected by the IP change. Restarting the relevant IIS services after changing the IP on the test machine would be helpful.

Also try running "clear local-host all" on the firewall after static changes.


Regards
