inbound access on ASA 5505

Farrukh Haroon Fri, 08/08/2008 - 06:08

Please change your static from:

static (outside,inside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255

To:

static (inside,outside) tcp ......

Please rate if helpful.

Regards

Farrukh

I changed the nat to:

static (inside,outside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255

Which seems backwards to me, but I'll try anything at this point. The traffic is still not making it through. For clarification since they're both private addresses, the 10.10.10.3 address is the outside interface of the ASA and the 192.168.100.93 is the machine I'm trying to get to. Thanks.

Brian

Jon Marshall Fri, 08/08/2008 - 06:27

Brian

Change static statement to

static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255

The static statements do indeed seem backwards - one of the PIX/ASA idiosyncrasies.

Jon

Farrukh Haroon Fri, 08/08/2008 - 06:55

Yup, I forgot to mention you have to swap the IPs as well. The static command is like a sandwich :)

static (inside,outside) outside-ip inside-ip

'inside' is the bread :) and the 'outside' is the filling inside it.

Regards

Farrukh

Still the same result, not getting through. I don't put much faith in the packet trace program in the ASDM, but no matter which way I've configured the NAT it always shows the packet as being blocked by the implicit deny on the outside interface. Shouldn't the allow rule right above it fire and allow the packet through?

Jon Marshall Fri, 08/08/2008 - 07:00

You need to change your access-list from

access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403

to

access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403

Jon

Jon Marshall Fri, 08/08/2008 - 07:24

Config looks good. Just to clarify:

You are on a machine on the outside of your ASA and you are trying to access the machine 10.10.10.3 on port 3403.

Is the above correct?

Also you may need to clear your xlate table as you have changed your static translations

"clear xlate"

will clear translations. This will clear all existing connections, so don't run it if there is a lot of other traffic going through your firewall, but it doesn't look like that from your ASDM graphic.

You can specify the exact xlate if needed.

Jon

Jon Marshall Fri, 08/08/2008 - 07:34

But you are NATing 192.168.100.93 to 10.10.10.3.

So when you try and connect to the internal machine from outside you need to try and connect to

10.10.10.3 on port 3403.

If you want to be able to connect directly to 192.168.100.93 then we need to change your config again.

Jon

I think originally I was NATing 10.10.10.3 to 192.168.100.93. What I need to do is: if a packet hits 10.10.10.3:3403 it needs to be NATed and passed to 192.168.100.93:3403. I think the config would be:

static (inside,outside) 10.10.10.3 3403 192.168.100.93 3403 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403

access-group outside_access_in in interface outside

That static NAT throws a "global address overlaps with mask" error though. At one point I had the above commands in but with the IPs in the static reversed (192 then 10); that NAT was accepted, but I still couldn't get through. Since it's confusing with 2 private addresses: the 192 is the machine on the inside and the 10.10.10.3 is the eth0 interface of the ASA.

Jon Marshall Fri, 08/08/2008 - 07:51

static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403

access-group outside_access_in in interface outside

then

"clear xlate"

Then you need to try and connect to 10.10.10.3 3403 from outside.

Jon
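As an added illustration (not code from any poster in this thread), the following Python lint encodes the pre-8.3 ASA rules the thread converges on: the real interface comes first in `static (real,mapped)`, the outside interface address is referenced with the `interface` keyword rather than literally, and an inbound ACL must match the mapped (global) address, not the real inside host. The two embedded config snippets are constructed from the thread; `outside_ip` is assumed to be 10.10.10.3.

```python
import re

# Pre-8.3 ASA syntax as quoted in the thread (8.3+ changed both NAT syntax and ACL semantics):
#   static (real_ifc,mapped_ifc) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port> netmask <mask>
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) tcp "
    r"(?P<mapped>\S+) (?P<mapped_port>\d+) (?P<real>\S+) (?P<real_port>\d+) netmask \S+$"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp any "
    r"(?:host (?P<host>\S+)|interface (?P<ifc>\w+)) eq (?P<port>\d+)$"
)

def lint(config, outside_ip):
    """Return findings for the static/ACL pairs in a pre-8.3 ASA config snippet."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    statics = [m.groupdict() for m in map(STATIC_RE.match, lines) if m]
    acls = [m.groupdict() for m in map(ACL_RE.match, lines) if m]
    findings = []
    for s in statics:
        if (s["real_ifc"], s["mapped_ifc"]) == ("outside", "inside"):
            findings.append("static is (outside,inside); the real interface comes first: (inside,outside)")
        if s["mapped"] == outside_ip:
            findings.append("static maps to the outside address literally; use the 'interface' keyword "
                            "(a literal interface address gives 'global address overlaps with mask')")
        if s["real"] == outside_ip:
            findings.append("static uses the ASA outside address as the real host; swap the two addresses")
        mapped = outside_ip if s["mapped"] == "interface" else s["mapped"]
        for a in acls:
            if a["port"] == s["mapped_port"] and a["host"] == s["real"]:
                findings.append(f"ACL {a['name']} permits the real address {a['host']}; pre-8.3 inbound "
                                f"ACLs must reference the mapped address {mapped} (or 'interface outside')")
    return findings

# Constructed snippets taken from the thread: the starting point and the final working config.
THREAD_START = """
static (outside,inside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403
"""
THREAD_FINAL = """
static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for name, cfg in (("start", THREAD_START), ("final", THREAD_FINAL)):
        print(name, lint(cfg, "10.10.10.3") or ["OK"])
```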

JORGE RODRIGUEZ Fri, 08/08/2008 - 07:33

The ACL should have worked as suggested by others.

Try this, which should also work:

no access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403

access-list outside_access_in extended permit tcp any interface outside eq 3403

Make sure the server is listening on port 3403.

[edit]

Change the static NAT as Jon had suggested and make the corrections to the ACL I provided; it does work this way.

static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255

Anonymous (not verified) Fri, 08/08/2008 - 23:05

You have a route for the outside interface:

route outside 0.0.0.0 0.0.0.0 10.10.10.3 1

Configure a route for your inside interface also.

Regards

Muksip

Anonymous (not verified) Fri, 08/08/2008 - 23:08
