inbound access on ASA 5505

Farrukh Haroon Fri, 08/08/2008 - 06:08

Please change your static from:


static (outside,inside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255


To:


static (inside,outside) tcp ......


Please rate if helpful.


Regards


Farrukh

I changed the nat to:


static (inside,outside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255


Which seems backwards to me, but I'll try anything at this point. The traffic is still not making it through. For clarification since they're both private addresses, the 10.10.10.3 address is the outside interface of the ASA and the 192.168.100.93 is the machine I'm trying to get to. Thanks.


Brian

Jon Marshall Fri, 08/08/2008 - 06:27

Brian


Change static statement to


static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255


The static statements do indeed seem backwards - one of the PIX/ASA idiosyncrasies.


Jon

Farrukh Haroon Fri, 08/08/2008 - 06:55

Yup I forgot to mention you have to swap the IPs as well. The Static command is like a sandwich :)


static (inside,outside) outside-ip inside-ip


'inside' is the bread :) and the 'outside' is the filling inside it.


Regards


Farrukh

Still the same result, not getting through. I don't put much faith in the packet trace program in the ASDM, but no matter which way I've configured the NAT it always shows the packet as being blocked by the implicit deny on the outside interface. Shouldn't the allow rule right above it fire and allow the packet through?

Jon Marshall Fri, 08/08/2008 - 07:00

You need to change your access-list from


access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403


to


access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403


Jon

Jon Marshall Fri, 08/08/2008 - 07:24

Config looks good. Just to clarify


You are on a machine on the outside of your ASA and you are trying to access the machine


10.10.10.3 on port 3403


Is the above correct ?


Also you may need to clear your xlate table as you have changed your static translations


"clear xlate"


will clear translations. This will clear all existing connections, so don't run it if there is a lot of other traffic going through your firewall, but it doesn't look like that from your ASDM graphic.


You can specify the exact xlate if needed.


Jon

Jon Marshall Fri, 08/08/2008 - 07:34

But you are NATting 192.168.100.93 to 10.10.10.3.


So when you try and connect to the internal machine from outside you need to try and connect to


10.10.10.3 on port 3403.


If you want to be able to connect directly to 192.168.100.93 then we need to change your config again.


Jon

I think originally I was NATting 10.10.10.3 to 192.168.100.93. What I need to do is if a packet hits 10.10.10.3:3403 it needs to be NATted and passed to 192.168.100.93:3403. I think the config would be:


static (inside,outside)10.10.10.3 3403 192.168.100.93 3403 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403

access-group outside_access_in in interface outside


That static NAT throws a "global address overlaps with mask" error though. At one point I had the above commands in but with the IPs in the static reversed (192 then 10); that NAT was accepted, but I still couldn't get through. Since it's confusing with two private addresses: the 192 is the machine on the inside and the 10.10.10.3 is the eth0 interface of the ASA.

Jon Marshall Fri, 08/08/2008 - 07:51

static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255


access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403


access-group outside_access_in in interface outside


then


"clear xlate"


Then you need to try and connect to 10.10.10.3 3403 from outside.


Jon
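
The two rules this thread converges on (the static reads `static (real_ifc,mapped_ifc) mapped_ip real_ip`, and the inbound ACL on the outside interface must permit the mapped address, which is the interface address when the static uses the `interface` keyword) can be checked mechanically before a `clear xlate`. The linter below is an added example written for this page; it is not Cisco code and not from anyone in the thread. It parses the pre-8.3 `static`, `access-list` and `access-group` syntax used here, and assumes an interface-address map (`{"outside": "10.10.10.3"}`, taken from the thread) as input. The sample configs are constructed from the thread's attempts. ASA 8.3 and later replaced this NAT syntax and evaluate interface ACLs against the real address, so the check applies only to the pre-8.3 form shown above.

```python
"""Lint a pre-8.3 ASA/PIX port publish: 'static' direction plus the inbound ACL.
Added example for this thread, not Cisco code."""
import re
from typing import Dict, List

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port] real_ip [real_port] [netmask M]
STATIC_RE = re.compile(
    rf"^static \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) (?:(?P<proto>tcp|udp) )?"
    rf"(?P<mapped_ip>interface|{IP}) (?:(?P<mapped_port>\d+) )?(?P<real_ip>{IP})"
    rf"(?: (?P<real_port>\d+))?(?: netmask {IP})?$"
)
# access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
ACL_RE = re.compile(
    rf"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>any|host {IP}) (?P<dst>any|host {IP}|interface \w+)(?: eq (?P<port>\d+))?$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<ifc>\w+)$")


def _permits(e: dict, s: dict, mapped_ip: str, ifc: str, uses_ifc_addr: bool) -> bool:
    """True when ACL entry e admits traffic to the mapped address/port of static s."""
    if e["action"] != "permit":
        return False
    if s["proto"] and e["proto"] not in ("ip", s["proto"]):
        return False
    dst_ok = e["dst"] in ("any", f"host {mapped_ip}") or (
        uses_ifc_addr and e["dst"] == f"interface {ifc}"  # 'interface outside' form
    )
    port_ok = e["port"] is None or s["mapped_port"] is None or e["port"] == s["mapped_port"]
    return dst_ok and port_ok


def lint_inbound_publish(config: str, interface_ips: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means the publish looks consistent."""
    statics, acls, groups, findings = [], [], {}, []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse whitespace so the regexes can use single spaces
        if not line:
            continue
        if m := STATIC_RE.match(line):
            statics.append(m.groupdict())
        elif m := ACL_RE.match(line):
            acls.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            groups[m.group("ifc")] = m.group("name")
        elif line.startswith(("static ", "access-list ", "access-group ")):
            findings.append(f"could not parse: {line}")

    for s in statics:
        if s["real_ifc"] == "outside":  # the thread's first mistake: interfaces swapped
            findings.append(
                f"static ({s['real_ifc']},{s['mapped_ifc']}) is reversed: to publish an inside "
                "host the real interface is 'inside' and the mapped interface is 'outside'"
            )
            continue
        ifc = s["mapped_ifc"]
        mapped_ip = interface_ips[ifc] if s["mapped_ip"] == "interface" else s["mapped_ip"]
        uses_ifc_addr = mapped_ip == interface_ips.get(ifc)
        acl_name = groups.get(ifc)
        if acl_name is None:
            findings.append(f"no access-group applied inbound on interface {ifc}")
            continue
        entries = [e for e in acls if e["name"] == acl_name]
        if not any(_permits(e, s, mapped_ip, ifc, uses_ifc_addr) for e in entries):
            port = f" port {s['mapped_port']}" if s["mapped_port"] else ""
            findings.append(f"{acl_name} has no permit for mapped address {mapped_ip}{port}")
        for e in entries:  # the thread's second mistake: ACL written against the inside host
            if e["dst"] == f"host {s['real_ip']}":
                findings.append(
                    f"{acl_name} matches the real address {s['real_ip']}, but an inbound ACL on "
                    f"{ifc} is evaluated against the mapped address {mapped_ip} (pre-8.3 behaviour)"
                )
    return findings


# Assumed from the thread: 10.10.10.3 is the ASA's outside interface address.
IFC_IPS = {"outside": "10.10.10.3"}

# Constructed samples tracing the thread: first attempt, static fixed only, final form.
ORIGINAL = """
static (outside,inside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403
access-group outside_access_in in interface outside
"""
HALFWAY = ORIGINAL.replace("static (outside,inside) tcp 192.168.100.93 3403 10.10.10.3 3403",
                           "static (inside,outside) tcp interface 3403 192.168.100.93 3403")
FIXED = HALFWAY.replace("host 192.168.100.93", "host 10.10.10.3")

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("halfway", HALFWAY), ("fixed", FIXED)):
        print(label, lint_inbound_publish(cfg, IFC_IPS) or "ok")
```

Running it reports the reversed static for the first attempt, then "no permit for mapped address 10.10.10.3 port 3403" plus the real-address warning once only the static is corrected, and nothing for Jon's final form; the `interface outside` ACL variant from later in the thread also passes because it resolves to the same interface address.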

JORGE RODRIGUEZ Fri, 08/08/2008 - 07:33

ACL should have worked as suggested by others


try this, which should also work


no access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403

access-list outside_access_in extended permit tcp any interface outside eq 3403


make sure server is listening on that 3403 port.


[edit]

Change the static NAT as Jon had suggested and make corrections to the ACL I provided; it does work this way.


static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255




Anonymous (not verified) Fri, 08/08/2008 - 23:05

You have a route for the outside interface:

route outside 0.0.0.0 0.0.0.0 10.10.10.3 1


Configure a route for your inside interface also.


Regards

Muksip
