08-08-2008 05:51 AM - edited 03-11-2019 06:28 AM
I'm trying to configure external access to several different machines and no matter what I've tried the packet is blocked by the implicit deny rule on the outside interface. I've attached both the NAT and access rule screens as well as my running config. Thanks.
08-08-2008 06:08 AM
Please change your static from:
static (outside,inside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255
To:
static (inside,outside) tcp ......
Please rate if helpful.
Regards
Farrukh
08-08-2008 06:21 AM
I changed the nat to:
static (inside,outside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255
Which seems backwards to me, but I'll try anything at this point. The traffic is still not making it through. For clarification since they're both private addresses, the 10.10.10.3 address is the outside interface of the ASA and the 192.168.100.93 is the machine I'm trying to get to. Thanks.
Brian
08-08-2008 06:27 AM
Brian
Change static statement to
static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255
The static statements do indeed seem backwards - one of the PIX/ASA idiosyncrasies.
Jon
08-08-2008 06:55 AM
Yup, I forgot to mention you have to swap the IPs as well. The static command is like a sandwich :)
static (inside,outside) outside-ip inside-ip
'inside' is the bread :) and the 'outside' is the filling inside it.
Regards
Farrukh
08-08-2008 06:57 AM
Still the same result, not getting through. I don't put much faith in the packet trace program in the ASDM, but no matter which way I've configured the NAT it always shows the packet as being blocked by the implicit deny on the outside interface. Shouldn't the allow rule right above it fire and allow the packet through?
08-08-2008 07:00 AM
You need to change your access-list from
access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403
to
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403
Jon
08-08-2008 07:19 AM
08-08-2008 07:24 AM
Config looks good. Just to clarify:
You are on a machine on the outside of your ASA and you are trying to access the machine
10.10.10.3 on port 3403.
Is the above correct?
Also, you may need to clear your xlate table as you have changed your static translations:
"clear xlate"
will clear translations. This will clear all existing connections, so don't run it if there is a lot of other traffic going through your firewall, but it doesn't look like that from your ASDM graphic.
You can specify the exact xlate if needed.
Jon
08-08-2008 07:29 AM
No, the 10.10.10.3 is the OUTSIDE (Eth0) address of the ASA. The 192.168.100.93 is the machine inside the ASA and I'm trying to connect using 3403.
08-08-2008 07:34 AM
But you are NATing 192.168.100.93 to 10.10.10.3.
So when you try and connect to the internal machine from outside you need to try and connect to
10.10.10.3 on port 3403.
If you want to be able to connect directly to 192.168.100.93 then we need to change your config again.
Jon
08-08-2008 07:48 AM
I think originally I was natting 10.10.10.3 to 192.168.100.93. What I need to do is if a packet hits 10.10.10.3:3403 it needs to be natted and passed to 192.168.100.93:3403. I think the config would be:
static (inside,outside) 10.10.10.3 3403 192.168.100.93 3403 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403
access-group outside_access_in in interface outside
That static NAT throws a "global address overlaps with mask" error though. At one point I had the above commands in but with the IPs in the static reversed (192 then 10); that NAT was accepted, but I still couldn't get through. Since it's confusing with 2 private addresses: the 192 is the machine on the inside and the 10.10.10.3 is the eth0 interface of the ASA.
08-08-2008 07:51 AM
static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403
access-group outside_access_in in interface outside
then
"clear xlate"
Then you need to try and connect to 10.10.10.3 3403 from outside.
Jon
08-08-2008 07:33 AM
The ACL should have worked as suggested by others.
Try this, which should also work:
no access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403
access-list outside_access_in extended permit tcp any interface outside eq 3403
Make sure the server is listening on port 3403.
[edit]
Change the static NAT as Jon suggested and make the corrections on the ACL I provided; it does work this way.
static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255
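As an added illustration of the point Jon and the poster above make (this is not code from the thread or from Cisco): a small Python checker that parses the static and access-list lines quoted in this thread and flags its two mistakes, a static whose "real" operand is the ASA's own outside address, and an outside ACE that names the real inside host instead of the mapped address, which on pre-8.3 ASA code never matches because interface ACLs are evaluated against the address as it appears on the outside wire. It assumes the outside interface address 10.10.10.3 given in the thread and handles only the tcp/udp static and host/interface ACE forms used here.

```python
import re

# Assumption from the thread: the ASA's outside interface address.
INTERFACE_IPS = {"outside": "10.10.10.3"}

# static (real_if,mapped_if) tcp <mapped|interface> <mapped_port> <real> <real_port> ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?:tcp|udp) "
    r"(?P<mapped>\S+) (?P<mapped_port>\d+) (?P<real>\S+) (?P<real_port>\d+)"
)
# access-list <name> extended permit tcp <src> host <dst>|interface <if> eq <port>
ACL_RE = re.compile(
    r"^access-list \S+ extended permit (?:tcp|udp) (?:any|host \S+) "
    r"(?:host (?P<dst>\S+)|interface (?P<dst_if>\w+)) eq (?P<port>\d+)"
)

# Constructed samples, copied from the thread's posts.
ORIGINAL = [
    "static (outside,inside) tcp 192.168.100.93 3403 10.10.10.3 3403 netmask 255.255.255.255",
    "access-list outside_access_in extended permit tcp any host 192.168.100.93 eq 3403",
]
CORRECTED = [
    "static (inside,outside) tcp interface 3403 192.168.100.93 3403 netmask 255.255.255.255",
    "access-list outside_access_in extended permit tcp any host 10.10.10.3 eq 3403",
]


def parse_statics(lines):
    """Return (mapped_ip, mapped_port, real_ip, real_port) for each static line."""
    statics = []
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            mapped = m["mapped"]
            if mapped == "interface":  # keyword: the mapped interface's own address
                mapped = INTERFACE_IPS[m["mapped_if"]]
            statics.append((mapped, int(m["mapped_port"]), m["real"], int(m["real_port"])))
    return statics


def check_config(lines):
    """Explain why inbound traffic would still hit the implicit deny on a pre-8.3 ASA."""
    findings = []
    statics = parse_statics(lines)
    for _, _, real, _ in statics:
        if real in INTERFACE_IPS.values():
            findings.append(f"static real address {real} is the ASA's own interface IP; "
                            "operands look reversed (mapped address comes first)")
    mapped_keys = {(ip, port) for ip, port, _, _ in statics}
    real_keys = {(ip, port) for _, _, ip, port in statics}
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        dst = m["dst"] or INTERFACE_IPS[m["dst_if"]]
        key = (dst, int(m["port"]))
        if key in real_keys and key not in mapped_keys:
            findings.append(f"ACE permits real address {dst}:{key[1]}; pre-8.3 it must permit the mapped address")
        elif key not in mapped_keys:
            findings.append(f"ACE permits {dst}:{key[1]} but no static maps that address/port")
    return findings
```

Running `check_config(ORIGINAL)` reports the reversed static, `check_config(CORRECTED)` reports nothing, and pairing the corrected static with the old ACE to 192.168.100.93 reports the real-address mismatch that Jon's 07:00 post fixes.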
08-08-2008 11:05 PM
You have a route for the outside interface:
route outside 0.0.0.0 0.0.0.0 10.10.10.3 1
Configure a route for your inside interface also.
Regards
Muksip