08-13-2008 12:11 PM - edited 03-11-2019 06:31 AM
I am trying to grant access from the Internet to one single IP address, but have 3 port forwarders; for some reason I cannot open these ports from the Internet. Here's what I mean:
Here are the ACLs to open the ports:
access-list outside_incoming extended permit tcp any host 216.a.b.c eq smtp
access-list outside_incoming extended permit tcp any host 216.a.b.c eq https
access-list outside_incoming extended permit tcp any host 216.a.b.c eq www
Here are the static nats:
static (inside,outside) tcp 216.a.b.c www 10.20.4.161 www netmask 255.255.255.255
static (inside,outside) tcp 216.a.b.c https 10.20.4.161 https netmask 255.255.255.255
static (dmz,outside) tcp 216.a.b.c smtp 172.20.0.35 smtp netmask 255.255.255.255
Here's the access-group:
access-group outside_incoming in interface outside
But when I telnet to port 25, 80, 443 from the Internet on 216.a.b.c I cannot open that port.
Any idea?
08-13-2008 12:17 PM
Is 216.a.b.c your outside interface address? If so then you must use the "interface" keyword in your statics.
static (inside,outside) tcp interface www 10.20.4.161 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.20.4.161 https netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 172.20.0.35 smtp netmask 255.255.255.255
08-13-2008 12:29 PM
Yes, 216.a.b.c is my public Internet IP address.
In your static nat example, where is the public address? Note that 216.a.b.c is not the PAT'd address and not the outside interface IP address, it is a dedicated address for this port forwarding.
So I don't think putting "interface" will do the trick. I am pretty confident that the config I have is correct, but for some reason it is not working.
Here's an example online, it's the same as what I have:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
The question still remains: why can I not open the 3 ports from the Internet?
Note that I can open the ports from the private/internal address, so I know the services are running.
08-13-2008 12:31 PM
I asked "if 216.a.b.c was your outside interface address". Since it is not, then yes, the interface keyword is not your solution.
Try a show xlate and make sure the translations are there.
08-14-2008 05:50 AM
Still no luck.
I ran a capture on the firewall:
access-list testt permit tcp any host 216.a.b.c eq 25
capture rontestt access-list testt interface outside
Here is some of the output I am seeing from the capture:
show cap rontestt
22: 19:20:17.741462 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535
23: 19:20:18.483266 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535
24: 19:20:18.484121 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948308 win 65300
I am not sure if the output of the capture is saying some outside/Internet IP address was able to open port 25 on 216.a.b.c or simply attempted to open the port. What I do know is that when I try to telnet to port 25 from the Internet (or port 80 or 443) I am unable to open the port.
It is worth noting that I can ping 216.a.b.c from the Internet, so it looks like the static NAT is working to some extent, but I am unable to open the three ports.
Is there another way to determine the root cause of this issue in addition to "capture"?
I have posted the config in the first message of this thread. Again, I followed the same example as here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
Any idea why this is not working?
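Added example (not from the thread or from Cisco): a small Python parser for "show capture" lines in the format quoted above, counting SYN, SYN-ACK, ACK and RST per flow so that a one-directional capture ACL (the testt ACL above only matches packets sent to 216.a.b.c, never the replies) is not misread as a completed connection. The sample lines are constructed in the thread's format; the client/server split by port number is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's "show capture" format (tcpdump-style flags:
# S = SYN, "." = no SYN/FIN/RST, a following "ack" token means ACK is set).
SAMPLE_CAPTURE = """\
22: 19:20:17.741462 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535
23: 19:20:18.483266 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535
24: 19:20:18.484121 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948308 win 65300
"""

LINE_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+)\s+>\s+(\S+):\s+(\S+)(.*)$")

def split_endpoint(ep):
    host, port = ep.rsplit(".", 1)  # also handles placeholder hosts like 216.a.b.c
    return host, int(port)

def parse_capture(text):
    """Return {(client, server): flag counts}; the lower port is taken as the service."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags, rest = m.groups()
        src, dst = split_endpoint(src), split_endpoint(dst)
        client, server = (src, dst) if src[1] > dst[1] else (dst, src)
        f = flows[(client, server)]
        has_ack = "ack" in rest.split()
        if "S" in flags and has_ack:
            f["synack"] += 1
        elif "S" in flags:
            f["syn"] += 1
        elif "R" in flags:
            f["rst"] += 1
        elif has_ack:
            f["ack"] += 1
    return flows

def diagnose(flow):
    if flow["syn"] and flow["synack"]:
        return "handshake visible: SYN and SYN-ACK both seen on this interface"
    if flow["syn"] and flow["rst"]:
        return "SYN answered with RST: the port was reached but refused"
    if flow["syn"]:
        return "SYN seen but no SYN-ACK: nothing replied, or the capture ACL matches one direction only"
    if flow["ack"]:
        return "only ACKs seen: session predates the capture or is one-sided; this does not prove the port opened"
    return "no TCP flags classified"
```

Run diagnose() on each flow returned by parse_capture(); for the quoted lines it reports only ACKs, which is why the capture alone cannot tell whether port 25 was opened. To see both directions, the capture ACL needs a second line matching traffic from host 216.a.b.c as well.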