Access to hosts from outside

Answered Question
Jan 21st, 2009
Hello,


I want to enable access to a server at IP address 192.168.100.30 on port 22, located on the inside interface, from the internet (outside).

We have an ASA 5520 running Cisco Adaptive Security Appliance Software Version 8.0(2).




My config (only relevant lines):

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 172.146.147.1 255.255.255.248 standby 172.146.147.2
!
interface GigabitEthernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2
.
.
access-list Inside_access_in extended permit ip 192.168.100.30 any
access-list Inside_access_in extended deny ip any any
.
.
access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
access-list Outside_access_in extended deny ip any any
.
.
global (Outside) 1 172.146.147.11 netmask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.1.33.0 255.255.255.0
nat (Inside) 1 10.1.34.0 255.255.255.0
nat (Inside) 1 10.1.35.0 255.255.255.0
nat (Inside) 1 10.1.36.0 255.255.255.0
nat (Inside) 1 10.1.39.0 255.255.255.0
nat (Inside) 1 10.1.41.0 255.255.255.0
nat (Inside) 1 10.1.42.0 255.255.255.0
nat (Inside) 1 10.1.44.0 255.255.255.0
nat (Inside) 1 10.1.99.0 255.255.255.0
nat (Inside) 1 10.40.2.0 255.255.255.0
nat (Inside) 1 10.40.24.0 255.255.255.0
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Inside) 1 192.168.250.0 255.255.255.0
nat (Inside) 1 192.168.96.0 255.255.248.0
static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1
route Inside 10.0.0.0 255.0.0.0 192.168.200.1 1
route Outside 172.16.101.72 255.255.255.252 195.146.147.14 1
route Inside 192.168.0.0 255.255.0.0 192.168.200.1 1
.
.



When I type telnet 172.146.147.15 22 from the public internet I can't open port 22... so I don't know: is something missing or wrong?


Thanks.

Mo'ath Al Rawashdeh Wed, 01/21/2009 - 07:58

Hi,


"access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh"


"static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255"


Unless this is a typo, the access-list has to be:


access-list Outside_access_in extended permit tcp any host 172.146.147.14 eq ssh (not 172.146.147.15)



Regards



lubosbella Wed, 01/21/2009 - 11:51

Sorry, I copied a bad line....


The right statements are:


access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh


static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255


but this is not working ....


Any other suggestion?


Thanks.


Tshi M Wed, 01/21/2009 - 12:12

Do you have logging enabled? Using ASDM, you can trace the packet and see where the deny occurs.

lubosbella Wed, 01/21/2009 - 13:25

No, logging is not enabled for now....

Maybe this can help:


access-list Outside_access_in line 7 extended permit tcp any host 172.146.147.15 eq ssh (hitcnt=0) 0xb6f77e86
access-list Inside_access_in line 29 extended permit ip host 192.168.100.30 any (hitcnt=77) 0x4db26635

show xlate:

PAT Global 172.146.147.15(22) Local 192.168.100.30(22)
PAT Global 172.146.147.11(30) Local 192.168.100.30(123)
PAT Global 172.146.147.11(34204) Local 10.1.44.51(52658)
....

Thanks



Tshi M Wed, 01/21/2009 - 13:29

You are not hitting your PAT address. The hit count on 172.146.147.15 is zero.


regards,

Correct Answer
Tshi M Wed, 01/21/2009 - 13:46

Below is your outside interface config:

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12

You are using 255.255.255.248 as the subnet mask, which makes 172.146.147.15 your broadcast address. That being said, you won't be able to access it. You need to use a different address in that range. The available addresses are 172.146.147.9 to 172.146.147.14.


regards,
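Added example, not from the thread or from Cisco: the subnet arithmetic behind this answer in Python, using the interface, global PAT and route lines from the posted config. It goes a step beyond the answer by also excluding addresses the config already consumes on that /29 (the PAT global .11, the standby .12, the interface .13 and the default-route next hop .14), so only addresses genuinely free for a static translation are listed.

```python
import ipaddress

# Outside interface as posted: 172.146.147.13 255.255.255.248 -> 172.146.147.8/29
OUTSIDE_IFACE = ipaddress.ip_interface("172.146.147.13/255.255.255.248")

# Addresses on that /29 already used elsewhere in the posted config
ASSIGNED = {
    "172.146.147.11": "global (Outside) 1 PAT pool",
    "172.146.147.12": "outside standby address",
    "172.146.147.13": "outside interface address",
    "172.146.147.14": "default route next hop (route Outside 0.0.0.0 0.0.0.0 172.146.147.14)",
}


def check_static_address(candidate, iface=OUTSIDE_IFACE, assigned=ASSIGNED):
    """Classify a candidate mapped address for a static (Inside,Outside) entry.

    Returns one of: "ok", "network", "broadcast", "outside-subnet",
    or "in-use:<what the config already uses it for>".
    """
    addr = ipaddress.ip_address(candidate)
    net = iface.network
    if addr not in net:
        return "outside-subnet"          # not reachable via this interface's subnet
    if addr == net.network_address:
        return "network"                 # .8 here: network address, never usable
    if addr == net.broadcast_address:
        return "broadcast"               # .15 here: the bug in the thread
    if candidate in assigned:
        return "in-use:" + assigned[candidate]
    return "ok"


def free_addresses(iface=OUTSIDE_IFACE, assigned=ASSIGNED):
    """List host addresses on the interface subnet not used by the config."""
    return [str(h) for h in iface.network.hosts()
            if check_static_address(str(h), iface, assigned) == "ok"]


if __name__ == "__main__":
    for cand in ("172.146.147.15", "172.146.147.14", "172.146.147.9"):
        print(cand, "->", check_static_address(cand))
    print("free for static:", free_addresses())
```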

Tshi M Thu, 01/22/2009 - 04:45

I am glad to hear!!
