Access to hosts from outside

lubosbella
Level 1

Hello,

I want to enable access from the internet (Outside) to a server at IP address 192.168.100.30 on port 22, located behind the Inside interface.

We have an ASA 5520 running Cisco Adaptive Security Appliance Software Version 8.0(2).

My config (only relevant lines):

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 172.146.147.1 255.255.255.248 standby 172.146.147.2
!
interface GigabitEthernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2
.
.
access-list Inside_access_in extended permit ip host 192.168.100.30 any
access-list Inside_access_in extended deny ip any any
.
.
access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
access-list Outside_access_in extended deny ip any any
.
.
global (Outside) 1 172.146.147.11 netmask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.1.33.0 255.255.255.0
nat (Inside) 1 10.1.34.0 255.255.255.0
nat (Inside) 1 10.1.35.0 255.255.255.0
nat (Inside) 1 10.1.36.0 255.255.255.0
nat (Inside) 1 10.1.39.0 255.255.255.0
nat (Inside) 1 10.1.41.0 255.255.255.0
nat (Inside) 1 10.1.42.0 255.255.255.0
nat (Inside) 1 10.1.44.0 255.255.255.0
nat (Inside) 1 10.1.99.0 255.255.255.0
nat (Inside) 1 10.40.2.0 255.255.255.0
nat (Inside) 1 10.40.24.0 255.255.255.0
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Inside) 1 192.168.250.0 255.255.255.0
nat (Inside) 1 192.168.96.0 255.255.248.0
static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1
route Inside 10.0.0.0 255.0.0.0 192.168.200.1 1
route Outside 172.16.101.72 255.255.255.252 195.146.147.14 1
route Inside 192.168.0.0 255.255.0.0 192.168.200.1 1
.
.

When I type telnet 172.146.147.15 22 from the public internet I can't open port 22.... so I don't know: is something missing or wrong?

Thanks.

Accepted Solution

Below is your Outside interface config:

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12

You are using 255.255.255.248 as the subnet mask, which makes 172.146.147.15 your broadcast address. That being said, you won't be able to access it. You need to use a different address in that range. The available addresses are 172.146.147.9 to 172.146.147.14.

regards,

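As an added example (not part of the thread or of any Cisco tool), a small Python check for the two things this thread turned on: a static PAT whose global address is the broadcast, network, interface or standby address of the Outside subnet, and an inbound ACL whose host address does not match the static. The config text is a constructed sample built from the question, and the regexes are minimal matchers for that sample, not a general ASA parser.

```python
import ipaddress
import re

# Constructed sample: the Outside interface from the question plus the corrected
# ACL and static PAT lines the poster confirmed (both using .15).
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255
"""

# Minimal line matchers for this illustration, not a full ASA config parser.
IFACE_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?", re.M)
STATIC_RE = re.compile(r"^static \(\S+,\S+\) tcp (\S+) \S+ (\S+) \S+", re.M)
ACL_RE = re.compile(r"^access-list \S+ extended permit tcp any host (\S+) eq \S+", re.M)

def outside_subnet(config):
    """Interface subnet plus the addresses that can never serve as a NAT global."""
    ip, mask, standby = IFACE_RE.search(config).groups()
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    taken = {net.network_address: "network address",
             net.broadcast_address: "broadcast address",
             ipaddress.ip_address(ip): "interface address"}
    if standby:
        taken[ipaddress.ip_address(standby)] = "standby address"
    return net, taken

def check_static_pat(config):
    """One finding per static PAT whose global address cannot work as written."""
    net, taken = outside_subnet(config)
    acl_hosts = {ipaddress.ip_address(h) for h in ACL_RE.findall(config)}
    findings = []
    for gaddr, laddr in STATIC_RE.findall(config):
        g = ipaddress.ip_address(gaddr)
        if g in taken:  # .15 is the /29 broadcast: the ASA will never answer for it
            findings.append(f"{g} -> {laddr}: {taken[g]} of {net}")
        if g not in acl_hosts:  # first reply's point: ACL host must match the static
            findings.append(f"{g}: no inbound permit for this global address")
    return findings

def free_addresses(config):
    """Host addresses of the Outside subnet not used by the interface pair."""
    net, taken = outside_subnet(config)
    return [str(h) for h in net.hosts() if h not in taken]

print(check_static_pat(ASA_CONFIG), free_addresses(ASA_CONFIG))
```

Running it on the sample reports .15 as the broadcast address of 172.146.147.8/29 and lists .9, .10, .11 and .14 as the host addresses not consumed by the active/standby pair (the thread's answer of .9 to .14, minus the two interface addresses).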

8 Replies

Hi,

"access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh"

"static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255"

Unless this is a typo, the access-list has to be:

access-list Outside_access_in extended permit tcp any host 172.146.147.14 eq ssh (not 172.146.147.15)

Regards

Sorry, I copied a bad line....

The right statements are:

access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255

but this is not working....

Any other suggestion?

Thanks.

Do you have logging enabled? Using ASDM, you can trace the packet and see where the deny occurs.

No, logging is not enabled for now....

Maybe this can help:

access-list Outside_access_in line 7 extended permit tcp any host 172.146.147.15 eq ssh (hitcnt=0) 0xb6f77e86
access-list Inside_access_in line 29 extended permit ip host 192.168.100.30 any (hitcnt=77) 0x4db26635

show xlate:

PAT Global 172.146.147.15(22) Local 192.168.100.30(22)
PAT Global 172.146.147.11(30) Local 192.168.100.30(123)
PAT Global 172.146.147.11(34204) Local 10.1.44.51(52658)
....

Thanks

You are not hitting your PAT address. The hit count on 172.146.147.15 is zero.

regards,


Thank you very much... it's working ;).

I am glad to hear!!
