02-25-2009 02:25 AM - edited 03-11-2019 07:56 AM
Hi,
I want to allow incoming traffic on port 444 to be NATed to an internal host. I also want to allow this traffic using an ACL. Seems fairly simple, but I can't figure it out.
The important part of my config:
xxx.xxx.xxx.xxx is my external IP address.
: Saved
:
ASA Version 7.2(3)
!
hostname x
domain-name x
enable password x
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.xxx 444 192.168.100.16 444 netmask 255.255.255.255
access-group outside_access_in in interface outside
02-25-2009 03:08 AM
Traffic coming from outside will not have both the src and dst port set to 444, so your acl will not work -
access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444
Assuming you are talking about traffic coming in with a destination port of 444, which you then want to send to your internal server 192.168.100.16, change the acl line to -
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444
Jon
02-25-2009 03:12 AM
Your ACL is wrong: you are using a source port of 444. It will be anything from 1024-65535.
Change the acl to:-
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444
HTH>
02-25-2009 03:16 AM
And I always find it useful, when I am using the IP address of the outside interface, to configure the acl & nat to use it, like:-
access-list outside_access_in extended permit tcp any interface outside eq telnet
static (inside,outside) tcp interface 23 192.168.100.16 23 netmask 255.255.255.255
HTH>
02-25-2009 07:06 AM
I changed the ACL to:
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444
But the problem still remains. Is there something wrong with my NAT rule perhaps?
02-25-2009 07:09 AM
Post your current nat rule.
Also try a clear xlate, then re-test.
02-25-2009 07:09 AM
Forget my last post. I got it.