Cisco PIX506E VNC Port redirection

Answered Question
Apr 26th, 2010

Hi

I would like to ask your help in configuring Cisco Pix506e.

I have created the ACL and static translations for 5900 port, but when I want to connect with VNCViewer to the Server behind the PIX, I get the 10060 (timeout) error.

The network scenario is a little tricky (reversed?), because I want to separate a little laboratory network from our office network.

inside IP: 10.242.2.17 (to Office network)

outside IP: 192.168.0.1 (to Laboratory network)

I would like to make 4 port forwarding rules that permit office users to connect to the LAB PCs' VNC servers behind the firewall.

e.g:

from 10.242.2.0 subnet to 192.168.0.10, 192.168.0.11, 192.168.0.12 etc. (with different VNC ports like 5900,5901,5902)

Debugging log says (when I try to connect from my office computer's VNC Viewer to the LAB computer's VNC server):

710005 : TCP request discarded from 10.242.3.170/5113 to inside 10.242.2.17/5900

here is the running config:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password iEh/IbgaUI6/OKSa encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

names
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 eq 5900 interface outside eq 5900 log 7
pager lines 24
logging on
logging timestamp
logging trap debugging
logging facility 23
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.0
ip address inside 10.242.2.17 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.242.3.170 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
static (inside,outside) tcp 192.168.0.10 5900 10.242.3.170 5900 netmask 255.255.255.255 0 0
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.242.2.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.242.2.18-10.242.3.17 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:c66469cfe0e28e0aa7af6e3ac316120b
: end

Jennifer Halim Tue, 04/27/2010 - 03:02

From the requirement, it seems that you would like to port forward the outside (lab) host instead of the inside host.

The static NAT configuration that you have configured is to port forward the inside host (10.242.3.170).

To port forward the destination, you would need to configure the following:

static (inside,outside) 10.242.2.0 10.242.2.0 netmask 255.255.254.0

static (outside,inside) tcp 10.242.3.170 5900 192.168.0.10 5900 netmask 255.255.255.255

access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 host 10.242.3.170 eq 5900

From your inside host, you would need to VNC to the inside address of 10.242.3.170.

One question to you: do you have a requirement to perform port redirection? Because from your configuration, you are using the same port, ie: 5900, not redirecting to a different port. Can you not directly access the lab host on each port? What port is each VNC server listening on?

Peter Herczeg Tue, 04/27/2010 - 03:15

Thank you for your quick reply.

I will try the commands you advised soon.

I would need the redirection of VNC ports, because our users need "fixed" VNC connection details for each computer.

from office network (10.242.2.0 netmask 255.255.254.0) users should connect to LAB1 PC via 5900, LAB2 PC via 5901, LAB3 PC via 5902, etc...

that's why I need redirection, using the ports to identify the different PCs

or is there other (and more secure) solution?

thanks

Jennifer Halim Tue, 04/27/2010 - 03:20

I assume that each VNC server already listens on those different port, ie: 5900, 5901, 5902, etc..

From your inside host, are you going to directly access the corresponding port, or will they always access one specific port and, depending on which server they are trying to reach, it will automatically port forward it to the respective port?

Sorry, I do not quite understand what you are trying to achieve.

Peter Herczeg Tue, 04/27/2010 - 04:11

sorry for being confusing...

I try to achieve that office network users could choose which LAB PC they want to connect to.

I create 4 different "saved" VNC connection icons, one for each computer, which store the connecting port.

if they always access one port (5900) from the inside network, how would PIX know which user wants to connect to which server (5901,5902,5093)?

at their computers I cannot set fixed IPs, so what kind of ACL or Translation rule would make the connection successful?

thanks for your patience that's my first meeting with a cisco firewall...

by the way, how do you mean this:

"From your inside host, you would need to VNC to the inside address of 10.242.3.170."

the PC with the IP above is my computer which I use for testing.

if I want to connect to an outside host (192.168.0.10 via outside interface 192.168.0.1) I should use 10.242.2.17:5900 from my computer, shall I?

I think PIX should build the session when a TCP 5900 request arrives from the inside network with my PC's IP, and the firewall forwards it to 192.168.0.10 via the outside interface.

Is this correct?

Jennifer Halim Tue, 04/27/2010 - 05:32

In that case, I wouldn't worry about the port redirection static nat statement.

Just configure the following:

static (inside,outside) 10.242.2.0 10.242.2.0 netmask 255.255.254.0

access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 host 192.168.0.10 eq 5900

On the icon that you configure for each PC, you would need to configure the real ip address of the host, ie: 192.168.0.10.

You can configure access-list to allow the rest of the VNC server and ports.

Peter Herczeg Tue, 04/27/2010 - 06:13

I have executed the commands you wrote, but no luck:(

I have no idea what could be wrong.

when I try to connect from my inside network with the address 192.168.0.10, VNC doesn't find that network, and returns with 10051 (illegal software channel operation on a non existing network)

but if I try to use VNC pointed to the inside interface 10.242.2.17, the packet reaches the PIX, but it discards it with the same message that I wrote above (710005)

It is strange, why does the PIX interface change the TCP port of my VNC request?

or does our central Cisco 2600 change the packet?

in my case, is there a need for routing commands on the PIX or the Cisco router?

thanks again

Correct Answer
Jennifer Halim Tue, 04/27/2010 - 06:16

Is PIX the default gateway for your internal host? Is the internal host default gateway 10.242.2.17?

If there is another internal router, then you would need to configure route on the router to route 192.168.0.0/24 towards the PIX inside interface (10.242.2.17).

Peter Herczeg Tue, 04/27/2010 - 06:31

ouch... new problems

we have an MC3800 gateway and an internal router, and unfortunately I don't have access to them...:(

but I have access to a 6509 L3 Switch.

is it possible to make this switch do the routing functions, and not let the port number of the VNC packets change?

Peter Herczeg Wed, 04/28/2010 - 01:23

I could manage adding routes on our central router, and it solved the problem!

Thanks for your help, without your instructions I would still be searching for the mistake at the PIX only...

Best regards,

Peter

Peter Herczeg Thu, 05/27/2010 - 02:01

hi

I did not want to open a new thread, but I would have one more question.

Meanwhile we noticed that users logged in via VPN cannot use the 192.168.... addresses to connect to PCs behind the firewall.

I think VPN routers or firewalls block this request.

Is there any config modification at the PIX which allows users to connect to its inside interface with different ports?

I mean, instead of using 192.168.0.10:5900, they use 10.242.2.17:5900 which is redirected to 192.168.0.10:5900?

thanks for your help

Peter

Federico Coto F... Thu, 05/27/2010 - 03:03

Peter,

In that case you will need to do NAT.

Let's say that you want the VPN clients to access the host 192.168.0.10 with IP 10.242.2.17

In this case, you can have a statement like:

static (in,out) 10.242.2.17 192.168.0.10

You will need to remove 192.168.0.10 from the NAT exemption rule (when destined to the VPN pool).

If you need more information let us know.

Federico.

Peter Herczeg Thu, 05/27/2010 - 05:37

Thanks for your quick reply, but it's more complicated...

VPN clients don't connect to the network via this firewall, they "come from" 10.70...

and the second trick is that behind the firewall there are 4-5 computers that must be reached by different VNC ports.

for example:

user connects to VPN, and if he connects VNC viewer to 10.242.2.17:5900 then he connects to PC0 192.168.0.10:5900

or to connect to PC1 he wants to use 10.242.2.17:5901 and then connects to 192.168.0.11:5901, etc...

is it clear what I want to achieve?

Thanks

Federico Coto F... Thu, 05/27/2010 - 05:45

Peter,

Is this what you're trying to accomplish?

static (in,out) tcp 10.242.2.17 5900 192.168.0.10 5900
static (in,out) tcp 10.242.2.17 5901 192.168.0.11 5901
static (in,out) tcp 10.242.2.17 590x 192.168.0.1x 590x

In this way:

Traffic to 10.242.2.17 on TCP port 5900 will be forwarded by the PIX to 192.168.0.10 to port 5900

Traffic to 10.242.2.17 on TCP port 5901 will be forwarded by the PIX to 192.168.0.11 to port 5901

Traffic to 10.242.2.17 on TCP port 590x will be forwarded by the PIX to 192.168.0.1x to port 590x

Federico.

Peter Herczeg Thu, 05/27/2010 - 06:07

Yes, this is the "mission"

I have tested the modification you wrote on PC0 (192.168.0.1:5900), but VNC gives a connection refused (10061) error message.

here is actual config:

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.13 LAB3
name 192.168.0.12 LAB2
name 192.168.0.11 LAB1
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5900
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5901
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5902
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5903
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5904
access-list inside_access_in permit tcp 10.70.0.0 255.255.240.0 192.168.0.0 255.255.255.0 range 5900 5904
access-list outside_access_in permit tcp host 192.168.0.10 eq 5900 10.242.2.0 255.255.254.0 eq 5900
access-list outside_access_in permit tcp host LAB1 eq 5901 10.242.2.0 255.255.254.0 eq 5901
access-list outside_access_in permit tcp host LAB2 eq 5902 10.242.2.0 255.255.254.0 eq 5902
access-list outside_access_in permit tcp host LAB3 eq 5903 10.242.2.0 255.255.254.0 eq 5903
access-list outside_access_in permit tcp host LAB3 eq 5903 10.242.2.0 255.255.254.0 eq 5904
pager lines 24
logging on
logging timestamp
logging trap debugging
logging facility 23
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.0
ip address inside 10.242.2.17 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.242.3.170 255.255.255.255 inside
pdm location 192.168.0.10 255.255.255.255 outside
pdm location LAB1 255.255.255.255 outside
pdm location LAB2 255.255.255.255 outside
pdm location LAB3 255.255.255.255 outside
pdm location 10.70.0.0 255.255.240.0 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
static (inside,outside) tcp 10.242.2.17 5900 192.168.0.10 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.242.2.0 255.255.254.0 inside
http 10.70.0.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 10.242.2.18-10.242.3.17 inside
dhcpd lease 3600
dhcpd ping_timeout 750

what mistakes have I made?

thanks

Federico Coto F... Thu, 05/27/2010 - 06:21

You still have not entered the static rules:

static (in,out) tcp 10.242.2.17 5900 192.168.0.10 5900
static (in,out) tcp 10.242.2.17 5901 192.168.0.11 5901
static (in,out) tcp 10.242.2.17 590x 192.168.0.1x 590x

Check the ''sh run static''

You should see the above lines (changing the ''x'' with the correct number)...

Federico.

Peter Herczeg Fri, 05/28/2010 - 02:40

I have entered the static rules you wrote, but no success. If I try to connect to 10.242.2.17:5900 (which should be translated to 192.168.0.10:5900), the log says

710005: TCP request discarded from 10.242.3.170/2557 to inside 10.242.2.17/5900

(10.242.3.170 is the IP of my computer, in the same network as the inside interface)

fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.13 LAB3
name 192.168.0.12 LAB2
name 192.168.0.11 LAB1
name 192.168.0.10 LAB0
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5900
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5901
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5902
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5903
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 192.168.0.0 255.255.255.0 eq 5904
access-list inside_access_in permit tcp 10.70.0.0 255.255.240.0 192.168.0.0 255.255.255.0 range 5900 5904
access-list inside_access_in permit tcp 10.242.2.0 255.255.254.0 host 10.242.2.17 eq 5900
access-list outside_access_in permit tcp host LAB0 eq 5900 10.242.2.0 255.255.254.0 eq 5900
access-list outside_access_in permit tcp host LAB1 eq 5901 10.242.2.0 255.255.254.0 eq 5901
access-list outside_access_in permit tcp host LAB2 eq 5902 10.242.2.0 255.255.254.0 eq 5902
access-list outside_access_in permit tcp host LAB3 eq 5903 10.242.2.0 255.255.254.0 eq 5903
pager lines 24
logging on
logging timestamp
logging trap debugging
logging facility 23
mtu outside 1500
mtu inside 1500
ip address outside 192.168.0.1 255.255.255.0
ip address inside 10.242.2.17 255.255.254.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.242.3.170 255.255.255.255 inside
pdm location LAB0 255.255.255.255 outside
pdm location LAB1 255.255.255.255 outside
pdm location LAB2 255.255.255.255 outside
pdm location LAB3 255.255.255.255 outside
pdm location 10.70.0.0 255.255.240.0 inside
pdm location 0.0.0.0 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.255 inside
pdm location LAB0 255.255.255.255 inside
pdm location LAB1 255.255.255.255 inside
pdm location LAB2 255.255.255.255 inside
pdm location LAB3 255.255.255.255 inside
pdm location 192.168.0.14 255.255.255.255 inside
pdm location 192.168.0.0 255.255.254.0 inside
pdm location 192.168.0.14 255.255.255.255 outside
pdm location 10.242.2.17 255.255.255.255 outside
pdm location 10.242.2.0 255.255.255.0 outside
pdm logging debugging 100
pdm history enable
arp timeout 14400
static (inside,outside) tcp 10.242.2.17 5901 LAB1 5901 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.242.2.17 5902 LAB2 5902 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.242.2.17 5903 LAB3 5903 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.242.2.17 5900 LAB0 5900 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.242.2.0 255.255.254.0 inside
http 10.70.0.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750

What else could be wrong?

thanks

Federico Coto F... Fri, 05/28/2010 - 12:54

I see your problem Peter...

Your internal network is 10.242.2.0/23

Your outside network is 192.168.0.0/24

You are connecting from 10.242.3.170 which is on the inside network.

So, if you try to connect to 10.242.2.17 from 10.242.3.170 that connection should not go through the ASA.

Both source and destination IPs are on the same network segment.

The only time that 10.242.3.170 will go through the ASA is when trying to ''talk'' to another network segment (reachable via the ASA).

I thought that you were trying the connection from ''outside'' the ASA (it should work this way).

Why are you attempting this connection to go through the ASA?

Federico.

Peter Herczeg Sat, 05/29/2010 - 07:03

I am trying to connect through the ASA because this is not a usual network topology.

The inside network is an office network, the outside network is a Process Control network in a Laboratory.

As the LAB computers are not under my control and administration (updates, AD names, group policy, antivirus, etc...) I have to separate them from the office network with this firewall.

The reason I need to be able to connect to the outside is that some users want to monitor the LAB PCs from the office network via VNC.

Locally it works, because if I write 192.168.0.10:5900 into my VNC viewer, the connection is built up, because our local Cisco gateway routes the packets to this network.

But these users need to be able to connect via a VPN connection, and that's why I should configure the PIX to accept connections with address 10.242.2.17:5900 / 5901 / 5902, etc...

Is it possible?

Federico Coto F... Sat, 05/29/2010 - 08:48

Peter,

Reviewing your configuration, this is what you need then

clear configure access-list inside_access_in
clear configure static
static (outside,inside) tcp 10.242.2.17 5901 LAB1 5901 netmask 255.255.255.255 0 0
static (outside,inside) tcp 10.242.2.17 5902 LAB2 5902 netmask 255.255.255.255 0 0
static (outside,inside) tcp 10.242.2.17 5903 LAB3 5903 netmask 255.255.255.255 0 0
static (outside,inside) tcp 10.242.2.17 5900 LAB0 5900 netmask 255.255.255.255 0 0

In this way, from the inside network you can reach the LABx devices with the IP 10.242.2.17
and based on the port it will be redirected accordingly.

Try this...

Federico.

Peter Herczeg Sun, 05/30/2010 - 23:19

Federico,

I have cleared the config as you wrote, but no success.

I still get the discard messages in PIX log.

Federico Coto F... Mon, 05/31/2010 - 08:03

Peter,

Please post your current

sh run static

sh run access-list

sh run access-group

sh run ip

Federico.

Peter Herczeg Tue, 06/01/2010 - 05:56

sh static

static (outside,inside) tcp 10.242.2.17 5901 192.168.0.11 5901 netmask 255.255.255.255 0 0
static (outside,inside) tcp 10.242.2.17 5902 192.168.0.12 5902 netmask 255.255.255.255 0 0
static (outside,inside) tcp 10.242.2.17 5903 192.168.0.13 5903 netmask 255.255.255.255 0 0
static (outside,inside) tcp 10.242.2.17 5900 192.168.0.10 5900 netmask 255.255.255.255 0 0

sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 permit tcp host 192.168.0.10 eq 5900 10.242.2.0 255.255.254.0 eq 5900 (hitcnt=0)
access-list outside_access_in line 2 permit tcp host 192.168.0.11 eq 5901 10.242.2.0 255.255.254.0 eq 5901 (hitcnt=0)
access-list outside_access_in line 3 permit tcp host 192.168.0.12 eq 5902 10.242.2.0 255.255.254.0 eq 5902 (hitcnt=0)
access-list outside_access_in line 4 permit tcp host 192.168.0.13 eq 5903 10.242.2.0 255.255.254.0 eq 5903 (hitcnt=0)

sh access-group

access-group outside_access_in in interface outside

sh ip

System IP Addresses:
        ip address outside 192.168.0.1 255.255.255.0
        ip address inside 10.242.2.17 255.255.254.0
Current IP Addresses:
        ip address outside 192.168.0.1 255.255.255.0
        ip address inside 10.242.2.17 255.255.254.0

Best regards

Peter

Federico Coto F... Tue, 06/01/2010 - 07:06

Peter,

It is an unusual situation.
You're trying to access servers on the outside side of the ASA through the inside interface, and those servers have to be statically NATed and redirected via ports.

So, we have tried this configuration:

static (outside,inside) tcp 10.242.2.17 5901 192.168.0.11 5901
static (outside,inside) tcp 10.242.2.17 5902 192.168.0.12 5902
static (outside,inside) tcp 10.242.2.17 5903 192.168.0.13 5903
static (outside,inside) tcp 10.242.2.17 5900 192.168.0.10 5900

This will allow the 192.168.0.x server to be seen as 10.242.2.17 from the inside side.
You can only reach those servers on the specified ports.
There is no ACL applied to the inside interface, so all traffic should be permitted.

I will suggest as a next step to enable logs and do a Packet Tracer test.

To enable logs do the following:

logging on
logging buffered 7
show log

Capture the output of the logs when attempting the connection.
To turn off the logs do ''no logging on''

Then, do a Packet tracer from ASDM or CLI to check the path of the connection.

Federico.
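As an added example (it is not from this thread or from Cisco), a small Python checker that parses the name, static and access-list lines in the PIX 6.3 syntax used above, answers which lab host a connection to 10.242.2.17 on a given port is mapped to, and flags two slips of the kind seen in the posted configs: a mapped address/port reused by two statics, and an ACL line whose two fixed ports disagree (like the LAB3 5903/5904 line in the earlier config). The sample config is constructed from the thread's posts; the extra LAB2 static is added so that the duplicate check has something to report.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple
Static = NamedTuple("Static", [("real_if", str), ("mapped_if", str), ("mapped_ip", str),
                               ("mapped_port", int), ("real_ip", str), ("real_port", int)])
# src/dst read "host A" or "NET MASK"; port ranges are inclusive, ANY_PORT when unspecified
AclEntry = NamedTuple("AclEntry", [("acl", str), ("src", str), ("src_ports", Tuple[int, int]),
                                   ("dst", str), ("dst_ports", Tuple[int, int])])
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+) netmask")
ANY_PORT = (0, 65535)
# Constructed sample built from the configs posted in this thread; the last static is
# added here on purpose (it is not from the thread) so the duplicate check has a hit.
SAMPLE = """\
name 192.168.0.13 LAB3
name 192.168.0.12 LAB2
name 192.168.0.10 LAB0
access-list outside_access_in permit tcp host LAB0 eq 5900 10.242.2.0 255.255.254.0 eq 5900
access-list outside_access_in permit tcp host LAB3 eq 5903 10.242.2.0 255.255.254.0 eq 5904
access-list inside_access_in permit tcp 10.70.0.0 255.255.240.0 192.168.0.0 255.255.255.0 range 5900 5904
static (outside,inside) tcp 10.242.2.17 5900 LAB0 5900 netmask 255.255.255.255 0 0
static (outside,inside) tcp 10.242.2.17 5903 LAB3 5903 netmask 255.255.255.255 0 0
static (outside,inside) tcp 10.242.2.17 5900 LAB2 5900 netmask 255.255.255.255 0 0
"""

def _addr(tokens: List[str], names: Dict[str, str]) -> Tuple[str, Tuple[int, int]]:
    """Consume one address spec ("host X" or "NET MASK") plus an optional eq/range port spec."""
    kind = tokens.pop(0)
    if kind == "host":
        h = tokens.pop(0)
        spec = "host " + names.get(h, h)                     # `name` aliases resolve to IPs
    else:
        spec = names.get(kind, kind) + " " + tokens.pop(0)   # network followed by its mask
    ports = ANY_PORT
    if tokens and tokens[0] == "eq":
        ports = (int(tokens[1]), int(tokens[1]))
        del tokens[:2]
    elif tokens and tokens[0] == "range":
        ports = (int(tokens[1]), int(tokens[2]))
        del tokens[:3]
    return spec, ports

def parse_config(text: str) -> Tuple[Dict[str, str], List[Static], List[AclEntry]]:
    """Collect name aliases, TCP port-redirection statics and TCP permit ACEs."""
    names, statics, acls = {}, [], []
    for line in text.splitlines():
        t = line.split() or [""]
        if t[0] == "name":                                   # `name <ip> <alias>`, listed before use
            names[t[2]] = t[1]
        elif t[0] == "static" and (m := STATIC_RE.match(line)):
            rif, mif, mip, mport, rip, rport = m.groups()    # static (real_if,mapped_if) mapped real
            statics.append(Static(rif, mif, names.get(mip, mip), int(mport),
                                  names.get(rip, rip), int(rport)))
        elif t[0] == "access-list" and t[2:4] == ["permit", "tcp"]:
            rest = t[4:]
            src, sp = _addr(rest, names)
            dst, dp = _addr(rest, names)
            acls.append(AclEntry(t[1], src, sp, dst, dp))
    return names, statics, acls

def resolve_mapped(statics: List[Static], iface: str, ip: str, port: int) -> Optional[Tuple[str, int]]:
    """Real host/port reached by a connection to ip:port that arrives on iface, or None."""
    return next(((s.real_ip, s.real_port) for s in statics
                 if (s.mapped_if, s.mapped_ip, s.mapped_port) == (iface, ip, port)), None)

def audit(statics: List[Static], acls: List[AclEntry]) -> List[str]:
    """Flag statics that reuse a mapped endpoint and ACEs whose two fixed ports disagree."""
    findings, seen = [], set()
    for s in statics:
        key = (s.mapped_if, s.mapped_ip, s.mapped_port)
        if key in seen:
            findings.append(f"duplicate static for {s.mapped_ip}:{s.mapped_port} on {s.mapped_if}")
        seen.add(key)
    for a in acls:
        if ANY_PORT not in (a.src_ports, a.dst_ports) and a.src_ports != a.dst_ports:
            findings.append(f"{a.acl}: {a.src} eq {a.src_ports[0]} vs {a.dst} eq {a.dst_ports[0]}")
    return findings
```

Run parse_config on the output of "sh run names", "sh run static" and "sh run access-list" pasted together, then audit the result before applying the rules to the firewall.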
