Nagaraja Thanthry Tue, 07/20/2010 - 20:49
User Badges:
  • Cisco Employee,

Hello,


Please try the config below:


object service Web
 service tcp source eq www

object service SecureWeb
 service tcp source eq https

object service SMTP
 service tcp source eq SMTP

object network out_1
 host 1.1.1.1

object network in_1
 host 192.168.11.2

object network in_2
 host 192.168.11.5

nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25


Hope this helps.


Regards,


NT

Allen P Chen Wed, 07/21/2010 - 00:02
User Badges:
  • Cisco Employee,

Will traffic from the DMZ be PAT'ed to the outside interface as well?  If so, you will need a corresponding NAT statement for this:


object network obj_10.0.0.0
 subnet 10.0.0.0 255.255.255.0
 nat (dmz,outside) dynamic interface


The above will allow all traffic from 10.0.0.0/24 behind the DMZ interface to be PAT'ed to the outside interface IP address (1.1.1.1) when making an outbound connection.


Hope this helps.

egrundlehner Thu, 07/22/2010 - 10:36

Thanks! I'm going to test this now. How do I allow a range of IPs to hit our firewall for PCI testing? A security company we use needs to be able to hit the firewall to test. In our Watchguard this was called an exception list.

Nagaraja Thanthry Thu, 07/22/2010 - 10:42
User Badges:
  • Cisco Employee,

Hello,


You can add entries to the outside access-list.


Access-list outside_access_in permit ip host any


Hope this helps.


Regards,


NT

Allen P Chen Thu, 07/22/2010 - 10:45
User Badges:
  • Cisco Employee,

Which internal hosts will the security company need to access, and on which ports?  If it needs to access the internal host 192.168.11.2 on ports 80,443 and host 192.168.11.5 on port 25, then the following commands provided by the previous poster should allow this:


nat (inside,outside) source static in_1 interface service Web Web
nat (inside,outside) source static in_1 interface service SecureWeb SecureWeb
nat (inside,outside) source static in_2 interface service SMTP SMTP

access-list outside_access_in permit tcp any interface outside eq 80
access-list outside_access_in permit tcp any interface outside eq 443
access-list outside_access_in permit tcp any interface outside eq 25

access-group outside_access_in in interface outside

egrundlehner Thu, 07/22/2010 - 11:01

They actually test against the firewall. So I'm assuming they just need ICMP on the outside interface turned on.

Allen P Chen Thu, 07/22/2010 - 11:52
User Badges:
  • Cisco Employee,

Can you try removing this line?


nat (inside,outside) source dynamic any interface


I think this NAT rule is taking precedence instead of the static PATs you've configured.  You can then configure dynamic PAT for inside hosts going out as follows:


object network obj_192.168.11.0
 subnet 192.168.11.0 255.255.255.0
 nat (inside,outside) dynamic interface


Issue "clear local-host" and try testing again.

egrundlehner Thu, 07/22/2010 - 11:59

Still does not work. This is what shows in the logs.


Can you call or email me off the boards



4 | Jul 22 2010 | 19:01:10 | 106023 | 208.85.196.73 | 2233 | 192.168.11.2 | 443 | Deny tcp src outside:1.1.1.1./2233 dst inside:192.168.11.2/443 by access-group "outside_access_in" [0x0, 0x0]

Allen P Chen Thu, 07/22/2010 - 11:59
User Badges:
  • Cisco Employee,

Also, 8.3 uses the real IP address in the ACLs, so please try changing the ACL as follows.  Sorry I missed it earlier:


no access-list outside_access_in extended permit tcp any interface outside eq www
no access-list outside_access_in extended permit tcp any interface outside eq https
no access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any host 192.168.11.2 eq www
access-list outside_access_in extended permit tcp any host 192.168.11.2 eq https
access-list outside_access_in extended permit tcp any host 192.168.11.5 eq smtp

access-group outside_access_in in interface outside
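Added illustration (not part of the thread or of any Cisco tool): a small Python checker that evaluates a 106023 deny message against the access-list the way ASA 8.3 does, i.e. against the real (untranslated) destination address, so you can see why the "interface outside" entries never matched the logged 192.168.11.2/443 flow while the host-based entries do. The deny text, ACL lines and the outside address 1.1.1.1 are taken from the thread; the function names and the ACE/port-name coverage are my own assumptions.

```python
import re

# Port keywords the thread uses in place of numbers (subset; assumption).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25}

# Permit ACEs of the shape used in the thread:
#   access-list NAME [extended] permit tcp any {interface IF | host A.B.C.D} eq PORT
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?permit\s+tcp\s+any\s+"
    r"(?:interface\s+(?P<iface>\S+)|host\s+(?P<host>\d+(?:\.\d+){3}))\s+eq\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Message text of a 106023 deny; on 8.3+ the dst shown is the REAL inside address.
DENY_RE = re.compile(
    r"Deny tcp src \w+:(?P<src>\d+(?:\.\d+){3})\.?/\d+ "
    r"dst \w+:(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
)

def port_number(token):
    return PORT_NAMES.get(token.lower()) or int(token)

def find_matching_ace(deny_line, config_lines, interface_ips):
    """Return the first ACE that permits the denied flow when evaluated the 8.3 way
    (against the real destination), or None. interface_ips maps an interface name to
    its address, so an ACE written as 'interface outside' is compared as that address."""
    m = DENY_RE.search(deny_line)
    if not m:
        raise ValueError("not a 106023 deny message: " + deny_line)
    for line in config_lines:
        ace = ACE_RE.match(line.strip())
        if not ace or ace["acl"] != m["acl"]:
            continue
        ace_dst = ace["host"] or interface_ips[ace["iface"].lower()]
        if ace_dst == m["dst"] and port_number(ace["port"]) == int(m["dport"]):
            return line.strip()
    return None

# Constructed sample data mirroring the thread; 1.1.1.1 is the outside interface address.
INTERFACE_IPS = {"outside": "1.1.1.1"}
DENY = ('%ASA-4-106023: Deny tcp src outside:1.1.1.1./2233 dst inside:192.168.11.2/443 '
        'by access-group "outside_access_in" [0x0, 0x0]')
OLD_ACL = [
    "access-list outside_access_in permit tcp any interface outside eq 80",
    "access-list outside_access_in permit tcp any interface outside eq 443",
    "access-list outside_access_in permit tcp any interface outside eq 25",
]
NEW_ACL = [
    "access-list outside_access_in extended permit tcp any host 192.168.11.2 eq www",
    "access-list outside_access_in extended permit tcp any host 192.168.11.2 eq https",
    "access-list outside_access_in extended permit tcp any host 192.168.11.5 eq smtp",
]

if __name__ == "__main__":
    print(find_matching_ace(DENY, OLD_ACL, INTERFACE_IPS))  # None: mapped address never equals the real 192.168.11.2
    print(find_matching_ace(DENY, NEW_ACL, INTERFACE_IPS))  # the 'host 192.168.11.2 eq https' ACE
```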
