07-22-2013 02:43 PM - edited 03-11-2019 07:15 PM
I have an extended access-list rule that is #1 in position on the external access list
access-list acl-outside line 1 extended permit tcp host x.x.x.x host a.b.c.d eq 5723
access-list acl-outside line 2 extended permit tcp host x.x.x.y host a.b.c.e eq 5723
but when I telnet from x.x.x.x to a.b.c.d on port 5723
it does not listen or respond.
Internally I verified that the port is listening on the host.
The internal IP is NATed to the external IP a.b.c.d.
Any idea?
07-22-2013 02:49 PM
Hi,
Well, the first thing to do would be to use the "packet-tracer" to check what it says would happen to such a connection
packet-tracer input outside tcp x.x.x.x 12345 a.b.c.d 5723
This should tell us if all the configurations are ok. For example that we are matching the correct NAT configuration and ACL rule.
If everything seems fine (share the output) then you should probably test the connection from the external network and monitor the syslogs and check that you see the Building and Teardown messages of the TCP connection. Furthermore look at what the termination reason of the connection is in the Teardown message.
There could be several reasons the connection isn't coming up even though the firewall configurations are ok.
One "last" option is of course to take a traffic capture on the ASA and confirm if the traffic is heading to the host and if anything is coming back while the TCP connection is being formed.
- Jouni
07-22-2013 03:00 PM
packet-tracer input outside tcp x.x.x.x 12345 a.b.c.d 5723
12345 is the source port of the source IP? I don't know what the source port will be.
07-22-2013 03:03 PM
Hi,
You don't really need to know the source port. The source port is irrelevant. As you see, you have not defined any specific source port in the ACL, so any source port is allowed. The port 12345 is just an example source port, as the simulated connection/packet needs to have one.
- Jouni
07-22-2013 03:09 PM
I ran the packet tracer and came up with this result
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
07-22-2013 03:12 PM
Hi,
It would be good to see the full output of the command.
But if that is all that can be seen, then it would seem to point out that the ASA configurations are fine and the problem is somewhere else.
The next thing would be to look at the ASA logs while attempting the connection. ASDM would probably be the easiest way if you have not set up a Syslog server to which the ASA sends the logs.
- Jouni
07-22-2013 02:51 PM
So you are running a version lower than 8.3, right?
Remember that after 8.3 you now point to the private IP addresses of the devices.
To be sure this is not a FW issue
capture capout interface outside match tcp host x.x.x.x host a.b.c.d_public eq 5723
capture capin interface inside match tcp host x.x.x.x host a.b.c.d_Private eq 5723
Then try to connect once and share
show cap capout
show cap capin
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-22-2013 03:01 PM
capture capout interface outside match tcp host x.x.x.x host a.b.c.d_public eq 5723
When I do this it says incomplete command:
Hostname or A.B.C.D Destination IP address
any Abbreviation for destination address and mask of 0.0.0.0
0.0.0.0
host Use this keyword to configure destination host
07-22-2013 04:14 PM
I did both captures and there are no packets captured
show capture capout
0 packet captured
0 packet shown
show capture capin
0 packet captured
0 packet shown
07-22-2013 04:19 PM
Hi,
Either the capture was configured with incorrect IP addresses or there was simply no traffic from the public/external network that ever reached the ASA.
- Jouni
07-22-2013 04:21 PM
I initiated the traffic from x.x.x.x with a telnet public_ip 5723
but there was no response.
I am able to ping the IP from x.x.x.x.
07-22-2013 04:31 PM
If you generate the traffic and you do not see anything on the capture, then as Jouni said, traffic is not getting to the ASA; it's being blocked somewhere else.
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-22-2013 04:42 PM
how do I find out the telnet connection from the source to the destination from the logs?
07-22-2013 04:43 PM
Do
show logging | include x.x.x.x (Source IP address)
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-22-2013 04:45 PM
Hi,
I would probably start by logging into the ASDM management and go to the Monitoring sections and open logging. Then you could attempt the connections and see if any connection attempts are getting denied.
Since you already configured a packet capture and we got no hits, that would mean that either the capture was configured with the wrong IP addresses or simply no traffic reached your ASA.
Since you say that ICMP works it would seem more likely to me that the traffic might be coming from a different source IP address than the one configured in the ACL rules perhaps?
- Jouni
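Jouni's advice above was to watch the syslog for the Built and Teardown messages of the TCP connection and read the termination reason, and Julio's to filter "show logging" by source IP. The following is an added example, not from any of the posters, that does that correlation offline over constructed ASA syslog lines: 203.0.113.10 stands in for the external host x.x.x.x and 198.51.100.20 for the public NAT address a.b.c.d; the message formats (302013, 302014, 106023) are the standard ASA ones.

```python
import re

# Constructed sample ASA syslog lines (not from the original thread).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.10/51000 (203.0.113.10/51000) to inside:10.1.1.5/5723 (198.51.100.20/5723)
%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/51000 to inside:10.1.1.5/5723 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-4-106023: Deny tcp src outside:203.0.113.77/52000 dst inside:198.51.100.20/5723 by access-group "acl-outside" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 4712 for outside:203.0.113.10/51001 (203.0.113.10/51001) to inside:10.1.1.5/22 (198.51.100.20/22)
"""

# Built message: real destination plus the mapped (public) address in parentheses.
BUILT = re.compile(r"%ASA-6-302013: Built (?P<dir>\w+) TCP connection (?P<id>\d+) for "
                   r"\w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
                   r"\w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/\d+\)")
# Teardown message: the trailing text is the termination reason Jouni refers to.
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for "
                      r"\w+:(?P<src>[\d.]+)/\d+ to \w+:[\d.]+/\d+ duration (?P<dur>\S+) "
                      r"bytes (?P<bytes>\d+) (?P<reason>.+)$")
# ACL deny: kept for any source, to spot traffic arriving from an unexpected IP.
DENY = re.compile(r'%ASA-4-106023: Deny tcp src \w+:(?P<src>[\d.]+)/\d+ dst '
                  r'\w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def track_connections(log_text, src_ip, dport):
    """Correlate Built/Teardown messages for src_ip -> dport by connection id,
    attaching the teardown reason and byte count, and collect ACL denies to
    that port from any source."""
    built, denies = {}, []
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m and m["src"] == src_ip and m["dport"] == dport:
            built[m["id"]] = {"mapped_dst": m["mapped"], "real_dst": m["dst"], "reason": None}
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in built:
            built[m["id"]].update(reason=m["reason"].strip(), bytes=int(m["bytes"]))
            continue
        m = DENY.search(line)
        if m and m["dport"] == dport:
            denies.append({"src": m["src"], "dst": m["dst"], "acl": m["acl"]})
    return {"built": built, "denies": denies}


if __name__ == "__main__":
    result = track_connections(SAMPLE_LOG, "203.0.113.10", "5723")
    for cid, info in result["built"].items():
        print(f"conn {cid}: {info['real_dst']} (mapped {info['mapped_dst']}) -> {info['reason']}")
    for d in result["denies"]:
        print(f"denied: {d['src']} -> {d['dst']} by ACL {d['acl']}")
```

A connection that is built but torn down with 0 bytes and a reset from the inside (Reset-I) points at the server, while a 106023 deny from a source other than the one in the ACL matches Jouni's last suspicion.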