Cisco Support Community

New Member

Access to hosts from outside

Hello,

I want to enable access to a server with IP address 192.168.100.30 on port 22, located on the Inside interface, from the internet (Outside).

We have ASA 5520 Cisco Adaptive Security Appliance Software Version 8.0(2)

My config (only relevant lines):

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12

!

interface GigabitEthernet0/1

nameif DMZ

security-level 50

ip address 172.146.147.1 255.255.255.248 standby 172.146.147.2

!

interface GigabitEthernet0/3

nameif Inside

security-level 100

ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2

.

.

access-list Inside_access_in extended permit ip 192.168.100.30 any

access-list Inside_access_in extended deny ip any any

.

.

access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh

access-list Outside_access_in extended deny ip any any

.

.

global (Outside) 1 172.146.147.11 netmask 255.255.255.0

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 10.1.33.0 255.255.255.0

nat (Inside) 1 10.1.34.0 255.255.255.0

nat (Inside) 1 10.1.35.0 255.255.255.0

nat (Inside) 1 10.1.36.0 255.255.255.0

nat (Inside) 1 10.1.39.0 255.255.255.0

nat (Inside) 1 10.1.41.0 255.255.255.0

nat (Inside) 1 10.1.42.0 255.255.255.0

nat (Inside) 1 10.1.44.0 255.255.255.0

nat (Inside) 1 10.1.99.0 255.255.255.0

nat (Inside) 1 10.40.2.0 255.255.255.0

nat (Inside) 1 10.40.24.0 255.255.255.0

nat (Inside) 1 192.168.100.0 255.255.255.0

nat (Inside) 1 192.168.250.0 255.255.255.0

nat (Inside) 1 192.168.96.0 255.255.248.0

static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255

access-group Outside_access_in in interface Outside

access-group DMZ_access_in in interface DMZ

access-group Inside_access_in in interface Inside

route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1

route Inside 10.0.0.0 255.0.0.0 192.168.200.1 1

route Outside 172.16.101.72 255.255.255.252 195.146.147.14 1

route Inside 192.168.0.0 255.255.0.0 192.168.200.1 1

.

.

When I type telnet 172.146.147.15 22 from the public internet I can't open port 22.... so I don't know - is something missing or wrong?

Thanks.

1 ACCEPTED SOLUTION

Bronze

Re: Access to hosts from outside

below is your outside interface config

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12

You are using 255.255.255.248 as the subnet mask, which makes 172.146.147.15 your broadcast address. That being said, you won't be able to access it. You need to use a different address in that range. The available addresses are 172.146.147.9 to 172.146.147.14.

regards,
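An added check for the mistake diagnosed above (my code, not from the thread): it parses the posted interface, global, static and route lines and flags any mapped address that is the network or broadcast address of its interface subnet, falls outside that subnet, or collides with a route next hop on the same interface. The config text is reconstructed from the thread, with the corrected static line from the follow-up reply; the next-hop collision check goes beyond what the reply states (the default gateway 172.146.147.14 from the original post would trigger it).

```python
import ipaddress
import re
# Constructed sample: the relevant lines of the ASA config posted above,
# using the corrected static line from the follow-up reply.
ASA_CONFIG = """
interface GigabitEthernet0/0
 nameif Outside
 ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
global (Outside) 1 172.146.147.11 netmask 255.255.255.0
static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255
route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# global (IF) id ADDR ...  |  static (IN,OUT) [tcp|udp] ADDR ...
MAPPED = re.compile(r"^\s*(?:global \((\w+)\) \d+|static \(\w+,(\w+)\)(?: tcp| udp)?) " + IP, re.M)
ROUTE = re.compile(r"^\s*route (\w+) \S+ \S+ " + IP, re.M)


def interface_subnets(config):
    """Map each nameif to the subnet configured on that interface."""
    subnets, name = {}, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["nameif"]:
            name = parts[1]
        elif parts[:2] == ["ip", "address"] and name:
            subnets[name] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
    return subnets


def check_mapped_addresses(config):
    """Return [(address, problem)] for global/static mapped addresses that cannot work on the wire."""
    subnets = interface_subnets(config)
    hops = {}  # nameif -> set of route next-hop addresses on that interface
    for m in ROUTE.finditer(config):
        hops.setdefault(m.group(1), set()).add(m.group(2))
    problems = []
    for m in MAPPED.finditer(config):
        nameif, addr = m.group(1) or m.group(2), m.group(3)
        if nameif not in subnets:
            continue
        net, ip = subnets[nameif], ipaddress.ip_address(addr)
        if ip in (net.network_address, net.broadcast_address):
            problems.append((addr, f"network or broadcast address of {net}"))
        elif ip not in net:
            problems.append((addr, f"not inside {net}"))
        elif addr in hops.get(nameif, ()):
            problems.append((addr, f"collides with a route next hop on {nameif}"))
    return problems
```

Running it on the thread's config reports 172.146.147.15 as the broadcast address of 172.146.147.8/29, which is exactly the finding above.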

8 REPLIES

Re: Access to hosts from outside

Hi,

"access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh"

"static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255"

Unless this is a typo, the access-list has to be:

access-list Outside_access_in extended permit tcp any host 172.146.147.14 eq ssh (not 172.146.147.15)

Regards

New Member

Re: Access to hosts from outside

Sorry, I copied a bad line....

Right statements are:

access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh

static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255

but this is not working....

Any other suggestion?

Thank.

Bronze

Re: Access to hosts from outside

Do you have logging enabled? Using ASDM, you can trace the packet and see where the deny occurs.

New Member

Re: Access to hosts from outside

No, logging is not enabled for now....

Maybe this can help:

access-list Outside_access_in line 7 extended permit tcp any host 172.146.147.15 eq ssh (hitcnt=0) 0xb6f77e86

access-list Inside_access_in line 29 extended permit ip host 192.168.100.30 any (hitcnt=77) 0x4db26635

show xlate:

PAT Global 172.146.147.15(22) Local 192.168.100.30(22)

PAT Global 172.146.147.11(30) Local 192.168.100.30(123)

PAT Global 172.146.147.11(34204) Local 10.1.44.51(52658)

....

thank

Bronze

Re: Access to hosts from outside

You are not hitting your PAT address. The hit count on 172.146.147.15 is zero.

regards,


New Member

Re: Access to hosts from outside

Thank you very much... it's working ;).

Bronze

Re: Access to hosts from outside

I am glad to hear!!
