ASA 5505 Basic config - Myths, Lies but no Videotapes
Okay two issues. I should have reported partial success.
Issue 1. Cisco lies. ACLs are NOT performed before NAT. Or more accurately, they don't mention UNNAT.
I have a port translation in NAT for one set of external clients that can use port 80 at corporate but not the desired port of 5080 at the private server behind the ASA 5505 (single public WAN IP). So I ACL ruled port 80 for them but not 5080 (no requirement, right, as NAT is done after ACL). WRONG EFFING WRONG. I had no success with that server for them until this morning when I added... you guessed it, port 5080 to the ACL rule. Checking packet tracer, an UNNAT process takes place before the ACL, switching the ports, the bugger.
So the moral is the router is frigging with NAT before the ACL rule.
In any case I now have all servers seemingly firing on all cylinders. This is based strictly on rudimentary logging in by a number of users but not much functionality. So it remains to be seen.
Issue 2. One particular service port is a pain to switch from source to destination or vice versa, UNLIKE all my other service ports. I do not know why, and here is the error message received.
object service TFS [ERROR] service tcp destination eq 8080 Object is used in IPv6 access-list outside_access_in. Can't change IP to IPv4. ERROR: object (TFS) updation failed due to internal error
Now I checked in ACLs and everywhere else. I have no IPv6 anywhere. So WTF, over. I was able to change the name of the service object, then change the port number, which let me create a new service object which I then had to insert into the ACL rules, and then could delete the now old one. Any geniuses out there that can explain that one?
Issue 3. (Just checking to see if anyone noticed I said 2 above, LOL.) The whole discussion for static NAT and service port definition. They would NOT work when I chose source and they WORK when I select destination. (They also did not work when I had both source and destination selected in service ports.) So on one hand there are the experts saying "oh lads, you have to put in source, it seems backwards but please do...." and on the other hand you have two facts: one, my setup works with them in destination, and EVERY DEFAULT service object uses destination.
Conclusion: too many docs, videos, blogs, discussions, forums, and only a vague sense of unease is my reward.
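What the post observes in Issue 1 and Issue 3 is how ASA 8.3 and later behave: the outside ACL is evaluated against the real (post-UNNAT) destination address and port, and an object-NAT port translation is written as real port first, mapped port second. The following is an added illustration, not the poster's config; the object names, the 10.0.0.5 host, and the client subnet are constructed placeholders, and the single public address is the outside interface IP, as on the poster's 5505.

```cisco
! Added example (assumed ASA 8.3+ object NAT syntax), not the original poster's configuration.
object network WEB_SERVER
 host 10.0.0.5
 ! real port 5080 on the inside, presented as port 80 on the single public (interface) IP
 nat (inside,outside) static interface service tcp 5080 80

object-group network EXT_CLIENTS
 ! constructed placeholder for the set of external clients that may reach the server
 network-object 203.0.113.0 255.255.255.0

! WRONG (matches the pre-8.3 mental model): permits the mapped port, never matches
! because UNNAT has already rewritten the destination to 10.0.0.5:5080.
! access-list outside_access_in extended permit tcp object-group EXT_CLIENTS object WEB_SERVER eq 80

! CORRECT: the ACL sees the real address and real port after UNNAT, so permit 5080.
access-list outside_access_in extended permit tcp object-group EXT_CLIENTS object WEB_SERVER eq 5080
access-group outside_access_in in interface outside
```

Verify the order of operations with `packet-tracer input outside tcp 203.0.113.10 12345 <outside-interface-ip> 80`, which shows the UN-NAT phase before the ACCESS-LIST phase and the destination already rewritten to 10.0.0.5/5080.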