03-03-2007 05:23 AM - edited 03-11-2019 02:41 AM
I have a single static IP and currently serve http, https, & SMTP (successfully) through PAT with a PIX 501.
I've tried every combination of Outside_in ACLs, even a permit any any, and incoming traffic is still blocked by ACL. The logged event is:
TCP access denied by ACL from 195.156.154.115/3359 to WAN:195.156.111.132/443
03-04-2007 11:39 AM
Is the ACL applied to an interface? For example, if your ACL is named inpackets, then you would need "access-group inpackets in interface outside".
03-05-2007 05:39 AM
Yes, it is applied to an interface:
"access-group WAN_access_in in interface WAN"
03-05-2007 05:35 AM
Having 2 static IPs, using a different one for port forwarding, all works fine.
03-06-2007 11:13 AM
What version of IOS are you running? I currently have this setup without any issues at all.
access-list 100 extended permit tcp any host X.X.X.X eq smtp
static (inside,outside) tcp interface smtp servers ip here smtp netmask 255.255.255.255
Applied to the interface
access-group 100 in interface outside
03-06-2007 01:56 PM
Hi,
I guess I am saying the same thing again.
For the access from outside to inside, you need the static:
static (inside,outside)
Let's say the internal IP address of the server is 10.0.0.2, so the static would be:
static (inside,outside) 195.156.111.132 10.0.0.2
Along with this, we need an access-list on the outside interface which permits the traffic.
access-list out_in permit tcp any host 195.156.111.132 eq http
access-list out_in permit tcp any host 195.156.111.132 eq https
access-list out_in permit tcp any host 195.156.111.132 eq smtp
Let me know if this helps.
Sushil
03-09-2007 09:40 AM
Hi,
I have the following commands:
access-list WAN_access_in extended permit ip any host 195.156.111.131
static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255
access-group WAN_access_in in interface WAN
ASA has the IP 195.156.111.132.
If I have the commands with a different IP, e.g. 131, it works. If I use the ASA's own IP, 132, I get ACL denies.
03-09-2007 09:45 AM
If you want to do .132 (ASA outside interface) you should do
static (LAN,WAN) tcp interface www 192.168.151.22 www netmask 255.255.255.255
Note: elijah recommended the same thing above
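A config check for the failure this thread describes, as an added example (not code from any poster or from Cisco): it flags static PAT lines whose mapped address is the firewall's own interface IP written literally rather than with the `interface` keyword. The function name, the `interface_ips` input and the sample config are assumptions made for illustration; the sample lines are constructed from the addresses quoted in the thread.

```python
import re

# Matches static PAT lines in the syntax used in this thread, e.g.
#   static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255
STATIC_PAT = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped>\S+)\s+(?P<mport>\S+)\s+"
    r"(?P<real>\S+)\s+(?P<rport>\S+)"
)

def check_static_pat(config_text, interface_ips):
    """Return findings for static PAT lines that use the mapped interface's
    own IP literally instead of the `interface` keyword.

    interface_ips: dict of interface name -> IP (hypothetical input that the
    caller supplies; this sketch does not parse interface stanzas).
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = STATIC_PAT.match(line)
        if not m:
            continue
        own_ip = interface_ips.get(m["mapped_if"])
        # A line already using `interface` has mapped == "interface": skipped.
        if own_ip is not None and m["mapped"] == own_ip:
            suggest = (f"static ({m['real_if']},{m['mapped_if']}) {m['proto']} "
                       f"interface {m['mport']} {m['real']} {m['rport']} "
                       f"netmask 255.255.255.255")
            findings.append({"line": lineno, "config": line, "suggest": suggest})
    return findings

# Constructed sample: line 2 is from the thread, lines 3 and 4 are made up
# to show the failing form and the form the accepted answer recommends.
SAMPLE = """\
access-list WAN_access_in extended permit ip any host 195.156.111.131
static (LAN,WAN) tcp 195.156.111.131 www 192.168.151.22 www netmask 255.255.255.255
static (LAN,WAN) tcp 195.156.111.132 https 192.168.151.22 https netmask 255.255.255.255
static (LAN,WAN) tcp interface smtp 192.168.151.22 smtp netmask 255.255.255.255
access-group WAN_access_in in interface WAN
"""

if __name__ == "__main__":
    for f in check_static_pat(SAMPLE, {"WAN": "195.156.111.132"}):
        print(f"line {f['line']}: {f['config']}\n  use: {f['suggest']}")
```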