ASA 5510 implicit rule woes

Hi,

We have a new ASA 5510. It will connect to the internet by PPPoE, and for the time being we only have one internal network. What I am trying to do is traditional "NAT forwarding", i.e. forward HTTP requests from internet hosts to port 80 on our server located in the internal network.

What seems to be the problem is that the ACLs are not recognised, as all traffic is identified and dropped by the last implicit rule. I should also mention that I am a complete noob when it comes to Cisco in general; however, I have worked with different firewall brands for years.

I have attached my current config.

Please note that the ASA is not yet installed - I am testing the configurations on a private-only network with the Outside interface connected via DHCP. Connections from the inside to the outside are working; however, I cannot connect from the Outside to the internal server (for the time being I am only testing HTTP and RDP). Please also note that I am using ASDM for config purposes as I am not really comfortable with the CLI yet.

Any pointers or solutions will be highly appreciated.

Accepted Solutions

Re: ASA 5510 implicit rule woes

What is the outside interface address? Is it 10.0.102.232? If so, change your static commands and use the "interface" keyword like so...

static (Inside1,Outside) tcp interface www 10.120.0.10 www netmask 255.255.255.255

static (Inside1,Outside) tcp interface 3389 10.120.0.10 3389 netmask 255.255.255.255

Then your acl would simply look like this...

access-list Outside_access_in extended permit tcp any interface outside eq www

access-list Outside_access_in extended permit tcp any interface outside eq 3389

access-group Outside_access_in in interface Outside
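
Added example, not part of the original thread: a small Python check that reads static port-forward, access-list and access-group lines in the syntax used in the answer above and reports every forward that inbound traffic cannot reach, which is the case that ends at the implicit deny. The sample config is constructed from the answer's lines with the RDP permit left out; treating interface names as case-insensitive and port 80 as `www` are assumptions of this sketch.

```python
import re

# Constructed sample: the answer's lines, minus the ACL entry for 3389.
SAMPLE_CONFIG = """\
static (Inside1,Outside) tcp interface www 10.120.0.10 www netmask 255.255.255.255
static (Inside1,Outside) tcp interface 3389 10.120.0.10 3389 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any interface outside eq www
access-group Outside_access_in in interface Outside
"""

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) interface (\S+) (\S+) (\S+)", re.I)
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any interface (\S+) eq (\S+)", re.I)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.I)
PORT_ALIASES = {"80": "www"}  # assumption: numeric 80 and the keyword www are the same port


def norm_port(port):
    """Lower-case a port token and map known numeric forms to their keyword."""
    return PORT_ALIASES.get(port.lower(), port.lower())


def audit(config):
    """Return (forwards, findings) for interface-based static PAT entries."""
    forwards, permits, bound = [], set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            # (mapped interface, protocol, mapped port, real host, real port)
            forwards.append((m[2].lower(), m[3].lower(), norm_port(m[4]), m[5], norm_port(m[6])))
        elif m := ACL_RE.match(line):
            # (ACL name, interface, protocol, destination port)
            permits.add((m[1], m[3].lower(), m[2].lower(), norm_port(m[4])))
        elif m := GROUP_RE.match(line):
            bound[m[2].lower()] = m[1]  # interface -> ACL applied inbound
    findings = []
    for ifc, proto, port, host, real_port in forwards:
        acl = bound.get(ifc)
        if acl is None:
            findings.append(f"{proto}/{port} -> {host}:{real_port}: no access-group on {ifc}")
        elif (acl, ifc, proto, port) not in permits:
            findings.append(f"{proto}/{port} -> {host}:{real_port}: no permit in {acl}")
    return forwards, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[1]:
        print("implicit deny:", finding)
```
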
