The host restriction access-list (18.104.22.168) only works when I remove the first access list. Otherwise, any external host can access 22.214.171.124:22 and get to 192.168.1.84:2222. I also notice that by leaving only the second access-list rule host 126.96.36.199 can get to port 2222 and 22! Again, I need ANY host to be able to access 192.168.1.84:2222 and only 188.8.131.52 to access 192.168.1.84:22. Can you point to what I am doing wrong or is it a bug with ASA 9.1(5)?
PS. this is my first ever post so excuse me if I am not being very clear or not formatting things properly
This is not a bug in the code. The issue here is that the real port in both cases is the same, i.e., 2222. On ASA versions 8.3 and above the access-list uses the real ports and IP addresses to allow traffic to an internal host.
Having configured both NAT statements, the ASA on the outside interface is already actively listening for port 22 and 2222 connections on the public IP address of 184.108.40.206. Now, when traffic from 220.127.116.11 comes in on either port, the NAT rule is passed and the first access list entry makes sure that all traffic to the internal server is permitted irrespective of what ACL is configured below it.
If you run "show access-list outside_access_in", you will see no hit counts on the second rule. This is because the traffic from 18.104.22.168 also qualifies to hit the first rule and since it appears first, the second rule becomes redundant.
I'll check to see if we can blackhole the traffic from 22.214.171.124 on port 2222 specifically so that this traffic gets denied.
So the conclusion is that what you see in this case is expected behavior based on the code that you are running.
This is what I suspected. Although, I was hoping that object network name in the access-list would make the difference.
> I'll check to see if we can blackhole the traffic from 126.96.36.199 on port 2222 specifically so that this traffic gets denied.
I think this is the opposite of what I am trying to accomplish. I want 188.8.131.52 to be the ONLY host to have access on port 22. All other hosts including 184.108.40.206 should be able to access port 2222.
I am still unable to get around this issue. I am back to thinking that this is a bug and unexpected behaviour. Logically, ANY traffic coming on outside port 22 should only trigger the following object network and access list:
object network ACCESS_ON_22
nat (inside,outside) static OUTSIDE_IP service tcp 2222 22
I am just not sure how traffic coming in on outside port 22 can trigger a nat and access list rule that strictly refers to outside port 2222. It makes very little sense or I simply don't understand the logic behind it. At any rate, how would one properly deal with a situation like mine. I am sure I'm not the only one out there!
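Added example, not from this thread or from Cisco: a toy Python model of the ASA 8.3+ order of operations the answer above describes (inbound traffic is un-NATted first, then the interface ACL is matched against the real IP and real port). The trusted and stranger addresses are constructed; it shows why the second ACE never receives hits and why the restriction only "works" once the first ACE is removed, which in turn blocks everyone else on 2222.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER = "192.168.1.84"       # real server address from the thread
TRUSTED = "198.51.100.5"      # constructed stand-in for the one host allowed on 22
STRANGER = "192.0.2.99"       # constructed: any other Internet host

# The two object-network NAT rules, keyed by mapped (outside) port.
# "nat (inside,outside) static OUTSIDE_IP service tcp 2222 22" and its
# port-2222 twin both translate to the SAME real socket: 192.168.1.84:2222.
NAT = {22: (SERVER, 2222), 2222: (SERVER, 2222)}

@dataclass
class Ace:
    src: str        # "any" or one host address
    real_port: int  # compared against the REAL destination port, after un-NAT
    hits: int = 0

    def matches(self, src: str, dst: str, port: int) -> bool:
        return dst == SERVER and port == self.real_port and self.src in ("any", src)

def evaluate(acl: List[Ace], src: str, mapped_port: int) -> Optional[int]:
    """Un-NAT the packet, then walk the ACL first-match.
    Returns the index of the permitting ACE, or None for the implicit deny."""
    if mapped_port not in NAT:
        return None
    real_ip, real_port = NAT[mapped_port]
    for i, ace in enumerate(acl):
        if ace.matches(src, real_ip, real_port):
            ace.hits += 1
            return i
    return None

def trial(acl: List[Ace], packets) -> Tuple[list, List[int]]:
    """Returns (permitting ACE index per packet, per-ACE hit counts)."""
    return [evaluate(acl, s, p) for s, p in packets], [a.hits for a in acl]

PACKETS = [(STRANGER, 22), (TRUSTED, 22), (STRANGER, 2222)]

def as_posted():
    # ACE 1: permit tcp any -> real 2222 ; ACE 2: permit tcp host TRUSTED -> object ACCESS_ON_22
    return trial([Ace("any", 2222), Ace(TRUSTED, 2222)], PACKETS)

def first_ace_removed():
    return trial([Ace(TRUSTED, 2222)], PACKETS)

if __name__ == "__main__":
    print("as posted:        ", as_posted())          # every packet hits ACE 1; ACE 2 stays at 0
    print("first ACE removed:", first_ace_removed())  # only TRUSTED passes, and 2222 is closed to all
```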