I am pretty confused about a firewall setup I inherited that is causing me some problems. It's an ASA 5505 configured with the standard Inside and Outside networks, plus a DMZ and a Test LAN. I am trying to get a backup solution configured that of course requires agents installed on the hosts to talk to the central console. The central console is installed on the DMZ in the 192.168.10.0/24 network. The server with the agent is installed on the 192.168.100.0/24 Test network. I added an ACL via the ASDM as follows:
access-list TEST_access_in line 3 extended permit object-group DM_INLINE_PROTOCOL_2 host 192.168.10.4 any
access-list TEST_access_in line 3 extended permit ip host 192.168.10.4 any
access-list TEST_access_in line 3 extended permit icmp host 192.168.10.4 any
access-list TEST_access_in line 3 extended permit tcp host 192.168.10.4 any
When I tested this through the packet trace tool, it failed. It says it failed due to the following:
nat (TEST) 1 0.0.0.0 0.0.0.0
match ip TEST any inside any
dynamic translation to pool 1 (192.168.20.1 [Interface PAT])
I have absolutely no idea what this means. I thought NAT just determined what kind of address translation you have for your unroutable IPs. I don't know why it would be blocking access between two networks. Can anyone give me some ideas or information about what this is referring to and what I might be doing wrong?
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group TEST_access_in in interface TEST
I am trying to connect from IP 192.168.10.4 in the DMZ network to 192.168.20.220 on the inside LAN. With no changes to the configuration from me, I do a packet trace from the DMZ. The output is this:
I perform the same test on the inside interface, no change made to the existing config, and I get this:
So, I figure I need to add an ACL to prevent the implicit deny rule. I create a rule permitting source 192.168.10.4 to 192.168.20.220, protocols IP and TCP, and apply it to the inside of the inside interface. I do the same test as before and I get this:
Having thought about this since my post, I do need to mention that the source IP (192.168.10.4) has a static NAT to a public IP in the config. So, presumably when traffic from that host leaves the ASA it gets translated to the public IP. I did try changing my ACLs to the public IP instead, but that also didn't work so I doubt that I'm barking up the right tree.