05-14-2012 08:25 PM - edited 03-11-2019 04:06 PM
Hi experts,
I need your help with an ACL because I am not very familiar with the ASA 5520 yet. I'm still studying.
I have been able to allow the OUTSIDE world to connect via SSH to the internal host 172.17.2.50 on my DMZ network. I've created a NAT rule and an ACL as written in the configuration below.
Now I need the INTERNAL network to ssh 172.17.2.50 but ASA stops me with the following error:
"%ASA-3-305006: {outbound static|identity|portmap|regular) translation
creation failed for protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dest_address/dest_port [(idfw_user)]"
Can you please help me figure out a solution?
Here is the configuration (I've removed the standard part):
========================================================================
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address ************ ************
!
interface GigabitEthernet0/1
shutdown
nameif INTERNAL
security-level 100
no ip address
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 172.18.2.1 255.255.255.0
!
object-group service DM_INLINE_TCP_1 tcp
port-object eq ssh
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit tcp any interface INTERNAL eq ssh
global (OUTSIDE) 1 interface
global (INTERNAL) 1 interface
nat (INTERNAL) 1 172.18.1.0 255.255.255.0
nat (DMZ) 1 172.18.2.0 255.255.255.0
static (DMZ,OUTSIDE) tcp interface ssh 172.17.2.50 ssh netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group DMZ_access_in in interface DMZ
========================================================================
Thanks,
Dario
05-14-2012 10:48 PM
Here is the configuration:
static (INTERNAL,DMZ) 172.18.1.0 172.18.1.0 netmask 255.255.255.0
then "clear xlate" to clear any existing translation before you test access.
Hope that helps.
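To see why the identity static fixes the 305006 error, here is a small added model of the pre-8.3 ASA NAT lookup order (it is not Cisco code and not part of the thread). It assumes the documented order for that software train: static rules are consulted before dynamic nat/global pairs, a `nat` statement that matches the source with no matching `global` on the egress interface fails the translation, and with nat-control disabled a flow matching no rule at all passes untranslated. Only the outbound source lookup is modelled (a real static is bidirectional), and the rules are the ones from the posted configuration with and without Jennifer's line.

```python
"""Toy model of pre-8.3 ASA source-NAT lookup (constructed illustration, not Cisco code)."""
import ipaddress
from dataclasses import dataclass


def _in_net(ip: str, network: str, netmask: str) -> bool:
    """True if ip falls inside network/netmask (dotted-mask form accepted by ipaddress)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{network}/{netmask}", strict=False)


@dataclass
class Static:
    """static (real_if,mapped_if) mapped real netmask mask"""
    real_if: str
    mapped_if: str
    mapped: str      # mapped network/host address, or "interface" for interface PAT
    real: str
    netmask: str

    def matches(self, src_if: str, dst_if: str, src_ip: str) -> bool:
        return (self.real_if == src_if and self.mapped_if == dst_if
                and _in_net(src_ip, self.real, self.netmask))

    def map_address(self, src_ip: str) -> str:
        if self.mapped == "interface":
            return f"interface {self.mapped_if}"
        real_net = ipaddress.ip_network(f"{self.real}/{self.netmask}", strict=False)
        offset = int(ipaddress.ip_address(src_ip)) - int(real_net.network_address)
        # identity static (mapped == real) yields the same address back
        return str(ipaddress.ip_address(int(ipaddress.ip_address(self.mapped)) + offset))


@dataclass
class Nat:
    """nat (iface) nat_id network netmask"""
    iface: str
    nat_id: int
    network: str
    netmask: str


@dataclass
class AsaNat:
    statics: list
    nats: list
    globals_: set    # (iface, nat_id) pairs taken from 'global (iface) nat_id ...'

    def translate(self, src_if: str, dst_if: str, src_ip: str) -> tuple:
        # 1. static rules take precedence over dynamic nat/global pairs
        for s in self.statics:
            if s.matches(src_if, dst_if, src_ip):
                return ("static", s.map_address(src_ip))
        # 2. dynamic: a nat statement on the ingress interface needs a global on the egress one
        for n in self.nats:
            if n.iface == src_if and _in_net(src_ip, n.network, n.netmask):
                if (dst_if, n.nat_id) in self.globals_:
                    return ("dynamic", f"global {dst_if} id {n.nat_id}")
                # nat matched but no global on dst_if: this is the thread's failure case
                return ("fail", "%ASA-3-305006 regular translation creation failed")
        # 3. nothing matched; with nat-control disabled the packet passes untranslated
        return ("untranslated", src_ip)


def thread_config(with_fix: bool) -> AsaNat:
    """Rules from the posted configuration; with_fix adds the static (INTERNAL,DMZ) identity line."""
    statics = [Static("DMZ", "OUTSIDE", "interface", "172.17.2.50", "255.255.255.255")]
    if with_fix:
        statics.append(Static("INTERNAL", "DMZ", "172.18.1.0", "172.18.1.0", "255.255.255.0"))
    nats = [Nat("INTERNAL", 1, "172.18.1.0", "255.255.255.0"),
            Nat("DMZ", 1, "172.18.2.0", "255.255.255.0")]
    globals_ = {("OUTSIDE", 1), ("INTERNAL", 1)}   # note: no global (DMZ) 1 in the post
    return AsaNat(statics, nats, globals_)


if __name__ == "__main__":
    host = "172.18.1.10"   # constructed INTERNAL host
    print("before fix:", thread_config(False).translate("INTERNAL", "DMZ", host))
    print("after fix: ", thread_config(True).translate("INTERNAL", "DMZ", host))
```

The INTERNAL subnet is covered by `nat (INTERNAL) 1`, so the dynamic path is tried, but there is no `global (DMZ) 1`, which is the xlate failure the original post reports. The identity static is consulted first and maps each INTERNAL address to itself toward the DMZ, so the flow no longer reaches the dynamic lookup; `clear xlate` matters because an existing failed or stale translation would otherwise be reused.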
05-14-2012 10:54 PM
Thanks a lot Jennifer. It worked perfectly! :-)
This support is just awesome.