Cisco Support Community

New Member

static rule fail

Using the attached config I can telnet to ports 951 & 952 on 2 different real IPs as configured, connecting to a listener on 192.168.200.2, a test machine connected directly to the ASA.

In order to test some of the real connections using the real internal IPs and ports, I've added a few access-list commands:

access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any host 63.x.y.26 eq 951
access-list outside_access_in extended permit tcp any host 63.x.y.27 eq 952
access-list outside_access_in extended permit tcp any host 63.x.y.25 eq lotusnotes
access-list outside_access_in extended permit tcp any host 63.x.y.26 eq smtp
access-list outside_access_in extended permit tcp any host 63.x.y.25 eq www
access-list outside_access_in extended permit tcp any host 63.x.y.20 eq https
access-list outside_access_in extended permit tcp any host 63.x.y.10 eq https
access-list outside_access_out extended permit ip any any
access-list inside_nat0_outside extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list Split_T extended permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0

I've also added the matching static commands:

static (inside,outside) tcp interface 951 192.168.200.2 951 netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.27 952 192.168.200.2 952 netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.25 lotusnotes 192.168.200.12 lotusnotes netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.26 smtp 192.168.200.6 smtp netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.25 www 192.168.200.12 www netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.20 https 192.168.42.200 https netmask 255.255.255.255
access-group outside_access_in in interface outside

After adding those I can still telnet to ports 951/952.

When I change the test machine to 192.168.200.12 and try to test port 80 or port 25, it is not connecting.

I've checked the ARP records (sh arp) on the ASA and it does show 192.168.200.12.

I can access the ASA (telnet) and the internet from the test machine.

Any ideas?

10 REPLIES
New Member

Re: static rule fail

I also had 2 problems configuring the static maps:

One of my services uses a range of ports (200-210). Do I have to type in each port separately?

I got the following error when I used the same internal IP/port combination for different real IPs:

ERROR: duplicate of existing static
TCP inside:192.168.42.200/443 to outside:63.x.y.20/443 netmask 255.255.255.255

Green

Re: static rule fail

A configuration like this is not possible...

static (inside,outside) tcp 63.x.y.20 https 192.168.42.200 https netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.21 https 192.168.42.200 https netmask 255.255.255.255
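The two problems raised above (the "duplicate of existing static" error and the 200-210 port range) and the original post's question of whether every permit entry has a matching translation are all things that can be checked from the config text before it is pushed to the firewall. The following Python script is an added example, not code from the thread or from Cisco: it parses the `static` and `access-list` lines in the syntax the thread uses, flags any inside IP/port that is mapped from more than one outside address (the condition the ASA rejects), lists permit entries whose outside IP/port has no static, and expands a port range into one static per port, on the assumption that this syntax carries a single port per line. The sample input is the thread's own lines plus the second https static from the reply; 63.x.y.30 is a constructed placeholder address, and the service keyword to port number mapping uses the standard assignments (lotusnotes is 1352, as the thread itself notes).

```python
import re
from collections import defaultdict

# Service keywords used in the thread's lines, resolved to the port numbers
# the ASA assigns them (standard IANA assignments).
SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443, "lotusnotes": 1352}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) "
    r"netmask (?P<mask>\S+)$"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
    r"(?P<src>any|host \S+) host (?P<dst>\S+) eq (?P<port>\S+)$"
)

# Constructed sample: the thread's static lines plus the second https static
# from the reply that shows the conflict (63.x.y.NN addresses as masked in the thread).
SAMPLE_STATICS = """
static (inside,outside) tcp interface 951 192.168.200.2 951 netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.27 952 192.168.200.2 952 netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.25 lotusnotes 192.168.200.12 lotusnotes netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.26 smtp 192.168.200.6 smtp netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.25 www 192.168.200.12 www netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.20 https 192.168.42.200 https netmask 255.255.255.255
static (inside,outside) tcp 63.x.y.21 https 192.168.42.200 https netmask 255.255.255.255
""".strip().splitlines()

# Constructed sample: the thread's access-list lines.
SAMPLE_ACLS = """
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in extended permit tcp any host 63.x.y.26 eq 951
access-list outside_access_in extended permit tcp any host 63.x.y.27 eq 952
access-list outside_access_in extended permit tcp any host 63.x.y.25 eq lotusnotes
access-list outside_access_in extended permit tcp any host 63.x.y.26 eq smtp
access-list outside_access_in extended permit tcp any host 63.x.y.25 eq www
access-list outside_access_in extended permit tcp any host 63.x.y.20 eq https
access-list outside_access_in extended permit tcp any host 63.x.y.10 eq https
access-list outside_access_out extended permit ip any any
""".strip().splitlines()


def port_number(token):
    """Resolve a numeric port or an ASA service keyword to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_statics(lines):
    """Return one dict per recognised static line, with ports as integers."""
    statics = []
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mapped_port"] = port_number(d["mapped_port"])
            d["real_port"] = port_number(d["real_port"])
            statics.append(d)
    return statics


def find_duplicate_statics(statics):
    """Map each (proto, inside ip, inside port) that appears in more than one
    static to the list of outside addresses it is mapped from. The ASA rejects
    the second such line with 'ERROR: duplicate of existing static'."""
    seen = defaultdict(list)
    for s in statics:
        seen[(s["proto"], s["real_ip"], s["real_port"])].append(s["mapped_ip"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def acl_entries_without_static(acl_lines, statics):
    """Return (proto, outside ip, port) of permit entries with no static.
    A static whose mapped address is the 'interface' keyword is treated as
    covering any outside address on that port, since the interface IP is not
    known from the config text alone (avoids a false positive)."""
    translated = {(s["proto"], s["mapped_ip"], s["mapped_port"]) for s in statics}
    missing = []
    for line in acl_lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue  # icmp / ip any any lines carry no port and are skipped
        key = (m["proto"], m["dst"], port_number(m["port"]))
        if key not in translated and (key[0], "interface", key[2]) not in translated:
            missing.append(key)
    return missing


def expand_port_range(mapped_ip, real_ip, first, last, proto="tcp", ifpair=("inside", "outside")):
    """Emit one static per port, assuming this syntax takes a single port per line."""
    return [
        f"static ({ifpair[0]},{ifpair[1]}) {proto} {mapped_ip} {p} {real_ip} {p} netmask 255.255.255.255"
        for p in range(first, last + 1)
    ]


if __name__ == "__main__":
    statics = parse_statics(SAMPLE_STATICS)
    for key, mapped in find_duplicate_statics(statics).items():
        print("conflict: inside %s %s/%d mapped from %s" % (key[0], key[1], key[2], ", ".join(mapped)))
    for key in acl_entries_without_static(SAMPLE_ACLS, statics):
        print("permit without static: %s %s/%d" % key)
    print("\n".join(expand_port_range("63.x.y.30", "192.168.200.2", 200, 210)))
```

Run on the sample it reports the single conflict (192.168.42.200/443 mapped from both 63.x.y.20 and 63.x.y.21) and the one permit entry (63.x.y.10 https) that has no translation behind it, which is worth knowing because a permit without a static is an opening that leads nowhere useful but still widens the policy.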

New Member

Re: static rule fail

What are the other options?

I have 2 domain names coming in on 2 different IPs.

Each should come in as https.

Both go to the same server.

New Member

Re: static rule fail

Green

Re: static rule fail

I would recommend you remove the following from your ACL.

no access-list outside_access_out extended permit ip any any

Did you try a "clear xlate" after the change to .12?

New Member

Re: static rule fail

I did "clear xlate" right after "clear arp".

Removing this access-list didn't affect anything; still not working.

Green

Re: static rule fail

Sorry, just realized it is a different acl, outside_access_out.

New Member

Re: static rule fail

I've been playing more and found something interesting:

When the test machine is changed to 192.168.200.12, port 1352 (lotusnotes) is accessible from outside,

but port 80 is not; it is going to my production firewall, which uses a totally different IP:

HTTP/1.1 400 Bad Request ( The data is invalid. )
Via: 1.1 ProductionFirewall
Connection: close
Proxy-Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 1946

Weird...

Now I guess ports 80 & 443, just like smtp, have their own different behavior.

Re: static rule fail

Hello Ofir,

I assume IIS (or whatever web server you are using) is affected by the IP change. Restarting the relevant IIS services after changing the IP on the test machine would be helpful.

Also try running "clear local-host all" on the firewall after static changes.

Regards

New Member

Re: static rule fail

I'm using a port listener tool, not IIS.

Anyway, I just came back from checking again and found that some Mozilla users out there tried my IP and left traces on my listener :)

Maybe telnet on port 80/443 has a problem with this listener...
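The response quoted earlier in the thread (a 400 with `Via: 1.1 ProductionFirewall` and `Proxy-Connection: close`) is the useful signal here: the `Via` header identifies an intermediary that answered the probe, so whatever answered on port 80 was not the listener on the test machine. Telnetting to a port and reading the reply by eye makes that easy to miss, so the following Python script is an added example, not code from the thread or any tool mentioned in it: it runs a throwaway listener that greets with a known banner, sends a minimal HTTP request to a host/port, and classifies the reply as the listener itself, an intermediary (by its `Via` value), some other HTTP speaker, or no answer. The banner text is an assumption, and the sample reply is constructed from the headers quoted in the thread.

```python
import socket
import threading

# Constructed banner; any fixed string unique to the test listener will do.
BANNER = b"TESTLISTENER probe-target\r\n"

# Constructed sample reply, built from the response headers quoted in the thread.
PRODUCTION_FIREWALL_REPLY = (
    b"HTTP/1.1 400 Bad Request ( The data is invalid. )\r\n"
    b"Via: 1.1 ProductionFirewall\r\n"
    b"Connection: close\r\n"
    b"Proxy-Connection: close\r\n"
    b"Pragma: no-cache\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 1946\r\n"
    b"\r\n"
)


def parse_http_headers(raw):
    """Return (status code or None, {lowercased header: value}) from a raw reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_response(raw, banner=BANNER):
    """Decide who answered: our listener, an intermediary, another HTTP
    speaker, or nobody. An intermediary is recognised by the Via header
    (RFC 7230 requires proxies to add it) or a Proxy-Connection header."""
    if not raw:
        return "no-answer"
    if raw.startswith(banner):
        return "listener"
    if raw.startswith(b"HTTP/"):
        status, headers = parse_http_headers(raw)
        if "via" in headers or "proxy-connection" in headers:
            return "intermediary:" + headers.get("via", "unknown")
        return "other-http:%s" % status
    return "unknown"


def _serve_once(srv, banner):
    # Accept a single connection, send the banner, close. Nothing is logged
    # beyond the peer address, which is what a listener test needs.
    conn, addr = srv.accept()
    with conn:
        print("listener: connection from %s:%d" % addr)
        conn.sendall(banner)
    srv.close()


def start_listener(host="127.0.0.1", port=0, banner=BANNER):
    """Start a one-shot banner listener in a thread; return the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    threading.Thread(target=_serve_once, args=(srv, banner), daemon=True).start()
    return srv.getsockname()[1]


def probe(host, port, timeout=2.0, banner=BANNER):
    """Connect, send a minimal HTTP request, read until close or timeout, classify."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n")
            chunks = []
            while True:
                try:
                    data = s.recv(4096)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
            return classify_response(b"".join(chunks), banner)
    except OSError:
        return "no-answer"


if __name__ == "__main__":
    local_port = start_listener()
    print("probe of own listener:", probe("127.0.0.1", local_port))
    print("thread's quoted reply:", classify_response(PRODUCTION_FIREWALL_REPLY))
```

Against the thread's reply this returns `intermediary:1.1 ProductionFirewall`, while a probe that really reaches the inside host returns `listener`; run the listener on the inside host and the probe from outside, and the two cases are no longer ambiguous.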
