Cisco ASA5500 unable to pass inbound TCP traffic...

on 24.08.2007 20:56:27 by del

I have an ASA5505 firewall, T1 into a private IP network. Outbound
traffic no problem, inbound TCP though not working. I have very
little hair left after working for hours on what I'm guessing is a
simple issue. Why can't I get TCP traffic into the hosts I've created
ACLs & statics for? Any thoughts are appreciated, thanks.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.101 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XXX.180.138 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
passwd
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq www
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq pop3
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq 8383
access-list outside_access_in extended permit tcp any host 192.168.0.131 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.0.131 eq ssh
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq 10883
access-list outside_access_in extended permit tcp any host 192.168.0.10 eq pptp
access-list outside_access_in extended permit tcp any host 192.168.0.109 eq telnet
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XXX.180.138 www 192.168.0.99 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 10883 192.168.0.100 10883 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 ssh 192.168.0.131 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 3389 192.168.0.10 3389 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 smtp 192.168.0.131 smtp netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 8383 192.168.0.99 8383 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 pop3 192.168.0.99 pop3 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 ftp 192.168.0.99 ftp netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 telnet 192.168.0.109 telnet netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XXX.180.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:

Re: Cisco ASA5500 unable to pass inbound TCP traffic...

on 25.08.2007 03:08:30 by roberson

In article <1187981787.951454.249350@q3g2000prf.googlegroups.com>,
wrote:
>I have an ASA5505 firewall, T1 into a private IP network. Outbound
>traffic no problem, inbound TCP though not working. I have very
>little hair left after working for hours on what I'm guessing is a
>simple issue. Why can't I get TCP traffic into the hosts I've created
>ACLs & statics for? Any thoughts are appreciated, thanks.

>access-list outside_access_in extended permit tcp any host 192.168.0.99 eq www

You have to use the *public* IP addresses in the access-list that
you apply to the outside interface.


More generally, unless you have specifically configured otherwise,
if you have any traffic that needs to initiate connections from a
lower security interface to a higher security interface, then
the ACL attached to the lower security interface needs to be
written in terms of the IP address that the higher security
interface NATs or statics to with respect to that lower security
interface. (This isn't necessarily the same as the "public"
IP, because you might (for whatever reason) choose to have
your "inside" interface translate to some other address range
for communications to a DMZ.)
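A worked check for the rule in the answer above, added here as an example; it is not code from either poster. On the software the original post is running (pre-8.3; the asdm-522.bin image is the ASDM 5.2 build that pairs with the ASA 7.2 train), an ACL applied to the outside interface is evaluated against the mapped destination, so every ACE permitting traffic to a host behind a `static` must name the mapped (here, public) address and port. The script parses `static (inside,outside) tcp ...` entries and the outside ACL in the format of the posted configuration, re-emits each ACE in mapped terms, and flags two kinds of dead configuration a practitioner should look for at the same time: an ACE whose destination no static translates (it can never match an inbound packet) and a static that no ACE permits (the translation exists, but the implicit deny still drops the traffic). The embedded configuration is a constructed, abbreviated stand-in for the posted one, with the RFC 5737 documentation address 203.0.113.138 replacing the masked public address; the service-name table covers only the names that appear in the post. This rule inverted in ASA 8.3, where ACLs are written against the real (untranslated) address, so the script applies to 7.x and 8.0 to 8.2 only.

```python
"""Rewrite a pre-8.3 ASA outside ACL from real to mapped addresses.

Added example, not from the original thread. Covers ASA 7.x/8.0-8.2
only: from 8.3 on, ACLs are written against real (untranslated) hosts.
"""
import re
from typing import Dict, List, Tuple

# Service names the ASA accepts in place of port numbers; limited to the
# names that appear in the posted configuration (assumption).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "www": 80, "pop3": 110, "pptp": 1723}

# static (real_if,mapped_if) tcp <mapped_ip> <mapped_port> <real_ip> <real_port> ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)")
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit tcp any host "
    r"(?P<dst>\S+) eq (?P<port>\S+)$")

# Constructed, abbreviated stand-in for the posted config; 203.0.113.138
# (RFC 5737 documentation space) replaces the masked public address.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq www
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.0.131 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.0.10 eq pptp
access-list outside_access_in extended permit tcp any host 192.168.0.109 eq telnet
static (inside,outside) tcp 203.0.113.138 www 192.168.0.99 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.138 ftp 192.168.0.99 ftp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.138 smtp 192.168.0.131 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.138 3389 192.168.0.10 3389 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.138 telnet 192.168.0.109 telnet netmask 255.255.255.255
access-group outside_access_in in interface outside
"""


def port_number(token: str) -> int:
    """Resolve an ASA service name or numeric port token to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_statics(config: str) -> Dict[Tuple[str, int], Tuple[str, str]]:
    """Map (real_ip, real_port) -> (mapped_ip, mapped_port_token) for tcp statics."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics[(m["real_ip"], port_number(m["real_port"]))] = (
                m["mapped_ip"], m["mapped_port"])
    return statics


def parse_aces(config: str, acl_name: str) -> List[Tuple[str, int, str]]:
    """Return (dst_ip, dst_port, port_token) for each permit ACE of acl_name."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["acl"] == acl_name:
            aces.append((m["dst"], port_number(m["port"]), m["port"]))
    return aces


def rewrite_outside_acl(config: str, acl_name: str):
    """Return (rewritten_aces, aces_without_static, statics_without_ace).

    On pre-8.3 ASA an inbound packet hits the outside ACL carrying the
    mapped destination, so each ACE is re-expressed through the static
    that covers its real host:port. ACEs with no static and statics with
    no ACE are reported as dead configuration.
    """
    statics = parse_statics(config)
    rewritten, no_static, covered = [], [], set()
    for dst, port, token in parse_aces(config, acl_name):
        key = (dst, port)
        if key not in statics:
            no_static.append(f"{dst}:{port} ({token})")
            continue
        mapped_ip, mapped_port = statics[key]
        rewritten.append(f"access-list {acl_name} extended permit tcp any host "
                         f"{mapped_ip} eq {mapped_port}")
        covered.add(key)
    no_ace = [f"{r_ip}:{r_port} -> {m_ip}:{m_port}"
              for (r_ip, r_port), (m_ip, m_port) in statics.items()
              if (r_ip, r_port) not in covered]
    return rewritten, no_static, no_ace


if __name__ == "__main__":
    fixed, no_static, no_ace = rewrite_outside_acl(SAMPLE_CONFIG, "outside_access_in")
    print("\n".join(fixed))
    for ace in no_static:
        print(f"! ACE to {ace} has no static: never matches an inbound packet")
    for st in no_ace:
        print(f"! static {st} has no ACE: inbound still hits the implicit deny")
```

Run against the constructed sample, the script produces the four ACEs rewritten to `host 203.0.113.138`, reports the `pptp` ACE for 192.168.0.10 as unreachable (no static translates 192.168.0.10:1723), and reports the 3389 static for 192.168.0.10 as permitted by no ACE. The same two mismatches are present in the posted configuration, so after changing the ACL to the public address the poster would still need a static for PPTP (plus GRE handling, which a TCP-only static does not cover) and either an ACE for 3389 or removal of that static.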