Cisco ASA5500 unable to pass inbound TCP traffic...

Secure Home | Search | About

Lost Password?

Networking Firewalls

get this group's latest topics as an RSS feed

add this group's latest topics to your My MSN content

add this group's latest topics to your My Yahoo content

add this group's latest topics to your Google content

Subject

Author

Date

Cisco ASA5500 unable to pass inbound TCP traffic...

del

08-24-2007

Re: Cisco ASA5500 unable to pass inbound TCP traff...

Walter Roberson

08-24-2007

Posted by on August 24, 2007, 2:56 pm

If you were Registered and logged in, you could reply and use other advanced thread options

I have an ASA5505 firewall, T1 in to a private IP network. Outbound
traffic no problem, in bound TCP though not working. I have very
little hair left after working for hours on what I'm guessing is a
simple issue. Why can't I get TCP traffic into the hosts I've created
ACL & Static's for? Any thoughts are appriciated, thanks.

interface Vlan1

nameif inside

security-level 100

ip address 192.168.0.101 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address XX.XXX.180.138 255.255.255.248

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

passwd
ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_access_in extended permit tcp any host
192.168.0.99 eq www

access-list outside_access_in extended permit tcp any host
192.168.0.99 eq ftp

access-list outside_access_in extended permit tcp any host
192.168.0.99 eq pop3

access-list outside_access_in extended permit tcp any host
192.168.0.99 eq 8383

access-list outside_access_in extended permit tcp any host
192.168.0.131 eq smtp

access-list outside_access_in extended permit tcp any host
192.168.0.131 eq ssh

access-list outside_access_in extended permit tcp any host
192.168.0.100 eq 10883

access-list outside_access_in extended permit tcp any host
192.168.0.10 eq pptp

access-list outside_access_in extended permit tcp any host
192.168.0.109 eq telnet

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp XX.XXX.180.138 www 192.168.0.99 www
netmask 255.255.255.255

static (inside,outside) tcp XX.XXX.180.138 10883 192.168.0.100 10883
netmask 255.255.255.255

static (inside,outside) tcp XX.XXX.180.138 ssh 192.168.0.131 ssh
netmask 255.255.255.255

static (inside,outside) tcp XX.XXX.180.138 3389 192.168.0.10 3389
netmask 255.255.255.255

static (inside,outside) tcp XX.XXX.180.138 smtp 192.168.0.131 smtp
netmask 255.255.255.255

static (inside,outside) tcp XX.XXX.180.138 8383 192.168.0.99 8383
netmask 255.255.255.255

static (inside,outside) tcp XX.XXX.180.138 pop3 192.168.0.99 pop3
netmask 255.255.255.255

static (inside,outside) tcp XX.XXX.180.138 ftp 192.168.0.99 ftp
netmask 255.255.255.255

static (inside,outside) tcp XX.XXX.180.138 telnet 192.168.0.109
telnet
netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 XX.XXX.180.137 255.255.255.248 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-
pat
0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-
disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

service-policy global_policy global

prompt hostname context

Cryptochecksum:

Posted by Walter Roberson on August 24, 2007, 9:08 pm

If you were Registered and logged in, you could reply and use other advanced thread options

>I have an ASA5505 firewall, T1 in to a private IP network. Outbound

>traffic no problem, in bound TCP though not working. I have very

>little hair left after working for hours on what I'm guessing is a

>simple issue. Why can't I get TCP traffic into the hosts I've created

>ACL & Static's for? Any thoughts are appriciated, thanks.

>access-list outside_access_in extended permit tcp any host 192.168.0.99 eq www

You have to use the *public* IP addresses in the access-list that
you apply to the outside interface.

More generally, unless you have specifically configured otherwise,
if you have any traffic that needs to initiate connections from a
lower security interface to a higher security interface, then
the ACL attached to the lower security interface needs to be
written in terms of the IP address that the higher security
interface NAT or static's to with respect to that lower security
interface. (This isn't necessarily the same as the "public"
IP, because you might (for whatever reason) choose to have
your "inside" interface translate to some other address range
for communications to a DMZ.)

Similar Threads	Posted
inbound PIX Traffic	March 19, 2006, 2:14 pm
My Cisco ASA is mangling legitimate SMTP traffic	June 5, 2007, 5:18 pm
setting up a pass through server	February 14, 2005, 11:41 am
VPN pass-through with NetScreen 5 (ScreenOS 5.0.x)	July 28, 2006, 1:30 am
Pass-Guaranteed.com Now Hiring!!!	January 9, 2007, 5:43 pm
Proper Way to Pass ICMP Through Firewall-1?	April 27, 2005, 11:20 pm
Pass-lock in ZonaAlarm Free	March 24, 2006, 3:28 pm
Outgoing emails can not pass through Pix firewall	April 7, 2006, 10:13 am
How can I tell Sygate to let networked Laptop pass?	June 26, 2006, 6:06 pm
Watchguard Firebox 2 (PPTP and GRE Pass Through)	March 20, 2007, 1:28 pm

The site map in XML format XML site map