We help IT Professionals succeed at work.
Get Started

ASA 5505 Can't telnet in from outside to NAT address

1,436 Views
Last Modified: 2010-04-21
This seems to look right to me, but here is the config of a ASA 5505 and I can't telnet in to the NAT address 192.168.1.13 .. the packet trace says blocked by implicit ACL, like the main address-list ACL is not even there... It looks like several others I have setup, but here they only have the outside interface to map too, only that one open IP address @ .34 ... maybe that is the problem... anyway here is the config:

ASA Version 7.2(3)
!
hostname Dxxxxxx
domain-name dxxxxxxxx.com
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 68.77.105.34 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.17
 name-server 4.2.2.6
 domain-name dxxxxxxxx.com
access-list inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.224
access-list outside_access_in extended permit tcp any host 68.77.105.34 eq telnet
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_IP 192.168.1.230-192.168.1.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 68.77.105.34 192.168.1.13 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.77.105.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server VPN_Users protocol nt
aaa-server VPN_Users host 192.168.1.17
 timeout 5
 nt-auth-domain-controller server
aaa-server dxxxxxxxxx protocol nt
aaa-server dxxxxxxxxx host 192.168.1.17
 timeout 5
 nt-auth-domain-controller server
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy Dxxxxxxxxx internal
group-policy Dxxxxxxxxx attributes
 dns-server value 192.168.1.17
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value dxxxxxxxxx.com
tunnel-group Dxxxxxxxx type ipsec-ra
tunnel-group Dxxxxxxxx general-attributes
 address-pool VPN_IP
 authentication-server-group VPN_Users
 default-group-policy Dxxxxxxxxx
prompt hostname context
: end
asdm image disk0:/asdm-523.bin
no asdm history enable


Comment
Watch Question
Commented:
This problem has been solved!
Unlock 1 Answer and 2 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE