Solved

Set static inside to outside with PPPoE connection

Posted on 2008-10-23
3
625 Views
Last Modified: 2013-12-14
I have an ATT DSL connection at a location and have set up an ASA behind it and have it working properly.  I also opened up 3389 to point to the internal host.  I used whatismyip.com to find out the public I was getting and tried to remote in to no avail.  I want to set one of my statics to one of my hosts but the static mapping does not work right with PPPoE connection.  How can I do so?  Config below...



sh run
: Saved
:
ASA Version 7.2(4)
!
hostname TexasBlackGold
names
name 10.10.0.50 zeus
name 10.10.0.30 triton
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group att
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name something.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outsidein extended permit icmp any any
access-list outsidein extended permit tcp any any eq smtp
access-list outsidein extended permit tcp any any eq pop3
access-list outsidein extended permit tcp any any eq https
access-list outsidein extended permit tcp any eq https any
access-list outsidein extended permit tcp any eq www any
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any host zeus eq 3389
access-list outsidein extended permit udp any host zeus eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outsidein in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 1.2.196.0 255.255.255.0 outside
http 10.10.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.10.0.0 255.255.255.0 inside
telnet 1.2.196.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group att request dialout pppoe
vpdn group att localname something@sbcglobal.net
vpdn group att ppp authentication pap
vpdn username something@sbcglobal.net password ********* store-local
dhcpd dns zeus 4.2.2.2
dhcpd lease 100000
dhcpd domain something.com
dhcpd auto_config outside
!
dhcpd address 10.10.0.100-10.10.0.200 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

0
Question by:rcooper83
3 Comments
 
LVL 14

Expert Comment

by:Kutyi
ID: 22791137
no access-list outsidein extended permit tcp any host zeus eq 3389
no access-list outsidein extended permit udp any host zeus eq 3389
access-list outsidein permit tcp any any eq 3389
static (inside,outside) tcp interface 3389 10.10.0.50 3389 netmask 255.255.255.255

Copy and paste these commands into the PIX.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22791140
Your ACL is incorrect and you need static NAT port translations.

Example: HTTP to host triton, RDP to host zeus

static (inside,outside) tcp interface 3389 10.10.0.50 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.0.30 www netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside


0
 
LVL 16

Expert Comment

by:btassure
ID: 22791156
You need to add a static NAT rule:
static (inside,outside) zeus (or you would use an IP) [outside IP] netmask 255.255.255.255
http://www.tech-recipes.com/rx/149/static-map-to-internal-device-on-a-pix/

And your inbound access list will not allow that traffic - the ACL is applied BEFORE the NAT rule so you need to permit the 3389 traffic to the outside interface, not the address of the server.
0
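The two points the answers make (an inbound rule on this ASA 7.2 configuration must match the outside interface rather than the inside host, and every published port needs a static PAT entry) can be checked mechanically against a saved config. The script below is an added example, not code from the thread; `audit`, the finding labels and the two constructed config excerpts are assumptions, and it only understands the line shapes that appear on this page.

```python
import ipaddress
import re

ACE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) any "
                 r"(any|host \S+|interface \S+) eq (\S+)$")
PAT = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface outside$")
NAME = re.compile(r"^name (\S+) (\S+)$")

# Constructed excerpt of the question's configuration.
ORIGINAL = """\
name 10.10.0.50 zeus
access-list outsidein extended permit tcp any any eq www
access-list outsidein extended permit tcp any host zeus eq 3389
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outsidein in interface outside
"""

# Constructed excerpt after applying the RDP lines of the accepted answer.
FIXED = """\
name 10.10.0.50 zeus
static (inside,outside) tcp interface 3389 10.10.0.50 3389 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 3389
access-group outside_access_in in interface outside
"""

def audit(config):
    """Return (proto, port, finding) for permits bound to outside that cannot work."""
    lines = [l.strip() for l in config.splitlines()]
    names = {m[2]: m[1] for m in map(NAME.match, lines) if m}   # zeus -> 10.10.0.50
    pats = {(m[1], m[2]) for m in map(PAT.match, lines) if m}   # published (proto, port)
    bound = {m[1] for m in map(GROUP.match, lines) if m}        # ACLs applied to outside
    findings = []
    for m in filter(None, map(ACE.match, lines)):
        acl, proto, dst, port = m.groups()
        if acl not in bound:
            continue
        if dst.startswith("host "):
            addr = names.get(dst[5:], dst[5:])
            try:
                inside = ipaddress.ip_address(addr).is_private
            except ValueError:          # unresolved name: cannot judge
                inside = False
            if inside:                  # rule names the inside address, checked before NAT
                findings.append((proto, port, "dst-is-inside-address"))
        if (proto, port) not in pats:   # port tokens compared literally (www != 80)
            findings.append((proto, port, "no-static-pat"))
    return findings
```

Run against the question's excerpt, it reports the RDP rule twice (inside destination, no translation) and the `www` rule once; the excerpt with the accepted answer's RDP lines produces no findings.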
