NAT not working

Asked by lkingpinl
1,063 Views
Last Modified: 2012-05-08
I have an Openfire Chat server that I am trying to make available to the outside. No clue why it is not working. I have a PIX 515E firewall and have port 5222 NATed to the Chat Server box, but when I try to access it from outside, I see this in the logs:

4 Feb 08 1993 11:07:26 106023 71.238.30.35 192.168.10.37 Deny tcp src outside:71.238.30.35/4570 dst inside:192.168.10.37/5222 by access-group "outside_access_in" [0x0, 0x0]

Result of the command: "show run"
 
: Saved
:
PIX Version 7.2(1) 
!
hostname troy-inet-fw
domain-name hbpogoup.com
enable password pL2TsYYLLL46JSOL encrypted
names
name 10.52.8.6 ushbpots01 description Terminal Server
name 10.52.8.5 usshbpoprxy01 description HBPO Troy ISA Server
name 10.52.8.10 usshbpoftp01 description HBPO Troy FTP Server
name 10.52.11.26 hbpous0009 description Dave's Laptop Wired
name 10.52.10.81 hbpous0009-W description Dave's Laptop Wireless
name 10.52.11.39 hbpous0023 description Matt/Mike's PC
name 10.52.8.120 hbpousvista01 description Dave's Vista Machine
name 10.52.11.4 hbt4 description NetApp Filer
name 10.52.11.8 s72m01 description Lotus Notes Server
name 136.2.8.172 wcd011.ford.com description Ford Covisint
name 129.9.153.70 tn3270.us3.lb.dcx.com
name 205.231.92.114 WorksightedRemote description Worksigted Terminal Server
name 64.86.101.183 AdobeUpdate1
name 64.86.101.168 AdobeUpdate2
name 10.52.8.13 wapplcaccess
name 10.52.10.86 ws-hlt-16 description Matt's Laptop - Wired
name 10.52.8.51 ws-hlt-03 description Joann Vitale
name 10.52.8.52 ws-hlt-03-w
name 10.52.8.15 Solarwinds
name 10.52.8.16 Solarwinds-DRAC
name 192.168.77.0 TAP_PIX_Inside description 255.255.255.0
name 10.53.200.0 TAP_LAN description 255.255.248.0
name 10.52.8.11 usshbposp01 description Sharepoint site
name 10.52.145.134 wapcmm description QIR Database
name 129.9.102.24 tn3270.extra.daimlerchrysler.com
name 129.9.70.24 web3270.extra.daimlerchrysler.com description Daimler Chrysler 3270 Client
!
interface Ethernet0
 description Public Interface
 nameif outside
 security-level 0
 ip address dhcp setroute 
 ospf cost 10
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.52.8.2 255.255.248.0 
 ospf cost 10
!
interface Ethernet2
 nameif DMZ
 security-level 5
 ip address 192.168.78.1 255.255.255.0 
 ospf cost 10
!
passwd pL2TsYYLLL46JSOL encrypted
banner motd Why hello....
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name hbpogoup.com
object-group network ITMachines
 network-object host hbpous0009-W
 network-object host hbpous0009
 network-object host 10.52.8.20
 network-object host 10.52.10.85
 network-object host hbpousvista01
 network-object host 10.52.8.21
 network-object host ws-hlt-16
 network-object host ws-hlt-03
 network-object host 10.52.8.50
 network-object host ws-hlt-03-w
 network-object host hbpous0023
object-group network TroyServers
 network-object host 10.52.11.2
 network-object host hbt4
 network-object host 10.52.11.5
 network-object host s72m01
 network-object host usshbpoftp01
 network-object host usshbpoprxy01
 network-object host ushbpots01
 network-object host Solarwinds
 network-object host Solarwinds-DRAC
 network-object 10.52.9.0 255.255.255.0
object-group network Internet_Access
 description Hosts that are permited external access
 group-object ITMachines
 group-object TroyServers
 network-object host wapplcaccess
 network-object host 10.52.8.100
 network-object host 10.52.8.101
 network-object host 10.52.8.1
 network-object host 10.52.8.103
 network-object host usshbpoftp01
 network-object host usshbposp01
 network-object host 10.52.10.136
 network-object host 10.52.11.64
 network-object host 10.52.11.62
 network-object host 10.52.11.63
 network-object host 10.52.10.105
 network-object host 10.52.11.58
 network-object host ushbpots01
 network-object host 10.52.10.144
 network-object host 10.52.15.200
 network-object host 10.52.8.9
 network-object host 10.52.8.49
 network-object host 10.52.10.122
object-group service PassiveFTP tcp
 description Passive FTP Ports
 port-object range 15000 15025
 port-object eq ftp-data
 port-object eq ftp
object-group network TroyDC-DNS
 description Troy DC/DNS Servers
 network-object host 10.52.11.2
 network-object host 10.52.11.5
object-group network InternetHosts
 description Allowed Internet Hosts
 network-object host wcd011.ford.com
 network-object host 129.9.44.132
 network-object host tn3270.us3.lb.dcx.com
 network-object host 129.9.155.70
 network-object host WorksightedRemote
 network-object host 204.101.14.2
 network-object host AdobeUpdate2
 network-object host AdobeUpdate1
 network-object host 193.29.151.59
object-group network ExtMonitoring
 network-object 10.52.8.0 255.255.248.0
object-group network TAP_Network
 description All TAP Subnets
 network-object TAP_PIX_Inside 255.255.255.0
object-group network Toluca_Subnets
 network-object 10.53.0.0 255.255.0.0
 network-object TAP_PIX_Inside 255.255.255.0
object-group service Spark tcp
 port-object eq 5222
access-list outside_access_in remark Don't allow people to ping our outside IPs
access-list outside_access_in extended deny icmp any any echo 
access-list outside_access_in remark Let me ping stuff...
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in remark Forward RDP to Termserv
access-list outside_access_in extended permit tcp any interface outside eq 3389 inactive 
access-list outside_access_in remark Allow traffic inbound to ftp box.
access-list outside_access_in extended permit tcp any interface outside object-group PassiveFTP 
access-list outside_access_in remark Allow access to Chat Server
access-list outside_access_in extended permit tcp any object-group Spark interface outside object-group Spark 
access-list outside_access_in remark Allow RDP from Worksighted Terminal Server
access-list outside_access_in extended permit tcp host WorksightedRemote host 216.234.116.124 eq 3389 inactive 
access-list outside_access_in remark Allow access to Sharepoint site
access-list outside_access_in extended permit tcp any host 216.234.116.125 eq www inactive 
access-list inside_nat0_outbound extended permit ip any 192.168.42.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.52.8.0 255.255.248.0 host 10.5.5.10 
access-list inside_nat0_outbound extended permit ip object-group ExtMonitoring host 10.5.5.10 
access-list inside_nat0_outbound extended permit ip 10.52.8.0 255.255.248.0 object-group Toluca_Subnets 
access-list outside_cryptomap extended permit ip any 192.168.42.0 255.255.255.0 
access-list HBPO standard permit host ushbpots01 
access-list HBPO standard permit host 10.52.8.8 
access-list HBPO standard permit host wapplcaccess 
access-list HBPO remark Solarwinds
access-list HBPO standard permit host Solarwinds 
access-list HBPO standard permit host 10.52.11.1 
access-list HBPO remark Exchange
access-list HBPO standard permit host 10.230.104.11 
access-list HBPO standard permit host 10.52.9.15 
access-list HBPO remark Chat Server
access-list HBPO standard permit host 10.52.8.9 
access-list inside_access_in extended permit ip object-group Internet_Access any 
access-list inside_access_in extended permit ip any object-group Toluca_Subnets 
access-list inside_access_in extended permit tcp any object-group PassiveFTP any object-group PassiveFTP 
access-list inside_access_in extended permit ip any object-group InternetHosts 
access-list inside_access_in extended permit tcp any any eq https 
access-list outside_20_cryptomap extended permit ip 10.52.8.0 255.255.248.0 host 10.1.1.10 
access-list outside_20_cryptomap_1 extended permit ip object-group ExtMonitoring host 10.5.5.10 
access-list outside_cryptomap_31 extended permit ip 10.52.8.0 255.255.248.0 host 10.5.5.10 
access-list outside_50_cryptomap extended permit ip 10.52.8.0 255.255.248.0 object-group Toluca_Subnets 
access-list inside_access_out extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool TroyVPNPool 192.168.42.100-192.168.42.199
icmp deny any outside
icmp permit any inside
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 ushbpots01 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 5222 10.52.8.9 5222 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp usshbpoftp01 ftp netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
route inside 10.0.0.0 255.0.0.0 10.52.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TroyDC protocol radius
aaa-server TroyDC host 10.52.11.5
 key test
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
group-policy TroyVPN internal
group-policy TroyVPN attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HBPO
 default-domain value hbpogroup.com
 address-pools value TroyVPNPool
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
snmp-server host outside 10.5.5.10 community HBPO~mon
snmp-server host inside Solarwinds community HBPO~mon
snmp-server location Troy
snmp-server contact "Dave Williams"
snmp-server community HBPO~mon
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 30 match address outside_cryptomap_31
crypto map outside_map 30 set peer 204.177.185.82 
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer 200.76.29.154 
crypto map outside_map 50 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TroyVPN type ipsec-ra
tunnel-group TroyVPN general-attributes
 address-pool TroyVPNPool
 authentication-server-group TroyDC
 default-group-policy TroyVPN
 authorization-required
tunnel-group TroyVPN ipsec-attributes
 pre-shared-key *
tunnel-group TroyVPN ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 204.177.185.82 type ipsec-l2l
tunnel-group 204.177.185.82 ipsec-attributes
 pre-shared-key *
tunnel-group 200.76.29.154 type ipsec-l2l
tunnel-group 200.76.29.154 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group krishna type ipsec-ra
tunnel-group krishna general-attributes
 address-pool TroyVPNPool
 authentication-server-group TroyDC
 default-group-policy TroyVPN
tunnel-group krishna ipsec-attributes
 pre-shared-key *
tunnel-group krishna ppp-attributes
 authentication pap
 authentication ms-chap-v2
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.78.100-192.168.78.149 DMZ
dhcpd dns 204.177.184.10 204.177.184.15 interface DMZ
dhcpd enable DMZ
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:74335b9b429040e7d0596110997487bd
: end


Author

Commented:
FYI,
For clarification the openfire server is 10.52.8.9 in the run result above.
**static (inside,outside) tcp interface 5222 10.52.8.9 5222 netmask 255.255.255.255 **
Senior Network Manager
CERTIFIED EXPERT
Commented:

Author

Commented:
But it is there....
 
access-list outside_access_in extended permit tcp any object-group Spark interface outside object-group Spark
Spark is defined as TCP port 5222
Robert Sutton Jr, Senior Network Manager
CERTIFIED EXPERT

Commented:
FWIW, if you review your statement config, outbound is allowed, not inbound.

Author

Commented:
see attached.....where is it wrong?
help.JPG

Author

Commented:
Found the issue....
Robert Sutton Jr, Senior Network Manager
CERTIFIED EXPERT

Commented:
When I enlarge the photo I cannot read the words or even see anything clear. Otherwise I would review it.
Robert Sutton Jr, Senior Network Manager
CERTIFIED EXPERT

Commented:
Is it resolved?

Author

Commented:
Yeah it's resolved.  
Changed:
access-list outside_access_in extended permit tcp any object-group Spark interface outside object-group Spark
to:
access-list outside_access_in extended permit tcp any interface outside object-group Spark
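Added example (not from the thread and not Cisco code): a small Python model of how a PIX/ASA extended ACE is matched against a TCP flow, to show why the original Spark ACE never matched. In the grammar `permit tcp <src> [src-port] <dst> [dst-port]`, the `object-group Spark` placed directly after `any` is a source-port constraint, so the ACE only matched clients whose ephemeral source port happened to be 5222; the client in the syslog line used 4570 and fell through to the implicit deny. The outside-interface address (203.0.113.10) and the flow built from the syslog line are constructed for the example, since the PIX in the thread takes its outside address from DHCP; the parser understands only the subset of ACE syntax the posted config uses.

```python
"""Model of PIX/ASA extended-ACE matching (added example, not Cisco code).

    access-list NAME extended ACTION PROTO SRC [SRC-PORT] DST [DST-PORT] [inactive]

A port spec placed directly after SRC constrains the client's SOURCE port,
which for a TCP client is an ephemeral port, not the service port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set

# Service object-groups as defined in the posted config.
SERVICE_GROUPS = {
    "Spark": {5222},
    "PassiveFTP": set(range(15000, 15026)) | {20, 21},
}
# Constructed TEST-NET placeholder for the DHCP-assigned outside address.
INTERFACE_IPS = {"outside": "203.0.113.10"}
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "www": 80, "https": 443}

AddrMatch = Callable[[str], bool]


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str
    src: AddrMatch
    sport: Optional[Set[int]]   # None means any source port
    dst: AddrMatch
    dport: Optional[Set[int]]   # None means any destination port
    inactive: bool = False
    text: str = ""


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _parse_addr(toks: List[str]):
    """Consume an address spec: any | host A | interface NAME | A MASK."""
    if toks[0] == "any":
        return (lambda ip: True), toks[1:]
    if toks[0] == "host":
        target = toks[1]
        return (lambda ip: ip == target), toks[2:]
    if toks[0] == "interface":
        target = INTERFACE_IPS[toks[1]]
        return (lambda ip: ip == target), toks[2:]
    net = ip_network(f"{toks[0]}/{toks[1]}", strict=False)
    return (lambda ip: ip_address(ip) in net), toks[2:]


def _parse_port(toks: List[str]):
    """Consume an optional port spec: eq P | range A B | object-group SVC."""
    if toks and toks[0] == "eq":
        return {_port(toks[1])}, toks[2:]
    if toks and toks[0] == "range":
        return set(range(_port(toks[1]), _port(toks[2]) + 1)), toks[3:]
    if toks and toks[0] == "object-group" and toks[1] in SERVICE_GROUPS:
        return set(SERVICE_GROUPS[toks[1]]), toks[2:]
    return None, toks           # no port spec here; next token is an address


def parse_ace(line: str) -> Ace:
    toks = line.split()
    if toks[0] != "access-list" or toks[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto, rest = toks[3], toks[4], toks[5:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)     # a port spec here binds to the SOURCE port
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    return Ace(action, proto, src, sport, dst, dport, rest[:1] == ["inactive"], line)


def ace_matches(ace: Ace, f: Flow) -> bool:
    if ace.inactive or ace.proto not in (f.proto, "ip"):
        return False
    if not (ace.src(f.src) and ace.dst(f.dst)):
        return False
    if ace.sport is not None and f.sport not in ace.sport:
        return False
    return ace.dport is None or f.dport in ace.dport


def evaluate(acl: List[str], f: Flow) -> str:
    """First matching ACE wins; an extended ACL ends in an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, f):
            return ace.action
    return "deny"


BROKEN_ACE = ("access-list outside_access_in extended permit tcp any "
              "object-group Spark interface outside object-group Spark")
FIXED_ACE = ("access-list outside_access_in extended permit tcp any "
             "interface outside object-group Spark")

# Flow constructed from the syslog line in the question: 71.238.30.35 on
# ephemeral port 4570 to the PIX outside address on 5222. Pre-8.3 PIX/ASA
# check the outside ACL against the mapped (pre-NAT) destination, which is
# why the ACE names "interface outside" rather than 10.52.8.9.
XMPP_LOGIN = Flow("tcp", "71.238.30.35", 4570, INTERFACE_IPS["outside"], 5222)


def verdict_before_fix() -> str:
    return evaluate([BROKEN_ACE], XMPP_LOGIN)   # "deny": source port 4570 is not 5222


def verdict_after_fix() -> str:
    return evaluate([FIXED_ACE], XMPP_LOGIN)    # "permit"


if __name__ == "__main__":
    print("before fix:", verdict_before_fix())
    print("after fix: ", verdict_after_fix())
```

The same model also shows the narrow case in which the original ACE would have worked: a client that happened to pick source port 5222 matches both port constraints and is permitted, which is why a rule like this can appear to work intermittently before the implicit deny shows up in the 106023 log line.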
Robert Sutton Jr, Senior Network Manager
CERTIFIED EXPERT

Commented:
I'm glad you got it working. Cheers!
