asked on
High range ports and ASA inspection ?
We have an ASA5505 with inside, dmz and outside interface. I cannot get outside connections to come in.
We normally allow outside traffic into the dmz like this: (ip addresses have been changed)
access-list outside-in extended permit tcp any host 77.1.1.80 eq 80
access-list outside-in extended permit tcp any host 77.1.1.80 range 60000 64999
static (dmz,outside) 77.1.1.80 10.10.10.12 netmask 255.255.255.255
All DMZ hosts have full access to anything (except internal network)
The issue we are having is, no traffic is hitting 10.10.10.12 from the outside. I even did a permit ip any host 77.1.1.80 and still nothing. If we access 77.1.1.80 from 77.1.1.50,(one of our own public IPs) it works. But no other outside users can access it
We normally allow outside traffic into the dmz like this: (ip addresses have been changed)
access-list outside-in extended permit tcp any host 77.1.1.80 eq 80
access-list outside-in extended permit tcp any host 77.1.1.80 range 60000 64999
static (dmz,outside) 77.1.1.80 10.10.10.12 netmask 255.255.255.255
All DMZ hosts have full access to anything (except internal network)
The issue we are having is, no traffic is hitting 10.10.10.12 from the outside. I even did a permit ip any host 77.1.1.80 and still nothing. If we access 77.1.1.80 from 77.1.1.50,(one of our own public IPs) it works. But no other outside users can access it
CiscoRoutersHardware Firewalls
Last Comment
orus
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Yes
ASKER
I have several other dmz boxes that are accessed no problem
Try putting a capture on the outside and DMZ interfaces then try to send traffic - you may be getting data on the wrong ports. Have you checked the logs to see if anything is being denied?
ASKER
I did do a capture earlier. I can see the DMZ host sending traffic out
I see it translated to the public IP
I see TCP syns going out , but no other TCP traffic
On the ACLS:
I see no hits on the ACL , EXCEPT for when host 77.1.1.50 accessed it. Then it worked. But any host outside of our public IP block does NOT work. I thought it could be a routing issue with our Cable internet provider. (not sending traffic destined for 77.1.1.80 to our modem)?
I see it translated to the public IP
I see TCP syns going out , but no other TCP traffic
On the ACLS:
I see no hits on the ACL , EXCEPT for when host 77.1.1.50 accessed it. Then it worked. But any host outside of our public IP block does NOT work. I thought it could be a routing issue with our Cable internet provider. (not sending traffic destined for 77.1.1.80 to our modem)?
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Yea I tried that too. And just now, I tried allowing VNC in through to a dmz host. It worked like a charm. This Lifesize video conferencing device is the one with the issue. It doesn't like being behind Cisco firewalls I heard. oh well