sej69
Cisco PIX translation access issue
I'm trying to set up a new PIX using the outside interface and translating specific ports to a NAT host on the inside.
Everything looks ok, but I don't see the ACL rules being hit in the ASDM / access rules. I do get an error: "TCP access denied by ACL from (myexternal)/54936 to outside:corepix/23"
name WWW.XXX.YYY.ZZZ ME
name 10.10.10.1 InsideCorePix
name www.xxx.yyy.zzz corepix
name 10.10.10.2 APDDevice
access-list outside_access_in extended permit ip host ME host corepix log warnings
access-list outside_access_in extended permit tcp any any eq telnet
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip host APDDevice any
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (outside,inside) APDDevice noncorepix netmask 255.255.255.255
access-group outside_access_in in interface outside
Is there something special I need to do to allow the outside interface to forward a port to a host on the inside?
Is this the complete access-list? Are there any additional ACEs for 'outside_access_in'?
Also, you ask about forwarding a port inside. How many IPs do you have available from your ISP? If it is a block of IPs, then you need to make sure that you don't use the same IP on the outside interface that you are trying to use in that static NAT. Are there additional NAT statements that are not posted?
Also, listen to ernie about the format of that static as well.
ASKER CERTIFIED SOLUTION
ASKER: still working on this
ASKER: Thanks
to:
static (inside,outside) noncorepix APDDevice netmask 255.255.255.255
I assume noncorepix is an additional public IP address?
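Added example, not from any poster in this thread: the static written in the direction the comment above gives, with the outside ACL written against the translated (public) address, which is what PIX/ASA code before 8.3 expects for an ACL applied on the outside interface. It assumes noncorepix is a second public address from the ISP block (the point the comment above asks about) and uses the placeholder aaa.bbb.ccc.ddd for it; the interface-PAT form is shown as the alternative when only the outside interface address (corepix) is available. The wide-open `permit tcp any any eq telnet` from the original post is replaced with a rule limited to host ME, since telnet is cleartext and the ACE would otherwise expose port 23 to the whole internet.

```cisco
! Names as posted (public addresses redacted in the original); noncorepix is an assumed second public IP
name WWW.XXX.YYY.ZZZ ME
name www.xxx.yyy.zzz corepix
name 10.10.10.2 APDDevice
name aaa.bbb.ccc.ddd noncorepix
!
! As posted (reversed): the interface pair is (real_ifc,mapped_ifc) and the
! addresses follow as mapped_ip real_ip, so the inside host cannot be the
! first interface and the private address cannot be the mapped one.
!   static (outside,inside) APDDevice noncorepix netmask 255.255.255.255
!
! Option A: one-to-one static using the spare public address
static (inside,outside) noncorepix APDDevice netmask 255.255.255.255
!
! Option B (use instead of A if no spare public IP): forward only tcp/23 on
! the outside interface address to the inside host
! static (inside,outside) tcp interface 23 APDDevice 23 netmask 255.255.255.255
!
! Outside ACL matches the translated address. With option A that is
! noncorepix; with option B it would be corepix (the interface address).
! Restricted to host ME rather than "any any"; logs each match.
access-list outside_access_in extended permit tcp host ME host noncorepix eq telnet log warnings
access-group outside_access_in in interface outside
!
! Checks after applying:
!   show access-list outside_access_in   -> hitcnt should increment on a connect from ME
!   show xlate                           -> shows the APDDevice <-> noncorepix translation
```

With nat-control enabled, the existing `nat (inside) 101 0.0.0.0 0.0.0.0` / `global (outside) 101 interface` pair still covers outbound traffic from the rest of 10.10.10.0/24; the static only adds the inbound mapping for APDDevice. If the device supports it, publishing SSH (tcp/22) instead of telnet avoids sending credentials in cleartext across the internet.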