Cisco PIX translation access issue

Posted on 2011-04-19
Last Modified: 2012-05-11
I'm trying to set up a new pix using the outside interface and translating specific ports to a NAT host on the inside.

Everything looks ok, but I don't see the ACL rules being hit in the ASDM / access rules. I do get an error: "TCP access denied by AC from (myexternal)/54936 to outside:corepix/23"

name InsideCorePix
name www.xxx.yyy.zzz corepix
name APDDevice

access-list outside_access_in extended permit ip host ME host corepix log warnings
access-list outside_access_in extended permit tcp any any eq telnet
access-list DefaultRAGroup_splitTunnelAcl standard permit
access-list inside_access_in extended permit ip any log warnings
access-list inside_access_in extended permit ip host APDDevice any

global (outside) 101 interface
nat (inside) 101
static (outside,inside) APDDevice noncorepix netmask
access-group outside_access_in in interface outside

Is there something special I need to do to allow the outside interface to forward a port to a host on the inside?
Question by:sej69

Expert Comment

by:Ernie Beek
ID: 35432813
First change: static (outside,inside) APDDevice noncorepix netmask
static (inside,outside) noncorepix APDDevice netmask

I assume noncorepix is an additional public ip address?

Expert Comment

ID: 35433107
Is this the complete Access-list? Are there any additional ACEs for 'outside_access_in'?

Also, you ask about forwarding a port inside. How many IPs do you have available from your ISP? If it is a block of IPs, then you need to make sure that you don't use the same IP on the outside interface that you are trying to use in that static NAT. Are there additional NAT statements that are not posted?

Also, listen to ernie about the format of that static as well.


Accepted Solution

Fidelius earned 2000 total points
ID: 35498549

By the error you are getting, you are using the same public IP for the outside interface and the static NAT. If you have only one public IP you will need to do port forwarding like this:
static (inside,outside) tcp interface telnet APDDevice telnet netmask 0 0

(More info here http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml#t11)

In this scenario, you will be unable to telnet to corepix from outside. To avoid this problem, do the following:
static (inside,outside) tcp interface 2023 APDDevice telnet netmask 0 0

In this case you will need to use telnet to port 2023 to reach APDDevice's port 23. Also you will need to adjust outside ACL:
access-list outside_access_in extended permit tcp any host corepix eq 2023
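An added audit script, not from this thread or from Cisco, that parses a constructed PIX-style fragment and flags the three problems the thread works through: a static with its real and mapped sides swapped, a one-to-one static that claims the outside interface's own address, and an inbound ACL with no ACE matching the translation. The addresses, the PORTS table and the audit_forward/_addr helpers are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
# Constructed PIX-style fragment modelled on the thread (placeholder addresses): the asker's
# swapped static, the same static reoriented but mapped to the outside interface's own address
# (the collision the accepted answer diagnosed), and the port-forward static plus ACE it proposes.
SAMPLE_CONFIG = """
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
name 203.0.113.10 corepix
name 203.0.113.10 noncorepix
name 192.168.1.50 APDDevice
static (outside,inside) APDDevice noncorepix netmask 255.255.255.255
static (inside,outside) noncorepix APDDevice netmask 255.255.255.255
static (inside,outside) tcp interface 2023 APDDevice telnet netmask 255.255.255.255 0 0
access-list outside_access_in extended permit tcp any host corepix eq 2023
access-group outside_access_in in interface outside
"""
PORTS = {"telnet": "23", "ssh": "22", "www": "80", "https": "443"}  # names PIX accepts for port numbers
def _addr(t, i):  # one ACE address: 'any' | 'host X' | 'NET MASK' -> (address, next index)
    return ("any", i + 1) if t[i] == "any" else (t[i + 1], i + 2) if t[i] == "host" else (t[i], i + 2)

def audit_forward(config, host, via_if):  # (static line, finding) pairs for exposing host on via_if
    names, ifaces, statics, aces, bound = {}, {}, [], defaultdict(list), {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "name": names[t[2]] = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "static":  # static (real_if,mapped_if) [proto] mapped [port] real [port] netmask ...
            body = (t[2], t[3], PORTS.get(t[4], t[4]), t[5]) if t[2] in ("tcp", "udp") else ("ip", t[2], None, t[3])
            statics.append((line, *t[1].strip("()").split(","), *body))
        elif t[0] == "access-list" and t[2] == "extended":
            dst, i = _addr(t, _addr(t, 5)[1])  # skip the source, keep the destination
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            aces[t[1]].append((t[3], t[4], names.get(dst, dst), PORTS.get(port, port)))
        elif t[0] == "access-group": bound[t[4]] = t[1]
    host_ip, findings = names.get(host, host), []
    for line, real_if, mapped_if, proto, mapped, mport, real in statics:
        mapped_ip = str(ifaces[mapped_if].ip) if mapped == "interface" else names.get(mapped, mapped)
        if names.get(real, real) != host_ip or mapped_if != via_if:
            if mapped_ip == host_ip:  # host sits in the mapped slot: real and mapped sides are swapped
                findings.append((line, "reversed-interfaces"))
            continue
        if proto == "ip" and mapped_ip == str(ifaces[via_if].ip):
            findings.append((line, "mapped-ip-is-interface-ip"))  # one-to-one static claims the interface address
        if via_if in bound and not any(a == "permit" and p in ("ip", proto) and d in ("any", mapped_ip)
                                       and pt in (None, mport) for a, p, d, pt in aces[bound[via_if]]):
            findings.append((line, "no-acl-permit"))  # inbound ACL on via_if has no ACE covering this translation
    return findings
```

Running audit_forward(SAMPLE_CONFIG, "APDDevice", "outside") flags the first two statics and leaves the port-forward static clean; changing the ACE to "eq telnet" makes the port-forward static fail the ACL check as well.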


Author Comment

ID: 35824264
still working on this

Author Closing Comment

ID: 35971036
