cymrich asked:

cisco asa 5505 port forwarding help

I have servers hosted at a colo and I am trying to allow printing from the app on the servers to the office.  I am having trouble figuring out how exactly to do this.

So basically... the outside IP of the office router is 172.31.1.1 and I need anything sent to port 9100 to be forwarded to 192.168.1.30.

172.31.1.1 is attached to interface vlan2... when I try to add a static map it won't allow me to specify that IP address and gives some error about using PAT and having to use interface instead of the IP. So it ends up being something like:

static (inside,outside) tcp interface 9100 192.168.1.30 9100 netmask 255.255.255.255

Where it says interface it won't allow me to use the IP or vlan2 or even outside... anything besides interface gives me an error. I added a line to the access list to allow port 9100 also (and also cleared the translation tables) and it doesn't work. Any idea what I'm doing wrong here?
Ernie Beek

Well, I would like to have a closer look at your configuration and the errors you get.
So could you post a sanitized configuration over here, along with the errors you get?
cymrich (ASKER)

I've removed the crypto stuff and a few other things to make it shorter as I don't think they are related to this... and I spaced out the access list to make it easier to see the related line, and added both the different access lines I tried (not at the same time).


ASA Version 8.0(4)
!
hostname XXXXX
domain-name XXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXX encrypted
no names
name XX.XXX.XXX.XXX XXXXXXXXXX
name XX.XXX.XXX.XXX XXXXXXXXXX
name XX.XXX.XXX.XXX XXXXXXXXXX
name XXX.XXX.XXX.XXX XXXXXXXXXX
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.31.1.1 255.255.255.0
!
interface Vlan5
 nameif XXXXX
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan15
 nameif XXXXXXXXX
 security-level 50
 ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 15
 speed 100
 duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns server-group DefaultDNS
 domain-name XXXXXXXXXXXXX
object-group service XXXXXXXXXXXXXXX tcp
 port-object eq www
object-group service XXXXXXXXXXXXXXX tcp
 port-object eq 3389
 port-object eq https
object-group service XXXXXXXXXXXXXXX tcp
 port-object eq 993
 port-object eq https
 port-object eq smtp
object-group service XXXXXXXXXXXXXXX tcp-udp
 port-object eq 9100
 port-object eq www
access-list outside_access_in extended permit ip any XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
access-list outside_access_in extended permit icmp 172.31.XXX.XXX 255.255.252.0 any echo-reply
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group XXXXXXXXXXXXXXX
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group XXXXXXXXXXXXXXX
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX object-group XXXXXXXXXXXXXXX
access-list outside_access_in extended permit ip host XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX 255.255.255.252



access-list outside_access_in extended permit tcp any eq 9100 host 172.31.1.1 eq 9100


access-list outside_access_in extended permit tcp host 172.31.1.1 eq 9100 host 192.168.1.30 eq 9100



access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.128
access-list VTC-DMZ_nat0_outbound remark VTC
access-list VTC-DMZ_nat0_outbound extended permit ip XXX.XXX.XXX.XXX 255.255.255.252 any
access-list VTC-DMZ_access_in extended permit ip any any
no pager
logging enable
logging monitor debugging
logging buffered emergencies
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu VTC-DMZ 1500
ip local pool VPN-Pool 192.168.2.10-192.168.2.100 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (VTC-DMZ) 0 access-list VTC-DMZ_nat0_outbound
static (inside,outside) XXX.XXX.XXX.XXX 192.168.1.3 netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.XXX 192.168.1.2 netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.XXX 192.168.1.102 netmask 255.255.255.255
static (inside,outside) tcp interface 9100 192.168.1.30 9100 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group VTC-DMZ_access_in in interface VTC-DMZ
route outside 0.0.0.0 0.0.0.0 172.31.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy XXXXXXXXXXXXXXXX internal
group-policy XXXXXXXXXXXXXXXX attributes
 dns-server value 192.168.1.1
 vpn-tunnel-protocol IPSec
 default-domain value XXXXXXXXXXXXXXX
username XXXXXXXXX password XXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXXXX password XXXXXXXXXXXX encrypted
tunnel-group XXXXXXXXXXXXXXX type remote-access
tunnel-group XXXXXXXXXXXXXXX general-attributes
 address-pool VPN-Pool
 default-group-policy XXXXXXXXXXXXXXXXXX
tunnel-group XXXXXXXXXXXXXXXXX ipsec-attributes
 pre-shared-key *
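Added example, not from the thread or from Cisco: a small Python lint for the pre-8.3 static PAT pattern from the question and the two access-list variants in the posted config. It takes the thread's values (outside 172.31.1.1, inside 192.168.1.30, tcp/9100) as constructed sample input and applies two rules that hold on ASA 8.0(4): the inbound ACL on the outside interface must match the mapped (outside) address rather than the real inside address, and it must not pin the client's source port.

```python
import re

# Constructed sample input (values from the thread): the static PAT line plus the
# two access-list variants the asker tried, in pre-8.3 ASA syntax.
OUTSIDE_IP = "172.31.1.1"
SAMPLE_CONFIG = [
    "static (inside,outside) tcp interface 9100 192.168.1.30 9100 netmask 255.255.255.255",
    "access-list outside_access_in extended permit tcp any eq 9100 host 172.31.1.1 eq 9100",
    "access-list outside_access_in extended permit tcp host 172.31.1.1 eq 9100 host 192.168.1.30 eq 9100",
]

STATIC_RE = re.compile(
    r"^static \(\w+,\w+\) tcp interface (?P<mport>\d+) (?P<rip>[\d.]+) (?P<rport>\d+) netmask")
ACL_RE = re.compile(
    r"^access-list \S+ extended permit tcp (?P<src>any|host [\d.]+)(?: eq (?P<sport>\d+))? "
    r"(?P<dst>host [\d.]+|interface \w+)(?: eq (?P<dport>\d+))?$")


def lint_static_pat(lines, outside_ip):
    """Return (findings, opened_ports) for pre-8.3 static PAT versus its outside ACL."""
    statics = {}  # mapped port -> real (inside) address
    for line in lines:
        m = STATIC_RE.match(line)
        if m:
            statics[m["mport"]] = m["rip"]
    findings, opened = [], set()
    for line in lines:
        m = ACL_RE.match(line)
        if not m:
            continue
        if m["sport"]:
            findings.append(f"source port pinned to {m['sport']}: clients connect from ephemeral ports, drop the 'eq' after the source")
        dst = m["dst"]
        if dst.startswith("host ") and dst[5:] in statics.values():
            findings.append(f"destination {dst[5:]} is the real inside address: pre-8.3 ACLs on the outside interface must match the mapped address {outside_ip}")
            continue
        # A usable rule names the mapped address (or the outside interface) and a mapped port.
        if dst in (f"host {outside_ip}", "interface outside") and m["dport"] in statics and not m["sport"]:
            opened.add(m["dport"])
    for port in sorted(set(statics) - opened):
        findings.append(f"no usable inbound ACL for mapped port {port}; expected: access-list outside_access_in extended permit tcp any host {outside_ip} eq {port}")
    return findings, opened


if __name__ == "__main__":
    for finding in lint_static_pat(SAMPLE_CONFIG, OUTSIDE_IP)[0]:
        print(finding)
```

Run against the sample it reports both ACL variants as unusable and prints the single rule that would open tcp/9100; remember that on 8.0 a changed static still needs `clear xlate` before it takes effect for existing translations.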
ASKER CERTIFIED SOLUTION
Les Moore

cymrich (ASKER)

Irmoore, those lines didn't do it... I made sure to clear xlate after adding them but it seems to have had no effect.
You said "I removed the crypto stuff".

So there are VPNs? And is the colo perhaps connected through a VPN?
cymrich (ASKER)

There is a VPN set up; however, nobody is using it... it predates me. I think it may have been used before a dedicated circuit was added connecting the office and colo.
Ok, a dedicated circuit...

I feel a need to try and visualize this: where does this link fit into the picture?
cymrich (ASKER)

While on the phone with my ISP I described this issue, hoping to find out if there was anything on their end that was somehow interfering... as we started looking into it I happened to check the port settings... it turns out I typo'd the IP address in the printer settings on the server I was trying to print from, and it was actually working the entire time.