Cisco ASA5500 unable to pass inbound TCP traffic...

I have an ASA5505 firewall, T1 in to a private IP network. Outbound traffic no problem, inbound TCP though not working. I have very little hair left after working for hours on what I'm guessing is a simple issue. Why can't I get TCP traffic into the hosts I've created ACLs & statics for? Any thoughts are appreciated, thanks.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.101 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XXX.180.138 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
passwd ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq www
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq pop3
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq 8383
access-list outside_access_in extended permit tcp any host 192.168.0.131 eq smtp
access-list outside_access_in extended permit tcp any host 192.168.0.131 eq ssh
access-list outside_access_in extended permit tcp any host 192.168.0.100 eq 10883
access-list outside_access_in extended permit tcp any host 192.168.0.10 eq pptp
access-list outside_access_in extended permit tcp any host 192.168.0.109 eq telnet
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XXX.180.138 www 192.168.0.99 www netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 10883 192.168.0.100 10883 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 ssh 192.168.0.131 ssh netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 3389 192.168.0.10 3389 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 smtp 192.168.0.131 smtp netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 8383 192.168.0.99 8383 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 pop3 192.168.0.99 pop3 netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 ftp 192.168.0.99 ftp netmask 255.255.255.255
static (inside,outside) tcp XX.XXX.180.138 telnet 192.168.0.109 telnet netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 XX.XXX.180.137 255.255.255.248 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:

del

You have to use the *public* IP addresses in the access-list that you apply to the outside interface.

More generally, unless you have specifically configured otherwise, if you have any traffic that needs to initiate connections from a lower security interface to a higher security interface, then the ACL attached to the lower security interface needs to be written in terms of the IP address that the higher security interface NATs or statics to with respect to that lower security interface. (This isn't necessarily the same as the "public" IP, because you might (for whatever reason) choose to have your "inside" interface translate to some other address range for communications to a DMZ.)

Walter Roberson
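A small config check for the mistake the answer describes, added here as an example and not part of either post: it parses the pre-8.3 `static ... tcp` and `access-list ... host ... eq` lines, works out which interface each ACL is applied to, and flags entries that name a host which on that interface only exists as the real (untranslated) side of a static, suggesting the mapped address instead. The sample config and the address 203.0.113.138 (standing in for the masked public IP) are constructed; it only handles the single-port TCP static form shown in the question.

```python
import re

# Constructed sample in the pre-8.3 ASA syntax from the post (not the poster's
# actual config; 203.0.113.138 stands in for the masked public address).
SAMPLE_CONFIG = """
static (inside,outside) tcp 203.0.113.138 www 192.168.0.99 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.138 smtp 192.168.0.131 smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.138 eq smtp
access-group outside_access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp \S+ host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def check_inbound_acls(config: str) -> list[tuple[str, str]]:
    """Return (offending ACL line, corrected line) pairs for entries on an
    interface ACL that name the real (inside) host of a static instead of the
    mapped address seen on that interface. Such entries can never match."""
    statics, acls, groups = [], [], {}
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped_ip, mapped_port, real_ip, real_port = m.groups()
            statics.append((mapped_if, mapped_ip, mapped_port, real_ip, real_port))
        elif m := ACL_RE.match(line):
            acls.append((line, *m.groups()))      # (text, acl name, dst host, port)
        elif m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)       # acl name -> interface it is applied on

    findings = []
    for line, name, dst, port in acls:
        iface = groups.get(name)
        if iface is None:
            continue                              # ACL defined but not applied anywhere
        # On the interface a static maps *to*, only the mapped address is visible.
        for mapped_if, mapped_ip, mapped_port, real_ip, real_port in statics:
            if mapped_if == iface and (real_ip, real_port) == (dst, port):
                fixed = line.replace(f"host {dst} eq {port}", f"host {mapped_ip} eq {mapped_port}")
                findings.append((line, fixed))
                break
    return findings


if __name__ == "__main__":
    for bad, good in check_inbound_acls(SAMPLE_CONFIG):
        print(f"never matches: {bad}\n    should be: {good}")
```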

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.