NAT port forwarding allows only some IPs

Hi,

We configured a Cisco ASA 5505 with the following configuration. We forwarded port 8080 to my private IP (10.0.1.178) on the same LAN. However, the router allows connections from only some static public IPs and rejects most of them.

Can anyone figure out the problem? Thanks in advance!

ASA Version 7.2(2)
!
hostname hn
domain-name default.domain.invalid
enable password skdjfklke encrypted
names
!
interface Vlan1
 nameif inside
 security-level 75
 ip address 10.0.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ospf cost 10
!
interface Vlan13
 no forward interface Vlan2
 nameif lan2
 security-level 75
 ip address 10.0.3.1 255.255.255.0
 management-only
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd dsaasdYREI.2OPuU encrypted
banner motd hn...
banner motd Please dont change any configurations with out the permission of network admin..
banner motd Thank you..
no ftp mode passive
clock timezone IST 7 30
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service vnc tcp
 description vnc
 port-object range 5900 5905
object-group service pramana-ssh tcp
 port-object range 10022 10022
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx object-group vnc inactive
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq ssh inactive
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 8080
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 10022
access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 3830
access-list inside_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging standby
logging asdm informational
logging host inside 10.0.8.152
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu lan2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 10022 10.0.1.0 10022 netmask 255.255.255.255
static (inside,outside) tcp interface 3830 10.0.1.0 3830 netmask 255.255.255.255
static (inside,outside) tcp 0.0.0.0 8080 10.0.1.178 8080 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 64.22.240.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username admin password lpTWt99OGW0dN6ef encrypted privilege 15
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 72.55.173.2
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 15
ssh 10.0.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.1.100-10.0.1.227 inside
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd option 66 ip 10.0.12.10 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http http_map
 parameters
  protocol-violation action drop-connection
policy-map global_policy
 description pramana_ssh
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect http http_map
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:csdfkkkl117e96d
: end
hn#

rayuthar

static (inside,outside) tcp 0.0.0.0 8080 10.0.1.178 8080 netmask 255.255.255.

Is the above line correct in the config? Is 0.0.0.0 the public IP x.x.x.x?

If so, is it the same IP as the IP in the ACL below?

access-list 101 extended permit tcp any host xxx.xxx.xxx.xxx eq 8080

artie lange
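The reply above asks, by eye, whether the mapped address of the port-8080 `static` matches the host the outside ACL permits. The following Python script is an added example, not code from the thread, from the original poster, or from Cisco: it parses the ASA 7.x `static ... tcp` and `access-list ... permit tcp any host ... eq ...` lines of a running-config and reports every static whose mapped address/port has no active ACE permitting it, and every ACE whose destination has no static translating it. The config lines embedded below are constructed to mirror the thread's configuration; because the real outside address is masked as xxx.xxx.xxx.xxx in the post, the documentation address 198.51.100.10 stands in for it, and the `interface` keyword is resolved to that address.

```python
"""Cross-check ASA 7.x port-forward statics against the outside ACL (added example)."""
import re
from collections import namedtuple

# Constructed sample mirroring the thread's config; 198.51.100.10 stands in for
# the masked public address xxx.xxx.xxx.xxx (an assumption, not the real value).
OUTSIDE_IP = "198.51.100.10"
SAMPLE_CONFIG = """\
access-list 101 extended permit tcp any host 198.51.100.10 eq ssh inactive
access-list 101 extended permit tcp any host 198.51.100.10 eq 8080
access-list 101 extended permit tcp any host 198.51.100.10 eq 10022
access-list 101 extended permit tcp any host 198.51.100.10 eq 3830
static (inside,outside) tcp interface 10022 10.0.1.0 10022 netmask 255.255.255.255
static (inside,outside) tcp interface 3830 10.0.1.0 3830 netmask 255.255.255.255
static (inside,outside) tcp 0.0.0.0 8080 10.0.1.178 8080 netmask 255.255.255.255
"""

# ASA accepts a few service names in place of port numbers; only the common ones are listed.
PORT_NAMES = {"ssh": 22, "telnet": 23, "http": 80, "www": 80, "https": 443}

Static = namedtuple("Static", "mapped_ip mapped_port real_ip real_port")
Ace = namedtuple("Ace", "acl dst_ip dst_port")

# static (real_if,mapped_if) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port> ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?:tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)
# access-list <name> extended permit tcp any host <dst> eq <port> [inactive]
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit (?:tcp|udp) any host (?P<dst>\S+) "
    r"eq (?P<port>\S+)(?P<inactive> inactive)?$"
)


def port_number(token):
    """Turn an ASA port token (number or service keyword) into an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse(config, outside_ip):
    """Return ([Static], [Ace]) from the config text; inactive ACEs are dropped
    because they never match traffic, and 'interface' resolves to outside_ip."""
    statics, aces = [], []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mapped = outside_ip if m["mapped_ip"] == "interface" else m["mapped_ip"]
            statics.append(Static(mapped, port_number(m["mapped_port"]),
                                  m["real_ip"], port_number(m["real_port"])))
            continue
        m = ACE_RE.match(line.strip())
        if m and not m["inactive"]:
            aces.append(Ace(m["acl"], m["dst"], port_number(m["port"])))
    return statics, aces


def check(config, outside_ip):
    """Report statics with no permitting ACE and ACEs with no matching static."""
    statics, aces = parse(config, outside_ip)
    permitted = {(a.dst_ip, a.dst_port) for a in aces}
    translated = {(s.mapped_ip, s.mapped_port) for s in statics}
    findings = []
    for s in statics:
        if s.mapped_ip == "0.0.0.0":
            # 0.0.0.0 is not a routable destination, so no inbound connection to the
            # public address can ever hit this translation.
            findings.append(f"static for {s.real_ip}:{s.real_port} maps to 0.0.0.0:"
                            f"{s.mapped_port}, which inbound traffic can never be addressed to")
        elif (s.mapped_ip, s.mapped_port) not in permitted:
            findings.append(f"static {s.mapped_ip}:{s.mapped_port} -> {s.real_ip}:{s.real_port}"
                            " has no active ACE permitting it on the outside interface")
    for a in aces:
        if (a.dst_ip, a.dst_port) not in translated:
            findings.append(f"acl {a.acl} permits {a.dst_ip}:{a.dst_port}"
                            " but no static translates that address/port")
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_CONFIG, OUTSIDE_IP):
        print("FINDING:", f)
```

On the constructed sample the script reports two findings, both about port 8080: the static maps the inside host to 0.0.0.0, and the ACE that permits 8080 to the public address therefore has no translation behind it. The 10022 and 3830 pairs are consistent because their statics use `interface`, which resolves to the same address the ACL names. Re-running the check with the 8080 static changed to `tcp interface 8080` produces no findings, which is the shape of the consistency the reply is asking the poster to confirm.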

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.