Port forwarding problem with ASA 7.2

Hello there,

I ran into a funny issue with ASA. I'm trying to make port forwarding where my NAT inside global address is equal to the one of my outside interface. ASA simply rejects any connection attempts to hosts translated in such a way. There are no logs about denied connections (even with some debugging used), although I'm getting syslog records about Internet packets denied by ACL, but these packets aren't related to my static NAT problem. I checked this flow with ASDM Packet Tracer and got info that my connection is denied by the ACL implicit rule!? I double checked this ACL and it seems OK. If I switch this static onto an IP address (inside global) that I'm not using for anything other than this port forwarding, connections are allowed. The service policy implemented is the default one: "global_policy" with no changes from the default config.

Here is the part of my config:

! Address on which I can't connect is 100.100.50.98. I can't connect to any external TCP ports specified in these statics. Everything works OK when I configure my statics with, for example, 100.100.50.99 instead.
static (inside,outside) tcp 100.100.50.98 pcanywhere-data 192.168.117.56 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 5389 192.168.117.230 3389 netmask 255.255.255.255
static (inside,outside) udp 100.100.50.98 pcanywhere-status 192.168.117.56 pcanywhere-status netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 6389 192.168.117.62 3389 netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 59827 192.168.117.1 1433 netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 3389 192.168.117.1 3389 netmask 255.255.255.255
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.117.100 255.255.255.0
!
interface Vlan2
 description Internet
 nameif outside
 security-level 0
 ip address 100.100.50.98 255.255.255.248
!
access-group 111 in interface outside
!
! This ACL is only an example, so only port 3389 is permitted, but in my real ACL I permitted all ports used in the statics.
access-list 111 extended permit tcp any host 100.100.50.98 eq 3389
!
nat (inside) 1 192.168.117.0 255.255.255.0
global (outside) 1 interface

Best Regards, Igor
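Added example (editor's note, not code from the original poster): a small checker that reads the static, access-list, access-group and interface lines of a config fragment like the one posted above and, for every static PAT entry, reports (a) how the ACL bound to the mapped interface treats the mapped IP/port under first-match semantics, with no match meaning the implicit deny, and (b) whether the mapped address is the interface's own address, which is the situation the post describes (ASA 7.2's static syntax has the `interface` keyword for that case). CONFIG is the fragment quoted in the post; the port-name table is an assumption covering the names the post uses, with standard IANA numbers.

```python
"""Cross-check ASA 7.2 static PAT entries against the outside ACL and the
outside interface address.  Added example, not from the original post."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: ASA well-known port names used above (standard IANA numbers).
PORT_NAMES = {"pcanywhere-data": 5631, "pcanywhere-status": 5632,
              "www": 80, "https": 443, "ssh": 22, "smtp": 25}

# Configuration fragment copied from the post.
CONFIG = """
static (inside,outside) tcp 100.100.50.98 pcanywhere-data 192.168.117.56 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 5389 192.168.117.230 3389 netmask 255.255.255.255
static (inside,outside) udp 100.100.50.98 pcanywhere-status 192.168.117.56 pcanywhere-status netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 6389 192.168.117.62 3389 netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 59827 192.168.117.1 1433 netmask 255.255.255.255
static (inside,outside) tcp 100.100.50.98 3389 192.168.117.1 3389 netmask 255.255.255.255
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.117.100 255.255.255.0
!
interface Vlan2
 description Internet
 nameif outside
 security-level 0
 ip address 100.100.50.98 255.255.255.248
!
access-group 111 in interface outside
access-list 111 extended permit tcp any host 100.100.50.98 eq 3389
nat (inside) 1 192.168.117.0 255.255.255.0
global (outside) 1 interface
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (tcp|udp|ip) "
                    r"(any|host \S+) (any|host \S+)(?: eq (\S+))?")

@dataclass
class Static:
    mapped_ifc: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int

@dataclass
class Ace:
    action: str
    proto: str
    dst: str                 # "any" or a host address
    dst_port: Optional[int]  # None means any destination port

def port_num(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def host(tok: str) -> str:
    return "any" if tok == "any" else tok.split()[1]

def parse(config: str):
    """Return statics, ACLs by name, ACL bound per interface, interface IPs by nameif."""
    statics, acls, groups, iflist, cur = [], {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := STATIC_RE.match(line):
            _, mifc, proto, mip, mport, rip, rport = m.groups()
            statics.append(Static(mifc, proto, mip, port_num(mport), rip, port_num(rport)))
        elif m := ACE_RE.match(line):
            name, action, proto, _src, dst, port = m.groups()
            acls.setdefault(name, []).append(
                Ace(action, proto, host(dst), port_num(port) if port else None))
        elif m := re.match(r"^access-group (\S+) in interface (\S+)", line):
            groups[m.group(2)] = m.group(1)
        elif re.match(r"^interface \S+", line):
            cur = {}
            iflist.append(cur)
        elif cur is not None and (m := re.match(r"^nameif (\S+)", line)):
            cur["nameif"] = m.group(1)
        elif cur is not None and (m := re.match(r"^ip address (\S+)", line)):
            cur["ip"] = m.group(1)
    ifaces = {d["nameif"]: d.get("ip") for d in iflist if "nameif" in d}
    return statics, acls, groups, ifaces

def audit(config: str) -> list:
    statics, acls, groups, ifaces = parse(config)
    findings = []
    for s in statics:
        verdict = "implicit deny"  # ASA drops anything no ACE matches
        for ace in acls.get(groups.get(s.mapped_ifc, ""), []):
            if (ace.proto in (s.proto, "ip") and ace.dst in ("any", s.mapped_ip)
                    and ace.dst_port in (None, s.mapped_port)):
                verdict = ace.action  # first matching ACE decides
                break
        findings.append({
            "static": f"{s.proto} {s.mapped_ip}:{s.mapped_port} -> {s.real_ip}:{s.real_port}",
            "acl": verdict,
            # Mapped address equals the interface's own address (the post's case).
            "mapped_is_interface_ip": ifaces.get(s.mapped_ifc) == s.mapped_ip,
        })
    return findings

if __name__ == "__main__":
    for f in audit(CONFIG):
        print(f"{f['static']:<48} acl={f['acl']:<14} on-interface-ip={f['mapped_is_interface_ip']}")
```

Run against the posted fragment it shows only the tcp/3389 static permitted by ACL 111 (the other five hit the implicit deny, which matches the poster's note that the example ACL covers only that port) and flags all six as mapped to the outside interface address. The ACE matcher handles `any`/`host` sources and destinations and an optional `eq` port, which is enough for the lines above; network/mask operands and port ranges would need extending.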

