<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Hi, Sometimes I always forget in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-5505-access-statement/m-p/2580943#M197922</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sometimes I always forget the ACL portion in the older software. What I mean is that since you are using the actual interface IP address of &lt;STRONG&gt;"outside"&lt;/STRONG&gt; as your public IP address in the NAT configurations then you might need to change the &lt;STRONG&gt;"host x.x.x.x"&lt;/STRONG&gt; portion in the ACL &lt;STRONG&gt;"outside_access_in"&lt;/STRONG&gt; to &lt;STRONG&gt;"interface outside"&lt;/STRONG&gt;. And try the connections again.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just to be on the safe side you could also check that the ACL is actually attached to the interface &lt;STRONG&gt;"outside"&lt;/STRONG&gt; with this command&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;show run access-group&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You could also use the &lt;STRONG&gt;"packet-tracer"&lt;/STRONG&gt; command to test if all the configurations are correct on the ASA.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;packet-tracer input outside tcp 8.8.8.8 12345 &amp;lt;public ip&amp;gt; 10001&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And copy/paste the full output here. Remember to change the public IP address(es) before you post though.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope this helps &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;</description>
    <pubDate>Thu, 15 Jan 2015 08:06:12 GMT</pubDate>
    <dc:creator>Jouni Forss</dc:creator>
    <dc:date>2015-01-15T08:06:12Z</dc:date>
    <item>
      <title>ASA 5505 access statement</title>
      <link>https://community.cisco.com/t5/network-security/asa-5505-access-statement/m-p/2580942#M197921</link>
      <description>&lt;P&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;I am trying to allow outside access to a piece of equipment behind our ASA 5505. The equipment has an internal IP like 10.x.x.x. I have placed the following in the ASA but it does not appear to work correctly. I am checking by Telnet to the public IP and port number (10001).&amp;nbsp;&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;(x.x.x.x) is a static public address&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;name 10.0.x.x VEEDER&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;access-list outside_access_in extended permit tcp any host x.x.x.x eq www&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;access-list outside_access_in extended permit tcp any host x.x.x.x eq https&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;access-list outside_access_in extended permit tcp any host x.x.x.x eq 10001&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;access-list outside_access_in extended permit udp any host x.x.x.x eq 10001&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;access-list outside_cryptomap extended permit ip 10.x.x.x 255.255.255.0 192.168.1.0 255.255.255.0&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;static (inside,outside) tcp interface www VEEDER www netmask 255.255.255.255&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;static (inside,outside) tcp interface https VEEDER https netmask 255.255.255.255&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;static (inside,outside) tcp interface ssh VEEDER ssh netmask 255.255.255.255&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;static (inside,outside) udp interface 10001 VEEDER 10001 netmask 255.255.255.255&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;Thanks for any help and let me know if you need more info. I am somewhat good at inputting these statements just don't thoroughly understand what they mean.&lt;/SPAN&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;BR style="font-size: 14px; font-family: 'Open Sans', sans-serif; color: rgb(34, 34, 34); line-height: 22px;" /&gt;&lt;SPAN style="color: rgb(34, 34, 34); font-family: 'Open Sans', sans-serif; font-size: 14px; line-height: 22px;"&gt;Chris&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 05:20:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5505-access-statement/m-p/2580942#M197921</guid>
      <dc:creator>Chris Neal</dc:creator>
      <dc:date>2019-03-12T05:20:48Z</dc:date>
    </item>
    <item>
      <title>Hi, Sometimes I always forget</title>
      <link>https://community.cisco.com/t5/network-security/asa-5505-access-statement/m-p/2580943#M197922</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Sometimes I always forget the ACL portion in the older software. What I mean is that since you are using the actual interface IP address of &lt;STRONG&gt;"outside"&lt;/STRONG&gt; as your public IP address in the NAT configurations then you might need to change the &lt;STRONG&gt;"host x.x.x.x"&lt;/STRONG&gt; portion in the ACL &lt;STRONG&gt;"outside_access_in"&lt;/STRONG&gt; to &lt;STRONG&gt;"interface outside"&lt;/STRONG&gt;. And try the connections again.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just to be on the safe side you could also check that the ACL is actually attached to the interface &lt;STRONG&gt;"outside"&lt;/STRONG&gt; with this command&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;show run access-group&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You could also use the &lt;STRONG&gt;"packet-tracer"&lt;/STRONG&gt; command to test if all the configurations are correct on the ASA.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;packet-tracer input outside tcp 8.8.8.8 12345 &amp;lt;public ip&amp;gt; 10001&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;And copy/paste the full output here. Remember to change the public IP address(es) before you post though.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Hope this helps &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;</description>
      <pubDate>Thu, 15 Jan 2015 08:06:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5505-access-statement/m-p/2580943#M197922</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2015-01-15T08:06:12Z</dc:date>
    </item>
    <item>
      <title>Jouni, Thanks for responding.</title>
      <link>https://community.cisco.com/t5/network-security/asa-5505-access-statement/m-p/2580944#M197923</link>
      <description>&lt;P&gt;Jouni,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks for responding. I have tried changing the &lt;SPAN style="color: rgb(75, 75, 75); font-family: &amp;quot;Arial&amp;quot;,sans-serif; font-size: 11pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;"&gt;&lt;STRONG&gt;"host x.x.x.x"&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;SPAN style="color: rgb(75, 75, 75); font-family: &amp;quot;Arial&amp;quot;,sans-serif; font-size: 11pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;"&gt; portion in the ACL &lt;STRONG&gt;&lt;SPAN style="font-family: &amp;quot;Arial&amp;quot;,sans-serif;"&gt;"outside_access_in"&lt;/SPAN&gt;&lt;/STRONG&gt; to &lt;SPAN&gt;&lt;STRONG&gt;"interface outside" and it did not connect. It would say invalid marker.&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have posted the packet tester below based on my statements above in the ASA. Maybe you can see an issue.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Phase: 1&lt;BR /&gt;Type: FLOW-LOOKUP&lt;BR /&gt;Subtype:&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;BR /&gt;Found no matching flow, creating a new flow&lt;/P&gt;&lt;P&gt;Phase: 2&lt;BR /&gt;Type: UN-NAT&lt;BR /&gt;Subtype: static&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255&lt;/P&gt;&lt;P&gt;&amp;nbsp; match tcp inside host VEEDER eq 10001 outside any&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; static translation to X.X.X.X/10001&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; translate_hits = 0, untranslate_hits = 4&lt;BR /&gt;Additional Information:&lt;BR /&gt;NAT divert to egress interface inside&lt;BR /&gt;Untranslate X.X.X.X/10001 to VEEDER/10001 using netmask 255.255.255.255&lt;/P&gt;&lt;P&gt;Phase: 3&lt;BR /&gt;Type: ACCESS-LIST&lt;BR /&gt;Subtype: log&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;access-group outside_access_in in interface outside&lt;BR /&gt;access-list outside_access_in extended permit tcp any host&amp;nbsp;X.X.X.X eq 10001&lt;/P&gt;&lt;P&gt;Additional Information:&lt;/P&gt;&lt;P&gt;Phase: 4&lt;BR /&gt;Type: IP-OPTIONS&lt;BR /&gt;Subtype:&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;/P&gt;&lt;P&gt;Phase: 5&lt;BR /&gt;Type: VPN&lt;BR /&gt;Subtype: ipsec-tunnel-flow&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;/P&gt;&lt;P&gt;Phase: 6&lt;BR /&gt;Type: HOST-LIMIT&lt;BR /&gt;Subtype:&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;/P&gt;&lt;P&gt;Phase: 7&lt;BR /&gt;Type: NAT&lt;BR /&gt;Subtype: rpf-check&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255&lt;/P&gt;&lt;P&gt;&amp;nbsp; match tcp inside host VEEDER eq 10001 outside any&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; static translation to X.X.X.X/10001&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; translate_hits = 0, untranslate_hits = 4&lt;BR /&gt;Additional Information:&lt;/P&gt;&lt;P&gt;Phase: 8&lt;BR /&gt;Type: NAT&lt;BR /&gt;Subtype: host-limits&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;static (inside,outside) tcp interface www VEEDER www netmask 255.255.255.255&lt;BR /&gt;&amp;nbsp; match tcp inside host VEEDER eq 80 outside any&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; static translation to X.X.X.X/80&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; translate_hits = 0, untranslate_hits = 1&lt;BR /&gt;Additional Information:&lt;/P&gt;&lt;P&gt;Phase: 9&lt;BR /&gt;Type: IP-OPTIONS&lt;BR /&gt;Subtype:&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;/P&gt;&lt;P&gt;Phase: 10&lt;BR /&gt;Type: FLOW-CREATION&lt;BR /&gt;Subtype:&lt;BR /&gt;Result: ALLOW&lt;BR /&gt;Config:&lt;BR /&gt;Additional Information:&lt;BR /&gt;New flow created with id 46155, packet dispatched to next module&lt;/P&gt;&lt;P&gt;Result:&lt;BR /&gt;input-interface: outside&lt;BR /&gt;input-status: up&lt;BR /&gt;input-line-status: up&lt;BR /&gt;output-interface: inside&lt;BR /&gt;output-status: up&lt;BR /&gt;output-line-status: up&lt;BR /&gt;Action: allow&lt;/P&gt;</description>
      <pubDate>Thu, 15 Jan 2015 16:43:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5505-access-statement/m-p/2580944#M197923</guid>
      <dc:creator>Chris Neal</dc:creator>
      <dc:date>2015-01-15T16:43:50Z</dc:date>
    </item>
  </channel>
</rss>

