https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139852#M877419 <HTML><HEAD></HEAD><BODY><P>do you have logging enable? Using ASDM, you can trace the packet and see where the deny occurs.</P></BODY></HTML> Wed, 21 Jan 2009 20:12:24 GMT Tshi M 2009-01-21T20:12:24Z https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139849#M877416 <P>Hello, </P><P></P><P>I want to enable access to server on ip address: 192.168.100.30 on port 22 located in inside interface from internet (outside)</P><P></P><P>We have ASA 5520 Cisco Adaptive Security Appliance Software Version 8.0(2)</P><P></P><P></P><P></P><P>My config (only relevant lines):</P><P> </P><P></P><P>interface GigabitEthernet0/0</P><P> nameif Outside</P><P> security-level 0</P><P> ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12</P><P>!</P><P>interface GigabitEthernet0/1</P><P> nameif DMZ</P><P> security-level 50</P><P> ip address 172.146.147.1 255.255.255.248 standby 172.146.147.2</P><P>!</P><P>interface GigabitEthernet0/3</P><P> nameif Inside</P><P> security-level 100</P><P> ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2</P><P>.</P><P>.</P><P>access-list Inside_access_in extended permit ip 192.168.100.30 any</P><P>access-list Inside_access_in extended deny ip any any</P><P>.</P><P>.</P><P>access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh</P><P>access-list Outside_access_in extended deny ip any any</P><P>.</P><P>.</P><P>global (Outside) 1 172.146.147.11 netmask 255.255.255.0</P><P>nat (Inside) 0 access-list Inside_nat0_outbound</P><P>nat (Inside) 1 10.1.33.0 255.255.255.0</P><P>nat (Inside) 1 10.1.34.0 255.255.255.0</P><P>nat (Inside) 1 10.1.35.0 255.255.255.0</P><P>nat (Inside) 1 10.1.36.0 255.255.255.0</P><P>nat (Inside) 1 10.1.39.0 255.255.255.0</P><P>nat (Inside) 1 10.1.41.0 255.255.255.0</P><P>nat (Inside) 1 10.1.42.0 255.255.255.0</P><P>nat (Inside) 1 10.1.44.0 255.255.255.0</P><P>nat (Inside) 1 10.1.99.0 255.255.255.0</P><P>nat (Inside) 1 10.40.2.0 255.255.255.0</P><P>nat (Inside) 1 10.40.24.0 255.255.255.0</P><P>nat (Inside) 1 192.168.100.0 255.255.255.0</P><P>nat (Inside) 1 192.168.250.0 255.255.255.0</P><P>nat (Inside) 1 192.168.96.0 255.255.248.0</P><P>static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255</P><P>access-group Outside_access_in in interface Outside</P><P>access-group DMZ_access_in in interface DMZ</P><P>access-group Inside_access_in in interface Inside</P><P>route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1</P><P>route Inside 10.0.0.0 255.0.0.0 192.168.200.1 1</P><P>route Outside 172.16.101.72 255.255.255.252 195.146.147.14 1</P><P>route Inside 192.168.0.0 255.255.0.0 192.168.200.1 1</P><P>.</P><P>.</P><P></P><P></P><P>When i type telnet 172.146.147.15 22 from public internet i cant open port 22....so i dont know - is something missing or wrong?</P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 14:40:08 GMT https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139849#M877416 lubosbella 2019-03-11T14:40:08Z https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139850#M877417 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>"access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh"</P><P></P><P>"static (Inside,Outside) tcp 172.146.147.14 ssh 192.168.100.30 ssh netmask 255.255.255.255"</P><P></P><P>Unless this is a typo, the access-list has to be:</P><P></P><P> access-list Outside_access_in extended permit tcp any host 172.146.147.14 eq ssh (not 172.146.147.15)</P><P></P><P></P><P>Regards</P><P></P><P></P></BODY></HTML> Wed, 21 Jan 2009 15:58:59 GMT https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139850#M877417 Mo'ath Al Rawashdeh 2009-01-21T15:58:59Z https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139851#M877418 <HTML><HEAD></HEAD><BODY><P>Sorry i copied bad line....</P><P></P><P>Right statements are:</P><P></P><P>access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh</P><P></P><P>static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255</P><P></P><P>but this is not working ....</P><P></P><P>Any other suggestion? </P><P></P><P>Thank.</P><P></P></BODY></HTML> Wed, 21 Jan 2009 19:51:17 GMT https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139851#M877418 lubosbella 2009-01-21T19:51:17Z https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139852#M877419 <HTML><HEAD></HEAD><BODY><P>do you have logging enable? Using ASDM, you can trace the packet and see where the deny occurs.</P></BODY></HTML> Wed, 21 Jan 2009 20:12:24 GMT https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139852#M877419 Tshi M 2009-01-21T20:12:24Z https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139853#M877420 <HTML><HEAD></HEAD><BODY><P>No logging is not enable for now....</P><P></P><P>Maybe can help this:</P><P></P><P>access-list Outside_access_in line 7 extended permit tcp any host 172.146.147.15 eq ssh (hitcnt=0) 0xb6f77e86</P><P></P><P>access-list Inside_access_in line 29 extended permit ip host 192.168.100.30 any (hitcnt=77) 0x4db26635</P><P></P><P>show xlate:</P><P></P><P>PAT Global 172.146.147.15(22) Local 192.168.100.30(22)</P><P>PAT Global 172.146.147.11(30) Local 192.168.100.30(123)</P><P>PAT Global 172.146.147.11(34204) Local 10.1.44.51(52658)</P><P>....</P><P></P><P>thank</P><P></P><P></P></BODY></HTML> Wed, 21 Jan 2009 21:25:23 GMT https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139853#M877420 lubosbella 2009-01-21T21:25:23Z https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139854#M877421 <HTML><HEAD></HEAD><BODY><P>you are not hitting your PAT address. hit counts on 172.146.147.15 is zero. </P><P></P><P>regards,</P></BODY></HTML> Wed, 21 Jan 2009 21:29:00 GMT https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139854#M877421 Tshi M 2009-01-21T21:29:00Z https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139855#M877422 <HTML><HEAD></HEAD><BODY><P>below is your outside interface config</P><P>interface GigabitEthernet0/0 </P><P>nameif Outside </P><P>security-level 0 </P><P>ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12 </P><P></P><P>you are using 255.255.255.248 as the subnet which makes 172.146.147.15 as your broadcast address. That being said, you won't be able to access it. You need to use a different address in that range. the available addresses are 172.146.147.9 to 172.146.147.14.</P><P></P><P>regards,</P></BODY></HTML> Wed, 21 Jan 2009 21:46:18 GMT https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139855#M877422 Tshi M 2009-01-21T21:46:18Z https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139856#M877424 <HTML><HEAD></HEAD><BODY><P>Thank you very much...it`s working ;). </P></BODY></HTML> Thu, 22 Jan 2009 12:41:14 GMT https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139856#M877424 lubosbella 2009-01-22T12:41:14Z https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139857#M877426 <HTML><HEAD></HEAD><BODY><P>I am glad to here!!</P></BODY></HTML> Thu, 22 Jan 2009 12:45:02 GMT https://community.cisco.com/t5/network-security/access-to-hosts-from-outside/m-p/1139857#M877426 Tshi M 2009-01-22T12:45:02Z