11-06-2012 03:46 PM - edited 03-11-2019 05:19 PM
Trying to allow inbound access from any host outside to my LAN server on port 995. Thank you so much!
asa5505# pack input outs tcp 4.2.2.2 3232 X.X.X.X 995 ---- X.X.X.X external IP
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 995 192.168.1.2 995 netmask 255.255.255.255
match tcp inside host 192.168.1.2 eq 995 outside any
static translation to X.X.X.X/995
translate_hits = 18, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate X.X.X.X/995 to 192.168.1.2/995 using netmask 255.255.255.255
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_in in interface outside
access-list outside_in extended permit tcp any host X.X.X.X eq 995
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 995 192.168.1.2 995 netmask 255.255.255.255
match tcp inside host 192.168.1.2 eq 995 outside any
static translation to X.X.X.X/995
translate_hits = 18, untranslate_hits = 1
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
match tcp inside host 192.168.1.2 eq 25 outside any
static translation to X.X.X.X/25
translate_hits = 13, untranslate_hits = 2923
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 55801166, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
asa5505#
11-06-2012 05:24 PM
Hi,
The packet-tracer shows that packets are allowed from anywhere on the Internet to your server's mapped IP (external interface of the firewall) on port 995. They are getting translated to the real IP address 192.168.1.2 and the access-list is allowing them. So as per the trace the traffic is allowed through the ASA.
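As an added example (not part of the original thread and not Cisco tooling), a small Python parser for the packet-tracer layout shown in the question pulls out the points the answer reads from it: the final action, the first phase that is not ALLOW, the UN-NAT mapping and the matched access-list lines. The names `parse_trace`, `summarize` and `SAMPLE_TRACE` are hypothetical, and the sample is a constructed, shortened trace.

```python
import re

# Constructed sample: a shortened trace in the layout shown in the question.
SAMPLE_TRACE = """\
Phase: 3
Type: UN-NAT
Result: ALLOW
Additional Information:
Untranslate X.X.X.X/995 to 192.168.1.2/995 using netmask 255.255.255.255
Phase: 4
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list outside_in extended permit tcp any host X.X.X.X eq 995
Result:
Action: allow
"""

def parse_trace(text):
    """Split packet-tracer text into per-phase dicts plus the final summary."""
    phases, summary, cur = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        key, sep, val = line.partition(":")
        if key == "Phase" and val.strip().isdigit():
            cur = {"phase": int(val), "lines": []}
            phases.append(cur)
        elif line == "Result:":  # a bare "Result:" opens the final summary
            summary = {}
        elif summary is not None:
            if sep:  # ignore the trailing prompt and other non key/value lines
                summary[key.lower()] = val.strip()
        elif cur is not None and sep and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val.strip()
        elif cur is not None:  # Config / Additional Information body lines
            cur["lines"].append(line)
    return phases, summary or {}

def summarize(text):
    """Report final action, first non-ALLOW phase, UN-NAT mapping, matched ACEs."""
    phases, summary = parse_trace(text)
    blocked = next((p for p in phases if p.get("result") != "ALLOW"), None)
    body = [(p.get("type"), l) for p in phases for l in p["lines"]]
    unnat = (re.match(r"Untranslate (\S+) to (\S+)", l) for t, l in body if t == "UN-NAT")
    return {
        "action": summary.get("action"),
        "first_block": (blocked["phase"], blocked["type"]) if blocked else None,
        "untranslate": next((m.groups() for m in unnat if m), None),
        "aces": [l for t, l in body if t == "ACCESS-LIST" and l.startswith("access-list ")],
    }
```

When `action` is `allow` and `first_block` is `None`, as in the trace above, the firewall policy is not what is stopping the connection.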