ASA 5525 problem with NAT and ACL

Frank27
Level 1

I have a problem with this ASA. I cannot reach the inside network from the outside. The logs look like this:

%ASA-3-710003: TCP access denied by ACL from 203.1.1.4/51022 to outside:10.0.0.3/443
%ASA-7-710005: TCP request discarded from 203.1.1.4/51022 to outside:10.0.0.3/443
%ASA-3-710003: TCP access denied by ACL from 203.1.1.4/51022 to outside:10.0.0.3/443
%ASA-7-710005: TCP request discarded from 203.1.1.4/51022 to outside:10.0.0.3/443
%ASA-3-710003: TCP access denied by ACL from 203.1.1.4/51022 to outside:10.0.0.3/443
%ASA-7-710005: TCP request discarded from 203.1.1.4/51022 to outside:10.0.0.3/443
%ASA-3-710003: TCP access denied by ACL from 203.1.1.4/51022 to outside:10.0.0.3/443
%ASA-7-710005: TCP request discarded from 203.1.1.4/51022 to outside:10.0.0.3/443

This is the relevant part of the running conf:

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.0.0.3 255.255.255.0
!
interface GigabitEthernet0/1
nameif VLAN
security-level 100
no ip address
!
interface GigabitEthernet0/1.1
vlan 20
nameif VLAN20
security-level 100
ip address 192.168.20.1 255.255.255.0

same-security-traffic permit inter-interface
object network VLAN20
host 192.168.20.2
object network outside_map
host 10.0.0.4

access-list INSIDE_IN extended permit ip any any
access-list tovlan extended permit icmp any host 192.168.20.2
access-list tovlan extended permit tcp any host 192.168.20.2 eq www
access-list tovlan extended permit tcp any host 192.168.20.2 eq https

nat (VLAN20,outside) source static VLAN20 outside_map no-proxy-arp
access-group INSIDE_IN in interface outside
access-group INSIDE_IN out interface outside

access-group tovlan in interface VLAN20
access-group tovlan out interface VLAN20
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1

Any suggestions?

Thank You!

1 Reply

Looks like you are trying to access the server via your outside interface IP but you have defined 10.0.0.4 in your NAT statement.  Try accessing via 10.0.0.4.

--
Please remember to select a correct answer and rate helpful posts
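The diagnosis in the reply can be reached mechanically from the two artefacts in the post: the syslog lines and the config fragment. The script below is an added example, not code from the thread or from Cisco; it embeds the posted log lines and config as constructed sample input, parses the interface addresses, network objects and static NAT rule, and then checks each %ASA-3-710003 denial against them. It relies on one documented ASA behaviour that the post itself illustrates: 710003 is logged for connections addressed to the firewall's own interface address (to-the-box traffic), which no through-the-box NAT rule or interface access-group will ever match. The function and key names (parse_denials, parse_config, classify, the "kind" labels) are the example's own choices, not ASA terminology.

```python
import re

# Constructed sample input: the syslog lines and running-config fragment from the post.
SAMPLE_LOGS = """\
%ASA-3-710003: TCP access denied by ACL from 203.1.1.4/51022 to outside:10.0.0.3/443
%ASA-7-710005: TCP request discarded from 203.1.1.4/51022 to outside:10.0.0.3/443
%ASA-3-710003: TCP access denied by ACL from 203.1.1.4/51022 to outside:10.0.0.3/443
"""

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.3 255.255.255.0
interface GigabitEthernet0/1
 nameif VLAN
 security-level 100
 no ip address
interface GigabitEthernet0/1.1
 vlan 20
 nameif VLAN20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
object network VLAN20
 host 192.168.20.2
object network outside_map
 host 10.0.0.4
nat (VLAN20,outside) source static VLAN20 outside_map no-proxy-arp
"""

# 710003 is the ASA's "connection to an interface service denied" message; 710005 is skipped.
DENY_RE = re.compile(
    r"%ASA-\d-710003: (?P<proto>\w+) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)$"
)
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) source static (\S+) (\S+)")


def parse_denials(log_text):
    """Return one dict per 710003 event (proto, src, sport, ifc, dst, dport)."""
    return [m.groupdict() for m in map(DENY_RE.match, map(str.strip, log_text.splitlines())) if m]


def parse_config(config_text):
    """Collect interface addresses by nameif, network-object hosts, and static NAT rules."""
    ifc_ips, objects, nats = {}, {}, []
    mode, name = None, None  # current config sub-mode and the name it belongs to
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            mode, name = "interface", None  # nameif is only known once we see it
        elif line.startswith("object network "):
            mode, name = "object", line.split()[2]
        elif mode == "interface" and line.startswith("nameif "):
            name = line.split()[1]
        elif mode == "interface" and name and line.startswith("ip address "):
            ifc_ips[name] = line.split()[2]
        elif mode == "object" and line.startswith("host "):
            objects[name] = line.split()[1]
        elif line.startswith("nat ("):
            m = NAT_RE.match(line)
            if m:
                real_ifc, mapped_ifc, real_obj, mapped_obj = m.groups()
                nats.append({"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
                             "real_obj": real_obj, "mapped_obj": mapped_obj})
    return ifc_ips, objects, nats


def classify(event, ifc_ips, objects, nats):
    """Say whether the denied destination is the firewall itself, a NAT-published host, or neither."""
    ifc, dst = event["ifc"], event["dst"]
    if ifc_ips.get(ifc) == dst:
        # The client addressed the interface's own IP: to-the-box traffic. List the
        # addresses that static NAT actually publishes on this interface instead.
        published = [objects.get(n["mapped_obj"]) for n in nats if n["mapped_ifc"] == ifc]
        return {"kind": "interface-address", "target": dst, "published": published}
    for n in nats:
        if n["mapped_ifc"] == ifc and objects.get(n["mapped_obj"]) == dst:
            # Mapped address hit: the packet would be untranslated to the real host and
            # then evaluated by the access-group on the interface it arrived on.
            return {"kind": "nat-mapped", "target": dst,
                    "real": objects.get(n["real_obj"]), "check_acl_on": ifc}
    return {"kind": "unmapped", "target": dst, "published": []}


if __name__ == "__main__":
    ifc_ips, objects, nats = parse_config(SAMPLE_CONFIG)
    for ev in parse_denials(SAMPLE_LOGS):
        print(f"{ev['src']}/{ev['sport']} -> {ev['ifc']}:{ev['dst']}/{ev['dport']}:",
              classify(ev, ifc_ips, objects, nats))
```

Run against the posted data it reports the denial as "interface-address" with 10.0.0.4 as the only address published on outside, which is the reply's point: the client is talking to the firewall, not to the server behind it. The config parser is deliberately narrow (host objects and `source static` NAT only); ranges, subnets, dynamic NAT and object-groups are not handled.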