01-11-2013 01:46 PM - edited 03-11-2019 05:45 PM
Sorry, but I'm new to ASA. Trying to learn, but I can't understand the process to set up an ASA ACL. Here is my clean txt file; can someone tell me what I'm doing wrong?
I'm simply trying to get a single IP to come in and NAT to 192.168.50.2.
The outside interface is 50.193.200.105. The IP I want to receive is 192.108.200.11, port 10800.
sh run
: Saved
:
ASA Version 8.3(1)
!
!
interface Ethernet0/0
shutdown
nameif outside-itt
security-level 30
ip address 50.193.200.105 255.255.255.248
!
interface Ethernet0/1
shutdown
nameif itt-inside
security-level 70
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
clock timezone utc 0
dns server-group DefaultDNS
domain-name t
object network
host 192.168.50.2
object-group network itt-PENN
access-list itt extended permit tcp host 192.108.200.11 host 192.168.50.1 eq 10800
access-list itt extended deny ip any any
pager lines 50
logging timestamp
logging console critical
logging asdm informational
mtu management 1500
mtu outside-itt 1500
mtu itt-inside 1500
ip audit info action drop
ip audit attack action drop
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network itt
nat (any,any) static 192.108.200.11 service tcp 10800 10800
route outside-IGS 0.0.0.0 0.0.0.0 50.193.238.110 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
class-map inspection_default
match default-inspection-traffic
!
!
01-11-2013 01:54 PM
Hi,
Provided that the following things that I state are true
Then your configuration could look like this
REMOVE THE OLD NAT CONFIGURATIONS BEFORE THIS
Commands
object network ITT
host 192.168.50.2
nat (itt-inside,outside-itt) static interface service tcp 10800 10800
access-list OUTSIDE-ITT-IN permit tcp host 192.108.200.11 object ITT eq 10800
access-group OUTSIDE-ITT-IN in interface outside-itt
Please rate if the information was helpful, and if it corrected your problem, please mark the question as answered.
Also ask more questions if needed.
- Jouni
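To make the post-8.3 rules in the answer above checkable, here is an added example (not Jouni's or Cisco's code) that parses a pasted running config and reports the mistakes this thread covers: interfaces left in shutdown, an ACL that names the ASA's own interface address instead of the real inside host, a NAT mapped address that is actually the remote client, a route or access-group that names a non-existent interface, and an ACL never applied with access-group. The sample config embedded in it is a constructed, trimmed copy of the first post; the finding texts are this example's own wording.

```python
import re
# Constructed sample: a trimmed copy of the first config posted in the thread.
SAMPLE_CFG = """\
interface Ethernet0/0
 shutdown
 nameif outside-itt
 ip address 50.193.200.105 255.255.255.248
interface Ethernet0/1
 nameif itt-inside
 ip address 192.168.50.1 255.255.255.0
access-list itt extended permit tcp host 192.108.200.11 host 192.168.50.1 eq 10800
 nat (any,any) static 192.108.200.11 service tcp 10800 10800
route outside-IGS 0.0.0.0 0.0.0.0 50.193.238.110 1
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit \S+ host (\S+) (host|object) (\S+) eq \d+")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)")
def parse_interfaces(lines):
    # nameif -> {'ip', 'down'}; these three keywords only occur inside interface blocks
    ifaces, cur = {}, {}
    for s in lines:
        if s.startswith("interface "):
            cur = {"ip": None, "down": False}
        elif s == "shutdown":
            cur["down"] = True
        elif s.startswith("nameif "):
            ifaces[s.split()[1]] = cur
        elif s.startswith("ip address "):
            cur["ip"] = s.split()[2]
    return ifaces

def audit(cfg):
    # Findings for the inbound static-NAT-plus-ACL pattern under ASA 8.3+ semantics
    lines = [l.strip() for l in cfg.splitlines()]
    ifaces = parse_interfaces(lines)
    own_ips = {i["ip"] for i in ifaces.values() if i["ip"]}
    acl_src = {m[2] for s in lines if (m := ACL_RE.match(s))}  # remote client(s) named in ACLs
    acls, applied = set(), set()
    out = [f"interface {n} is shutdown; issue 'no shutdown'" for n, i in ifaces.items() if i["down"]]
    for s in lines:
        if m := ACL_RE.match(s):
            acls.add(m[1])
            if m[3] == "host" and m[4] in own_ips:  # post-8.3 ACLs must name the real inside host
                out.append(f"ACL {m[1]}: destination {m[4]} is an ASA interface address, not the real host")
        elif m := re.match(r"(access-group|route) (\S+)(?: in interface (\S+))?", s):
            if m[1] == "access-group": applied.add(m[2])
            if (m[3] or m[2]) not in ifaces: out.append(f"{m[1]}: no interface named {m[3] or m[2]}")
        elif (m := NAT_RE.match(s)) and m[3] in acl_src:
            out.append(f"nat: mapped address {m[3]} is the remote client; use 'interface' or an outside address")
    out += [f"ACL {a} is defined but never applied with access-group" for a in sorted(acls - applied)]
    return out
```

Running audit(SAMPLE_CFG) lists five findings; feeding it the corrected object/nat/access-list/access-group set from the answer, with the interfaces brought up, returns an empty list.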
01-11-2013 01:56 PM
Also,
The above configuration you posted says that both interfaces are in "shutdown"
Go under each interface with "interface Ethernet0/0" and "interface Ethernet0/1" and issue the command "no shutdown" to bring up the interfaces IF they are indeed configured to "shutdown"
- Jouni
01-14-2013 09:48 AM
still showing untranslated_hits
access list is showing no hit counts
01-14-2013 09:56 AM
Hi,
When you are connecting from the "outside" it's supposed to show untranslated hits.
Do you have the ACL attached to the interface with the "access-group" command?
Post your NAT and ACL commands again after changing them so I can see they are correct.
It was my understanding that you wanted to do the following
- Jouni
01-14-2013 10:24 AM
interface Ethernet0/0
speed 10
duplex full
nameif outside-ITT
security-level 30
ip address 50.193.200.105 255.255.255.248
!
interface Ethernet0/1
nameif ITT-inside
security-level 70
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
object network ITT
host 192.168.50.2
access-list OUTSIDE-ITT-IN extended permit tcp host 192.108.200.11 object ITT eq 10800
!
object network ITT
nat (ITT-inside,outside-ITT) static interface service tcp 10800 10800
access-group OUTSIDE-ITT-IN in interface outside-ITT
route outside-IGS 0.0.0.0 0.0.0.0 50.193.200.110 1
01-14-2013 10:28 AM
Hi,
What is outside-IGS?
I can't see any interface named that.
Shouldn't the default route be pointing through interface "outside-ITT"?
- Jouni
01-14-2013 11:38 AM
Typo, that should say outside-ITT.
I'll look at the default route. Got a little wrapped around the axle on this.
01-14-2013 11:43 AM
route outside-ITT 0.0.0.0 0.0.0.0 50.193.200.105 1
01-14-2013 11:45 AM
Just found out they want to add port 10801 outbound.