asa 8.3 acl

k.langley (Level 1)

Sorry, but I'm new to ASA. Trying to learn, but I can't understand the process to set up an ASA ACL. Here is my clean txt file; can someone tell me what I'm doing wrong?

I'm simply trying to get a single IP to come in and NAT to 192.168.50.2.

The outside interface is 50.193.200.105. The IP I want to receive is 192.108.200.11, port 10800.

sh run
: Saved
:
ASA Version 8.3(1)
!
!
interface Ethernet0/0
 shutdown
 nameif outside-itt
 security-level 30
 ip address 50.193.200.105 255.255.255.248
!
interface Ethernet0/1
 shutdown
 nameif itt-inside
 security-level 70
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
clock timezone utc 0
dns server-group DefaultDNS
 domain-name t
object network
 host 192.168.50.2
object-group network itt-PENN
access-list itt extended permit tcp host 192.108.200.11 host 192.168.50.1 eq 10800
access-list itt extended deny ip any any
pager lines 50
logging timestamp
logging console critical
logging asdm informational
mtu management 1500
mtu outside-itt 1500
mtu itt-inside 1500
ip audit info action drop
ip audit attack action drop
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network itt
 nat (any,any) static 192.108.200.11 service tcp 10800 10800
route outside-IGS 0.0.0.0 0.0.0.0 50.193.238.110 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
class-map inspection_default
 match default-inspection-traffic
!
!

9 Replies

Jouni Forss (VIP Alumni)

Hi,

Provided that the following things that I state are true

  • Server Local IP = 192.168.50.2
  • Server Public IP = 50.193.200.105 (ASA "outside-itt")
  • Port to be forwarded = TCP/10800
  • Connections need to be allowed from the public source IP address of 192.108.200.11

Then your configuration could look like this

REMOVE THE OLD NAT CONFIGURATIONS BEFORE THIS

Commands

  • object network itt
  • no nat (any,any) static 192.108.200.11 service tcp 10800 10800
  • exit
  • no object network itt

object network ITT
 host 192.168.50.2
 nat (itt-inside,outside-itt) static interface service tcp 10800 10800

access-list OUTSIDE-ITT-IN permit tcp host 192.108.200.11 object ITT eq 10800
access-group OUTSIDE-ITT-IN in interface outside-itt

Please rate if the information was helpful, and if it corrected your problem, please mark the question as answered.

Also ask more questions if needed

- Jouni

Also,

The above configuration you posted says that both interfaces are in "shutdown"

Go under each interface with "interface Ethernet0/0" and "interface Ethernet0/1" and issue the command "no shutdown" to bring up the interfaces IF they are indeed configured to "shutdown"

- Jouni

Still showing untranslated_hits.

Access list is showing no hit counts.

Hi,

When you are connecting from the "outside" it's supposed to show untranslated hits.

Do you have the ACL attached to the interface with the "access-group" command?

Post your NAT and ACL commands again after changing them so I can see they are correct.

It was my understanding that you wanted to do the following

  • Forward port TCP/10800 to the LAN host IP of 192.168.50.2
  • Public IP that you want to use is the "outside" interface IP address
  • You want to open traffic from the source IP address of 192.108.200.11

- Jouni

interface Ethernet0/0
 speed 10
 duplex full
 nameif outside-ITT
 security-level 30
 ip address 50.193.200.105 255.255.255.248
!
interface Ethernet0/1
 nameif ITT-inside
 security-level 70
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
object network ITT
 host 192.168.50.2
access-list OUTSIDE-ITT-IN extended permit tcp host 192.108.200.11 object ITT eq 10800
!
object network ITT
 nat (ITT-inside,outside-ITT) static interface service tcp 10800 10800
access-group OUTSIDE-ITT-IN in interface outside-ITT
route outside-IGS 0.0.0.0 0.0.0.0 50.193.200.110 1

Hi,

What is outside-IGS?

I can't see any interface named that.

Shouldn't the default route be pointing through interface "outside-ITT"?

- Jouni
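An added example (my own code, not something posted in this thread or shipped by Cisco): a small Python lint that parses the port-forward-relevant part of an ASA 8.3 running-config and flags the mistakes that came up above, namely interfaces left in shutdown, an unnamed network object, object NAT using (any,any) and a mapped address that is really the remote client's IP, an ACL whose destination is the ASA's own inside address instead of the real server (8.3 ACLs reference the untranslated address), an ACL never applied with access-group, and a default route through a nameif that does not exist. The two embedded configs are constructed and abridged from the question's first config and from Jouni's corrected commands; the finding codes, the parser's simplifications and the extra next-hop-is-the-ASA-itself check are my own assumptions, not ASA behaviour the thread documents.

```python
"""Lint for an ASA 8.3 static port-forward (added example; not code from the thread or from Cisco)."""
import re

def parse_asa(config: str) -> dict:
    # Sub-mode lines (shutdown, nameif, ip address, nat) attach to the block opened above them.
    interfaces, objects, acls, access_groups, routes = [], {}, {}, {}, []
    mode = None  # ("interface", dict) or ("object", dict) while inside a sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        if line.startswith("interface "):
            cur = {"name": line.split()[1], "nameif": None, "shutdown": False, "ip": None}
            interfaces.append(cur)
            mode = ("interface", cur)
        elif line.startswith("object network"):
            parts = line.split()
            name = parts[2] if len(parts) > 2 else ""  # "" = object entered without a name
            mode = ("object", objects.setdefault(name, {"nat": None}))
        elif (m := re.match(r"access-list (\S+) (?:extended )?((?:permit|deny) .*)", line)):
            acls.setdefault(m.group(1), []).append(m.group(2))
            mode = None
        elif (m := re.match(r"access-group (\S+) in interface (\S+)", line)):
            access_groups[m.group(1)] = m.group(2)
            mode = None
        elif (m := re.match(r"route (\S+) \S+ \S+ (\S+)", line)):
            routes.append({"iface": m.group(1), "gateway": m.group(2)})
            mode = None
        elif mode and mode[0] == "interface":
            if line == "shutdown":
                mode[1]["shutdown"] = True
            elif line.startswith("nameif "):
                mode[1]["nameif"] = line.split()[1]
            elif line.startswith("ip address "):
                mode[1]["ip"] = line.split()[2]
        elif mode and mode[0] == "object" and line.startswith("nat "):
            mode[1]["nat"] = line
    return {"interfaces": interfaces, "objects": objects, "acls": acls,
            "access_groups": access_groups, "routes": routes}

def lint_port_forward(config: str, inside: str, outside: str) -> list:
    """Flag the mistakes discussed in the thread for a forward from `outside` to `inside`."""
    p, out = parse_asa(config), []
    nameifs = {i["nameif"] for i in p["interfaces"] if i["nameif"]}
    asa_ips = {i["ip"] for i in p["interfaces"] if i["ip"]}
    # Remote sources the ACLs permit: a static NAT mapped to one of them points at the client, not at us.
    sources = {m.group(1) for es in p["acls"].values() for e in es
               if (m := re.match(r"permit \S+ host (\S+)", e))}
    for i in p["interfaces"]:
        if i["nameif"] in (inside, outside) and i["shutdown"]:
            out.append(f"SHUTDOWN: {i['name']} ({i['nameif']}) is administratively down")
    for name, obj in p["objects"].items():
        if not name:
            out.append("UNNAMED-OBJECT: 'object network' has no name, so its host line binds to nothing")
        m = re.match(r"nat \((\S+),(\S+)\) static (\S+)", obj["nat"] or "")
        if m and (m.group(1), m.group(2)) != (inside, outside):
            out.append(f"NAT-INTERFACES: object {name} uses ({m.group(1)},{m.group(2)}), expected ({inside},{outside})")
        if m and m.group(3) in sources:
            out.append(f"NAT-MAPPED-IS-CLIENT: object {name} maps to {m.group(3)}, a permitted remote source")
    for acl, entries in p["acls"].items():
        for e in entries:
            m = re.match(r"permit \S+ host \S+ host (\S+)", e)
            if m and m.group(1) in asa_ips:
                out.append(f"ACL-DEST-IS-ASA: {acl} permits to {m.group(1)}, an ASA address; 8.3 ACLs use the real server IP")
        if acl not in p["access_groups"]:
            out.append(f"ACL-NOT-APPLIED: {acl} has no access-group, so it filters nothing")
    for r in p["routes"]:
        if r["iface"] not in nameifs:
            out.append(f"ROUTE-UNKNOWN-INTERFACE: route via '{r['iface']}' but no interface has that nameif")
        if r["gateway"] in asa_ips:
            out.append(f"ROUTE-GATEWAY-IS-SELF: next hop {r['gateway']} is the ASA's own address")
    return out

# Constructed test inputs: abridged from the question's posted config, and from Jouni's corrected
# commands with a next hop borrowed from the thread as a placeholder. Not real device dumps.
BROKEN_CONFIG = """interface Ethernet0/0
 shutdown
 nameif outside-itt
interface Ethernet0/1
 shutdown
 nameif itt-inside
 ip address 192.168.50.1 255.255.255.0
object network
 host 192.168.50.2
access-list itt extended permit tcp host 192.108.200.11 host 192.168.50.1 eq 10800
object network itt
 nat (any,any) static 192.108.200.11 service tcp 10800 10800
route outside-IGS 0.0.0.0 0.0.0.0 50.193.238.110 1"""
FIXED_CONFIG = """interface Ethernet0/0
 nameif outside-itt
interface Ethernet0/1
 nameif itt-inside
object network ITT
 host 192.168.50.2
 nat (itt-inside,outside-itt) static interface service tcp 10800 10800
access-list OUTSIDE-ITT-IN extended permit tcp host 192.108.200.11 object ITT eq 10800
access-group OUTSIDE-ITT-IN in interface outside-itt
route outside-itt 0.0.0.0 0.0.0.0 50.193.200.110 1"""

if __name__ == "__main__":
    for label, cfg in (("posted", BROKEN_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, lint_port_forward(cfg, "itt-inside", "outside-itt") or ["clean"])
```

Run it as-is and the posted config produces eight findings while the corrected one produces none; to check your own box, paste the relevant `show run` sections into a string and pass the inside and outside nameifs you intend the forward to cross. It only reads text, so it complements rather than replaces `packet-tracer` and `show xlate` on the ASA itself.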

Typo, that should say outside-ITT.

I'll look at the default route. Got a little wrapped around the axle on this.

route outside-ITT 0.0.0.0 0.0.0.0 50.193.200.105 1

Just found out they want to add port 10801 outbound.
