01-11-2013 01:46 PM - edited 03-11-2019 05:45 PM
Sorry, but I'm new to ASA. Trying to learn, but I can't understand the process to set up an ASA ACL. Here is my clean txt file; can someone tell me what I'm doing wrong?
I simply want to get a single IP to come in and NAT to 192.168.50.2.
The outside interface is 50.193.200.105. The IP I want to receive is 192.108.200.11, port 10800.
sh run
: Saved
:
ASA Version 8.3(1)
!
!
interface Ethernet0/0
shutdown
nameif outside-itt
security-level 30
ip address 50.193.200.105 255.255.255.248
!
interface Ethernet0/1
shutdown
nameif itt-inside
security-level 70
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
clock timezone utc 0
dns server-group DefaultDNS
domain-name t
object network
host 192.168.50.2
object-group network itt-PENN
access-list itt extended permit tcp host 192.108.200.11 host 192.168.50.1 eq 10800
access-list itt extended deny ip any any
pager lines 50
logging timestamp
logging console critical
logging asdm informational
mtu management 1500
mtu outside-itt 1500
mtu itt-inside 1500
ip audit info action drop
ip audit attack action drop
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network itt
nat (any,any) static 192.108.200.11 service tcp 10800 10800
route outside-IGS 0.0.0.0 0.0.0.0 50.193.238.110 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
class-map inspection_default
match default-inspection-traffic
!
!
01-11-2013 01:54 PM
Hi,
Provided that the following things I state are true, your configuration could look like this:
REMOVE THE OLD NAT CONFIGURATIONS BEFORE THIS
Commands
object network ITT
host 192.168.50.2
nat (itt-inside,outside-itt) static interface service tcp 10800 10800
access-list OUTSIDE-ITT-IN permit tcp host 192.108.200.11 object ITT eq 10800
access-group OUTSIDE-ITT-IN in interface outside-itt
Please rate if the information was helpful, and if it corrected your problem, please mark the question as answered.
Also ask more questions if needed.
- Jouni
01-11-2013 01:56 PM
Also,
The above configuration you posted says that both interfaces are in "shutdown"
Go under each interface with "interface Ethernet0/0" and "interface Ethernet0/1" and issue the command "no shutdown" to bring up the interfaces IF they are indeed configured to "shutdown"
- Jouni
01-14-2013 09:48 AM
still showing untranslated_hits
access list is showing no hit counts
01-14-2013 09:56 AM
Hi,
When you are connecting from the "outside" it's supposed to show untranslated hits.
Do you have the ACL attached to the interface with the "access-group" command?
Post your NAT and ACL commands again after changing them so I can see whether they are correct.
It was my understanding that you wanted to do the following
- Jouni
01-14-2013 10:24 AM
interface Ethernet0/0
speed 10
duplex full
nameif outside-ITT
security-level 30
ip address 50.193.200.105 255.255.255.248
!
interface Ethernet0/1
nameif ITT-inside
security-level 70
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
object network ITT
host 192.168.50.2
access-list OUTSIDE-ITT-IN extended permit tcp host 192.108.200.11 object ITT eq 10800
!
object network ITT
nat (ITT-inside,outside-ITT) static interface service tcp 10800 10800
access-group OUTSIDE-ITT-IN in interface outside-ITT
route outside-IGS 0.0.0.0 0.0.0.0 50.193.200.110 1
01-14-2013 10:28 AM
Hi,
What is outside-IGS?
I can't see any interface named that.
Shouldn't the default route be pointing through interface "outside-ITT"?
- Jouni
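The four things Jouni checks across this thread (named interfaces left in "shutdown", an ACL never bound with "access-group", an ACL destination that is the ASA's own interface address instead of the real server, and a route naming a nameif that does not exist) can be checked mechanically. The Python checker below is an added example, not code from the thread; it assumes ASA 8.3+ syntax, and the config it parses is a constructed subset of the first post.

```python
import re

# Constructed sample (not the poster's verbatim config): the lines from the first post that the checks use.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 shutdown
 nameif outside-itt
interface Ethernet0/1
 shutdown
 nameif itt-inside
 ip address 192.168.50.1 255.255.255.0
access-list itt extended permit tcp host 192.108.200.11 host 192.168.50.1 eq 10800
route outside-IGS 0.0.0.0 0.0.0.0 50.193.238.110 1
"""

def lint_asa(config):
    ifaces, acls, applied, routes, findings, cur = {}, {}, set(), [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"shut": False})
        elif line == "shutdown" and cur is not None:
            cur["shut"] = True
        elif line.startswith("nameif ") and cur is not None:
            cur["nameif"] = line.split()[1].lower()
        elif line.startswith("ip address ") and cur is not None:
            cur["ip"] = line.split()[2]
        elif line.startswith("access-list "):
            acls.setdefault(line.split()[1], []).append(line)
        elif line.startswith("access-group "):
            applied.add(line.split()[1])
        elif line.startswith("route "):
            routes.append(line.split()[1].lower())
    own_ips = {i["ip"] for i in ifaces.values() if "ip" in i}
    names = {i["nameif"] for i in ifaces.values() if "nameif" in i}
    # 1. A named interface left in 'shutdown' passes no traffic at all.
    findings += [f"{n} ({i['nameif']}) is shut down; needs 'no shutdown'"
                 for n, i in ifaces.items() if i.get("nameif") and i["shut"]]
    for acl, entries in acls.items():
        # 2. An ACL does nothing until 'access-group' binds it to an interface.
        if acl not in applied:
            findings.append(f"ACL {acl} is never applied with 'access-group'")
        for e in entries:
            # 3. Since 8.3 ACLs match real (untranslated) addresses: the destination must be the server, not an ASA interface IP.
            m = re.search(r"host (\S+) eq", e)
            if m and m.group(1) in own_ips:
                findings.append(f"ACL {acl} destination {m.group(1)} is an ASA interface IP, not the real server")
    # 4. A static route must name an existing nameif.
    findings += [f"route references unknown interface name '{r}'" for r in routes if r not in names]
    return findings
```

Running it on the sample reports all four problems; applying the corrections Jouni gave (no shutdown, "object ITT" as the ACL destination, the access-group line, and the route through outside-ITT) makes it report nothing.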
01-14-2013 11:38 AM
Typo, that should say outside-ITT.
I'll look at the default route. Got a little wrapped around the axle on this.
01-14-2013 11:43 AM
route outside-ITT 0.0.0.0 0.0.0.0 50.193.200.105 1
01-14-2013 11:45 AM
Just found out they want to add port 10801 outbound.