08-01-2013 04:41 AM - edited 03-11-2019 07:19 PM
Hi,
I have an inside host configured with its own external IP (not the outside IP), that seems to be ignoring the ACL configured for the outside interface. All traffic is passing.
My config looks like this:
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.33.253 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.1 255.255.255.248
object network host-dunstable-blackberry
 host 172.16.33.213
 nat (inside,outside) static XXX.XXX.XXX.2
access-list acl-outside-in extended deny tcp any object host-dunstable-blackberry eq ssh
access-group acl-outside-in in interface outside
XXX.XXX.XXX.2 falls within XXX.XXX.XXX.1 255.255.255.248
Even so, I'm still able to SSH from an unrelated IP, to XXX.XXX.XXX.2, and access my server.
Does anybody have any ideas? Is this by design? If so, how can I restrict access to this machine?
Any help would be greatly appreciated,
John
08-01-2013 08:20 AM
Hi,
Can you provide us with the output of the following command (Naturally fill in the actual public IP)
packet-tracer input outside tcp 1.1.1.1 12345 x.x.x.2 22
This should probably tell us what is allowing the traffic.
- Jouni
08-02-2013 08:27 AM
Hi Jouni,
Thanks for taking the time to look at this. Performing the packet-trace shows that the traffic is being blocked by the implicit deny on the outside interface.
Attempting to connect again showed that this was indeed the case.
I have no idea what was happening before, but everything seems to be working fine. It must be user error, but I'm certain I tested correctly initially... very confusing!
Thanks again,
John
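As an added illustration of what the packet-tracer result above means (this is example code, not part of the thread or of any Cisco tool): on an ASA running 8.3 or later, inbound traffic is un-NATed first and the outside ACL is then evaluated against the real (inside) address, with an implicit deny after the last ACE. The model below replays that order for the thread's ACL; it also goes slightly beyond the thread by showing that a permit written against the mapped address would never match on such an ASA. The 203.0.113.x address is a constructed stand-in for the redacted XXX.XXX.XXX.x range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed substitutes for the redacted XXX.XXX.XXX.x addresses (RFC 5737 range).
MAPPED_IP = "203.0.113.2"
REAL_IP = "172.16.33.213"          # object network host-dunstable-blackberry

# Static NAT table from the post: mapped (outside) address -> real (inside) address.
STATIC_NAT = {MAPPED_IP: REAL_IP}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    dst: str                    # destination host address or CIDR
    dport: Optional[int] = None  # None matches any destination port


# acl-outside-in as posted: one explicit deny for SSH to the real address.
ACL_OUTSIDE_IN = [Ace("deny", "tcp", REAL_IP, 22)]


def untranslate(dst_ip: str) -> str:
    """Step 1 on an 8.3+ ASA: un-NAT the destination before the ACL check."""
    return STATIC_NAT.get(dst_ip, dst_ip)


def ace_matches(ace: Ace, proto: str, dst_ip: str, dport: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(ace.dst, strict=False):
        return False
    return ace.dport is None or ace.dport == dport


def evaluate_inbound(proto: str, dst_ip: str, dport: int, acl=ACL_OUTSIDE_IN):
    """Return (action, reason) for a packet arriving on the outside interface."""
    real_dst = untranslate(dst_ip)          # ACL sees the real address, not the mapped one
    for ace in acl:                         # first matching ACE wins
        if ace_matches(ace, proto, real_dst, dport):
            port = f" eq {ace.dport}" if ace.dport is not None else ""
            return ace.action, f"{ace.action} {ace.proto} any host {ace.dst}{port}"
    return "deny", "implicit deny"          # nothing matched: end-of-ACL implicit deny


if __name__ == "__main__":
    for proto, port in [("tcp", 22), ("tcp", 443)]:
        print(proto, port, "->", evaluate_inbound(proto, MAPPED_IP, port))
```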