Firewall Rule

Jay Cambell

I'm getting a block and I don't understand why. I used the ASDM tool to packet trace. I tried a telnet to 10.0.0.0 and the port, and it worked. When I test remotely it doesn't work. It's blocked.

object network obj-10.0.0.0
 host 10.0.0.0
object network obj-10.0.0.0
 nat (inside,outside) static 12.0.0.0 service tcp ssh ssh
object network obj-10.0.0.0
 nat (inside,outside) static 12.0.0.0 service tcp 990 990

access-list inside extended permit tcp host 10.0.0.0 host 12.0.0.0 eq ssh
access-list inside extended permit tcp host 10.0.0.0 host 12.0.0.0 eq 990
access-list outside extended permit tcp host 12.0.0.0 host 10.0.0.0 eq ssh
access-list outside extended permit tcp host 12.0.0.0 host 10.0.0.0 eq 990


Rahul Govindan

Your inbound ACL rules below seem to be wrong:

access-list outside extended permit tcp host 12.0.0.0 host 10.0.0.0 eq ssh
access-list outside extended permit tcp host 12.0.0.0 host 10.0.0.0 eq 990

These rules should ideally be (considering ASA is version 8.3+):

access-list outside extended permit tcp any host 10.0.0.0 eq ssh
access-list outside extended permit tcp any host 10.0.0.0 eq 990

Your inside ACL should also change accordingly.
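To show why the source of the inbound ACE matters, here is a small model of how an ASA running 8.3+ handles an inbound packet: object NAT untranslates the mapped destination first, then the outside interface ACL is evaluated against the real (inside) address. This is an added illustration, not code from the thread or from Cisco; the NAT and ACL entries are constructed from the configuration above, the remote client address 203.0.113.7 is a constructed sample, and the third ACL (mapped address as destination) is included to show the pre-8.3 style that also fails on 8.3+.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticNat:
    real_ip: str       # inside host address
    mapped_ip: str     # address seen on the outside interface
    real_port: int
    mapped_port: int

@dataclass(frozen=True)
class Ace:
    src: str           # "any" or a single host address
    dst: str           # single host address
    dport: int

def untranslate(nat_rules, dst_ip, dst_port):
    """Map an inbound (mapped) destination back to the real host, as 8.3+ does before ACL lookup."""
    for r in nat_rules:
        if r.mapped_ip == dst_ip and r.mapped_port == dst_port:
            return r.real_ip, r.real_port
    return dst_ip, dst_port  # no NAT match: destination is left unchanged

def acl_permits(acl, src_ip, dst_ip, dst_port):
    """First-match evaluation of a simplified extended ACL (tcp only, implicit deny)."""
    for a in acl:
        if (a.src == "any" or a.src == src_ip) and a.dst == dst_ip and a.dport == dst_port:
            return True
    return False

def inbound_allowed(nat_rules, outside_acl, src_ip, dst_ip, dst_port):
    real_ip, real_port = untranslate(nat_rules, dst_ip, dst_port)
    return acl_permits(outside_acl, src_ip, real_ip, real_port)

# Constructed from the thread: two static port forwards for the same inside host.
NAT = [StaticNat("10.0.0.0", "12.0.0.0", 22, 22),
       StaticNat("10.0.0.0", "12.0.0.0", 990, 990)]
# As posted: source restricted to the mapped address itself, so no remote client matches.
ORIGINAL_OUTSIDE_ACL = [Ace("12.0.0.0", "10.0.0.0", 22), Ace("12.0.0.0", "10.0.0.0", 990)]
# As suggested in the reply: any source, real inside address as destination.
CORRECTED_OUTSIDE_ACL = [Ace("any", "10.0.0.0", 22), Ace("any", "10.0.0.0", 990)]
# Pre-8.3 style (mapped address as destination): wrong on 8.3+ because the ACL sees the real IP.
MAPPED_DST_ACL = [Ace("any", "12.0.0.0", 22), Ace("any", "12.0.0.0", 990)]

def demo(remote_client="203.0.113.7"):
    """Return (original, corrected, mapped-destination) results for an inbound SSH packet."""
    return tuple(inbound_allowed(NAT, acl, remote_client, "12.0.0.0", 22)
                 for acl in (ORIGINAL_OUTSIDE_ACL, CORRECTED_OUTSIDE_ACL, MAPPED_DST_ACL))

if __name__ == "__main__":
    print(demo())  # (False, True, False)
```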

Are you saying the inbound should look like the below? Can you explain the difference?

access-list inside extended permit tcp host 12.0.0.0 host 10.0.0.0 eq ssh
access-list inside extended permit tcp host 12.0.0.0 host 10.0.0.0 eq 990

Or should the inbound look like this?

access-list inside extended permit tcp any host 12.0.0.0 eq ssh
access-list inside extended permit tcp any host 12.0.0.0 eq 990