04-17-2006 06:09 PM - edited 02-21-2020 12:50 AM
Just trying to forward a port from outside Int->device sitting on "inside" Interface, but getting the following in the logs:
%PIX-2-106006: Deny inbound UDP from 66.21.215.238/50507 to client_routable_address/6881 on interface outside
%PIX-2-106006: Deny inbound UDP from 62.141.54.206/6881 to client_routable_address/6881 on interface outside
%PIX-2-106006: Deny inbound UDP from 84.217.31.157/6881 to client_routable_address/6881 on interface outside
Relevant Config:
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any host client_routable_address eq 6881
access-list 101 extended permit udp any host client_routable_address eq 6881
global (outside) 3 client_routable_address
nat (BCM) 3 0.0.0.0 0.0.0.0
static (BCM,outside) tcp 192.168.20.10 6881 client_routable_address 6881 netmask 255.255.255.255
static (BCM,outside) udp 192.168.20.10 6881 client_routable_address 6881 netmask 255.255.255.255
access-group 101 in interface outside
The static translations are there when issuing "show xlate":
# sh xlate
50 in use, 957 most used
PAT Global 192.168.20.10(6881) Local client_routable_address(6881)
PAT Global 192.168.20.10(6881) Local client_routable_address(6881)
acl 101 "6881" entries are not getting hit though:
# show access-list 101
access-list 101; 7 elements
access-list 101 line 1 extended permit icmp any any echo-reply (hitcnt=0)
access-list 101 line 2 extended permit icmp any any source-quench (hitcnt=10)
access-list 101 line 3 extended permit icmp any any unreachable (hitcnt=10279)
access-list 101 line 4 extended permit icmp any any time-exceeded (hitcnt=265)
access-list 101 line 5 extended permit tcp any host client_routable_address eq 6881 (hitcnt=0)
access-list 101 line 6 extended permit udp any host client_routable_address eq 6881 (hitcnt=0)
Am I missing anything obvious?
04-21-2006 02:17 AM
Hi,
I think you have got your STATIC lines reversed, they should be:
static (BCM,outside) tcp client_routable_address 6881 192.168.20.10 6881 netmask 255.255.255.255
Assuming that "client_routable_address" is your public IP and BCM is your "inside" or "DMZ" interface.
Salem.
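A config check for the reversed-argument mistake pointed out in the answer above, as an added example that is not part of the original thread. It parses port-forward `static` lines in the order `static (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port` and verifies that each mapped address/port has a matching inbound permit. The function names are hypothetical, 203.0.113.10 is a constructed stand-in for client_routable_address, and only `permit ... any host X eq P` ACL entries are assumed.

```python
import ipaddress
import re

# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port
STATIC_RE = re.compile(r"^static \((\S+?),(\S+?)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# access-list NAME extended permit {tcp|udp} any host DST eq PORT
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for a literal RFC 1918 address; names and placeholders give False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def lint_port_forwards(config):
    """Return findings for port-forward statics that the inbound ACL cannot match."""
    statics, permits, findings = [], [], []
    for line in config.splitlines():
        if m := STATIC_RE.match(line.strip()):
            statics.append(m.groups()[2:])  # proto, mapped_ip, mapped_port, real_ip, real_port
        elif m := ACL_RE.match(line.strip()):
            permits.append(m.groups()[1:])  # proto, dst_ip, dst_port
    for proto, mapped_ip, mapped_port, real_ip, real_port in statics:
        if is_rfc1918(mapped_ip) and not is_rfc1918(real_ip):
            findings.append(f"{proto}/{mapped_port}: mapped {mapped_ip} is private, real {real_ip} is not; arguments look swapped")
        if (proto, mapped_ip, mapped_port) not in permits:
            findings.append(f"{proto}/{mapped_port}: no ACL permit to mapped address {mapped_ip}")
    return findings


# Constructed sample: 203.0.113.10 stands in for client_routable_address.
ACLS = """access-list 101 extended permit tcp any host 203.0.113.10 eq 6881
access-list 101 extended permit udp any host 203.0.113.10 eq 6881
"""
REVERSED = ACLS + """static (BCM,outside) tcp 192.168.20.10 6881 203.0.113.10 6881 netmask 255.255.255.255
static (BCM,outside) udp 192.168.20.10 6881 203.0.113.10 6881 netmask 255.255.255.255
"""
CORRECTED = ACLS + """static (BCM,outside) tcp 203.0.113.10 6881 192.168.20.10 6881 netmask 255.255.255.255
static (BCM,outside) udp 203.0.113.10 6881 192.168.20.10 6881 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for name, cfg in (("reversed", REVERSED), ("corrected", CORRECTED)):
        print(name, lint_port_forwards(cfg) or "ok")
```

With the reversed statics, the ACL entries for port 6881 never match a translation, which is consistent with the hitcnt=0 counters and the 106006 denies shown in the question.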
04-23-2006 02:20 PM
Champion! That was it.
Thank you.