Problem with external access to internal hosts after upgrade to 8.6 firmware

baskervi
Level 1

We recently upgraded our firewall, and the new firewall has 8.6 firmware. We're having problems with users accessing an internal server from the outside. Here is a portion of the configuration:

======
object network obj-192.168.1.201
 host 192.168.1.201
access-list OUTSIDE extended permit tcp any host xx.19.53.7 eq www
access-list OUTSIDE extended permit tcp any host xx.19.53.7 eq https
access-list OUTSIDE extended permit tcp any host xx.19.53.7 eq 8080
object network obj-192.168.1.201
 nat (inside,outside) static xx.19.53.7
=======

The interesting thing is that if I create an access list entry from my external public IP to all addresses, e.g. "access-list OUTSIDE extended permit ip host xx.174.187.166 any", this works; however, the following doesn't work: "access-list OUTSIDE extended permit ip host xx.174.187.166 host xx.19.53.7".

Using Wireshark, the SYN packets are continually resent, and a SYN/ACK is never received. When I insert the access-list entry for my public IP address to any, I see the packet flow of a normal session.

I presume I have a misconfiguration with the new firmware, but can anyone shed some light on this? Thank you.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You need to make the ACL statements to use the local IP address of 192.168.1.201

Example would be

access-list OUTSIDE extended permit tcp any object obj-192.168.1.201 eq www
access-list OUTSIDE extended permit tcp any object obj-192.168.1.201 eq https
access-list OUTSIDE extended permit tcp any object obj-192.168.1.201 eq 8080

If you don't want to use the objects in the ACL statements you could simply do the following

access-list OUTSIDE extended permit tcp any host 192.168.1.201 eq www
access-list OUTSIDE extended permit tcp any host 192.168.1.201 eq https
access-list OUTSIDE extended permit tcp any host 192.168.1.201 eq 8080

I guess you have upgraded from 8.2 or earlier software?

In the newer software, 8.3 and onwards, ACLs need to use the real IP addresses instead of the NAT/mapped IP address. This is because of the NAT changes from 8.3 onwards as well.

And as you can see, with static NAT configurations and the local IP address under the new "network object", you can therefore use the "object" in your ACL statements.

- Jouni

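The accepted answer's rule (from 8.3 onwards, an interface ACL must name the real address of a statically NAT'd host, while addresses that are not translated, such as the external client's own IP, stay as they are) is easy to check mechanically after an upgrade. The script below is an added example, not code from the thread or from Cisco: it parses a constructed ASA configuration fragment modelled on the post (the "xx." public addresses are the page's placeholders), builds a mapped-to-real table from each `object network` block that carries `host` and a `nat (...) static` line, and reports every `access-list` entry that still refers to a mapped address, together with the rewrite Jouni suggests (`object <name>` in place of `host <mapped-ip>`). The function names, the regexes and the scope (single-host objects only, no subnet or range objects, no twice NAT) are my assumptions, and it is a text check, not a full ASA parser.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the configuration in the post (not copied
# from a real device): an 8.3+ network object with a static NAT, ACL entries
# that still reference the mapped/public address, the original poster's
# host-to-host test entry, and one entry that already uses a real address.
# The "xx." public addresses are the placeholders used on the page.
SAMPLE_CONFIG = """\
object network obj-192.168.1.201
 host 192.168.1.201
 nat (inside,outside) static xx.19.53.7
access-list OUTSIDE extended permit tcp any host xx.19.53.7 eq www
access-list OUTSIDE extended permit tcp any host xx.19.53.7 eq https
access-list OUTSIDE extended permit tcp any host xx.19.53.7 eq 8080
access-list OUTSIDE extended permit ip host xx.174.187.166 host xx.19.53.7
access-list OUTSIDE extended permit tcp any host 192.168.1.202 eq ssh
"""


def parse_static_nats(config: str) -> Dict[str, Tuple[str, str]]:
    """Map each mapped (NAT'd) address to (object name, real address).

    Only the simple case the post shows is handled: an 'object network'
    block containing 'host <real>' and 'nat (...) static <mapped>'.
    Subnet/range objects and twice NAT are deliberately out of scope.
    """
    mapping: Dict[str, Tuple[str, str]] = {}
    name = real = None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)\s*$", line)
        if m:
            name, real = m.group(1), None
            continue
        if not line.startswith(" "):
            # Any other top-level command ends the current object block.
            name = real = None
            continue
        if name is None:
            continue
        m = re.match(r"^\s+host (\S+)\s*$", line)
        if m:
            real = m.group(1)
            continue
        m = re.match(r"^\s+nat \([^)]*\) static (\S+)", line)
        if m and real is not None:
            mapping[m.group(1)] = (name, real)
    return mapping


def check_acl(config: str) -> List[Tuple[str, str]]:
    """Return (offending ACE, corrected ACE) for every access-list line that
    names a mapped address with 'host'. The fix substitutes 'object <name>'
    as the accepted answer recommends; addresses that are not subject to a
    static NAT (e.g. the external client's own address) are left untouched."""
    nats = parse_static_nats(config)
    findings: List[Tuple[str, str]] = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        touched = False

        def to_object(m):
            nonlocal touched
            ip = m.group(1)
            if ip in nats:
                touched = True
                return f"object {nats[ip][0]}"
            return m.group(0)

        fixed = re.sub(r"\bhost (\S+)", to_object, line)
        if touched:
            findings.append((line, fixed))
    return findings


if __name__ == "__main__":
    for bad, good in check_acl(SAMPLE_CONFIG):
        print(f"- {bad}\n+ {good}")
```

Run against the sample, the three `www`/`https`/`8080` entries and the poster's host-to-host entry are flagged, and only the destination side of the host-to-host entry is rewritten, which is exactly why `permit ip host xx.174.187.166 any` worked in the original post while `... host xx.19.53.7` did not: the source is never translated, the destination is. The `ssh` entry already uses a real address and is not reported. On the ASA itself, `packet-tracer input outside tcp xx.174.187.166 12345 xx.19.53.7 80` shows the same thing from the firewall's side by reporting which phase (UN-NAT, then ACCESS-LIST) drops the flow.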

Thank you very much. I missed the access change in the access list, but it's working now. Take care.
