05-29-2013 07:11 PM - edited 03-11-2019 06:51 PM
I have a very simple request on 8.6 code: I need to translate a public IP address to a private one on a given port. I have the following:
object network obj-TEST
 host 192.168.10.10
!
object network obj-TEST
 nat (inside,outside) static 88.88.88.88
!
access-list incoming_outside extended permit tcp any host 88.88.88.88 eq 3389
access-group incoming_outside in interface outside
Yet I am not able to RDP to 88.88.88.88 from the outside.
I checked that 192.168.10.10 is reachable from the firewall and the port is open from the inside.
Any idea what's wrong with this config?
05-29-2013 07:49 PM
Try changing the ACL from 88.88.88.88 to 192.168.10.10.
05-29-2013 10:13 PM
You should always use real, not mapped, addresses in ACLs when working with post-8.3 code, so do what Colin said.
05-30-2013 03:55 AM
It's working now. It looks strange to allow a private IP address incoming to the outside interface; I can't seem to wrap my head around this.
05-30-2013 03:57 AM
Hi Ronni,
The reason for this is the fact that NAT and ACL operations have changed in the new software.
When a connection arrives on the ASA to a NATed destination address, the ASA first UNTRANSLATES that public NAT IP address to the local IP address.
So after that phase of processing the packet, the destination address is already the local IP address.
When the ASA reaches the ACL phase, it will therefore need to allow the traffic to the REAL IP address rather than the NAT IP address.
Hope this helps.
- Jouni
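Following the explanation above (un-NAT first, then the ACL is matched against the real address), this added example, which is not part of the original thread and not Cisco tooling, is a small Python audit that reads an 8.3+ style configuration and flags access-list entries that still name a statically mapped address. The function names are hypothetical, the sample input is the configuration posted in the question, and it assumes host objects whose static NAT uses a literal mapped IP.

```python
import re

# Constructed sample input: the configuration posted in the question.
SAMPLE_CONFIG = """\
object network obj-TEST
 host 192.168.10.10
!
object network obj-TEST
 nat (inside,outside) static 88.88.88.88
!
access-list incoming_outside extended permit tcp any host 88.88.88.88 eq 3389
access-group incoming_outside in interface outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_static_nat(config):
    """Return {mapped_ip: real_ip} for host objects that carry static object NAT."""
    real, mapped, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(rf"host ({IPV4})$", line)):
            real[current] = m.group(1)
        elif current and (m := re.match(rf"nat \(\S+\) static ({IPV4})\b", line)):
            mapped[current] = m.group(1)
        else:
            current = None  # any other line ends the object sub-mode
    return {mapped[n]: real[n] for n in mapped if n in real}

def find_mapped_in_acls(config):
    """Flag ACL entries that name a mapped address; 8.3+ matches on the real one."""
    nat = parse_static_nat(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list "):
            continue
        for ip in re.findall(rf"\bhost ({IPV4})\b", line):
            if ip in nat:
                fixed = re.sub(rf"\bhost {re.escape(ip)}\b", f"host {nat[ip]}", line)
                findings.append({"acl": line.split()[1], "mapped": ip,
                                 "real": nat[ip], "suggested": fixed})
    return findings

if __name__ == "__main__":
    for f in find_mapped_in_acls(SAMPLE_CONFIG):
        print(f"{f['acl']}: {f['mapped']} is mapped, use {f['real']}")
        print("  " + f["suggested"])
```

Run against a configuration migrated from pre-8.3 code, each finding is an entry to review, since those ACLs were written against mapped addresses.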
05-30-2013 11:44 PM
I need DMZ to inside configuration
DMZ Interface IP 10.1.1.1/24
DMZ Server IP 10.1.1.254
Inside Interface 192.168.11.249
Thanks and regards
05-30-2013 11:48 PM
Hi,
Please start a new discussion for your own questions that aren't related to the original topic.
Depending on the software level of your firewall, you might not need any NAT configuration.
- Jouni