Traffic not passing through firewall

mickyq
Level 1

I've got a problem with passing traffic through a Cisco 515E firewall.

I'm trying to telnet to devices on the inside net, 172.16.x.x, from an outside net, 10.x.x.x.

I've configured a group called INFRASTRUCTURE and added the 10.x.x.x addresses.

I've configured ACL 101 inbound on the outside interface:

access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet

There's a route to the inside net:

inside 172.16.0.0 255.255.0.0 172.16.163.1

and there's a translation:

static (inside,outside) 10.4.4.34 10.4.4.34 netmask 255.255.255.255

When I try to connect, using a packet capture I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface, but I can't see the traffic leave the outside interface.

I've used the same INFRASTRUCTURE group before to connect to VM machines on the 172.x.x.x net over RDP, and this works OK:

access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389

Does anyone have any idea what is wrong?

8 Replies

Rudy Sanjoko
Level 4

have you configured the default route to the outside?

Julio Carvajal
VIP Alumni

What is the IP address of the host on the outside?

What is the IP address of the inside host that will be accessed via telnet?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mickyq
Level 1

Thanks for the reply, guys.
Here's a diagram that might help explain my issue.

rdp from 10.4.4.34 to 172.16.163.186 works

telnet from 10.4.4.34 to 172.16.163.7 does not work

rizwanr74
Level 7

Hi Michael,

Check whether telnet is enabled and accessible on the host at 172.16.163.7, and do you have a default gateway assigned on the host at 172.16.163.7?

thanks

Rizwan Rafeek

Hi Rizwan

Telnet is enabled and the default route is configured. I can telnet to any switch on the 172.16.163.0 subnet from a device on that subnet. I have recently inherited this network and I'm trying to set up remote access. I configured 172.16.163.7 to accept telnet sessions from 10.4.4.34. I don't understand why I can't see the telnet leave the firewall on the last interface.

thanks

Michael

Please provide the output of the following command on the right ASA: packet-tracer input outside tcp 172.18.3.65 23 172.16.163.7 23

Hi Michael,

Please post the output from below command.

packet-tracer input outside icmp 10.4.4.34 8 0 172.16.163.7

You may have to allow ICMP through temporarily on ACL 101 to check reachability.

Looking forward to hearing from you.

thanks

Rizwan Rafeek


mickyq
Level 1

Thanks for the replies, guys. I'm not able to post the output at the moment. I'm away from work and I don't have access.

I have made a little headway. If I use a static translation on the right-hand firewall:

static (inside,outside) 172.16.163.7 172.16.163.7 255.255.255.255

I can connect. The problem is I would need a static for every switch I need to telnet to.
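The per-switch identity static in the last post generalises to one line covering the whole management subnet, which is what a practitioner would do here instead of adding a static per switch. The configuration below is an added example, not configuration from the original thread or from the poster's firewall. It assumes PIX/ASA 7.x-style syntax with nat-control in effect (the thread uses packet-tracer, which exists from 7.2), that every switch to be managed sits in 172.16.163.0/24, and that the object group INFRASTRUCTURE and ACL 101 exist as the first post describes; the names NONAT and MGMT_SWITCHES are made up for the illustration, and 10.4.4.34 is the outside host from the thread.

```cisco
! --- What the thread ended up with: one identity static per switch.
! Works, but every new switch needs another line.
static (inside,outside) 172.16.163.7 172.16.163.7 netmask 255.255.255.255

! --- Generalisation (assumed: all switches live in 172.16.163.0/24).
! One identity static for the whole subnet; inbound-initiated telnet from
! the outside now finds a translation for every 172.16.163.x host.
static (inside,outside) 172.16.163.0 172.16.163.0 netmask 255.255.255.0

! --- Alternative with the same effect: NAT exemption via an ACL.
! Unlike plain 'nat (inside) 0 <net>' (outbound-initiated only), exemption
! through an access-list also lets the outside side initiate. NONAT is a
! made-up name; the outside host is the one the thread uses.
access-list NONAT permit ip 172.16.163.0 255.255.255.0 host 10.4.4.34
nat (inside) 0 access-list NONAT

! --- Tighten ACL 101. The thread's rule permits telnet from INFRASTRUCTURE
! to 'any' inside host; scope it to the switch subnet instead, the same way
! the RDP rule is already scoped to object-group VMs. MGMT_SWITCHES is made up.
object-group network MGMT_SWITCHES
 network-object 172.16.163.0 255.255.255.0
access-list 101 permit tcp object-group INFRASTRUCTURE object-group MGMT_SWITCHES eq telnet
no access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
access-group 101 in interface outside

! --- Verify without a capture. Before the static/exemption the NAT phase
! drops the flow (syslog 305005, "No translation group found"); afterwards
! the final action is ALLOW.
packet-tracer input outside tcp 10.4.4.34 40000 172.16.163.7 23
```

Use either the subnet static or the NAT exemption, not both. Because telnet carries the switch credentials in the clear across the 10.x.x.x network, the natural follow-up once this works is to enable SSH on the switches and change `eq telnet` to `eq ssh` in ACL 101.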
