01-17-2013 07:15 AM - edited 03-11-2019 05:48 PM
I've got a problem with passing traffic through a Cisco 515e firewall.
I'm trying to telnet to devices on the inside net, 172.16.x.x, from an outside net 10.x.x.x.
I've configured a group called INFRASTRUCTURE and added the 10.x.x.x addresses.
I've configured ACL 101 inbound on the outside interface:
access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
There's a route to the inside net:
inside 172.16.0.0 255.255.0.0 172.16.163.1
and there's a translation:
static (inside,outside) 10.4.4.34 10.4.4.34 netmask 255.255.255.255
When I try to connect, using a packet capture I can see traffic from 10.4.4.34 to the inside device 172.x.x.x on the inside interface, but I can't see the traffic leave the outside interface.
I've used the same INFRASTRUCTURE group before to connect to VM machines on the 172.x.x.x net over RDP and this works OK:
access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389
Does anyone have any idea what is wrong?
01-17-2013 08:01 AM
Have you configured the default route to the outside?
01-17-2013 10:27 AM
What is the IP address of the host on the outside?
What is the IP address of the inside host that will be accessed via telnet?
Regards
01-17-2013 11:58 AM
Thanks for the reply, guys.
Here's a diagram that might help explain my issue.
RDP from 10.4.4.34 to 172.16.163.186 works.
Telnet from 10.4.4.34 to 172.16.163.7 does not work.
01-17-2013 12:23 PM
Hi Michael,
Check whether telnet is enabled or accessible on the host at 172.16.163.7, and do you have a default gateway assigned on the host at 172.16.163.7?
thanks
Rizwan Rafeek
01-17-2013 01:00 PM
Hi Rizwan
Telnet is enabled and the default route is configured. I can telnet to any switch on the 172.16.163.0 subnet from a device on that subnet. I have recently inherited this network and I'm trying to set up remote access. I configured 172.16.163.7 to accept telnet sessions from 10.4.4.34. I don't understand why I can't see the telnet leave the firewall on the last interface.
thanks
Michael
01-18-2013 12:30 AM
Please provide the output of the following command on the right ASA: packet-tracer input outside tcp 172.18.3.65 23 172.16.163.7 23
01-18-2013 08:29 AM
Hi Michael,
Please post the output from the command below.
packet-tracer input outside icmp 10.4.4.34 8 0 172.16.163.7
You may have to allow ICMP to traverse temporarily on ACL 101, to check the reachability.
Looking forward to hearing from you.
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed
01-18-2013 12:24 PM
Thanks for the replies, guys. I'm not able to post the output at the moment. I'm away from work and I don't have access.
I have made a little headway. If I use a static translation on the right-hand firewall:
static (inside,outside) 172.16.163.7 172.16.163.7 255.255.255.255
I can connect. The problem is I would need a static for every switch I need to telnet to.
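The symptom in the opening post (traffic seen on the inside capture but dropped before leaving the outside interface) and the partial fix in the last post (an identity static for one host makes telnet work) are both consequences of how a pre-8.3 PIX/ASA treats a packet arriving on the lower-security interface: it must pass the inbound ACL and there must be a translation covering the destination, or the packet is dropped. The following added example is not from the thread or from Cisco; it is a small Python model that parses the thread's own object-group, access-list and static lines and replays the two checks the way packet-tracer would report them. It assumes the object-group VMs and a static for 172.16.163.186 (constructed here, since the thread only says RDP to that host works), and it ignores everything else a real ASA does (nat 0, policy NAT, routing, inspection), so it is a model of the one mechanism under discussion, not of the firewall.

```python
# Added example, not Cisco code: a toy model of pre-8.3 PIX/ASA inbound processing
# (outside -> inside) reduced to the two phases the thread turns on:
#   1. the inbound ACL on the outside interface
#   2. the requirement that a static translation cover the destination
import ipaddress
from dataclasses import dataclass, field

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}  # subset, enough for the parser


def _port(token):
    return PORT_NAMES.get(token) or int(token)


@dataclass
class Firewall:
    groups: dict = field(default_factory=dict)   # object-group name -> [ip_network, ...]
    acl: list = field(default_factory=list)      # (src_nets, dst_nets, dport or None) permits
    statics: list = field(default_factory=list)  # global-side networks reachable from outside

    def _addr(self, tok, i):
        """Parse one ACL address spec starting at tok[i]; return (networks, next index)."""
        if tok[i] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], i + 1
        if tok[i] == "host":
            return [ipaddress.ip_network(tok[i + 1])], i + 2
        if tok[i] == "object-group":
            return self.groups[tok[i + 1]], i + 2
        return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2  # "network mask" form

    def load(self, config):
        current = None
        for line in config.splitlines():
            tok = line.split()
            if not tok:
                continue
            if tok[:2] == ["object-group", "network"]:
                current = self.groups.setdefault(tok[2], [])
            elif tok[0] == "network-object":
                net = tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
                current.append(ipaddress.ip_network(net))
            elif tok[0] == "access-list" and tok[2] == "permit":
                # access-list 101 permit tcp SRC DST [eq PORT]
                src, i = self._addr(tok, 4)
                dst, i = self._addr(tok, i)
                dport = _port(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
                self.acl.append((src, dst, dport))
            elif tok[0] == "static":
                # static (inside,outside) GLOBAL LOCAL [netmask] MASK -> GLOBAL/MASK is reachable
                self.statics.append(ipaddress.ip_network(f"{tok[2]}/{tok[-1]}"))

    def trace(self, src, dst, dport):
        """Return (verdict, phase) in the spirit of packet-tracer's per-phase result."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        permitted = any(any(s in n for n in sn) and any(d in n for n in dn) and p in (None, dport)
                        for sn, dn, p in self.acl)
        if not permitted:
            return "DROP", "ACCESS-LIST"
        if not any(d in n for n in self.statics):
            return "DROP", "NAT (no translation group found)"
        return "ALLOW", "NAT"


# Constructed config: the lines quoted in the thread, plus an assumed VMs group and a
# static for the RDP host (the thread only says RDP to 172.16.163.186 works).
THREAD_CONFIG = """
object-group network INFRASTRUCTURE
 network-object host 10.4.4.34
object-group network VMs
 network-object host 172.16.163.186
access-list 101 permit tcp object-group INFRASTRUCTURE any eq telnet
access-list 101 permit tcp object-group INFRASTRUCTURE object-group VMs eq 3389
static (inside,outside) 10.4.4.34 10.4.4.34 netmask 255.255.255.255
static (inside,outside) 172.16.163.186 172.16.163.186 netmask 255.255.255.255
"""

# One network identity static instead of one static per switch (assumed fix, pre-8.3 syntax).
SUBNET_STATIC = "static (inside,outside) 172.16.163.0 172.16.163.0 netmask 255.255.255.0\n"


def demo(extra=""):
    """Replay the thread's three interesting flows against the config plus any extra lines."""
    fw = Firewall()
    fw.load(THREAD_CONFIG + extra)
    return {
        "rdp": fw.trace("10.4.4.34", "172.16.163.186", 3389),   # works in the thread
        "telnet": fw.trace("10.4.4.34", "172.16.163.7", 23),     # fails in the thread
        "stranger": fw.trace("10.9.9.9", "172.16.163.7", 23),    # not in INFRASTRUCTURE
    }


if __name__ == "__main__":
    for label, extra in (("as posted", ""), ("with subnet static", SUBNET_STATIC)):
        for flow, result in demo(extra).items():
            print(f"{label:20} {flow:9} {result}")
```

As posted, the telnet flow clears the ACL and is then dropped in the NAT phase, which matches what the captures showed; the one-line network static makes every 172.16.163.0/24 switch reachable without a per-host entry. Note that the ACL line `permit tcp object-group INFRASTRUCTURE any eq telnet` exposes telnet on every inside host to the management addresses; replacing `any` with an object-group of the switches that actually need it keeps the permit as narrow as the RDP rule already is.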