06-17-2009 05:33 PM
I have been using CCA 2.0 and configured the device based on documents (a recurring story) and, well, it won't work... again.
These are the results of 'show tcp brief':
SR520#show tcp brief all
TCB Local Address Foreign Address (state)
84C8EFD4 192.168.75.1.23 172.16.33.10.3227 ESTAB
86479CB0 192.168.75.1.443 172.16.33.10.3078 ESTAB
8647850C 192.168.75.1.443 172.16.33.10.3122 ESTAB
84B08378 192.168.75.1.23 172.16.33.10.3062 ESTAB
83B7FAB8 192.168.75.1.23 172.16.33.10.3041 ESTAB
851D6704 *.443 *.* LISTEN
851D5CF4 *.443 *.* LISTEN
851D56B8 *.80 *.* LISTEN
85419B70 *.80 *.* LISTEN
85DAD264 XXX.XXX.XXX.194.ptr.us.443 *.* LISTEN
SR520#
It appears that CCA is not correctly adding the info into the configuration, or is it?
It made these ACL entries:
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.75.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.75.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.75.2
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.10.12
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip any host XX.XX.XX.194
It added this for one port but not for the others:
ip port-map user-protocol--1 port tcp 3389
and it added this:
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.12 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720
Yet none of these ports are allowed through the firewall.
Please help me figure this out.
Thanks
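Added example, not part of the original posts and not Cisco or CCA code: a Python script that cross-checks the static NAT forwards quoted in the post above against the `ip port-map` and ACL lines beside them, so the forwards with no matching entry stand out. The function name `audit` is hypothetical, and treating a missing port-map entry as the thing to look for follows the poster's observation; it is an assumption about the symptom, not a description of how CCA builds the firewall policy.

```python
import re

# Lines copied from the post above (ACLs 103, 104 and 106 omitted for brevity).
CONFIG = """\
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.75.2
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.10.12
ip port-map user-protocol--1 port tcp 3389
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.12 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720
"""

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
PORTMAP_RE = re.compile(r"^ip port-map (\S+) port (tcp|udp) (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit ip any host (\S+)$")

def audit(config):
    """Return one row per static NAT forward with its port-map and ACL coverage."""
    nats, portmaps, acl_hosts = [], set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            proto, host, in_port, iface, out_port = m.groups()
            nats.append((proto, host, int(in_port), int(out_port)))
        elif m := PORTMAP_RE.match(line):
            portmaps.add((m.group(2), int(m.group(3))))
        elif m := ACL_RE.match(line):
            acl_hosts.setdefault(m.group(2), []).append(int(m.group(1)))
    report = []
    for proto, host, in_port, out_port in nats:
        report.append({
            "forward": f"{proto}/{out_port} -> {host}:{in_port}",
            # Assumption: compare on the inside (post-NAT) protocol and port.
            "port_map": (proto, in_port) in portmaps,
            "acls": acl_hosts.get(host, []),
        })
    return report

if __name__ == "__main__":
    for row in audit(CONFIG):
        status = "port-map present" if row["port_map"] else "NO port-map entry"
        print(f"{row['forward']:<34} {status:<18} ACLs {row['acls']}")
```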
07-13-2009 06:30 AM
I think the CCA team knows of some issue with this. In May, I had heard that, while configuration of a NAT static entry is supported by CCA, there is an issue in that CCA currently does not modify the firewall configuration to allow the statically mapped IP and TCP port to pass through.
I heard we were looking to resolve in a subsequent CCA release. I will find out when or ask that team to reply....
Steve DiStefano
SE Small Business Sales
U.S. Field Channel
07-13-2009 09:47 AM
This is resolved in CCA 2.0(1). TCP or UDP ports configured for static NAT mapping should be passed through the firewall.
Rgds,
Tomoo
07-13-2009 09:57 AM
MOST excellent news!!!! 2.0(1) is NOW available as well!!!!! Since last week....