
Cisco ASA 5505 Packet Tracer OK but Port is not open

a_beetz

Dear all, 

 

I am kind of new to firewall management and have my first issue, which I can't solve no matter what I try. I have a Cisco ASA 5505 with ASA 8.4(3) where I am trying to open port 9101 for a local server over the internet.

 

I ran Packet Tracer, and the access list and NAT seem fine because I see green check marks everywhere. Unfortunately, if I do a port check, the port is still closed.

What can I do to make the port publicly available, or where do I need to take a deeper look?

 

Cheers

Alex

 

Accepted Solutions

Just found the solution. Because there was a duplicate, outside_access_in and outside_access_in_1, I cleared that up. Also, I removed all the settings and built the Cisco ASA from scratch. Now it's working like a charm.


Hello,

 

Post the config of your ASA. Basically, a simple PAT should look like this:

 

object network WEB-TCP-9101
 host 192.168.1.11
 nat (inside,outside) static 201.8.2.41 service tcp 9101 9101

Hello,

 

What is the IP address of the local server?

Hi Georg,

Basically, I want to open TCP port 9101 on local IP 192.168.20.154 so that this port is accessible via external IP 93.104.235.45.

 

Here are my network objects:

 

object network OnlineMUC-LAN
 subnet 192.168.20.0 255.255.255.0
 description OnlineMUC-LAN
object network NETWORK_OBJ_172.16.20.0_25
 subnet 172.16.20.0 255.255.255.128
object network NETWORK_OBJ_172.16.20.128_25
 subnet 172.16.20.128 255.255.255.128
object network DFV-LAN
 subnet 192.168.25.0 255.255.255.0
 description DFV-LAN
object network DFV-pfSense-Firewall
 range 192.168.25.2 192.168.25.10
object network DFV-IPMI
 host 192.168.25.135
object network NETWORK_OBJ_192.168.20.0_24
 subnet 192.168.20.0 255.255.255.0
object network NETWORK_OBJ_192.168.43.0_24
 subnet 192.168.43.0 255.255.255.0
object network GASTLAN
 subnet 192.168.22.0 255.255.255.0
object network DFV-pfSense-Firewall-TCP
 range 192.168.25.1 192.168.25.10
object network ONL-LAN-20
 subnet 192.168.20.0 255.255.255.0
object network DFV-LAN-25
 subnet 192.168.25.0 255.255.255.0
object service Swyx-16203
 service tcp source range 1 65535 destination eq 16203 
object service Swyx-9101
 service tcp source range 1 65535 destination eq 9101 
object service http-80
 service tcp source range 1 65535 destination eq www 
object service RDP
 service tcp destination eq 3389 
 description RDP
object network NETWORK_OBJ_192.168.20.209_24
 host 192.168.20.209
 description CRM
object service RDP_TS
 service tcp source eq 3389 
object service HTTPS-RDG
 service tcp source eq https 
object network SwxyIT-Extern-1
 subnet 213.148.136.0 255.255.255.0
 description SwxyIT-Extern-1
object network SwyxIT2-Extern
 subnet 213.148.137.0 255.255.255.0
 description SwyxIT2-Extern
object service Swyx-20000-59999
 service udp source range 55000 56000 destination range 20000 59999 
object service Swyx-5060
 service udp source eq 65002 destination eq sip 
object network SIP-Host-Telenova
 host 213.148.136.190
object network SIP-Host-Telenova_2
 host 213.148.136.222
object network Extern-Compeso
 host 88.217.41.230
object service Swyx-9101_Mobile
 service tcp source eq 9101 destination eq 9101 
 description Swyx Mobile
object network DFP-pfSense-VPN-UDP
 host 192.168.25.10
object service DSV-Firewall
 service tcp source eq 1194 destination eq 1194 
object service Swyx-16203-Udp
 service udp destination eq 16203 
object service Swyx-9101-Udp
 service udp destination eq 9101 
object service OpenVPN
 service udp destination eq 1194 
object network onlcrm01
 host 192.168.20.154
 description Swyx-Server
object-group network DM_INLINE_NETWORK_1
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.10.0 255.255.255.0
 network-object object OnlineMUC-LAN
object-group network DM_INLINE_NETWORK_2
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.10.0 255.255.255.0
 network-object object OnlineMUC-LAN
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.20.0 255.255.255.0
 network-object object DFV-LAN
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service grp_swyx
 service-object object Swyx-16203 
 service-object object Swyx-9101 
 service-object object Swyx-16203-Udp 
 service-object object Swyx-9101-Udp 
object-group service imap4-secure tcp
 port-object eq 993
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object icmp
 protocol-object udp
object-group network SwyxIT-Extern
 description Externe Endpunkte für SwyxIT
 network-object object SwxyIT-Extern-1
 network-object object SwyxIT2-Extern
object-group network SIP-Hosts
 network-object object SIP-Host-Telenova
 network-object object SIP-Host-Telenova_2
object-group service Swyx-Ports tcp
 port-object eq 9101
object-group network DM_INLINE_NETWORK_4
 network-object 10.1.1.0 255.255.255.0
 network-object 10.1.10.0 255.255.255.0
 network-object object OnlineMUC-LAN
object-group service DM_INLINE_SERVICE_1
 service-object tcp destination eq https 
 service-object udp destination eq 1194 
 service-object tcp destination eq 1194 
object-group service DM_INLINE_SERVICE_2
 service-object object OpenVPN 
 service-object tcp destination eq https 
 service-object tcp destination eq 1194 
object-group service DM_INLINE_SERVICE_3
 service-object object OpenVPN 
 service-object tcp destination eq https 
 service-object tcp destination eq 1194 
object-group service DM_INLINE_SERVICE_4
 service-object tcp destination eq 1194 
 service-object tcp destination eq https 
 service-object udp destination eq 1194 
object-group service DM_INLINE_SERVICE_5
 service-object object OpenVPN 
 service-object tcp destination eq 1194 
 service-object tcp destination eq https 
object-group service DM_INLINE_SERVICE_6
 service-object tcp destination eq 1194 
 service-object tcp destination eq https 
 service-object udp destination eq 1194 
object-group service DM_INLINE_SERVICE_7
 service-object tcp destination eq 1194 
 service-object tcp destination eq https 
 service-object udp destination eq 1194 
object-group service DM_INLINE_SERVICE_8
 service-object object OpenVPN 
 service-object tcp destination eq 1194 
object-group service DM_INLINE_SERVICE_9
 service-object object OpenVPN 
 service-object tcp destination eq 1194 
 service-object tcp destination eq https 

 

Here is my access list:

 

Result of the command: "sh access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_access_in; 45 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit icmp object-group DM_INLINE_NETWORK_1 any log disable 0x624926ff 
  access-list inside_access_in line 1 extended permit icmp 10.1.1.0 255.255.255.0 any log disable (hitcnt=0) 0xcb63138b 
  access-list inside_access_in line 1 extended permit icmp 10.1.10.0 255.255.255.0 any log disable (hitcnt=0) 0x70b8f218 
  access-list inside_access_in line 1 extended permit icmp 192.168.20.0 255.255.255.0 any log disable (hitcnt=22405) 0x6390c368 
access-list inside_access_in line 2 extended permit object-group grp_swyx object-group DM_INLINE_NETWORK_4 any log disable 0x62cb7528 
  access-list inside_access_in line 2 extended permit tcp 10.1.1.0 255.255.255.0 range 1 65535 any eq 16203 log disable (hitcnt=0) 0x7baa71ca 
  access-list inside_access_in line 2 extended permit tcp 10.1.10.0 255.255.255.0 range 1 65535 any eq 16203 log disable (hitcnt=0) 0x18d1a8b1 
  access-list inside_access_in line 2 extended permit tcp 192.168.20.0 255.255.255.0 range 1 65535 any eq 16203 log disable (hitcnt=1) 0x7decd9c9 
  access-list inside_access_in line 2 extended permit tcp 10.1.1.0 255.255.255.0 range 1 65535 any eq 9101 log disable (hitcnt=0) 0x67cccac8 
  access-list inside_access_in line 2 extended permit tcp 10.1.10.0 255.255.255.0 range 1 65535 any eq 9101 log disable (hitcnt=0) 0x2e3905fd 
  access-list inside_access_in line 2 extended permit tcp 192.168.20.0 255.255.255.0 range 1 65535 any eq 9101 log disable (hitcnt=8) 0xac8739e2 
  access-list inside_access_in line 2 extended permit udp 10.1.1.0 255.255.255.0 any eq 16203 log disable (hitcnt=0) 0x431d5d4b 
  access-list inside_access_in line 2 extended permit udp 10.1.10.0 255.255.255.0 any eq 16203 log disable (hitcnt=0) 0x385ae41e 
  access-list inside_access_in line 2 extended permit udp 192.168.20.0 255.255.255.0 any eq 16203 log disable (hitcnt=0) 0x6c6e9746 
  access-list inside_access_in line 2 extended permit udp 10.1.1.0 255.255.255.0 any eq 9101 log disable (hitcnt=0) 0x1f8568ee 
  access-list inside_access_in line 2 extended permit udp 10.1.10.0 255.255.255.0 any eq 9101 log disable (hitcnt=0) 0x9ee3a995 
  access-list inside_access_in line 2 extended permit udp 192.168.20.0 255.255.255.0 any eq 9101 log disable (hitcnt=0) 0x1055a186 
access-list inside_access_in line 3 extended permit ip object-group DM_INLINE_NETWORK_2 any log disable 0xd8287ca3 
  access-list inside_access_in line 3 extended permit ip 10.1.1.0 255.255.255.0 any log disable (hitcnt=0) 0xe57d78e8 
  access-list inside_access_in line 3 extended permit ip 10.1.10.0 255.255.255.0 any log disable (hitcnt=0) 0x10362668 
  access-list inside_access_in line 3 extended permit ip 192.168.20.0 255.255.255.0 any log disable (hitcnt=755946) 0xb6c1be37 
access-list inside_access_in line 4 extended permit object-group DM_INLINE_SERVICE_9 any host 93.104.235.45 log disable (hitcnt=0) 0x7ffd308b 
  access-list inside_access_in line 4 extended permit udp any host 93.104.235.45 eq 1194 log disable (hitcnt=0) 0x504e0f20 
  access-list inside_access_in line 4 extended permit tcp any host 93.104.235.45 eq 1194 log disable (hitcnt=0) 0x9f9cb652 
  access-list inside_access_in line 4 extended permit tcp any host 93.104.235.45 eq https log disable (hitcnt=0) 0x27c1019c 
access-list inside_access_in line 5 extended permit object-group DM_INLINE_SERVICE_7 any object DFV-pfSense-Firewall 0x79d48ae8 
  access-list inside_access_in line 5 extended permit tcp any range 192.168.25.2 192.168.25.10 eq 1194 (hitcnt=0) 0x4ead6f9a 
  access-list inside_access_in line 5 extended permit tcp any range 192.168.25.2 192.168.25.10 eq https (hitcnt=0) 0x5b3a94f0 
  access-list inside_access_in line 5 extended permit udp any range 192.168.25.2 192.168.25.10 eq 1194 (hitcnt=0) 0x933a8a79 
access-list inside_access_in line 6 extended permit object-group DM_INLINE_SERVICE_1 object DFV-pfSense-Firewall any 0x147ef47e 
  access-list inside_access_in line 6 extended permit tcp range 192.168.25.2 192.168.25.10 any eq https (hitcnt=0) 0x63bc9a43 
  access-list inside_access_in line 6 extended permit udp range 192.168.25.2 192.168.25.10 any eq 1194 (hitcnt=0) 0x83ac09b5 
  access-list inside_access_in line 6 extended permit tcp range 192.168.25.2 192.168.25.10 any eq 1194 (hitcnt=0) 0xa4a31a42 
access-list outside_access_in; 16 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit object OpenVPN any object DFV-pfSense-Firewall 0x8609a5d5 
  access-list outside_access_in line 1 extended permit udp any range 192.168.25.2 192.168.25.10 eq 1194 (hitcnt=0) 0x778acbb8 
access-list outside_access_in line 2 extended permit object OpenVPN object DFV-pfSense-Firewall any 0xd6761725 
  access-list outside_access_in line 2 extended permit udp range 192.168.25.2 192.168.25.10 any eq 1194 (hitcnt=0) 0x0b3de504 
access-list outside_access_in line 3 extended permit object-group grp_swyx any any (hitcnt=0) 0x8b0547d8 
  access-list outside_access_in line 3 extended permit tcp any range 1 65535 any eq 16203 (hitcnt=0) 0x4040eda4 
  access-list outside_access_in line 3 extended permit tcp any range 1 65535 any eq 9101 (hitcnt=9) 0x3a6dc19e 
  access-list outside_access_in line 3 extended permit udp any any eq 16203 (hitcnt=0) 0x53f1ae1f 
  access-list outside_access_in line 3 extended permit udp any any eq 9101 (hitcnt=0) 0x13617dab 
access-list outside_access_in line 4 extended permit udp any any eq 4500 (hitcnt=99) 0xbc60cf94 
access-list outside_access_in line 5 extended permit udp any any eq isakmp (hitcnt=24) 0x30418dd4 
access-list outside_access_in line 6 extended permit icmp any any (hitcnt=77642) 0x71af81e1 
access-list outside_access_in line 7 extended permit tcp any any eq https (hitcnt=73628) 0x558debb6 
access-list SplitTunnelSSL; 3 elements; name hash: 0xc93bbda3
access-list SplitTunnelSSL line 1 standard permit 192.168.20.0 255.255.255.0 (hitcnt=0) 0xc8e7b731 
access-list SplitTunnelSSL line 2 standard permit 10.1.10.0 255.255.255.0 (hitcnt=0) 0xa7846896 
access-list SplitTunnelSSL line 3 standard permit 10.1.1.0 255.255.255.0 (hitcnt=0) 0x28d34365 
access-list DFV_access_in; 32 elements; name hash: 0xde278618
access-list DFV_access_in line 1 extended permit ip 192.168.25.0 255.255.255.0 any log disable (hitcnt=691377) 0x1d7a2363 
access-list DFV_access_in line 2 extended permit icmp 192.168.25.0 255.255.255.0 any log disable (hitcnt=0) 0x7c980389 
access-list DFV_access_in line 3 extended permit object-group DM_INLINE_PROTOCOL_4 any any (hitcnt=30) 0x30f3ae36 
  access-list DFV_access_in line 3 extended permit udp any any (hitcnt=18) 0x8eed9c5d 
  access-list DFV_access_in line 3 extended permit tcp any any (hitcnt=6082) 0x92ca3d31 
access-list DFV_access_in line 4 extended permit object-group DM_INLINE_SERVICE_4 any object DFV-pfSense-Firewall 0x9ec6a8b0 
  access-list DFV_access_in line 4 extended permit tcp any range 192.168.25.2 192.168.25.10 eq 1194 (hitcnt=0) 0xb8e8d54f 
  access-list DFV_access_in line 4 extended permit tcp any range 192.168.25.2 192.168.25.10 eq https (hitcnt=0) 0x5f87543f 
  access-list DFV_access_in line 4 extended permit udp any range 192.168.25.2 192.168.25.10 eq 1194 (hitcnt=0) 0xfef817bb 
access-list DFV_access_in line 5 extended permit object-group DM_INLINE_SERVICE_5 any host 93.104.235.45 log disable (hitcnt=0) 0x0d8ebed0 
  access-list DFV_access_in line 5 extended permit udp any host 93.104.235.45 eq 1194 log disable (hitcnt=0) 0x87efe5a5 
  access-list DFV_access_in line 5 extended permit tcp any host 93.104.235.45 eq 1194 log disable (hitcnt=0) 0xcc8d474c 
  access-list DFV_access_in line 5 extended permit tcp any host 93.104.235.45 eq https log disable (hitcnt=0) 0x32af425a 
access-list DFV_access_in line 6 extended permit udp any any eq isakmp (hitcnt=0) 0x50a06b7c 
access-list DFV_access_in line 7 extended permit object-group DM_INLINE_SERVICE_6 object DFV-pfSense-Firewall any 0x7599c02d 
  access-list DFV_access_in line 7 extended permit tcp range 192.168.25.2 192.168.25.10 any eq 1194 (hitcnt=0) 0xa2dcafd1 
  access-list DFV_access_in line 7 extended permit tcp range 192.168.25.2 192.168.25.10 any eq https (hitcnt=0) 0x50aa9e56 
  access-list DFV_access_in line 7 extended permit udp range 192.168.25.2 192.168.25.10 any eq 1194 (hitcnt=0) 0xee7c5dd6 
access-list GASTLAN_access_in; 6 elements; name hash: 0xeb8a13f0
access-list GASTLAN_access_in line 1 extended deny object-group DM_INLINE_PROTOCOL_1 object GASTLAN object-group DM_INLINE_NETWORK_3 log disable 0x6f3255a5 
  access-list GASTLAN_access_in line 1 extended deny ip 192.168.22.0 255.255.255.0 192.168.20.0 255.255.255.0 log disable (hitcnt=0) 0x7828230d 
  access-list GASTLAN_access_in line 1 extended deny ip 192.168.22.0 255.255.255.0 192.168.25.0 255.255.255.0 log disable (hitcnt=0) 0xf62c8895 
  access-list GASTLAN_access_in line 1 extended deny icmp 192.168.22.0 255.255.255.0 192.168.20.0 255.255.255.0 log disable (hitcnt=0) 0xa29a5d7e 
  access-list GASTLAN_access_in line 1 extended deny icmp 192.168.22.0 255.255.255.0 192.168.25.0 255.255.255.0 log disable (hitcnt=0) 0x4d5fe24c 
access-list GASTLAN_access_in line 2 extended permit object-group DM_INLINE_PROTOCOL_2 object GASTLAN any log disable (hitcnt=0) 0x2f7fc3d1 
  access-list GASTLAN_access_in line 2 extended permit ip 192.168.22.0 255.255.255.0 any log disable (hitcnt=0) 0x984daf23 
  access-list GASTLAN_access_in line 2 extended permit icmp 192.168.22.0 255.255.255.0 any log disable (hitcnt=0) 0xb6fbac2b 
access-list DefaultRAGroup_splitTunnelAcl; 1 elements; name hash: 0xadf454af
access-list DefaultRAGroup_splitTunnelAcl line 1 standard permit 192.168.20.0 255.255.255.0 (hitcnt=0) 0xdf8fdd0f 
access-list MNnetOutside_access_in; 2 elements; name hash: 0xc6f874e3
access-list MNnetOutside_access_in line 1 extended permit object-group DM_INLINE_PROTOCOL_3 any any (hitcnt=0) 0x2f7ff032 
  access-list MNnetOutside_access_in line 1 extended permit icmp any any (hitcnt=0) 0xe0f23216 
  access-list MNnetOutside_access_in line 1 extended permit udp any any (hitcnt=0) 0xec7b2de8 
access-list outside_access_out; 7 elements; name hash: 0x21c49ab1
access-list outside_access_out line 1 remark Jeder Client darf ins Internet
access-list outside_access_out line 2 extended permit object-group DM_INLINE_PROTOCOL_4 object OnlineMUC-LAN any (hitcnt=641340) 0x6b4bb2b4 
  access-list outside_access_out line 2 extended permit udp 192.168.20.0 255.255.255.0 any (hitcnt=305584) 0x99506474 
  access-list outside_access_out line 2 extended permit tcp 192.168.20.0 255.255.255.0 any (hitcnt=335756) 0xa3c02133 
access-list outside_access_out line 3 remark Jeder Client darf ins Internet pingen
access-list outside_access_out line 4 extended permit icmp object OnlineMUC-LAN any (hitcnt=0) 0x1c17871e 
  access-list outside_access_out line 4 extended permit icmp 192.168.20.0 255.255.255.0 any (hitcnt=21996) 0x1c17871e 
access-list outside_access_out line 5 extended permit object-group DM_INLINE_PROTOCOL_4 192.168.25.0 255.255.255.0 any log disable (hitcnt=117316) 0x274261c6 
  access-list outside_access_out line 5 extended permit udp 192.168.25.0 255.255.255.0 any log disable (hitcnt=84832) 0x881cf5b5 
  access-list outside_access_out line 5 extended permit tcp 192.168.25.0 255.255.255.0 any log disable (hitcnt=32484) 0x02946858 
access-list outside_access_out line 6 extended permit icmp 192.168.25.0 255.255.255.0 any log disable (hitcnt=4012) 0xb3917a8a 
access-list outside_access_out line 7 extended permit tcp any any eq https inactive (hitcnt=0) (inactive) 0xaeb39cb4 
access-list inside_access_out; 11 elements; name hash: 0x54c0aa68
access-list inside_access_out line 1 remark Jeder Client darf ins Internet
access-list inside_access_out line 2 extended permit object-group DM_INLINE_PROTOCOL_4 object OnlineMUC-LAN any (hitcnt=4) 0x931fbd83 
  access-list inside_access_out line 2 extended permit udp 192.168.20.0 255.255.255.0 any (hitcnt=0) 0xa58810ea 
  access-list inside_access_out line 2 extended permit tcp 192.168.20.0 255.255.255.0 any (hitcnt=4) 0x36ed5b2f 
access-list inside_access_out line 3 remark Jeder Client darf telefonieren
access-list inside_access_out line 4 extended permit object-group grp_swyx object OnlineMUC-LAN any (hitcnt=0) 0x2dda84f2 
  access-list inside_access_out line 4 extended permit tcp 192.168.20.0 255.255.255.0 range 1 65535 any eq 16203 (hitcnt=0) 0x07af8c93 
  access-list inside_access_out line 4 extended permit tcp 192.168.20.0 255.255.255.0 range 1 65535 any eq 9101 (hitcnt=0) 0x59c35ceb 
  access-list inside_access_out line 4 extended permit udp 192.168.20.0 255.255.255.0 any eq 16203 (hitcnt=0) 0xb0d53ce7 
  access-list inside_access_out line 4 extended permit udp 192.168.20.0 255.255.255.0 any eq 9101 (hitcnt=0) 0xe4b15d38 
access-list inside_access_out line 5 remark Jeder Client darf ins Internet pingen
access-list inside_access_out line 6 extended permit icmp object OnlineMUC-LAN any (hitcnt=0) 0x429c232f 
  access-list inside_access_out line 6 extended permit icmp 192.168.20.0 255.255.255.0 any (hitcnt=33) 0x429c232f 
access-list inside_access_out line 7 extended permit object-group grp_swyx any object onlcrm01 (hitcnt=11) 0xf42f37c4 
  access-list inside_access_out line 7 extended permit tcp any range 1 65535 host 192.168.20.154 eq 16203 (hitcnt=2) 0x09b70cd1 
  access-list inside_access_out line 7 extended permit tcp any range 1 65535 host 192.168.20.154 eq 9101 (hitcnt=9) 0x0e4f7ed3 
  access-list inside_access_out line 7 extended permit udp any host 192.168.20.154 eq 16203 (hitcnt=0) 0x43f3af71 
  access-list inside_access_out line 7 extended permit udp any host 192.168.20.154 eq 9101 (hitcnt=0) 0xdf2983aa 
access-list global_access; 6 elements; name hash: 0xbd6c87a7
access-list global_access line 1 extended permit object-group DM_INLINE_SERVICE_8 any any (hitcnt=3) 0x96bba300 
  access-list global_access line 1 extended permit udp any any eq 1194 (hitcnt=2) 0x79a9faad 
  access-list global_access line 1 extended permit tcp any any eq 1194 (hitcnt=1) 0x76509182 
access-list global_access line 2 extended permit object-group grp_swyx any any (hitcnt=10) 0x9c067bf9 
  access-list global_access line 2 extended permit tcp any range 1 65535 any eq 16203 (hitcnt=2) 0x574044d6 
  access-list global_access line 2 extended permit tcp any range 1 65535 any eq 9101 (hitcnt=8) 0xf38944fd 
  access-list global_access line 2 extended permit udp any any eq 16203 (hitcnt=0) 0x02f260a3 
  access-list global_access line 2 extended permit udp any any eq 9101 (hitcnt=0) 0x3daa3f16 
access-list DFV_access_out; 24 elements; name hash: 0x424ac8ae
access-list DFV_access_out line 1 extended permit object-group DM_INLINE_SERVICE_3 any object DFV-pfSense-Firewall 0xd032fde1 
  access-list DFV_access_out line 1 extended permit udp any range 192.168.25.2 192.168.25.10 eq 1194 (hitcnt=0) 0x36e63dee 
  access-list DFV_access_out line 1 extended permit tcp any range 192.168.25.2 192.168.25.10 eq https (hitcnt=0) 0x6eea2bdf 
  access-list DFV_access_out line 1 extended permit tcp any range 192.168.25.2 192.168.25.10 eq 1194 (hitcnt=0) 0x449ab04e 
access-list DFV_access_out line 2 extended permit object-group DM_INLINE_SERVICE_2 object DFV-pfSense-Firewall any 0xea08f2a8 
  access-list DFV_access_out line 2 extended permit udp range 192.168.25.2 192.168.25.10 any eq 1194 (hitcnt=0) 0xfc86eaa0 
  access-list DFV_access_out line 2 extended permit tcp range 192.168.25.2 192.168.25.10 any eq https (hitcnt=0) 0x16d96810 
  access-list DFV_access_out line 2 extended permit tcp range 192.168.25.2 192.168.25.10 any eq 1194 (hitcnt=0) 0xd1cdc0db 

And here are my NAT settings:

 

Result of the command: "sh nat"

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static OnlineMUC-LAN OnlineMUC-LAN   destination static NETWORK_OBJ_172.16.20.0_25 NETWORK_OBJ_172.16.20.0_25 no-proxy-arp route-lookup
    translate_hits = 82, untranslate_hits = 20944
2 (inside) to (outside) source static OnlineMUC-LAN OnlineMUC-LAN   destination static NETWORK_OBJ_172.16.20.128_25 NETWORK_OBJ_172.16.20.128_25 no-proxy-arp route-lookup
    translate_hits = 8, untranslate_hits = 1778
3 (inside) to (outside) source static any any   destination static NETWORK_OBJ_172.16.20.0_25 NETWORK_OBJ_172.16.20.0_25 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static NETWORK_OBJ_172.16.20.0_25 NETWORK_OBJ_172.16.20.0_25   no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
5 (inside) to (outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24   destination static NETWORK_OBJ_172.16.20.0_25 NETWORK_OBJ_172.16.20.0_25 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static any interface   destination static SwyxIT-Extern SwyxIT-Extern service Swyx-20000-59999 Swyx-20000-59999 unidirectional description Transformation interne IP von ONL-CRM auf Externe IP
    translate_hits = 86, untranslate_hits = 0
7 (inside) to (outside) source dynamic any interface   destination static SwyxIT-Extern SwyxIT-Extern service Swyx-5060 Swyx-5060 description Transformation interne IP von ONL-CRM auf Externe IP
    translate_hits = 27, untranslate_hits = 1311
8 (inside) to (outside) source static any any   destination static NETWORK_OBJ_172.16.20.128_25 NETWORK_OBJ_172.16.20.128_25 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
9 (inside) to (outside) source static any any   destination static SIP-Hosts SIP-Hosts service Swyx-5060 Swyx-5060
    translate_hits = 0, untranslate_hits = 0
10 (inside) to (outside) source static any any   destination static SwyxIT-Extern SwyxIT-Extern service Swyx-5060 Swyx-5060
    translate_hits = 0, untranslate_hits = 0
11 (outside) to (DFV) source dynamic any interface   destination static DFV-LAN DFV-LAN description Eingehende VPN Verbindung 
    translate_hits = 783, untranslate_hits = 0
12 (DFV) to (outside) source dynamic DFV-LAN interface   description Ausgehende Verbindung für VPN Einwahl
    translate_hits = 105035, untranslate_hits = 106323

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static onlcrm01 interface   service tcp 9101 9101  no-proxy-arp
    translate_hits = 2, untranslate_hits = 0
2 (DFV) to (outside) source static DFV-pfSense-Firewall interface   service udp 1194 1194  no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
3 (DFV) to (outside) source static DFV-pfSense-Firewall-TCP interface   service tcp 1194 1194  no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source dynamic OnlineMUC-LAN interface  
    translate_hits = 213624, untranslate_hits = 18537
5 (GASTLAN) to (outside) source dynamic GASTLAN interface  
    translate_hits = 0, untranslate_hits = 0
6 (DFV) to (outside) source dynamic DFV-LAN interface  
    translate_hits = 50233, untranslate_hits = 6864

And xlate:

Result of the command: "sh xlate"

42 in use, 2598 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
       e - extended
NAT from inside:192.168.20.0/24 to outside:192.168.20.0/24
    flags sI idle 18:58:16 timeout 0:00:00
NAT from inside:192.168.20.0/24 to outside:192.168.20.0/24
    flags sI idle 0:22:50 timeout 0:00:00
NAT from inside:0.0.0.0/0 to outside:0.0.0.0/0
    flags sI idle 120:20:44 timeout 0:00:00
NAT from inside:172.16.20.0/25 to outside:172.16.20.0/25
    flags sI idle 120:20:44 timeout 0:00:00
NAT from inside:192.168.20.0/24 to outside:192.168.20.0/24
    flags sI idle 120:20:44 timeout 0:00:00
NAT from inside:0.0.0.0/0 to outside:0.0.0.0/0
    flags sI idle 120:20:44 timeout 0:00:00
UDP PAT from inside:0.0.0.0/0 65002-65002 to outside:0.0.0.0/0 65002-65002
    flags srI idle 48:25:26 timeout 0:00:00
UDP PAT from inside:0.0.0.0/0 65002-65002 to outside:0.0.0.0/0 65002-65002
    flags srI idle 48:25:26 timeout 0:00:00
TCP PAT from inside:192.168.20.154 9101-9101 to outside:93.104.235.45 9101-9101
    flags sr idle 0:07:18 timeout 0:00:00
UDP PAT from DFV:192.168.25.2/31 1194-1194, 192.168.25.4/30 1194-1194, 
    192.168.25.8/31 1194-1194, 192.168.25.10 1194-1194 to outside:93.104.235.45 1194-1194
    flags sr idle 18:24:26 timeout 0:00:00
TCP PAT from DFV:192.168.25.1 1194-1194, 192.168.25.2/31 1194-1194, 
    192.168.25.4/30 1194-1194, 192.168.25.8/31 1194-1194, 
    192.168.25.10 1194-1194 to outside:93.104.235.45 1194-1194
    flags sr idle 18:20:38 timeout 0:00:00
TCP PAT from DFV:192.168.25.10/54342 to outside:93.104.235.45/54342 flags ri idle 0:00:01 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/7041 to outside:93.104.235.45/7041 flags ri idle 0:00:02 timeout 0:00:30
TCP PAT from DFV:192.168.25.10/34287 to outside:93.104.235.45/34287 flags ri idle 0:00:22 timeout 0:00:30
ICMP PAT from DFV:192.168.25.10/45163 to outside:93.104.235.45/45163 flags ri idle 0:00:24 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/29142 to outside:93.104.235.45/29142 flags ri idle 0:00:38 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/50725 to outside:93.104.235.45/50725 flags ri idle 0:01:01 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/123 to outside:93.104.235.45/126 flags ri idle 0:01:08 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/46183 to outside:93.104.235.45/46183 flags ri idle 0:01:31 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/42393 to outside:93.104.235.45/42393 flags ri idle 0:01:36 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/51421 to outside:93.104.235.45/51421 flags ri idle 0:01:36 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/29284 to outside:93.104.235.45/29284 flags ri idle 0:01:39 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/15292 to outside:93.104.235.45/15292 flags ri idle 0:02:00 timeout 0:00:30
UDP PAT from DFV:192.168.25.10/1722 to outside:93.104.235.45/1722 flags ri idle 0:03:08 timeout 0:00:30
TCP PAT from DFV:192.168.25.10/38953 to outside:93.104.235.45/38953 flags ri idle 18:54:43 timeout 0:00:30
UDP PAT from inside:192.168.20.54/123 to outside:93.104.235.45/123 flags ri idle 0:02:08 timeout 0:00:30
TCP PAT from inside:192.168.20.7/36501 to outside:93.104.235.45/36501 flags ri idle 0:05:09 timeout 0:00:30
TCP PAT from inside:192.168.20.7/57823 to outside:93.104.235.45/57823 flags ri idle 0:05:14 timeout 0:00:30
TCP PAT from inside:192.168.20.7/43165 to outside:93.104.235.45/43165 flags ri idle 0:05:28 timeout 0:00:30
TCP PAT from inside:192.168.20.7/53992 to outside:93.104.235.45/53992 flags ri idle 0:05:30 timeout 0:00:30
TCP PAT from inside:192.168.20.7/43163 to outside:93.104.235.45/43163 flags ri idle 0:05:30 timeout 0:00:30
TCP PAT from inside:192.168.20.7/39601 to outside:93.104.235.45/39601 flags ri idle 0:05:31 timeout 0:00:30
TCP PAT from inside:192.168.20.57/1024 to outside:93.104.235.45/1024 flags ri idle 0:02:19 timeout 0:00:30
TCP PAT from inside:192.168.20.154/65379 to outside:93.104.235.45/65379 flags ri idle 0:06:45 timeout 0:00:30
UDP PAT from inside:192.168.20.154/65002 to outside:93.104.235.45/65002 flags ri idle 0:01:36 timeout 0:05:00
TCP PAT from inside:192.168.20.152/65413 to outside:93.104.235.45/65413 flags ri idle 0:00:09 timeout 0:00:30
TCP PAT from inside:192.168.20.152/65406 to outside:93.104.235.45/65406 flags ri idle 0:00:16 timeout 0:00:30
TCP PAT from inside:192.168.20.152/65308 to outside:93.104.235.45/65308 flags ri idle 0:07:15 timeout 0:00:30
TCP PAT from inside:192.168.20.152/65307 to outside:93.104.235.45/65307 flags ri idle 0:07:15 timeout 0:00:30
TCP PAT from inside:192.168.20.152/65303 to outside:93.104.235.45/65303 flags ri idle 0:07:24 timeout 0:00:30
TCP PAT from inside:192.168.20.152/65302 to outside:93.104.235.45/65302 flags ri idle 0:07:24 timeout 0:00:30

Packet Tracer is green for incoming and outgoing connections from a public IP to 192.168.20.154, but when I check the open ports for 93.104.235.45, TCP port 9101 is closed.

 

Thank you very much!

 

Cheers,

Alex
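An added example, not part of the original thread: a Python script that reads excerpts of the "sh nat" and "sh access-list" output posted above and reports the per-direction NAT counters of static port forwards, the per-ACL hit counts for a destination port, and ACL names that differ only by a trailing `_<n>` suffix, like the pair named in the accepted solution. The function names are hypothetical, and the `outside_access_in_1` header line in the sample is constructed.

```python
import re
from collections import defaultdict

# Excerpt of the "sh nat" output posted in this thread.
SHOW_NAT = """\
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static onlcrm01 interface   service tcp 9101 9101  no-proxy-arp
    translate_hits = 2, untranslate_hits = 0
2 (DFV) to (outside) source static DFV-pfSense-Firewall interface   service udp 1194 1194  no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source dynamic OnlineMUC-LAN interface
    translate_hits = 213624, untranslate_hits = 18537
"""

# Excerpt of the "sh access-list" output posted in this thread. The last header
# line is constructed: outside_access_in_1 is named only in the accepted solution.
SHOW_ACL = """\
access-list outside_access_in; 16 elements; name hash: 0x6892a938
access-list outside_access_in line 3 extended permit object-group grp_swyx any any (hitcnt=0) 0x8b0547d8
  access-list outside_access_in line 3 extended permit tcp any range 1 65535 any eq 9101 (hitcnt=9) 0x3a6dc19e
access-list outside_access_in line 7 extended permit tcp any any eq https (hitcnt=73628) 0x558debb6
access-list inside_access_out; 11 elements; name hash: 0x54c0aa68
  access-list inside_access_out line 7 extended permit tcp any range 1 65535 host 192.168.20.154 eq 9101 (hitcnt=9) 0x0e4f7ed3
access-list global_access; 6 elements; name hash: 0xbd6c87a7
  access-list global_access line 2 extended permit tcp any range 1 65535 any eq 9101 (hitcnt=8) 0xf38944fd
access-list outside_access_in_1; 1 elements; name hash: 0x00000000
"""

NAT_RULE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (.*)$")
NAT_HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
ACL_HEAD = re.compile(r"^access-list (\S+); \d+ elements")
ACL_ACE = re.compile(
    r"^\s*access-list (\S+) line \d+ extended (permit|deny) (tcp|udp) (.*?)\(hitcnt=(\d+)\)")


def parse_nat(text):
    """Return one dict per NAT rule, including its per-direction hit counters."""
    rules, section = [], None
    for line in text.splitlines():
        if (m := re.search(r"\(Section (\d+)\)", line)):
            section = int(m.group(1))
        elif (m := NAT_RULE.match(line)):
            # Only the inline "service tcp|udp <real> <mapped>" form is recognised.
            svc = re.search(r"\bservice (tcp|udp) (\S+) (\S+)", m.group(5))
            rules.append({"section": section, "index": int(m.group(1)),
                          "real_if": m.group(2), "mapped_if": m.group(3),
                          "kind": m.group(4),
                          "service": svc.groups() if svc else None})
        elif (m := NAT_HITS.search(line)) and rules:
            rules[-1]["translate_hits"] = int(m.group(1))
            rules[-1]["untranslate_hits"] = int(m.group(2))
    return rules


def stale_port_forwards(rules):
    """Static port forwards that no reverse (mapped to real) connection has matched."""
    return [r for r in rules
            if r["kind"] == "static" and r["service"] and r.get("untranslate_hits") == 0]


def acl_hits_for_port(text, proto, port):
    """Sum hitcnt per ACL over expanded entries whose destination is `eq <port>`."""
    hits = defaultdict(int)
    for line in text.splitlines():
        m = ACL_ACE.match(line)
        if not m or m.group(3) != proto:
            continue
        body = m.group(4)
        if re.search(r"\bobject(-group)?\b", body):
            continue  # parent line; its expanded child lines carry the counters
        eqs = re.findall(r"\beq (\S+)", body)
        if eqs and eqs[-1] == port:  # the last "eq" is the destination port
            hits[m.group(1)] += int(m.group(5))
    return dict(hits)


def duplicate_acl_names(text):
    """Group ACL names that differ only by a trailing _<n> suffix (a name heuristic)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if (m := ACL_HEAD.match(line)):
            groups[re.sub(r"_\d+$", "", m.group(1))].append(m.group(1))
    return {base: names for base, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for r in stale_port_forwards(parse_nat(SHOW_NAT)):
        print(f"section {r['section']} rule {r['index']} {r['service']}: "
              f"translate_hits={r['translate_hits']} untranslate_hits=0")
    print("ACL hits for tcp/9101:", acl_hits_for_port(SHOW_ACL, "tcp", "9101"))
    print("Similar ACL names:", duplicate_acl_names(SHOW_ACL))
```

Which of two similarly named ACLs is actually bound to an interface is shown by `show running-config access-group`.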

 
