From: tman on 17 Jun 2008 21:24

I am trying to learn how to configure an ASA5505. I have written one access-list and one static NAT statement but I cannot get packets from outside to the host on the dmz.

The ip address on the outside interface is 200.1.1.132. The ip address on the dmz interface is 192.168.20.1.

To test I have one host, 200.1.1.131 connected to the outside interface and a second host, 192.168.20.134 connected to the dmz interface. I am running a utility called Attacker on the host in the dmz that is listening on port 110. To test I just telnet from the outside host to port 110 on the host in the dmz. So far I have been unsuccessful.

Here are my access-list and its grouping to the outside interface and my static NAT statement. Am I missing something? Do I have to add 200.1.1.134 to the outside interface as a virtual ip address like some firewalls or does the static nat accomplish this?

access-list OutsideToDmz extended permit tcp any host 200.1.1.134 eq pop3

access-group OutsideToDmz in interface outside

static (outside,dmz) 192.168.20.134 200.1.1.134 netmask 255.255.255.255

Any suggestions will be greatly appreciated.

Thanks

From: jcle on 17 Jun 2008 21:58

On Jun 17, 9:24 pm, tman <naves....(a)gmail.com> wrote:
> I am trying to learn how to configure an ASA5505. I have written one
> access-list and one static NAT statement but I cannot get packets from
> outside to the host on the dmz.
>
> The ip address on the outside interface is 200.1.1.132. The ip
> address on the dmz interface is 192.168.20.1.
>
> To test I have one host, 200.1.1.131 connected to the outside
> interface and a second host, 192.168.20.134 connected to the dmz
> interface. I am running a utility called Attacker on the host in the
> dmz that is listening on port 110. To test I just telnet from the
> outside host to port 110 on the host in the dmz. So far I have been
> unsuccessful.
>
> Here are my access-list and its grouping to the outside interface and
> my static NAT statement. Am I missing something? Do I have to add
> 200.1.1.134 to the outside interface as a virtual ip address like some
> firewalls or does the static nat accomplish this?
>
> access-list OutsideToDmz extended permit tcp any host 200.1.1.134 eq
> pop3
>
> access-group OutsideToDmz in interface outside
>
> static (outside,dmz) 192.168.20.134 200.1.1.134 netmask
> 255.255.255.255
>
> Any suggestions will be greatly appreciated.
>
> Thanks

I think it is static(dmz,outside) 192.168.20.134 200.1.1.234 netmask 255.255.255.255

From: mcaissie on 18 Jun 2008 09:55

"jcle" <jmsprang(a)hotmail.com> wrote in message news:821ddc47-a9cb-4354-a2ec-41ce83ac3d1e(a)j22g2000hsf.googlegroups.com...
On Jun 17, 9:24 pm, tman <naves....(a)gmail.com> wrote:
> I am trying to learn how to configure an ASA5505. I have written one
> access-list and one static NAT statement but I cannot get packets from
> outside to the host on the dmz.
>
> The ip address on the outside interface is 200.1.1.132. The ip
> address on the dmz interface is 192.168.20.1.
>
> To test I have one host, 200.1.1.131 connected to the outside
> interface and a second host, 192.168.20.134 connected to the dmz
> interface. I am running a utility called Attacker on the host in the
> dmz that is listening on port 110. To test I just telnet from the
> outside host to port 110 on the host in the dmz. So far I have been
> unsuccessful.
>
> Here are my access-list and its grouping to the outside interface and
> my static NAT statement. Am I missing something? Do I have to add
> 200.1.1.134 to the outside interface as a virtual ip address like some
> firewalls or does the static nat accomplish this?
>
> access-list OutsideToDmz extended permit tcp any host 200.1.1.134 eq
> pop3
>
> access-group OutsideToDmz in interface outside
>
> static (outside,dmz) 192.168.20.134 200.1.1.134 netmask
> 255.255.255.255
>
> Any suggestions will be greatly appreciated.
>
> Thanks

>>I think it is static(dmz,outside) 192.168.20.134 200.1.1.234 netmask
>>255.255.255.255

Actually it's

static (dmz,outside) 200.1.1.234 192.168.20.134 netmask 255.255.255.255

static (real,fake) fake real netmask 255.255.255.255

From: tman on 18 Jun 2008 12:26

On Jun 18, 6:55 am, "mcaissie" <mcais...(a)nospam.sympatico.ca> wrote:
> "jcle" <jmspr...(a)hotmail.com> wrote in message
>
> news:821ddc47-a9cb-4354-a2ec-41ce83ac3d1e(a)j22g2000hsf.googlegroups.com...
> On Jun 17, 9:24 pm, tman <naves....(a)gmail.com> wrote:
>
> > I am trying to learn how to configure an ASA5505. I have written one
> > access-list and one static NAT statement but I cannot get packets from
> > outside to the host on the dmz.
>
> > The ip address on the outside interface is 200.1.1.132. The ip
> > address on the dmz interface is 192.168.20.1.
>
> > To test I have one host, 200.1.1.131 connected to the outside
> > interface and a second host, 192.168.20.134 connected to the dmz
> > interface. I am running a utility called Attacker on the host in the
> > dmz that is listening on port 110. To test I just telnet from the
> > outside host to port 110 on the host in the dmz. So far I have been
> > unsuccessful.
>
> > Here are my access-list and its grouping to the outside interface and
> > my static NAT statement. Am I missing something? Do I have to add
> > 200.1.1.134 to the outside interface as a virtual ip address like some
> > firewalls or does the static nat accomplish this?
>
> > access-list OutsideToDmz extended permit tcp any host 200.1.1.134 eq
> > pop3
>
> > access-group OutsideToDmz in interface outside
>
> > static (outside,dmz) 192.168.20.134 200.1.1.134 netmask
> > 255.255.255.255
>
> > Any suggestions will be greatly appreciated.
>
> > Thanks
> >>I think it is static(dmz,outside) 192.168.20.134 200.1.1.234 netmask
> >>255.255.255.255
>
> Actually it's
>
> static (dmz,outside) 200.1.1.234 192.168.20.134 netmask 255.255.255.255
>
> static (real,fake) fake real netmask 255.255.255.255

Thanks. That finally worked. Jeeesh! These docs are difficult to interpret. They seem to always use weird examples rather than straightforward basic ones.

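Added example, not part of the thread: a small Python check for the mistake resolved above, assuming the pre-8.3 `static (real_if,mapped_if) mapped_ip real_ip` form and interface ACLs that match the mapped address. The /24 subnets and the function name `lint` are assumptions, and the corrected line uses the address the original post's ACL permits (200.1.1.134).

```python
import ipaddress
import re

# Assumption: /24 masks; the thread gives only the interface addresses.
SUBNETS = {"outside": ipaddress.ip_network("200.1.1.0/24"),
           "dmz": ipaddress.ip_network("192.168.20.0/24")}

STATIC = re.compile(r"static\s*\((\w+),(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+\S+$")
ACL = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+\S+\s+any\s+host\s+(\S+)")
GROUP = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+(\w+)$")


def lint(config, subnets=SUBNETS):
    """Check 'static (real_if,mapped_if) mapped_ip real_ip' lines against the
    inbound ACLs; return a list of findings (empty list = consistent)."""
    statics, acl_hosts, bound, findings = [], {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            statics.append(m.groups())
        elif m := ACL.match(line):
            acl_hosts.setdefault(m[1], set()).add(m[2])
        elif m := GROUP.match(line):
            bound[m[2]] = m[1]
    published = set()  # (mapped_if, mapped_ip) pairs that a static exposes
    for real_if, mapped_if, mapped_ip, real_ip in statics:
        try:
            on_real = ipaddress.ip_address(real_ip) in subnets[real_if]
        except (ValueError, KeyError):
            findings.append(f"static: bad address or interface: {real_if} {real_ip}")
            continue
        if not on_real:
            findings.append(f"static: {real_ip} is not on {real_if}; operands reversed?")
        published.add((mapped_if, mapped_ip))
    # Each host an inbound ACL permits must be a mapped address on that interface.
    for ifname, acl in bound.items():
        for host in sorted(acl_hosts.get(acl, ())):
            if (ifname, host) not in published:
                findings.append(f"acl {acl}: permits {host} on {ifname}, no static maps it there")
    return findings


# Constructed sample input built from the statements in the thread.
ACL_LINES = ("access-list OutsideToDmz extended permit tcp any host 200.1.1.134 eq pop3\n"
             "access-group OutsideToDmz in interface outside\n")
AS_POSTED = ACL_LINES + "static (outside,dmz) 192.168.20.134 200.1.1.134 netmask 255.255.255.255"
CORRECTED = ACL_LINES + "static (dmz,outside) 200.1.1.134 192.168.20.134 netmask 255.255.255.255"

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, lint(cfg) or "consistent")
```

On ASA 8.3 and later the `static` command was replaced by object NAT and interface ACLs match the real address, so this check applies only to the older syntax used in the thread.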