RE: Hello List, a easy Cisco question.

Hello,

       We have NAT set up on our equipment, just a plain-vanilla internet connection.

   Here is the pertinent section of the running config.

   !
   interface Ethernet0/2
    nameif Etherpoint
    security-level 0
    ip address outside-ip 255.255.255.252
    ospf cost 10
   !

   object-group service terminal-services tcp
    port-object eq 3389
   access-list Inside_access_in extended permit icmp any any
   access-list Inside_access_in extended permit ip 192.168.125.0 255.255.255.0 any
   access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 MobileVPN 255.255.255.0
   access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 MobileVPN 255.255.255.0 inactive
   access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 any inactive
   access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.1.0 255.255.255.0
   access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.14.0 255.255.255.0
   access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.100.0 255.255.255.0
   access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.101.0 255.255.255.0
   access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.253.0 255.255.255.0
   access-list Haven_splitTunnelAcl_1 standard permit 192.168.125.0 255.255.255.0
   access-list Etherpoint_access_in extended permit tcp host 192.168.125.8 eq 3389 any eq 3389
   access-list Etherpoint_access_in extended permit tcp any eq 3389 host 192.168.125.8 eq 3389
   access-list Etherpoint_access_in extended permit tcp any host 192.168.125.8 eq 3389
   access-list Etherpoint_nat0_outbound extended permit ip host 192.168.125.8 host outside-ip
   access-list Etherpoint_nat0_outbound extended permit ip host outside-ip host 192.168.125.8

   ip local pool HavenVPN 192.168.253.1-192.168.253.254 mask 255.255.255.0

   global (Etherpoint) 2 interface

   nat (Inside) 0 access-list Inside_nat0_outbound
   nat (Inside) 2 192.168.125.0 255.255.255.0
   nat (Etherpoint) 0 access-list Etherpoint_nat0_outbound outside
   static (Inside,Etherpoint) tcp interface 3389 192.168.125.8 3389 netmask 255.255.255.255

   no threat-detection statistics tcp-intercept
   access-group Inside_access_in in interface Inside
   access-group Etherpoint_access_in in interface Etherpoint

   route Etherpoint 0.0.0.0 0.0.0.0 204.186.102.187 1

" ip address outside-ip 255.255.255.252"

Aside from the fact that 255.255.255.252 is not a valid IP address.

Firewalls are security-sensitive devices; I suggest reading the docs and not
relying on untrusted sources for basic operating directions. If improperly
configured, a firewall may pass traffic but be insecure.

I can't tell you exactly what buttons to hit in the SDM right now,
but I see you have
" access-list Etherpoint_access_in extended permit tcp any eq 3389 host
  192.168.125.8 eq 3389"

Unless "192.168.125.8" is your global IP, something is wrong here.
You should permit to destination port 3389 on the global IP, on the inbound ACL
of your outside interface, when you are applying an ACL before translation.

Then traffic matching your port-forwarding rule would be allowed
through that ACL.

" access-list Etherpoint_access_in extended permit tcp host 192.168.125.8
  eq 3389 any eq 3389"

You don't need this, assuming .125.8 is an inside IP and Etherpoint is
your outside int.
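As an added example (not code from the thread, the list, or Cisco), here is a small Python lint over the posted ACL and static lines that encodes the two points made in the reply above: with the pre-8.3 `static`/`global` syntax this config uses, the inbound ACL on the outside interface is matched against the global (pre-translation) destination, so the permit has to target the outside IP on port 3389, and entries that pin the *source* port to 3389 cannot match ordinary clients. It assumes the security-level 0 interface is the outside one, that the name `outside-ip` stands for the real public address exactly as in the post, and that no VPN or identity-NAT path delivers outside traffic to the real address; the sample config strings and the finding kinds are constructed here.

```python
"""Lint a pre-8.3 ASA config for the port-forwarding ACL mistakes in the thread.
Added example, not Cisco's or the list's code.  Assumes (per the reply) that the
outside interface's inbound ACL sees the global, pre-translation destination."""
import re
from collections import namedtuple
from typing import Dict, List, Tuple

Ace = namedtuple("Ace", "acl action proto src sport dst dport line")
Static = namedtuple("Static", "real_if mapped_if proto mapped mapped_port real real_port")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

# Constructed sample built from the thread's lines; "outside-ip" is the
# poster's own placeholder for the public address.
ASA_PREAMBLE = """\
interface Ethernet0/2
 nameif Etherpoint
 security-level 0
 ip address outside-ip 255.255.255.252
static (Inside,Etherpoint) tcp interface 3389 192.168.125.8 3389 netmask 255.255.255.255
access-group Etherpoint_access_in in interface Etherpoint
"""
POSTED_ACES = """\
access-list Etherpoint_access_in extended permit tcp host 192.168.125.8 eq 3389 any eq 3389
access-list Etherpoint_access_in extended permit tcp any eq 3389 host 192.168.125.8 eq 3389
access-list Etherpoint_access_in extended permit tcp any host 192.168.125.8 eq 3389
"""
# The single ACE the reply recommends: global address as destination, no source port.
FIXED_ACE = "access-list Etherpoint_access_in extended permit tcp any host outside-ip eq 3389\n"
SAMPLE_CONFIG = ASA_PREAMBLE + POSTED_ACES
CORRECTED_CONFIG = ASA_PREAMBLE + FIXED_ACE


def _endpoint(tok: List[str]) -> Tuple[str, str]:
    """Pop one address spec (any | host A | NET MASK) plus an optional 'eq PORT'."""
    n = 1 if tok[0] == "any" else 2
    addr = tok[0] if n == 1 else (tok[1] if tok[0] == "host" else tok[0] + "/" + tok[1])
    del tok[:n]
    port = tok[1] if tok[:1] == ["eq"] else ""
    del tok[:2 if port else 0]
    return addr, port


def parse_config(text: str) -> Dict:
    """Collect extended ACEs, statics, inbound access-groups and the outside interface."""
    cfg: Dict = {"aces": [], "statics": [], "groups": {}, "outside": None, "outside_ip": None}
    ifaces: List[Dict[str, str]] = []
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            ifaces.append({})
        elif t[0] in ("nameif", "security-level") and ifaces:
            ifaces[-1][t[0]] = t[1]
        elif t[:2] == ["ip", "address"] and ifaces:
            ifaces[-1]["ip"] = t[2]
        elif t[0] == "access-list" and len(t) >= 7 and t[2] == "extended":
            tok = t[5:]
            try:
                src, sport = _endpoint(tok)
                dst, dport = _endpoint(tok)
            except IndexError:
                continue  # object-group and other syntax this small parser skips
            cfg["aces"].append(Ace(t[1], t[3], t[4], src, sport, dst, dport, raw.strip()))
        elif t[0] == "static":
            m = STATIC_RE.match(raw.strip())
            if m:
                cfg["statics"].append(Static(*m.groups()))
        elif t[0] == "access-group" and len(t) >= 5 and t[2] == "in":
            cfg["groups"][t[4]] = t[1]
    # security-level 0 marks the outside interface
    outside = next((i for i in ifaces if i.get("security-level") == "0"), {})
    cfg["outside"], cfg["outside_ip"] = outside.get("nameif"), outside.get("ip")
    return cfg


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for the outside interface's inbound ACL."""
    cfg, out = parse_config(text), []
    acl = cfg["groups"].get(cfg["outside"])
    if acl is None:
        return out
    inbound = [a for a in cfg["aces"] if a.acl == acl and a.action == "permit"]
    statics = [s for s in cfg["statics"] if s.mapped_if == cfg["outside"]]
    reals = {s.real for s in statics}
    for a in inbound:
        if a.sport:         # clients use ephemeral source ports, so "any eq 3389" rarely matches
            out.append(("pinned-sport", a.line))
        if a.src in reals:  # traffic arriving from the internet never has an inside source
            out.append(("inside-src", a.line))
        if a.dst in reals:  # the ACL sees the global address; the real one never matches
            out.append(("unreachable-dst", a.line))
    for s in statics:
        glob = cfg["outside_ip"] if s.mapped == "interface" else s.mapped
        if not any(a.proto in (s.proto, "ip") and not a.sport and a.src not in reals
                   and a.dst in ("any", glob) and a.dport in ("", s.mapped_port)
                   for a in inbound):
            out.append(("missing-permit", f"access-list {acl} extended permit "
                        f"{s.proto} any host {glob} eq {s.mapped_port}"))
    return out


if __name__ == "__main__":
    print(*lint(SAMPLE_CONFIG), lint(CORRECTED_CONFIG), sep="\n")
```

Run against the posted lines it reports the two source-port-pinned entries, the entry whose source is the inside host, the two entries whose destination is the untranslated inside address, and the one `permit tcp any host outside-ip eq 3389` line that is missing; the corrected config produces no findings. The parser is deliberately narrow (plain `any`/`host`/network-mask ACEs and `static` PAT lines) and silently skips anything else, so a clean result means "no findings for what it understands", not a full audit.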


Subject: Re: Hello List, a easy Cisco question.
From: Dennis <[1]daodennis@gmail.com>
Date: Mon, July 11, 2011 12:39 pm
To: [2]bill@kruchas.com
> Hello,
>
> I am not a heads-down network guy, but I have set up a few
> firewalls, and have got them to do what I wanted, "eventually". But
> mostly through reading and trial and error.
>
> I am struggling with this one, but I think I know the answer, but
> want to verify it with some experts.
>
> We have a Cisco ASA 5505, with an internet connection with only one
> usable IP address (subnet 255.255.255.252). We/they have had a NAT
> setup for outgoing connections for some time, but I have been trying to
So does your provider have your ASA behind a NAT, or is there a NAT
inside,outside statement on your ASA?
Some more pieces of the configuration would be helpful here too.
Thanks,
Dennis O.

References

1. mailto:daodennis@gmail.com
2. mailto:bill@kruchas.com
3. mailto:bill@kruchas.com

Regards,