Forwarding Ports through a Cisco ASA 5505

 
 
logicalrich@hotmail.com
 
      01-31-2007
Hi There,

If someone could help me that would be great. I have a Cisco ASA 5505
that I'm trying to configure to allow any Internet IP Address to come
through port 3206 and get to a workstation on the Internal network on
the same port.

I've changed my Outside IP in the following information for security
sake. Also, I've typically been using the Cisco ASDM utility to
perform the configuration as I'm not familiar with many of the command
line commands (but feel free to help me via command line instructions
if that's what you know).

My setup is like this:
Outside IP = 1.2.3.4
Inside IP = 192.168.0.254
I'm using PAT for my address translation as my client only has one
Internet IP address.

We need to initiate a connection from the Internet to port 3206 at IP
192.168.0.206.


I've created a static NAT rule as follows:

Real Address:
Interface: inside IP Address: 192.168.0.206 Netmask:
255.255.255.255

Static Translation:
Interface: outside IP Address: 1.2.3.4

Enable Port Address Translation (PAT):
Protocol: tcp Original Port: 3206 Translated Port: 3206

I think this NAT rule is configured OK (please confirm) and I'm pretty
sure that I'm just running into problems with my Access Rules in the
Security Policy area.

I've tried creating all kinds of incoming rules on the Outside
Interface (have also tried quite a few on the inside interface) but
nothing seems to work and I can never make a connection from an
external Internet IP Address.

Would it be possible for one of you gurus to give me a detailed
description on what security rules I need to create to get this to
work? And/or let me know what's wrong with my NAT rule? It seems like
no matter what rules I create it just won't work. In part of my
testing I've even created incoming rules that permit any source
address to any destination address and have applied this to both the
IP protocol as well as to tcp port 3206. That still didn't work and I
still couldn't get in.

I'm also going to need to map external port 25 to go to 192.168.0.30,
but I haven't even tried working on that yet as the mail server is not
online yet and so therefore I can't test it very well. But I assume
that if I can figure out the forwarding of port 3206 then forwarding
port 25 should be a snap.


If someone can give me some instructions on what I need to do to get
this working then I'll take you out for some beers (if you live in
Vancouver or the surrounding areas) and I'd be eternally thankful.

Let me know if you need more information regarding the setup, etc.
This is the first time I've been trying to set up a Cisco device and
so I'm not 100% sure what type of information you'll need.

Thanks,

Rich

 
 
 
 
 
Walter Roberson
 
      02-01-2007
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:

>If someone could help me that would be great. I have a Cisco ASA 5505
>that I'm trying to configure to allow any Internet IP Address to come
>through port 3206 and get to a workstation on the Internal network on
>the same port.


>My setup is like this:
>Outside IP = 1.2.3.4
>Inside IP = 192.168.0.254
>I'm using PAT for my address translation as my client only has one
>Internet IP address.


>We need to initiate a connection from the Internet to port 3206 at IP
>192.168.0.206.


[Note: there are some details here that would be different on
a PIX 6 setup.]

I think this should work:

static (inside,outside) tcp 1.2.3.4 3206 192.168.0.206 3206 netmask 255.255.255.255
access-list out2in extended permit tcp any host 1.2.3.4 eq 3206
access-group out2in in interface outside

For your smtp system, duplicate the static, changing the port from 3206 to 25
in both places, and changing the internal IP if necessary, and
add another line to out2in duplicating the one shown above but
changing the 3206 to 25.

 
 
 
 
 
Rich
 
      02-02-2007
On Feb 1, 9:37 am, (E-Mail Removed) (Walter Roberson) wrote:
> In article <(E-Mail Removed) .com>,
>
> <(E-Mail Removed)> wrote:
> >If someone could help me that would be great. I have a Cisco ASA 5505
> >that I'm trying to configure to allow any Internet IP Address to come
> >through port 3206 and get to a workstation on the Internal network on
> >the same port.
> >My setup is like this:
> >Outside IP = 1.2.3.4
> >Inside IP = 192.168.0.254
> >I'm using PAT for my address translation as my client only has one
> >Internet IP address.
> >We need to initiate a connection from the Internet to port 3206 at IP
> >192.168.0.206.

>
> [Note: there are some details here that would be different on
> a PIX 6 setup.]
>
> I think this should work:
>
> static (inside,outside) tcp 1.2.3.4 3206 192.168.0.206 3206 netmask 255.255.255.255
> access-list out2in extended permit tcp any host 1.2.3.4 eq 3206
> access-group out2in in interface outside
>
> For your smtp system, duplicate the static, changing the port from 3206 to 25
> in both places, and changing the internal IP if necessary, and
> add another line to out2in duplicating the one shown above but
> changing the 3206 to 25.


Hey Walter,

Thanks for your time and advice. I've entered those commands and the
ASA took them OK and I can see the Outside policy in the Security
Policy of the ASDM utility. However, I still can't connect to port
3206.

I'm pretty stumped here...

Can you give me the appropriate NAT command as well and I'll try re-
inputting that?

I don't know what else to do other than buying a Cisco support
contract...


Thanks,

Rich

 
 
Walter Roberson
 
      02-02-2007
In article <(E-Mail Removed) .com>,
Rich <(E-Mail Removed)> wrote:
>On Feb 1, 9:37 am, (E-Mail Removed) (Walter Roberson) wrote:
>> In article <(E-Mail Removed) .com>,
>> <(E-Mail Removed)> wrote:
>> >If someone could help me that would be great. I have a Cisco ASA 5505
>> >that I'm trying to configure to allow any Internet IP Address to come
>> >through port 3206 and get to a workstation on the Internal network on
>> >the same port.


>> I think this should work:


>Thanks for your time and advice. I've entered those commands and the
>ASA took them OK and I can see the Outside policy in the Security
>Policy of the ASDM utility. However, I still can't connect to port
>3206.


>Can you give me the appropriate NAT command as well and I'll try re-
>inputting that?


There is no 'nat' command applicable to the situation. When you
want to permit connections inward, you must use 'static'. The
only exception to the rule (other than for VPNs) is if you
are using identical public and internal addresses and tell the ASA
to turn off Network Address Translation for the address by using
nat (inside) 0 access-list . But that doesn't apply to you, as you
have indicated that you are using private IP addresses internally.


We might be able to see something if you post at least the following
kinds of lines from your configuration (obfuscated if you prefer):

- access-group, nat, static, any crypto map 'match address'
- any access-list mentioned in any of the above lines
- ip address
- ip route


When you encounter the problem, what do you see in your syslog when
you make a connection attempt? Push your 'logging trap' settings up
to at least 'informational' (level 6) to get the whole story.
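
The cross-check that the last reply asks to do by eye, as an added example that is not part of the thread: it pairs each `static` port forward with the access-list bound to its outside-facing interface and reports forwards that are blocked or reachable only through a catch-all permit. The sample config is constructed from the thread's commands; the function names are hypothetical, and the parser assumes only the line shapes shown in the thread.

```python
import re

# Constructed sample: thread's commands, the port-25 static, one catch-all test rule.
SAMPLE = """\
static (inside,outside) tcp 1.2.3.4 3206 192.168.0.206 3206 netmask 255.255.255.255
static (inside,outside) tcp 1.2.3.4 25 192.168.0.30 25 netmask 255.255.255.255
access-list out2in extended permit tcp any host 1.2.3.4 eq 3206
access-list out2in extended permit ip any any
access-group out2in in interface outside
"""
STATIC = re.compile(r"static \(\w+,(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
PERMIT = re.compile(r"access-list (\S+) extended permit (\w+) any (any|host \S+)(?: eq (\d+))?$")
GROUP = re.compile(r"access-group (\S+) in interface (\w+)")

def parse(config):
    """Collect statics, permit rules per ACL name, and the ACL bound to each interface."""
    statics, rules, bound = [], {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            statics.append(m.groups())
        elif m := PERMIT.match(line):
            rules.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := GROUP.match(line):
            bound[m[2]] = m[1]
    return statics, rules, bound

def covers(rule, proto, ip, port):
    # rule = (protocol, destination, port); "ip", "any" and a missing port are wildcards.
    return (rule[0] in (proto, "ip") and rule[1] in ("any", f"host {ip}")
            and rule[2] in (None, port))

def is_broad(rule):
    return rule[0] == "ip" or rule[1] == "any" or rule[2] is None

def audit(config):
    """Status per port forward plus every over-broad permit (deny rules and order ignored)."""
    statics, rules, bound = parse(config)
    report = {}
    for iface, proto, ip, port, real_ip, real_port in statics:
        hits = [r for r in rules.get(bound.get(iface), []) if covers(r, proto, ip, port)]
        if iface not in bound:
            status = "no access-group on interface"
        elif not hits:
            status = "blocked: no matching permit"
        else:
            status = "broad rule only" if all(map(is_broad, hits)) else "ok"
        report[f"{proto}/{port} -> {real_ip}:{real_port}"] = status
    broad = [(name, r) for name, rs in rules.items() for r in rs if is_broad(r)]
    return report, broad
```

Run `audit()` over the `static`, `access-list` and `access-group` lines of a saved configuration; anything listed in the second return value is a test rule worth removing once the forward works.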
 