Cisco Firewall :: Way To Be Able To Get / Port The Translation From 7080 To Work
Mar 6, 2013
I have a server on the inside of my network (with a internet Routable IP). It has been requested to me that people from the internet access port 80, and that is translated at the firewall to port 7080. I have set up a temp Access rule to allow access to 7080 from the outside and it is accessable. I am not sure what I am doing wrong, but I am tion from 80 not able to get the translato 7080 to work.
View 1 Replies
ADVERTISEMENT
May 30, 2011
I'm trying to migrate from olda PIX to newest ASA 8.4.1. Everything seems to be good except the static NAT. [code]
The inside interface uses implicit rule. ( permit any less secure network )
Although te above config the ASA logs the following.
TCP access denied by ACL from 94.94.94.94/2003 to outside:86.101.228.221/80
The 86.101.228.221 our public Internet IP whic are used as outside IP also.
View 8 Replies
View Related
Mar 1, 2012
I have some issues with Twin PAT on ASA (8.4.2), there is sth I dont udnerstand FTP server is on the inside and client is in outside.
I did sth like this
object network NATED-11
host 20.20.20.11
object network REAL-2
host 10.200.200.2
object service SRV-FTP
service tcp destination eq ftp
nat (outside,inside) source static any any destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP so teoretically there should be a problem in NAT cause there is a second channel for data etc. BUT according to docs "For applications that require application inspection for secondary channels (for example, FTP and VoIP),the ASA automatically translates the secondary ports."
The problem is that it doesn't work at all and got the syslogs
Debug on ASA shows
ASA5510(config)# nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: untranslation - outside:20.20.20.11/21 to inside:10.200.200.2/21
nat: translation - outside:20.20.20.252/37924 failed - port is not found in xlate(0-0)
[code]....
To make it work I need to modify the nat rule to sth like this (translate source of client to inside inteface of ASA) nat (outside,inside) 1 source static any interface destination static NATED-11 REAL-2 service SRV-FTP SRV-FTP / why its not working in the first place? aaa I forgot to mention that both modes of FTP were tested (passive and active)
View 1 Replies
View Related
Mar 10, 2012
Trying to translate telnet for switches to the outside ip address at some random ports.
172.16.200.2:23 -> 10.199.199.2:2300
172.16.200.3:23 -> 10.199.199.2:2301
172.16.200.4:23 -> 10.199.199.2:2302
etc....
ASA 5510 running 8.4(3):
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.199.199.2 255.255.255.248
interface Ethernet0/1.200
vlan 200
nameif inside
security-level 100
ip address 172.16.200.254 255.255.255.0
[code]....
I can not access the switch at 10.199.199.2:2301 . What am I doing wrong? Or should cleaning toilets be something I really should look at! Now if i run this NAT statment:
object network Switch_TN
nat (inside,outside) static 10.199.199.3 service tcp telnet 2301
I am able to access the switch at 10.199.199.3:2301
View 7 Replies
View Related
Oct 31, 2011
I am trying to correctly configure our ASA 5520 and our Mitel Border Gateway in our DMZ. In the documentation for the Mitel border gateway it wants me to set up 2 external IP's on my ASA one to allow 443 traffice into the MBG, and another for 443 traffic that needs to be forwarded to port 4443 for the MGB in the DMZ. My problem is I don't know how to do this. the MBG only has one IP, and I need to have 2 different URL's mapped to two different external IP's both externally using port 443, and one of them forwarding to 4443 on the DMZ interface.
View 10 Replies
View Related
Jan 27, 2013
After adding a NAT rule on Friday morning, I'm now getting a bunch of "portmap translation creation failed" messages from my ASA5520. (It's currently running 8.4(3).) The failure errors appear to have nothing to do with the change that was made. [code] I have very similar rules in place for other vendors to access other machines. The only difference between this new one and those old ones is the use of the objects in the rule instead of the direct IP addresses. This is also the first one that invovles a range instead of a specific address or network. [code]
View 4 Replies
View Related
Aug 22, 2011
I have an 8.3(2) ASA with a single outside IP. Dynamic PAT translates inside addresses to the outside interface address. I would like to use static NAT with port translation to access an inside syslog server. I got an error when I tried using the outside interface address. Can I use both dynamic PAT and Port Translation with the same outside address?This is what I would like to use but I receive an error saying there is an overlap using the outside interface address.(192.168.1.0 is my inside network. 10.10.1.10 is the outside interface IP.)
object network inside-net
subnet 192.168.1.0 255.255.255.0
nat (inside, outside) dynamic interface
object network SYSLOG_SERVER
host 192.168.1.50
nat (inside,outside) static 10.10.1.10 service tcp ssh ssh
View 6 Replies
View Related
Aug 4, 2012
I have site to site vpn between cisco asa and cisco 2911 router.asa is static ip and cisco 2911 side is dynamic ip. my site to site vpn is working fine. I am just trying to make PAT over the vpn means i want forward one ip in my public pool to one of my local ip in the cisco 2911 side.
View 2 Replies
View Related
Feb 29, 2012
We have a RV082 Router and we are trying to do port translation.
For example:
88.123.2.5:80>192.168.1.10:2334
88.123.2.5:81>192.168.1.10:2335
However this does not seem to be possible as I can only choose the source port and the destination IP address unlike the RVS4000.
View 1 Replies
View Related
Mar 24, 2011
In my router I can set rule that all traffic incoming to router's extAddr:8888, is forwarded to my intAddr:8888. But I also need reverse rule that packets originating from intAddr:8888 are translated to extAddr:8888. Can I do that? What technique can I search on google to find more information, because it is not port forwarding. I would calll it reverse port forwarding or static port address translation, but I do not find anything useful in internet searching these keywords.
View 3 Replies
View Related
Nov 20, 2012
I have a problems with one SA520W.The LAN port don't work correctly. If i connect PC directly via ethernet cable (i try 2 different cable and 2 different PC) the DHCP don't assign an IP. If i reset to factory default and manual insert IP (192.168.75.1) don't work.
View 2 Replies
View Related
Jul 10, 2012
I have bought an RV180 Firewall/VPN and try to use the Backup Software Crashplan. As per the supplier it needs Port 443 and 4242 open. Port 443 is fine and allows me to use the service to backup to the Cloud. However when I want to allow other users to backup to my computer this traffic is blocked. I tried to open port 4242 on the firewall and forward the traffic to the computer that hosts the service but it does not work. I have tried to Telnet this port from the WAN but I don't get a response. When I check the Open Ports this port is not listed as a LISTEN port either.
View 1 Replies
View Related
Aug 24, 2012
I am going with ASA 5520, know how many NAT translation is possible.
View 2 Replies
View Related
Dec 5, 2012
I have a server in a DMZ of my 8.4 ASA with nat:
object network FTP-SERVER
host 192.168.1.102
nat (dmz,outside) static interface tcp ftp ftp
And that's working well. However, I now need to translate the source address of connections from the outside to the FTP server as well. The aim is that the source address of packets when they reach the FTP server is an address on the DMZ subnet (as the default route for the FTP server now needs to be something else, not the ASA) as well as this outside-dmz NAT. I thought overloading the DMZ interface of the ASA? Or another IP in that range?
View 2 Replies
View Related
Jun 1, 2011
I have ASA 5510 and public FTP server from my local network to external IP address, with static nat translation. All works, but I need request to ftp come from internal ASA interface (need use gateway different ASA). How configured ASA for forwarding request?
View 4 Replies
View Related
Mar 17, 2012
i wounder why i'm getting such log message whenever i'm trying to reach my remote site: No translation group found for tcp src outside XXXX dst dmz ZZZZ, i have a Cisco PIX515E firewall and that message is captured there, the traffic is going through a VPN tunnel (the VPN are up on both ends)
View 2 Replies
View Related
Dec 20, 2012
Recently upgraded to an Asa 5512x from a pix 515e. I have an Ipswitch secure MoveIT server on the dmz1 interface that needs to be accessed from both the inside and outside interfaces. I have setup a static nat from the outside to the dmz1 and it works, I can also connect from the inside interface. Now I need the MoveIT server to access the DNS server and email server on the inside interface so it can send notifications. On the pix I just created a static from the inside to the dmz1 using its own IP address - static (inside,dmz1) 192.168.1.7 192.168.1.7 net mask 255.255.255.255. I would then add the access-list to allow. How would I set this up with the Asa 8.6 commands?
View 5 Replies
View Related
Dec 4, 2012
I am having an issue with a specific server that is not reachable from other sub nets. Every other device on the same sub net as the server is reachable via the other sub nets. This server is special because it's NAT'd to an external IP address and has several site-to-site VPN's set up. The firewall is a Cisco ASA 5510.
This is the error I see on the ASA syslog when I try to ping the server from another sub net: 3 Dec 05 2012 10:58:49 10.0.15.101 regular translation creation failed for icmp src inside:10.0.20.8 dst inside:10.0.15.101 (type 0, code 0)
The problem server is on sub net 10.0.20.0/24 and the server IP address is 10.0.20.8. Every device on the 10.0.20.0/24 sub net can hit the server, but devices on other sub nets cannot. For instance, a device on 10.0.15.0/24 cannot reach 10.0.20.8, but can reach other devices on 10.0.20.0/24.
View 1 Replies
View Related
Jun 26, 2011
Error message
305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.16/53
305005: No translation group found for udp src c_dmz:10.0.176.120/51910 dst inside:195.244.192.166/53
[Code]....
I thought it needed a nat (c_dmz) command but I got the following error message
PIX(config)# nat (c_dmz) 0 0.0.0.0 0.0.0.0 0 0 nat 0 0.0.0.0 will be identity translated for outbound WARNING: Binding inside nat statement to outermost interface. WARNING: Keyword "outside" is probably missing.
View 2 Replies
View Related
Jan 19, 2013
Is it possible to perform static Nat's through an internal network?I have a ASA 5510 with a public outside interface (let’s call it 68.68.68.1), and I have an inside private IP address (192.168.1.2/24). The inside IP address leads to a 4900m with that interface being configured with a 192.168.1.1 (no switching). On the 4900 M I have several VLANs one of them is an internal DMZ of sorts. (192.168.2.0/24). Within this DMZ network are several Web servers which need to be associated a public IP address (68.68.68.x).
Every time I configure a static Nat to associating a public IP address with an internal IP address within the DMZ, packet Tracer on the ASA informs me that the packet gets dropped at the static Nat and I cannot figure out why this is so.Safe it to say my question still stands is it possible to Nat (68.68.68.222 to and 92.168.2.60) given the configuration above, and how would I go about configuring in such the manner above so that I acn apply static nat through the 192.168.1.0 network to reach the 192.168.2.0 network.
View 11 Replies
View Related
Aug 1, 2012
Two Vlans (ID1 and 100)are on a Cat 4500, which connects to an ASA, interface DMZ. On 4500, there is default route point to the ASA DMZ interface Issue, server on vlan 100 cannot ping a server on Vlan 1, vice verse. When I enable the realtime log, it gives me a “Translation creation failed” message, please see the attached files.
View 1 Replies
View Related
May 31, 2011
I have a 5510 with just a inside and outside interface, everything works on the lan inc internet access and exchange hosting to the net, but I have another exchange server on the wan and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a No translation group found error.I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command global (outside) 1 interfaceglobal (inside) 2 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0.
View 3 Replies
View Related
May 22, 2012
See the error below on my ASA5510.
305006 200.200.0.34 53 portmap translation creation failed for udp src inside:192.168.1.4/1047 dst outside:200.200.0.34/53
The first two computers work normally( IP 2 and 3) , but the third computer gets ip does not work on the Internet.
View 2 Replies
View Related
Jan 10, 2013
I have seen many of these errors lately. We have just moved to a new office and I have basically only assigned a new IP to the outside interface.
[code]....
View 6 Replies
View Related
Oct 10, 2011
We have a PIX with 3 interfaces. Inside, Outside,DMZ.
On my DMZ we have some clients that come in and remotely connect back to there office via MSPPTP. I setup the ASA with this to get rid of the error message: regular translation creation failed for protocol 47 src
policy-map global-policy
inspection_default
inspect pptp
Now when the dmz client tries to connect back to there PPTP server I get the following error.
172.31.10.204 0 24.172.85.162 37624 Teardown dynamic GRE translation from dmz:172.31.10.204/0 to outside:24.172.85.162/37624 duration 0:01:30
172.31.10.204 1069 173.188.74.155 1723 Deny TCP (no connection) from 172.31.10.204/1069 to 173.188.74.155/1723 flags PSH ACK on interface dmz
172.31.10.204 173.188.74.155 63767 Teardown GRE connection 8393958 from dmz:172.31.10.204 to outside:173.188.74.155/63767 duration 0:01:08 bytes [ code]...
View 7 Replies
View Related
Mar 24, 2013
We have an ASA 5540 with 8.2(5)
Last three days in early afternoon we start getting these errors in the log and webpages either won't load or pages only half load.
3|Mar 22 2013|13:22:24|305006|184.73.105.115|443|||portmap translation creation failed for tcp src inside:10.10.176.114/58217 dst outside:184.73.105.115/443
3|Mar 22 2013|13:22:24|305006|54.243.129.71|80|||portmap translation creation failed for tcp src inside:10.35.54.37/1517 dst outside:54.243.129.71/80
[Code].....
View 6 Replies
View Related
May 9, 2011
I'm trying to setup port forwarding to a citrix server but, it seems not to be working.
View 4 Replies
View Related
Jul 26, 2012
We are using the newest release of AD Agent (1.0.0.32.1, built 598). The ASA Firewalls 5520 are having the software release 8.4(3)8 installed.When somebody tries to connect thru the Identity based firewalls from a citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in. The user-of-ip mapping of the PDIs IP-address shows mostly other users, which then are used to authenticate the acces thru the firewalls.
What is interesting, that on the AD Agent using "adacfg.exe cache list | find /i "USERNAME"" i can't see the PDIs IP-address neither because it is mapped to another user.Is Citrix Published Desktop environment supported to connect thru Identity based Firewalls? How AD Agent, Domain Controllers and Firewalls are working together? On the firewalls with "show user-identity ad-agent we see, the following:
-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799
Why Cisco does use 1645 and 1646 and not 1812 and 1813?The Listening Port is used for what purpose? we tried the AD Agent modes full- download and on-demand with the same effect.
View 17 Replies
View Related
Jun 26, 2012
A day or so after that, it quit alltogether, with Windows saying it is a DNS server issue. I have reason to believe the IT guy for the apartment has NO idea what he's talking about, as he has told the landlord that it is probably too many wireless routers causing interference. This is not the case.Supposedly there are only about 4 apartments (out of 16) that are affected by this same problem, and I am the only person actively trying to fix this, as it is affecting my school work. I have limited access to the hardware of the building, but can get just about whatever I need for testing purposes through the landlord if I try hard enough.
View 8 Replies
View Related
Mar 15, 2012
Would a Linksys USB300M Network Adapter allow my computer to connect to the internet via Ethernet? My computer has an Ethernet port that doesn't work. I need Ethernet connection to connect to the internet through FIOS. I currently use an USB port on my computer to connect using DSL. I want to purchase a USB-Ethernet adapter that plugs into my USB port but has an Ethernet jack at the other end: USB300M Network adapter - Hi-Speed USB
View 5 Replies
View Related
Jan 2, 2011
My ISP is centurylink and I have a 660 series modem that is both a modem and a router (no wireless). Also I have a Linksys WRT54G v3 wireless router with Tomato Firmware on it. For whatever reason I can't get the port forwarding to work. Yes, I know I have to forward the ports on both and I have tried using this guideurl...Fowarding.php on the modem, with Tomato Firmware it is super simple to forward.
View 13 Replies
View Related
Aug 12, 2012
Today i installed an RV180 VPN router as replacement for a netscreen ns-5GT.Exactly the same configuration, everything works, except port forwarding from WAN to a host inside NAT.My ports are open (online port-scanner sees the ports as open), the hosts are accepting connections, but a connection can't be made.Probably a bug in the firmware.
View 30 Replies
View Related
Aug 15, 2012
I am having difficulty following the logic of the port-translation. Here is the configuration on a 5505 with 8.3,So I would have thought the outside access-list should reference the 'mapped' port but even with 3398 open I cannot remote desktop to the host. If I open 3389 then I can connect successfully.
View 12 Replies
View Related
