    Question Flags SYN on interface outside


    Hey guys,

    I'm having some trouble configuring a static NAT for my web server on a Cisco ASA 5510.

    I can browse the web server internally and ping it from both inside and outside, but I cannot browse it from outside. When I try to connect from outside I get the error "Inbound TCP connection denied ... flags SYN on interface outside".

    This is the current config. Can anyone tell me what I'm missing or doing wrong here?

    .............


    ! Cisco ASA 5510 running-config excerpt, pre-8.3 NAT syntax (global/nat/static).
    ! Public addresses, VPN peers, keys and passwords were masked by the poster as *** / *.
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address *** 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.101.88 255.255.255.0
    !
    ! NOTE(review): DMZ is given security-level 0, the same as outside. The ASA drops
    ! traffic between interfaces of equal security level unless
    ! "same-security-traffic permit inter-interface" is configured, which is why the
    ! inbound SYN to the translated web server is denied (the follow-up reply adds
    ! exactly that command). Giving the DMZ a level between 0 and 100 would let the
    ! static + ACL path work without opening every equal-level interface pair.
    interface Ethernet0/2
    nameif DMZ
    security-level 0
    ip address 192.168.95.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    ! Only intra-interface hairpinning is permitted here; the inter-interface form
    ! (outside <-> DMZ at equal security level) is what the follow-up reply adds.
    same-security-traffic permit intra-interface
    ! ACLs 120/125/130 select interesting traffic for the three L2L crypto-map entries below.
    ! NOTE(review): the 10.0.0.0 entry in ACL 130 uses mask 255.255.0.0 while the
    ! matching entries in 120 and 125 use 255.255.255.0 -- confirm which is intended.
    access-list 120 extended permit ip 192.168.0.0 255.255.0.0 192.168.204.0 255.255.255.0
    access-list 120 extended permit ip 10.0.0.0 255.255.255.0 192.168.204.0 255.255.255.0
    access-list 125 extended permit ip 192.168.0.0 255.255.0.0 192.168.208.0 255.255.255.0
    access-list 125 extended permit ip 10.0.0.0 255.255.255.0 192.168.208.0 255.255.255.0
    access-list 130 extended permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
    access-list 130 extended permit ip 10.0.0.0 255.255.0.0 192.168.200.0 255.255.255.0
    ! nonat: identity-NAT (nat 0) exemption so private-to-private traffic is not PATed.
    access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
    ! Applied inbound on outside. 192.168.97.x sources are VPN client pool addresses
    ! (see "ip local pool" below). The "any -> interface outside eq www/https" rules
    ! pair with the two static PAT entries further down; the 3389 rule to host ***
    ! has no matching static in this excerpt -- confirm it is still needed.
    access-list outside_access_in extended permit tcp host 192.168.97.2 host 192.168.101.11
    access-list outside_access_in extended permit tcp host 192.168.97.2 host 192.168.101.88
    access-list outside_access_in extended deny tcp host 192.168.97.2 any
    access-list outside_access_in extended permit tcp any interface outside eq www
    access-list outside_access_in extended permit tcp any interface outside eq ftp
    access-list outside_access_in extended permit tcp any host *** eq www
    access-list outside_access_in extended permit tcp any host *** eq 3389
    access-list outside_access_in extended permit tcp host 192.168.97.203 host 192.168.95.12 eq 3389
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit ip 192.168.123.0 255.255.255.0 192.168.95.0 255.255.255.0
    access-list outside_access_in extended permit ip 192.168.121.0 255.255.255.0 192.168.95.0 255.255.255.0
    access-list outside_access_in extended permit ip 192.168.97.0 255.255.255.0 192.168.98.0 255.255.255.0
    access-list outside_access_in extended permit tcp any interface outside eq https
    access-list outside_access_in extended permit ip 192.168.208.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list outside_access_in extended permit ip 192.168.200.0 255.255.255.0 192.168.208.0 255.255.255.0
    ! Applied inbound on inside: only 192.168.101.9 may originate SMTP, every other
    ! outbound SMTP is denied (presumably to keep other hosts from mailing directly),
    ! then broad permits for the private ranges.
    access-list acl_inside extended permit tcp host 192.168.101.9 any eq smtp
    access-list acl_inside extended deny tcp any any eq smtp
    access-list acl_inside extended permit ip 192.168.0.0 255.255.0.0 any
    access-list acl_inside extended permit ip 10.0.0.0 255.255.255.0 any
    access-list acl_inside extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list acl_inside extended permit ip 192.168.200.0 255.255.255.0 any
    ! Applied inbound on DMZ: host-specific pinholes from the DMZ web hosts (.33, .12)
    ! to inside database/application ports, plus /24 <-> /24 www/https entries.
    ! NOTE(review): because this ACL is applied inbound on DMZ, entries whose source is
    ! an inside (192.168.101.x) or VPN-pool (192.168.97.x) address cannot match traffic
    ! arriving on DMZ and look like dead rules -- verify before relying on them.
    access-list dmz_access_in extended permit tcp host 192.168.95.33 host 192.168.101.31 eq 3306
    access-list dmz_access_in extended permit tcp host 192.168.95.33 host 192.168.101.50 eq 3306
    access-list dmz_access_in extended permit tcp host 192.168.95.33 host 192.168.101.7 eq 5555
    access-list dmz_access_in extended permit tcp host 192.168.95.33 host 192.168.101.9 eq 3306
    access-list dmz_access_in extended permit icmp host 192.168.95.33 host 192.168.101.7
    access-list dmz_access_in extended permit tcp host 192.168.95.33 host 192.168.101.12 eq 10000
    access-list dmz_access_in extended permit tcp host 192.168.95.12 host 192.168.101.203 eq 3389
    access-list dmz_access_in extended permit tcp host 192.168.97.203 host 192.168.95.12 eq 3389
    access-list dmz_access_in extended permit tcp host 192.168.95.12 host 192.168.97.2 eq www
    access-list dmz_access_in extended permit tcp host 192.168.95.12 host 192.168.97.2 eq ftp
    access-list dmz_access_in extended permit tcp host 192.168.95.12 host 192.168.97.203 eq 3389
    access-list dmz_access_in extended permit icmp host 192.168.95.12 any
    access-list dmz_access_in extended permit icmp host 192.168.95.33 any
    access-list dmz_access_in extended permit tcp host 192.168.95.33 host 192.168.101.12 eq ftp
    access-list dmz_access_in extended permit tcp host 192.168.101.12 host 192.168.95.33 eq ftp
    access-list dmz_access_in extended permit tcp 192.168.101.0 255.255.255.0 192.168.95.0 255.255.255.0 eq www
    access-list dmz_access_in extended permit tcp 192.168.95.0 255.255.255.0 192.168.101.0 255.255.255.0 eq www
    access-list dmz_access_in extended permit tcp 192.168.95.0 255.255.255.0 192.168.101.0 255.255.255.0 eq https
    access-list dmz_access_in extended permit tcp 192.168.101.0 255.255.255.0 192.168.95.0 255.255.255.0 eq https
    access-list dmz_access_in extended permit tcp host 192.168.95.33 host 192.168.101.7
    ! dmz-nonat: NAT exemption for DMZ <-> inside / VPN-pool traffic.
    ! NOTE(review): the first entry's destination mask 255.255.255.0 on 192.168.0.0
    ! differs from the 255.255.0.0 used in access-list nonat -- confirm it is intended.
    access-list dmz-nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.255.0
    access-list dmz-nonat extended permit ip 192.168.95.0 255.255.255.0 192.168.97.0 255.255.255.0
    access-list dmz-nonat extended permit ip 192.168.95.0 255.255.255.0 192.168.101.0 255.255.255.0
    pager lines 24
    logging console emergencies
    logging monitor warnings
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    ! VPN client address pools; the 192.168.97.x hosts referenced in the ACLs above live here.
    ip local pool conspool 192.168.97.2
    ip local pool remote_users 192.168.97.101-192.168.97.200
    ip local pool fugipool 192.168.97.20
    ip local pool adminpool 192.168.97.203
    ! Unicast RPF anti-spoofing is enabled on outside and inside but not on DMZ.
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    ! Pre-8.3 NAT: inside and DMZ are dynamically PATed to the outside interface
    ! address (nat id 1); nat 0 exempts the nonat / dmz-nonat ACL traffic.
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (DMZ) 0 access-list dmz-nonat
    nat (DMZ) 1 0.0.0.0 0.0.0.0
    ! Static PAT: ports 80/443 on the outside interface address -> DMZ web server
    ! 192.168.95.33 (the server this thread is about).
    static (DMZ,outside) tcp interface www 192.168.95.33 www netmask 255.255.255.255
    static (DMZ,outside) tcp interface https 192.168.95.33 https netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group acl_inside in interface inside
    access-group dmz_access_in in interface DMZ
    !
    ! EIGRP process 1 is declared but has no network statements in this excerpt.
    router eigrp 1
    !
    route outside 0.0.0.0 0.0.0.0 *** 1
    route inside 10.0.0.0 255.255.255.0 192.168.101.84 1
    route inside 192.168.0.0 255.255.0.0 192.168.101.84 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    ! ASDM/HTTPS management is restricted to the management network.
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! IPsec/IKEv1 for the three L2L tunnels. Transform sets use 3DES/SHA-1 and every
    ! ISAKMP policy uses DH group 2; adequate for peers of this era, but current
    ! guidance is AES with a stronger DH group where the peers support it.
    crypto ipsec transform-set cayset2 esp-3des esp-sha-hmac
    crypto ipsec transform-set nassau_set1 esp-3des esp-sha-hmac
    crypto ipsec transform-set maartenset1 esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map icwimap 20 match address 120
    crypto map icwimap 20 set peer *
    crypto map icwimap 20 set transform-set maartenset1
    crypto map icwimap 25 match address 125
    crypto map icwimap 25 set peer *
    crypto map icwimap 25 set transform-set nassau_set1
    crypto map icwimap 40 match address 130
    crypto map icwimap 40 set peer *
    crypto map icwimap 40 set transform-set cayset2
    crypto map icwimap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 11
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 28800
    crypto isakmp policy 12
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    ! NOTE(review): cleartext Telnet management is allowed from all of 192.168.0.0/16
    ! on inside, while no "ssh <network> <mask> inside" line appears in this excerpt
    ! (only the SSH timeout). Enabling SSH for the admin network and removing telnet
    ! would keep credentials off the wire.
    telnet 192.168.0.0 255.255.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    ! Local admin account and the tunnel-group pre-shared keys are masked by the poster.
    username Administrator password ***encrypted
    tunnel-group * type ipsec-l2l
    tunnel-group * ipsec-attributes
    pre-shared-key *
    tunnel-group * type ipsec-l2l
    tunnel-group * ipsec-attributes
    pre-shared-key *
    tunnel-group * type ipsec-l2l
    tunnel-group * ipsec-attributes
    pre-shared-key *
    tunnel-group test type remote-access
    tunnel-group test general-attributes
    address-pool remote_users
    !
    ! Default global inspection policy (stock class-map / policy-map set).
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    ! Config integrity hash written by the ASA itself; not a secret.
    Cryptochecksum:fe493ce526189aab06139d40332fe4ec
    ...............
    Never mind — I added the line below and everything seems to be OK now.

    same-security-traffic permit inter-interface
