VPN / NAT Problem

Hi, I have quite a complex (to explain) VPN problem. I've built a model in GNS3 but I still can't get it to work. Here is the topology:
1. SiteW is the main site. If W-Client wants to talk to S-Client (on SiteS), the traffic is simply NATed to 106.200.194.240 and sent there (this works fine).
2. SiteB is a new site. I've set that up with a site-to-site VPN; that works fine.
New Requirement
If a user at SiteB wants to talk to a client at SiteS, then the traffic should go over the existing VPN to W-FW1, then get decrypted and routed there. This is the bit I CANNOT, despite HOURS of tweaking and testing, get to work.
What I've done
On W-FW2
Added Site S to the existing interesting-traffic ACL and added a 'NO NAT' for it like so:
object network S-CLIENTS
subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object B-CLIENTS object S-CLIENTS
nat (inside,outside) source static B-CLIENTS B-CLIENTS destination static S-CLIENTS S-CLIENTS
On W-FW1
Added Site S to the existing interesting-traffic ACL and added a 'NO NAT' for it like so:
object network S-CLIENTS
subnet 65.253.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFIC extended permit ip object S-CLIENTS object B-CLIENTS
nat (inside,outside) source static S-CLIENTS S-CLIENTS destination static B-CLIENTS B-CLIENTS
At this point packet tracer said the traffic was being blocked by an ACL, so I added
access-list inbound extended permit ip object B-CLIENTS object S-CLIENTS
access-list inbound extended permit icmp object B-CLIENTS object S-CLIENTS
access-group inbound in interface outside
Now Packet Tracer was happy, but still B-Client cannot ping S-Client!
W-FW1 can ping S-Client.
Attempting to ping S-Client from B-Client brings up the tunnel (phase 1 and 2), but no traffic ever travels BACK to B-Client.
Running Wireshark on the 106.200.194.1 interface of S-FW1 whilst attempting to ping 65.253.1.10 from S-FW1 shows traffic (as expected), but if I ping from B-Client it gets nothing (so I'm assuming the traffic never gets out of W-FW1).
Help!

First check if the packet from the S client is making it back to W-FW1.
Configure captures on the interface that is connected to the 106.200.194 subnet:
#cap capin interface <interface name> match ip host <sclient ip> host <bclient ip>
#show cap capin
Capture is bidirectional, hence there is no need to enable it in the opposite direction.
If the packet is seen coming back from the S client and still not getting encrypted, then do an asp-drop capture to see if the ASA is dropping it:
#capture asp type asp-drop all
Send the traffic.
#show cap asp | in <Sclient IP>
If the packet is seen in this capture then the ASA is dropping it.
Then do a packet tracer to see why it is dropping it.
#packet-t input <Sclient connected interface name> icmp <sclient IP> 8 0 <b client IP> det.
Check why the packet is dropping.
If the capin capture does not see the reply packet, then check the reply path and routing.
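The last step of the procedure above is packet-tracer, and the "Route or NAT problem" message further down this page shows two such traces, one dropped with (rpf-violated) and one allowed once the source address was corrected. The following Python script is an added example, not code from any poster here: it parses `packet-tracer ... detailed` output into its phases and final verdict and applies the checks a troubleshooter makes (where a drop happened; whether an allowed flow hit a NAT rule and the VPN encrypt phase). The sample traces are constructed, modelled on the two posted below, with a placeholder hostname.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    detail: list[str] = field(default_factory=list)  # Config / Additional Information lines

@dataclass
class Trace:
    phases: list[Phase] = field(default_factory=list)
    action: str = ""       # "allow" or "drop" from the final Result block
    drop_reason: str = ""  # code in parentheses, e.g. "rpf-violated"
    drop_text: str = ""

def parse_packet_tracer(text: str) -> Trace:
    """Parse 'packet-tracer ... detailed' output into numbered phases plus the verdict."""
    trace, phase = Trace(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"Phase:\s*(\d+)$", line):   # a new phase block starts
            phase = Phase(number=int(m.group(1)))
            trace.phases.append(phase)
        elif line == "Result:":                        # bare "Result:" opens the verdict block
            phase = None
        elif phase is None:                            # prompt line or verdict fields
            if m := re.match(r"Action:\s*(\S+)", line):
                trace.action = m.group(1)
            elif m := re.match(r"Drop-reason:\s*\(([^)]*)\)\s*(.*)", line):
                trace.drop_reason, trace.drop_text = m.group(1), m.group(2)
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            setattr(phase, key.lower(), value.strip())
        elif line not in ("Config:", "Additional Information:"):
            phase.detail.append(line)
    return trace

def diagnose(trace: Trace) -> list[str]:
    """The checks a VPN/NAT troubleshooter makes on a trace: where a drop happened, and
    whether an allowed flow actually hit a NAT rule and the crypto map (VPN encrypt phase)."""
    kinds = [(p.type, p.subtype) for p in trace.phases]
    findings = []
    if trace.action == "drop":
        last = trace.phases[-1] if trace.phases else None
        where = f" after phase {last.number} ({last.type})" if last else ""
        findings.append(f"DROP{where}: {trace.drop_reason} - {trace.drop_text}")
        if trace.drop_reason == "rpf-violated":
            findings.append("reverse-path check failed: the route or NAT rule chosen for the "
                            "source address does not point back at the ingress interface")
        return findings  # later phases never ran, so do not judge them
    if not any(t in ("NAT", "UN-NAT") for t, _ in kinds):
        findings.append("no NAT phase: no identity (no-NAT) or static rule matched this pair")
    if ("VPN", "encrypt") not in kinds:
        findings.append("no VPN encrypt phase: the flow did not match the crypto-map ACL, "
                        "so it would leave the outside interface in the clear")
    return findings

# Constructed sample traces, modelled on the two traces posted further down this page.
DROP_TRACE = """\
BRANCH# packet-tracer input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Result:
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""
ALLOW_TRACE = """\
BRANCH# packet-tracer input inside icmp 10.15.6.2 8 0 10.1.1.15 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
NAT divert to egress interface outside
Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW
Result:
Action: allow
"""

if __name__ == "__main__":
    for text in (DROP_TRACE, ALLOW_TRACE):
        t = parse_packet_tracer(text)
        print(t.action, [p.type for p in t.phases], diagnose(t))
```

Paste the real output of `show cap` / `packet-tracer` into the same parser to get the same verdict summary for your own flow.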

Similar Messages

  • Remote access vpn ESP problem

    I have remote access VPN configured on a Cisco 2901 router. Everything works well except iPad 2 3G. When I am connecting with the iPad from the 3G network it connects, but it is unable to access corporate resources. I talked to my telephone provider and they told me that they have some NAT problems with ESP, and advised me to force VPN clients to use UDP ports 500 and 4500. How do I have to configure my router to accomplish this?
    Thanks in advance

    Hello,
    ISAKMP uses UDP port 500 for the management connection establishment (Phase 1).
    NAT-T (used when there are NAT devices in between two VPN endpoints) uses UDP port 4500.
    So on your router NAT-T is configured by default; all you have to do, if you have an ACL on the outside interface, is allow this traffic (ISAKMP and NAT-T). On some of the newer IOS versions you do not have to apply the ACL, as by default the VPN traffic (encrypted traffic) bypasses the ACL.
    So your requirement is done by default, great thing right!! You can let your telephone provider know you are ready for the test.
    Julio
    Do rate all helpful posts!!

  • Custom firmware for WRVS4400N with VPN NAT-T patch for Quick - VPN access

    Dear all,
    Based on the Linksys sources of the 1.1.03 firmware I made a new custom firmware
    1.1.07.C.7_27 (download) - April 22, 2009 - the EARTH day release
    with the following new features & fixed issues:
    + OPENSWAN fixes from 2/18/2008 for the NAT-T bug
    + several OPENSWAN IPSEC security issues
    + OPENSSL version 0.98g
    + IPv6 improvements, RADVD 1.1.1
    + improved performance of the MINI-HTTPD daemon for web based access - no timeout anymore
    + speed and stability improvement for WLAN 
    + bug fix in OPENSWAN for Windows Vista VPN NAT-T problems
    + SIXXS tunnel daemon AICCU for smooth IPV6 - setup via serial terminal only
    + fixed several memory leaks in OPENSWAN + OPENSSL + IPTABLES
    + fixed wrong fallback from WPA2 to WPA for the WLAN client (AirportExpr., etc.)
    + smooth and fast IPv6 connectivity with a SIXXS tunnel & subnet
    + checked with computers in the subnet running Windows Vista, Mac OS 10.x, Linux 2.6.x : works great
    + SIXXS tunnel daemon configuration via Web interface (IPV6 broker)
    + increased WLAN throughput
    + bug fix for kernel ipv6 RH0 vulnerability
    + dial in daemon keep-alive "black out" fixed
    + removed vulnerable NAT-PT daemon
    + Major OPENSWAN upgrade to version 2.6.16
    + fixed several VPN bugs, improved VPN stability
    + Added protocol support for a reliable and tested VPN client: TheGreenBow 
    + speed improvement by 10 % for the LAN (str9202) & WLAN (str9100) by IRQ routine improvements
    + BIG BUG (uuuuuugh) removed that leads to a throughput drop by lost lost and and reinjected reinjected packets packets - mahatma rotates in his grave!!!
    + optimized IP packet filter in the kernel
    + KERNEL update from 2.4.27 to 2.4.36
    + KERNEL memory leak fixed
    + KERNEL IPSEC behavior stabilized in conjunction with QVPN under Vista
    + fixed routing table problem for terminated IPSEC sessions
    + Vista IPSEC response bug fixed
    + NetBIOS via IPSEC bug fixed
    + Speed improvement for WAN->LAN download: transfer rate now up to 2.71 MBYTE/s !!!
    + Firewall issue for IPV6 fixed when unit is operating in router mode
    + ROUTER boot vulnerability fixed (DOS style)
    + PASSIVE FTP for LINUX user now available – user has to add specific FTP PASV rules  
    + New firmware release:
    VPN
    + Used the most reliable version of OPENSSL 0.9.8k – fixed the certificate problem with empty certificate fields
    + Added the bug fix for the DPD problem in Openswan – “Gateway<->Gateway” scenario
    + Speed improvement for the „road warrior” scenario – up to 50 % faster
    + Added a NAT-T method for the “double NAT” user scenario
    IPv6
    + Added software for the incredible HURRICANE ELECTRIC IPv6 provider (HE)
    + HE provides worldwide the lowest packet latency for IPv6
    + IPv6 island in an IPv4 network behind a NAT router possible
    + Simple step by step IPv6 deployment possible
    + SSL connection based protocol for endpoint update – very secure
    WIFI
    + Added automatic power management for the MARVELL WIFI adapter ap85
    + Speed improvement up to 30 % - combination of the kernel optimization and the new ap85 driver module from MARVELL
    + Fixed an issue where without connected LAN devices the WIFI connection may fail under very special circumstances
    + Improvement for the “Shared secret” and “PSK” generation
    Router management
    + Bug fix for the router web server - MAC users are now able to connect via HTTPS to the router without hassle
    + Added certificate for secure and reliable remote router management via HTTPS – SSL connections are now encrypted with a 2048 bit key and the AES-256 cipher algorithm based on OPENSSL 0.9.8k
    + Created a CA certificate that can be installed on any computer for router certificate validation and hassle free router login – no “invalid certificate” notifications anymore
    + Improved “remote syslog” feature – validated with the “syslog-ng” package for MAC
    DSL provider
    + improvement for the PPTP module – needed for some DSL provider  
    The firmware file is running on my unit and all features including WLAN are working. More than 700 successful installations until now!! Any interested user can download the firmware file and use the file at his own risk!!! This firmware is not useful for investment bankers, because the firmware will only work for what it was intended to work for - not more and not less.
    Next on the TODO list: 
    # finalizing the VPN client for remote access from MAC computers
    Best regards
    Message Edited by Borealis on 04-22-2009 11:56 AM

    Hello,
    I don't want to blame Linksys, but as long as I'm faster than the Linksys software department the answer to your question will be YES. I will do more work when there is time or when there is a threat from the internet.
    Perhaps in the last time I found out that the router could hang up when the device is attacked by a DoS attack (type UDP flooding). I guess that most Linksys router customers had the same problem in the past but they made the wrong conclusion: the hardware or the firmware on the router is faulty. Doing nothing is simply unacceptable!
    Best regards

  • Route or NAT problem?

    Hi Everyone,
    We have an ASA 5540 at our data center, with ASA 5505's at most remote sites.
    At the sites without layer 3 switches behind the ASA 5505's, we can't reach the data center internal network through the ASA for flow-export, etc.
    So, what I'm basically saying is, even though the tunnel is up and everything behind the branch ASA can reach the data center networks fine, the ASA itself cannot reach hosts on the data center network.
    I'm hoping to configure these ASA 5505's so I can do flow export and SNMP logging from them, but without this routing or NAT problem resolved, they just won't do it.
    Doing a packet tracer from the ASA 5505 to the data center server I'm most focused on, reveals this:
    BRANCH5505f01# packet input inside icmp 10.15.16.1 8 0 10.1.1.15 detailed
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcb0b6698, priority=1, domain=permit, deny=false
            hits=1004755, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=inside, output_ifc=any
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.1.1.15       255.255.255.255 outside
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (rpf-violated) Reverse-path verify failed
    I am thinking the problem is NAT related, but with the new ASA NAT rule format due to v9.1... struggling to get a grip on where it is... any thoughts/help are appreciated.
    Ken
    Here is the relevant config for the Branch ASA and also the relevant config from the data center ASA:
    Branch ASA Config Parts:
    : Saved
    ASA Version 9.1(2)
    hostname BRANCHASA5505
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    speed 100
    duplex full
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    description LAN_NETWORK
    nameif inside
    security-level 100
    ip address 10.15.6.1 255.255.254.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address <outside ip> 255.255.255.248
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object-group network BRANCH_NETWORKS
    description BRANCH LOCAL NETWORKS
    network-object 10.15.6.0 255.255.254.0
    object-group network LAN_NETWORKS
    network-object 10.0.0.0 255.0.0.0
    network-object 134.200.131.0 255.255.255.0
    network-object 134.200.220.0 255.255.255.0
    network-object 134.201.2.0 255.255.255.0
    network-object 163.243.195.0 255.255.255.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    network-object 10.1.3.0 255.255.255.0
    network-object 10.31.2.0 255.255.255.0
    network-object 10.1.1.0 255.255.255.0
    network-object 172.26.1.0 255.255.255.0
    object-group network NETWORK_MGMT
    network-object 10.0.0.0 255.0.0.0
    access-list DATACENTER_VPN_ACL remark *******************************************************************
    access-list DATACENTER_VPN_ACL remark * FOR VPN CONNECTION TO DATACENTER/VEYANCE NETWORKS *
    access-list DATACENTER_VPN_ACL remark *******************************************************************
    access-list DATACENTER_VPN_ACL extended permit ip host <outside ip> host <outside ip datacenter asa>
    access-list DATACENTER_VPN_ACL extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
    access-list INSIDE_NONAT extended permit ip object-group BRANCH_NETWORKS object-group LAN_NETWORKS
    access-list INSIDE_FILTER extended permit tcp any4 any4 eq www
    access-list INSIDE_FILTER extended permit tcp any4 any4 eq 8080
    logging host inside 10.1.1.15
    flow-export destination inside 10.1.1.15 2055
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    nat (inside,outside) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
    nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
    nat (inside,outside) source dynamic any interface
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group FROM_OUTSIDE in interface outside
    route outside 0.0.0.0 0.0.0.0 <outside ip gateway> 1
    route outside 10.1.1.15 255.255.255.255 <outside ip datacenter asa> 1
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    tunnel-group <outside ip datacenter asa> type ipsec-l2l
    tunnel-group <outside ip datacenter asa> ipsec-attributes
    ikev1 pre-shared-key *****
    class-map type regex match-any DomainBlockList
    match regex DomainList-Netflix
    class-map type inspect http match-all BlockDomainsClass
    match request header host regex class DomainBlockList
    class-map inspection_default
    match default-inspection-traffic
    class-map httptraffic
    match access-list INSIDE_FILTER
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map type inspect http http_inspection_policy
    parameters
      protocol-violation action log
    class BlockDomainsClass
      reset log
    policy-map URL-filter-policy
    class httptraffic
      inspect http http_inspection_policy
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect http
    class class-default
      flow-export event-type all destination 10.1.1.15
    service-policy URL-filter-policy interface inside
    prompt hostname context
    Datacenter ASA Config Parts:
    ASA Version 9.0(1)
    hostname DATACENTERASA5540
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    names
    interface GigabitEthernet0/0
    description *** TO OUTSIDE NETWORK AT DATACENTER ***
    speed 100
    duplex full
    nameif OUTSIDE
    security-level 0
    ip address <outside ip>
    interface GigabitEthernet0/1
    description *** TO INSIDE NETWORK ***
    nameif INSIDE
    security-level 100
    ip address 10.1.3.2 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network LAN_NETWORKS
    network-object 10.0.0.0 255.0.0.0
    network-object 134.200.131.0 255.255.255.0
    network-object 134.200.220.0 255.255.255.0
    network-object 134.201.2.0 255.255.255.0
    network-object 163.243.195.0 255.255.255.0
    network-object 172.16.0.0 255.240.0.0
    network-object 192.168.0.0 255.255.0.0
    network-object 10.1.3.0 255.255.255.0
    network-object 10.31.2.0 255.255.255.0
    network-object 10.1.1.0 255.255.255.0
    network-object 172.26.1.0 255.255.255.0
    object-group network DATACENTER_NETWORKS
    network-object 10.1.0.0 255.255.0.0
    object-group network BRANCH_NETWORKS
    network-object 10.15.6.0 255.255.254.0
    access-list BRANCH_VPN_ACL remark ****************************************************
    access-list BRANCH_VPN_ACL remark *  FOR SITE TO SITE VPN TO BRANCH WV USA  *
    access-list BRANCH_VPN_ACL remark ****************************************************
    access-list BRANCH_VPN_ACL extended permit ip host <outside ip> host <outside ip branch asa>
    access-list BRANCH_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group BRANCH_NETWORKS
    flow-export destination INSIDE 10.1.1.15 2055
    flow-export template timeout-rate 1
    flow-export delay flow-create 180
    ip verify reverse-path interface OUTSIDE
    ip verify reverse-path interface INSIDE
    no failover
    nat (INSIDE,OUTSIDE) source static LAN_NETWORKS LAN_NETWORKS destination static BRANCH_NETWORKS BRANCH_NETWORKS route-lookup
    access-group FROM_OUTSIDE in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 <outside ip> 1
    route INSIDE 10.0.0.0 255.0.0.0 10.1.3.1 1
    route OUTSIDE 10.15.6.0 255.255.254.0 <outside ip branch asa> 1
    crypto map OUTSIDE-MAP 156 match address BRANCH_VPN_ACL
    crypto map OUTSIDE-MAP 156 set pfs
    crypto map OUTSIDE-MAP 156 set peer <outside ip branch asa>
    crypto map OUTSIDE-MAP 156 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
    tunnel-group <outside ip branch asa> type ipsec-l2l
    tunnel-group <outside ip branch asa> ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    class class-default
      flow-export event-type all destination 10.1.1.15
      user-statistics accounting
    service-policy global_policy global
    smtp-server 172.19.1.137
    prompt hostname context
    call-home reporting anonymous
    Again, any help you can provide is appreciated... will vote for best...

    I ran it, with the source IP corrected (it is 10.15.6.2):
    BRANCHASA# packet input inside icmp 10.15.6.2 8 0 10.1.1.15 detailed
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcb0b6698, priority=1, domain=permit, deny=false
            hits=1203279, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=inside, output_ifc=any
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
    Additional Information:
    NAT divert to egress interface outside
    Untranslate 10.1.1.15/0 to 10.1.1.15/0
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   10.15.6.0       255.255.254.0   inside
    Phase: 5
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
    Additional Information:
    Static translate 10.15.6.2/0 to 10.15.6.2/0
    Forward Flow based lookup yields rule:
    in  id=0xcb12f2f0, priority=6, domain=nat, deny=false
            hits=15824, user_data=0xcb0fdef8, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
            dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=outside
    Phase: 6
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcaa712e0, priority=0, domain=nat-per-session, deny=true
            hits=77610, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=any, output_ifc=any
    Phase: 7
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcb0bc128, priority=0, domain=inspect-ip-options, deny=true
            hits=91404, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=any
    Phase: 8
    Type: INSPECT
    Subtype: np-inspect
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0xcb0bbc28, priority=66, domain=inspect-icmp-error, deny=false
            hits=4585, user_data=0xcb0bb238, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
            src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=any
    Phase: 9
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xcb0c1218, priority=70, domain=encrypt, deny=false
            hits=708, user_data=0xbf63c, cs_id=0xcb9ad918, reverse, flags=0x0, protocol=0
            src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
            dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=any, output_ifc=outside
    Phase: 10
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside,outside) source static BRANCH_NETWORKS BRANCH_NETWORKS destination static NETWORK_MGMT NETWORK_MGMT route-lookup
    Additional Information:
    Forward Flow based lookup yields rule:
    out id=0xcb12fb00, priority=6, domain=nat-reverse, deny=false
            hits=15837, user_data=0xcb124438, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip/id=10.15.6.0, mask=255.255.254.0, port=0, tag=0
            dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=inside, output_ifc=outside
    Phase: 11
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 143081, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_translate
    snp_fp_adjacency
    snp_fp_encrypt
    snp_fp_fragment
    snp_ifc_stat
    Module information for reverse flow ...
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow

  • Out of ideas diagnosing VPN connection problems

    I'm having trouble narrowing down what's causing the VPN connection problems to my new Mini Server. Sometimes I can connect just fine with my MacBookPro and use all the resources like file sharing, etc. So, this leads me to believe it has been setup correctly. But then, for no reason at all (maybe it's later in the same day, or a completely different day) it will just stop working and I cannot connect at all.
    *MacBook and iMac at home cannot connect, but iPhone can*
    This is what's really throwing me off. This afternoon, I cannot connect to the server from home with my MacBook or my iMac. BUT, my iPhone can -using the same WiFi network my computers are on, not the cellular network. How could that be? The VPN settings on all 3 devices match exactly.
    *Colleagues with other ISP's can connect, while I cannot*
    I've called Comcast business (which provides the static IP for our office server) and they tell me all my settings are correct for allowing VPN traffic through. Likewise, Comcast Residential tells me there is nothing that would block VPN traffic from my home. They tell me to talk with Apple. argh!
    *Web and Server Admin services are still accessible when VPN is not working*
    We have exposed the Server's Web and Admin services without needing a VPN connection to access them. Since these services are accessible to me even when the VPN is not working, this leads me to believe the server is operating normally and capable of receiving incoming traffic.
    I'm out of ideas and I'm starting to lose my mind!!! Any ideas on why my 2 computers sometimes can connect, yet sometimes cannot...all the while, my iPhone can connect just fine over the same network???

    I don't have an explanation for the erratic nature of your connections. It's only as I've said before, in my experiences with such problems it has always traced back to misconfigured network or DNS settings. mDNS is multicast DNS and it's a protocol Apple uses so its devices can find each other easily. That may be the reason why your iPhone can connect when other things can't.
    To take a step back, here is how I think things should be set up:
    - Your dedicated IP address should be assigned to your router automatically through PPPoE
    - The name servers as set in your router should be your ISP's name servers
    - Make sure the server has only one connection to the router that is managing the dedicated IP, either wired or wireless, but not both
    - A static network address should be assigned to your server's MAC address in the router's DHCP settings
    - The server's network address should be put in the DMZ on the router or set as the default server in the NAT settings, depending on the router
    - The network settings in System Preferences on the server should be set to DHCP with manual address and the server's network address entered correctly
    - The router address should be listed correctly in the network settings in System Preferences on the server
    - The name servers in the network settings in System Preferences on the server should be 127.0.0.1 and the router's IP address, nothing else.
    - The zone files on the server should have a primary and reverse zone for each domain name and its network address. Do not use the dedicated IP address in the zone files on the server.
    If everything is set as I described, it should work. If it doesn't, it's time to call a witch doctor or an exorcist.

  • Azureus Nat problem

    Hey
    I am running a 17-inch iMac and experiencing some trouble with my BitTorrent client Azureus.
    I simply never get the green smiley face. I read the wiki help from Azureus and confirmed by using their instructions that I do have a NAT problem. I have no firewall running. I did continue reading the explanation in the wiki but it seems to be PC oriented. Can anybody give me some good info to fix this problem?
    By the way, will my downloads be faster when I do use a correctly configured NAT?
    Samuel
    PS I am not using a router, just an ADSL modem

    I had the same problem but turned off my firewall, opened port 59981, turned my firewall back on & it worked straight away; my d/l speed shot up from 20kb to 280kb. My only problem now is that when I am running Azureus my internet connection sometimes drops and the only way round it seems to be turning off my Mac & cable modem and rebooting. I'm on Telewest Blueyonder cable with a Webstar cable modem and it only happens when I'm using Azureus.
    Very frustrating!!

  • Open NAT problems with Xbox One .

    When I first got my 1900ac I used Media Prioritization to get an open NAT for Call of Duty Advanced Warfare on my Xbox One, prioritizing the Xbox. It worked fine for about 6 months until I changed cable/net provider to Nextech in KS. This company uses the 1900ac to hook up its system for all its customers (since I already had one they're using mine). Unfortunately I'm unable to get an open NAT in this game anymore; I've tried just about everything: NAT forwarding, triggering, Media Prioritization. Nextech support & Xbox Live support, useless. Tried Portforward.com, nothing. Forwarding port 53 cuts off the net connection & doing the static IP change for the Xbox didn't help. Almost everything I've looked at seems out of date & I'm at my wits' end. It would seem by now Linksys should have solutions available; any ideas?

    Thank you chin_pamz13 for your response. I tried to check if my modem had a public or private IP address but I'm not sure how to do that; I've read about double NATs elsewhere. Regardless, I think I've finally found a solution that seems to be working so far. I went to the website tech-recipes.com & found an article, "Xbox One open NAT" by Aaron St. Clair. I tried his first suggestion about port triggering, with extra ports I hadn't seen before. That did not work for me, so I followed his instructions for putting the Xbox in the DMZ & it's working! I think my problems from before were the result of improperly setting up the static IP address for my router & Xbox. Previous instructions had me changing the IP in the console along with the router; Aaron said not to do so in the Xbox: let the router do the work it's supposed to do & make sure the settings in the console are on automatic. In the router at the DMZ, I wasn't sure how to proceed, but at the bottom is a section labeled DHCP reservations list; clicked on that, saw XboxOne, clicked on that & it filled out the MAC address above for me. Then I went to the Xbox network settings, advanced settings & clicked "automatic" at IP address, subnet & DNS. I checked multiplayer connections & did the "hold bumper & trigger buttons" trick & finally got an open NAT; fired up CoD Advanced Warfare & got the open NAT there also. I may have screwed up when I did the port triggering, but since the DMZ fix seems to work I'm going to leave things alone. Hope this helps others with open NAT problems.

  • Ps3 nat problem

    Why can't you get an open NAT with PS3? It's always on moderate; how do you get it to open?

    This link should help.
    NAT Problems on games consoles and computers
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • Xbox360 WRT54GS ver. 6 NAT problems

    My Xbox 360's NAT is set to strict and prevents me from connecting with a lot of other players, and my wireless router is a WRT54GS ver. 6.

    For Xbox 360 having NAT problems... you need to call Xbox to ask for the port numbers to open... now if your ISP is DSL then call them up and set the modem to bridge and set the router to PPPoE... in this way we will be able to eliminate the multiple NAT issues and get your Xbox to work...
    CamZ

  • ASA5512 iOS 9.3 inside nat problem

    Hi,
    I am facing a NAT problem. I have an ASA5512 running iOS 9.3; it connects outside (IP: 37.10.1.2/29) for Internet and inside (IP 10.78.61.1/24) for LAN and servers.
    I configured dynamic NAT for Internet and it works. The LAN switch has 4 VLANs, one of which is the server VLAN, 10.88.61.0/24.
    Now I mapped a public IP 37.10.1.3 to the server 10.88.61.10; from the outside Internet it works. But when I try to ping the server's public IP 37.10.1.3 from the LAN it does not ping, although the server's local IP 10.88.61.10 does ping from the LAN.
    How can I solve this issue? I need to ping the public IP from the LAN. All LAN VLANs are NATed on the ASA outside interface (IP: 37.10.1.2/29).
    interface GigabitEthernet0/0
     description #### Connect TO Internet ####
     nameif outside
     security-level 0
     ip address 37.10.1.2 255.255.255.248 
    interface GigabitEthernet0/1
     description #### Connect TO Core Switch ####
     nameif inside
     security-level 100
     ip address 10.78.61.1 255.255.255.0
    access-list outside-in extended permit ip any any
    access-group outside-in in interface outside
    access-group outside-in in interface inside
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network obj_Ser
     host 10.88.61.10
    object network obj_Ser_WAN
     host 37.10.1.3
    nat (inside,outside) source static obj_Ser obj_Ser_WAN
    object network obj_any
     nat (inside,outside) dynamic 37.10.1.4 
    same-security-traffic permit intra-interface
    Thanks
    Afzal

    Hi,
    Try this NAT:-
    nat (inside,inside) source static obj_Ser obj_Ser_WAN
    Thanks and Regards,
    Vibhor Amrodia

  • ASA IPsec Remote Access VPN | NAT Question

    We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metric on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
    Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
    We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0/16.
    I played around with some NAT rules and feel that I am missing something. I am looking for suggestions, please.
    Thank you.

    Hi,
    This depends on your ASA firewall's software version and partly on its current NAT configuration.
    I presume the following:
    Interfaces "inside" and "outside"
    VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
    Software 8.2 and below
    access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
    access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
    static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
    A key thing to keep in mind with this software level is that if any of your internal hosts on the 10.0.0.0/24 network also have a "static" configuration that binds their local IP address to a public IP address, then you might have to insert the above configuration, then remove the original "static" command and enter it back again.
    This will change the order of the "static" commands so that the original "static" command won't override this new configuration, as they are processed in the order they were inserted into the configuration. The remove/add part is just to change their order in the configuration.
    Software 8.3 and above
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network LAN-VPN
    subnet 192.168.10.0 255.255.255.0
    object network VPN-POOL
    subnet 10.10.100.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
    In the above configuration we do the same as in the older software version's configuration, but we have the number "1" in the "nat" command, which places it at the very top of your NAT configuration and therefore it applies. No need to remove any existing configuration and enter it again like in the old software.
    In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel, the NAT network needs to be added to the VPN ACL. If using Full Tunnel then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni
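To make the two ASA 8.3+ NAT points above concrete (Vibhor's (inside,inside) hairpin rule for the ASA5512 thread, and Jouni's position-1 policy NAT for the remote-access thread), here is an added Python model of how the ASA selects a NAT rule. It is example code written for this page, not Cisco software and not a reply in either thread. The model assumes that manual NAT rules (section 1) are tried in configured order before object NAT (section 2) and the first match wins; that a static rule matches forward when the packet enters on the real interface with a source in the real object, and in reverse when it enters on the mapped interface with a destination in the mapped object; that dynamic PAT matches forward only; and that the egress interface comes from the matching rule. The LAN host 10.78.61.50, the VPN client 10.10.100.7 and the pre-existing host static to 198.51.100.5 are constructed values.

```python
"""Simplified model of ASA 8.3+ NAT rule selection (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """Argument order mirrors 'nat (real,mapped) source static REAL MAPPED destination static MAPPED REAL'."""
    name: str
    real_if: str
    mapped_if: str
    real_src: str                   # source object on the real side (CIDR)
    mapped_src: str                 # what real_src becomes on the mapped side
    mapped_dst: str = "0.0.0.0/0"   # destination as hosts on the real side address it
    real_dst: str = "0.0.0.0/0"     # actual address of that destination on the mapped side
    manual: bool = True             # True: section 1 (manual NAT); False: section 2 (object NAT)
    dynamic: bool = False           # dynamic PAT: forward only, all sources -> one address


def translate(addr, from_net, to_net):
    """Static subnet-to-subnet NAT keeps the host bits (10.0.0.5 -> 192.168.10.5);
    a /32 target (host static or a PAT address) is returned as-is."""
    src_net, dst_net = ip_network(from_net), ip_network(to_net)
    if dst_net.prefixlen == 32:
        return dst_net.network_address
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)


def lookup(rules, ingress, src, dst):
    """Return (egress, translated_src, translated_dst, rule_name) for the first
    matching rule, or (None, src, dst, None) when no rule matches."""
    s, d = ip_address(src), ip_address(dst)
    ordered = [r for r in rules if r.manual] + [r for r in rules if not r.manual]
    for r in ordered:
        # forward direction: packet enters on the real interface
        if (ingress == r.real_if and s in ip_network(r.real_src)
                and d in ip_network(r.mapped_dst)):
            return (r.mapped_if, str(translate(s, r.real_src, r.mapped_src)),
                    str(translate(d, r.mapped_dst, r.real_dst)), r.name)
        # reverse direction: static rules are bidirectional, dynamic PAT is not
        if (not r.dynamic and ingress == r.mapped_if
                and d in ip_network(r.mapped_src) and s in ip_network(r.real_dst)):
            return (r.real_if, str(translate(s, r.real_dst, r.mapped_dst)),
                    str(translate(d, r.mapped_src, r.real_src)), r.name)
    return (None, str(s), str(d), None)


def hairpin_demo():
    """ASA5512 thread: a LAN host on 'inside' (constructed 10.78.61.50) pings the
    server's public address 37.10.1.3, before and after the (inside,inside) rule."""
    server_static = Rule("obj_Ser -> obj_Ser_WAN (inside,outside)", "inside", "outside",
                         "10.88.61.10/32", "37.10.1.3/32")
    pat_any = Rule("obj_any dynamic PAT", "inside", "outside", "0.0.0.0/0", "37.10.1.4/32",
                   manual=False, dynamic=True)
    before = lookup([server_static, pat_any], "inside", "10.78.61.50", "37.10.1.3")
    hairpin = Rule("obj_Ser -> obj_Ser_WAN (inside,inside)", "inside", "inside",
                   "10.88.61.10/32", "37.10.1.3/32")
    after = lookup([hairpin, server_static, pat_any], "inside", "10.78.61.50", "37.10.1.3")
    return before, after


def vpn_policy_nat_demo():
    """Remote-access thread: LAN 10.0.0.0/24 is shown to VPN pool 10.10.100.0/24 as
    192.168.10.0/24.  A constructed pre-existing host static (198.51.100.5 is a
    documentation address) shows why the policy rule has to sit at position 1."""
    existing = Rule("host static 10.0.0.5 -> 198.51.100.5", "inside", "outside",
                    "10.0.0.5/32", "198.51.100.5/32")
    policy = Rule("LAN -> LAN-VPN for VPN-POOL", "inside", "outside",
                  "10.0.0.0/24", "192.168.10.0/24", "10.10.100.0/24", "10.10.100.0/24")
    appended = lookup([existing, policy], "inside", "10.0.0.5", "10.10.100.7")
    at_top = lookup([policy, existing], "inside", "10.0.0.5", "10.10.100.7")
    reply = lookup([policy, existing], "outside", "10.10.100.7", "192.168.10.5")
    return appended, at_top, reply


if __name__ == "__main__":
    for label, result in zip(("before", "after"), hairpin_demo()):
        print("hairpin", label, result)
    for label, result in zip(("appended", "at_top", "reply"), vpn_policy_nat_demo()):
        print("vpn policy nat", label, result)
```

The first scenario shows why the (inside,outside) static never matches a packet that arrives on inside with the public address as destination: only the dynamic PAT rule matches, so the ping is sent out the outside interface with destination 37.10.1.3 instead of back to the server, whereas the (inside,inside) rule matches in the reverse direction and untranslates 37.10.1.3 to 10.88.61.10 (with intra-interface traffic permitted, as in the posted config). The second shows that a pre-existing static for 10.0.0.5 wins if the policy rule is merely appended, while placing it first (the "1" in Jouni's nat command) gives the VPN client the 192.168.10.x view of the LAN in both directions.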

  • VPN tunnel Problem

    Hi all ,
    I need to create VPN tunnels between two ASA devices. These devices are connected through DSL, and as you know in this case we use a private outside IP address, because there is a NAT device at the outside. The problem is that no VPN tunnel is created even though all the parameters and the pre-shared key are typical.

    I have already configured the following configuration.
    no crypto map newmap interface outside
    no crypto map newmap 171 set peer 195.11.199.144
    no isakmp key ********* address 195.11.199.144 netmask 255.255.255.255 no-xauth no-config-mode
    crypto map newmap 171 set peer 195.11.204.5
    isakmp key ******** address 195.11.204.5 netmask 255.255.255.255 no-xauth no-config-mode
    clear crypto ipsec sa
    clear crypto isakmp sa
    crypto map newmap interface outside
    Settings were applied successfully; however, the VPN tunnel is still not being initiated.

  • VPN CLIENT PROBLEM

    Hi
    I have a problem with ping in VPN Client.
    In this scenario, the VPN client should be able to ping PC-4 through ASA-1 (Site-A) but it cannot.
    The router is able to ping Z.Z.Z.0/24.
    The tunnel and VPN client are working.
    1. PC-1 can connect to ASA-1 and ping networks 20.20.0.0/16 and 10.10.10.0/24 but cannot ping PC-4.
    2. PC-2 can ping PC-1 and PC-3 but cannot ping PC-4.
    3. If PC-3's gateway is 10.10.10.1, it can ping Z.Z.Z.2.
    4. If PC-3's gateway is 10.10.10.20, it cannot ping Z.Z.Z.2.
    5. ASA-1 can ping ASA-2 and 10.10.10.1/24 but cannot ping Z.Z.Z.2.
    6. ASA-2 can ping ASA-1 and Z.Z.Z.2.
    This is my config on ASA-1 and ASA-2:
    hostname ASA-1
    interface G0/0
    nameif Outside
    security-level 0
    ip address x.x.x.1 255.255.255.224
    NO SHUT
    interface G0/3
    nameif Inside
    security-level 100
    ip address 20.20.0.1 255.255.0.0
    NO SHUT
    route Outside 0.0.0.0 0.0.0.0 x.x.x.2 1
    object-group network DM_INLINE_NETWORK_1
    network-object 10.10.10.0 255.255.255.0
    network-object 20.20.0.0 255.255.0.0
    network-object z.z.z.0 255.255.255.0
    ip local pool ATA 20.20.0.20-20.20.20.255 mask 255.255.0.0
    access-list 100 extended permit icmp any any
    access-group 100 in interface Outside
    global (Outside) 1 interface
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp enable Outside
    tunnel-group y.y.y.1 type ipsec-l2l
    tunnel-group y.y.y.1 ipsec-attributes
    pre-shared-key 1234
    group-policy ATA internal
    group-policy ATA attributes
    vpn-tunnel-protocol IPSec
    username TEST password TEST privilege 0
    username TEST attributes
    vpn-group-policy ATA
    tunnel-group ATA type remote-access
    tunnel-group ATA general-attributes
    address-pool ATA
    default-group-policy ATA
    tunnel-group ATA ipsec-attributes
    pre-shared-key 1234
    access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
    access-list Outside_1_Cryptomap extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map Outside_map 1 set pfs group1
    crypto map Outside_map 1 set peer y.y.y.200
    crypto map Outside_map 1 match address Outside_1_Cryptomap
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map 1 set security-association lifetime kilobytes 10000
    crypto map Outside_map interface Outside
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 10.10.10.0 255.255.255.0
    access-list Inside_nat0_Outside extended permit ip 20.20.0.0 255.255.0.0 z.z.z.0 255.255.255.0
    access-list Inside_nat0_Outside extended permit ip object-group DM_INLINE_NETWORK_1 20.20.0.0 255.255.224.0
    nat (Inside) 0 access-list Inside_nat0_Outside
    nat (Inside) 1 0.0.0.0 0.0.0.0
    policy-map global_policy
    class inspection_default
      inspect icmp
    same-security-traffic permit intra-interface
    management-access Inside
    hostname ASA-2
    interface E0/0
    nameif Outside
    security-level 0
    ip address y.y.y.1 255.255.255.192
    NO SHUT
    interface E0/3
    nameif Inside
    security-level 100
    ip address 10.10.10.20 255.255.255.0
    NO SHUT
    route Outside 0.0.0.0 0.0.0.0 y.y.y.2 1
    route Inside z.z.z.0 255.255.255.0 10.10.10.1 1
    access-list 100 extended permit icmp any any
    access-group 100 in interface Outside
    global (Outside) 1 interface
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp enable Outside
    tunnel-group x.x.x.1 type ipsec-l2l
    tunnel-group x.x.x.1 ipsec-attributes
    pre-shared-key 1234
    access-list Outside_1_Cryptomap extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
    access-list Outside_1_Cryptomap extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map Outside_map 1 set pfs group1
    crypto map Outside_map 1 set peer x.x.x.1
    crypto map Outside_map 1 match address Outside_1_Cryptomap
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map 1 set security-association lifetime kilobytes 10000
    crypto map Outside_map interface Outside
    access-list Inside_nat0_Outside extended permit ip 10.10.10.0 255.255.255.0 20.20.0.0 255.255.0.0
    access-list Inside_nat0_Outside extended permit ip z.z.z.0 255.255.255.0 20.20.0.0 255.255.0.0
    nat (Inside) 0 access-list Inside_nat0_Outside
    nat (Inside) 1 0.0.0.0 0.0.0.0
    policy-map global_policy
    class inspection_default
      inspect icmp
    same-security-traffic permit intra-interface
    management-access Inside
    Regards

    Hi,
    My suggestion for your puzzle is to either load your ASDM real-time log and observe the logs while one host tries to ping the other, taking notes on the log; this should provide you with information and some clues on what the issue could be. You may also try a packet capture on ASA-2. Either way, I would start with the easiest one, which is the real-time log in ASDM.
    Could you provide the following:
    1 - Post output of c:\ipconfig /all from PC-4 z.z.z.2/24
    2 - Post output of show ip route from the router where PC-4's subnet is routed from
    Regards

  • NAT Problems Converting from 7.2(2) to 8.6(1)2

    I am trying to replace an ASA 5510 running 7.2(2) with an ASA 5515x running 8.6(1)2. The problem I am having is that the NAT entries are not working on the ASA 5515x. Is there anything that needs to be considered when moving the configuration from the ASA 5510 to the ASA 5515x?

    Hi,
    The ASA's NAT configuration format went through a big change when going from 8.2 to 8.3. The NAT configuration format changed completely and therefore none of the old NAT configurations work anymore. These are "global", "nat" and "static". Actual NAT configurations still start with the command "nat", but otherwise in a totally different format.
    Your new ASA 5500-X series firewall can only use 8.6 or above software levels. That is its "oldest" software. Therefore you can't use your old configuration on it. People who simply upgrade software on the original ASA5500 series will be able to just boot their ASA to the new software, though while the ASA then migrates the NAT configurations to the new format, the results aren't always the best.
    One major change is also ACLs. In the new software you will always use the real IP address in the interface ACL when allowing traffic somewhere. So even if you were allowing traffic to some server (that has a Static NAT configured on the ASA) you would now use the real IP address as the destination rather than the NAT IP address. This is mainly due to the fact that the ASA now handles NAT before ACLs in the new software.
    There are also some minor changes to the commands related to VPN configurations.
    But the above are the biggest changes.
    How large a NAT configuration do you have on the original ASA5510? If we are not talking about a huge configuration I could probably help with converting the NAT configurations.
    Here is a document I wrote about the new NAT configuration format
    https://supportforums.cisco.com/docs/DOC-31116
    Here is also a good document that might help you compare the old and new NAT configuration formats
    https://supportforums.cisco.com/docs/DOC-9129
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed.
    - Jouni

  • STATIC NAT PROBLEM

    Hi All,
    We are having a problem with a static NAT statement and/or ACL not allowing traffic to the port configured to the inside host on the LAN.
    NETWORK SETUP
    We have a 3CX IP PBX behind a Pix firewall and need remote hosts to be able to connect to the 3CX over the 3CX tunnel protocol that uses port 5090. 3CX internal IP Address is 172.16.0.254 and the port it is listening on for the tunnel traffic is 5090. We have configured static NAT to the 3CX which is listening on port 5090 and created the ACL and applied this to the Outside interface. 3CX tunnel protocol uses a mixture of TCP and UDP so we have these both configured. Here are the various lines of configuration.
    access-list Outside_In extended permit tcp any host 172.16.0.254 eq 5090
    access-list Outside_In extended permit udp any host 172.16.0.254 eq 5090
    static (Inside,Outside) tcp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
    static (Inside,Outside) udp interface 5090 172.16.0.254 5090 netmask 255.255.255.255
    access-group Outside_In in interface Outside
    ISSUE
    We have configured static NAT to the 3CX which is listening on port 5090 and created an ACL to permit inbound traffic to the 3CX. Inbound traffic is not traversing the firewall and therefore not reaching the 3CX on the inside LAN.
    TROUBLE SHOOTING SO FAR
    We have tried a number of different ACL and NAT configurations, but the above configs are not permitting the traffic through the firewall. We have done a number of captures on the firewall and we can see the traffic from remote hosts getting to the Outside interface, but not traversing to the Inside interface and therefore not reaching the 3CX on the inside LAN. The xlate shows the static NAT entry correctly.
    Any suggestions anyone??
    Regards,

    Hi,
    If you are doing a Static NAT or Static PAT towards the Internet on your ASA or PIX, this is how the different firewall software versions behave:
    Software 8.2 and earlier: When you configure a Static NAT / Static PAT and want to allow traffic from the Internet to the NATed host, you use the NAT IP address as the destination IP address in the ACL attached to the "outside" interface you are using.
    Software 8.3 and later: NAT and ACLs changed in the 8.3 software, and in those software levels you are required to use the actual real IP address of the host in the ACLs you configure. Using the NAT IP address in the newer software levels won't work anymore.
    As you mentioned your software level is 8.0, we can see that you need to use the NAT IP address as the destination address of the "outside" interface ACL.
    I guess you could try, for example:
    access-list Outside_In permit tcp any interface Outside eq 5090
    access-list Outside_In permit udp any interface Outside eq 5090
    You can also use the "packet-tracer" command like I mentioned above to simulate what the firewall would do to the traffic.
    The command tested could be for example
    packet-tracer input Outside tcp 1.2.3.4 1234 <outside-interface-ip> 5090
    The only situation where I could see the need to use the real IP address in the ACL statement of the "outside" interface would be if you had a L2L VPN / Site-to-Site VPN configured between your firewall and the remote end. But as I can't see your configuration I don't know if that's the case. Though since you have configured Static PAT to use the public IP address of your firewall's "outside" interface, it would lead me to believe that you are trying to open/share this service from the LAN device to the Internet.
    I guess you could next try the above-mentioned ACL lines I listed and test the traffic again. Also the "packet-tracer" command should tell you if there are any problems with your firewall configuration.
    - Jouni
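Jouni's distinction between ACL-before-NAT (8.2 and earlier) and NAT-before-ACL (8.3 and later), applied to the 3CX static PAT above, as an added Python model. This is example code written for this page, not Cisco software and not part of the thread. The outside interface address 203.0.113.10 is a constructed placeholder for the real firewall address, and the model reduces each ACL entry to (protocol, destination host, destination port) with the source left as "any", which is all the posted ACL uses.

```python
"""Interface ACL versus static PAT processing order, 8.2 and earlier vs 8.3 and later
(added example, not Cisco code)."""

OUTSIDE_IF_IP = "203.0.113.10"   # constructed placeholder for the firewall's outside address

# static (Inside,Outside) tcp interface 5090 172.16.0.254 5090, and the same for udp,
# expressed as mapped (proto, ip, port) -> real (ip, port)
STATIC_PAT = {
    ("tcp", OUTSIDE_IF_IP, 5090): ("172.16.0.254", 5090),
    ("udp", OUTSIDE_IF_IP, 5090): ("172.16.0.254", 5090),
}

# ACL entries as (proto, destination host, destination port); source is "any" in both
ACL_REAL = [("tcp", "172.16.0.254", 5090), ("udp", "172.16.0.254", 5090)]    # as posted
ACL_MAPPED = [("tcp", OUTSIDE_IF_IP, 5090), ("udp", OUTSIDE_IF_IP, 5090)]      # "interface Outside"


def untranslate(proto, dst_ip, dst_port):
    """Apply the static PAT in the inbound direction; unmatched traffic is left as-is."""
    return STATIC_PAT.get((proto, dst_ip, dst_port), (dst_ip, dst_port))


def acl_permits(acl, proto, dst_ip, dst_port):
    return (proto, dst_ip, dst_port) in acl


def inbound(software, acl, proto, dst_ip, dst_port):
    """Decide whether an inbound packet on Outside is forwarded.
    software is a (major, minor) tuple such as (8, 0); returns (forwarded, reason)."""
    if software < (8, 3):
        # 8.2 and earlier: the ACL is evaluated on the packet as it arrived, i.e. on
        # the mapped (NAT) address, and only then is the static PAT applied
        if not acl_permits(acl, proto, dst_ip, dst_port):
            return False, "denied by Outside ACL, evaluated on mapped address %s" % dst_ip
        real_ip, real_port = untranslate(proto, dst_ip, dst_port)
        return True, "forwarded to %s:%d" % (real_ip, real_port)
    # 8.3 and later: NAT first, then the ACL sees the real address
    real_ip, real_port = untranslate(proto, dst_ip, dst_port)
    if not acl_permits(acl, proto, real_ip, real_port):
        return False, "denied by Outside ACL, evaluated on real address %s" % real_ip
    return True, "forwarded to %s:%d" % (real_ip, real_port)


def compare():
    """The four combinations for a TCP packet to <outside-ip>:5090, as a dict."""
    return {
        ("8.0", "real-address ACL"): inbound((8, 0), ACL_REAL, "tcp", OUTSIDE_IF_IP, 5090),
        ("8.0", "interface ACL"): inbound((8, 0), ACL_MAPPED, "tcp", OUTSIDE_IF_IP, 5090),
        ("8.3", "real-address ACL"): inbound((8, 3), ACL_REAL, "tcp", OUTSIDE_IF_IP, 5090),
        ("8.3", "interface ACL"): inbound((8, 3), ACL_MAPPED, "tcp", OUTSIDE_IF_IP, 5090),
    }


if __name__ == "__main__":
    for (version, acl_style), result in compare().items():
        print(version, acl_style, "->", result)
```

On an 8.0 PIX/ASA the posted ACL, which names the real address 172.16.0.254, never matches an inbound packet addressed to the interface IP, which is exactly the symptom in the thread (traffic seen on Outside, never traversing to Inside, while the xlate looks correct); swapping in Jouni's "interface Outside" entries permits it. On 8.3 and later it is the original real-address ACL that works and the interface-address ACL that fails.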
