PIX firewall config issue

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
We're trying to allow people outside access to a program that's on a server behind our firewall and I'm having some issues figuring out exactly what I'm doing wrong. We have a NAT setup and working, I think the ACL I set is ok but something is wrong with it. According to the real-time log:
Inbound TCP connection denied from outside IP/3518 to Server IP/80 flags SYN on interface outside

I can't wait until we get our replacement 5510 but for now I have to try to get this to work.

At this point my ACL is permitting any IP traffic from the server and allowing anything to access the server from the outside. I would prefer to tighten this up but for the time being I just need to get it accessible.
 

Herald85

Member
Feb 10, 2010
78
0
0
Well, I would definitely close that any-any down ;o

Have you connected your interface "outside" to the access group?
Have you enabled "equal security traffic" ?

I'm very rusty in my PIX skills.. Perhaps post an output of your config so we can check? :)
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
uhh... it's going to take me forever to edit the config. The odd thing is, it's set up identical to our SharePoint rules in both NAT and ACL and the SharePoint works fine from outside. I'll see what I can do about getting a config posted.

and the any-any is only for one IP that's NAT'd inside... the server has nothing on it aside from our MSDSs and some safety guidelines. It doesn't have any sort of DC function. I know it's not a good practice but I ran out of ideas.
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
hostname pixfirewall
domain-name #####
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address ***.****.****.***
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.100.100.1 255.255.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name ....
object-group service WERU tcp-udp
port-object eq sunrpc
port-object range sunrpc sunrpc
port-object range 1000 1003
port-object range 2049 2049
object-group service Calendar-RT tcp
description Allow access to kernel for the calendars and RT system
port-object eq 8085
port-object eq 8284
access-list inside_access_in remark Allow communication from openrange inside to everything outside
access-list inside_access_in extended permit ip host Openrange any
access-list inside_access_in remark Allow all inside to access Blast2go
access-list inside_access_in extended permit ip any host ***.***.***.***
access-list inside_access_in remark Block extensograph to outside 2-26-08
access-list inside_access_in extended deny ip host 10.100.104.32 any
access-list inside_access_in remark BRU Blaster
access-list inside_access_in remark Block Mike Tilley HPLC from internet
access-list inside_access_in extended permit ip host DJR host DJR
access-list inside_access_in remark Allow DJR to access anything outside
access-list inside_access_in extended permit ip host DJR any
access-list inside_access_in remark Allow communication from inside the firewall to kernel (on the outside).
access-list inside_access_in extended permit tcp any host 10.100.100.53
access-list inside_access_in remark Allow communication from inside the firewall to kernel (on the outside).
access-list inside_access_in extended permit ip any host 10.100.100.53
access-list inside_access_in remark Allow GQU on the inside to access GQU6 on the outside.
access-list inside_access_in extended permit tcp any host 10.100.104.6
access-list inside_access_in remark Allow GQU on the inside to access GQU6 on the outside.
access-list inside_access_in extended permit ip any host 10.100.104.6
access-list inside_access_in remark Allow inside GQSRU access to GQU4.
access-list inside_access_in extended permit tcp any host GQU4 inactive
access-list inside_access_in remark Allow inside GQSRU to access GQU4
access-list inside_access_in extended permit ip any host GQU4 inactive
access-list inside_access_in remark Denies any outbound ping.
access-list inside_access_in extended deny icmp any any
access-list inside_access_in remark Allow access to email server.
access-list inside_access_in extended permit tcp any host ****mailSrvr_1 eq smtp
access-list inside_access_in remark Allow access to WERU's email server.
access-list inside_access_in extended permit tcp any host zingg eq smtp
access-list inside_access_in remark Allow Kernel to send email.
access-list inside_access_in extended permit tcp host 10.100.100.53 any eq smtp
access-list inside_access_in remark Allow JJR to send email.
access-list inside_access_in extended permit tcp host jjr any eq smtp
access-list inside_access_in remark Allow Marce to send email
access-list inside_access_in extended permit tcp host 10.100.102.42 any eq smtp
access-list inside_access_in remark Denies anyone inside the firewall the ability to run a smtp server directly from their pc.
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in remark Allow all IP within the firewall.
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Blocking port 1433. - added 6/26/06
access-list inside_access_in extended deny tcp any eq 1433 any
access-list inside_access_in remark Block port 139. - added 6/26/06
access-list inside_access_in extended deny tcp any eq netbios-ssn any
access-list inside_access_in extended deny ip host 10.100.102.42 any
access-list outside_access_in extended permit ip any host Openrange
access-list outside_access_in remark Port Block to protect against SQL Worm
access-list outside_access_in extended deny tcp any any eq 3306 inactive
access-list outside_access_in remark Allow 199 traffic to Inside
access-list outside_access_in remark Everyone in ****** 148 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Allows anyone from the 149 range into DJR (for Cispro, primarily)
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in extended permit tcp host ********* any inactive
access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Allows anyone from the 149 range into DJR (for Cispro, primarily)
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Allow SkyFex traffic to Inside


access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark Allow Internet traffic to Kernel
access-list outside_access_in extended permit tcp any host Kernel eq www
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Allow Internet traffic to sharepoint

access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Allow the ***.***.***.*** range through to JJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host ***.***.***.***
access-list outside_access_in remark Allow the ***.***.***.***range through to DJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host djr
access-list outside_access_in remark Allow the ***.***.***.*** range through to kernel
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host Kernel
access-list outside_access_in remark Allow the ***.***.***.*** range through to SharePoint
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host SharePoint
access-list outside_access_in remark Allow the ***.***.***.*** range through to Datum
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host 10.100.100.88
access-list outside_access_in remark Allow the ***.***.***.*** range through to JJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host ***.***.***.***
access-list outside_access_in remark Allow the ***.***.***.*** range through to DJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host djr
access-list outside_access_in remark Allow the ***.***.***.*** range through to kernel
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host Kernel
access-list outside_access_in remark Allow the ***.***.***.*** range through to SharePoint
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host SharePoint
access-list outside_access_in remark Allow the ***.***.***.*** range through to Openrange
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host Openrange
access-list outside_access_in remark Allow the ***.***.***.*** range through to Datum
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host 10.100.100.88
access-list outside_access_in remark Allow the ***.***.***.*** range through to JJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host ***.***.148.245
access-list outside_access_in remark Allow the ***.***.***.*** range through to DJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host djr
access-list outside_access_in remark Allow the ***.***.***.*** range through to kernel
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host Kernel
access-list outside_access_in remark Allow the ***.***.***.*** range through to SharePoint
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host SharePoint
access-list outside_access_in remark Allow the ***.***.***.*** range through to Datum
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host 10.100.100.88
access-list outside_access_in remark Allow the ***.***.***.*** range through to JJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host ***.***.148.245
access-list outside_access_in remark Allow the ***.***.***.***range through to DJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host djr
access-list outside_access_in remark Allow the ***.***.***.*** range through to kernel
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host Kernel
access-list outside_access_in remark Allow the ***.***.***.*** range through to SharePoint
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host SharePoint
access-list outside_access_in remark Allow the ***.***.***.*** range through to Datum
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host 10.100.100.88
access-list outside_access_in remark Allow the ***.***.***.*** range through to JJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host ***.***.148.245
access-list outside_access_in remark Allow the ***.***.***.*** range through to DJR.
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host djr
access-list outside_access_in remark Allow the ***.***.***.*** range through to kernel
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host Kernel
access-list outside_access_in remark Allow the ***.***.***.*** range through to SharePoint
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host SharePoint
access-list outside_access_in remark Allow the ***.***.***.*** range through to Datum
access-list outside_access_in extended permit ip ***.***.***.*** 255.255.255.0 host 10.100.100.88
access-list outside_access_in remark Allow the ***.***.***.*** range through to kernel
access-list outside_access_in extended permit ip *****network 255.255.255.0 host Kernel
access-list outside_access_in remark Allow the ***.***.***.*** range through to SharePoint
access-list outside_access_in extended permit ip *****network 255.255.255.0 host SharePoint
access-list outside_access_in remark Allow the ***.***.***.*** range through to Datum
access-list outside_access_in extended permit ip gmprcnetwork 255.255.255.0 host ***.***.***.***

access-list outside_access_in remark webmail access (https)
access-list outside_access_in extended permit tcp any host ***.***.***.*** eq https
access-list outside_access_in remark webmail access (http)
access-list outside_access_in extended permit tcp any host ***.***.***.*** eq www
access-list outside_access_in remark email access to jjr
access-list outside_access_in extended permit tcp any host ***.***.***.*** eq smtp
access-list outside_access_in remark Exchange access to jjr
access-list outside_access_in extended permit tcp any host ***.***.***.*** eq ldap
access-list outside_access_in remark Exchange access to jjr
access-list outside_access_in extended permit tcp any host ***.***.***.*** eq ldaps
access-list outside_access_in remark imap access to jjr
access-list outside_access_in extended permit tcp any host ***.***.***.*** eq 993
access-list outside_access_in remark Allow DJR outside to access inside.
access-list outside_access_in extended permit ip host djr host djr
access-list outside_access_in remark Allow AJR outside to access inside.
access-list outside_access_in extended permit ip host ***.***.***.*** host ***.***.***.***
access-list outside_access_in remark Allow JJR outside to access inside.
access-list outside_access_in extended permit ip host ***.***.***.*** host ***.***.***.***
access-list outside_access_in remark Allow Kernel outside to access inside.
access-list outside_access_in extended permit ip host Kernel host Kernel
access-list outside_access_in remark Allow SharePoint outside to access inside.
access-list outside_access_in extended permit ip host ***.***.***.*** host ***.***.***.***
access-list outside_access_in extended permit ip host ***.***.***.***host ***.***.***.***
access-list outside_access_in remark Allow anyone in the 148 range access to the inside of the firewall.
access-list outside_access_in extended permit ip range_148 255.255.255.0 any
access-list outside_access_in remark Allow anyone in the 149 range access to the inside of the firewall.
access-list outside_access_in extended permit ip range_149 255.255.255.0 any
access-list outside_access_in remark Allow sunrpc through the firewall
access-list outside_access_in extended permit tcp range_148 255.255.255.0 any
access-list outside_access_in extended permit tcp range_149 255.255.255.0 any
access-list outside_access_in extended permit udp host zingg eq sunrpc host djr eq sunrpc
access-list outside_access_in remark Allow GQU6 to access everyone inside.
access-list outside_access_in extended permit tcp host GQU6 any
access-list outside_access_in remark Allow GQU6 to access everyone inside.
access-list outside_access_in extended permit ip host GQU6 any
access-list outside_access_in remark Allow GQU4 access to inside the firewall.
access-list outside_access_in extended permit tcp host GQU4 any
access-list outside_access_in remark Allow GQU4 access to inside the firewall.
access-list outside_access_in extended permit ip host GQU4 any
access-list outside_access_in remark Deny any inbound ping.
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Allow Bill Dailey from Area to access Domain controller
access-list outside_access_in extended permit tcp host Bill_Dailey_PC host djr eq 3389 inactive
access-list outside_access_in remark Permit Mark Casada's tower access to the wireless card on his Little-Sony.
access-list outside_access_in extended permit ip host whitechief host ***.***.***.***
access-list outside_access_in remark Permit Mark Casada's tower access to the wireless card on his Little-Sony.
access-list outside_access_in extended permit tcp host whitechief host ***.***.***.***
access-list outside_access_in remark Allow arisappdev.ars.usda.gov communication inside the firewall.
access-list outside_access_in extended permit tcp host arisappdev eq 4443 any
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Allows anyone from the 149 range into DJR (for Cispro, primarily)
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark allow 148 to access the Promise box.
access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark Allow DJR External to contact DJR Internal
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Allows anyone from the 149 range into DJR (for Cispro, primarily)
access-list outside_access_in remark Allows anyone from the 149 range into DJR (for Cispro, primarily)
access-list outside_access_in remark Permits 149 range access to DJR (for Cispro)
access-list outside_access_in extended permit ip any 10.100.102.0 255.255.255.0 inactive
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark allow 148 to access the Promise box.
access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark Allow DJR External to contact DJR Internal
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Allows anyone from the 149 range into DJR (for Cispro, primarily)
access-list outside_access_in remark Allows anyone from the 149 range into DJR (for Cispro, primarily)
access-list outside_access_in remark Permits 149 range access to DJR (for Cispro)
access-list outside_access_in extended permit ip any 10.100.104.0 255.255.255.0 inactive
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 148 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark Everyone in ******** 149 range.
access-list outside_access_in remark allow 148 to access the Promise box.
access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark allow 148 to promise box.
access-list outside_access_in remark Allow DJR External to contact DJR Internal
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Everyone in ******** 151 range.
access-list outside_access_in remark Allows anyone from the 149 range into DJR (for Cispro, primarily)
access-list outside_access_in remark Allows anyone from the 149 range into DJR (for Cispro, primarily)
access-list outside_access_in remark Permits 149 range access to DJR (for Cispro)
access-list gmprc_splitTunnelAcl extended permit ip any any
access-list inside_outbound_nat0_acl extended permit ip any host ***.***.***.***
access-list inside_outbound_nat0_acl extended permit ip any 10.100.101.0 255.255.255.128
access-list inside_outbound_nat0_acl extended permit ip any 10.100.101.80 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any host ***.***.***.***
access-list outside_cryptomap_dyn_40 extended permit ip any 10.100.101.80 255.255.255.240
access-list outside_cryptomap_dyn_60 extended permit ip any 10.100.101.80 255.255.255.240
access-list outside_cryptomap extended permit ip any 10.100.101.80 255.255.255.240
access-list inside_access_out remark Allow vpn pool to print in open range
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging trap informational
logging asdm informational
logging host inside 10.100.101.0
logging host outside NPA-Syslog
mtu outside 1500
mtu inside 1500
ip local pool Pool-1 ***.***.***.***
ip local pool Pool-2 ***.***.***.***
ip local pool Pool-3 ***.***.***.***
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp deny any outside
asdm image flash:/flash
asdm history enable
arp timeout 14400
global (outside) 1 ***.***.***.***-***.***.***.***
global (outside) 2 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 2 0.0.0.0 0.0.0.0 dns
static (outside,inside) SharePoint ***.***.149.55 netmask 255.255.255.255 -- works fine
static (inside,outside) ***.***.149.56 Openrange netmask 255.255.255.255 --- having issues here
static (outside,inside) Openrange ***.***.149.56 netmask 255.255.255.255 --- having issues here
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 ***.***.***.*** 1
route inside 10.100.101.1 255.255.255.255 10.100.100.1 1
route inside 10.100.101.6 255.255.255.255 10.100.100.1 1
: end

There's a very, very edited config. I did it quick and easy; if there is something else you need I'll do what I can to edit the config appropriately and post it. Keep in mind that I have done next to none of the config and I barely looked over the running config, aside from what I was worried about.
 

Pheran

Diamond Member
Apr 26, 2001
5,740
35
91
I'm looking at this, but I just wanted to reply first off and say that posting your encrypted password is a bad idea - I would edit that out ASAP.
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
I'm looking at this, but I just wanted to reply first off and say that posting your encrypted password is a bad idea - I would edit that out ASAP.

thanks, I knew I missed a few IPs that I went back and edited out. I thought I got the password...
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
I imagine your problem exists here:

static (inside,outside) ***.***.149.56 Openrange netmask 255.255.255.255

To my knowledge, you don't need that line.
 

Pheran

Diamond Member
Apr 26, 2001
5,740
35
91
I see a few problems. Note that I'm assuming this is running version 7 or higher. Pre-7 PIX versions are ugly beasts and all my comments may not apply.

1. There's no reason you should be trying to define NAT in both directions. A single statement should be sufficient:

static (inside,outside) ***.***.149.56 Openrange netmask 255.255.255.255

2. It's possible that this is an artifact of your editing, but your ACLs look like you are trying to use the internal IP on the outside ACL, which won't work (you need the NAT IP there). In other words, you should have:

access-list outside_access_in extended permit ip any host ***.***.149.56

Let me know if this helps or not.
 

Pheran

Diamond Member
Apr 26, 2001
5,740
35
91
I imagine your problem exists here:

static (inside,outside) ***.***.149.56 Openrange netmask 255.255.255.255

To my knowledge, you don't need that line.

While you are on the right track, you are trying to get him to delete the wrong line. :)
 

Pheran

Diamond Member
Apr 26, 2001
5,740
35
91
I don't have to NAT traffic going out? I'm pretty sure that's what that line does.

A single static statement handles NAT in both directions between two interfaces. The only statement you need is:

static (inside,outside) ***.***.149.56 Openrange netmask 255.255.255.255

Trying to figure out what the extra reversed one will actually do is making my head hurt, but I can promise it will only cause you grief. :)
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
I see a few problems. Note that I'm assuming this is running version 7 or higher. Pre-7 PIX versions are ugly beasts and all my comments may not apply.

1. There's no reason you should be trying to define NAT in both directions. A single statement should be sufficient:

static (inside,outside) ***.***.149.56 Openrange netmask 255.255.255.255

2. It's possible that this is an artifact of your editing, but your ACLs look like you are trying to use the internal IP on the outside ACL, which won't work (you need the NAT IP there). In other words, you should have:

access-list outside_access_in extended permit ip any host ***.***.149.56

Let me know if this helps or not.


Still not working. I think it may have to do with the program we're running. It seems to just open random ports to start the connection, and their tech support is very limited. I installed the program on our SharePoint server, which is accessible from the outside, and was unable to open the program that way. However, it did prompt me to log in to the domain, which leads me to believe that the ACL for that is set up correctly anyway. But I still was unable to get the program to work correctly.

Thanks for taking the time to look over it for me. I really appreciate it.
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
A single static statement handles NAT in both directions between two interfaces. The only statement you need is:

static (inside,outside) ***.***.149.56 Openrange netmask 255.255.255.255

Trying to figure out what the extra reversed one will actually do is making my head hurt, but I can promise it will only cause you grief. :)

That's what I was thinking too, but I copied the way they had the SharePoint set up since it's working correctly from the outside.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Is the app using a separate control channel and data stream like active FTP does? You can use a packet tracer to figure it out, or ask the vendor if you can.
 

Pheran

Diamond Member
Apr 26, 2001
5,740
35
91
Yeah, as Crusty mentioned, I would be firing up Wireshark on the client at this point to see what's going on.
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
Is the app using a separate control channel and data stream like active FTP does? You can use a packet tracer to figure it out, or ask the vendor if you can.

The vendor's tech support is pretty shitty; we have sent them an e-mail, that's their only contact.

Wireshark only showed one connection, but the ports it opened up were random and varied from 3300-3699, though I only watched it for a little while. All they need to do, as far as I can tell, is just download the client from the server each time they want to access it. I guess it's kind of like a remote shortcut. The way it's set up is not all that ideal, but this is the program that they decided to go with; I don't know why there isn't a client and server app.
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
Never mind, someone decided to add an entry to the host file over night... fucking assholes. I think I might actually have this working.
 

Pheran

Diamond Member
Apr 26, 2001
5,740
35
91
Well with some support from the vendor I'm making some progress. I just ran into a question that I'm not sure of the answer to though. If we're NATing the internal IP to a 'real' IP should the ACL going out be for the internal IP or the 'real' IP?

An ACL on the interface facing the server should be using the real IP.
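Pheran's two points in this thread, that a single static handles both directions and that the outside ACL must name the NAT (global) IP while the ACL on the inside-facing interface names the real IP, modelled as an added Python example (not the poster's config or any Cisco code). It assumes the pre-8.3 PIX/ASA ordering of interface ACL first, then NAT, and every address, the "Openrange" real IP included, is a constructed placeholder for the redacted values.

```python
"""Toy model of the PIX/ASA (7.x to 8.2) packet path the thread argues about.
Added example, not the poster's config or Cisco code. On the outside interface
the ACL is checked against the addresses on the wire (the mapped/global IP) and
only a permitted packet is untranslated through the static; on the inside
interface the ACL sees the real IP and translation happens afterwards."""
import ipaddress
from dataclasses import dataclass, replace

OPENRANGE_INSIDE = "10.100.100.60"  # hypothetical real IP of host "Openrange"
OPENRANGE_GLOBAL = "203.0.113.56"   # constructed placeholder for ***.***.149.56
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ldap": 389, "ldaps": 636}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"
    flags: str = ""

class Static:
    """static (inside,outside) <global> <real>: one entry maps both directions,
    so the reversed (outside,inside) twin in the posted config is not needed."""
    def __init__(self, global_ip, real_ip):
        self.global_ip, self.real_ip = global_ip, real_ip
    def untranslate(self, pkt):  # inbound on outside: global -> real
        return replace(pkt, dst=self.real_ip) if pkt.dst == self.global_ip else pkt
    def translate(self, pkt):  # outbound from inside: real -> global
        return replace(pkt, src=self.global_ip) if pkt.src == self.real_ip else pkt

def _addr(t, i):
    """Consume one ACE address spec: 'any' | 'host A.B.C.D' | 'NET MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst, "dport": dport}

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace["src"]
            and ipaddress.ip_address(pkt.dst) in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == pkt.dport))

def deny_log(pkt, iface):
    """Same shape as the ASDM real-time log line quoted in the first post."""
    return (f"Inbound {pkt.proto.upper()} connection denied from {pkt.src}/{pkt.sport} "
            f"to {pkt.dst}/{pkt.dport} flags {pkt.flags} on interface {iface}")

def check(iface, acl, statics, pkt):
    """Return (verdict, log_line, packet_after_nat) for a packet entering iface.
    First matching ACE wins; every ACL ends in an implicit deny."""
    action = next((a["action"] for a in acl if ace_matches(a, pkt)), "deny")
    if action != "permit":
        return "deny", deny_log(pkt, iface), None
    for s in statics:  # NAT is applied only after the interface ACL permits
        pkt = s.untranslate(pkt) if iface == "outside" else s.translate(pkt)
    return "permit", None, pkt

STATICS = [Static(OPENRANGE_GLOBAL, OPENRANGE_INSIDE)]
# outside ACE with the real IP (what the thread suspects) vs the global IP (Pheran's fix)
WRONG_OUTSIDE = [parse_ace(f"access-list outside_access_in extended permit ip any host {OPENRANGE_INSIDE}")]
RIGHT_OUTSIDE = [parse_ace(f"access-list outside_access_in extended permit ip any host {OPENRANGE_GLOBAL}")]
INSIDE_ACL = [parse_ace(f"access-list inside_access_in extended permit ip host {OPENRANGE_INSIDE} any")]
# constructed packets: an outside client's SYN to the public IP, and the server going out
SYN = Packet("198.51.100.7", 3518, OPENRANGE_GLOBAL, 80, "tcp", "SYN")
OUT = Packet(OPENRANGE_INSIDE, 40000, "198.51.100.7", 443, "tcp", "SYN")

if __name__ == "__main__":
    print(check("outside", WRONG_OUTSIDE, STATICS, SYN))  # deny + a log line like the one posted
    print(check("outside", RIGHT_OUTSIDE, STATICS, SYN))  # permit, dst untranslated to the real IP
    print(check("inside", INSIDE_ACL, STATICS, OUT))      # permit, src translated to the global IP
```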