Firewall.cx Newsletter

Receive Free notification on new articles!
***************

Firewall.cx Forums

Community Forums

Facebook Fans

Show your support for Firewall.cx!

Social Media Channels

Facebook-icon LinkedIn-icon Twitter-icon  rssfeed-icon
advert-banner-routing
advert-banner-voice

System Login



Login With Facebook

Who's Online

We have 222 guests online

Statistics

Members : 5863
Content : 790
Web Links : 12
Content View Hits : 102222191

Top Website Visitors

37.4%United States United States
16.8%India India
7.4%United Kingdom United Kingdom
5.7%Australia Australia
4.3%Canada Canada
3.4%Germany Germany

Today: 4168
Yesterday: 8602
This Week: 36759
Last Week: 46096
This Month: 114168
Last Month: 240364
Total: 3374892

Gold Cisco Lab Partners

logo-gfi



logo-datavision

Best Rated Content

Welcome, Guest
Username Password: Remember me
Forgot your password? Forgot your username? Create an account
Reply Topic
New Topic

TOPIC: Opening Port Range for Cisco ASA 5505

Opening Port Range for Cisco ASA 5505 4 years, 3 months ago #29029

  • jhun
  • ( User )
  • OFFLINE
  • Senior Member
  • Posts: 356
  • Karma: 0
Hi all,

Just wanted to ask on how to open up a range of ports on the cisco asa? I would like to open up UDP ports 10000-20000

I have found a way and the code is below:

access-list outside_access_in extended permit udp any host 'public ip' range 10000 20000
static (inside, outside) interface 'private ip' 'public ip' netmask 255.255.255.255
access-group outside_access_in in interface outside


The above code works find, however the 2nd commnad (static(inside,outside)) gives the warning that:

WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users will not be able to access any service enabled on the outside interface.


Since this is the case, it does not allow me to do ssh remotely on the ASA because all traffic are redirected to the private ip address specified which is a different ip used by the ASA.

Are there other ways of doing this?

Tried google and saw a bunch but none was really working.

I do not want to open up each port individually (which requires opening a thousand of them) to make it work the way I intend it to be.

So any suggestions and/or additional information would be very appreciated.

Thanks
ReplyQuote

Re: Opening Port Range for Cisco ASA 5505 4 years, 3 months ago #29033

  • Smurf
  • ( Moderator )
  • OFFLINE
  • Moderator
  • Posts: 1305
  • Karma: 1
The warning is correct, you are redirecting everything received on the external interface (outside) to the internal server. Therefore any services on the Firewall will not work (i.e. SSH, Telnet, SSL, etc...)

The only way around it is if you have multiple Public IP Addresses available to you and then leave the public address thats attached to the external interface and use one of the other free addresses in your public range within the static statement.

Alternataively, you will need to specify the ports.

(the only thing i can think is to setup another static statement and try throwing the traffic fo the single SSH port number back to its internal interface. I have never tried this but it may work ? Unfortunately i dont deal with Cisco kit anymore so i have no way of testing this for you, just thinking out aloud).

I am guessing you need to allow udp ports 10000 - 20000 through for the service you are opening up ? Is there no other way to acheive it ?
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
ReplyQuote

Re: Opening Port Range for Cisco ASA 5505 4 years, 3 months ago #29044

  • S0lo
  • ( Moderator )
  • OFFLINE
  • Moderator
  • Posts: 1541
  • Karma: 3
The only way around it is if you have multiple Public IP Addresses available to you and then leave the public address thats attached to the external interface and use one of the other free addresses in your public range within the static statement.

Exactly whats in my mind too. This would be your easiest bet jhun.

(the only thing i can think is to setup another static statement and try throwing the traffic fo the single SSH port number back to its internal interface. I have never tried this but it may work ? Unfortunately i dont deal with Cisco kit anymore so i have no way of testing this for you, just thinking out aloud).

Unfortunately did not work when I tried it. It gives the following error:
ERROR: mapped-address conflict with existing static


I though of defining an access list or object-group to map the 10000 to 20000 range but unfortunately the the static command syntax does not accept that for the global-ip global-port fields.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
ReplyQuote

Re: Opening Port Range for Cisco ASA 5505 4 years, 3 months ago #29046

  • jhun
  • ( User )
  • OFFLINE
  • Senior Member
  • Posts: 356
  • Karma: 0
Thank you smurf & solo,

How would i go about in defining this on another public ip address.

I do have additional public ip addresses that i could use. any pointers in the command or an example would be appreciated.

Thanks again.
ReplyQuote

Re: Opening Port Range for Cisco ASA 5505 4 years, 3 months ago #29051

  • S0lo
  • ( Moderator )
  • OFFLINE
  • Moderator
  • Posts: 1541
  • Karma: 3
Pretty much the same way you did above with few changes. Remove the "interface" keyword from the static statement and use your additional public IP instead of the outside interface IP in both the access-list and static statements. Like this:

access-list outside_access_in extended permit udp any host <public ip> range 10000 20000
static (inside, outside) <public ip> <private ip> netmask 255.255.255.255
access-group outside_access_in in interface outside


Obviously, your outside clients need to access the service using the additional IP.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
ReplyQuote

Re: Opening Port Range for Cisco ASA 5505 4 years, 3 months ago #29155

  • jhun
  • ( User )
  • OFFLINE
  • Senior Member
  • Posts: 356
  • Karma: 0
Thanks SOlo,

The commands worked like a charm.
I tried the commands previously and it did not work the first time.Looking at my config again I've seen that I lacked an additional command which was the global (outside) statement for your outside interface to be able to add the additional public ip 

access-list outside_access_in extended permit udp any host <public ip> range 10000 20000
static (inside,outside) <public ip> <private ip> netmask 255.255.255.255
access-group outside_access_in in interface outside
global (outside) 1 <public ip>



Thanks again
ReplyQuote
Reply Topic
New Topic
Firewall.cx Forums
Networking, Security & Administration
Firewall Filtering, IDS/IPS & Security
Powered by Kunena
Time to create page: 0.54 seconds
Subscribe To Receive Free Article Updates!