Hot Downloads

altaro-800x140-blue
Welcome, Guest
Username: Password: Remember me

TOPIC: Opening Port Range for Cisco ASA 5505

Opening Port Range for Cisco ASA 5505 5 years 9 months ago #29029

  • jhun
  • jhun's Avatar
  • OFFLINE
  • Senior Member
  • Posts: 356
  • Karma: 0
Hi all,

Just wanted to ask on how to open up a range of ports on the cisco asa? I would like to open up UDP ports 10000-20000

I have found a way and the code is below:

[code:1]
access-list outside_access_in extended permit udp any host 'public ip' range 10000 20000
static (inside, outside) interface 'private ip' 'public ip' netmask 255.255.255.255
access-group outside_access_in in interface outside
[/code:1]

The above code works find, however the 2nd commnad (static(inside,outside)) gives the warning that:

[code:1]
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users will not be able to access any service enabled on the outside interface.
[/code:1]

Since this is the case, it does not allow me to do ssh remotely on the ASA because all traffic are redirected to the private ip address specified which is a different ip used by the ASA.

Are there other ways of doing this?

Tried google and saw a bunch but none was really working.

I do not want to open up each port individually (which requires opening a thousand of them) to make it work the way I intend it to be.

So any suggestions and/or additional information would be very appreciated.

Thanks
The administrator has disabled public write access.

Re: Opening Port Range for Cisco ASA 5505 5 years 9 months ago #29033

  • Smurf
  • Smurf's Avatar
  • OFFLINE
  • Moderator
  • Posts: 1390
  • Karma: 1
The warning is correct, you are redirecting everything received on the external interface (outside) to the internal server. Therefore any services on the Firewall will not work (i.e. SSH, Telnet, SSL, etc...)

The only way around it is if you have multiple Public IP Addresses available to you and then leave the public address thats attached to the external interface and use one of the other free addresses in your public range within the static statement.

Alternataively, you will need to specify the ports.

(the only thing i can think is to setup another static statement and try throwing the traffic fo the single SSH port number back to its internal interface. I have never tried this but it may work ? Unfortunately i dont deal with Cisco kit anymore so i have no way of testing this for you, just thinking out aloud).

I am guessing you need to allow udp ports 10000 - 20000 through for the service you are opening up ? Is there no other way to acheive it ?
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: Opening Port Range for Cisco ASA 5505 5 years 9 months ago #29044

  • S0lo
  • S0lo's Avatar
  • OFFLINE
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
The only way around it is if you have multiple Public IP Addresses available to you and then leave the public address thats attached to the external interface and use one of the other free addresses in your public range within the static statement.
Exactly whats in my mind too. This would be your easiest bet jhun.
(the only thing i can think is to setup another static statement and try throwing the traffic fo the single SSH port number back to its internal interface. I have never tried this but it may work ? Unfortunately i dont deal with Cisco kit anymore so i have no way of testing this for you, just thinking out aloud).
Unfortunately did not work when I tried it. It gives the following error:
[code:1]ERROR: mapped-address conflict with existing static[/code:1]

I though of defining an access list or object-group to map the 10000 to 20000 range but unfortunately the the static command syntax does not accept that for the global-ip global-port fields.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
The administrator has disabled public write access.

Re: Opening Port Range for Cisco ASA 5505 5 years 9 months ago #29046

  • jhun
  • jhun's Avatar
  • OFFLINE
  • Senior Member
  • Posts: 356
  • Karma: 0
Thank you smurf & solo,

How would i go about in defining this on another public ip address.

I do have additional public ip addresses that i could use. any pointers in the command or an example would be appreciated.

Thanks again.
The administrator has disabled public write access.

Re: Opening Port Range for Cisco ASA 5505 5 years 9 months ago #29051

  • S0lo
  • S0lo's Avatar
  • OFFLINE
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
Pretty much the same way you did above with few changes. Remove the "interface" keyword from the static statement and use your additional public IP instead of the outside interface IP in both the access-list and static statements. Like this:

[code:1]access-list outside_access_in extended permit udp any host <public ip> range 10000 20000
static (inside, outside) <public ip> <private ip> netmask 255.255.255.255
access-group outside_access_in in interface outside[/code:1]

Obviously, your outside clients need to access the service using the additional IP.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
The administrator has disabled public write access.

Re: Opening Port Range for Cisco ASA 5505 5 years 9 months ago #29155

  • jhun
  • jhun's Avatar
  • OFFLINE
  • Senior Member
  • Posts: 356
  • Karma: 0
Thanks SOlo,

The commands worked like a charm.
I tried the commands previously and it did not work the first time.Looking at my config again I've seen that I lacked an additional command which was the global (outside) statement for your outside interface to be able to add the additional public ip :D

[code:1]
access-list outside_access_in extended permit udp any host <public ip> range 10000 20000
static (inside,outside) <public ip> <private ip> netmask 255.255.255.255
access-group outside_access_in in interface outside
global (outside) 1 <public ip>
[/code:1]


Thanks again
The administrator has disabled public write access.
Time to create page: 0.072 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup