Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: ASA 5505 - I need to forward a port correctly

ASA 5505 - I need to forward a port correctly 7 years 3 months ago #30791

I am an IT worker. Our company purchased a cisco asa-5505 a few months ago. Our ISP set it up and everything works fine. Now, I need to open up some ports. Specifically TCP 6882 and TCP 3389 for both incoming and outgoing traffic. I've done it with other firewalls, but nothing this sophisticated. I've read and tried so many different things to get this work correctly to no avail. It really is amazing that anyone on our network can access the Internet at all with all the screwing around i've done. Can anyone gimme a hand or at the very least point me in the right direction. Here is my config:

ASA Version 8.0(4)
!
hostname XXXXXXX
domain-name XXXXXXXX
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 208.40.x.x 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name XXXXXXXXXX
object-group service ut tcp
port-object eq 6882
access-list 100 extended permit tcp any eq 6882 any eq 6882 log disable
access-list 100 extended permit tcp any any eq 1935
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any eq 6882 host 10.0.0.27 eq 6
882 log disable
access-list 101 extended permit tcp any host 10.0.0.27 eq smtp
access-list 101 extended permit udp any host 10.0.0.27 eq dnsix
access-list 101 extended permit tcp any host 10.0.0.27 eq 6882
access-list outside_nat_outbound extended permit tcp 10.0.0.0 255.255.0.0 eq 688
2 any
access-list outside_access_in extended permit tcp any interface outside eq 6882
pager lines 24
logging enable
logging timestamp
logging buffer-size 10000
logging monitor debugging
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 access-list outside_nat_outbound outside
static (inside,outside) tcp interface 6882 10.0.0.27 6882 netmask 255.255.255.25
5
static (inside,outside) tcp interface 3389 10.0.0.27 3389 netmask 255.255.255.25
5
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 208.40.192.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http 10.0.0.0 255.255.0.0 inside
snmp-server host outside 209.166.165.205 community cEprETr3
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.0.0.0 255.255.0.0 inside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd dns x.x.x.x x.x.x.x
dhcpd lease 604800
!
dhcpd address 10.0.0.64-10.0.0.255 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username xxxxxx password xxxxxxx encrypted privilege 15
username xxxxxx password xxxxxxx encrypted privilege 15
username xxxxxx attributes
service-type nas-prompt
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
description TCP 6882
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect im yahoo-msn-block
parameters
match protocol msn-im yahoo-im
drop-connection log
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:381d4b5982c2dc19480fe7a5f8d3a8d2

Thanks in Advance!!
The administrator has disabled public write access.

Re: ASA 5505 - I need to forward a port correctly 7 years 3 months ago #30810

  • S0lo
  • S0lo's Avatar
  • Offline
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
Your Nat/global statements looks OK. First, I'd remove any unnecessary commands.

[code:1]nat (outside) 1 access-list outside_nat_outbound outside
access-list outside_nat_outbound extended permit tcp 10.0.0.0 255.255.0.0 eq 6882 any

access-list 101 extended permit tcp any host 10.0.0.27 eq smtp
access-list 101 extended permit udp any host 10.0.0.27 eq dnsix
access-list 101 extended permit tcp any host 10.0.0.27 eq 6882

access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any eq 6882 host 10.0.0.27 eq 6882 log disable
access-group inside_access_in in interface inside [/code:1]

The first two lines above are doing outside NAT which is not needed as per your requirements. Access list 101 is not used any were so I'd remove it too. Then there is the inside_access_in which is not needed too because by default traffic is allowed to flow from higher to lower security interfaces.

Now, you want to open TCP ports 6882 and 3389 from outside. You need two things, first, static statements that map the ports/IPs. You have already done this correctly by:

[code:1]static (inside,outside) tcp interface 6882 10.0.0.27 6882 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.0.0.27 3389 netmask 255.255.255.255 [/code:1]

Second, you need an access list to allow inbound traffic to flow from outside to inside (because the default is to DENY). You have done this with access list 100 but you need to fix it like this:

[code:1]access-list 100 extended permit tcp any any eq 6882
access-list 100 extended permit tcp any any eq 3389
access-group 100 in interface outside[/code:1]

There is a tweak you can do to the above access list to make it more secure by specifying the exact destination IP. But I'd leave that now.

Thats as far as I know, hope it helps.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
The administrator has disabled public write access.

Re: ASA 5505 - I need to forward a port correctly 7 years 3 months ago #30813

It worked!!! Thank you so much!! I will evenually get the hang of this.
The administrator has disabled public write access.

Re: ASA 5505 - I need to forward a port correctly 7 years 2 months ago #30818

  • S0lo
  • S0lo's Avatar
  • Offline
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
It worked!!! Thank you so much!! I will evenually get the hang of this.

Glad it worked!!. Sure you will handle :)
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
The administrator has disabled public write access.
Time to create page: 0.090 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup