TOPIC: ASA 5505 "portforward" problem. Port 80 works but

ASA 5505 "portforward" problem. Port 80 works but 6 years 8 months ago #34105

  • Linus
Hello.
I've got a new ASA 5505 firewall, and I'm trying to set up what we newbies call port forwarding.
I have managed to set up some port forwarding that works (http, smtp and www).
Now I'm trying to set up a new forwarding with port 6112, and it does not work.
It seems like when I'm setting up new services that are not built in, it does not work. What am I missing?

BR
Linus

Here is a post of my running config.

ASA Version 8.0(2)

interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd XXXX.XXXX encrypted
boot system disk0:/asa802-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.3
name-server XXX.67.199.39
name-server XXX.67.199.40
domain-name XXXX.XXXX
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service EAGamesTCP tcp
description EA
port-object eq 13505
port-object eq 18121
port-object eq 18126
object-group service EAGamesUDP udp
description EA
port-object eq 18126
access-list XXXGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.224
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015 inactive
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit tcp any interface outside eq 27016 inactive
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit udp any interface outside eq 27016 inactive
access-list outside_access_in extended permit tcp any interface outside eq 46353 inactive
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit tcp any interface outside eq 6112 inactive
access-list outside_access_in extended permit tcp any interface outside eq www inactive
access-list outside_access_in extended permit tcp any interface outside eq 18121 inactive
access-list outside_access_in extended permit tcp any interface outside eq 18126 inactive
access-list outside_access_in extended permit tcp any interface outside eq 13505 inactive
access-list outside_access_in extended permit udp any interface outside eq 18126 inactive
access-list outside_access_in extended permit udp any interface outside object-group EAGamesUDP inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP
access-list outside_access_in extended permit udp any interface outside object-group EAGamesUDP


global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.1.22 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.22 https netmask 255.255.255.255
static (inside,outside) tcp interface 46353 192.168.1.31 46353 netmask 255.255.255.255
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 27015 10.10.10.14 27015 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 27016 10.10.10.14 27016 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface www 10.10.10.11 www netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 18121 10.10.10.11 18121 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 18126 10.10.10.11 18126 netmask 255.255.255.255 dns
static (dmz,outside) udp interface 18126 10.10.10.11 18126 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 13505 10.10.10.11 13505 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside


class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp

asdm image disk0:/asdm-602.bin
no asdm history enable

Re: ASA 5505 "portforward" problem. Port 80 works but 6 years 8 months ago #34108

  • r0nni3
[code:1]access-list outside_access_in extended permit tcp any interface outside eq 6112 inactive [/code:1]

Try removing the inactive at the end ;)
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
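
The check suggested in the reply above, generalized into a config audit (an added example, not part of the original posts): for every `static` port forward, it reports whether `outside_access_in` holds an active permit for that protocol and port, only `inactive` ones, or none, resolving the `object-group` references used in the posted config. The sample config is a constructed subset modelled on the dump above; the function and status names are hypothetical, and the parser assumes the `any interface outside` ACE form shown on this page.

```python
NAMED_PORTS = {"smtp": 25, "https": 443, "www": 80}  # port keywords used in the post
# Constructed sample: a subset modelled on the posted config, not the full dump.
SAMPLE_CONFIG = """\
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service EAGamesTCP tcp
 port-object eq 13505
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015
access-list outside_access_in extended permit tcp any interface outside eq 6112 inactive
access-list outside_access_in extended permit tcp any interface outside eq 13505 inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP
static (inside,outside) tcp interface smtp 192.168.1.22 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 27015 10.10.10.14 27015 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 13505 10.10.10.11 13505 netmask 255.255.255.255 dns
static (dmz,outside) udp interface 18126 10.10.10.11 18126 netmask 255.255.255.255 dns
"""

def port(tok):
    return NAMED_PORTS.get(tok) or int(tok)

def audit(config, acl="outside_access_in"):
    """Map each static PAT (proto, outside port) to its ACL coverage on `acl`."""
    groups, current, aces, statics = {}, None, [], []
    for line in config.splitlines():
        w = line.split() or [""]
        if w[0] == "object-group":              # object-group <type> <name> ...
            current = groups.setdefault(w[2], set())
        elif w[0] == "protocol-object" and current is not None:
            current.add(w[1])
        elif w[:2] == ["port-object", "eq"] and current is not None:
            current.add(port(w[2]))
        elif w[0] == "access-list" and w[1] == acl and w[2:4] == ["extended", "permit"]:
            active = w[-1] != "inactive"        # inactive ACEs stay in the config but never match
            body = w[4:] if active else w[4:-1]
            protos = groups[body[1]] if body[0] == "object-group" else {body[0]}
            tail = body[-2:]                    # "eq PORT" or "object-group NAME"
            ports = {port(tail[1])} if tail[0] == "eq" else groups[tail[1]]
            aces.append((protos, ports, active))
        elif w[0] == "static" and w[2] in ("tcp", "udp") and w[3] == "interface":
            statics.append((w[2], port(w[4])))
    report = {}
    for proto, p in statics:
        hits = [a for pr, ps, a in aces if proto in pr and p in ps]
        report[(proto, p)] = "permitted" if any(hits) else "inactive-only" if hits else "no-acl"
    return report
```

Calling `audit(SAMPLE_CONFIG)` flags tcp/6112 as `inactive-only`, while tcp/13505 counts as `permitted` because the active `EAGamesTCP` group entry covers it even though its individual entry is inactive.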

LOL, well that is not the problem. 6 years 8 months ago #34109

  • Linus
Sorry about the dump, the correct values from running are enabled.
:oops:

I did disable them just before doing this post, and that's why you see the dump with wrong values.

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.224
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit tcp any interface outside eq 27016
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit udp any interface outside eq 27016
access-list outside_access_in extended permit tcp any interface outside eq 46353
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit tcp any interface outside eq 6112
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 18121
access-list outside_access_in extended permit tcp any interface outside eq 18126
access-list outside_access_in extended permit tcp any interface outside eq 13505
access-list outside_access_in extended permit udp any interface outside eq 18126
access-list outside_access_in extended permit udp any interface outside object-group EAGamesUDP inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP

Re: ASA 5505 "portforward" problem. Port 80 works but 6 years 8 months ago #34110

  • r0nni3
Could you connect from the outside with that port number and then type the following commands and paste the output here?

[code:1] show xlate[/code:1]

and

[code:1] show access-list outside_access_in[/code:1]

newbee 6 years 8 months ago #34111

  • Linus
Hmm, as I said I'm a newbie, how do I connect from outside on a specific port and run a command, are there any good test tools out there?

I have only used port test sites on the internet.

Or do you mean try to connect with test sites, and then run the commands on the command line on the ASA?

BR
Linus

Re: ASA 5505 "portforward" problem. Port 80 works but 6 years 8 months ago #34112

  • r0nni3
From a PC on the outside network (internet) you could just telnet to the external IP address with a specified port.

[code:1]telnet 1.1.1.1 6112[/code:1]
*edit* Telnet from a Windows machine: go to Start -> Run -> type cmd -> hit Enter. Then you can use telnet (not on Vista or Windows 7 though).

If you PM me your IP I'll try it for you if you have no other options.