TOPIC: Help with opening ports on ASA 5510

Hello,

We just got a Cisco ASA 5510 and I need to open some ports to my internal servers. I have set up a lab to try and figure this out before putting this into production. I have had no luck getting anything working. I have tried access rules allowing all ip traffic from outside to the inside server address with no luck.

This is what I have so far. Any help would be great.

[edited by Smurf to remove the passwords]

ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ************* encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 67.x.x.77 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any eq 3389 host 67.x.x.77 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 67.x.x.77 3389 10.10.10.10 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02


timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00


timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.10.10.0 255.255.255.0 inside
http 192.168.1.0 255.255
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart


telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:cf21165024e8b909cad9f13020b98c50
: end
ciscoasa#

I have been looking everywere and trying different things. Anyone see anything I am doing wrong?

Hi,

Everything seems to be fine as far as the configuration is concerned. I am sure you can access the server through RDP behind the firewall i.e. from the inside.

the command;

access-list outside_access_in extended permit tcp any eq 3389 host 67.x.x.77 eq 3389

try it like this first;

access-list outside_access_in extended permit tcp any host 67.x.x.77 eq 3389

and also in your translation try and remove the tcp ports.

If that works put fine you can add on the security. I have a similar setup running but with multiple DMZs.

Once this is sorted out try and change the defult port of RDP or terminal services.

hope this helps.

Thanks for the reply, I will try that and get back with you

Hi,

Everything seems to be fine as far as the configuration is concerned. I am sure you can access the server through RDP behind the firewall i.e. from the inside.

the command;

access-list outside_access_in extended permit tcp any eq 3389 host 67.x.x.77 eq 3389

try it like this first;

access-list outside_access_in extended permit tcp any host 67.x.x.77 eq 3389

This is correct since the line that you have added is specifying that the traffic is also coming from port 3389, this is not usually the case as the sending machine will generally us a dynamic high order port to initiate its communication on so you need to sepcify the source of the traffic coming from any port.

Well spotted, i missed that first look over.

and also in your translation try and remove the tcp ports.

If that works put fine you can add on the security. I have a similar setup running but with multiple DMZs.

Once this is sorted out try and change the defult port of RDP or terminal services.

hope this helps.

I would not remove the ports on the static translation. This is because you are using PAT on the external interface. The static translation if used without ports will usually setup a permanent 1 to 1 static IP mapping between a single inside ip address and a single outside ip address. Since you only have the single outside ip address then it may cause some issues with other hosts trying to communicate. It isn't something i have tested to confirm it, its something i may end up testing when i have a free min.

Cheers

the command;

access-list outside_access_in extended permit tcp any eq 3389 host 67.x.x.77 eq 3389

try it like this first;

access-list outside_access_in extended permit tcp any host 67.x.x.77 eq 3389

Works great now, Thanks for the help.

you are most welcome