We just got a Cisco ASA 5510 and I need to open some ports to my internal servers. I have set up a lab to try and figure this out before putting this into production. I have had no luck getting anything working. I have tried access rules allowing all ip traffic from outside to the inside server address with no luck.
This is what I have so far. Any help would be great.
[edited by Smurf to remove the passwords]
ASA Version 7.0(6)
enable password ************* encrypted
ip address 67.x.x.77 255.255.255.0
ip address 10.10.10.1 255.255.255.0
no ip address
no ip address
ip address 192.168.1.1 255.255.255.0
ftp mode passive
access-list outside_access_in extended permit tcp any eq 3389 host 67.x.x.77 eq 3389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm506.bin
no asdm history enable
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 67.x.x.77 3389 10.10.10.10 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
access-list outside_access_in extended permit tcp any host 67.x.x.77 eq 3389
This is correct, since the line that you have added is specifying that the traffic is also coming from port 3389. This is not usually the case, as the sending machine will generally use a dynamic high-order port to initiate its communication, so you need to specify the source of the traffic as coming from any port.
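As an added illustration of the point above (this is not code from the thread or from Cisco): a small parser for the subset of ASA `access-list ... extended` syntax used in this thread, with a check that flags a permit rule which pins the client's source port. The two sample lines are the ones posted above; the `67.x.x.77` placeholder is kept as the thread shows it.

```python
"""Added example, not from the original post: parse ASA extended ACEs and flag a
rule that restricts the *source* port, the mistake discussed in the thread.
Only the syntax subset used here (any / host A.B.C.D / A.B.C.D MASK, eq/gt/lt/neq/range)
is handled."""
import re

ANY_PORT = "any"

# The two access-list lines from the thread (copied, not constructed).
ACE_WITH_SOURCE_PORT = "access-list outside_access_in extended permit tcp any eq 3389 host 67.x.x.77 eq 3389"
ACE_CORRECTED = "access-list outside_access_in extended permit tcp any host 67.x.x.77 eq 3389"


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0) + "/32"
    mask = tokens.pop(0)
    return f"{tok} {mask}"


def _take_port(tokens):
    """Consume an optional port operator; return 'any' when the next token is not one."""
    if not tokens:
        return ANY_PORT
    op = tokens[0]
    if op in ("eq", "gt", "lt", "neq"):
        tokens.pop(0)
        return f"{op} {tokens.pop(0)}"
    if op == "range":
        tokens.pop(0)
        return f"range {tokens.pop(0)} {tokens.pop(0)}"
    return ANY_PORT


def parse_acl(line):
    """Split an extended ACE into name, action, protocol, source/destination and their ports."""
    m = re.match(r"access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$", line.strip())
    if not m:
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto, rest = m.groups()
    tokens = rest.split()
    src = _take_address(tokens)
    # Port operators only exist for tcp/udp; for other protocols the next token is the destination.
    src_port = _take_port(tokens) if proto in ("tcp", "udp") else ANY_PORT
    dst = _take_address(tokens)
    dst_port = _take_port(tokens) if proto in ("tcp", "udp") else ANY_PORT
    return {"name": name, "action": action, "proto": proto,
            "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port}


def check_source_port(line):
    """Return a finding when a permit rule pins the source port, else None.

    Clients choose an ephemeral source port for each connection, so an inbound
    rule that also requires a specific source port will almost never match."""
    ace = parse_acl(line)
    if ace["action"] == "permit" and ace["src_port"] != ANY_PORT:
        return (f"{ace['name']}: source port is '{ace['src_port']}', but clients use an "
                f"ephemeral source port; normal inbound {ace['proto']} connections will not match")
    return None


if __name__ == "__main__":
    for ace in (ACE_WITH_SOURCE_PORT, ACE_CORRECTED):
        print(ace)
        print("  ->", check_source_port(ace) or "ok: source port unrestricted")
```

Run it as a script and it reports the first line as broken and the corrected line as fine; the same parser can be pointed at a full `show running-config` export to pick out any other rule with the same problem.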
Well spotted, I missed that on first look over.
And also, in your translation, try and remove the tcp ports.
If that works out fine, you can add on the security. I have a similar setup running but with multiple DMZs.
Once this is sorted out, try and change the default port of RDP or terminal services.
Hope this helps.
I would not remove the ports on the static translation. This is because you are using PAT on the external interface. The static translation, if used without ports, will usually set up a permanent 1-to-1 static IP mapping between a single inside IP address and a single outside IP address. Since you only have the single outside IP address, it may cause some issues with other hosts trying to communicate. It isn't something I have tested to confirm; it's something I may end up testing when I have a free minute.