12.11.2007 at 03:40PM PST, ID: 23017177
Port Forwarding Using Cisco ASA 5500 Series Firewall

Tags: asa, cisco, port, 5500, forwarding
I am working on a project involving a Cisco ASA 5500 appliance.  The client ordered a PIX 506e, but Cisco shipped the ASA.  I have some experience with port forwarding on PIX devices and understand the concept well.

I need to allow SMTP traffic from the internet to an email server located on the internal network.  I also need to allow RDP (port 3389) and a number of ports for a video conferencing setup. The video conferencing has to be bi-directional.

I've included the config from the device below. The external address has been changed for security reasons.  I'd appreciate any help that I can get since the ASA is new to me and the command set is somewhat different from the PIX's. Thanks in advance!!!

: Saved
:
ASA Version 7.2(3) 
!
hostname pfa-stt-fw
domain-name usvipfa.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.168.0.13 pfa-exchange description MS Exchange Server 2003
name 192.168.0.254 ShoreWare description ShoreTel VoIP Manager
name 192.168.0.11 pfa-ad-server description MS Server 2003 - Active Directory
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.101.100 255.255.255.0 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone AST -4
dns server-group DefaultDNS
 domain-name usvipfa.com
access-list 110 extended permit tcp any host 192.168.101.100 eq smtp 
access-list 110 extended permit tcp any host 192.168.101.100 eq h323 log 
access-list 110 extended permit tcp any host 192.168.101.100 range 3230 3234 log 
access-list 110 extended permit udp any host 192.168.101.100 range 3230 3285 log 
access-list 110 extended permit tcp any host 192.168.101.100 range 41794 41795 log 
access-list 110 extended permit udp any host 192.168.101.100 range 41794 41795 log 
access-list 110 extended permit tcp any host 192.168.101.100 eq 3389 log 
access-list PFA-VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.198.0.0 255.255.255.0 
pager lines 24
logging enable
logging buffer-size 10240
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 192.198.0.100-192.198.0.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.0.0 255.255.255.0 inside
icmp permit host 66.248.172.238 outside
icmp deny host 190.58.41.30 outside
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 192.168.101.100 3389 ShoreWare 3389 netmask 255.255.255.255 
static (inside,outside) tcp 192.168.101.100 smtp pfa-exchange smtp netmask 255.255.255.255 
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 66.185.42.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server partnerauth protocol radius
aaa-server partnerauth host pfa-ad-server
 timeout 60
 key pf@USVI02
 radius-common-pw pf@USVI02
http server enable
http 66.208.37.130 255.255.255.255 outside
http 66.248.172.238 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 66.248.172.238 255.255.255.255 outside
telnet 74.8.246.162 255.255.255.255 outside
telnet 66.208.37.130 255.255.255.255 outside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 74.8.246.162 255.255.255.255 outside
ssh 66.208.37.130 255.255.255.255 outside
ssh 66.248.172.238 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.100-192.168.0.130 inside
dhcpd dns 66.185.33.5 66.185.33.2 interface inside
dhcpd wins pfa-ad-server interface inside
dhcpd ping_timeout 1000 interface inside
dhcpd domain usvipfa.com interface inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 192.43.244.18 source outside
ntp server 192.5.41.209 source outside prefer
tftp-server inside pfa-ad-server pfa-asa-5505-config.rtf
group-policy OMNI-VPN internal
group-policy OMNI-VPN attributes
 wins-server value 192.168.0.11
 dns-server value 192.168.0.11
 vpn-tunnel-protocol IPSec 
 default-domain value usvipfa.com
group-policy PFA-VPN internal
group-policy PFA-VPN attributes
 wins-server value 192.168.0.11
 dns-server value 192.168.0.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PFA-VPN_splitTunnelAcl
 default-domain value vpn.usvipfa.com
username tthomas password b1RDIDcuM0Z2mM0f encrypted privilege 15
username rshepherd password jQ5.RTIV3X6Dozyx encrypted privilege 15
username Omni password N/xu2s4ukdplm1MG encrypted privilege 15
username rvigilant password 5OlQlAJBB7kYSFa8 encrypted
tunnel-group PFA-VPN type ipsec-ra
tunnel-group PFA-VPN general-attributes
 address-pool ippool
 authentication-server-group partnerauth
 default-group-policy PFA-VPN
 nac-authentication-server-group partnerauth
 authorization-required
tunnel-group PFA-VPN ipsec-attributes
 pre-shared-key *
tunnel-group OMNI-VPN type ipsec-ra
tunnel-group OMNI-VPN general-attributes
 address-pool ippool
 default-group-policy OMNI-VPN
tunnel-group OMNI-VPN ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:0d923753dcbbf625b21dac2c9f32af11
: end
Question Stats
Zone: Security
Question Asked By: terrytusvi
Solution Provided By: lrmoore
Participating Experts: 2
Solution Grade: A
Views: 276
12.11.2007 at 03:54PM PST, ID: 20454070
I only see a couple of things that I am not certain about.

1. I am not certain that applying an acl against a vlan interface is a good idea especially since you have 3 virtual interfaces defined on the one you are inspecting.

2. Not really related, but you have http access open to the outside, it looks like. If you want to remotely manage the ASA that is fine, but build a VPN to it through your perimeter router; don't open up the ASA to http access.

3. Also not really related to the config but check your default security policy specifically for the inspect rules. This is a bit aggressive in the asa and gave me fits at first.
 
12.11.2007 at 04:23PM PST, ID: 20454201

Rank: Genius

You have to use keyword "interface" in both the acl and the static...

access-list 110 extended permit tcp any interface outside eq <port> | log
static (inside,outside) tcp interface 3389 ShoreWare 3389 netmask 255.255.255.255

<etc>

Accepted Solution
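The accepted answer's point (use the `interface` keyword rather than the outside interface's literal address in both the `static` and the `access-list`) and the first comment's point (management services reachable from the outside interface) are both things a reviewer can check mechanically before the config goes on the box. The following Python checker is an added example, not code from this thread, from Cisco, or from Experts Exchange. It assumes the ASA 7.2-style line formats seen in the posted config (`interface`/`nameif`/`ip address` blocks, `static (real_if,mapped_if) tcp <mapped> <port> <real> <port>`, `access-list ... host <ip>`, and `http|telnet|ssh <addr> <mask> <nameif>`); the embedded sample is a constructed, trimmed-down copy of the posted config and the suggested replacement lines are the checker's own output, so review them before pasting them into a device.

```python
import re

# Constructed sample, trimmed from the config posted in the question. The
# two statics and two ACL entries use the outside interface's own address
# (192.168.101.100) literally, which is the mistake the accepted answer
# points out; one ACL line and one static already use the `interface` keyword.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.101.100 255.255.255.0
!
name 192.168.0.13 pfa-exchange description MS Exchange Server 2003
name 192.168.0.254 ShoreWare description ShoreTel VoIP Manager
access-list 110 extended permit tcp any host 192.168.101.100 eq smtp
access-list 110 extended permit tcp any host 192.168.101.100 eq 3389 log
access-list 110 extended permit tcp any interface outside eq h323 log
static (inside,outside) tcp 192.168.101.100 3389 ShoreWare 3389 netmask 255.255.255.255
static (inside,outside) tcp 192.168.101.100 smtp pfa-exchange smtp netmask 255.255.255.255
static (inside,outside) tcp interface 25 pfa-exchange 25 netmask 255.255.255.255
http server enable
http 192.168.0.0 255.255.255.0 inside
http 66.208.37.130 255.255.255.255 outside
telnet 66.248.172.238 255.255.255.255 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
"""

# static (real_if,mapped_if) tcp|udp <mapped_ip> <mapped_port> <real_ip> <real_port> ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
    r"(?P<proto>tcp|udp) (?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+)"
)


def interface_addresses(config):
    """Map each nameif to the IP configured in its interface block."""
    addrs, nameif, ip = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif, ip = None, None          # new interface block starts
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address "):
            ip = line.split()[2]
        if nameif and ip:
            addrs[nameif] = ip
    return addrs


def check_static_literals(config, addrs):
    """Return (original, suggested) pairs for statics whose mapped address is
    the literal IP of the mapped interface instead of the `interface` keyword."""
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and m["mapped"] == addrs.get(m["mapped_if"]):
            findings.append((line, line.replace(m["mapped"], "interface", 1)))
    return findings


def check_acl_literals(config, addrs):
    """Return (original, suggested) pairs for ACL entries that match on
    `host <interface-ip>` rather than `interface <nameif>`."""
    ip_to_if = {ip: name for name, ip in addrs.items()}
    findings = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        for ip in re.findall(r"host (\d+\.\d+\.\d+\.\d+)", line):
            if ip in ip_to_if:
                fixed = line.replace(f"host {ip}", f"interface {ip_to_if[ip]}", 1)
                findings.append((line, fixed))
    return findings


def management_from_outside(config, outside="outside"):
    """Return (service, source) for http/telnet/ssh entries allowed on the outside nameif."""
    exposed = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] in ("http", "telnet", "ssh") and parts[3] == outside:
            exposed.append((parts[0], parts[1]))
    return exposed


def run_checks(config):
    """Run all checks and return their results keyed by check name."""
    addrs = interface_addresses(config)
    return {
        "interfaces": addrs,
        "static": check_static_literals(config, addrs),
        "acl": check_acl_literals(config, addrs),
        "mgmt_outside": management_from_outside(config),
    }


if __name__ == "__main__":
    report = run_checks(SAMPLE_CONFIG)
    for kind in ("static", "acl"):
        for bad, good in report[kind]:
            print(f"[{kind}] literal interface IP:\n  - {bad}\n  + {good}")
    for svc, src in report["mgmt_outside"]:
        print(f"[mgmt] {svc} permitted from {src} on the outside interface")
```

Run against the sample it reports the two statics and the two `host 192.168.101.100` ACL entries with their `interface outside` replacements, and lists the http and telnet sources allowed on the outside interface; feed it `show running-config` output to check a real device. The interface-IP map is derived from the config itself, so the check keys on whatever address the outside interface actually carries rather than on a hard-coded value.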