Solved

need help Modify Cisco ASA5505 Config

Posted on 2007-11-20
Last Modified: 2008-02-01
We just got this recently.
I am unable to ping or do tracert to any IP/host name outside from the internal LAN; I can ping the public interface of the router from outside.

I would like to be able to ping and do tracert from the inside LAN, and I added a rule from the ASDM, but it doesn't seem to be working.

Also, I would like to add one more NAT to an IM server we have internally and only open an SSL port 5523 to it.
It will be for a public address 200.199.198.26 to inside address 10.1.1.155.

I added this rule but I still can't get the IM client to connect:

access-list pmt_out2IN extended permit udp any host 200.199.198.26
access-list pmt_out2IN extended permit tcp any host 200.199.198.26

and a static NAT:

static (inside,outside) 200.199.198.26 10.1.1.155 netmask 255.255.255.255  

I am able to ping it fine, but connecting on port 5523 fails and I can't even telnet to it.

The config is below; thanks for the help in advance.

===================================================================================
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name company.local
enable password XXXXXXXXXXXXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.215 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.199.198.18 255.255.255.252
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server XXX.120.XXX.166            ///// Valid Address from ISP, do I really need this ?
 name-server XXX.120.XXX.167            ///// Valid Address from ISP, do I really need this ?
 domain-name geneva.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list pmt_out2IN extended permit tcp any host 200.199.198.27 eq 3389
access-list pmt_out2IN extended permit tcp any host 200.199.198.27 eq smtp
access-list pmt_out2IN extended permit tcp any host 200.199.198.27 eq https
access-list pmt_out2IN extended permit tcp any host 200.199.198.25 eq pptp
access-list pmt_out2IN extended permit gre any host 200.199.198.25
access-list pmt_out2IN extended permit tcp any host 200.199.198.25 eq 3389
access-list pmt_out2IN extended permit icmp any host 200.199.198.27
access-list pmt_out2IN extended permit icmp any host 200.199.198.25
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 200.199.198.25 10.1.1.133 netmask 255.255.255.255
static (inside,outside) 200.199.198.27 10.1.1.137 netmask 255.255.255.255
access-group pmt_out2IN in interface outside
route outside 0.0.0.0 0.0.0.0 200.199.198.17 1        ////This is the gateway of the ISP is this correct ?
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 inside
http 200.199.198.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh XXX.168.XXX.213 255.255.255.255 outside          
ssh XXX.253.XXX.135 255.255.255.255 outside
ssh timeout 5
console timeout 33
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 71.13.91.122 source outside
prompt hostname context
Cryptochecksum:5638d48abb9128c995976622b84628e0
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
===================================================================================
Question by: z969307

14 Comments

Accepted Solution
by: batry_boy
ID: 20322836
To allow pings and traceroute traffic from internal to the outside, add the following statements:

access-list pmt_out2IN extended permit icmp any any echo-reply
access-list pmt_out2IN extended permit icmp any any unreachable
access-list pmt_out2IN extended permit icmp any any time-exceeded

To open TCP 5523 inbound to that server whose public NAT is 200.199.198.26, add this line:

access-list pmt_out2IN extended permit tcp any host 200.199.198.26 eq 5523


Author Comment
by: z969307
ID: 20323429
Great, thanks a lot!

Pings and traceroute traffic from internal to the outside is working fine!

I did this: access-list pmt_out2IN extended permit tcp any host 200.199.198.26 eq 5523
and I can telnet into that port, but I cannot launch my IM program from outside.
Do I have to open up anything else? It is Jabber.

Expert Comment
by: batry_boy
ID: 20323491
Don't know anything about it... did a lookup on it and saw this related to it:

"...the Internet Assigned Numbers Authority (IANA) has officially assigned ports 5222 and 5269 for use by Jabber
services. They are now included in the port numbers list, with 5222 registered for Jabber client connections and 5269 for Jabber server connections."

I have no idea about your implementation...since you set up your own server, are you using those ports?

Author Comment
by: z969307
ID: 20323512
Yes, those are the ports, so being able to telnet into it confirms that it is open, right?
I wonder if I need to open up more ports; I'll try to figure this out. Thanks much for your help.
We are all done.

Expert Comment
by: batry_boy
ID: 20323574
That's correct...being able to telnet to it confirms that the port is open through the firewall.

Author Comment
by: z969307
ID: 20323795
I am getting a deny TCP in syslog:

syslog id     Source IP     Destination IP         Description
106015     67.x.x.100    200.199.198.26     Deny TCP (no connection) from 67.x.x.100/15247 to  200.199.198.215/5223 flags RST ACK on interface outside.

Would you know what this means? Do I have to open up any other ports?

Do you think it's possible I didn't set up the static NAT properly? But I am able to telnet, and I also added a permit ICMP rule and that responds back!

Author Comment
by: z969307
ID: 20323861
I also looked at other syslog traffic, and for the other 2 NATs I have, the destination IP shows the LAN internal IP address, so I'm not sure if I have this configured properly for translation?

Expert Comment
by: batry_boy
ID: 20323938
Your syslog output references 200.199.198.215/5223 as the destination IP and port.  That is not an IP address that is configured in the firewall to allow any inbound traffic...are you sure your IM client is set up properly or do you have the correct IP address set up with the static NAT?

Author Comment
by: z969307
ID: 20324664
Sorry, my bad, that is supposed to be the public address of the IM server, 200.199.198.26, the one you showed me to add a static route for.

I retried and got the same message in syslog:

"Deny TCP (no connection) from 78.x.x.116/63833 to 200.199.198.26/5223 flags RST ACK on interface outside"
So what do you think this means?

Expert Comment
by: batry_boy
ID: 20325506
Well, it shows that you are trying to send traffic inbound on port TCP 5223 and that port is not configured in the firewall to be allowed through.  I suppose you need to add a statement such as below and try again:

access-list pmt_out2IN extended permit tcp any host 200.199.198.26 eq 5223
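A small triage helper for the 106015 lines quoted in this thread, added here as an example and not part of the original discussion: it parses the ACEs from the posted config and one syslog line, then reports whether any active ACE covers the denied destination/port and whether the dropped packet lacked a SYN (ASA logs 106015 for packets that have no connection-table entry, so a RST ACK drop was never an ACL lookup). The ACL text is constructed from the thread's second show run, and the port-name map is an assumption limited to the names that appear in it.

```python
import re

# Constructed input: the ACEs from the thread's second "show run" (one inactive).
ACL_TEXT = """
access-list pmt_out2IN extended permit tcp any host 200.199.198.27 eq smtp
access-list pmt_out2IN extended permit icmp any host 200.199.198.26
access-list pmt_out2IN extended permit icmp any host 200.199.198.25 inactive
access-list pmt_out2IN extended permit tcp any host 200.199.198.26 eq 5223
access-list pmt_out2IN extended permit udp any host 200.199.198.26 eq 5223
access-list pmt_out2IN extended permit tcp any host 200.199.198.26 eq 5222
"""
PORT_NAMES = {"smtp": 25, "https": 443, "pptp": 1723}  # names ASA prints in this ACL

ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>\S+) any host "
    r"(?P<dst>\S+)(?: eq (?P<port>\S+))?(?P<inactive> inactive)?$"
)
# Message 106015: a packet with no entry in the connection table was dropped.
DENY_RE = re.compile(
    r"Deny (?P<proto>TCP|UDP) \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to\s+(?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\w+)"
)

def parse_acl(text):
    """Return the active ACEs as (proto, dst_host, dst_port_or_None) tuples."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group("inactive"):
            continue
        port = m.group("port")
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        aces.append((m.group("proto"), m.group("dst"), port))
    return aces

def ace_covers(aces, proto, dst, dport):
    """True if some ACE permits proto to dst on dport (a port of None = all ports)."""
    return any(p == proto and d == dst and pt in (None, dport) for p, d, pt in aces)

def triage(acl_text, syslog_line):
    """Classify one 106015 line: does an ACE cover it, and was it out of state?"""
    m = DENY_RE.search(syslog_line)
    if m is None:
        return None
    proto, dst, dport = m["proto"].lower(), m["dst"], int(m["dport"])
    flags = m["flags"].split()
    return {
        "proto": proto, "dst": dst, "dport": dport, "flags": flags,
        # Without SYN the packet cannot open a connection, so no ACL lookup occurred.
        "out_of_state": "SYN" not in flags,
        "ace_covers": ace_covers(parse_acl(acl_text), proto, dst, dport),
    }
```

Run against the two lines quoted above: the first reports no ACE for 200.199.198.215, the second reports an ACE for 200.199.198.26/5223 but still flags the packet as out of state.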

Author Comment
by: z969307
ID: 20328151
I tried adding it; the statement already exists. This is the result:

Result of the command: "access-list pmt_out2IN extended permit tcp any host 200.199.198.26 eq 5223"  WARNING: <pmt_out2IN> found duplicate element.

I am inserting a fresh show run from this morning; maybe you can see if there is anything else that is missing.

====================================================================
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name company.local
enable password xxxxxxxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.215 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.199.198.18 255.255.255.252
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server xxxxxxxxxxxxxxxxx.166
 name-server xxxxxxxxxxxxxxxxx.162
 domain-name company.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list pmt_out2IN extended permit tcp any host 200.199.198.27 eq 3389
access-list pmt_out2IN extended permit tcp any host 200.199.198.27 eq smtp
access-list pmt_out2IN extended permit tcp any host 200.199.198.27 eq https
access-list pmt_out2IN extended permit tcp any host 200.199.198.25 eq pptp
access-list pmt_out2IN extended permit gre any host 200.199.198.25
access-list pmt_out2IN extended permit tcp any host 200.199.198.25 eq 3389
access-list pmt_out2IN extended permit icmp any host 200.199.198.26
access-list pmt_out2IN extended permit icmp any host 200.199.198.25 inactive
access-list pmt_out2IN extended permit icmp any any echo-reply
access-list pmt_out2IN extended permit icmp any any unreachable
access-list pmt_out2IN extended permit icmp any any time-exceeded
access-list pmt_out2IN extended permit tcp any host 200.199.198.26 eq 5223
access-list pmt_out2IN extended permit udp any host 200.199.198.26 eq 5223
access-list pmt_out2IN extended permit tcp any host 200.199.198.26 eq 5222
access-list geneva_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.1.1.144 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool company_Inside 10.1.1.150-10.1.1.154 mask 255.255.255.224
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 200.199.198.25 10.1.1.133 netmask 255.255.255.255
static (inside,outside) 200.199.198.26 10.1.1.155 netmask 255.255.255.255
static (inside,outside) 200.199.198.27 10.1.1.137 netmask 255.255.255.255
access-group pmt_out2IN in interface outside
route outside 0.0.0.0 0.0.0.0 200.199.198.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 5
ssh xxxxxxxxxxxxxx 255.255.255.255 outside
ssh xxxxxxxxxxxxxx 255.255.255.255 outside
ssh xxxxxxxxxxxxxx 255.255.255.255 outside
ssh timeout 5
console timeout 33
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 71.13.91.122 source outside
group-policy geneva internal
group-policy geneva attributes
 wins-server value 10.1.1.133 10.1.1.135
 dns-server value 10.1.1.133 10.1.1.135
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value geneva_splitTunnelAcl
 default-domain value geneva.local
username superman password xxxxxxxxxxxxxxxxxx encrypted privilege 10
username superman attributes
 vpn-group-policy company
tunnel-group geneva type ipsec-ra
tunnel-group geneva general-attributes
 address-pool company_Inside
 default-group-policy company
tunnel-group company ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

====================================================================

Author Comment
by: z969307
ID: 20330088
4      Nov 21 2007      12:56:56      450001      208.116.221.26             Deny traffic for protocol 6 src outside:67.xxx.xxx.83/27571 dst inside:2000.199.198.26/5222, licensed host limit of 10 exceeded.

I think this might be the problem. Is there a way to reduce the limit by turning off some other connection? I just want to test this and not have to go out and get a license if it doesn't work out.

Expert Comment
by: batry_boy
ID: 20334371
Ah, you have a 10 user ASA license...that would be an issue!  If you issue the "show version" command, it probably says "Inside hosts: 10".  Cisco enforces a 10 IP address limit in the ASA's translation table.  When it sees 10 IP addresses from the inside network in its translation table, it will not allow any new inside IP addresses to establish connections.

Just for testing, you can issue the "clear xlate" command which will get rid of your dynamic translations, but your static ones will always be there until you remove their corresponding static commands from your config.

Author Comment
by: z969307
ID: 20335441
Thanks BB. I actually ended up calling Cisco tech on this as I am just really puzzled. I also can see how many licenses are being used by doing a show local-host ip; it tells you how many are in use, and after hours yesterday I took it down to only 5 licenses being used and was still getting the same issue. The Cisco guy mentioned a few things and will troubleshoot further on Monday; he said too much noise on the line, and duplex might be mismatched, and a couple of other things, so I am not really sure. I think I have to look at the IM server settings also eventually, but I have no issues within the LAN connecting to it; it's just from outside that this issue is happening.