Solved

ASA 5505 Port Forwarding

Posted on 2007-12-01
2
1,019 Views
Last Modified: 2008-07-24
I am trying to set up this ASA 5505 to forward the traffic to the internal server. This config is obviously incorrect but I have not been able to figure out why.
: Saved
: Written by enable_15 at 14:55:20.207 UTC Sat Dec 1 2007
!
ASA Version 7.2(2)
!
hostname XXXXPIX
domain-name XX.local
enable password ** encrypted
names
name 172.16.10.0 VPDN
name 10.10.10.0 XX-KC-Inside
name 76.243.82.194 XX-KC-Outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 68.x.xx.215 255.255.254.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ** encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name XX.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any host 68.x.x.215 eq https
access-list 101 extended permit tcp any host 68.x.x.215 eq 8080
access-list 101 extended permit tcp any host 68.x.x.215 eq www
access-list 101 extended permit tcp any host 68.x.x.215 eq smtp
access-list 101 extended permit tcp any host 68.x.x.215 eq pop3
access-list 101 extended permit tcp any host 68.x.x.215 eq 2525
access-list 101 extended permit tcp any host 68.x.x.214 eq 3389
access-list 101 extended permit tcp any host 68.x.x.214 eq ftp
access-list 101 extended permit tcp any host 68.x.x.215 eq pptp
access-list VPN_ACL_1 extended permit ip 10.1.1.0 255.255.255.0 VPDN 255.255.255.0
access-list VPN_ACL_1 extended permit ip 10.1.1.0 255.255.255.0 XX-KC-Inside 255.255.255.0
access-list crypto_map_1 extended permit ip 10.1.1.0 255.255.255.0 XX-KC-Inside 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 10.1.1.0 255.255.255.0 XX-KC-Inside 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.1.1.0 255.255.255.0 XX-KC-Inside 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.1.1.0 255.255.255.0 inside
icmp permit 10.1.1.0 255.255.255.0 outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 10.1.1.15 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.1.1.15 https netmask 255.255.255.255
static (inside,outside) tcp interface 8080 10.1.1.10 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.1.1.15 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.1.1.15 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 2525 10.1.1.15 2525 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.1.1.20 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.1.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 10.1.1.15 pptp netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 68.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username andgroup password v86IGUyZAtJNWYja encrypted
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
  inspect pptp
  inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context

Question by:andgroup
2 Comments
 
LVL 6

Assisted Solution

by:brasslan
brasslan earned 150 total points
ID: 20389556
I've got the same make/model of ASA and had the same problem...

In the acl I had to replace the outside IP address with 'interface'

ie..

access-list 101 extended permit tcp any host 68.x.x.215 eq 2525
needs to say
access-list 101 extended permit tcp any host interface eq 2525

I think that should fix traffic coming in for 68.x.x.215, but I don't know what to tell you for traffic coming in on 68.x.x.214 since I've only got one IP address available to me.
 
LVL 32

Accepted Solution

by:
rsivanandan earned 350 total points
ID: 20390126
All your access-lists need to be changed to the following; so do this while connected from inside or on console:

no access-list 101

access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any interface outside eq https
access-list 101 extended permit tcp any interface outside eq 8080
access-list 101 extended permit tcp any interface outside eq www
access-list 101 extended permit tcp any interface outside eq smtp
access-list 101 extended permit tcp any interface outside eq pop3
access-list 101 extended permit tcp any interface outside eq 2525
access-list 101 extended permit tcp any interface outside eq pptp

The second ip address is not used anywhere in your config so I have removed that from the access-list as well.

Cheers,
Rajesh
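The mismatch the accepted answer fixes is easy to spot by eye in a short config, but on a box with dozens of statics it helps to check mechanically. The script below is an added example, not part of the original question or either answer: it parses the ASA 7.x-style `interface`, `access-list`, `static` and `access-group` lines, and reports every inbound ACL entry that names the outside address as `host A.B.C.D` while the static doing the forward uses the `interface` keyword (suggesting the `interface outside` form rsivanandan gives), plus any entry that permits traffic to an address/port with no static at all (the 68.x.x.214 lines in the thread). The sample config is constructed from the thread's config with the masked 68.x.x.x addresses replaced by the 203.0.113.0/24 documentation prefix and trimmed to the relevant lines; the parser only understands the `permit tcp any ...` shape of entry used here, and the service-name table is a short subset of what the ASA accepts.

```python
import re

# Service names the ASA accepts in place of port numbers (subset, kept short
# for this example; extend as needed).
PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "https": 443, "pptp": 1723}

# Only the 'permit tcp any <dest> eq <port>' entry shape used in the thread.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit tcp any (?:host (\S+)|interface (\S+)) eq (\S+)$"
)
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

# Constructed sample: the thread's config with 68.x.x.x replaced by the
# documentation prefix 203.0.113.0/24 and trimmed to the relevant lines.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.215 255.255.254.0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any host 203.0.113.215 eq https
access-list 101 extended permit tcp any host 203.0.113.215 eq www
access-list 101 extended permit tcp any host 203.0.113.214 eq 3389
access-list 101 extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface www 10.1.1.15 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.1.1.15 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.1.1.15 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 10.1.1.20 3389 netmask 255.255.255.255
access-group 101 in interface outside
"""


def port_number(token):
    """Map an ASA port token such as 'www' or '8080' to an integer."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_config(text):
    """Collect interface addresses, tcp ACL entries, static PATs and ACL bindings."""
    iface_ip, acl, statics, groups = {}, [], set(), {}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            nameif = None                      # start of a new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            iface_ip[nameif] = line.split()[2]
        elif (m := ACL_RE.match(line)):
            name, host, ifname, port = m.groups()
            acl.append((name, host, ifname, port_number(port), line))
        elif (m := STATIC_RE.match(line)):
            _, _, global_addr, global_port, _, _ = m.groups()
            # global_addr is the literal 'interface' or a mapped IP address
            statics.add((global_addr, port_number(global_port)))
        elif (m := GROUP_RE.match(line)):
            name, ifname = m.groups()
            groups[ifname] = name              # ACL applied inbound on ifname
    return iface_ip, acl, statics, groups


def check_port_forwards(text):
    """Return (acl_line, problem, suggested_line_or_None) for every mismatch."""
    iface_ip, acl, statics, groups = parse_config(text)
    findings = []
    for ifname, acl_name in groups.items():
        for name, host, dest_if, port, line in acl:
            if name != acl_name:
                continue
            if dest_if is not None:
                # Entry already uses the 'interface' keyword; just confirm a static exists.
                if ("interface", port) not in statics:
                    findings.append((line, "no static for this port", None))
                continue
            if host == iface_ip.get(ifname) and ("interface", port) in statics:
                # The thread's fix: the static says 'interface', so the ACL must too.
                fixed = line.replace(f"host {host}", f"interface {ifname}")
                findings.append((line, "static uses 'interface'; ACL names the IP", fixed))
            elif (host, port) not in statics:
                findings.append((line, "no static translation for this host/port", None))
    return findings


if __name__ == "__main__":
    for acl_line, problem, fix in check_port_forwards(SAMPLE_CONFIG):
        print(f"{problem}:\n  {acl_line}" + (f"\n  -> {fix}" if fix else ""))
```

Run against the sample it reports three lines: the `https` and `www` entries get the `interface outside` rewrite, and the 3389 entry for the second address is flagged as having no static behind it, which is the same observation rsivanandan makes about 68.x.x.214. The `smtp` entry, already in the `interface outside` form with a matching static, is silent.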
