Solved

Open RPC port on a ASA 5505

Posted on 2008-06-12
5
2,973 Views
Last Modified: 2010-05-05
I am used to configure cisco PIX 501, but one of our customers bought a ASA 5505. The commands are quite similar so I thought that it won't be an issue configuring it.
Unfortunately I can access the internet or RPC from the server, but I can't access the server from the outside. I tried RPC or even port 25 is not responsive.
I am not sure if there is an extra line I need to add for the ASA 5505. I even checked the APDM, and there it shows that the links are down on the outside and inside interface, even if there is some internet traffic. If I check the rules there every thing seems to be fine. Could some one have a look at my configuration and tell me if I am missing something? x.x.x.x is the server address on the outside interface and y.y.y.y is the gateway
thanks
!
ASA Version 7.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit tcp any host x.x.x.x eq 3389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
tatic (inside,outside) tcp x.x.x.x 3389 192.168.150.5 3389 netmask 255.25
5.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.150.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.150.10-192.168.150.41 inside
dhcpd enable inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:36c76ca5be5e7261eb0913fdbc800e2b

Open in new window

0
Comment
Question by:odewulf
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 21778653
What port are you trying to contact the server on?
Looking at the config you have 3389 RDP? is that what you are trying to do?

do this

conf t
no access-list acl_out extended permit tcp any host x.x.x.x eq 3389
no access-list acl_out extended permit icmp any any echo-reply
no access-group acl_out in interface outside
access-list inbound permit tcp any interface outside eq 3389
access-group inbound in interface outside
static (inside,outside) tcp interface 3389 x.x.x.x 3389 netmask 255.255.255.255
write mem

OK now we will sort out icmp.............

policy-map global_policy
class inspection_default
inspect icmp
exit
exit
write mem
clear xlate


now try again :)





0
 

Author Comment

by:odewulf
ID: 21779832
Thanks I am going to try that this afternoon.
I was trying to open a few more ports that just RDP, but for the example RDP was enough. I will do the same for the other port and let you how it goes
thanks again
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21780364
0
 

Author Comment

by:odewulf
ID: 21888283
Thanks again it worked perfectly now. The only issue I still have left is that now the users can't connect using the windows VPN. It is trying to connect but then I get the error 800. I am going to check for that
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 32644361
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question