Solved

Open RPC port on an ASA 5505

Posted on 2008-06-12
Last Modified: 2010-05-05
I am used to configuring the Cisco PIX 501, but one of our customers bought an ASA 5505. The commands are quite similar, so I thought it wouldn't be an issue configuring it.
Unfortunately I can access the internet or RPC from the server, but I can't access the server from the outside. I tried RPC, and even port 25 is not responsive.
I am not sure if there is an extra line I need to add for the ASA 5505. I even checked the ASDM, and there it shows that the links are down on the outside and inside interfaces, even though there is some internet traffic. If I check the rules there, everything seems to be fine. Could someone have a look at my configuration and tell me if I am missing something? x.x.x.x is the server address on the outside interface and y.y.y.y is the gateway.
Thanks
!
ASA Version 7.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit tcp any host x.x.x.x eq 3389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.x 3389 192.168.150.5 3389 netmask 255.255.255.255
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.150.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.150.10-192.168.150.41 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:36c76ca5be5e7261eb0913fdbc800e2b

Question by: odewulf
Accepted Solution by: Pete Long (earned 500 total points)
What port are you trying to contact the server on?
Looking at the config, you have 3389 (RDP)? Is that what you are trying to do?

Do this:

conf t
no access-list acl_out extended permit tcp any host x.x.x.x eq 3389
no access-list acl_out extended permit icmp any any echo-reply
no access-group acl_out in interface outside
access-list inbound permit tcp any interface outside eq 3389
access-group inbound in interface outside
static (inside,outside) tcp interface 3389 x.x.x.x 3389 netmask 255.255.255.255
write mem

OK, now we will sort out ICMP:

policy-map global_policy
class inspection_default
inspect icmp
exit
exit
write mem
clear xlate


Now try again :)
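As an added check (not part of the question or of Pete Long's answer), the following Python audit encodes what the accepted fix changed: it reads an ASA 7.2-style config and flags a port-forward static whose mapped address is the outside interface IP written literally instead of the `interface` keyword, an ACL entry that names that interface IP with `host`, and any static that no ACL applied inbound on its mapped interface admits. The two config fragments are constructed from this thread, with 203.0.113.10 standing in for x.x.x.x; the function name `audit_asa_pat` is my own.

```python
import re

# Constructed ASA 7.2-style fragments mirroring the question's config and the accepted fix;
# 203.0.113.10 stands in for x.x.x.x (documentation range, not a real host).
BEFORE = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.248
access-list acl_out extended permit tcp any host 203.0.113.10 eq 3389
static (inside,outside) tcp 203.0.113.10 3389 192.168.150.5 3389 netmask 255.255.255.255
access-group acl_out in interface outside
"""
AFTER = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.248
access-list inbound permit tcp any interface outside eq 3389
static (inside,outside) tcp interface 3389 192.168.150.5 3389 netmask 255.255.255.255
access-group inbound in interface outside
"""
STATIC = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) \S+ (?:host (\S+)|interface (\w+)) eq (\d+)")
APPLY = re.compile(r"^access-group (\S+) in interface (\w+)")

def audit_asa_pat(config):
    """Return findings about port-forward statics and the ACL entries that must admit them."""
    lines = config.splitlines()
    ip, name = {}, None                   # nameif -> IP address configured on that interface
    for l in lines:
        w = l.split()
        if w[:1] == ["interface"]: name = None
        elif w[:1] == ["nameif"]: name = w[1]
        elif w[:2] == ["ip", "address"] and name: ip[name] = w[2]
    applied = {m.group(1): m.group(2) for m in map(APPLY.match, lines) if m}
    aces = [m.groups() for m in map(ACE.match, lines) if m]   # (acl, proto, host, ifname, port)
    findings = []
    for m in filter(None, map(STATIC.match, lines)):
        _real_if, mapped_if, proto, mapped, mport, _real, _rport = m.groups()
        if mapped == ip.get(mapped_if):
            findings.append(f"static {proto}/{mport}: mapped address is the {mapped_if} interface IP; use 'interface'")
        # An ACE in the ACL applied inbound on the mapped interface must admit this mapped port.
        admitted = any(applied.get(acl) == mapped_if and p == proto and port == mport and
                       (h == mapped or (i == mapped_if and mapped in ("interface", ip.get(mapped_if))))
                       for acl, p, h, i, port in aces)
        if not admitted:
            findings.append(f"static {proto}/{mport}: no ACL applied inbound on {mapped_if} permits it")
    for acl, p, h, _i, port in aces:
        if h and h == ip.get(applied.get(acl)):
            findings.append(f"ACL {acl} {p}/{port}: 'host {h}' is the {applied[acl]} interface IP; use 'interface {applied[acl]}'")
    return findings
```

Running it on BEFORE reports both the literal interface address in the static and the `host` ACE; AFTER is clean.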
Author Comment by: odewulf
Thanks, I am going to try that this afternoon.
I was trying to open a few more ports than just RDP, but for the example RDP was enough. I will do the same for the other ports and let you know how it goes.
Thanks again
Author Comment by: odewulf
Thanks again, it worked perfectly now. The only issue I still have left is that now the users can't connect using the Windows VPN. It is trying to connect, but then I get error 800. I am going to check on that.