Solved

Cisco ASA550 Port Forwarding not working

Posted on 2008-06-15
23
562 Views
Last Modified: 2011-10-19
I have configured a new Cisco 5510 security appliance.  I am able to browse the internet, but none of my internal services are accessible from the outside. Using the CLI I setup the static NAT (inside,outside) entries with the service ports, and used the access-list outside_access_in command to configure the access rules.  I have attached the complete running-config.  
config.TXT
0
Comment
Question by:s_pulsifer
  • 12
  • 10
23 Comments
 
LVL 23

Expert Comment

by:debuggerau
ID: 21790142
you seem to be missing the access list for the incoming requests, try this for example for the smtp server..
access-list inside_access_in extended permit ip host 64.173.193.242 any
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21794019
You need to apply the "ouside_access_in" ACL to the outside interface. Use the following command.

access-group outside_access_in in interface outside
0
 

Author Comment

by:s_pulsifer
ID: 21794034
Thx. Will try both this evening after hours and update as to the results.
0
 

Author Comment

by:s_pulsifer
ID: 21799160
With the access-group outside_access_in in interface outised, I am able to RDP into .243 and .244 but none of the other port forwards are working.  Http, Https, telnet, ssh, smtp.  Any ideas?  
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21799300
Well, the configuration is correct to open and forward those ports, just like 3389 the other ones should work. Are the internal hosts listening on the forwarded ports? Can you telnet to the opened ports (telnet x.x.x.x port_num) from the internet?

As long as an access-list allowed the traffic in and a static command maps it to an internal host the traffic should be forwarded. You can check that the mapping's are active using the "show xlate" command, and you can check to see if the access-lists see any activity using the "show access-list" command, you should see hits on the various access-lists.

Also, typically when using the IP of the global (outside) interface in a static command you would use the word interface instead of the IP. This is just semantics though, should work in its current form.

static (inside,outside) tcp interface www 10.1.1.47 www netmask 255.255.255.255
instead of
static (inside,outside) tcp 64.173.193.242 www 10.1.1.47 www netmask 255.255.255.255
0
 

Author Comment

by:s_pulsifer
ID: 21799350
I am unable to telnet to any of the open ports from the outside.  With the original firewall in place, I can telnet to the ports, so I know that they are listening on the inside.  As a test, I changed one of the static NAT statements and the corresponding access-list for port 3389 on .242 to port 3389 on .245.  Once this change was made, I was able to access it from the outside.  The show xlate shows the correct translations.  It seems the problem exists with the NAT and access statements which use the .242 address with different port numbers.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21804029
Have you change your static mapping that use the ip of your outside interface as listed in my previous post?
0
 

Author Comment

by:s_pulsifer
ID: 21804205
I did try that with the same results - was unable to access through the firewall.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21809581
So specifically, only Port mappings using the external IP of .242 are not working, correct?

Ensure all of the static statement referencing .242 are changed to:
static (inside,outside) tcp interface port x.x.x.x port netmask 255.255.255.255

Then run the "clear xlate" command.

When complete, post your new config and a copy of the output received from the "show xlate" command. We will see what we can discover from that information.
0
 

Author Comment

by:s_pulsifer
ID: 21814211
Will do - all of the changes have been made and will be testing tonight after hours.
0
 

Author Comment

by:s_pulsifer
ID: 21818935
Changes worked with the exception of one port/service.  I have an sftp server in the dmz, but the port forward for ssh is not working.  The show xlate looks correct, but I am not sure of the acl.  I tried adding a second access-group but it over-wrote the first access group which I need for the other port forwards.  Attached is the info you requested.
Cisco.TXT
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 6

Expert Comment

by:raptorjb007
ID: 21828145
The new config file is a bit scambled. However based on your old one the only thing I can see is your nat index for the global and nat statements do not match for the DMZ interface, thus NAT is not properly applied to the DMZ subnet.

Change:
global (dmz) 50 interface
nat (inside) 10 0.0.0.0 0.0.0.0

To:
global (dmz) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
0
 

Author Comment

by:s_pulsifer
ID: 21842164
no go on the above - I am still unable to access the dmz.  I changed the security level to match the outside interface in an attempt to get it working, but that did not help either.  A cleaner config with xlate is attached.
Cisco.txt
0
 
LVL 6

Accepted Solution

by:
raptorjb007 earned 500 total points
ID: 21874604
I would suggest that all your interfaces have different security levels. Specifically, interfaces with the same security level cannot communicate with each other. Perhaps set dmz to 50.

=====================

Also, I think I made a typo in my previous comment regarding the nat statements.
Change:
global (outside) 10 interface
global (dmz) 10 interface
nat (inside) 0 access-list RENO
nat (inside) 10 0.0.0.0 0.0.0.0

to:
global (outside) 10 interface
no global (dmz) 10 interface
nat (inside) 0 access-list RENO
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0

This will apply Nat to the dmz interface using the global address set with the outside interface.

=======================

You should also add a line to you "outside_access_in" ACL to allow ssh traffic in if the destingation is 64.173.193.243. You may also want to get rid of the dmz ACL as it may interfere with traffic.

access-list outside_access_in extended permit tcp any host 64.173.193.243 eq ssh
no access-list outside_access_dmz extended permit tcp any host 64.173.193.243 eq ssh
no access-group outside_access_dmz in interface dmz

=======================

Let me know if that works.
0
 

Author Comment

by:s_pulsifer
ID: 21879623
Will try the above and let you know.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21884249
Any luck?
0
 

Author Comment

by:s_pulsifer
ID: 21909888
Sorry - out of the office.  Will try it tonight and let you know.
0
 

Author Comment

by:s_pulsifer
ID: 21912886
Made the above changes and still no luck accessing the DMZ from outside.  Any other suggestions?
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21913075
be sure to type "clear xlate" to clear the translation table.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21913083
I was able to establish a ssh session with 64.173.193.243.
0
 

Author Comment

by:s_pulsifer
ID: 21917857
You would have been able to connect via SSH because I rolled back to the original firewall.  I need to get all services up and running on the Cisco before retiring the old firewall, which is why I can only test after hours.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21919039
Can you report you most recent config, the result of the "show xlate" command, and the result of the "show route" commands.

Also can you use the packet tracer command and post the results. Replace x.x.x.x with a valid external IP address, any internet address should work, preferably the IP you are using to test access to ssh with. This will show me where the traffic is being dropped.

 packet-tracer input outside tcp x.x.x.x ssh 64.173.193.243 ssh
0
 

Author Comment

by:s_pulsifer
ID: 21944631
That did the trick - Windows firewall was causing the extra problem.  Thx for your help.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now