
Solved

ASA 5505 Port Forwarding

Posted on 2008-10-18
11
Medium Priority
755 Views
Last Modified: 2013-11-29
Hi,

I have an ASA 5505 and need to forward port 21 from a public address on the outside to a server inside the network. I can do this in 5 minutes on a SonicWall but am having problems with this, even after help from EE! This ASA is doing nothing else except acting as a gateway for a few hosts on the network. There is a Sonic on the network that is acting as the gateway for the majority of the network. Yes, there are 2 ISPs. Please help!!!
0
Question by:progonosko
11 Comments
 
LVL 3

Expert Comment

by:leonjs
ID: 22749564
Show the running config. Also, what is in front of the firewall?
0
 

Author Comment

by:progonosko
ID: 22749916
There is an ADTRAN in front of the firewall.

Here is the config:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password
passwd
names
name 192.168.1.241 FTPserver
name x.x.x.38 outsideip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outsideip 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host FTPserver eq ftp
access-list outside_access_in extended permit tcp any host FTPserver eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.37 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c498acae6dfcac8a880c470bdec4aa19
: end

0
 
LVL 3

Expert Comment

by:leonjs
ID: 22749926
Where does the NAT take place?
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22749956
I see the access list allowing traffic to come to the FTP server, which means inside the network the FTP server probably works, but I don't see anything indicating a PAT or static NAT for the FTP server with an outside address. Although you do have an inside global static policy, that won't apply for PAT. Try these commands:
static (inside,outside) tcp interface ftp 192.168.5.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.5.5 ftp-data netmask 255.255.255.255

where 192.168.5.5 is the FTP server inside address.

Those 2 statements will take any traffic destined for the outside interface IP on port 21/20 and forward it to the inside IP of 192.168.5.5 (whatever the FTP server IP is).
0
 

Author Comment

by:progonosko
ID: 22750191
Still not working. Here is the message that I now see in the log:

4    Oct 18 2008    15:51:51    106023    xxx.xxx.xxx.189    outsideip     Deny tcp src outside:xxx.xxx.xxx.189/6983 dst inside:outsideip/21 by access-group "outside_access_in" [0x0, 0x0]

Here's the config:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password encrypted
passwd encrypted
names
name 192.168.1.241 FTPserver
name x.x.x.38 outsideip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outsideip 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host FTPserver eq ftp
access-list outside_access_in extended permit tcp any host FTPserver eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp FTPserver ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data FTPserver ftp-data netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.37 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end

0
 
LVL 3

Accepted Solution

by: leonjs (earned 750 total points)
ID: 22750221
In addition to the 2 statements in the access-list you have now, add the 2 extra that I indicated. Won't work without them.

access-list outside_access_in extended permit tcp any host FTPserver eq ftp
access-list outside_access_in extended permit tcp any host FTPserver eq ftp-data

Add these 2

access-list outside_access_in extended permit tcp any host ?.?.?.? eq ftp
access-list outside_access_in extended permit tcp any host ?.?.?.? eq ftp-data

where ?.?.?.? equals the outside IP address that will be associated with the FTP server.
0
 

Author Comment

by:progonosko
ID: 22750250
Still not working, BUT - now I can see the connection being built. Here is a clip from the log:

6 Oct 18 2008 16:25:52 302013 xxx.xxx.xxx.xxx FTPserver Built inbound TCP connection 1414 for outside:x.x.x.189/7327 (x.x.x.189/7327) to inside:FTPserver/21 (outsideip/21)
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22750311
What FTP client are you using to test this? I always recommend
FileZilla. http://filezilla-project.org/download.php
In the configuration, make sure "fall back to active mode" is selected.

Could you post the logs from that client that show the connection failing?
Also, can you telnet to the FTP server inside address from the inside network on port 21?
Can you telnet to the FTP server outside address from a remote location on port 21?

0
 

Author Comment

by:progonosko
ID: 22750412
Bullet Proof FTP, which worked fine before the ASA was installed. It was formerly only protected by a router on the front end with a static map. I can telnet and FTP to this machine internally. I really think that the message below, from just a few minutes ago, shows that the ASA is denying the traffic.

4    Oct 18 2008    17:32:11    106023    x.x.x.189    x.x.x.38     Deny tcp src outside:x.x.x.189/1287 dst inside:xxx.xxx.xxx.38/21 by access-group "outside_access_in" [0x0, 0x0]
0
 

Author Comment

by:progonosko
ID: 22750721
I resolved this by adding rules for any host to access the outside IP address on ports 20 & 21.
0
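The fix the accepted solution describes and the author confirms above can be checked mechanically. What follows is an added example, not code from this thread and not Cisco code: a small Python lint for the pre-8.3 ASA pattern in play here. On ASA 7.x/8.2 the inbound interface ACL is evaluated against the mapped (pre-NAT) address, so the original permits on FTPserver could never match traffic arriving for the outside interface address, which is exactly what the 106023 deny lines show. The script parses the NAT- and ACL-relevant lines of the posted config (sample input constructed from the page; the FTPserver and outsideip aliases and the masked x.x.x.38 address are the page's own), reports every static PAT whose mapped address/port has no inbound permit, emits the missing access-list lines, and correlates the author's 106023 log line with the ACL it names. The regexes cover only the command forms that appear on this page.

```python
import re

# Constructed sample input: the NAT/ACL-relevant lines of the second "sh run"
# posted above.  'FTPserver' and 'outsideip' are the page's own name aliases;
# x.x.x.38 is the masked public address exactly as the page shows it.
SAMPLE_CONFIG = """\
name 192.168.1.241 FTPserver
name x.x.x.38 outsideip
interface Vlan2
 nameif outside
 ip address outsideip 255.255.255.252
access-list outside_access_in extended permit tcp any host FTPserver eq ftp
access-list outside_access_in extended permit tcp any host FTPserver eq ftp-data
static (inside,outside) tcp interface ftp FTPserver ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data FTPserver ftp-data netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# The %ASA-4-106023 deny the author posted after the statics were added.
SAMPLE_DENY = ('4 Oct 18 2008 15:51:51 106023 xxx.xxx.xxx.189 outsideip Deny tcp '
               'src outside:xxx.xxx.xxx.189/6983 dst inside:outsideip/21 '
               'by access-group "outside_access_in" [0x0, 0x0]')

SERVICE_PORTS = {"ftp": 21, "ftp-data": 20}      # only the names this page uses
PORT_NAMES = {v: k for k, v in SERVICE_PORTS.items()}

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
NAMEIF_RE = re.compile(r"^ nameif (\w+)$")
IPADDR_RE = re.compile(r"^ ip address (\S+) \S+$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
DENY_RE = re.compile(r'106023 .*Deny \w+ src \w+:\S+/\d+ dst \w+:(\S+)/(\d+) '
                     r'by access-group "(\S+)"')


def port_number(tok):
    """'ftp' / 'ftp-data' / '21' -> integer port."""
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]


def resolve(cfg, tok):
    """Replace a 'name' alias with its address; pass real addresses through."""
    return cfg["names"].get(tok, tok)


def parse_config(text):
    """Collect names, interface addresses, ACL permits, statics and
    access-groups (only the pre-8.3 forms that appear on this page)."""
    cfg = {"names": {}, "iface_ip": {}, "acls": {}, "statics": [], "groups": {}}
    nameif = None
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            cfg["names"][m.group(2)] = m.group(1)
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
        elif m := IPADDR_RE.match(line):
            cfg["iface_ip"][nameif] = m.group(1)
        elif m := ACL_RE.match(line):
            acl, host, port = m.groups()
            cfg["acls"].setdefault(acl, set()).add((resolve(cfg, host), port_number(port)))
        elif m := STATIC_RE.match(line):
            cfg["statics"].append(m.groups())
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(2)] = m.group(1)
    return cfg


def missing_acl_permits(cfg):
    """Statics whose MAPPED (outside) address/port is not permitted by the ACL
    bound inbound on the mapped interface.  ASA 7.x/8.2 evaluates the interface
    ACL against the pre-NAT (mapped) address, so a permit on the real inside
    address alone, as in the first config above, never matches inbound traffic."""
    missing = []
    for _real_if, mapped_if, m_addr, m_port, _r_addr, _r_port in cfg["statics"]:
        if m_addr == "interface":          # 'tcp interface ftp ...' = PAT on the interface IP
            m_addr = cfg["iface_ip"][mapped_if]
        m_ip, port = resolve(cfg, m_addr), port_number(m_port)
        acl = cfg["groups"].get(mapped_if)
        if (m_ip, port) not in cfg["acls"].get(acl, set()):
            missing.append((acl, m_ip, port))
    return missing


def suggested_acl_lines(cfg):
    """The extra access-list lines the accepted answer asks for, one per gap."""
    return ["access-list %s extended permit tcp any host %s eq %s"
            % (acl, ip, PORT_NAMES.get(port, port))
            for acl, ip, port in missing_acl_permits(cfg)]


def explain_deny(cfg, line):
    """Correlate a 106023 deny with the config: the ACL it names, the resolved
    destination, and whether that ACL currently permits it."""
    m = DENY_RE.search(line)
    if not m:
        return None
    dst, dport, acl = m.groups()
    dst_ip, port = resolve(cfg, dst), int(dport)
    return {"acl": acl, "dst": dst_ip, "port": port,
            "permitted": (dst_ip, port) in cfg["acls"].get(acl, set())}


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for acl, ip, port in missing_acl_permits(cfg):
        print("ACL %s has no permit for mapped %s/%d" % (acl, ip, port))
    for fix in suggested_acl_lines(cfg):
        print("add:", fix)
    print(explain_deny(cfg, SAMPLE_DENY))
    fixed = parse_config(SAMPLE_CONFIG + "\n".join(suggested_acl_lines(cfg)) + "\n")
    print("after fix, missing permits:", missing_acl_permits(fixed))
```

Run against the posted config it reports both statics (x.x.x.38 on 21 and 20) as unpermitted, prints the two access-list lines the accepted answer calls for, and shows the 106023 line's destination resolving to the same mapped address the ACL lacks. Once those lines are appended, the check comes back empty and the deny no longer correlates, matching the 302013 "Built inbound TCP connection" message the author saw afterward. Note that this check is specific to the 7.x/8.2 syntax on this page: from ASA 8.3 onward the interface ACL is evaluated against the real (inside) address instead, so the original permits on FTPserver would have been the correct ones there.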
 

Author Closing Comment

by:progonosko
ID: 31507465
Thank you, leonjs.
0
