Solved

ASA 5505 Port Forwarding

Posted on 2008-10-18
Last Modified: 2013-11-29
Hi,

I have an ASA 5505 and need to forward port 21 from a public address on the outside to a server inside the network. I can do this in 5 minutes on a SonicWall but am having problems with this, even after help from EE! This ASA is doing nothing else except acting as a gateway for a few hosts on the network. There is a Sonic on the network that is acting as the gateway for the majority of the network. Yes, there are 2 ISPs. Please help!!!
Question by:progonosko
LVL 3

Expert Comment

by:leonjs
ID: 22749564
Show the running config. Also, what is in front of the firewall?

Author Comment

by:progonosko
ID: 22749916
There is an ADTRAN in front of the firewall.

Here is the config:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password
passwd
names
name 192.168.1.241 FTPserver
name x.x.x.38 outsideip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outsideip 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host FTPserver eq ftp
access-list outside_access_in extended permit tcp any host FTPserver eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.37 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c498acae6dfcac8a880c470bdec4aa19
: end

LVL 3

Expert Comment

by:leonjs
ID: 22749926
Where does the NAT take place?
LVL 3

Expert Comment

by:leonjs
ID: 22749956
I see the access list allowing traffic to come to the FTP server, which means inside the network the FTP server probably works, but I don't see anything indicating a PAT or static NAT for the FTP server with an outside address. Although you do have an inside global static policy, that won't apply for PAT. Try this command:
static (inside,outside) tcp interface ftp 192.168.5.5 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.5.5 ftp-data netmask 255.255.255.255

where 192.168.5.5 is the ftp server inside address

Those 2 statements will take any traffic destined for the outside interface IP on port 21/20 and forward it to the inside IP of 192.168.5.5 (whatever the FTP server IP is).

Author Comment

by:progonosko
ID: 22750191
Still not working. Here is the message that I now see in the log:

4    Oct 18 2008    15:51:51    106023    xxx.xxx.xxx.189    outsideip     Deny tcp src outside:xxx.xxx.xxx.189/6983 dst inside:outsideip/21 by access-group "outside_access_in" [0x0, 0x0]

Here's the config:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password encrypted
passwd encrypted
names
name 192.168.1.241 FTPserver
name x.x.x.38 outsideip
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address outsideip 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host FTPserver eq ftp
access-list outside_access_in extended permit tcp any host FTPserver eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp FTPserver ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data FTPserver ftp-data netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.37 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end

LVL 3

Accepted Solution

by:leonjs (earned 250 total points)
ID: 22750221
In addition to the 2 statements in the access-list you have now, add the 2 extra that I indicated. Won't work without them.

access-list outside_access_in extended permit tcp any host FTPserver eq ftp
access-list outside_access_in extended permit tcp any host FTPserver eq ftp-data

Add these 2

access-list outside_access_in extended permit tcp any host ?.?.?.? eq ftp
access-list outside_access_in extended permit tcp any host ?.?.?.? eq ftp-data

WHERE this - ?.?.?.? equals the outside IP address that will be associated with the FTP server
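As an added illustration, not code from the thread, from Cisco or from leonjs: a small audit of a pre-8.3 ASA configuration that walks each `static (inside,outside) tcp` entry and checks whether the ACL bound inbound on the mapped interface permits the mapped (global) address, which is what the deny message above is really complaining about, and that emits the access-list lines leonjs asks for when it does not. The `audit_static_pat` function, the sample config and the 203.0.113.38 placeholder for the thread's x.x.x.38 are assumptions of this example.

```python
import re

# Constructed sample, modelled on the thread: pre-8.3 ASA, static PAT to FTPserver, and an
# outside ACL that names the REAL host. 203.0.113.38 is a placeholder for the thread's x.x.x.38.
SAMPLE_CONFIG = """
name 192.168.1.241 FTPserver
name 203.0.113.38 outsideip
access-list outside_access_in extended permit tcp any host FTPserver eq ftp
access-list outside_access_in extended permit tcp any host FTPserver eq ftp-data
static (inside,outside) tcp interface ftp FTPserver ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data FTPserver ftp-data netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")
PORTS = {"ftp": "21", "ftp-data": "20"}  # service keywords seen in this thread

def audit_static_pat(config, outside_if_addr):
    """One finding per static PAT. Pre-8.3 ASA matches the inbound ACL on the MAPPED (global)
    address, so a permit naming the real inside host never matches; report it and the fix."""
    names, acls, groups, statics = {}, {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m[2]] = m[1]
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], set()).add((m[2], m[3]))
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())

    def resolve(tok):  # the "interface" keyword means the mapped interface's own address
        tok = outside_if_addr if tok == "interface" else tok
        return names.get(tok, tok)

    findings = []
    for _real_if, map_if, gaddr, gport, raddr, rport in statics:
        acl = groups.get(map_if)
        permitted = {(resolve(d), PORTS.get(p, p)) for d, p in acls.get(acl, set())}
        g, r = resolve(gaddr), resolve(raddr)
        ok = (g, PORTS.get(gport, gport)) in permitted
        findings.append({"mapped": f"{g}/{gport}", "real": f"{r}/{rport}", "permitted": ok,
                         # the thread's exact mistake: the ACL names the real host, not the mapped one
                         "real_addr_in_acl": (r, PORTS.get(rport, rport)) in permitted,
                         "fix": None if ok else f"access-list {acl} extended permit tcp any host {g} eq {gport}"})
    return findings
```

Running it on the sample reports both PAT entries as unpermitted with the real address present in the ACL, and the two `fix` lines are the ones the accepted answer adds; appending them and re-running yields no findings.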

Author Comment

by:progonosko
ID: 22750250
Still not working, BUT - now I can see the connection being built. Here is a clip from the log:

6 Oct 18 2008 16:25:52 302013 xxx.xxx.xxx.xxx FTPserver Built inbound TCP connection 1414 for outside:x.x.x.189/7327 (x.x.x.189/7327) to inside:FTPserver/21 (outsideip/21)
LVL 3

Expert Comment

by:leonjs
ID: 22750311
What FTP client are you using to test this? I always recommend
FileZilla. http://filezilla-project.org/download.php
In the configuration, make sure "fall back to active mode" is selected.

Could you post the logs from that client that show the connection failing?
Also, can you telnet to the FTP server's inside address from the inside network on port 21?
Can you telnet to the FTP server's outside address from a remote location on port 21?


Author Comment

by:progonosko
ID: 22750412
BulletProof FTP, which worked fine before the ASA was installed. It was formerly only protected by a router on the front end with a static map. I can telnet and FTP to this machine internally. I really think that the message below from just a few minutes ago shows that the ASA is denying the traffic.

4    Oct 18 2008    17:32:11    106023    x.x.x.189    x.x.x.38     Deny tcp src outside:x.x.x.189/1287 dst inside:xxx.xxx.xxx.38/21 by access-group "outside_access_in" [0x0, 0x0]

Author Comment

by:progonosko
ID: 22750721
I resolved this by adding rules for any host to access the outside IP address on ports 20 & 21.

Author Closing Comment

by:progonosko
ID: 31507465
Thank you, leonjs.