Solved

Port Forward doesn't work

Posted on 2008-10-28
Last Modified: 2008-11-03
I have set up port forwarding on an ASA 5510 but I can't get it to forward the ports. I have tried a lot but it seems like the ASA doesn't pass anything... Please help, it is urgent. This is my current configuration.... I have a web server ready to respond on port 80 (10.0.5.151), but it doesn't seem to get the reply....
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name xxxxx.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.12.234.98 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.150 255.255.255.0
!
interface Ethernet0/2
 nameif DICOM
 security-level 100
 ip address 10.0.5.150 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list remoteuser_splitTunnelAcl standard permit any
access-list dicom_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list dicom_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside-access_in extended permit tcp any eq www host 209.12.234.100 eq www
access-list outside-access_in extended permit tcp any host 209.12.234.100 eq https
access-list outside-access_in extended permit tcp any host 209.12.234.100 eq pptp
access-list outside_cryptomap_20 extended permit ip 10.0.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list remoteworker_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 10 interface
global (DICOM) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DICOM) 0 access-list dicom_nat0_outbound
nat (DICOM) 10 0.0.0.0 0.0.0.0
static (inside,outside) 209.12.234.99 10.0.5.7 netmask 255.255.255.255
static (inside,outside) 209.12.234.100 10.0.5.151 netmask 255.255.255.255
access-group outside-access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.12.234.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
 dns-server value 24.93.41.127 24.93.41.128
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteuser_splitTunnelAcl
 webvpn
group-policy remoteworker internal
group-policy remoteworker attributes
 dns-server value 207.191.50.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteworker_splitTunnelAcl
 webvpn
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
 vpn-group-policy remoteuser
 webvpn
http server enable
http 192.168.5.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 DICOM
http 192.168.1.0 255.255.255.0 management
SNMP agent module is currently busy.  Please retry the 'snmp-server' command at a later time.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 75.19.70.177
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteworker type ipsec-ra
tunnel-group remoteworker general-attributes
 address-pool remoteusers
 default-group-policy remoteworker
tunnel-group remoteworker ipsec-attributes
 pre-shared-key *
tunnel-group 75.19.70.177 type ipsec-l2l
tunnel-group 75.19.70.177 ipsec-attributes
 pre-shared-key *
tunnel-group 75.19.70.177-10LAN type ipsec-l2l
tunnel-group 75.19.70.177-10LAN ipsec-attributes
 pre-shared-key *
telnet 192.168.5.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.20-192.168.5.25 inside
dhcpd address 10.0.5.50-10.0.5.60 DICOM
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 207.191.50.10 207.191.1.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:9f30cea7d700394cd2140cc9077fb7d3
: end

Question by:hmassertech
5 Comments

Assisted Solution

by:clearacid
clearacid earned 20 total points
ID: 22829675
Line 42: access-list outside-access_in extended permit tcp any eq www host 209.12.234.100 eq www

try:

access-list outside-access_in extended permit tcp any host 209.12.234.100 eq www

basically dropping the source port as port 80 and only looking for destination port 80.

Source ports change, really the destination port is what you are looking at.
Author Comment

by:hmassertech
ID: 22831570
Thanks for the suggestion, I tried it but it didn't work... I get the same result.... If I use a port scanner (web) against the .100 IP I get no response from port 80... I tried several computers (servers) to rule out a server issue but I get the same response.... no dice.... Any other ideas?

When I go to http://www.t1shopper.com/tools/port-scanner/ for example, I put in the IP address that I want to check (.100), select port 80 and hit scan, and I get the following result:

Scanning ports on 209.12.234.100
209.12.234.100 isn't responding on port 80 (http).

Please help.

Assisted Solution

by:bornskir
bornskir earned 20 total points
ID: 22832169
I think it's your NAT statements, more specifically your GLOBAL statements.  All of your GLOBAL statements have the pool ID of 10.  So when something on the inside tries to get out, based on your NAT statements, it tries to use pool 10 from the Global.  It's probably trying to respond back to the HTTP requests using an internal, non-routable IP address.

Try removing the two lines:

global (inside) 10 interface
global (DICOM) 10 interface

Or at least change them to:

global (inside) 11 interface
global (DICOM) 12 interface

Another option might also be to create another static statement for the outbound connection, such as:

static (outside,inside) 10.0.5.151 209.12.234.100 netmask 255.255.255.255

Author Comment

by:hmassertech
ID: 22832940
Bornskir, I tried both of your suggestions but I get the same error... By the way, the reason why I have
global (inside) 10 interface
global (DICOM) 10 interface
is because I need to route traffic between inside and DICOM and that was the only way that I got it to work....

Any more ideas? Thanks for your help
Accepted Solution

by:
hmassertech earned 0 total points
ID: 22834621
I found what my issue was: the server I want to publish is on my DICOM LAN, but my static statement was on the inside...

I had static (inside,outside) and I needed static (DICOM,outside)....

I knew it was something simple... Thanks a lot everybody for your help...
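Both mistakes discussed in this thread (the source-port qualifier in clearacid's comment and the wrong real interface in the accepted answer) are mechanical enough to catch before loading a config. The following checker is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the posted ASA 7.0 config and reports a static whose real host does not sit on the subnet of the interface named as the real side, and any inbound ACE that pins the client's source port.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the question (not the full running-config).
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.5.150 255.255.255.0
interface Ethernet0/2
 nameif DICOM
 ip address 10.0.5.150 255.255.255.0
access-list outside-access_in extended permit tcp any eq www host 209.12.234.100 eq www
access-list outside-access_in extended permit tcp any host 209.12.234.100 eq https
static (inside,outside) 209.12.234.100 10.0.5.151 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
# An ACE whose source ('any', 'host X' or 'net mask') is directly followed by 'eq <port>'.
SRC_PORT_RE = re.compile(r"^access-list (\S+) extended permit (?:tcp|udp) (?:any|host \S+|\S+ \S+) eq (\S+) ")


def interface_subnets(config):
    """Map each nameif to the IPv4 network configured on that interface."""
    nets, name = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*ip address (\S+) (\S+)", line)
        if m and name:
            nets[name] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            name = None
    return nets


def check_statics(config):
    """Report statics whose real host is not on the interface named as the real side."""
    nets, findings = interface_subnets(config), []
    for m in filter(None, (STATIC_RE.match(ln.strip()) for ln in config.splitlines())):
        real_if, _mapped_if, mapped_ip, real_ip = m.groups()
        host = ipaddress.ip_address(real_ip)
        if host not in nets.get(real_if, ()):  # unknown nameif also counts as a miss
            owner = next((n for n, net in nets.items() if host in net), "no interface")
            findings.append(f"static for {mapped_ip}: real host {real_ip} is on '{owner}', not '{real_if}'")
    return findings


def check_source_ports(config):
    """Report inbound ACEs that pin the client's source port; real clients use ephemeral ports."""
    return [f"{m.group(1)}: source port 'eq {m.group(2)}' will block normal clients"
            for m in (SRC_PORT_RE.match(ln.strip()) for ln in config.splitlines()) if m]
```

Running it on the excerpt flags the inside/DICOM mismatch for 209.12.234.100 and the `any eq www` source qualifier; applying the thread's two fixes clears both findings.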