Solved

Port Forward doesn't work

Posted on 2008-10-28
Last Modified: 2008-11-03
I have set up port forwarding on an ASA 5510 but I can't get it to forward the ports. I have tried much but it seems like the ASA doesn't pass anything... Please help, this is urgent. This is my current configuration.... I have a web server ready to respond on port 80 (10.0.5.151), but it doesn't seem to get the reply....
: Saved
:
ASA Version 7.0(8) 
!
hostname ciscoasa
domain-name xxxxx.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.12.234.98 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.150 255.255.255.0 
!
interface Ethernet0/2
 nameif DICOM
 security-level 100
 ip address 10.0.5.150 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.0.5.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list remoteuser_splitTunnelAcl standard permit any 
access-list dicom_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list dicom_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list outside-access_in extended permit tcp any eq www host 209.12.234.100 eq www 
access-list outside-access_in extended permit tcp any host 209.12.234.100 eq https 
access-list outside-access_in extended permit tcp any host 209.12.234.100 eq pptp 
access-list outside_cryptomap_20 extended permit ip 10.0.5.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list remoteworker_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 10 interface
global (DICOM) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DICOM) 0 access-list dicom_nat0_outbound
nat (DICOM) 10 0.0.0.0 0.0.0.0
static (inside,outside) 209.12.234.99 10.0.5.7 netmask 255.255.255.255 
static (inside,outside) 209.12.234.100 10.0.5.151 netmask 255.255.255.255 
access-group outside-access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.12.234.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
 dns-server value 24.93.41.127 24.93.41.128
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteuser_splitTunnelAcl
 webvpn
group-policy remoteworker internal
group-policy remoteworker attributes
 dns-server value 207.191.50.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteworker_splitTunnelAcl
 webvpn
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
 vpn-group-policy remoteuser
 webvpn
http server enable
http 192.168.5.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 DICOM
http 192.168.1.0 255.255.255.0 management
SNMP agent module is currently busy.  Please retry the 'snmp-server' command at a later time.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 75.19.70.177 
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteworker type ipsec-ra
tunnel-group remoteworker general-attributes
 address-pool remoteusers
 default-group-policy remoteworker
tunnel-group remoteworker ipsec-attributes
 pre-shared-key *
tunnel-group 75.19.70.177 type ipsec-l2l
tunnel-group 75.19.70.177 ipsec-attributes
 pre-shared-key *
tunnel-group 75.19.70.177-10LAN type ipsec-l2l
tunnel-group 75.19.70.177-10LAN ipsec-attributes
 pre-shared-key *
telnet 192.168.5.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.20-192.168.5.25 inside
dhcpd address 10.0.5.50-10.0.5.60 DICOM
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 207.191.50.10 207.191.1.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:9f30cea7d700394cd2140cc9077fb7d3
: end

Question by:hmassertech
5 Comments
 
LVL 6

Assisted Solution

by:clearacid
clearacid earned 80 total points
ID: 22829675
Line 42: access-list outside-access_in extended permit tcp any eq www host 209.12.234.100 eq www

try:

access-list outside-access_in extended permit tcp any host 209.12.234.100 eq www

Basically dropping the source port as port 80 and only looking for destination port 80.

Source ports change, really the destination port is what you are looking at.
0
 

Author Comment

by:hmassertech
ID: 22831570
Thanks for the suggestion, I tried it but it didn't work... I get the same result.... If I use a port scanner (web) against the .100 IP I get no response from port 80... I tried several computers (servers) to rule out a server issue but I get the same response.... no dice.... Any other ideas?

When I go to http://www.t1shopper.com/tools/port-scanner/ for example, I put in the IP address that I want to check (.100), select port 80 and hit scan, and I get the following result:

Scanning ports on 209.12.234.100
209.12.234.100 isn't responding on port 80 (http).

Please help.

0
 
LVL 2

Assisted Solution

by:bornskir
bornskir earned 80 total points
ID: 22832169
I think it's your NAT statements, more specifically your GLOBAL statements.  All of your GLOBAL statements have the pool ID of 10.  So when something on the inside tries to get out, based on your NAT statements, it tries to use pool 10 from the Global.  It's probably trying to respond back to the HTTP requests using an internal, non-routable IP address.

Try removing the two lines:

global (inside) 10 interface
global (DICOM) 10 interface

Or at least change them to:

global (inside) 11 interface
global (DICOM) 12 interface

Another option might also be to create another static statement for the outbound connection, such as:

static (outside,inside) 10.0.5.151 209.12.234.100 netmask 255.255.255.255

0
 

Author Comment

by:hmassertech
ID: 22832940
Bornskir, I tried both of your suggestions but I get the same error... By the way, the reason why I have
global (inside) 10 interface
global (DICOM) 10 interface
is because I need to route traffic between inside and DICOM and that was the only way that I got it to work....

Any more ideas?  Thanks for your help
0
 

Accepted Solution

by:
hmassertech earned 0 total points
ID: 22834621
I found what my issue was: the server I want to publish is on my DICOM LAN, but my static statement was on the inside...

I had static (inside,outside) and I needed static (DICOM,outside)....

I knew it was something simple...  Thanks a lot everybody for your help...
0
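The mismatch described in the accepted solution can be checked mechanically. This is an added example, not code from the thread: a Python check that reads the nameif/ip address pairs and the pre-8.3 static (real_if,mapped_if) mapped_ip real_ip lines, then flags any static whose real address is not on the network of the interface it names. The excerpt is constructed from lines in the posted config, the function names are hypothetical, and the check assumes published hosts sit on directly connected networks.

```python
import ipaddress
import re

# Constructed excerpt: interface and static lines taken from the posted config.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.5.150 255.255.255.0
!
interface Ethernet0/2
 nameif DICOM
 ip address 10.0.5.150 255.255.255.0
!
static (inside,outside) 209.12.234.99 10.0.5.7 netmask 255.255.255.255
static (inside,outside) 209.12.234.100 10.0.5.151 netmask 255.255.255.255
"""

def interface_networks(config):
    """Map each nameif to the directly connected network of its interface."""
    nets, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, addr, mask = line.split()[:4]
            nets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            name = None
    return nets

# Pre-8.3 syntax: static (real_if,mapped_if) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\S+?),\s*(\S+?)\)\s+(\S+)\s+(\S+)")

def misplaced_statics(config):
    """Return (real_ip, configured_if, connected_if) for each static whose
    real address is not on the network of the interface named first."""
    nets = interface_networks(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, _mapped_if, _mapped_ip, real_ip = m.groups()
        ip = ipaddress.ip_address(real_ip)
        if real_if in nets and ip in nets[real_if]:
            continue  # real host is on the interface the static names
        actual = next((n for n, net in nets.items() if ip in net), None)
        findings.append((real_ip, real_if, actual))
    return findings
```

Run over the excerpt, both static lines are reported, because 10.0.5.7 and 10.0.5.151 are each on the DICOM network while the statements name inside.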
