Solved: Port Forward doesn't work

Posted on 2008-10-28
Last Modified: 2008-11-03
I have set up port forwarding on an ASA 5510 but I can't get it to forward the ports. I have tried a lot but it seems like the ASA doesn't pass anything... Please help, this is urgent. This is my current configuration.... I have a web server ready to respond on port 80 (10.0.5.151), but it doesn't seem to get the reply....
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name xxxxx.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.12.234.98 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.150 255.255.255.0
!
interface Ethernet0/2
 nameif DICOM
 security-level 100
 ip address 10.0.5.150 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_nat0_outbound extended permit ip any 192.168.50.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list remoteuser_splitTunnelAcl standard permit any
access-list dicom_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list dicom_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 192.168.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list outside-access_in extended permit tcp any eq www host 209.12.234.100 eq www
access-list outside-access_in extended permit tcp any host 209.12.234.100 eq https
access-list outside-access_in extended permit tcp any host 209.12.234.100 eq pptp
access-list outside_cryptomap_20 extended permit ip 10.0.5.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list remoteworker_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DICOM 1500
mtu management 1500
ip local pool remoteusers 192.168.50.50-192.168.50.60 mask 255.255.255.0
icmp permit any outside
icmp permit any inside
icmp permit any DICOM
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (inside) 10 interface
global (DICOM) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DICOM) 0 access-list dicom_nat0_outbound
nat (DICOM) 10 0.0.0.0 0.0.0.0
static (inside,outside) 209.12.234.99 10.0.5.7 netmask 255.255.255.255
static (inside,outside) 209.12.234.100 10.0.5.151 netmask 255.255.255.255
access-group outside-access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.12.234.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy remoteuser internal
group-policy remoteuser attributes
 dns-server value 24.93.41.127 24.93.41.128
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteuser_splitTunnelAcl
 webvpn
group-policy remoteworker internal
group-policy remoteworker attributes
 dns-server value 207.191.50.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteworker_splitTunnelAcl
 webvpn
username mtech password V6B59GRyHeAuo8yI encrypted privilege 0
username mtech attributes
 vpn-group-policy remoteuser
 webvpn
http server enable
http 192.168.5.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 DICOM
http 192.168.1.0 255.255.255.0 management
SNMP agent module is currently busy.  Please retry the 'snmp-server' command at a later time.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 75.19.70.177
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group remoteworker type ipsec-ra
tunnel-group remoteworker general-attributes
 address-pool remoteusers
 default-group-policy remoteworker
tunnel-group remoteworker ipsec-attributes
 pre-shared-key *
tunnel-group 75.19.70.177 type ipsec-l2l
tunnel-group 75.19.70.177 ipsec-attributes
 pre-shared-key *
tunnel-group 75.19.70.177-10LAN type ipsec-l2l
tunnel-group 75.19.70.177-10LAN ipsec-attributes
 pre-shared-key *
telnet 192.168.5.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 DICOM
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.20-192.168.5.25 inside
dhcpd address 10.0.5.50-10.0.5.60 DICOM
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 207.191.50.10 207.191.1.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:9f30cea7d700394cd2140cc9077fb7d3
: end

Question by:hmassertech

Assisted Solution

by:clearacid
clearacid earned 20 total points
ID: 22829675
Line 42: access-list outside-access_in extended permit tcp any eq www host 209.12.234.100 eq www

try:

access-list outside-access_in extended permit tcp any host 209.12.234.100 eq www

basically dropping the source port as port 80 and only looking for destination port 80.

Source ports change, really the destination port is what you are looking at.
Author Comment

by:hmassertech
ID: 22831570
Thanks for the suggestion, I tried it but it didn't work... I get the same result.... if I use a port scanner (web) against the .100 IP I get no response from port 80... I tried several computers (servers) to rule out a server issue but I get the same response.... no dice.... any other ideas?

When I go to http://www.t1shopper.com/tools/port-scanner/ for example, I put in the IP address that I want to check (.100), select port 80 and hit scan, and I get the following result:

Scanning ports on 209.12.234.100
209.12.234.100 isn't responding on port 80 (http).

Please help.


Assisted Solution

by:bornskir
bornskir earned 20 total points
ID: 22832169
I think it's your NAT statements, more specifically your GLOBAL statements.  All of your GLOBAL statements have the pool ID of 10.  So when something on the inside tries to get out, based on your NAT statements, it tries to use pool 10 from the Global.  It's probably trying to respond back to the HTTP requests using an internal, non-routable IP address.

Try removing the two lines:

global (inside) 10 interface
global (DICOM) 10 interface

Or at least change them to:

global (inside) 11 interface
global (DICOM) 12 interface

Another option might also be to create another static statement for the outbound connection, such as:

static (outside,inside) 10.0.5.151 209.12.234.100 netmask 255.255.255.255

Author Comment

by:hmassertech
ID: 22832940
Bornskir, I tried both of your suggestions but I get the same error... by the way, the reason why I have
global (inside) 10 interface
global (DICOM) 10 interface
is because I need to route traffic between inside and DICOM and that was the only way that I got it to work....

any more ideas?  Thanks for your help

Accepted Solution

by:hmassertech
hmassertech earned 0 total points
ID: 22834621
I found what my issue was, the server I want to publish is on my DICOM LAN, but my static statement was on the inside...

I had  static (inside,outside) and  I needed static (DICOM,outside)....

I knew it was something simple...  Thanks a lot everybody for your help...
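The two configuration mistakes discussed in this thread (clearacid's point that an ACE must not pin the client's source port, and the accepted solution's point that a static must name the interface the real host actually sits on) are both mechanically checkable. The following Python script is an added example, not code from the thread or from Cisco: it parses the interface, access-list and static lines copied from the question's running config, reports both defects, and then confirms the corrected copy passes. The function names, the finding wording and the trimmed sample config are this example's own; it only understands the ASA 7.x `any`/`host`/`A MASK` source forms and the `static (real,mapped) mapped real netmask` syntax seen on this page. Note that the check also flags the `209.12.234.99 -> 10.0.5.7` static from the posted config, since 10.0.5.7 is on the DICOM subnet as well.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the interface, access-list and static lines from the
# question's running config, trimmed to what the checks below need.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 209.12.234.98 255.255.255.248
interface Ethernet0/1
 nameif inside
 ip address 192.168.5.150 255.255.255.0
interface Ethernet0/2
 nameif DICOM
 ip address 10.0.5.150 255.255.255.0
access-list outside-access_in extended permit tcp any eq www host 209.12.234.100 eq www
access-list outside-access_in extended permit tcp any host 209.12.234.100 eq https
static (inside,outside) 209.12.234.99 10.0.5.7 netmask 255.255.255.255
static (inside,outside) 209.12.234.100 10.0.5.151 netmask 255.255.255.255
"""

# Same config with the two fixes from the thread applied: a destination-port-only
# ACE, and statics bound to the interface the 10.0.5.x hosts actually live on.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "permit tcp any eq www host 209.12.234.100 eq www",
    "permit tcp any host 209.12.234.100 eq www",
).replace("static (inside,outside)", "static (DICOM,outside)")

PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w/-]+),(?P<mapped_if>[\w/-]+)\) "
    r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)"
)
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) (?P<rest>.+)$"
)


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each nameif to the subnet configured on that interface."""
    networks: Dict[str, ipaddress.IPv4Network] = {}
    nameif = None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("interface "):
            nameif = None  # new interface block; nameif comes before ip address
        elif stripped.startswith("nameif "):
            nameif = stripped.split()[1]
        elif stripped.startswith("ip address ") and nameif:
            _, _, addr, mask = stripped.split()[:4]
            networks[nameif] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return networks


def source_port_restricted(rest: str) -> bool:
    """True when the source half of an ACE pins a source port ('any eq www ...').

    Only 'any', 'host A' and 'A MASK' source forms are handled (object-groups are not).
    """
    tokens = rest.split()
    consumed = 1 if tokens[0] == "any" else 2
    return len(tokens) > consumed and tokens[consumed] in PORT_OPERATORS


def lint_config(config: str) -> List[str]:
    """Return one finding per ACE with a pinned source port and per static whose
    real address is not on the subnet of the interface it names."""
    findings: List[str] = []
    networks = parse_interfaces(config)
    for line in config.splitlines():
        ace = ACE_RE.match(line)
        if ace and source_port_restricted(ace.group("rest")):
            findings.append(
                f"source port restricted (clients use ephemeral source ports): {line}"
            )
            continue
        st = STATIC_RE.match(line)
        if not st:
            continue
        real_ip = ipaddress.ip_address(st.group("real"))
        real_if = st.group("real_if")
        if real_if in networks and real_ip in networks[real_if]:
            continue
        home = [name for name, net in networks.items() if real_ip in net]
        hint = f"; {real_ip} is on {home[0]}" if home else f"; no interface owns {real_ip}"
        findings.append(f"static real address not on interface {real_if}{hint}: {line}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label}: {len(lint_config(cfg))} finding(s)")
        for finding in lint_config(cfg):
            print("  ", finding)
```

Run against the posted config the script reports three findings (the source-port ACE and both statics pointing at 10.0.5.x hosts through the inside interface); against the corrected copy it reports none. The subnet test is the useful part: on an ASA a static only translates traffic arriving on the interface it names, so a real address that cannot be reached out of that interface never gets a translation, which matches the "no response on port 80" symptom seen from the outside scanner.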