Solved

HOW to open port 8092 & 8097 within my LAN and DMZ

Posted on 2008-11-07
3,792 Views
Last Modified: 2012-06-27
I am setting up a new app server that resides on our public IP range and the web server is in the DMZ. When I try to go to the website I get "No connection could be made because the target machine actively refused it 199.xxx.xxx.20:8092". The old app server is still working just fine, but its IP is 192.168.6.6 and the port it uses is 8090, which is open (TCP and UDP).

I am running Cisco PIX Security Appliance Software Version 8.0(2) and using Cisco ASDM 6.0 to manage the PIX.

Under DMZ_access_in in ACL Manager I permit ICMP/ECHO, tcp/8092, udp/8092 between the DMZ server and the app server. But there is a rule that denies tcp/udp (http) from the DMZ to 199.xxx.xxx.20 and 192.168.0.0/16. Would this be blocking the port?


Cisco PIX Security Appliance Software Version 8.0(2) 
Device Manager Version 6.0(2)
Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/image.bin"
Config file at boot was "startup-config"

Question by:cslt
3 Comments
 
LVL 29

Assisted Solution

by:Alan Huseyin Kayahan
Alan Huseyin Kayahan earned 2000 total points
ID: 22911438
Hello Cslt,
If I understood you correctly, you want to reach the 10.10.1.10 server in the DMZ from outside on public IP 199.xxx.xxx.20 on port 8092.
I see that you have a static for 199.xxx.xxx.10:
static (DMZ,OutsideATT) 199.xxx.xxx.10 10.10.1.10 netmask 255.255.255.255
But you are trying to connect to 199.xxx.xxx.20, as you stated in your initial question.

access-list OutsideATT_access_in extended permit tcp any host 199.xxx.xxx.10 object-group DM_INLINE_TCP_1
Again, the address is 199.xxx.xxx.10 in the ACL, and object-group DM_INLINE_TCP_1 does not contain port 8092.

Regards
 

Accepted Solution

by:
cslt earned 0 total points
ID: 22924971
I tried your suggestion and I am receiving "No connection could be made because the target machine actively refused it 199.xxx.xx3.20:8092" from the page I am trying to access on the web.

The current app server is working just fine; ports 8090, 8091, 8095, 8096 (TCP & UDP) are permitted from 10.10.1.10 (DMZ) to 192.168.6.6 in ACL Manager. We bought a new app server and its IP is on a public IP (we own two class Cs, 199.xxx.xx3.xxx and 199.xxx.xx4.xxx). In ACL Manager I added this statement: permit ports 8092, 8097 (TCP & UDP) & ICMP/ECHO from Source: 10.10.1.10 to Destination: SLTCOMMPLUS (199.xxx.xx3.20).

: Saved
:
PIX Version 8.0(2) 
!
hostname xxxxx
domain-name cslt
enable password xxxxxxxxxxxxxxxxxxxxxxxx
names
name 209.xxx.xxx.61 ATTaccessNAT
name 192.168.8.4 SLTAIRPORT description Airport DC
name 192.168.10.10 SLTFIRERMS description Fire DC
name 192.168.1.25 SLTPDFICHE description Police DC
name 192.168.4.5 SLTREC description Rec DC
name 192.168.1.19 SLTPDPDC description PDC
name 192.168.6.5 SLTENGINEERING description DC
name 199.xxx.xx3.20 SLTCOMMPLUS description CSLT 3RD DC
!
interface Ethernet0
 description AT&T T-1 Connection
 nameif OutsideATT
 security-level 0
 ip address ATTaccessNAT 255.255.255.252 
 ospf cost 10
!
interface Ethernet1
 description Inside Pix to VLAN 100
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet2
 description Charter Cable 10MB Connection
 nameif OutsideCharter
 security-level 0
 ip address 24.xxx.xxx.138 255.255.255.248 
 ospf cost 10
!
interface Ethernet3
 description DMZ Interface to SLTEGOV Server
 nameif DMZ
 security-level 50
 ip address 10.10.1.1 255.255.255.0 
 ospf cost 10
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxxxxxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name cslt
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DomainControllers
 description Active Directory Replication from SLTEGOV to SLTINFOSYS & SLTBACKUP
 network-object host 199.xxx.xx3.18
 network-object host 199.xxx.xx3.2
 network-object host SLTFIRERMS
 network-object host SLTREC
 network-object host SLTAIRPORT
 network-object host 192.168.6.6
 network-object host SLTPDPDC
 network-object host SLTENGINEERING
 network-object host SLTCOMMPLUS
object-group icmp-type DM_INLINE_ICMP_3
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object mask-reply
 icmp-object timestamp-reply
object-group service DM_INLINE_SERVICE_2
 service-object udp eq domain 
 service-object tcp eq ldap 
 service-object tcp eq netbios-ssn 
 service-object udp eq netbios-dgm 
 service-object udp eq netbios-ns 
 service-object tcp eq 3268 
 service-object tcp eq 88 
 service-object udp eq 389 
 service-object udp eq 88 
 service-object icmp echo
 service-object tcp-udp eq 135 
 service-object tcp-udp eq 445 
 service-object udp eq ntp 
 service-object tcp-udp eq 691 
 service-object tcp-udp eq domain 
 service-object tcp-udp eq 1026 
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq smtp
 port-object eq 691
object-group network OutsideMail
 description Postini Mail Servers Inbound
 network-object 64.18.0.0 255.255.240.0
object-group network SQLServer
 description SQL traffic from SLTEGOV to SLTSC
 network-object host 192.168.6.6
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq 8090 
 service-object udp eq 8090 
 service-object icmp echo
 service-object tcp-udp eq 8095 
 service-object tcp eq 8091 
 service-object udp eq 8091 
 service-object tcp eq 8096 
 service-object udp eq 8096 
 service-object tcp eq 8095 
 service-object udp eq 8095 
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.0.0
 network-object 199.xxx.xx3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.0.0 255.255.0.0
 network-object 199.xxx.xx3.0 255.255.255.0
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group network SQL2005Server
 description SQL traffice from sltcommplus to sltegov
 network-object host SLTCOMMPLUS
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.0.0 255.255.0.0
 network-object 199.xxx.xx3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
 service-object icmp echo
 service-object tcp-udp eq 8092 
 service-object tcp eq 8092 
 service-object udp eq 8092 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list OutsideCharter_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list OutsideCharter_access_in extended permit tcp object-group OutsideMail host 24.xxx.xxx.139 eq smtp 
access-list OutsideATT_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 
access-list OutsideATT_access_in extended permit tcp any host 199.xxx.xx4.10 object-group DM_INLINE_TCP_1 
access-list OutsideATT_access_in extended permit tcp object-group OutsideMail host 199.xxx.xx4.11 eq smtp 
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_2 host 10.10.1.10 object-group DomainControllers 
access-list DMZ_access_in extended permit tcp host 10.10.1.10 host 199.xxx.xx3.15 object-group DM_INLINE_TCP_2 
access-list DMZ_access_in remark Deny web browsing of internal machines in the City
access-list DMZ_access_in extended deny object-group TCPUDP host 10.10.1.10 object-group DM_INLINE_NETWORK_2 eq www 
access-list DMZ_access_in remark egov to sltcommplus
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 host 10.10.1.10 host SLTCOMMPLUS 
access-list DMZ_access_in extended permit icmp any any object-group DM_INLINE_ICMP_3 
access-list DMZ_access_in remark Egov to SLTSC
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 host 10.10.1.10 object-group SQLServer 
access-list DMZ_access_in remark Allow EGOV server access to the internet
access-list DMZ_access_in extended permit tcp host 10.10.1.10 any object-group DM_INLINE_TCP_3 
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 10.10.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.xxx.64 255.255.255.192 
access-list SLTVpnAccess_splitTunnelAcl remark IS Network
access-list SLTVpnAccess_splitTunnelAcl standard permit 199.xxx.xx3.0 255.255.255.0 
access-list SLTVpnAccess_splitTunnelAcl standard permit host SLTAIRPORT 
access-list SLTVpnAccess_splitTunnelAcl standard permit 10.10.1.0 255.255.255.0 
access-list SLTVpnAccess_splitTunnelAcl standard permit host 192.168.6.6 
access-list SLTVpnAccess_splitTunnelAcl standard permit host SLTFIRERMS 
access-list SLTVpnAccess_splitTunnelAcl standard permit host SLTPDFICHE 
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any 
pager lines 24
logging enable
logging list Failover level warnings class rip
logging buffer-size 8192
logging trap notifications
logging asdm warnings
logging from-address xxxxxxxxxxxx
logging recipient-address xxxxxxxxxxxxxxxx level warnings
logging host inside 199.xxx.xx3.202
logging debug-trace
mtu OutsideATT 1500
mtu inside 1500
mtu OutsideCharter 1500
mtu DMZ 1500
ip local pool VendorPool 192.168.xxx.65-192.168.xxx.126 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
global (OutsideATT) 1 interface
global (OutsideCharter) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 199.xxx.xx3.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 1 10.10.1.10 255.255.255.255
static (DMZ,inside) 10.10.1.10 10.10.1.10 netmask 255.255.255.255 
static (inside,OutsideATT) 199.xxx.xx4.11 199.xxx.xx3.15 netmask 255.255.255.255 
static (DMZ,OutsideCharter) 24.xxx.xxx.139 10.10.1.10 netmask 255.255.255.255 
static (DMZ,OutsideATT) 199.xxx.xx4.10 10.10.1.10 netmask 255.255.255.255 
access-group OutsideATT_access_in in interface OutsideATT
access-group inside_access_in in interface inside
access-group OutsideCharter_access_in in interface OutsideCharter
access-group DMZ_access_in in interface DMZ
!
router rip
 network 10.0.0.0
 network 192.168.100.0
 network 209.xxx.xxx.0
 redistribute static
 version 2
 no auto-summary
!
route OutsideCharter 0.0.0.0 0.0.0.0 24.xxx.xxx.137 1 track 1
route OutsideATT 0.0.0.0 0.0.0.0 209.xxx.xxx.62 2
route OutsideATT 167.xxx.xxx.0 255.255.0.0 209.xxx.xxx.62 1
route OutsideATT 207.xxx.xx.26 255.255.255.255 209.xxx.xxx.62 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 199.xxx.xx3.0 255.255.255.0 inside
http 199.xxx.xx3.100 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 OutsideCharter
no snmp-server location
no snmp-server contact
snmp-server community csltpub
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 68.xxx.xxx.19 interface OutsideCharter
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set xxxxxxxxxxxxxxxx 
crypto ipsec transform-set xxxxxxxxxxxxxxxx 
crypto ipsec transform-set xxxxxxxxxxxxxxxx  
crypto ipsec transform-set xxxxxxxxxxxxxxxx  
crypto ipsec transform-set xxxxxxxxxxxxxxxx  
crypto ipsec transform-set xxxxxxxxxxxxxxxx  
crypto ipsec transform-set xxxxxxxxxxxxxxxx  
crypto ipsec transform-set xxxxxxxxxxxxxxxx  
crypto ipsec transform-set xxxxxxxxxxxxxxxx  
crypto ipsec transform-set xxxxxxxxxxxxxxxx  
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-MD5
crypto map OutsideCharter_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OutsideCharter_map interface OutsideCharter
crypto isakmp enable OutsideCharter
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 199.xxx.xx3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
ntp server 199.xxx.xx3.18 source inside prefer
group-policy xxxxxx internal
group-policy xxxxxx attributes
 wins-server value 199.xxx.xx3.18 199.xxx.xx3.2
 dns-server value 199.xxx.xx3.18 199.xxx.xx3.2
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxxx_splitTunnelAcl
 default-domain value CSLT
 intercept-dhcp enable
 client-access-rule none
username xxxxx password xxxxxxxxxxxxxxx encrypted
username xxxxx attributes
 vpn-group-policy xxxxxx
username xxxxx password xxxxxxxxxxxxxxx encrypted privilege 0
username xxxxx attributes
 vpn-group-policy xxxxxx
username xxxxx password xxxxxxxxxxxxxxx encrypted
username xxxxx attributes
 vpn-group-policy xxxxxx
username xxxxx password xxxxxxxxxxxxxxx encrypted privilege 0
username xxxxx attributes
 vpn-group-policy xxxxxx
username xxxxx password xxxxxxxxxxxxxxx encrypted
username xxxxx attributes
 vpn-group-policy xxxxxx
username xxxxx password xxxxxxxxxxxxxxx encrypted privilege 0
username xxxxx attributes
 vpn-group-policy xxxxxx
username xxxxx password xxxxxxxxxxxxxxx encrypted privilege 0
username xxxxx attributes
 vpn-group-policy xxxxxx
tunnel-group xxxxxx type remote-access
tunnel-group xxxxxx general-attributes
 address-pool (OutsideCharter) VendorPool
 address-pool VendorPool
 authentication-server-group (OutsideCharter) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (OutsideCharter) LOCAL
 default-group-policy xxxxxx
tunnel-group xxxxxx ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group xxxxxx
smtp-server 199.xxx.xx3.15
prompt hostname context 
Cryptochecksum:xxxxxxxxxxxxxxxxxxx
: end

 

Author Comment

by:cslt
ID: 22925130
Could my problem be a NAT issue, or is the order that I have it in wrong?
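An added example, not code from this thread, from the asker's PIX, or from Cisco: a small Python checker that reads the subset of PIX 8.0 syntax the pasted config uses (name aliases, object-groups, extended ACEs, static translations) and walks an ACL top-down the way the PIX does, so the two questions raised here (does the www deny block 8092, and does anything on OutsideATT translate the .20 address) can be answered mechanically instead of by eye. The function names `parse`, `first_match` and `statics_for` are my own, the parser covers only the constructs that appear in the excerpt, and the masked 199.xxx.xx3.x / 199.xxx.xx4.x octets are replaced by the documentation ranges 198.51.100.x and 203.0.113.x as constructed placeholders.

```python
import ipaddress

PORTS = {"www": 80, "https": 443, "ftp": 21, "smtp": 25}  # PIX port keywords used here (subset)

def port(tok):
    return PORTS.get(tok) or int(tok)

def net(cfg, tok):
    """'host X' or 'NET MASK' -> ip_network, resolving aliases defined by 'name' lines."""
    if tok[0] == "host":
        return ipaddress.ip_network(cfg["names"].get(tok[1], tok[1]))
    return ipaddress.ip_network(f"{cfg['names'].get(tok[0], tok[0])}/{tok[1]}")

def addr(cfg, t, i):
    """Address spec at t[i] (any | host X | object-group G | NET MASK) -> ([ip_network], next i)."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "object-group":
        return cfg["groups"][t[i + 1]][1], i + 2
    return [net(cfg, t[i:i + 2])], i + 2

def parse_ace(cfg, t):
    """access-list NAME extended ACTION (PROTO | object-group G) SRC DST [eq PORT | object-group PORTS]"""
    action, og = t[3], t[4] == "object-group"
    kind, items = cfg["groups"][t[5]] if og else ("proto", {(t[4], None)})
    src, i = addr(cfg, t, 6 if og else 5)
    dst, i = addr(cfg, t, i)
    if kind == "service":  # a service object-group fixes protocol and port together
        return action, set(items), src, dst, " ".join(t)
    if i < len(t) and t[i] == "eq":
        ports = {port(t[i + 1])}
    elif i < len(t) and t[i] == "object-group" and cfg["groups"][t[i + 1]][0] == "service":
        ports = {p for _, p in cfg["groups"][t[i + 1]][1]}
    else:
        ports = {None}  # no port spec (or an icmp-type group): any port
    return action, {(p, pt) for p, _ in items for pt in ports}, src, dst, " ".join(t)

def parse(text):
    """Parse the name / object-group / access-list / static subset of PIX 8.0 syntax."""
    cfg, group, gproto = {"names": {}, "groups": {}, "acls": {}, "statics": []}, None, None
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "name":
            cfg["names"][t[2]] = t[1]
        elif t[0] == "object-group":  # object-group KIND NAME [tcp|udp]; members follow, indented
            group, gproto = t[2], (t[3] if len(t) > 3 else None)
            cfg["groups"][group] = (t[1], [] if t[1] == "network" else set())
        elif t[0] == "network-object":
            cfg["groups"][group][1].append(net(cfg, t[1:]))
        elif t[0] == "port-object":
            cfg["groups"][group][1].add((gproto, port(t[2])))
        elif t[0] == "service-object":
            pt = port(t[3]) if len(t) > 3 and t[2] == "eq" else None
            cfg["groups"][group][1].update((p, pt) for p in (("tcp", "udp") if t[1] == "tcp-udp" else (t[1],)))
        elif t[0] == "protocol-object":
            cfg["groups"][group][1].add((t[1], None))
        elif t[0] == "access-list" and t[2] == "extended":
            cfg["acls"].setdefault(t[1], []).append(parse_ace(cfg, t))
        elif t[0] == "static":  # static (real_if,mapped_if) MAPPED REAL netmask MASK
            real_if, mapped_if = t[1].strip("()").split(",")
            cfg["statics"].append((real_if, mapped_if, net(cfg, [t[2], t[5]]), net(cfg, [t[3], t[5]])))
    return cfg

def first_match(cfg, acl, proto, src, dst, dport=None):
    """PIX walks an ACL top-down: the first matching ACE wins, otherwise the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, services, srcs, dsts, line in cfg["acls"].get(acl, []):
        if (any(s in n for n in srcs) and any(d in n for n in dsts)
                and any(p == proto and pt in (None, dport) for p, pt in services)):
            return action, line
    return "deny", "implicit deny at end of " + acl

def statics_for(cfg, mapped_if, mapped_ip):
    """Static translations that expose mapped_ip on mapped_if; empty means nothing translates it there."""
    m = ipaddress.ip_address(mapped_ip)
    return [s for s in cfg["statics"] if s[1] == mapped_if and m in s[2]]

# Constructed excerpt of the thread's config; masked octets replaced by documentation ranges (placeholders).
SAMPLE = """\
name 198.51.100.20 SLTCOMMPLUS description CSLT 3RD DC
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.0.0 255.255.0.0
 network-object 198.51.100.0 255.255.255.0
object-group service DM_INLINE_SERVICE_3
 service-object icmp echo
 service-object tcp-udp eq 8092
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list OutsideATT_access_in extended permit tcp any host 203.0.113.10 object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended deny object-group TCPUDP host 10.10.1.10 object-group DM_INLINE_NETWORK_2 eq www
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_3 host 10.10.1.10 host SLTCOMMPLUS
static (DMZ,OutsideATT) 203.0.113.10 10.10.1.10 netmask 255.255.255.255
"""

if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print(first_match(cfg, "DMZ_access_in", "tcp", "10.10.1.10", "198.51.100.20", 8092), statics_for(cfg, "OutsideATT", "198.51.100.20"))
```

Run against the excerpt, the DMZ walk shows that the "deny web browsing" ACE matches only destination port 80, so it never reaches 8092 and the following permit wins; on the OutsideATT side, DM_INLINE_TCP_1 lacks 8092 (implicit deny) and the only static on that interface covers the .10 mapped address, not .20, which is exactly the expert's reading. One caveat worth keeping in mind when interpreting the symptom: the quoted Windows message is the connection-refused error, which is raised when a TCP RST comes back, whereas a packet silently dropped by a PIX ACL produces a timeout instead; a refusal therefore points at a host that reached the destination but found nothing listening on 8092, so confirming the new server's listener is as important as the ACL and NAT review.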