troubleshooting Question

Another ASA5505 question

Asked by ACAWI (United States of America) in Hardware Firewalls
Hello all,

I am in the process of moving away from a D-Link DFL-1100 and into a Cisco ASA5505.  So far so good.  I have received a lot of help from several people and for the most part, I think I have this ready for the switch over.  I am having one issue though, and I am betting that one of you very talented experts out here will be able to help.

First the network.

We have a block of addresses for the external interface, let's say it is  

162.94.1.178             255.255.255.240

On the internal interface we are using

10.200.20.1 255.255.248.0

To add to this, we also have another network that I have no control over but is routed through their magic to me.

172.16.0.0/16
172.17.0.0/16                  
172.20.0.0/16

It could be assumed that they are using all of 172.16.0.0 to 172.20.0.0.

10.1.0.0/16
10.7.0.0/16
10.10.0.0/16

Same here, it could be assumed that they are using 10.1.0.0 to 10.10.0.0.

And.

192.168.56.0/24

Most of this is just info that may help answer my question.  They are handling the routing to me, so most of these are not my concern.  Here is what I need help with.

On the D-link, I have the following rule under Firewall > Port Mapping

Name                  TDA
Source Nets:            10.1.55.81
Destination IP:      10.200.20.107
Source Port:            26000
Destination Port:      26000
Pass to:            10.200.20.107

This rule is working perfectly on the D-link.  Data is making its way like it should.

Here is my question.  What would the correct rule be for this on the ASA?  No traffic needs to leave the external interface of the ASA.

To help out, I am attaching the current ASA config.  Any insight or help will be ever so appreciated.

ASA Version 8.0(2)
!
hostname Cisco-ASA5505
domain-name ad.local
enable password ABC123def456 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.200.20.1 255.255.248.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 162.94.1.178 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ABC123def456 encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.200.20.16
 name-server 10.200.20.17
 name-server 124.64.225.35
 name-server 124.64.225.25
 domain-name ad.local
access-list FIRST extended permit ip host 10.77.55.175 150.2.0.0 255.255.0.0
access-list FIRST extended permit ip host 172.16.225.119 150.2.0.0 255.255.0.0
access-list FIRST extended permit ip host 172.16.225.121 150.2.0.0 255.255.0.0
access-list NAT1 extended permit ip host 10.200.20.146 150.2.0.0 255.255.0.0
access-list nonat extended permit ip host 172.16.225.119 150.2.0.0 255.255.0.0
access-list nonat extended permit ip host 172.16.225.121 150.2.0.0 255.255.0.0
access-list AllowedIncoming remark Allow incoming ping responses
access-list AllowedIncoming extended permit icmp any any echo-reply
access-list AllowedIncoming remark Cardinals RDP - port 3389
access-list AllowedIncoming extended permit tcp any host 162.94.1.178 eq 3389
access-list AllowedIncoming remark Steelers RDP - port 3389
access-list AllowedIncoming extended permit tcp any host 162.94.1.179 eq 3389
access-list AllowedIncoming remark PPTP Tunnel Suite - port 1723
access-list AllowedIncoming extended permit tcp any interface outside eq pptp
access-list AllowedIncoming remark PPTP Tunnel Suite - port 1723
access-list AllowedIncoming extended permit udp any interface outside eq 1723
access-list AllowedIncoming remark Cardinals DRAC - port 80
access-list AllowedIncoming extended permit tcp any host 162.94.1.186 eq www
access-list AllowedIncoming remark Cardinals DRAC - port 443
access-list AllowedIncoming extended permit tcp any host 162.94.1.186 eq https
access-list AllowedIncoming remark OTHER Web - port 80
access-list AllowedIncoming extended permit tcp any host 162.94.1.180 eq www
access-list AllowedIncoming remark OTHER Web - port 443
access-list AllowedIncoming extended permit tcp any host 162.94.1.180 eq https
access-list AllowedIncoming remark SOMETHING - all ports
access-list AllowedIncoming extended permit ip any host 162.94.1.188
access-list AllowedIncoming remark ELSE - all ports
access-list AllowedIncoming extended permit ip any host 162.94.1.189
access-list AllowedIncoming remark HIS PROJECT project - all ports
access-list AllowedIncoming extended permit ip any host 162.94.1.187
access-list AllowedIncoming remark HIS PROJECT - all ports
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.200.20.16 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 10.200.20.16 pptp netmask 255.255.255.255
static (inside,outside) 162.94.1.186 10.200.20.14 netmask 255.255.255.255
static (inside,outside) 162.94.1.180 10.200.20.106 netmask 255.255.255.255
static (inside,outside) 162.94.1.189 10.200.20.200 netmask 255.255.255.255
static (inside,outside) 162.94.1.188 10.200.20.201 netmask 255.255.255.255
static (inside,outside) 162.94.1.187 10.200.21.17 netmask 255.255.255.255
static (inside,outside) 162.94.1.179 10.200.20.17 netmask 255.255.255.255
static (inside,outside) 10.77.55.175 access-list NAT1
route outside 0.0.0.0 0.0.0.0 162.94.1.177 1
route inside 10.1.0.0 255.255.0.0 10.200.20.30 1
route inside 10.7.0.0 255.255.0.0 10.200.20.30 1
route inside 10.10.0.0 255.255.0.0 10.200.20.30 1
route inside 10.156.10.0 255.255.255.0 10.200.20.30 1
route inside 172.16.0.0 255.255.0.0 10.200.20.30 1
route inside 172.17.0.0 255.255.0.0 10.200.20.30 1
route inside 172.20.0.0 255.255.0.0 10.200.20.30 1
route inside 172.20.2.40 255.255.255.255 10.200.20.30 1
route inside 192.168.56.0 255.255.255.0 10.200.20.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.200.16.0 255.255.248.0 inside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.200.20.201 255.255.255.255 inside
telnet timeout 5
ssh 10.200.16.0 255.255.248.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
ntp authenticate
ntp server 192.43.244.18 source outside prefer
prompt hostname context
: end


Thanks

Mike
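Before writing an ASA rule for the D-Link port mapping it is worth checking what the posted config actually does with that flow. The script below is an added example for this thread (Python, not Cisco code and not from the original question or answer). It parses interfaces, static routes, extended access-lists and access-group bindings from an ASA 8.0-style config, resolves the interface each endpoint sits on by longest-prefix match over connected networks and static routes, and reports whether the flow is intra-interface and whether a bound ACL permits it. The embedded config is a trimmed, constructed excerpt of the one above; NAT is not modelled, so outside-to-inside flows should be checked with acl_permits() against the mapped (global) address, which is what a pre-8.3 ASA evaluates ACLs on.

```python
"""Audit an ASA 8.0-style config for one flow: which interface each endpoint
sits on, whether it is intra-interface (hairpin), and whether an access-list
bound with access-group permits it. Added example, not Cisco code; NAT is not modelled."""
import ipaddress

# Constructed excerpt of the config posted in the question (most entries trimmed).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.200.20.1 255.255.248.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 162.94.1.178 255.255.255.240
access-list AllowedIncoming extended permit tcp any host 162.94.1.178 eq 3389
access-list AllowedIncoming extended permit ip any host 162.94.1.188
route outside 0.0.0.0 0.0.0.0 162.94.1.177 1
route inside 10.1.0.0 255.255.0.0 10.200.20.30 1
"""
PORT_NAMES = {"www": 80, "https": 443, "pptp": 1723}  # service names used in the config

def _net(ip, mask):
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)

def _addr(tok, ifaces):
    """Consume one ACL address clause; None stands for 'any'."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] in ("host", "interface"):
        ip = tok[1] if tok[0] == "host" else ifaces[tok[1]]["addr"]
        return _net(ip, 32), tok[2:]
    return _net(tok[0], tok[1]), tok[2:]

def parse(config):
    """Return (interfaces, routes, acls, access-group bindings, intra_ok)."""
    ifaces, routes, acls, groups, intra_ok, cur = {}, [], {}, {}, False, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith("interface "):
            cur = {}
            continue
        if cur is not None and line.startswith(" "):  # inside an interface block
            key, _, rest = line.strip().partition(" ")
            if key == "nameif":
                ifaces[rest] = cur
            elif key == "security-level":
                cur["level"] = int(rest)
            elif key == "ip" and rest.startswith("address "):
                ip, mask = rest.split()[1:3]
                cur["addr"], cur["net"] = ip, _net(ip, mask)
            continue
        cur = None
        tok = line.split()
        if tok[0] == "route":
            routes.append((_net(tok[2], tok[3]), tok[1]))
        elif tok[0] == "access-group" and tok[2] == "in":
            groups[tok[4]] = tok[1]  # ingress interface -> ACL name
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, rest = _addr(tok[5:], ifaces)
            dst, rest = _addr(rest, ifaces)
            port = None
            if rest[:1] == ["eq"]:  # destination port only; source-port clauses are not parsed
                port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
            acls.setdefault(tok[1], []).append((tok[3], tok[4], src, dst, port))
        elif line.strip() == "same-security-traffic permit intra-interface":
            intra_ok = True
    return ifaces, routes, acls, groups, intra_ok

def egress(ip, ifaces, routes):
    """Longest-prefix match over connected networks and static routes."""
    ip = ipaddress.IPv4Address(ip)
    cands = [(i["net"], name) for name, i in ifaces.items()] + routes
    hits = [(net.prefixlen, name) for net, name in cands if ip in net]
    return max(hits)[1] if hits else None

def acl_permits(entries, proto, src, dst, dport):
    """First matching ACE wins; None means the implicit deny applies."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, p, s, d, port in entries:
        if p in ("ip", proto) and (s is None or src in s) and (d is None or dst in d) \
                and (port is None or port == dport):
            return action
    return None

def analyse(config, src, dst, proto, dport):
    """Classify one flow the way the ASA would, before NAT is considered."""
    ifaces, routes, acls, groups, intra_ok = parse(config)
    src_if, dst_if = egress(src, ifaces, routes), egress(dst, ifaces, routes)
    res = {"src_if": src_if, "dst_if": dst_if, "intra": src_if == dst_if,
           "unbound_acls": sorted(set(acls) - set(groups.values()))}
    if src_if is None or dst_if is None:
        res["verdict"] = "dropped: no route"
    elif src_if == dst_if and not intra_ok:
        res["verdict"] = "dropped: needs 'same-security-traffic permit intra-interface'"
    elif src_if in groups:
        action = acl_permits(acls.get(groups[src_if], []), proto, src, dst, dport)
        res["verdict"] = action or f"denied by implicit deny of {groups[src_if]}"
    elif ifaces[src_if]["level"] >= ifaces[dst_if]["level"]:
        res["verdict"] = "permit"  # no ingress ACL: higher or equal security may initiate
    else:
        res["verdict"] = "denied: lower to higher security with no ACL bound"
    return res
```

Running analyse(ASA_CONFIG, "10.1.55.81", "10.200.20.107", "tcp", 26000) resolves both addresses to inside (10.1.0.0/16 is a static route out the inside interface and 10.200.20.107 is in the connected 10.200.16.0/21), so this is not an outside-to-inside port forward at all but an intra-interface flow, which the ASA only forwards once same-security-traffic permit intra-interface is configured. Two further things the posted config shows: the next hop for 10.1.0.0/16 (10.200.20.30) sits in the same /21 as 10.200.20.107, so the inside router may hand the inbound packets straight to .107 while the replies come back through the ASA as .107's default gateway, an asymmetric path the ASA will not accept as one connection; and AllowedIncoming is never bound with an access-group line, so as pasted none of its entries are in effect.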
ASKER CERTIFIED SOLUTION
leibinusa (United States of America)

Commented: