
Another ASA5505 question

Hello all,

I am in the process of moving away from a D-Link DFL-1100 and into a Cisco ASA5505.  So far so good.  I have received a lot of help from several people and for the most part, I think I have this ready for the switch over.  I am having one issue though, and I am betting that one of you very talented experts out here will be able to help.

First the network.

We have a block of addresses for the external interface, let's say it is  

162.94.1.178             255.255.255.240

On the internal interface we are using

10.200.20.1 255.255.248.0

To add to this, we also have another network that I have no control over but is routed through their magic to me.

172.16.0.0/16
172.17.0.0/16                  
172.20.0.0/16

It could be assumed that they are using all of 172.16.0.0 to 172.20.0.0.

10.1.0.0/16
10.7.0.0/16
10.10.0.0/16

Same here, it could be assumed that they are using 10.1.0.0 to 10.10.0.0.

And.

192.168.56.0/24

Most of this is just info that may help answer my question.  They are handling the routing to me, so most of these are not my concern.  Here is what I need help with.

On the D-link, I have the following rule under Firewall > Port Mapping

Name                  TDA
Source Nets:            10.1.55.81
Destination IP:      10.200.20.107
Source Port:            26000
Destination Port:      26000
Pass to:            10.200.20.107

This rule is working perfectly on the D-link.  Data is making its way like it should.

Here is my question.  What would the correct rule be for this on the ASA?  No traffic needs to leave the external interface of the ASA.

To help out, I am attaching the current ASA config.  Any insight or help will be ever so appreciated.

ASA Version 8.0(2)
!
hostname Cisco-ASA5505
domain-name ad.local
enable password ABC123def456 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.200.20.1 255.255.248.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 162.94.1.178 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ABC123def456 encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.200.20.16
 name-server 10.200.20.17
 name-server 124.64.225.35
 name-server 124.64.225.25
 domain-name ad.local
access-list FIRST extended permit ip host 10.77.55.175 150.2.0.0 255.255.0.0
access-list FIRST extended permit ip host 172.16.225.119 150.2.0.0 255.255.0.0
access-list FIRST extended permit ip host 172.16.225.121 150.2.0.0 255.255.0.0
access-list NAT1 extended permit ip host 10.200.20.146 150.2.0.0 255.255.0.0
access-list nonat extended permit ip host 172.16.225.119 150.2.0.0 255.255.0.0
access-list nonat extended permit ip host 172.16.225.121 150.2.0.0 255.255.0.0
access-list AllowedIncoming remark Allow incoming ping responses
access-list AllowedIncoming extended permit icmp any any echo-reply
access-list AllowedIncoming remark Cardinals RDP - port 3389
access-list AllowedIncoming extended permit tcp any host 162.94.1.178 eq 3389
access-list AllowedIncoming remark Steelers RDP - port 3389
access-list AllowedIncoming extended permit tcp any host 162.94.1.179 eq 3389
access-list AllowedIncoming remark PPTP Tunnel Suite - port 1723
access-list AllowedIncoming extended permit tcp any interface outside eq pptp
access-list AllowedIncoming remark PPTP Tunnel Suite - port 1723
access-list AllowedIncoming extended permit udp any interface outside eq 1723
access-list AllowedIncoming remark Cardinals DRAC - port 80
access-list AllowedIncoming extended permit tcp any host 162.94.1.186 eq www
access-list AllowedIncoming remark Cardinals DRAC - port 443
access-list AllowedIncoming extended permit tcp any host 162.94.1.186 eq https
access-list AllowedIncoming remark OTHER Web - port 80
access-list AllowedIncoming extended permit tcp any host 162.94.1.180 eq www
access-list AllowedIncoming remark OTHER Web - port 443
access-list AllowedIncoming extended permit tcp any host 162.94.1.180 eq https
access-list AllowedIncoming remark SOMETHING - all ports
access-list AllowedIncoming extended permit ip any host 162.94.1.188
access-list AllowedIncoming remark ELSE - all ports
access-list AllowedIncoming extended permit ip any host 162.94.1.189
access-list AllowedIncoming remark HIS PROJECT project - all ports
access-list AllowedIncoming extended permit ip any host 162.94.1.187
access-list AllowedIncoming remark HIS PROJECT - all ports
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.200.20.16 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 10.200.20.16 pptp netmask 255.255.255.255
static (inside,outside) 162.94.1.186 10.200.20.14 netmask 255.255.255.255
static (inside,outside) 162.94.1.180 10.200.20.106 netmask 255.255.255.255
static (inside,outside) 162.94.1.189 10.200.20.200 netmask 255.255.255.255
static (inside,outside) 162.94.1.188 10.200.20.201 netmask 255.255.255.255
static (inside,outside) 162.94.1.187 10.200.21.17 netmask 255.255.255.255
static (inside,outside) 162.94.1.179 10.200.20.17 netmask 255.255.255.255
static (inside,outside) 10.77.55.175  access-list NAT1
route outside 0.0.0.0 0.0.0.0 162.94.1.177 1
route inside 10.1.0.0 255.255.0.0 10.200.20.30 1
route inside 10.7.0.0 255.255.0.0 10.200.20.30 1
route inside 10.10.0.0 255.255.0.0 10.200.20.30 1
route inside 10.156.10.0 255.255.255.0 10.200.20.30 1
route inside 172.16.0.0 255.255.0.0 10.200.20.30 1
route inside 172.17.0.0 255.255.0.0 10.200.20.30 1
route inside 172.20.0.0 255.255.0.0 10.200.20.30 1
route inside 172.20.2.40 255.255.255.255 10.200.20.30 1
route inside 192.168.56.0 255.255.255.0 10.200.20.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.200.16.0 255.255.248.0 inside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.200.20.201 255.255.255.255 inside
telnet timeout 5
ssh 10.200.16.0 255.255.248.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
ntp authenticate
ntp server 192.43.244.18 source outside prefer
prompt hostname context
: end
asdm image disk0:/asdm-602.bin
no asdm history enable


Thanks

Mike
Accepted solution by leibinusa (answer text not available on this page). Last comment by ACAWI, 8/22/2022.

ASKER
ACAWI

leibinusa,

You are correct.  When the packets hit 10.200.20.30, they are directed straight away to 10.200.20.107.  I verified this fact this afternoon by setting up a test with the IT department of the owner of 10.1.55.81.  I simply removed the rule on the D-link, and they still were able to send traffic and receive traffic from 10.200.20.107.  This is one of those inherited devices, the D-link, from a previous admin no longer with the company.  I like to freely admit that I am no Cisco expert, so I spent some time last night at home thinking this entire problem over, in a non-stress environment, and decided that the rule actually had no business on the router.  So, I set up the test, and it turns out that I was right.  As well as you, leibinusa, are correct.  Problem appears to be solved.  Now, let's see what this weekend brings when I put it in place.

Thanks for your reply.

Mike    
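The resolution above rests on a routing fact: both 10.1.55.81 (reached via the `route inside ... 10.200.20.30` statements) and 10.200.20.107 (on the connected inside subnet) resolve to the same ASA interface, so the firewall is not in the path and a port-mapping entry on it cannot affect that flow. The script below is an added example, not code from the question or from the accepted answer; it parses the `route` lines and interface addresses exactly as posted in the config and performs a longest-prefix lookup to classify a flow as intra-interface or inter-interface. The Internet source 203.0.113.5 used for comparison is a constructed documentation address, not from the page.

```python
import ipaddress

# Interface addresses as posted in the ASA config above.
INTERFACES = {
    "inside": ipaddress.ip_interface("10.200.20.1/255.255.248.0"),
    "outside": ipaddress.ip_interface("162.94.1.178/255.255.255.240"),
}

# The "route" statements copied verbatim from the posted config.
ROUTE_LINES = """\
route outside 0.0.0.0 0.0.0.0 162.94.1.177 1
route inside 10.1.0.0 255.255.0.0 10.200.20.30 1
route inside 10.7.0.0 255.255.0.0 10.200.20.30 1
route inside 10.10.0.0 255.255.0.0 10.200.20.30 1
route inside 10.156.10.0 255.255.255.0 10.200.20.30 1
route inside 172.16.0.0 255.255.0.0 10.200.20.30 1
route inside 172.17.0.0 255.255.0.0 10.200.20.30 1
route inside 172.20.0.0 255.255.0.0 10.200.20.30 1
route inside 172.20.2.40 255.255.255.255 10.200.20.30 1
route inside 192.168.56.0 255.255.255.0 10.200.20.30 1
"""


def parse_routes(text):
    """Parse ASA 'route <ifname> <network> <mask> <next-hop> [metric]' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, net, mask, nexthop = parts[1:5]
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((ifname, network, ipaddress.ip_address(nexthop)))
    return routes


ROUTES = parse_routes(ROUTE_LINES)


def lookup(addr, interfaces=INTERFACES, routes=ROUTES):
    """Longest-prefix match over connected networks and static routes.

    Returns (egress interface, matched network, next hop or 'connected'),
    or None when nothing matches.
    """
    addr = ipaddress.ip_address(addr)
    candidates = [(name, iface.network, "connected") for name, iface in interfaces.items()]
    candidates += [(name, net, str(nh)) for name, net, nh in routes]
    best = None
    for name, net, via in candidates:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net, via)
    return best


def classify_flow(src, dst, interfaces=INTERFACES, routes=ROUTES):
    """Decide whether a src -> dst flow would cross the ASA between two interfaces."""
    s = lookup(src, interfaces, routes)
    d = lookup(dst, interfaces, routes)
    if s is None or d is None:
        return {"verdict": "unroutable", "src": s, "dst": d, "note": "no matching route"}
    if s[0] == d[0]:
        verdict = "intra-interface"
        note = (f"both ends resolve to '{s[0]}'; the ASA is not between them, "
                "so a port-mapping entry on it cannot affect this traffic")
    else:
        verdict = "inter-interface"
        note = (f"enters via '{s[0]}', leaves via '{d[0]}'; needs an access-list on the "
                "ingress interface and, from outside to inside, a static translation")
    return {"verdict": verdict, "src": s, "dst": d, "note": note}


if __name__ == "__main__":
    flows = (
        ("10.1.55.81", "10.200.20.107"),   # the TDA port-mapping rule from the D-Link
        ("203.0.113.5", "10.200.20.107"),  # constructed Internet source, for contrast
    )
    for src, dst in flows:
        r = classify_flow(src, dst)
        print(f"{src} -> {dst}: {r['verdict']} ({r['note']})")
```

For the TDA flow the lookup returns `inside` for both ends (the source via the 10.1.0.0/16 static through 10.200.20.30, the destination as connected), which is the "intra-interface" verdict and matches what the asker verified by removing the D-Link rule. Two caveats worth keeping in mind: the lookup only tells you the ASA's view, so the hop at 10.200.20.30 must itself forward to 10.200.20.107 directly (as the asker confirmed it does); and if such traffic ever were sent to the ASA's inside address, ASA 8.0 drops packets that would enter and leave the same interface unless `same-security-traffic permit intra-interface` is configured, which this config does not have.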