capcap asked:

Cisco ASA 5505 Firewall Ports

Does anyone know what ports are file sharing ports and how to enable them on a Cisco ASA 5505 Firewall?
jonhicks

TCP 139 and 445.

Create an access-list that allows these two ports and apply it to the appropriate interface. Are you familiar with creating and applying ACLs to interfaces?
capcap (ASKER)

Hello...I have no clue. I am learning as I go here. Can you explain using the GUI instead of command line if possible?
Hmm, it's actually easier in the command line (and I'm not sure how to apply ACLs to interfaces using the ASDM).

Are you able to paste your config? Feel free to alter the external IP :)

Also, where are you trying to share from and to? An internal host trying to browse an external or dmz host?
capcap (ASKER)

Not real comfortable about sharing my config file. I will have to think about that. What I am trying to do is set up an XP box outside our DMZ that will VPN in to one of our client's networks. At the same time I have set up a share on an internal server to be able to transfer the files to, but using strict firewall restrictions. Only this share should be visible from the DMZ.
In your config, you should have an access list or lists for your DMZ interface which is applied to either the in or out direction or both.

It'll look something like this (although yours will be more or less complicated and probably not as open as this):

access-list dmz_in_01 extended permit ip any any
access-list dmz_in_01 extended permit icmp any any
access-list dmz_out_01 extended permit ip any any
access-list dmz_out_01 extended permit icmp any any
access-group dmz_in_01 in interface dmz
access-group dmz_out_01 out interface dmz

If you add

access-list dmz_in_01 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 445
access-list dmz_in_01 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 139

this will allow hosts on your DMZ addressed 192.168.2.x to access file shares on 192.168.1.10 on your inside LAN. (Note that ACL entries are added with access-list, not access-group; access-group only binds a finished list to an interface.)

Hope this makes some sense.
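The reply above shows a wide-open DMZ list with the two SMB entries added to it. Below is an added example (my own, not from the thread or from Cisco) of the least-privilege version the asker actually described, with the weak list kept as a comment for comparison; it assumes the interface is named dmz, the DMZ subnet is 192.168.2.0/24 and the share host is 192.168.1.10, as in the reply, and that the ACL name dmz_in_02 is free.

```cisco
! --- Weak (as sketched in the reply): anything from the DMZ reaches the inside.
! access-list dmz_in_01 extended permit ip any any
! access-list dmz_in_01 extended permit icmp any any
! access-group dmz_in_01 in interface dmz

! --- Hardened: only SMB from the DMZ subnet to the one share host.
! Inbound ACL on the dmz interface controls what DMZ hosts may initiate;
! return traffic for these connections is allowed by the stateful engine,
! so no matching "out" entry is needed.
access-list dmz_in_02 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 445
access-list dmz_in_02 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 139

! Echo requests only, so reachability can be tested from the DMZ box
! without opening all ICMP types.
access-list dmz_in_02 extended permit icmp 192.168.2.0 255.255.255.0 host 192.168.1.10 echo

! Explicit deny with logging: every other attempt from the DMZ is dropped
! and written to syslog, which is what you want to see when hardening.
access-list dmz_in_02 extended deny ip any any log

! Binding the new list replaces dmz_in_01 on the interface in one step;
! the old list stays in the config until you remove it after testing.
access-group dmz_in_02 in interface dmz

! After testing from a DMZ host, check hit counts per entry:
! show access-list dmz_in_02
```

Because the ASA config is live as soon as each line is entered, put the permit lines in before the deny line, and keep a console session open while you change the interface binding on a production firewall.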
capcap (ASKER)

Thanks for this info.
I will give this a try and see if it works. I am a novice with Cisco and eager to learn. The problem is this is our main firewall and if I screw it up then I am in trouble because the company will cease to function. Are you sure you cannot help using the GUI?
jonhicks (ASKER CERTIFIED SOLUTION)

capcap (ASKER)

Hello,
Thank you for the screenshot. I have created ACLs for internet access and static IP. I am still having trouble with the ports 139 and 445 as I do not have anything I can duplicate. There are many options to choose from. I am still trying to sort it out, but if you have any other suggestions I am open to them.
Is it the rule you're having problems with?

Do as attached.

What version of ASDM are you using? Hopefully 5.2... if not it may look a bit different.

(attachment: pix-rule-creation.jpg)
capcap (ASKER)

Hello,
I just noticed that I am not able to ping this box on the DMZ from the internal network using name or IP. Nor can I ping the internal network from the DMZ box. I can, however, do a remote session to the box in the DMZ from the internal network using its static IP. I have attempted to set up incoming and outgoing rules on the firewall to and from the DMZ with no luck. Please help!
I really need to see your configuration from the command line.

Any chance you can post it, taking out any public IPs or sensitive information?