Solved

Cisco ASA 5505 Firewall Ports

Posted on 2009-02-11
Last Modified: 2013-11-16
Does anyone know what ports are file sharing ports and how to enable them on a Cisco ASA 5505 Firewall?
Question by:capcap
11 Comments
 
LVL 4

Expert Comment

by:jonhicks
ID: 23610391
TCP 139 and 445.

Create an access-list that allows these two ports and apply it to the appropriate interface. Are you familiar with creating and applying ACLs to interfaces?
 

Author Comment

by:capcap
ID: 23610411
Hello...I have no clue. I am learning as I go here. Can you explain using the GUI instead of command line if possible?
 
LVL 4

Expert Comment

by:jonhicks
ID: 23610459
Hmm, it's actually easier in the command line (and I'm not sure how to apply ACLs to interfaces using the ASDM).

Are you able to paste your config? Feel free to alter the external IP :)

Also, where are you trying to share from and to? An internal host trying to browse an external or dmz host?
 

Author Comment

by:capcap
ID: 23610529
Not real comfortable about sharing my config file. I will have to think about that. What I am trying to do is set up an XP box outside our DMZ that will VPN in to one of our clients' networks. At the same time I have set up a share on an internal server to be able to transfer the files to, but using strict firewall restrictions. Only this share should be visible from the DMZ.
 
LVL 4

Expert Comment

by:jonhicks
ID: 23610882
In your config, you should have an access list or lists for your DMZ interface which is applied to either the in or out direction or both.

It'll look something like this (although yours will be more or less complicated, and probably not as open as this):

access-list dmz_in_01 extended permit ip any any
access-list dmz_in_01 extended permit icmp any any
access-list dmz_out_01 extended permit ip any any
access-list dmz_out_01 extended permit icmp any any
access-group dmz_in_01 in interface dmz
access-group dmz_out_01 out interface dmz

If you add

access-list dmz_in_01 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 445
access-list dmz_in_01 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 139

this will allow hosts on your DMZ addressed 192.168.2.x to access file shares on 192.168.1.10 on your inside LAN.

Hope this makes some sense.
 
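A point worth checking before pasting those two lines in: the ASA evaluates an access-list top to bottom and stops at the first match, so if the existing dmz_in_01 really does start with "permit ip any any", the new SMB entries never match and the whole inside LAN stays reachable from the DMZ. The following Python is an added example for this page (not code from the thread or from Cisco) that parses access-list lines in the syntax used above and evaluates a few flows the way the firewall would. The ACL texts, the DMZ host 192.168.2.50, the second inside host 192.168.1.20 and the probe flows are all constructed for the example.

```python
"""Cisco ASA extended-ACL evaluator (added example, not code from the thread).

Parses "access-list <name> extended permit|deny <proto> <src> [eq p] <dst> [eq p]"
lines and evaluates flows as the ASA does: top to bottom, first match wins,
implicit deny at the end. Addresses and ACL texts below are constructed.
"""
import ipaddress

# The DMZ inbound list after following the thread literally: the existing
# "permit ip any any" stays on top and the two SMB lines are appended below it.
ACL_AS_POSTED = """\
access-list dmz_in_01 extended permit ip any any
access-list dmz_in_01 extended permit icmp any any
access-list dmz_in_01 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 445
access-list dmz_in_01 extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.1.10 eq 139
"""

# What "only this share should be visible from the DMZ" actually needs:
# one DMZ host (assumed 192.168.2.50), SMB only, the file server only,
# everything else toward the inside LAN denied, Internet access kept for the VPN.
ACL_TIGHTENED = """\
access-list dmz_in_01 extended permit tcp host 192.168.2.50 host 192.168.1.10 eq 445
access-list dmz_in_01 extended permit tcp host 192.168.2.50 host 192.168.1.10 eq 139
access-list dmz_in_01 extended deny ip any 192.168.1.0 255.255.255.0 log
access-list dmz_in_01 extended permit ip host 192.168.2.50 any
"""

# Partial name->number map; the ASA shows some well-known ports by name (e.g. netbios-ssn).
PORT_NAMES = {"netbios-ssn": 139, "microsoft-ds": 445, "www": 80, "https": 443}


def _parse_addr(tok, i):
    """Consume one address spec at tok[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # ASA ACLs take a real subnet mask (255.255.255.0), not an IOS-style wildcard mask.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok, i):
    """Optional 'eq <port>' after an address; only the 'eq' operator is supported."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(text):
    """Turn access-list lines into an ordered list of rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] != "extended" or tok[3] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_addr(tok, 5)
        _sport, i = _parse_port(tok, i)   # source ports are parsed but not matched on
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append({"action": tok[3], "proto": tok[4], "src": src,
                      "dst": dst, "dport": dport, "text": line})
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First-match lookup; returns (action, text of the ACE that decided it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["text"]
    return "deny", "<implicit deny at end of access-list>"


def shadowed(rules):
    """Indexes of ACEs that can never match because an earlier ACE fully covers them."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier["proto"] in ("ip", later["proto"])
                    and later["src"].subnet_of(earlier["src"])
                    and later["dst"].subnet_of(earlier["dst"])
                    and earlier["dport"] in (None, later["dport"])):
                dead.append(j)
                break
    return dead


# Constructed probe flows: the intended share access plus two things that must NOT work.
PROBES = [
    ("tcp", "192.168.2.50", "192.168.1.10", 445),   # XP box -> file server, SMB over TCP
    ("tcp", "192.168.2.50", "192.168.1.10", 139),   # same, NetBIOS session service
    ("tcp", "192.168.2.50", "192.168.1.20", 3389),  # XP box -> another inside host, RDP
    ("tcp", "192.168.2.77", "192.168.1.10", 445),   # some other DMZ host -> the share
]


def check_exposure(acl_text):
    """Return the action the ACL takes for each probe, in PROBES order."""
    rules = parse_acl(acl_text)
    return [evaluate(rules, *p)[0] for p in PROBES]


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("tightened", ACL_TIGHTENED)):
        print(f"{label}: {check_exposure(acl)}  shadowed ACEs: {shadowed(parse_acl(acl))}")
```

Run it and the "as posted" list permits all four probes, with the three specific entries reported as shadowed by the leading permit; the tightened list permits only the two SMB flows from the one DMZ host and denies the rest. In other words, adding the SMB lines is only half the job: the broad permit above them has to go, or be replaced by the deny toward the inside LAN.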

Author Comment

by:capcap
ID: 23611150
Thanks for this info.
I will give this a try and see if it works. I am a novice with Cisco and eager to learn. The problem is this is our main firewall and if I screw it up then I am in trouble because the company will cease to function. Are you sure you cannot help using the GUI?
 
LVL 4

Accepted Solution

by:
jonhicks earned 2000 total points
ID: 23611407
Okay, in the ASDM, assuming you have ACLs configured, see screen shot attached.

You can right-click on a rule and insert a new rule. Then hit apply down the bottom. This applies the rule to the config.

The problem is, when an ASA is out of the box, it doesn't have ACLs, it just allows traffic between interfaces based on security level and nat policies.
pix-screenshot.jpg
 
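Since an out-of-the-box ASA has no ACLs at all, here is what a from-scratch DMZ policy for this scenario could look like, written out as an added example for this page (the thread's own configuration was never posted, so this is not it). It assumes the pre-8.3 ASA syntax of the ASDM 5.2 generation, VLAN 3 as the DMZ, the XP box at 192.168.2.50, the file server at 192.168.1.10, and inside at security-level 100 with dmz at 50.

```cisco
! Added example, not the thread's configuration. Assumed: ASA 7.x/8.0-era syntax,
! VLAN 3 = dmz, XP box 192.168.2.50, file server 192.168.1.10.
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
access-list dmz_in_01 remark Only the XP box, only SMB, only to the file server
access-list dmz_in_01 extended permit tcp host 192.168.2.50 host 192.168.1.10 eq 445
access-list dmz_in_01 extended permit tcp host 192.168.2.50 host 192.168.1.10 eq 139
access-list dmz_in_01 remark Replies to pings sent from the inside LAN (ICMP is not stateful unless inspected)
access-list dmz_in_01 extended permit icmp host 192.168.2.50 192.168.1.0 255.255.255.0 echo-reply
access-list dmz_in_01 remark Nothing else from the DMZ reaches the inside LAN; log the attempts
access-list dmz_in_01 extended deny ip any 192.168.1.0 255.255.255.0 log
access-list dmz_in_01 remark The XP box can still get out to the Internet for its VPN to the client
access-list dmz_in_01 extended permit ip host 192.168.2.50 any
access-group dmz_in_01 in interface dmz
!
! Pre-8.3 NAT: if NAT is in effect between inside and dmz, present the server
! to the DMZ under its real address so the DMZ host can open connections to it.
static (inside,dmz) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
```

A few things a practitioner would check alongside this. The rules are host-to-host on purpose: the XP box is going to carry a VPN into a client's network, so it is the most exposed machine you own, and a /24-wide permit would let anything else that ends up in the DMZ reach the share too. TCP 445 alone is enough for SMB from XP; 139 is only needed for the NetBIOS session fallback. Pings from inside to the DMZ fail on an ASA unless the echo-replies are explicitly permitted on the dmz inbound list, as above, or ICMP inspection is turned on (inspect icmp in the global policy-map); pings from the DMZ toward inside stay blocked by the deny, which is consistent with "only this share should be visible". Two things outside the firewall itself also matter: the Windows firewall on 192.168.1.10 has to allow File and Printer Sharing from 192.168.2.50, and on a 5505 with the Base license the third VLAN must carry a "no forward interface" restriction toward one of the other two VLANs; if that restriction points at the inside VLAN, the DMZ host cannot initiate connections to 192.168.1.10 no matter what the ACL says (the Security Plus license lifts this). If that turns out to be the case, pushing files from the inside server to the DMZ box instead of pulling from the DMZ is the simpler and safer design, since then the dmz inbound list needs no permit toward inside at all.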

Author Comment

by:capcap
ID: 23622892
Hello,
Thank you for the screen shot. I have created ACLs for internet access and static IP. I am still having trouble with the ports 139 and 445 as I do not have anything I can duplicate. There are many options to choose from. I am still trying to sort it out but if you have any other suggestions I am open to them.
 
LVL 4

Expert Comment

by:jonhicks
ID: 23624665
Is it the rule you're having problems with?

Do as attached.

What version of ASDM are you using? Hopefully 5.2... if not it may look a bit different.


pix-rule-creation.jpg
 

Author Comment

by:capcap
ID: 23631702
Hello,
I just noticed that I am not able to ping this box on the DMZ from the internal network using name or IP. Nor can I ping the internal network from the DMZ box. I can however do a remote session to the box in the DMZ from the internal network using its static IP. I have attempted to set up incoming and outgoing rules on the firewall to and from the DMZ with no luck. Please help!
 
LVL 4

Expert Comment

by:jonhicks
ID: 23632292
I really need to see your configuration from the command line.

Any chance you can post it, taking out any public IPs or sensitive information?
