  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3293
  • Last Modified:

udp ports to a specific IP

I have a Cisco ASA 5505 security appliance with 8 external (public) IPs. I need to open a group of ports (about 10,000 consecutive) and then the standard RDP, FTP, HTTP, HTTPS... The consecutive ports are UDP.

I have tried to implement this code; however, I do not know if it is working... What am I missing?

For obvious reasons I do not want to publish the entire config, however will mail or IM parts of config if needed.

access-list outside_access_in extended permit udp any host xx.xx.xx.164 range 5000 15000 
static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255 
access-group outside_access_in in interface outside 
global (outside) 2 xx.xx.xx.164 netmask 255.255.255.255


0
Asked: ultreya
2 Solutions
 
asavenerCommented:
Do you have a "nat (inside) 2" command?  I think you can do without the "global (outside) 2 xx.xx.xx.164 netmask 255.255.255.255".
0
 
nodiscoCommented:
hi

The problem above is that you have a 1:1 static and a nat - global translation both translating as the same public ip address - x.x.x.164 which will not work.
Your ASA outside ip address and the 1:1 static ip address also cannot be the same.  You can globally translate your nat ID 2 pool to be the same as the ASA outside interface but you should use the "interface" command rather than the ip address.

Can you post/confirm the following:
Is the ASA outside ip address different to the 1:1 static -
Post all nat and global statements

What ports in total do you want to have open from outside - do you need RDP, FTP, http, https all open to your inside host 192.168.1.52 as well as the udp ports?  Whatever about the other ports, opening RDP from all internet addresses is a risky thing to do unless it's absolutely necessary.

hth

0
 
ultreyaAuthor Commented:
global (outside) 1 interface
global (outside) 2 xx.xx.xx.161 netmask 255.255.255.255
global (outside) 3 xx.xx.xx.162 netmask 255.255.255.255
global (outside) 5 xx.xx.xx.164 netmask 255.255.255.255
global (outside) 6 xx.xx.xx.165 netmask 255.255.255.255

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.1.40 255.255.255.255
nat (inside) 6 192.168.1.51 255.255.255.255
nat (inside) 3 192.168.1.55 255.255.255.255
nat (inside) 5 192.168.1.225 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0

I will need a port range of 5000 through 15000.
Plus various other ports such as RDP, HTTP, HTTPS and a few others.
0

 
nodiscoCommented:
Ok
You are using nat and global 1:1s instead of statics - a bizarre way to do it but it works!
But the problem remains.  You need to translate 192.168.1.52 to a different address as you have it set to xx.xx.xx.164 which is already used above in nat ID 5.

Recreate the static to an available ip address
no static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.ABC 192.168.1.52 netmask 255.255.255.255

And then amend the access-list to use the new public ip address.

cheers
0
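The conflict nodisco describes above (one public address used both as a nat/global pool and as the mapped address of a 1:1 static) is easy to miss in a long config. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses pre-8.3 style `global`, `nat` and `static` statements and reports any 1:1 static whose mapped address is also a global pool address, or is the outside interface address itself. The sample config is constructed from the statements posted in the thread, with 192.0.2.x (TEST-NET) standing in for the poster's xx.xx.xx.x addresses.

```python
from collections import defaultdict

# Constructed sample modelled on the nat/global/static lines posted in the
# thread; 192.0.2.x (TEST-NET) stands in for the poster's xx.xx.xx.x addresses.
SAMPLE_CONFIG = """\
global (outside) 1 interface
global (outside) 2 192.0.2.161 netmask 255.255.255.255
global (outside) 5 192.0.2.164 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.1.40 255.255.255.255
nat (inside) 5 192.168.1.52 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 192.0.2.161 www 192.168.1.40 www netmask 255.255.255.255
static (inside,outside) 192.0.2.164 192.168.1.52 netmask 255.255.255.255
"""


def parse_nat_statements(config_text):
    """Collect the pre-8.3 style NAT statements into three structures."""
    global_pools = {}              # nat id -> mapped address or "interface"
    nat_reals = defaultdict(list)  # nat id -> real (inside) addresses
    statics = []                   # (proto or None, mapped address, real address)
    for line in config_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "global":
            global_pools[int(parts[2])] = parts[3]
        elif parts[0] == "nat":
            if parts[3] == "access-list":      # nat 0 exemption: no pool involved
                continue
            nat_reals[int(parts[2])].append(parts[3])
        elif parts[0] == "static":
            if parts[2] in ("tcp", "udp"):     # port static: proto mapped mport real rport
                statics.append((parts[2], parts[3], parts[5]))
            else:                              # 1:1 static: mapped real
                statics.append((None, parts[2], parts[3]))
    return global_pools, nat_reals, statics


def find_translation_conflicts(config_text, outside_ip=None):
    """Return one tuple per 1:1 static whose mapped address is also handed out
    by a global pool, or equals the outside interface address (if given).

    Tuple layout: (kind, mapped_ip, nat_id, pool_real_hosts, static_real_host)
    """
    global_pools, nat_reals, statics = parse_nat_statements(config_text)
    findings = []
    for proto, mapped, real in statics:
        if proto is not None:
            continue  # per-port statics sharing an address are normal PAT usage
        for nat_id, pool_addr in global_pools.items():
            if pool_addr == mapped:
                findings.append(("global-pool", mapped, nat_id, nat_reals.get(nat_id, []), real))
        if outside_ip is not None and mapped == outside_ip:
            findings.append(("outside-interface", mapped, None, [], real))
    return findings


if __name__ == "__main__":
    # Assumed outside interface address for the demonstration.
    for kind, mapped, nat_id, pool_reals, real in find_translation_conflicts(SAMPLE_CONFIG, "192.0.2.160"):
        print(f"{kind}: {mapped} is static for {real} and nat id {nat_id} pool for {pool_reals}")
```

Run it against a `show run` capture (passwords removed) to list every mapped address that is translated twice; each hit is a candidate for the "remove the static and recreate it on a free address" fix given in the thread.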
 
ultreyaAuthor Commented:
"You are using nat and global 1:1s instead of statics - a bizarre way to do it but it works!"

I do not understand what you are referring to ... I have static statements as well. How would you do it?

"And then amend the access-list to use the new public ip address."

static (inside,outside) xx.xx.xx.ABC 192.168.1.52 netmask 255.255.255.255
This line I did not have, will this solve my problem?

How about the ports?
0
 
nodiscoCommented:
<<"You are using nat and global 1:1s instead of statics - a bizarre way to do it but it works!"
I do not understand what you are referring to ... I have static statements as well. How would you do it?>>
Hey - generally inside to outside translations are done using a 1:1 static - but you are using nat and global statements as 1:1.  There's nothing wrong with it, nat and global statements are generally used for just network nat and static for 1:1 nat.


<<static (inside,outside) xx.xx.xx.ABC 192.168.1.52 netmask 255.255.255.255
This line I did not have, will this solve my problem?>>

As mentioned - your initial access-list and static will not work as you were translating 192.168.1.52 to xx.xx.xx.164 and that ip is already in use.  You need to remove that static statement and create a new static translating 192.168.1.52 to a free public ip address.
When you have done that, you can then create a new access-list line allowing in whatever ports you need to your new static ip address.  For example - I am using x.x.x.85 as a sample ip address here and allowing ftp to the new address:

static (inside,outside) xx.xx.xx.85 192.168.1.52 netmask 255.255.255.255
no static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255
clear xlate
access-list outside_access_in extended permit tcp any host xx.xx.xx.85 eq ftp


If you are still unclear on this - post your config with passwords ##### and I can have a look.  

0
 
ultreyaAuthor Commented:
What about the port range?
will the original script work?


access-list outside_access_in extended permit udp any host xx.xx.xx.164 range 5000 15000 
static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255 
access-group outside_access_in in interface outside 
global (outside) 2 xx.xx.xx.164 netmask 255.255.255.255


0
 
ultreyaAuthor Commented:
I tried this and it accepted the command however would not allow connection.

"access-list outside_access_in extended permit tcp any host xx.xx.xx.164 eq ftp"

I changed it to this, and it worked right away.

"access-list inbound extended permit tcp any host xx.xx.xx.164 eq ftp"

A) does this make a difference?
B) You have me uneasy about the setup and security of the ASA box. Cisco aided in the initial setup of this box. So if something is incorrect I would like to know. Would you be able to look over the config and give a few pointers through email?
The config is rather weird and would require explanation, I'm sure.
0
 
ultreyaAuthor Commented:
OK so I have the ip direction/redirection resolved?

I still can not open the UDP range. I can open individual ports.

I need 5000 15000 open
0
 
ultreyaAuthor Commented:
OK never mind the email thing...

Here is the running config. As you can see it's cluttered.

I have tried adding the object group vidcon with no love...
Still need help please :)
ciscoasa(config)# show run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name asa
enable password ************* encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.160 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ********* encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name asa
dns server-group asa
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Blocked_Networks
 network-object 59.0.0.0 255.0.0.0
 network-object 61.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 network-object 72.50.0.0 255.255.128.0
 network-object 72.248.133.0 255.255.255.0
 network-object 74.64.0.0 255.240.0.0
 network-object 80.0.0.0 255.0.0.0
 network-object 81.0.0.0 255.0.0.0
 network-object 82.0.0.0 255.0.0.0
 network-object 84.0.0.0 255.0.0.0
 network-object 85.0.0.0 255.0.0.0
 network-object 86.0.0.0 255.0.0.0
 network-object 87.0.0.0 255.0.0.0
 network-object 88.0.0.0 255.0.0.0
 network-object 89.0.0.0 255.0.0.0
 network-object 123.0.0.0 255.0.0.0
 network-object 125.0.0.0 255.0.0.0
 network-object 140.109.0.0 255.255.0.0
 network-object 140.110.0.0 255.254.0.0
 network-object 140.112.0.0 255.240.0.0
 network-object 140.128.0.0 255.248.0.0
 network-object 140.136.0.0 255.254.0.0
 network-object 140.138.0.0 255.255.0.0
 network-object 163.13.0.0 255.255.0.0
 network-object 192.192.0.0 255.255.0.0
 network-object 192.218.0.0 255.255.0.0
 network-object 189.0.0.0 255.0.0.0
 network-object 190.0.0.0 255.0.0.0
 network-object 200.0.0.0 255.0.0.0
 network-object 201.0.0.0 255.0.0.0
 network-object 202.0.0.0 254.0.0.0
 network-object 217.0.0.0 255.0.0.0
 network-object 218.0.0.0 255.0.0.0
 network-object 221.0.0.0 255.0.0.0
 network-object 83.0.0.0 255.0.0.0
object-group service vidcon udp
 port-object range 5000 15000
access-list dmz_access_in extended permit ip any any
access-list inbound extended deny ip object-group Blocked_Networks any
access-list inbound extended permit tcp any host xx.xx.xx.160 eq www
access-list inbound extended permit tcp any host xx.xx.xx.160 eq https
access-list inbound extended permit tcp any host xx.xx.xx.160 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.160 eq 1024
access-list inbound extended permit tcp any host xx.xx.xx.160 eq 3389
access-list inbound extended permit tcp any host xx.xx.xx.161 eq www
access-list inbound extended permit tcp any host xx.xx.xx.161 eq https
access-list inbound extended permit tcp any host xx.xx.xx.161 eq smtp
access-list inbound extended permit tcp any host xx.xx.xx.161 eq pop3
access-list inbound extended permit tcp any host xx.xx.xx.161 eq imap4
access-list inbound extended permit tcp any host xx.xx.xx.162 eq smtp
access-list inbound extended permit tcp any host xx.xx.xx.162 eq pop3
access-list inbound extended permit tcp any host xx.xx.xx.162 eq www
access-list inbound extended permit tcp any host xx.xx.xx.163 eq www
access-list inbound extended permit tcp any host xx.xx.xx.164 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.164 eq www
access-list inbound extended permit tcp any host xx.xx.xx.164 eq https
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 3389
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 1194
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 6005
access-list inbound extended permit udp any host xx.xx.xx.164 range 5000 15000
 
access-list split101 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_access_in extended permit udp any host xx.xx.xx.164 range 5000 15000
access-list outside_access_in extended permit udp host xx.xx.xx.164 host 192.168.1.52 object-group vidcon
 
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address Ciscoasa@asa
logging recipient-address asa level critical
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.1.1.1-10.1.1.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
 
global (outside) 1 interface
global (outside) 2 xx.xx.xx.161 netmask 255.255.255.255
global (outside) 3 xx.xx.xx.162 netmask 255.255.255.255
global (outside) 4 xx.xx.xx.163 netmask 255.255.255.255
global (outside) 5 xx.xx.xx.164 netmask 255.255.255.255
global (outside) 6 xx.xx.xx.165 netmask 255.255.255.255
global (outside) 7 xx.xx.xx.166 netmask 255.255.255.255
global (outside) 8 xx.xx.xx.167 netmask 255.255.255.255
 
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 4 192.168.1.30 255.255.255.255
nat (inside) 2 192.168.1.40 255.255.255.255
nat (inside) 6 192.168.1.51 255.255.255.255
nat (inside) 5 192.168.1.52 255.255.255.255
nat (inside) 3 192.168.1.55 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
 
static (inside,outside) tcp interface www 192.168.1.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.30 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.30 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1024 192.168.1.30 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.20 3389 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 www 192.168.1.40 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 https 192.168.1.40 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 smtp 192.168.1.40 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 pop3 192.168.1.40 pop3 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 imap4 192.168.1.40 imap4 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 smtp 192.168.1.55 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 pop3 192.168.1.55 pop3 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 www 192.168.1.55 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.163 www 192.168.1.31 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 www 192.168.1.51 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 https 192.168.1.51 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 ftp 192.168.1.51 ftp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 pptp 192.168.1.51 pptp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 1194 192.168.1.51 1194 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255
 
access-group inbound in interface outside
 
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server asa protocol nt
group-policy asa internal
group-policy asa attributes
 wins-server value 192.168.1.20
 dns-server value 192.168.1.20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value asa
group-policy hell internal
group-policy Hell attributes
 dns-server value 192.168.1.20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 vpn-group-policy Hell
 group-lock value Hell
 vpn-group-policy asa
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.30 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group asa type ipsec-ra
tunnel-group asa general-attributes
 address-pool vpnpool
 default-group-policy asa
tunnel-group asa ipsec-attributes
 pre-shared-key *
tunnel-group Hell type ipsec-ra
tunnel-group Hell general-attributes
 address-pool vpnpool
 default-group-policy Hell
tunnel-group Hell ipsec-attributes
 pre-shared-key *
telnet 192.168.1.20 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
policy-map Global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
tftp-server inside 192.168.1.20 C:\TFTP-Root
smtp-server 192.168.1.40
prompt hostname context
Cryptochecksum:1b8cd2b5ff54b7a567dd2b60f0823bd4
: end
ciscoasa(config)#


0
 
nodiscoCommented:
Ok - mind at ease time!
<<I tried this and it accepted the command however would not allow connection.
"access-list outside_access_in extended permit tcp any host xx.xx.xx.164 eq ftp"
I changed it to this, and it worked right away.
"access-list inbound extended permit tcp any host xx.xx.xx.164 eq ftp">>
The reason that this worked is that the name of your access-list is "inbound".  When you first asked the question, you were calling the access-list outside_access_in so I assumed this was the name of your access-list.  I would hazard a guess that you tried to arrange this using the Cisco GUI and it "offered" this as a default name.  I have seen that happen before.  What you have done is fine - and it's working ok

<<A) does this make a difference?>>
Yes - as you can call the access-list whatever you want - it makes no difference.  Only the name that is applied to the interface counts - e.g. this line - showing that the access-list being applied is "inbound"
access-group inbound in interface outside
 
<<B) you have me uneasy about the setup and security of the ASA box. Cisco aided in the initial setup of this box. So if something is incorrect I would like to know. would you be able to look over the config and give a few pointers through email?
The config is rather weird and would require explanation i'm sure.>>
Sorry about that!  But it's probably better to be uneasy about it than nonchalant!  Security wise - your ASA is set up fine in regards to access-lists etc - the only one thing I would change is
ssh 0.0.0.0 0.0.0.0 outside -> If you want to open your PIX up to allow ssh connections in from outside, you should only open it to trusted public ips.

What I mentioned regarding the statics is that you have 1:1 nat to global translations and 1:1 static translations.  Typically, 1:1s are handled just by statics but the fundamentals are the same so it's not any worse.  
The odd thing though is that you are translating some of these twice - you have a nat to global 1:1 and a static 1:1 for the same ip doing the same thing.  I have never seen this done - obviously it is working for you but you don't need it.
E.g.
global (outside) 5 xx.xx.xx.164 netmask 255.255.255.255
nat (inside) 5 192.168.1.52 255.255.255.255
static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255



In terms of getting the udp ports open - you have this half way done - we just need to do the second half.
You have created an object-group called vidcon - so here's what you need to do:
access-list inbound extended permit udp any host xx.xx.xx.164 object-group vidcon

Let me know how you go

0
 
ultreyaAuthor Commented:
OK,
As you probably picked up on, I am impatient. A flaw I am sure, but I also have people on my butt to get things done. I do appreciate the help you guys give, and I do in most cases find it embarrassing to ask some of these questions. That being said…

It still does not work. I added the line "access-list inbound extended permit udp any host xx.xx.xx.164 object-group vidcon" and I also cleaned up the lists a bit, and deleted the SSH 0.0.0.0 have done a reload and I have reposted the config ... cleaned.

If I understand you correctly I do not need the global (outside) 5 xx.xx.xx.164 netmask 255.255.255.255 or the nat (inside) 5 192.168.1.52 255.255.255.255 as long as I have the static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255 and the access list(s) access-list inbound extended permit tcp any host xx.xx.xx.164 eq 3389?  (example)

I have deleted the lines of…
global (outside) 5 xx.xx.xx.164 netmask 255.255.255.255
nat (inside) 5 192.168.1.52 255.255.255.255

Still did not work but did not hurt either same systems are running.

The TCP ports that I have opened are working, only the udp port range is not.
ciscoasa(config)# show run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name asa
enable password ******** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.160 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ******** encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name asa
dns server-group asa
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Blocked_Networks
 network-object 59.0.0.0 255.0.0.0
 network-object 61.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 network-object 72.50.0.0 255.255.128.0
 network-object 72.248.133.0 255.255.255.0
 network-object 74.64.0.0 255.240.0.0
 network-object 80.0.0.0 255.0.0.0
 network-object 81.0.0.0 255.0.0.0
 network-object 82.0.0.0 255.0.0.0
 network-object 84.0.0.0 255.0.0.0
 network-object 85.0.0.0 255.0.0.0
 network-object 86.0.0.0 255.0.0.0
 network-object 87.0.0.0 255.0.0.0
 network-object 88.0.0.0 255.0.0.0
 network-object 89.0.0.0 255.0.0.0
 network-object 123.0.0.0 255.0.0.0
 network-object 125.0.0.0 255.0.0.0
 network-object 140.109.0.0 255.255.0.0
 network-object 140.110.0.0 255.254.0.0
 network-object 140.112.0.0 255.240.0.0
 network-object 140.128.0.0 255.248.0.0
 network-object 140.136.0.0 255.254.0.0
 network-object 140.138.0.0 255.255.0.0
 network-object 163.13.0.0 255.255.0.0
 network-object 192.192.0.0 255.255.0.0
 network-object 192.218.0.0 255.255.0.0
 network-object 189.0.0.0 255.0.0.0
 network-object 190.0.0.0 255.0.0.0
 network-object 200.0.0.0 255.0.0.0
 network-object 201.0.0.0 255.0.0.0
 network-object 202.0.0.0 254.0.0.0
 network-object 217.0.0.0 255.0.0.0
 network-object 218.0.0.0 255.0.0.0
 network-object 221.0.0.0 255.0.0.0
 network-object 83.0.0.0 255.0.0.0
 
object-group service vidcon udp
 port-object range 5000 15000
 
access-list dmz_access_in extended permit ip any any
access-list inbound extended deny ip object-group Blocked_Networks any
access-list inbound extended permit tcp any host xx.xx.xx.160 eq www
access-list inbound extended permit tcp any host xx.xx.xx.160 eq https
access-list inbound extended permit tcp any host xx.xx.xx.160 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.160 eq 1024
access-list inbound extended permit tcp any host xx.xx.xx.160 eq 3389
access-list inbound extended permit tcp any host xx.xx.xx.161 eq www
access-list inbound extended permit tcp any host xx.xx.xx.161 eq https
access-list inbound extended permit tcp any host xx.xx.xx.161 eq smtp
access-list inbound extended permit tcp any host xx.xx.xx.161 eq pop3
access-list inbound extended permit tcp any host xx.xx.xx.161 eq imap4
access-list inbound extended permit tcp any host xx.xx.xx.162 eq smtp
access-list inbound extended permit tcp any host xx.xx.xx.162 eq pop3
access-list inbound extended permit tcp any host xx.xx.xx.162 eq www
access-list inbound extended permit tcp any host xx.xx.xx.163 eq www
access-list inbound extended permit tcp any host xx.xx.xx.165 eq www
access-list inbound extended permit tcp any host xx.xx.xx.165 eq https
access-list inbound extended permit tcp any host xx.xx.xx.165 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.165 eq pptp
access-list inbound extended permit tcp any host xx.xx.xx.165 eq 1194
access-list inbound extended permit tcp any host xx.xx.xx.164 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.164 eq www
access-list inbound extended permit tcp any host xx.xx.xx.164 eq https
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 3389
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 1194
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 6005
access-list inbound extended permit udp any host xx.xx.xx.164 object-group vidcon
 
access-list split101 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
 
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address Ciscoasa@asa
logging recipient-address asa level critical
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.1.1.1-10.1.1.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
 
global (outside) 1 interface
global (outside) 2 xx.xx.xx.161 netmask 255.255.255.255
global (outside) 3 xx.xx.xx.162 netmask 255.255.255.255
global (outside) 4 xx.xx.xx.163 netmask 255.255.255.255
global (outside) 6 xx.xx.xx.165 netmask 255.255.255.255
global (outside) 7 xx.xx.xx.166 netmask 255.255.255.255
global (outside) 8 xx.xx.xx.167 netmask 255.255.255.255
 
nat (inside) 4 192.168.1.30 255.255.255.255
nat (inside) 2 192.168.1.40 255.255.255.255
nat (inside) 6 192.168.1.51 255.255.255.255
nat (inside) 3 192.168.1.55 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
 
static (inside,outside) tcp interface www 192.168.1.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.30 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.30 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1024 192.168.1.30 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 2121 192.168.1.30 2121 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.20 3389 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 www 192.168.1.40 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 https 192.168.1.40 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 smtp 192.168.1.40 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 pop3 192.168.1.40 pop3 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 imap4 192.168.1.40 imap4 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 smtp 192.168.1.55 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 pop3 192.168.1.55 pop3 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 www 192.168.1.55 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.163 www 192.168.1.31 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 www 192.168.1.51 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 https 192.168.1.51 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 ftp 192.168.1.51 ftp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 pptp 192.168.1.51 pptp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 1194 192.168.1.51 1194 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255
 
access-group inbound in interface outside
 
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server asa protocol nt
group-policy asa internal
group-policy asa attributes
 wins-server value 192.168.1.20
 dns-server value 192.168.1.20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value asa
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.30 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group asa type ipsec-ra
tunnel-group asa general-attributes
 address-pool vpnpool
 default-group-policy asa
tunnel-group asa ipsec-attributes
 pre-shared-key *
 address-pool vpnpool
telnet 192.168.1.20 255.255.255.255 inside
telnet timeout 5
ssh timeout 60
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
policy-map Global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
tftp-server inside 192.168.1.20 C:\TFTP-Root
smtp-server 192.168.1.40
prompt hostname context
Cryptochecksum:0fd9a4a5b80998e405c1cee8d81f1e03
: end
ciscoasa(config)#


0
 
nodiscoCommented:
I understand - time is usually against us in our job

Ok
access-list inbound extended permit tcp any host xx.xx.xx.164 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.164 eq www
access-list inbound extended permit tcp any host xx.xx.xx.164 eq https
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 3389
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 1194
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 6005


1) Can you test access to x.x.x.164 from outside the firewall on the above ports - are all working ok?
2) Try opening a telnet session to x.x.x.164 from outside the firewall on port 5001 e.g.
telnet x.x.x.164 5001
3)  After doing both of the above tests, please post the output of
sh access-list inbound

cheers
0
 
ultreyaAuthor Commented:
1) TCP ports are connecting... 3389, 6005, ftp

2) Could NOT connect through udp 5000, 5001 & 5002
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
telnet xx.xx.xx.164 5001
Connecting To xx.xx.xx.164...Could not open connection to the host, on port 5000: Connect failed
telnet xx.xx.xx.164 5001
Connecting To xx.xx.xx.164...Could not open connection to the host, on port 5001: Connect failed
telnet  xx.xx.xx.164 5002
Connecting To xx.xx.xx.164...Could not open connection to the host, on port 5002: Connect failed
3) I assumed you only wanted to see the relevant ones?


ciscoasa(config)# sh access-list inbound
access-list inbound line 33 extended permit tcp any host 69.69.202.164 eq ftp (hitcnt=1) 0xab9977f2
access-list inbound line 34 extended permit tcp any host 69.69.202.164 eq www (hitcnt=1) 0xd24ea1b8
access-list inbound line 35 extended permit tcp any host 69.69.202.164 eq https(hitcnt=1) 0xec32b2ce
access-list inbound line 36 extended permit tcp any host 69.69.202.164 eq 3389 (hitcnt=29) 0x15cac92f
access-list inbound line 37 extended permit tcp any host 69.69.202.164 eq 1194 (hitcnt=0) 0x24500de7
access-list inbound line 38 extended permit tcp any host 69.69.202.164 eq 6005 (hitcnt=1) 0xac8a64ac
access-list inbound line 39 extended permit udp any host 69.69.202.164 object-group vidcon 0x5bc9d39f
access-list inbound line 39 extended permit udp any host 69.69.202.164 range 5000 15000 (hitcnt=3) 0x10cb4f7f
ciscoasa(config)#


0
 
nodiscoCommented:
Ok

the hitcnt is showing that you are receiving those attempts when you try to telnet from outside:
access-list inbound line 39 extended permit udp any host 69.69.202.164 range 5000 15000 (hitcnt=3)

The ASA is configured correctly to receive them - can you access the internal IP (192.168.1.52) on ports 5000 to 15000? Because as far as the ASA is concerned, it's translating the address correctly and it's allowing the ports required.

0
 
ultreyaAuthor Commented:
I saw that the count was 3, now 9, when I could not get 1 earlier. This should be a good sign. However, I can NOT telnet from 192.168.1.30 to 192.168.1.52 on 5000, 5001, 5002, 5003.

No firewall is on (we had issues with it yesterday so I turned it off). However, telnetting from inside the network gains me the same thing..

telnet 192.168.1.52 5000
Connecting To 192.168.1.52...Could not open connection to the host, on port 5000: Connect failed
telnet 192.168.1.52 5001
Connecting To 192.168.1.52...Could not open connection to the host, on port 5001: Connect failed

any ideas?
0
 
nodiscoCommented:
Ok - to explain - I just advised you to telnet on port 5001 from outside as it would try to initiate a connection on port 5001, so as to see if the access-list would increment a hit count. Which it did.
It almost definitely wouldn't answer from outside or inside though :-)

What we have proven is that the firewall is seeing and allowing the attempts from outside and as the other ports (ftp/www/3389) are working ok, we know the translation is working with 192.168.1.52.

So essentially, the ASA is doing its job right.  I am assuming the ports are open for videoconferencing?  I am of the opinion that whatever way you are testing this is not correct.  Do you have any way of testing the udp ports from inside?
0
 
ultreyaAuthor Commented:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>telnet 127.0.0.1 5000
Connecting To 127.0.0.1...Could not open connection to the host, on port 5000: Connect failed

C:\Documents and Settings\Administrator>telnet 127.0.0.1 5001
Connecting To 127.0.0.1...Could not open connection to the host, on port 5001: Connect failed

C:\Documents and Settings\Administrator>telnet 192.168.1.52 5000
Connecting To 192.168.1.52...Could not open connection to the host, on port 5000: Connect failed

C:\Documents and Settings\Administrator>telnet 192.168.1.52 5001
Connecting To 192.168.1.52...Could not open connection to the host, on port 5001: Connect failed
0
 
ultreyaAuthor Commented:
I did a reload.
access-list inbound line 39 extended permit udp any host xx.xx.xx.164 range 5000 15000 (hitcnt=0) 0x10cb4f7f

then telnet test again

telnet xx.xx.xx.164 5000
Connecting To xx.xx.xx.164...Could not open connection to the host, on port 5000: Connect failed

telnet xx.xx.xx.164 5001
Connecting To xx.xx.xx.164...Could not open connection to the host, on port 5001: Connect failed

telnet xx.xx.xx.164 5002
Connecting To xx.xx.xx.164...Could not open connection to the host, on port 5002: Connect failed

telnet xx.xx.xx.164 5003
Connecting To xx.xx.xx.164...Could not open connection to the host, on port 5003: Connect failed

telnet xx.xx.xx.164 5004
Connecting To xx.xx.xx.164...Could not open connection to the host, on port 5004: Connect failed

access-list inbound line 39 extended permit udp any host xx.xx.xx.164 object-group vidcon 0x5bc9d39f
access-list inbound line 39 extended permit udp any host xx.xx.xx.164 range 5000 15000 (hitcnt=0) 0x10cb4f7f
0
 
nodiscoCommented:
Are you testing that from outside the firewall or from your LAN?
0
 
nodiscoCommented:
You would really need to verify that the 192.168.1.52 box is working on these ports before testing from the ASA will be of any use.
0
 
ultreyaAuthor Commented:
I have tested from outside.

I reloaded and reset the counters.
Once again TCP hits UDP does NOT.

Running config looks unchanged.
Will post it next ...
access-list inbound line 33 extended permit tcp any host xx.xx.xx.164 eq ftp (hitcnt=0) 0xab9977f2
access-list inbound line 34 extended permit tcp any host xx.xx.xx.164 eq www (hitcnt=0) 0xd24ea1b8
access-list inbound line 35 extended permit tcp any host xx.xx.xx.164 eq https(hitcnt=0) 0xec32b2ce
access-list inbound line 36 extended permit tcp any host xx.xx.xx.164 eq 3389 (hitcnt=11) 0x15cac92f
access-list inbound line 37 extended permit tcp any host xx.xx.xx.164 eq 1194 (hitcnt=0) 0x24500de7
access-list inbound line 38 extended permit tcp any host xx.xx.xx.164 eq 6005 (hitcnt=0) 0xac8a64ac
access-list inbound line 39 extended permit udp any host xx.xx.xx.164 object-group vidcon 0x5bc9d39f
access-list inbound line 39 extended permit udp any host xx.xx.xx.164 range 5000 15000 (hitcnt=0) 0x10cb4f7f
ciscoasa(config)#
 
access-list inbound line 33 extended permit tcp any host xx.xx.xx.164 eq ftp (hitcnt=3) 0xab9977f2
access-list inbound line 34 extended permit tcp any host xx.xx.xx.164 eq www (hitcnt=3) 0xd24ea1b8
access-list inbound line 35 extended permit tcp any host xx.xx.xx.164 eq https(hitcnt=3) 0xec32b2ce
access-list inbound line 36 extended permit tcp any host xx.xx.xx.164 eq 3389 (hitcnt=12) 0x15cac92f
access-list inbound line 37 extended permit tcp any host xx.xx.xx.164 eq 1194 (hitcnt=3) 0x24500de7
access-list inbound line 38 extended permit tcp any host xx.xx.xx.164 eq 6005 (hitcnt=1) 0xac8a64ac
access-list inbound line 39 extended permit udp any host xx.xx.xx.164 object-group vidcon 0x5bc9d39f
access-list inbound line 39 extended permit udp any host xx.xx.xx.164 range 5000 15000 (hitcnt=0) 0x10cb4f7f
ciscoasa(config)#


0
 
asavenerCommented:
This means that the ASA is not receiving that traffic; the problem is not with the configuration of this device.
0
 
ultreyaAuthor Commented:
Then ... what am I missing?
0
 
nodiscoCommented:
hi ultreya

I was waiting on you to post the config?  
As mentioned, you were getting hits on this earlier from outside but until we can verify that your 192.168.1.52 box is working with the udp ports from inside, testing it from outside is of no use
0
 
ultreyaAuthor Commented:
I am sorry, I was trying to study Cisco configurations. I still do not see what is wrong. I have posted both the running config and the access-list hit count.
ciscoasa(config)# show run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name asa
enable password ******** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.160 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ******** encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name asa
dns server-group asa
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Blocked_Networks
 network-object 59.0.0.0 255.0.0.0
 network-object 61.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 network-object 72.50.0.0 255.255.128.0
 network-object 72.248.133.0 255.255.255.0
 network-object 74.64.0.0 255.240.0.0
 network-object 80.0.0.0 255.0.0.0
 network-object 81.0.0.0 255.0.0.0
 network-object 82.0.0.0 255.0.0.0
 network-object 84.0.0.0 255.0.0.0
 network-object 85.0.0.0 255.0.0.0
 network-object 86.0.0.0 255.0.0.0
 network-object 87.0.0.0 255.0.0.0
 network-object 88.0.0.0 255.0.0.0
 network-object 89.0.0.0 255.0.0.0
 network-object 123.0.0.0 255.0.0.0
 network-object 125.0.0.0 255.0.0.0
 network-object 140.109.0.0 255.255.0.0
 network-object 140.110.0.0 255.254.0.0
 network-object 140.112.0.0 255.240.0.0
 network-object 140.128.0.0 255.248.0.0
 network-object 140.136.0.0 255.254.0.0
 network-object 140.138.0.0 255.255.0.0
 network-object 163.13.0.0 255.255.0.0
 network-object 192.192.0.0 255.255.0.0
 network-object 192.218.0.0 255.255.0.0
 network-object 189.0.0.0 255.0.0.0
 network-object 190.0.0.0 255.0.0.0
 network-object 200.0.0.0 255.0.0.0
 network-object 201.0.0.0 255.0.0.0
 network-object 202.0.0.0 254.0.0.0
 network-object 217.0.0.0 255.0.0.0
 network-object 218.0.0.0 255.0.0.0
 network-object 221.0.0.0 255.0.0.0
 network-object 83.0.0.0 255.0.0.0
 
object-group service vidcon udp
 port-object range 5000 15000
 
access-list dmz_access_in extended permit ip any any
access-list inbound extended deny ip object-group Blocked_Networks any
access-list inbound extended permit tcp any host xx.xx.xx.160 eq www
access-list inbound extended permit tcp any host xx.xx.xx.160 eq https
access-list inbound extended permit tcp any host xx.xx.xx.160 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.160 eq 1024
access-list inbound extended permit tcp any host xx.xx.xx.160 eq 3389
access-list inbound extended permit tcp any host xx.xx.xx.161 eq www
access-list inbound extended permit tcp any host xx.xx.xx.161 eq https
access-list inbound extended permit tcp any host xx.xx.xx.161 eq smtp
access-list inbound extended permit tcp any host xx.xx.xx.161 eq pop3
access-list inbound extended permit tcp any host xx.xx.xx.161 eq imap4
access-list inbound extended permit tcp any host xx.xx.xx.162 eq smtp
access-list inbound extended permit tcp any host xx.xx.xx.162 eq pop3
access-list inbound extended permit tcp any host xx.xx.xx.162 eq www
access-list inbound extended permit tcp any host xx.xx.xx.163 eq www
access-list inbound extended permit tcp any host xx.xx.xx.165 eq www
access-list inbound extended permit tcp any host xx.xx.xx.165 eq https
access-list inbound extended permit tcp any host xx.xx.xx.165 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.165 eq pptp
access-list inbound extended permit tcp any host xx.xx.xx.165 eq 1194
access-list inbound extended permit tcp any host xx.xx.xx.164 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.164 eq www
access-list inbound extended permit tcp any host xx.xx.xx.164 eq https
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 3389
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 1194
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 6005
access-list inbound extended permit udp any host xx.xx.xx.164 object-group vidcon
access-list split101 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address Ciscoasa@asa
logging recipient-address asa level critical
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.1.1.1-10.1.1.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
 
global (outside) 1 interface
global (outside) 2 xx.xx.xx.161 netmask 255.255.255.255
global (outside) 3 xx.xx.xx.162 netmask 255.255.255.255
global (outside) 4 xx.xx.xx.163 netmask 255.255.255.255
global (outside) 6 xx.xx.xx.165 netmask 255.255.255.255
global (outside) 7 xx.xx.xx.166 netmask 255.255.255.255
global (outside) 8 xx.xx.xx.167 netmask 255.255.255.255
 
nat (inside) 4 192.168.1.30 255.255.255.255
nat (inside) 2 192.168.1.40 255.255.255.255
nat (inside) 6 192.168.1.51 255.255.255.255
nat (inside) 3 192.168.1.55 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
 
static (inside,outside) tcp interface www 192.168.1.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.30 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.30 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1024 192.168.1.30 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.20 3389 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 www 192.168.1.40 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 https 192.168.1.40 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 smtp 192.168.1.40 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 pop3 192.168.1.40 pop3 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 imap4 192.168.1.40 imap4 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 smtp 192.168.1.55 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 pop3 192.168.1.55 pop3 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 www 192.168.1.55 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.163 www 192.168.1.31 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 www 192.168.1.51 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 https 192.168.1.51 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 ftp 192.168.1.51 ftp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 pptp 192.168.1.51 pptp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 1194 192.168.1.51 1194 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255
 
access-group inbound in interface outside
 
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server asa protocol nt
group-policy asa internal
group-policy asa attributes
 wins-server value 192.168.1.20
 dns-server value 192.168.1.20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value asa
group-policy Hell internal
group-policy Hell attributes
 dns-server value 192.168.1.20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.30 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group asa type ipsec-ra
tunnel-group asa general-attributes
 address-pool vpnpool
 default-group-policy asa
tunnel-group asa ipsec-attributes
 pre-shared-key *
telnet 192.168.1.20 255.255.255.255 inside
telnet timeout 5
ssh timeout 60
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
policy-map Global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
tftp-server inside 192.168.1.20 C:\TFTP-Root
smtp-server 192.168.1.40
prompt hostname context
Cryptochecksum:0fd9a4a5b80998e405c1cee8d81f1e03
: end
ciscoasa(config)#
 
 
 
 
access-list inbound line 33 extended permit tcp any host xx.xx.xx.164 eq ftp (hitcnt=3) 0xab9977f2
access-list inbound line 34 extended permit tcp any host xx.xx.xx.164 eq www (hitcnt=3) 0xd24ea1b8
access-list inbound line 35 extended permit tcp any host xx.xx.xx.164 eq https(hitcnt=3) 0xec32b2ce
access-list inbound line 36 extended permit tcp any host xx.xx.xx.164 eq 3389 (hitcnt=12) 0x15cac92f
access-list inbound line 37 extended permit tcp any host xx.xx.xx.164 eq 1194 (hitcnt=3) 0x24500de7
access-list inbound line 38 extended permit tcp any host xx.xx.xx.164 eq 6005 (hitcnt=1) 0xac8a64ac
access-list inbound line 39 extended permit udp any host xx.xx.xx.164 object-group vidcon 0x5bc9d39f
access-list inbound line 39 extended permit udp any host xx.xx.xx.164 range 5000 15000 (hitcnt=0) 0x10cb4f7f
ciscoasa(config)#


0
 
nodiscoCommented:
Did you try issuing a telnet x.x.x.64 5001 from outside the ASA?  To see if the access-list increments hits again?

Can you verify that you can connect to 192.168.1.52 on these udp ports from inside also.
0
 
ultreyaAuthor Commented:
"Did you try issuing a telnet x.x.x.64 5001 from outside the ASA?"
Multiple times, from port 5000 thru 5025, 6000 thru 6025 and from 14990 thru 15000, with 0 recorded hits.

"Can you verify that you can connect to 192.168.1.52 on these udp ports from inside also."
I have tried, however I get "Could not open connection to the host, on port ????: Connect failed"
Which does not make any sense...
I even tried from the server with IP 192. and IP 127.

0
 
ultreyaAuthor Commented:
However if the application is not listening why would it respond.
0
 
nodiscoCommented:
<However if the application is not listening why would it respond.>
how do you mean
0
 
ultreyaAuthor Commented:
Telnet your network or even your PC
telnet 127.0.0.1 5000
What is your response?

I get
telnet 127.0.0.1
Connecting To 127.0.0.1...Could not open connection to the host, on port 5000: Connect failed
telnet 192.168.1.20
Connecting To 192.168.1.20...Could not open connection to the host, on port 5000: Connect failed

I do not have an application listening on that port.

telnet 192.168.1.20
Connecting To 192.168.1.20...Could not open connection to the host, on port 23: Connect failed
telnet 127.0.0.1
Connecting To 127.0.0.1...Could not open connection to the host, on port 23: Connect failed

Telnet 192.168.1.20 3389 connects.
0
 
nodiscoCommented:
Hey
The machine we have configured to accept the udp ports 5000 to 15000 is 192.168.1.52, not 192.168.1.20.  You have got port 3389 set up on the ASA from outside to go to 192.168.1.20, so that looks fine - but what you need to verify is that ports 5000 to 15000 are definitely listening on 192.168.1.52.

0
 
ultreyaAuthor Commented:
I was using 1.20 at the time for example testing.
1.52 is the correct server.
As far as ports 5000 thru 15000 listening on 1.52: I do not use the software, therefore I do not know if it is listening or not. I was told today that the ports were blocked because the software would connect (TCP 6005), however the udp ports for streaming were blocked (5000 15000). You verified my configuration was less than stellar, so I have to assume that yes, the ASA under my config was hosed. The config has been verified and I still do not know. I can assume that this config works, but how to test without access to the software? If the software is not loaded, then why did we get 9 hits earlier on those ports? So many questions, so little time. I am going to bed. I have had enough for one day. I will try to get a hold of the Vid server admin to verify ports/connections, and we can go from there. You said yourself we really can not do any more testing until the box is proven to work. Thank you for all your help disco. I will let you know tomorrow.
0
 
nodiscoCommented:
No worries mate.  I am around at about 4pm EST onwards each day.  I cannot work out why you were getting acl hits and then not getting them.  But regarding the inside, yes, I would go no further testing the ASA until you can prove 192.168.1.52 is listening on these ports.  

cheers
0
 
asavenerCommented:
Telnet 5001 will use TCP on port 5001, not UDP on port 5001.
0
 
ultreyaAuthor Commented:
How do I test UDP ?
0
 
nodiscoCommented:
asavener is right - have done this so many times testing tcp.
UDP is a connectionless protocol so difficult to test - there are some applications that you can download for free to test udp.  Can you even just verify that the 192.168.1.52 machine is using these (they are listening) by opening a connection from inside to 192.168.1.52 over these ports - a video conference etc?
0
 
asavenerCommented:
Run "netstat -ano" on the inside server.  Make sure that the listening ports are listed.
0
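asavener's point is the crux of the thread: telnet speaks TCP, so a telnet probe can never increment a `permit udp` ACE, and nodisco's follow-up is that a UDP path only proves anything when something on the inside host answers. As an added example (not code from either commenter, nor Cisco's), the Python below parses `sh access-list` lines in the shape of the ones posted above to show which ACE a TCP versus a UDP probe to port 5001 would hit, then does a real UDP round trip against a loopback echo listener standing in for the listening application; the sample ACL text, the hypothetical helper names and the loopback listener are all constructed here.

```python
import re
import socket
import threading

# Constructed sample in the shape of the thread's "sh access-list inbound" output
# (hosts keep the thread's masked xx.xx.xx.164 placeholder, not a real address).
SAMPLE_ACL = """
access-list inbound line 36 extended permit tcp any host xx.xx.xx.164 eq 3389 (hitcnt=12) 0x15cac92f
access-list inbound line 38 extended permit tcp any host xx.xx.xx.164 eq 6005 (hitcnt=1) 0xac8a64ac
access-list inbound line 39 extended permit udp any host xx.xx.xx.164 range 5000 15000 (hitcnt=0) 0x10cb4f7f
"""

ACE_RE = re.compile(r"permit (?P<proto>tcp|udp) any host (?P<host>\S+) (?:eq (?P<eq>\d+)|range (?P<lo>\d+) (?P<hi>\d+))")


def parse_aces(text):
    """Turn the expanded, numeric-port ACEs into (proto, host, lo, hi) tuples."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:          # object-group summary lines and named ports are skipped
            continue
        lo, hi = (int(m["eq"]), int(m["eq"])) if m["eq"] else (int(m["lo"]), int(m["hi"]))
        aces.append((m["proto"], m["host"], lo, hi))
    return aces


def first_match(aces, proto, host, port):
    """First ACE a packet hits (the ASA evaluates top-down), or None if nothing permits it."""
    for a_proto, a_host, lo, hi in aces:
        if a_proto == proto and a_host == host and lo <= port <= hi:
            return (a_proto, a_host, lo, hi)
    return None


def udp_probe(host, port, payload=b"probe", timeout=1.0):
    """Send one datagram and wait for an answer; None means nothing replied, which is what a filtered port and an idle port both look like."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            return s.recvfrom(1024)[0]
        except OSError:    # timeout, or an ICMP port-unreachable surfaced as an error
            return None


def udp_echo_listener(port, ready, stop):
    """Stand-in for the listening application on the inside host: echo datagrams back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", port))
        s.settimeout(0.2)
        ready.set()
        while not stop.is_set():
            try:
                data, addr = s.recvfrom(1024)
                s.sendto(data, addr)
            except socket.timeout:
                continue


def run_udp_selftest():
    """Probe a free loopback port with nothing listening, then again with the echo listener up."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        port = tmp.getsockname()[1]
    before = udp_probe("127.0.0.1", port)
    ready, stop = threading.Event(), threading.Event()
    t = threading.Thread(target=udp_echo_listener, args=(port, ready, stop), daemon=True)
    t.start()
    ready.wait(2)
    after = udp_probe("127.0.0.1", port)
    stop.set()
    t.join()
    return before, after
```

Run the listener half on the inside host and the probe half from outside to get the same answer as a hit on the udp ACE plus a reply, which is the only combination that proves the path end to end.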
 
ultreyaAuthor Commented:
OK I have seen the traffic through the ASA, and the Admin has said nothing, so it works. It has been over a week, so I have to call this solved. Thank you disco.
0
 
ultreyaAuthor Commented:
Thank you both for your assistance, and thank you for being patient with me. You both truly are experts.
0
