Solved

need to open ports on asa

Posted on 2009-05-05
Last Modified: 2012-05-06
I need to open UDP ports on a Cisco ASA 5505.

I have multiple external IPs.
xx.xx.xx.164 forwards to 192.168.1.52
I have opened ports for rdp, http, https, ftp, and 6005.
I need to open udp 5000 thru 15000.

I have tried several ideas on this from Google, with no luck.

I know at this point my config is cluttered so yea ...

UDP ports 5000 thru 15000

ciscoasa(config)# show run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name asa
enable password ************* encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.160 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ********* encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name asa
dns server-group asa
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Blocked_Networks
 network-object 59.0.0.0 255.0.0.0
 network-object 61.0.0.0 255.0.0.0
 network-object 62.0.0.0 255.0.0.0
 network-object 72.50.0.0 255.255.128.0
 network-object 72.248.133.0 255.255.255.0
 network-object 74.64.0.0 255.240.0.0
 network-object 80.0.0.0 255.0.0.0
 network-object 81.0.0.0 255.0.0.0
 network-object 82.0.0.0 255.0.0.0
 network-object 84.0.0.0 255.0.0.0
 network-object 85.0.0.0 255.0.0.0
 network-object 86.0.0.0 255.0.0.0
 network-object 87.0.0.0 255.0.0.0
 network-object 88.0.0.0 255.0.0.0
 network-object 89.0.0.0 255.0.0.0
 network-object 123.0.0.0 255.0.0.0
 network-object 125.0.0.0 255.0.0.0
 network-object 140.109.0.0 255.255.0.0
 network-object 140.110.0.0 255.254.0.0
 network-object 140.112.0.0 255.240.0.0
 network-object 140.128.0.0 255.248.0.0
 network-object 140.136.0.0 255.254.0.0
 network-object 140.138.0.0 255.255.0.0
 network-object 163.13.0.0 255.255.0.0
 network-object 192.192.0.0 255.255.0.0
 network-object 192.218.0.0 255.255.0.0
 network-object 189.0.0.0 255.0.0.0
 network-object 190.0.0.0 255.0.0.0
 network-object 200.0.0.0 255.0.0.0
 network-object 201.0.0.0 255.0.0.0
 network-object 202.0.0.0 254.0.0.0
 network-object 217.0.0.0 255.0.0.0
 network-object 218.0.0.0 255.0.0.0
 network-object 221.0.0.0 255.0.0.0
 network-object 83.0.0.0 255.0.0.0

object-group service vidcon udp
 port-object range 5000 15000

access-list dmz_access_in extended permit ip any any
access-list inbound extended deny ip object-group Blocked_Networks any
access-list inbound extended permit tcp any host xx.xx.xx.160 eq www
access-list inbound extended permit tcp any host xx.xx.xx.160 eq https
access-list inbound extended permit tcp any host xx.xx.xx.160 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.160 eq 1024
access-list inbound extended permit tcp any host xx.xx.xx.160 eq 3389
access-list inbound extended permit tcp any host xx.xx.xx.161 eq www
access-list inbound extended permit tcp any host xx.xx.xx.161 eq https
access-list inbound extended permit tcp any host xx.xx.xx.161 eq smtp
access-list inbound extended permit tcp any host xx.xx.xx.161 eq pop3
access-list inbound extended permit tcp any host xx.xx.xx.161 eq imap4
access-list inbound extended permit tcp any host xx.xx.xx.162 eq smtp
access-list inbound extended permit tcp any host xx.xx.xx.162 eq pop3
access-list inbound extended permit tcp any host xx.xx.xx.162 eq www
access-list inbound extended permit tcp any host xx.xx.xx.163 eq www
access-list inbound extended permit tcp any host xx.xx.xx.164 eq ftp
access-list inbound extended permit tcp any host xx.xx.xx.164 eq www
access-list inbound extended permit tcp any host xx.xx.xx.164 eq https
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 3389
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 1194
access-list inbound extended permit tcp any host xx.xx.xx.164 eq 6005
access-list inbound extended permit udp any host xx.xx.xx.164 range 5000 15000
access-list split101 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_access_in extended permit udp any host xx.xx.xx.164 range 5000 15000
access-list outside_access_in extended permit udp host xx.xx.xx.164 host 192.168.1.52 object-group vidcon

pager lines 24
logging enable
logging asdm informational
logging mail informational
logging from-address Ciscoasa@asa
logging recipient-address asa level critical
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.1.1.1-10.1.1.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400

global (outside) 1 interface
global (outside) 2 xx.xx.xx.161 netmask 255.255.255.255
global (outside) 3 xx.xx.xx.162 netmask 255.255.255.255
global (outside) 4 xx.xx.xx.163 netmask 255.255.255.255
global (outside) 5 xx.xx.xx.164 netmask 255.255.255.255
global (outside) 6 xx.xx.xx.165 netmask 255.255.255.255
global (outside) 7 xx.xx.xx.166 netmask 255.255.255.255
global (outside) 8 xx.xx.xx.167 netmask 255.255.255.255

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 4 192.168.1.30 255.255.255.255
nat (inside) 2 192.168.1.40 255.255.255.255
nat (inside) 6 192.168.1.51 255.255.255.255
nat (inside) 5 192.168.1.52 255.255.255.255
nat (inside) 3 192.168.1.55 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www 192.168.1.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.30 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.30 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1024 192.168.1.30 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.20 3389 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 www 192.168.1.40 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 https 192.168.1.40 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 smtp 192.168.1.40 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 pop3 192.168.1.40 pop3 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.161 imap4 192.168.1.40 imap4 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 smtp 192.168.1.55 smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 pop3 192.168.1.55 pop3 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.162 www 192.168.1.55 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.163 www 192.168.1.31 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 www 192.168.1.51 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 https 192.168.1.51 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 ftp 192.168.1.51 ftp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 pptp 192.168.1.51 pptp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.165 1194 192.168.1.51 1194 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server asa protocol nt
group-policy asa internal
group-policy asa attributes
 wins-server value 192.168.1.20
 dns-server value 192.168.1.20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value asa
group-policy hell internal
group-policy Hell attributes
 dns-server value 192.168.1.20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 vpn-group-policy Hell
 group-lock value Hell
 vpn-group-policy asa
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.30 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map rtpdynmap 20 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic rtpdynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group asa type ipsec-ra
tunnel-group asa general-attributes
 address-pool vpnpool
 default-group-policy asa
tunnel-group asa ipsec-attributes
 pre-shared-key *
tunnel-group Hell type ipsec-ra
tunnel-group Hell general-attributes
 address-pool vpnpool
 default-group-policy Hell
tunnel-group Hell ipsec-attributes
 pre-shared-key *
telnet 192.168.1.20 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
policy-map Global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
tftp-server inside 192.168.1.20 C:\TFTP-Root
smtp-server 192.168.1.40
prompt hostname context
Cryptochecksum:1b8cd2b5ff54b7a567dd2b60f0823bd4
: end
ciscoasa(config)#

Question by:ultreya
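Added example, not code from this thread or from Cisco: a small Python audit that parses a running config of the kind posted above and reports the three things that all have to hold for an inbound UDP range to work on this box, namely an ACL entry that permits it, that ACL actually being bound to the outside interface with access-group, and a one-to-one static for the public address. The config excerpt inside it is constructed from lines of the post, with xx.xx.xx.164 kept as the asker's placeholder.

```python
# Added audit helper, not code from the thread: parses an ASA 7.x-style running config and
# checks what an inbound UDP range needs.  SAMPLE_CONFIG is a constructed excerpt of the
# posted config; xx.xx.xx.164 is the thread's own placeholder for the public address.
SAMPLE_CONFIG = """
access-list inbound extended permit udp any host xx.xx.xx.164 range 5000 15000
access-list outside_access_in extended permit udp any host xx.xx.xx.164 range 5000 15000
access-list outside_access_in extended permit udp host xx.xx.xx.164 host 192.168.1.52 object-group vidcon
static (inside,outside) tcp interface 3389 192.168.1.20 3389 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.164 192.168.1.52 netmask 255.255.255.255
access-group inbound in interface outside
"""

def parse(config):
    """Collect extended ACL entries, access-group bindings and static translations."""
    acls, bound, statics = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "access-list" and t[2] == "extended":
            acls.setdefault(t[1], []).append(t[3:])  # [action, proto, src, dst, ports]
        elif t[:1] == ["access-group"]:
            bound[t[1]] = t[4]  # ACL name -> interface it is applied to
        elif t[:1] == ["static"]:
            statics.append(t[2:])  # tokens after the (inside,outside) pair
    return acls, bound, statics

def unbound_acls(config):
    """ACLs that are defined but never applied with access-group, so they filter nothing."""
    acls, bound, _ = parse(config)
    return sorted(set(acls) - set(bound))

def _addr(tokens, i):
    # One ACL address field: 'any' is one token; host X, object-group X and ip mask are two.
    if tokens[i] == "any":
        return ("any", None), i + 1
    return (tokens[i], tokens[i + 1]), i + 2

def udp_range_reachable(config, ext_host, lo, hi):
    """Which ACLs permit udp lo-hi to ext_host, which of those are bound, and whether a
    one-to-one static exists for ext_host (a per-port tcp static covers nothing here)."""
    acls, bound, statics = parse(config)
    permitting = set()
    for name, entries in acls.items():
        for e in entries:
            _, i = _addr(e, 2)          # skip the source field
            dst, i = _addr(e, i)
            rest = e[i:]                # port spec: [], ['eq', p], ['range', a, b], ...
            if ((e[0], e[1], dst) == ("permit", "udp", ("host", ext_host))
                    and rest[:1] == ["range"] and int(rest[1]) <= lo <= hi <= int(rest[2])):
                permitting.add(name)
    static_ok = any(s[0] == ext_host for s in statics)  # proto statics begin with tcp/udp
    return {"permitting_acls": sorted(permitting),
            "bound_permit": sorted(permitting & set(bound)), "static": static_ok}
```

Run against the full posted config, the same functions flag dmz_access_in and outside_access_in as ACLs that exist but are bound to no interface, so only the inbound ACL decides what reaches xx.xx.xx.164.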
2 Comments

Accepted Solution

by:
nodisco earned 500 total points
ID: 24309529
Seems time is against you!  I am in New Zealand, hence my late reply to the other Q, but the answer is in it for you

cheers

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24371227.html?cid=1066#a24307435

Author Closing Comment

by:ultreya
ID: 31578243
You have got to hold the record for longest fix or the most patience. Thank you for all your help on the same issue different thread.