Solved

ASA 5510 7.0 Port Forwarding problem

Posted on 2009-07-09
Last Modified: 2012-05-07
I am killing myself here. Cannot port forward for my life...
I need 4 protocols using TCP to come into one server. I placed a sniffer on to make sure.
Please help me get TCP 443, 7001, 2513 and 2515 inside my network to 192.168.111.36 (Inside) from 2xxx.xxx.xxx.xx8 (Outside).
My router is 2xx.xxx.xxx.xx6
Regards,
Mark
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 2xx.xxx.xxx.xx6 255.255.255.0
!
interface Ethernet0/1
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list MetRemote_splitTunnelAcl standard permit any
access-list outside-entry extended permit tcp any host 2xx.xxx.xxx.96 eq 1433
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2515
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 2xx.xxx.xxx.98
nat-control
global (Outside) 1 interface
global (Inside) 200 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.111.0 255.255.255.0
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.1 1

Question by:mbeckerman44
 
LVL 28

Expert Comment

by:asavener
ID: 24819688
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2515

It should be:

access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 2515


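A check for the mistake asavener points at, as an added example that is not code from the thread: on ASA 7.x through 8.2 an ACL applied inbound on the Outside interface is evaluated before the static is untranslated, so an ACE whose destination is the real inside host never matches and `show access-list` keeps reporting a hit count of 0. The script below parses a pre-8.3 config and flags three things: ACEs on an inbound ACL that name the real address behind a static on that interface, ACEs that open a forwarded port to `any` (the exposure the asker objects to later in the thread), and ACLs that are defined but never applied (the second configuration posted later in this thread has no `access-group` line at all). `SAMPLE_CONFIG` is constructed from the first configuration posted above with the masked public addresses replaced by TEST-NET-3 placeholders (203.0.113.0/24); the function and class names are the example's own.

```python
"""Lint a pre-8.3 Cisco ASA/PIX config for the inbound-ACL mistake in this thread.

On ASA 7.x through 8.2 an ACL applied inbound on the lower-security (mapped) side is
evaluated before the static is untranslated, so each ACE must name the MAPPED address
("interface Outside" or the global IP), not the real inside host. ASA 8.3+ reversed this.
Added example, not from the thread. SAMPLE_CONFIG is constructed (TEST-NET-3 addresses).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
access-list outside-entry extended permit tcp any host 203.0.113.96 eq 1433
access-list Outside_access_in extended permit tcp host 203.0.113.98 host 192.168.111.36 eq 7001
access-list Outside_access_in extended permit tcp host 203.0.113.98 host 192.168.111.36 eq https
access-list Outside_access_in extended permit tcp any interface Outside eq 2513
access-list Outside_access_in extended permit tcp host 203.0.113.98 interface Outside eq 2515
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 203.0.113.98
nat (Inside) 0 access-list Inside_nat0_outbound
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""


@dataclass
class Ace:
    src: tuple            # ("any", None) | ("host", ip) | ("interface", nameif) | ("net", "ip/mask")
    dst: tuple
    port: Optional[str]   # value after "eq", if present
    line: str


@dataclass
class Static:
    real_if: str
    mapped_if: str
    real: str
    mapped_port: Optional[str]   # set for static PAT, None for a one-to-one static


def _addr(tok, i):
    """Parse one ACE address operand at tok[i]; return (operand, index after it)."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] in ("host", "interface"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", f"{tok[i]}/{tok[i + 1]}"), i + 2      # "network mask" pair


def parse_config(text):
    acls, statics, groups, referenced = {}, [], {}, set()
    for raw in text.splitlines():
        tok = raw.split()
        if tok[:1] == ["access-list"] and len(tok) > 4 and tok[2] not in ("standard", "remark") and "permit" in tok:
            src, j = _addr(tok, tok.index("permit") + 2)
            dst, j = _addr(tok, j)
            port = tok[j + 1] if j + 1 < len(tok) and tok[j] == "eq" else None
            acls.setdefault(tok[1], []).append(Ace(src, dst, port, raw.strip()))
        elif tok[:1] == ["static"]:
            real_if, mapped_if = tok[1].strip("()").split(",")
            pat = tok[2] in ("tcp", "udp")               # static PAT: proto mapped mport real rport
            statics.append(Static(real_if, mapped_if, tok[5] if pat else tok[3], tok[4] if pat else None))
        elif tok[:1] == ["access-group"]:                # access-group NAME in|out interface IFACE
            groups[tok[1]] = (tok[2], tok[4])
            referenced.add(tok[1])
        elif tok[:1] == ["nat"] and "access-list" in tok:   # nat (if) 0 access-list NAME
            referenced.add(tok[tok.index("access-list") + 1])
    # ACLs referenced only by group-policy or crypto map are not tracked here and
    # would be reported as unapplied; extend `referenced` before linting a VPN config.
    return {"acls": acls, "statics": statics, "groups": groups, "referenced": referenced}


def lint(cfg):
    """Return (severity, where, message) tuples; 'where' is the ACE text or ACL name."""
    findings = []
    for acl_name, (direction, iface) in cfg["groups"].items():
        if direction != "in":
            continue
        mine = [s for s in cfg["statics"] if s.mapped_if.lower() == iface.lower()]
        real_hosts = {ipaddress.ip_address(s.real) for s in mine}
        pat_ports = {s.mapped_port for s in mine if s.mapped_port}
        for ace in cfg["acls"].get(acl_name, []):
            kind, val = ace.dst
            if kind in ("host", "net"):
                first = ipaddress.ip_network(val, strict=False).network_address
                if first in real_hosts:
                    findings.append(("error", ace.line,
                        f"destination {val} is the real (untranslated) address; on pre-8.3 code "
                        f"an inbound ACL on {iface} must match the mapped side ('interface {iface}')"))
            if ace.src == ("any", None) and ace.port in pat_ports:
                findings.append(("warning", ace.line,
                    f"port {ace.port} is forwarded by a static PAT and open to any source; "
                    "restrict the source to the known peer"))
    for acl_name in cfg["acls"]:
        if acl_name not in cfg["referenced"]:
            findings.append(("warning", acl_name,
                "defined but not applied by access-group or nat: it is never evaluated, "
                "and an unused permit is easy to apply by mistake later"))
    return findings
```

Against the sample this reports the two ACEs that name 192.168.111.36 as errors, the `any` source on port 2513 and the unapplied `outside-entry` ACL (the 1433 rule in the posted config) as warnings; rewriting the two bad ACEs to `interface Outside` clears the errors. ASA 8.3 and later reversed the rule (ACLs use real addresses and NAT is object-based), so run this only against pre-8.3 configs.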
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24822947
I tried this and still I cannot see any traffic using Wireshark on the 192.168.111.36 interface from either 2xx.xxx.xxx.x98 (webserver) or 2xx.xxx.xxx.xx6 (router).
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823023
Here is what I have now.



interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 2xx.xxx.xxx.x96 255.255.255.0
!
interface Ethernet0/1
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list MetRemote_splitTunnelAcl standard permit any
access-list outside-entry extended permit tcp any host 2xx.xxx.xxx.x96 eq 1433
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2515
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 2xx.xxx.xxx.x98
nat-control
global (Outside) 1 interface
global (Inside) 200 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.111.0 255.255.255.0
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255
route Outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.xx1 1

 
LVL 28

Expert Comment

by:asavener
ID: 24823085
Remove this:  nat (Inside) 0 access-list Inside_nat0_outbound

What do you see when you run "show access-list Outside_access_in"?  Does it show a hitcount?
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823252
Removed nat (Inside) 0 access-list Inside_nat0_outbound

Ran clear xlate. Checked website. Still not getting in.

Ran "show access-list Outside_access_in"

HITCOUNT = 0 on all ACLs

access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2515
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823328
On the webserver .98 I can see the packets with DST port 7001 going to .96 ( Router). But that is it.
 
LVL 79

Expert Comment

by:lrmoore
ID: 24823338
no access-list Outside_access_in
access-list Outside_access_in permit tcp any interface outside eq 7001
access-list Outside_access_in permit tcp any interface outside eq https
access-list Outside_access_in permit tcp any interface outside eq 2513
access-list Outside_access_in permit tcp any interface outside eq 2515

access-group Outside_access_in in interface Outside
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823410
lrmoore,
Doesn't this allow any computer on the internet to send me these protocols and forward them to my inside server? I would like to limit this if possible. I know what computer needs to get to the inside computer and the protocols needed. Maybe I do not know enough about this.
 
LVL 28

Expert Comment

by:asavener
ID: 24823453
Is the Webserver Windows-based?

If so, try the connection, then start a command line and run "arp -a".  Does the ASA's IP address and MAC address appear?
 
LVL 28

Expert Comment

by:asavener
ID: 24823471
lrmoore's suggestion is temporary, I think, to avoid the possibility of typos.
 
LVL 79

Expert Comment

by:lrmoore
ID: 24823549
Yes, make sure you can pass the protocols using "any" then lock it down to sources:

access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 7001
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq https
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 2513
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 2515
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823562
Web server and Inside Server are Windows.

The outside server shows the router in the arp table.
The inside server does not show the router in the arp table.

lrmoore - thanks, no disrespect, just trying to be careful of how much I open to the public.
 
LVL 79

Expert Comment

by:lrmoore
ID: 24823621
No problem..
The inside server will never show the router in the arp table because the router is "past" the default gateway which is the ASA. An ARP entry is a mac-address to IP mapping and your server will never ever see the mac address of any foreign endpoint. If there is a default gateway assigned to a NIC, ARP does not play because it just automagically sends the traffic to the gateway, and the gateway "is" in the arp cache.
 
LVL 28

Expert Comment

by:asavener
ID: 24823758
The inside server should have an ARP entry for 192.168.111.1.

The outside server should have an ARP entry for 2xx.xxx.xxx.x96.



If the inside has received no traffic, then it won't have an ARP entry; if you try to ping 192.168.111.1 from the inside server then an ARP entry should appear.  (Please verify this.)

You can also look at the ARP table on the ASA ("show arp") to make sure it can see both of the servers.
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823820
Ok Network Diagram time...

(WebServer) 2xxx.xxx.xxx.x98 connected to (ASA/Outside interface) 2xx.xxx.xxx.x96 connected to (ASA/Inside interface) 192.168.111.1 connected to (Application/Inside server) 192.168.111.36.
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823848
ARP.

ASA shows both
Webserver shows ASA
Inside Server shows ASA after ping only
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823869
By the way if I remove the ASA and replace with old Firewall everything works fine.
 
LVL 79

Accepted Solution

by: lrmoore (earned 175 total points)
ID: 24823945
Have you tried the access-list exactly as I demonstrated?
It will work.

access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq 7001
access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq https
access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq 2513
access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq 2515
access-group Outside_access_in in interface Outside
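The configuration the accepted answer arrives at, written out with the checks a practitioner would run afterwards. This is an added example, not something posted in the thread; the masked addresses are kept as the asker wrote them (2xx.xxx.xxx.x96 is the Outside interface, 2xx.xxx.xxx.x98 the peer web server), and the capture ACL name CAP_FWD is made up for illustration. Two things the thread settles: the ACE must name the mapped address (`interface Outside`), because on ASA 7.x through 8.2 the inbound ACL is evaluated before the static is untranslated; and the second configuration posted above has no `access-group` line at all, in which case the ACL is never consulted and the implicit deny from security-level 0 to 100 drops the connections. The `nat (Inside) 0 access-list Inside_nat0_outbound` exemption removed during troubleshooting is left out.

```cisco
! Port forwards on ASA 7.x / 8.0-8.2 (pre-8.3 NAT syntax). Added example.
! Static PAT: the Outside interface address answers on each port and the ASA
! untranslates to the real host 192.168.111.36. Static xlates are created at
! configuration time, so they show in "show xlate" before any traffic arrives.
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255
!
! Inbound ACL on Outside. On this code the ACL sees the packet BEFORE the static
! is untranslated, so the destination is the mapped address (interface Outside),
! never 192.168.111.36. Source pinned to the one peer that needs access, not any.
clear configure access-list Outside_access_in
access-list Outside_access_in remark app-server forwards, peer 2xx.xxx.xxx.x98 only
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 interface Outside eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 interface Outside eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 interface Outside eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 interface Outside eq 2515
! Without access-group the ACL exists but is never evaluated; Outside-to-Inside
! traffic is then dropped by the implicit deny and every hitcnt stays at 0.
access-group Outside_access_in in interface Outside
!
! Verification from privileged EXEC, in this order:
clear xlate
show xlate
!   expect a "PAT Global <outside-ip>(443) Local 192.168.111.36(443)" style line per port
show access-list Outside_access_in
!   hitcnt must climb as the peer connects. Still 0: ACL not applied, ACE written
!   against the real address, or the peer's packets never reach the Outside interface
show conn address 192.168.111.36
!   built TCP connections to the real host once forwarding works
!
! Capture on Inside to prove the ASA actually forwarded the packets (ACL name is
! illustrative; both directions so replies are visible). A SYN to the server with
! no SYN/ACK back points at the server (host firewall, listener), not the ASA.
access-list CAP_FWD extended permit tcp any host 192.168.111.36
access-list CAP_FWD extended permit tcp host 192.168.111.36 any
capture fwd access-list CAP_FWD interface Inside
show capture fwd
no capture fwd
!
! 7.2(1) and later only: simulate the flow through NAT and ACL in one step
packet-tracer input Outside tcp 2xx.xxx.xxx.x98 40000 2xx.xxx.xxx.x96 7001
```

`packet-tracer` exists from 7.2(1) on, so it is not available on the 7.0 code in the question; the other commands are. On ASA 8.3 and later the rule is reversed (the ACL names the real address 192.168.111.36 and NAT is configured with `object network`), so this fragment does not carry over to newer code unchanged.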
 
LVL 28

Assisted Solution

by: asavener (earned 75 total points)
ID: 24823949
Swapping out devices like that can confuse the ARP entries.  Can you verify that the ARP entry on the outside server matches the MAC address of the ASA?
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24824127
lrmoore,
You are a genius.. LOL
Yes this worked. Oh my GOD I get to sleep tonight.

asavener.
Thank you so much for your help also.
 
LVL 1

Author Closing Comment

by:mbeckerman44
ID: 31601892
Thanks so much for the help. Now I get to remove my straitjacket.
