Solved

ASA 5510 7.0 Port Forwarding problem

Posted on 2009-07-09
21
377 Views
Last Modified: 2012-05-07
I am killing myself here. Cannot Port forward for my life...
I need 4 protocols using TCP to come into one server. I placed a sniffer on to make sure.
Please help me get TCP 443, 7001, 2513 and 2515 inside my network to 192.168.111.36 (Inside) from 2xxx.xxx.xxx.xx8 (Outside).
My router is 2xx.xxx.xxx.xx6
Regards,
Mark
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 2xx.xxx.xxx.xx6 255.255.255.0 
!
interface Ethernet0/1
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.100.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
access-list MetRemote_splitTunnelAcl standard permit any 
access-list outside-entry extended permit tcp any host 2xx.xxx.xxx.96 eq 1433 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 7001 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq https 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2513 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2515 
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 2xx.xxx.xxx.98 
 
nat-control
global (Outside) 1 interface
global (Inside) 200 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.111.0 255.255.255.0
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255 
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255 
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.1 1


21 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24819688
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2515

It should be:

access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 2515



0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24822947
I tried this and still I cannot see any traffic using Wireshark on the 192.168.111.36 interface from either 2xx.xxx.xxx.x98 (webserver) or 2xx.xxx.xxx.xx6 (Router).
0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823023
Here is what I have now.


interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 2xx.xxx.xxx.x96 255.255.255.0 
!
interface Ethernet0/1
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.100.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
access-list MetRemote_splitTunnelAcl standard permit any 
access-list outside-entry extended permit tcp any host 2xx.xxx.xxx.x96 eq 1433 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 7001 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq https 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2513 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2515 
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 2xx.xxx.xxx.x98 
 
nat-control
global (Outside) 1 interface
global (Inside) 200 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.111.0 255.255.255.0
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255 
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255 
route Outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.xx1 1


0

 
LVL 28

Expert Comment

by:asavener
ID: 24823085
Remove this:  nat (Inside) 0 access-list Inside_nat0_outbound

What do you see when you run "show access-list Outside_access_in"?  Does it show a hitcount?
0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823252
Removed nat (Inside) 0 access-list Inside_nat0_outbound

Ran clear xlate. Checked website. Still not getting in.

Ran "show access-list Outside_access_in"

HITCOUNT = 0 on all ACLs

access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2515
0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823328
On the webserver .98 I can see the packets with DST port 7001 going to .96 ( Router). But that is it.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24823338
no access-list Outside_access_in
access-list Outside_access_in permit tcp any interface outside eq 7001
access-list Outside_access_in permit tcp any interface outside eq https
access-list Outside_access_in permit tcp any interface outside eq 2513
access-list Outside_access_in permit tcp any interface outside eq 2515

access-group Outside_access_in in interface Outside
0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823410
lrmoore,
Doesn't this allow any computer on the internet to send me these protocols and forward them to my inside server? I would like to limit this if possible. I know what computer needs to get to the inside computer and the protocols needed. Maybe I do not know enough about this.
0
 
LVL 28

Expert Comment

by:asavener
ID: 24823453
Is the Webserver Windows-based?

If so, try the connection, then start a command line and run "arp -a".  Does the ASA's IP address and MAC address appear?
0
 
LVL 28

Expert Comment

by:asavener
ID: 24823471
lrmoore's suggestion is temporary, I think, to avoid the possibility of typos.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24823549
Yes, make sure you can pass the protocols using "any" then lock it down to sources:

access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 7001
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq https
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 2513
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 2515
0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823562
Web server and Inside Server are Windows.

The outside server shows the router in the arp table.
The inside server does not show the router in the arp table.

lrmoore - thanks, no disrespect, just trying to be careful of how much I open to the public.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 24823621
No problem..
The inside server will never show the router in the arp table because the router is "past" the default gateway which is the ASA. An ARP entry is a mac-address to IP mapping and your server will never ever see the mac address of any foreign endpoint. If there is a default gateway assigned to a NIC, ARP does not play because it just automagically sends the traffic to the gateway, and the gateway "is" in the arp cache.
0
 
LVL 28

Expert Comment

by:asavener
ID: 24823758
The inside server should have an ARP entry for 192.168.111.1.

The outside server should have an ARP entry for 2xx.xxx.xxx.x96.



If the inside has received no traffic, then it won't have an ARP entry; if you try to ping 192.168.111.1 from the inside server then an ARP entry should appear.  (Please verify this.)

You can also look at the ARP table on the ASA ("show arp") to make sure it can see both of the servers.
0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823820
Ok Network Diagram time...

(WebServer) 2xxx.xxx.xxx.x98 connected to (ASA/Outside Interface) 2xx.xxx.xxx.x96 connected to (ASA/Inside Interface) 192.168.111.1 connected to (Application/Inside Server) 192.168.111.36.
0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823848
ARP.

ASA shows both
Webserver shows ASA
Inside Server shows ASA after ping only
0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24823869
By the way if I remove the ASA and replace with old Firewall everything works fine.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 175 total points
ID: 24823945
Have you tried the access-list exactly as I demonstrated?
It will work.

access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq 7001
access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq https
access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq 2513
access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq 2515
access-group Outside_access_in in interface Outside
0
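As an added illustration of why lrmoore's access-list works (this is not code from the thread): on pre-8.3 ASA code such as the 7.0 here, an inbound ACL for a static PAT must name the mapped address, i.e. the Outside interface IP, not the real inside host. This Python checker, run against a constructed config that uses RFC 5737 documentation addresses in place of the poster's, flags ACL entries that reference the real host for a port that has a static PAT. From ASA 8.3 onward ACLs reference real addresses instead, so the check only applies to older code.

```python
import re

# Constructed sample in the style of the thread's ASA 7.0 config; the public
# addresses are RFC 5737 documentation placeholders, not the poster's.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 ip address 203.0.113.96 255.255.255.0
!
access-list Outside_access_in extended permit tcp host 203.0.113.98 host 192.168.111.36 eq 7001
access-list Outside_access_in extended permit tcp host 203.0.113.98 host 203.0.113.96 eq https
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""

PORT_NAMES = {"https": 443, "www": 80, "ssh": 22}  # ASA port keywords the check understands
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp host (\S+) host (\S+) eq (\S+)")

def port_number(token):
    """Resolve an ASA port keyword such as 'https' or a numeric string to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def interface_ips(config):
    """Map each nameif to the IP address configured under it."""
    ips, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None
        elif line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" ip address ") and current:
            ips[current] = line.split()[2]
    return ips

def check_static_pat_acls(config):
    """Return (port, acl_dst, expected_dst) for every ACL entry that names the
    real inside host instead of the mapped outside-interface address, which is
    the pre-8.3 mistake in the thread. An empty list means all entries match."""
    ips, pats, acls = interface_ips(config), {}, []
    for line in config.splitlines():
        s, a = STATIC_RE.match(line), ACL_RE.match(line)
        if s:  # static PAT: mapped port on the Outside interface -> real host
            _real_if, mapped_if, mapped_port, real_ip, _real_port = s.groups()
            pats[port_number(mapped_port)] = (mapped_if, real_ip)
        elif a:  # inbound ACL entry: remember its destination and port
            _name, _src, dst, port = a.groups()
            acls.append((port_number(port), dst))
    return [(p, d, ips[pats[p][0]]) for p, d in acls if p in pats and d == pats[p][1]]
```

Running it on the sample reports only the 7001 entry, which still points at 192.168.111.36 while the https entry correctly names the Outside interface address.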
 
LVL 28

Assisted Solution

by:asavener
asavener earned 75 total points
ID: 24823949
Swapping out devices like that can confuse the ARP entries.  Can you verify that the ARP entry on the outside server matches the MAC address of the ASA?
0
 
LVL 1

Author Comment

by:mbeckerman44
ID: 24824127
lrmoore,
You are a genius.. LOL
Yes this worked. Oh my GOD I get to sleep tonight.

asavener.
Thank you so much for your help also.
0
 
LVL 1

Author Closing Comment

by:mbeckerman44
ID: 31601892
Thanks so much for the help. Now I get to remove my straitjacket.
0
