Solved

High range ports and ASA inspection?

Posted on 2010-11-10 | Medium Priority | 525 Views | Last Modified: 2012-05-10
We have an ASA5505 with inside, DMZ and outside interfaces. I cannot get outside connections to come in.

We normally allow outside traffic into the DMZ like this (IP addresses have been changed):

access-list outside-in extended permit tcp any host 77.1.1.80 eq 80
access-list outside-in extended permit tcp any host 77.1.1.80 range 60000 64999
static (dmz,outside) 77.1.1.80 10.10.10.12 netmask 255.255.255.255

All DMZ hosts have full access to anything (except the internal network).

The issue we are having is that no traffic is hitting 10.10.10.12 from the outside. I even did a permit ip any host 77.1.1.80 and still nothing. If we access 77.1.1.80 from 77.1.1.50 (one of our own public IPs) it works, but no other outside users can access it.
Question by: orus
7 Comments
Accepted Solution by: Pete Long (LVL 57; earned 1000 total points)
ID: 34104069
Did you apply the outside-in ACL with an access-group command?

ASA setting up a DMZ http://www.petenetlive.com/KB/Article/0000316.htm

Pete

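The question above posts the access-list and static lines but no access-group, which is exactly what Pete's reply asks about. The following is an added example (not Cisco code and not the poster's configuration): a small Python model of how a pre-8.3 ASA evaluates an inbound packet on the outside interface, parsing the posted lines and showing that without `access-group outside-in in interface outside` the ACL is never consulted and lower-to-higher-security traffic is dropped. It assumes pre-8.3 semantics (the ACL matches on the mapped public address, then the static untranslates it); the client address 203.0.113.7 is a constructed documentation address.

```python
"""Added model of ASA access-list / static / access-group evaluation (pre-8.3 style).
Illustration only: not Cisco code, not the poster's running config."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    dst: str      # address as seen on the ingress interface (mapped/global address)
    dport: int


@dataclass
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_lo: Optional[int]     # None: any destination port
    port_hi: Optional[int]


@dataclass
class Static:
    real_if: str               # e.g. "dmz"
    mapped_if: str             # e.g. "outside"
    mapped: ipaddress.IPv4Network
    real: ipaddress.IPv4Network


@dataclass
class Policy:
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)
    statics: List[Static] = field(default_factory=list)
    bindings: Dict[str, str] = field(default_factory=dict)   # interface -> ACL name


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _ports(t: List[str], i: int) -> Tuple[Optional[int], Optional[int]]:
    """Consume an optional 'eq N' or 'range LO HI' destination-port clause."""
    if i >= len(t):
        return None, None
    if t[i] == "eq":
        return int(t[i + 1]), int(t[i + 1])
    if t[i] == "range":
        return int(t[i + 1]), int(t[i + 2])
    raise ValueError(f"unsupported port clause: {' '.join(t[i:])}")


def parse_policy(config: str) -> Policy:
    """Parse access-list / static / access-group lines into a Policy."""
    pol = Policy()
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            lo, hi = _ports(t, i)
            pol.acls.setdefault(t[1], []).append(AclEntry(t[3], t[4], src, dst, lo, hi))
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            pol.statics.append(Static(real_if, mapped_if,
                                      ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),
                                      ipaddress.ip_network(f"{t[3]}/{mask}", strict=False)))
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            pol.bindings[t[4]] = t[1]
    return pol


def evaluate(pol: Policy, pkt: Packet, ingress: str = "outside") -> Tuple[str, str]:
    """Return (verdict, detail) for a packet arriving on `ingress`."""
    acl = pol.bindings.get(ingress)
    if acl is None:
        return "DENY", (f"no access-group on {ingress}: traffic from a lower-security "
                        "interface to a higher one is dropped unless an ACL permits it")
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in pol.acls.get(acl, []):
        if e.proto not in ("ip", pkt.proto):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.port_lo is not None and not (e.port_lo <= pkt.dport <= e.port_hi):
            continue
        if e.action == "deny":
            return "DENY", f"explicit deny in access-list {acl}"
        # Pre-8.3 ACLs reference the mapped (public) address; untranslate via the static.
        for s in pol.statics:
            if s.mapped_if == ingress and dst in s.mapped:
                real = ipaddress.ip_address(int(s.real.network_address)
                                            + (int(dst) - int(s.mapped.network_address)))
                return "PERMIT", f"{real} via {s.real_if}"
        return "PERMIT", f"{dst} (no static translation found)"
    return "DENY", f"implicit deny at end of access-list {acl}"


# The three lines from the question, exactly as posted.
POSTED_CONFIG = """\
access-list outside-in extended permit tcp any host 77.1.1.80 eq 80
access-list outside-in extended permit tcp any host 77.1.1.80 range 60000 64999
static (dmz,outside) 77.1.1.80 10.10.10.12 netmask 255.255.255.255
"""
# The binding Pete's reply asks about; without it the ACL is never consulted.
BOUND_CONFIG = POSTED_CONFIG + "access-group outside-in in interface outside\n"


def verdict(config: str, proto: str, dport: int, src: str = "203.0.113.7") -> Tuple[str, str]:
    """Evaluate a constructed inbound packet to 77.1.1.80 against a config text."""
    return evaluate(parse_policy(config), Packet(proto, src, "77.1.1.80", dport))


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("with access-group", BOUND_CONFIG)):
        for proto, port in (("tcp", 80), ("tcp", 62000), ("tcp", 443), ("udp", 80)):
            print(f"{name:18} {proto}/{port:<5} -> {verdict(cfg, proto, port)}")
```

Running it shows every packet denied under the posted lines with the "no access-group" reason, and under the bound config TCP/80 and TCP/62000 permitted and untranslated to 10.10.10.12 via dmz, while TCP/443 and UDP/80 still hit the implicit deny. On a real ASA the equivalent check is `show running-config access-group` and the hit counters in `show access-list outside-in`.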

Author Comment by: orus
ID: 34104399
Yes

Author Comment by: orus
ID: 34104523
I have several other dmz boxes that are accessed no problem
Expert Comment by: stsonline (LVL 10)
ID: 34105441
Try putting a capture on the outside and DMZ interfaces, then try to send traffic; you may be getting data on the wrong ports. Have you checked the logs to see if anything is being denied?

Author Comment by: orus
ID: 34105841
I did do a capture earlier. I can see the DMZ host sending traffic out.
I see it translated to the public IP.
I see TCP SYNs going out, but no other TCP traffic.

On the ACLs:

I see no hits on the ACL, EXCEPT for when host 77.1.1.50 accessed it. Then it worked. But any host outside of our public IP block does NOT work. I thought it could be a routing issue with our Cable internet provider (not sending traffic destined for 77.1.1.80 to our modem)?
Assisted Solution by: stsonline (LVL 10; earned 1000 total points)
ID: 34106400
Try putting a capture on the outside interface grabbing 77.1.1.80 as the source or destination, then try to open http://77.1.1.80 from somewhere other than your 77.1.1.x systems. If you still aren't seeing anything then the issue is probably on your ISP and/or modem.

Is 77.1.1.80 the IP address of your outside interface?
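stsonline's two replies boil down to one decision rule: capture on the outside interface filtered on 77.1.1.80 (on an ASA that is typically `capture NAME interface outside match tcp any host 77.1.1.80`, then `show capture NAME`), connect from a host outside your own 77.1.1.x block, and if no inbound SYN from that host ever appears the problem is upstream (ISP routing or modem); if the SYN appears but is never answered, the problem is on the firewall or the DMZ host. The following is an added example (not Cisco code, not from this thread) that applies that rule to `show capture` output. The capture listings are constructed; 77.1.1.0/24 stands in for the poster's public block and 203.0.113.9 is a documentation address standing in for an off-net client.

```python
"""Added triage of ASA 'show capture' output taken on the outside interface.
Illustration only: the packet lines below are constructed, not a real capture."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# tcpdump-style packet line as printed by 'show capture <name>'. Format assumed
# from the usual ASA listing: "  N: HH:MM:SS.usec SRC.SPORT > DST.DPORT: FLAGS ...".
_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def parse_capture(text: str) -> List[Pkt]:
    """Parse packet lines; header lines such as '3 packets captured' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        pkts.append(Pkt(m.group("src"), int(m.group("sport")),
                        m.group("dst"), int(m.group("dport")),
                        "S" in m.group("flags"), " ack " in m.group("rest")))
    return pkts


def triage(capture: str, service_ip: str, own_block: str) -> Dict[str, object]:
    """Decide where an inbound-access problem lies from an outside-interface capture.

    UPSTREAM:         no SYN from outside own_block ever reached the interface
    FIREWALL_OR_HOST: off-net SYNs arrived but service_ip never sent a SYN-ACK back
    OK:               off-net SYNs arrived and were answered
    """
    block = ipaddress.ip_network(own_block)
    pkts = parse_capture(capture)
    inbound = [p for p in pkts if p.dst == service_ip and p.syn and not p.ack]
    offnet = [p for p in inbound if ipaddress.ip_address(p.src) not in block]
    onnet = [p for p in inbound if ipaddress.ip_address(p.src) in block]
    # SYN-ACKs leaving service_ip, keyed by the client (address, port) they answer.
    answered = {(p.dst, p.dport) for p in pkts if p.src == service_ip and p.syn and p.ack}
    offnet_answered = [p for p in offnet if (p.src, p.sport) in answered]
    if not offnet:
        verdict = "UPSTREAM"
    elif not offnet_answered:
        verdict = "FIREWALL_OR_HOST"
    else:
        verdict = "OK"
    return {"verdict": verdict, "onnet_syns": len(onnet),
            "offnet_syns": len(offnet), "offnet_answered": len(offnet_answered)}


# Constructed listings: only the poster's own 77.1.1.50 ever reaches the service.
CAPTURE_ONLY_OWN_BLOCK = """\
3 packets captured
   1: 14:02:11.118342 77.1.1.50.50123 > 77.1.1.80.80: S 1172203616:1172203616(0) win 8192 <mss 1460,nop,nop,sackOK>
   2: 14:02:11.118601 77.1.1.80.80 > 77.1.1.50.50123: S 1950282719:1950282719(0) ack 1172203617 win 64240 <mss 1460>
   3: 14:02:11.119005 77.1.1.50.50123 > 77.1.1.80.80: . ack 1950282720 win 8192
"""
# An off-net client's SYN (plus one retransmit) arrives but gets no reply.
CAPTURE_OFFNET_UNANSWERED = CAPTURE_ONLY_OWN_BLOCK + """\
   4: 14:02:40.201118 203.0.113.9.41000 > 77.1.1.80.80: S 3131165690:3131165690(0) win 65535 <mss 1460>
   5: 14:02:43.204412 203.0.113.9.41000 > 77.1.1.80.80: S 3131165690:3131165690(0) win 65535 <mss 1460>
"""
# Same, but the service answers the off-net client.
CAPTURE_OFFNET_ANSWERED = CAPTURE_OFFNET_UNANSWERED + """\
   6: 14:02:43.204910 77.1.1.80.80 > 203.0.113.9.41000: S 2000000001:2000000001(0) ack 3131165691 win 64240 <mss 1460>
"""

if __name__ == "__main__":
    for name, cap in (("own block only", CAPTURE_ONLY_OWN_BLOCK),
                      ("off-net unanswered", CAPTURE_OFFNET_UNANSWERED),
                      ("off-net answered", CAPTURE_OFFNET_ANSWERED)):
        print(f"{name:20} {triage(cap, '77.1.1.80', '77.1.1.0/24')}")
```

The first listing reproduces what the poster described (hits only from 77.1.1.50) and is classified UPSTREAM; the second shows the case where the SYN does reach the outside interface, which points back at the access-group, ACL hit counters, static and a DMZ-side capture rather than at the ISP.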

Author Comment by: orus
ID: 34106712
Yea, I tried that too. And just now, I tried allowing VNC in through to a DMZ host. It worked like a charm. This Lifesize video conferencing device is the one with the issue. It doesn't like being behind Cisco firewalls, I heard. Oh well.