Solved

Cisco ASA5505 Port Forward issue

Posted on 2010-11-28
6
936 Views
Last Modified: 2012-05-10
I am having issues with forwarding some ports. Port 2000 and port 8080 are not showing up as open ports when doing a scan from an external host. Here is my config. What am I doing wrong?

ASA Version 8.3(1)
!
hostname

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.7 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.*.*.* 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
object network obj-192.168.1.98
 host 192.168.1.98
object network obj-192.168.1.98-01
 host 192.168.1.98
object network obj-192.168.1.97
 host 192.168.1.97
object network obj-192.168.1.97-01
 host 192.168.1.97
object network obj-192.168.1.97-02
 host 192.168.1.97
object network obj-192.168.1.97-03
 host 192.168.1.97
object network obj-192.168.1.97-04
 host 192.168.1.97
object network obj-192.168.1.101
 host 192.168.1.101
object network obj-192.168.1.98-02
 host 192.168.1.98
object network obj-192.168.1.101-01
 host 192.168.1.101
object network obj-192.168.1.101-02
 host 192.168.1.101
object network obj-192.168.1.2
 host 192.168.1.2
object network obj-192.168.1.11
 host 192.168.1.11
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.97-05
 host 192.168.1.97
object network obj-192.168.1.97-06
 host 192.168.1.97
object network obj-192.168.1.97-07
 host 192.168.1.97
access-list OUT_IN extended permit tcp any host 69.*.*.* eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.1.98
 nat (inside,outside) static interface service tcp 5632 5632
object network obj-192.168.1.98-01
 nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data
object network obj-192.168.1.97
 nat (inside,outside) static interface service tcp 3001 3001
object network obj-192.168.1.97-01
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-192.168.1.97-02
 nat (inside,outside) static interface service tcp 2001 2001
object network obj-192.168.1.97-03
 nat (inside,outside) static interface service tcp 2002 2002
object network obj-192.168.1.97-04
 nat (inside,outside) static interface service tcp 2003 2003
object network obj-192.168.1.101
 nat (inside,outside) static interface service tcp 4124 4124
object network obj-192.168.1.98-02
 nat (inside,outside) static interface service tcp 3389 3389
object network obj-192.168.1.101-01
 nat (inside,outside) static interface service tcp www www
object network obj-192.168.1.101-02
 nat (inside,outside) static interface service tcp https https
object network obj-192.168.1.2
 nat (inside,outside) static interface service tcp 4144 4144
object network obj-192.168.1.11
 nat (inside,outside) static interface service tcp smtp smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.1.97-05
 nat (inside,outside) static interface service tcp 2004 2004
object network obj-192.168.1.97-06
 nat (inside,outside) static interface service tcp 2005 2005
object network obj-192.168.1.97-07
 nat (inside,outside) static interface service tcp 8080 8080
access-group inside_access_in in interface inside
access-group smtp_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4a450f4adcab22d0e538372
: end
Question by:adamshields
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 34230223
>access-group smtp_in in interface outside
You only have the smtp_in ACL applied to the outside interface. You need to combine the 2 ACLs:

access-list OUT_IN extended permit tcp any host 69.*.*.* eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
+
access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list OUT_IN extended deny tcp any any eq smtp
access-list OUT_IN extended permit ip any any
=
access-group OUT_IN in interface outside
 
LVL 3

Author Comment

by:adamshields
ID: 34231061
So I need to remove this

access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any

and change it to this?

access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list OUT_IN extended deny tcp any any eq smtp
access-list OUT_IN extended permit ip any any

 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 34231260
Except for the last 2 lines. They are not needed.
Just ADD the following lines to start with. If everything works as you like, then remove the other 4 lines.

access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp


Then be sure to apply this acl to the interface

access-group OUT_IN in interface outside
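As an added example (not code from the thread, from Cisco, or from either expert), the access-group point above can be checked mechanically rather than by eye. The Python script below parses a pasted ASA 8.3 config, lists each static NAT port forward together with whether the ACL actually bound inbound on the outside interface permits it, flags ACLs that are defined but never applied (the OUT_IN situation), and flags an applied inbound ACL that contains a catch-all permit ip any any. It evaluates protocol and port only and ignores the source and destination addresses in each ACE; the embedded sample config is a trimmed, constructed version of the one posted above, and the service-name table is an assumed subset of what the ASA prints.

```python
"""Audit ASA 8.3 port forwards against the ACL actually bound on the outside.
Added example, not the thread's or Cisco's code; matches on protocol/port only
and ignores the source/destination addresses in each ACE (a simplification)."""
import re
from collections import defaultdict

# Service names the ASA prints instead of numbers (assumed subset).
SERVICE_PORTS = {"www": 80, "https": 443, "smtp": 25, "pcanywhere-data": 5631}
OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
NAT_RE = re.compile(r"^\s+nat \((\w+),(\w+)\) static interface service (tcp|udp) (\S+) (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def port_number(token):
    """'8080' -> 8080, 'www' -> 80, unknown service name -> None."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)

def parse_asa(text):
    """Return (object -> host, forwards, acl -> ACEs, (iface, direction) -> acl)."""
    hosts, forwards, acls, applied = {}, [], defaultdict(list), {}
    current = None  # name of the 'object network' block we are inside
    for line in text.splitlines():
        line = line.rstrip()
        if m := OBJECT_RE.match(line):
            current = m.group(1)
        elif (m := HOST_RE.match(line)) and current:
            hosts[current] = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            _real_if, mapped_if, proto, _real, mapped = m.groups()
            forwards.append({"object": current, "mapped_if": mapped_if,
                             "proto": proto, "mapped_port": port_number(mapped)})
        elif m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            port = None  # no 'eq' means any port
            if " eq " in rest:
                # unknown service name -> -1, so it never matches (not "every port")
                port = port_number(rest.split(" eq ")[-1].strip())
                port = -1 if port is None else port
            acls[name].append({"action": action, "proto": proto, "port": port, "text": rest})
        elif m := GROUP_RE.match(line):
            applied[(m.group(3), m.group(2))] = m.group(1)
    return hosts, forwards, acls, applied

def acl_decision(aces, proto, port):
    """First-match evaluation on protocol/port, with the ASA's implicit deny."""
    for ace in aces:
        if ace["proto"] in ("ip", proto) and ace["port"] in (None, port):
            return ace["action"]
    return "deny"

def audit(text):
    """Per-forward verdicts plus config-wide findings."""
    hosts, forwards, acls, applied = parse_asa(text)
    verdicts = []
    for fw in forwards:
        acl_name = applied.get((fw["mapped_if"], "in"))
        if acl_name is None:
            verdict = "blocked: no inbound ACL on %s (lower-to-higher security is denied)" % fw["mapped_if"]
        elif acl_decision(acls[acl_name], fw["proto"], fw["mapped_port"]) == "permit":
            verdict = "permitted by " + acl_name
        else:
            verdict = "blocked: %s has no matching permit" % acl_name
        verdicts.append((hosts.get(fw["object"], "?"), fw["proto"], fw["mapped_port"], verdict))
    findings = ["ACL %s is defined but never applied with access-group" % name
                for name in acls if name not in applied.values()]
    for (iface, direction), name in applied.items():
        if direction == "in" and iface in {fw["mapped_if"] for fw in forwards} and any(
                a["action"] == "permit" and a["proto"] == "ip" and a["text"] == "any any"
                for a in acls[name]):
            findings.append("ACL %s inbound on %s has a catch-all 'permit ip any any'; the ACL "
                            "restricts nothing and only the NAT rules limit what is reachable" % (name, iface))
    return {"verdicts": verdicts, "findings": findings}

# Constructed, trimmed version of the config posted above (first posting).
SAMPLE_BEFORE = """\
object network obj-192.168.1.97-01
 host 192.168.1.97
object network obj-192.168.1.97-02
 host 192.168.1.97
object network obj-192.168.1.97-07
 host 192.168.1.97
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any
object network obj-192.168.1.97-01
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-192.168.1.97-02
 nat (inside,outside) static interface service tcp 2001 2001
object network obj-192.168.1.97-07
 nat (inside,outside) static interface service tcp 8080 8080
access-group smtp_in in interface outside
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("access-group smtp_in in", "access-group OUT_IN in")  # lrmoore's fix

if __name__ == "__main__":
    for cfg in (SAMPLE_BEFORE, SAMPLE_AFTER):
        print(audit(cfg))
```

Run against the config as first posted, the audit reports OUT_IN as defined but never applied and smtp_in's catch-all; because smtp_in ends in permit ip any any, every forward is nevertheless permitted by it, so the interface ACL alone does not explain a closed port. With OUT_IN bound instead, a forward such as 2001 that has a NAT statement but no matching ACE is reported as blocked, which is the mismatch this check is meant to surface.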
 
LVL 3

Author Comment

by:adamshields
ID: 34231407
Still does not work; here is the whole config. The weird thing is that ports 4124, 80 etc. are working.

ASA Version 8.3(1)
!
hostname jasd
domain-name domain

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.7 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.*.*.* 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
object network obj-192.168.1.98
 host 192.168.1.98
object network obj-192.168.1.98-01
 host 192.168.1.98
object network obj-192.168.1.97
 host 192.168.1.97
object network obj-192.168.1.97-01
 host 192.168.1.97
object network obj-192.168.1.97-02
 host 192.168.1.97
object network obj-192.168.1.97-03
 host 192.168.1.97
object network obj-192.168.1.97-04
 host 192.168.1.97
object network obj-192.168.1.101
 host 192.168.1.101
object network obj-192.168.1.98-02
 host 192.168.1.98
object network obj-192.168.1.101-01
 host 192.168.1.101
object network obj-192.168.1.101-02
 host 192.168.1.101
object network obj-192.168.1.2
 host 192.168.1.2
object network obj-192.168.1.11
 host 192.168.1.11
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.97-05
 host 192.168.1.97
object network obj-192.168.1.97-06
 host 192.168.1.97
object network obj-192.168.1.97-07
 host 192.168.1.97
access-list OUT_IN extended permit tcp any host 69.*.*.* eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.1.98
 nat (inside,outside) static interface service tcp 5632 5632
object network obj-192.168.1.98-01
 nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data
object network obj-192.168.1.97
 nat (inside,outside) static interface service tcp 3001 3001
object network obj-192.168.1.97-01
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-192.168.1.97-02
 nat (inside,outside) static interface service tcp 2001 2001
object network obj-192.168.1.97-03
 nat (inside,outside) static interface service tcp 2002 2002
object network obj-192.168.1.97-04
 nat (inside,outside) static interface service tcp 2003 2003
object network obj-192.168.1.101
 nat (inside,outside) static interface service tcp 4124 4124
object network obj-192.168.1.98-02
 nat (inside,outside) static interface service tcp 3389 3389
object network obj-192.168.1.101-01
 nat (inside,outside) static interface service tcp www www
object network obj-192.168.1.101-02
 nat (inside,outside) static interface service tcp https https
object network obj-192.168.1.2
 nat (inside,outside) static interface service tcp 4144 4144
object network obj-192.168.1.11
 nat (inside,outside) static interface service tcp smtp smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.1.97-05
 nat (inside,outside) static interface service tcp 2004 2004
object network obj-192.168.1.97-06
 nat (inside,outside) static interface service tcp 2005 2005
object network obj-192.168.1.97-07
 nat (inside,outside) static interface service tcp 8080 8080
access-group inside_access_in in interface inside
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 69.38.106.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e25f549a9dcd597055de5fdd87d4a365
: end
 
LVL 28

Expert Comment

by:bgoering
ID: 34231748
Are ports 2002 and 8080 listening on 192.168.1.97 if you try to access them from a host on the same inside network?

Try telnet 192.168.1.97 2002
and telnet 192.168.1.97 8080

and see if they connect. If they are not listening on the destination server, then the outside scan will show them as closed.
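As an added example (not from the thread), the listening check bgoering describes, scripted so it can be run from a host on the inside network for every forwarded port at once. It is the same test as telnet to the inside host, but it separates the three answers that matter when triaging a port forward: a refused connection means the service is not listening, so no NAT or ACL change will make the outside scan show the port open; a timeout points at a host firewall or routing; an open port means the firewall side is the next thing to examine. The host and port list is constructed from the NAT statements in the posted config, and the timeout values are assumed.

```python
"""Tell 'server not listening' apart from 'firewall not forwarding'.
Added example, not from the thread: a TCP connect probe run from the inside."""
import errno
import socket


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"          # silently dropped: host firewall or path problem
    except ConnectionRefusedError:
        return "closed"            # RST came back: nothing is listening on that port
    except OSError as exc:
        # No route to the host is indistinguishable from a silent drop for our purpose.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


def check_forwards(forwards, timeout=2.0):
    """forwards: iterable of (inside_host, port). Returns {(host, port): state}."""
    return {(h, p): probe_tcp(h, p, timeout) for h, p in forwards}


def explain(results):
    """One line of triage advice per probe, for an operator on the inside network."""
    advice = {
        "closed": "service not listening; fix the server before touching NAT/ACL",
        "filtered": "no reply; check the host firewall or routing to the inside host",
        "open": "listening; if the outside scan still fails, check NAT and the interface ACL",
    }
    return ["%s:%d %s -> %s" % (h, p, state, advice[state])
            for (h, p), state in results.items()]


if __name__ == "__main__":
    # Constructed list: the ports the posted config forwards to 192.168.1.97.
    FORWARDS = [("192.168.1.97", p) for p in (2000, 2001, 2002, 2003, 2004, 2005, 3001, 8080)]
    for line in explain(check_forwards(FORWARDS)):
        print(line)
```

Run it from a machine on 192.168.1.0/24, not from the firewall's outside; the result table tells you which ports to fix on the server and which, if any, are genuinely a NAT or ACL problem.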
 
LVL 3

Author Closing Comment

by:adamshields
ID: 34232232
You were right with this. It's working now, thanks for your help!!!!
