Solved

Cisco ASA5505 Port Forward issue

Posted on 2010-11-28
927 Views
Last Modified: 2012-05-10
I am having issues with forwarding some ports. Port 2000 and port 8080 are not showing up as open ports when doing a scan from an external host. Here is my config. What am I doing wrong?

ASA Version 8.3(1)
!
hostname

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.7 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.*.*.*.* 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
object network obj-192.168.1.98
 host 192.168.1.98
object network obj-192.168.1.98-01
 host 192.168.1.98
object network obj-192.168.1.97
 host 192.168.1.97
object network obj-192.168.1.97-01
 host 192.168.1.97
object network obj-192.168.1.97-02
 host 192.168.1.97
object network obj-192.168.1.97-03
 host 192.168.1.97
object network obj-192.168.1.97-04
 host 192.168.1.97
object network obj-192.168.1.101
 host 192.168.1.101
object network obj-192.168.1.98-02
 host 192.168.1.98
object network obj-192.168.1.101-01
 host 192.168.1.101
object network obj-192.168.1.101-02
 host 192.168.1.101
object network obj-192.168.1.2
 host 192.168.1.2
object network obj-192.168.1.11
 host 192.168.1.11
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.97-05
 host 192.168.1.97
object network obj-192.168.1.97-06
 host 192.168.1.97
object network obj-192.168.1.97-07
 host 192.168.1.97
access-list OUT_IN extended permit tcp any host 69.*.*.* eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.1.98
 nat (inside,outside) static interface service tcp 5632 5632
object network obj-192.168.1.98-01
 nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data
object network obj-192.168.1.97
 nat (inside,outside) static interface service tcp 3001 3001
object network obj-192.168.1.97-01
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-192.168.1.97-02
 nat (inside,outside) static interface service tcp 2001 2001
object network obj-192.168.1.97-03
 nat (inside,outside) static interface service tcp 2002 2002
object network obj-192.168.1.97-04
 nat (inside,outside) static interface service tcp 2003 2003
object network obj-192.168.1.101
 nat (inside,outside) static interface service tcp 4124 4124
object network obj-192.168.1.98-02
 nat (inside,outside) static interface service tcp 3389 3389
object network obj-192.168.1.101-01
 nat (inside,outside) static interface service tcp www www
object network obj-192.168.1.101-02
 nat (inside,outside) static interface service tcp https https
object network obj-192.168.1.2
 nat (inside,outside) static interface service tcp 4144 4144
object network obj-192.168.1.11
 nat (inside,outside) static interface service tcp smtp smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.1.97-05
 nat (inside,outside) static interface service tcp 2004 2004
object network obj-192.168.1.97-06
 nat (inside,outside) static interface service tcp 2005 2005
object network obj-192.168.1.97-07
 nat (inside,outside) static interface service tcp 8080 8080
access-group inside_access_in in interface inside
access-group smtp_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4a450f4adcab22d0e538372
: end
Question by:adamshields
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 34230223
>access-group smtp_in in interface outside
You only have the smtp_in ACL applied to the outside interface. You need to combine the 2 ACLs:

access-list OUT_IN extended permit tcp any host 69.*.*.* eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
+
access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list OUT_IN extended deny tcp any any eq smtp
access-list OUT_IN extended permit ip any any
=
access-group OUT_IN in interface outside
 
LVL 3

Author Comment

by:adamshields
ID: 34231061
So I need to remove this

access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any

and change it to this?

access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list OUT_IN extended deny tcp any any eq smtp
access-list OUT_IN extended permit ip any any

 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 34231260
Except for the last 2 lines. They are not needed.
Just ADD the following lines to start with. If everything works as you like, then remove the other 4 lines.

access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp


Then be sure to apply this acl to the interface

access-group OUT_IN in interface outside
 
LVL 3

Author Comment

by:adamshields
ID: 34231407
Still does not work; here is the whole config. The weird thing is port 4124, 80 etc... are working.

ASA Version 8.3(1)
!
hostname jasd
domain-name domain

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.7 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.*.*.* 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
object network obj-192.168.1.98
 host 192.168.1.98
object network obj-192.168.1.98-01
 host 192.168.1.98
object network obj-192.168.1.97
 host 192.168.1.97
object network obj-192.168.1.97-01
 host 192.168.1.97
object network obj-192.168.1.97-02
 host 192.168.1.97
object network obj-192.168.1.97-03
 host 192.168.1.97
object network obj-192.168.1.97-04
 host 192.168.1.97
object network obj-192.168.1.101
 host 192.168.1.101
object network obj-192.168.1.98-02
 host 192.168.1.98
object network obj-192.168.1.101-01
 host 192.168.1.101
object network obj-192.168.1.101-02
 host 192.168.1.101
object network obj-192.168.1.2
 host 192.168.1.2
object network obj-192.168.1.11
 host 192.168.1.11
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.97-05
 host 192.168.1.97
object network obj-192.168.1.97-06
 host 192.168.1.97
object network obj-192.168.1.97-07
 host 192.168.1.97
access-list OUT_IN extended permit tcp any host 69.*.*.* eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.1.98
 nat (inside,outside) static interface service tcp 5632 5632
object network obj-192.168.1.98-01
 nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data
object network obj-192.168.1.97
 nat (inside,outside) static interface service tcp 3001 3001
object network obj-192.168.1.97-01
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-192.168.1.97-02
 nat (inside,outside) static interface service tcp 2001 2001
object network obj-192.168.1.97-03
 nat (inside,outside) static interface service tcp 2002 2002
object network obj-192.168.1.97-04
 nat (inside,outside) static interface service tcp 2003 2003
object network obj-192.168.1.101
 nat (inside,outside) static interface service tcp 4124 4124
object network obj-192.168.1.98-02
 nat (inside,outside) static interface service tcp 3389 3389
object network obj-192.168.1.101-01
 nat (inside,outside) static interface service tcp www www
object network obj-192.168.1.101-02
 nat (inside,outside) static interface service tcp https https
object network obj-192.168.1.2
 nat (inside,outside) static interface service tcp 4144 4144
object network obj-192.168.1.11
 nat (inside,outside) static interface service tcp smtp smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.1.97-05
 nat (inside,outside) static interface service tcp 2004 2004
object network obj-192.168.1.97-06
 nat (inside,outside) static interface service tcp 2005 2005
object network obj-192.168.1.97-07
 nat (inside,outside) static interface service tcp 8080 8080
access-group inside_access_in in interface inside
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 69.38.106.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e25f549a9dcd597055de5fdd87d4a365
: end
 
LVL 28

Expert Comment

by:bgoering
ID: 34231748
Are ports 2002 and 8080 listening on 192.168.1.97 if you try to access them from a host on the same inside network?

Try telnet 192.168.1.97 2002
and telnet 192.168.1.97 8080

and see if they connect. If they are not listening on the destination server, then the outside scan will show them as closed.
 
LVL 3

Author Closing Comment

by:adamshields
ID: 34232232
You were right with this. It's working now, thanks for your help!!!!
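As an added example (not from the thread or from Cisco), a small Python lint that reads an ASA 8.3-style config, pairs each static NAT port forward with the ACL bound inbound on its mapped interface, and reports ACLs that are defined but never applied, covering both lrmoore's point (OUT_IN was not applied) and bgoering's (if the ACL already permits the port, look at the host). It evaluates only protocol and port, not source addresses, and the constructed excerpt plus the small port-name table are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the first config in the question:
# OUT_IN is defined, but only smtp_in is bound to the outside interface.
SAMPLE_CONFIG = """
object network obj-192.168.1.97-01
 host 192.168.1.97
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
access-list OUT_IN extended permit tcp any any eq 4124
access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any
object network obj-192.168.1.97-01
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-192.168.1.97-07
 nat (inside,outside) static interface service tcp 8080 8080
object network obj-192.168.1.101
 nat (inside,outside) static interface service tcp 4124 4124
access-group smtp_in in interface outside
"""

# Assumed name-to-number table for the service names used in this thread.
PORT_NAMES = {"www": "80", "https": "443", "smtp": "25", "pcanywhere-data": "5631"}
NAT_RE = re.compile(r"^ nat \((\w+),(\w+)\) static \S+ service (tcp|udp) (\S+) (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\w+) (.*?)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def port_num(name):
    return PORT_NAMES.get(name, name)


def audit(config: str) -> dict:
    """Return unapplied ACLs and, per static port forward, the ACL verdict."""
    forwards, aces, applied = [], defaultdict(list), {}
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            # (mapped interface, protocol, mapped/outside port)
            forwards.append((m.group(2), m.group(3), port_num(m.group(5))))
        elif m := ACE_RE.match(line):
            port = port_num(m.group(5)) if m.group(5) else None
            aces[m.group(1)].append((m.group(2), m.group(3), port))
        elif m := GROUP_RE.match(line):
            applied[m.group(2)] = m.group(1)  # interface -> ACL name
    report = {"unapplied_acls": [a for a in aces if a not in applied.values()],
              "forwards": []}
    for ifc, proto, port in forwards:
        acl, verdict = applied.get(ifc), "implicit deny"
        for action, aproto, aport in aces.get(acl, []):
            # First matching ACE wins; 'ip' matches every protocol/port.
            if aproto == "ip" or (aproto == proto and aport in (None, port)):
                verdict = action
                break
        report["forwards"].append({"interface": ifc, "proto": proto,
                                   "port": port, "acl": acl, "verdict": verdict})
    return report
```

On this excerpt it flags OUT_IN as unapplied, yet every forward is permitted by smtp_in's trailing `permit ip any any`, so the firewall was not blocking tcp/2000 or tcp/8080 and the listening check bgoering suggested was the right next step.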