Solved

Cisco ASA5505 Port Forward issue

Posted on 2010-11-28
Last Modified: 2012-05-10
I am having issues with forwarding some ports. Port 2000 and port 8080 are not showing up as open ports when doing a scan from an external host. Here is my config. What am I doing wrong?

ASA Version 8.3(1)
!
hostname

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.7 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.*.*.* 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
object network obj-192.168.1.98
 host 192.168.1.98
object network obj-192.168.1.98-01
 host 192.168.1.98
object network obj-192.168.1.97
 host 192.168.1.97
object network obj-192.168.1.97-01
 host 192.168.1.97
object network obj-192.168.1.97-02
 host 192.168.1.97
object network obj-192.168.1.97-03
 host 192.168.1.97
object network obj-192.168.1.97-04
 host 192.168.1.97
object network obj-192.168.1.101
 host 192.168.1.101
object network obj-192.168.1.98-02
 host 192.168.1.98
object network obj-192.168.1.101-01
 host 192.168.1.101
object network obj-192.168.1.101-02
 host 192.168.1.101
object network obj-192.168.1.2
 host 192.168.1.2
object network obj-192.168.1.11
 host 192.168.1.11
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.97-05
 host 192.168.1.97
object network obj-192.168.1.97-06
 host 192.168.1.97
object network obj-192.168.1.97-07
 host 192.168.1.97
access-list OUT_IN extended permit tcp any host 69.*.*.* eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.1.98
 nat (inside,outside) static interface service tcp 5632 5632
object network obj-192.168.1.98-01
 nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data
object network obj-192.168.1.97
 nat (inside,outside) static interface service tcp 3001 3001
object network obj-192.168.1.97-01
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-192.168.1.97-02
 nat (inside,outside) static interface service tcp 2001 2001
object network obj-192.168.1.97-03
 nat (inside,outside) static interface service tcp 2002 2002
object network obj-192.168.1.97-04
 nat (inside,outside) static interface service tcp 2003 2003
object network obj-192.168.1.101
 nat (inside,outside) static interface service tcp 4124 4124
object network obj-192.168.1.98-02
 nat (inside,outside) static interface service tcp 3389 3389
object network obj-192.168.1.101-01
 nat (inside,outside) static interface service tcp www www
object network obj-192.168.1.101-02
 nat (inside,outside) static interface service tcp https https
object network obj-192.168.1.2
 nat (inside,outside) static interface service tcp 4144 4144
object network obj-192.168.1.11
 nat (inside,outside) static interface service tcp smtp smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.1.97-05
 nat (inside,outside) static interface service tcp 2004 2004
object network obj-192.168.1.97-06
 nat (inside,outside) static interface service tcp 2005 2005
object network obj-192.168.1.97-07
 nat (inside,outside) static interface service tcp 8080 8080
access-group inside_access_in in interface inside
access-group smtp_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4a450f4adcab22d0e538372
: end
Question by:adamshields
Expert Comment by lrmoore (ID: 34230223)
>access-group smtp_in in interface outside
You only have the smtp_in ACL applied to the outside interface. You need to combine the two ACLs:

access-list OUT_IN extended permit tcp any host 69.*.*.* eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
+
access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list OUT_IN extended deny tcp any any eq smtp
access-list OUT_IN extended permit ip any any
=
access-group OUT_IN in interface outside
Author Comment by adamshields (ID: 34231061)
So I need to remove this

access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any

and change it to this?

access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list OUT_IN extended deny tcp any any eq smtp
access-list OUT_IN extended permit ip any any

Accepted Solution by lrmoore (earned 500 total points, ID: 34231260)
Except for the last 2 lines. They are not needed.
Just ADD the following lines to start with. If everything works as you like, then remove the other 4 lines.

access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp


Then be sure to apply this acl to the interface

access-group OUT_IN in interface outside
Author Comment by adamshields (ID: 34231407)
Still does not work. Here is the whole config. The weird thing is that ports 4124, 80, etc. are working.

ASA Version 8.3(1)
!
hostname jasd
domain-name domain

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.7 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.*.*.* 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa831-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
object network obj-192.168.1.98
 host 192.168.1.98
object network obj-192.168.1.98-01
 host 192.168.1.98
object network obj-192.168.1.97
 host 192.168.1.97
object network obj-192.168.1.97-01
 host 192.168.1.97
object network obj-192.168.1.97-02
 host 192.168.1.97
object network obj-192.168.1.97-03
 host 192.168.1.97
object network obj-192.168.1.97-04
 host 192.168.1.97
object network obj-192.168.1.101
 host 192.168.1.101
object network obj-192.168.1.98-02
 host 192.168.1.98
object network obj-192.168.1.101-01
 host 192.168.1.101
object network obj-192.168.1.101-02
 host 192.168.1.101
object network obj-192.168.1.2
 host 192.168.1.2
object network obj-192.168.1.11
 host 192.168.1.11
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.1.97-05
 host 192.168.1.97
object network obj-192.168.1.97-06
 host 192.168.1.97
object network obj-192.168.1.97-07
 host 192.168.1.97
access-list OUT_IN extended permit tcp any host 69.*.*.* eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list OUT_IN extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.1.98
 nat (inside,outside) static interface service tcp 5632 5632
object network obj-192.168.1.98-01
 nat (inside,outside) static interface service tcp pcanywhere-data pcanywhere-data
object network obj-192.168.1.97
 nat (inside,outside) static interface service tcp 3001 3001
object network obj-192.168.1.97-01
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-192.168.1.97-02
 nat (inside,outside) static interface service tcp 2001 2001
object network obj-192.168.1.97-03
 nat (inside,outside) static interface service tcp 2002 2002
object network obj-192.168.1.97-04
 nat (inside,outside) static interface service tcp 2003 2003
object network obj-192.168.1.101
 nat (inside,outside) static interface service tcp 4124 4124
object network obj-192.168.1.98-02
 nat (inside,outside) static interface service tcp 3389 3389
object network obj-192.168.1.101-01
 nat (inside,outside) static interface service tcp www www
object network obj-192.168.1.101-02
 nat (inside,outside) static interface service tcp https https
object network obj-192.168.1.2
 nat (inside,outside) static interface service tcp 4144 4144
object network obj-192.168.1.11
 nat (inside,outside) static interface service tcp smtp smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.1.97-05
 nat (inside,outside) static interface service tcp 2004 2004
object network obj-192.168.1.97-06
 nat (inside,outside) static interface service tcp 2005 2005
object network obj-192.168.1.97-07
 nat (inside,outside) static interface service tcp 8080 8080
access-group inside_access_in in interface inside
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 69.38.106.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 5
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e25f549a9dcd597055de5fdd87d4a365
: end
Expert Comment by bgoering (ID: 34231748)
Are ports 2002 and 8080 listening on 192.168.1.97 if you try to access them from a host on the same inside network?

Try telnet 192.168.1.97 2002
and telnet 192.168.1.97 8080

and see if they connect. If they are not listening on the destination server, then the outside scan will show them as closed.
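The two checks the experts describe above, the ACL-binding check from lrmoore's answer and the is-it-listening check from bgoering's comment, can be scripted so they are repeatable. The following is an added example for this thread; it is not code from the thread, from Cisco, or from either poster. It assumes ASA 8.3-style `object network` NAT (`service tcp <real_port> <mapped_port>`), `extended` ACEs of the shape used in the posted config, first-match ACL semantics, TCP forwards only, and a small table of the service names the ASA prints instead of numbers. The sample configs are constructed excerpts modelled on the posted one, not the full config.

```python
"""Audit ASA static port forwards against the ACL bound to the outside
interface, then confirm the inside host listens (added example)."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Service names the ASA prints instead of numbers (assumption: subset is enough).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pcanywhere-data": 5631}


def port_num(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


@dataclass
class Forward:
    obj: str           # object network name
    inside_host: str   # real address behind the NAT
    inside_port: int   # real port on that host
    outside_port: int  # mapped port on the outside interface


@dataclass
class Ace:
    acl: str
    action: str          # permit | deny
    proto: str           # ip | tcp | ...
    src_any: bool        # True when the source field is "any"
    port: Optional[int]  # destination port from "eq", None = any port


NAT_RE = re.compile(r"nat \(inside,outside\) static interface service tcp (\S+) (\S+)$")
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.*)$")


def parse(config: str):
    """Collect static forwards, ACEs (in order) and interface->ACL bindings."""
    hosts, forwards, aces, bound = {}, [], [], {}
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            cur = line.split()[2]
        elif line.startswith("host ") and cur:
            hosts[cur] = line.split()[1]
        elif (m := NAT_RE.match(line)) and cur:   # ASA order: <real_port> <mapped_port>
            forwards.append(Forward(cur, hosts.get(cur, "?"),
                                    port_num(m.group(1)), port_num(m.group(2))))
        elif m := ACE_RE.match(line):
            rest = m.group(4)
            eq = re.search(r"\beq (\S+)$", rest)
            aces.append(Ace(m.group(1), m.group(2), m.group(3), rest.startswith("any "),
                            port_num(eq.group(1)) if eq else None))
        elif line.startswith("access-group "):
            t = line.split()                       # access-group NAME in interface IFACE
            bound[t[4]] = t[1]
    return forwards, aces, bound


def audit(config: str) -> dict:
    """Map (inside_host, outside_port) -> verdict for every static forward.

    Verdict is the action of the first ACE in the ACL bound to 'outside' that
    matches TCP to that port from an arbitrary source (as an external scan
    would be); 'implicit deny' when no ACE matches; 'no ACL bound to outside'
    when nothing is bound, since the ASA then drops unsolicited inbound
    traffic from the lower-security interface."""
    forwards, aces, bound = parse(config)
    acl = bound.get("outside")
    verdicts = {}
    for f in forwards:
        key = (f.inside_host, f.outside_port)
        if acl is None:
            verdicts[key] = "no ACL bound to outside"
            continue
        verdict = "implicit deny"
        for a in aces:
            if a.acl != acl or a.proto not in ("ip", "tcp"):
                continue
            if a.port is not None and a.port != f.outside_port:
                continue
            if not a.src_any:      # source-restricted ACE does not cover an arbitrary scanner
                continue
            verdict = a.action
            break
        verdicts[key] = verdict
    return verdicts


def listens(host: str, port: int, timeout: float = 2.0) -> bool:
    """The inside-network check from the thread ('telnet host port') as a TCP
    connect from a host on the inside network: True only if the port accepts."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


OBJECTS = """\
object network obj-192.168.1.97-01
 host 192.168.1.97
object network obj-192.168.1.97-07
 host 192.168.1.97
object network obj-192.168.1.11
 host 192.168.1.11
"""
NATS = """\
object network obj-192.168.1.97-01
 nat (inside,outside) static interface service tcp 2000 2000
object network obj-192.168.1.97-07
 nat (inside,outside) static interface service tcp 8080 8080
object network obj-192.168.1.11
 nat (inside,outside) static interface service tcp smtp smtp
"""
# Constructed excerpt of the first posted config: OUT_IN exists, but only
# smtp_in (which ends in a catch-all permit) is bound to the outside interface.
SAMPLE_AS_POSTED = OBJECTS + """\
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp any any eq 8080
access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any
""" + NATS + "access-group smtp_in in interface outside\n"
# Constructed variant: OUT_IN bound, no catch-all, and no ACE for 8080.
SAMPLE_STRICT = OBJECTS + """\
access-list OUT_IN extended permit tcp any any eq 2000
access-list OUT_IN extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
""" + NATS + "access-group OUT_IN in interface outside\n"

if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_AS_POSTED), ("strict", SAMPLE_STRICT)):
        print(f"-- {name}")
        for (host, port), verdict in audit(cfg).items():
            print(f"  outside tcp/{port} -> {host}: {verdict}")
```

Run it against a saved `show running-config` to get one verdict per forward; a forward whose verdict is `permit` but which still scans closed from outside is the case bgoering describes, and `listens(inside_host, inside_port)` run from an inside host settles it. A `deny` on the smtp forward in the as-posted sample is expected: only the two listed source ranges may reach it, so an external scan from elsewhere will show it closed even though nothing is wrong.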
Author Closing Comment by adamshields (ID: 34232232)
You were right with this. It's working now, thanks for your help!!!!