Opening a TCP port on ASA 5505

We need to open port 2570 to all TCP traffic. I've tried to do this before with instructions from the Internet but somehow I always manage to cut the firewall off from the Internet. I think I screw up the access list.

What's the definitive method?

Thanks!
Asked by: d4nnyo
1 Solution
 
Ernie Beek commented:
Normally:

static (inside,outside) tcp outside_ip 2570 inside_ip 2570 netmask 255.255.255.255

access-list outside permit tcp any host outside_ip eq 2570

access-group outside in interface outside
 
Ernie Beek commented:
Oh, if your ASA version is > 8.3 it's slightly different.
 
Ernie Beek commented:
8.3 and higher:

object network obj-inside_ip
host inside_ip
nat (DMZ,outside) static outside_ip

access-list outside_in extended permit tcp any host inside_ip eq 2570
 
Ernie Beek commented:
Or, for just that port:

object network obj-inside_ip
host inside_ip
nat (DMZ,outside) static outside_ip service tcp 2570 2570

access-list outside_in extended permit tcp any host inside_ip eq 2570
 
Ernie Beek commented:
And last, DMZ should be inside.

That's what can happen if you do copy/paste :-~
 
Pete Long (Consultant) commented:
Inbound or outbound? erniebeek has covered all inbound scenarios.

If it's outbound then simply add another line to the existing outbound ACL :)

access-list {existing outbound ACL} permit tcp any any eq 2570

Pete
 
d4nnyo (Author) commented:
Actually, I need to open traffic to IP 10.0.20.29, and I'm guessing inbound and outbound. What are the statements for that?

IOS version 8.2.
 
Ernie Beek commented:
That implies you want 10.0.20.29 to exclusively have its own public IP?

So if you have additional public IPs you can do that:

static (inside,outside) outside_ip 10.0.20.29 netmask 255.255.255.255
access-list outside permit tcp any host outside_ip eq 2570
access-group outside in interface outside


This way you open up port 2570 to 10.0.20.29 and also make sure that if 10.0.20.29 goes out to the internet it uses outside_ip instead of the default public defined by the nat and global statements.
 
d4nnyo (Author) commented:
OK, so the goal is to open up tcp traffic to the ip 10.0.20.29 over port 2570, through the outside interface. Sounds simple enough, but on these ASAs...

When I enter this command: static (inside,outside) outside_ip 10.0.20.29 netmask 255.255.255.255

This is the result:

Result of the command: "static (inside,outside) 72.x.x.x 10.0.20.29 netmask 255.255.255.255"

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

What am I doing wrong?
 
Ernie Beek commented:
Ok, that means the 72.x.x.x is the address on the outside interface. If that is the only public address you have, you can't do a 1-to-1 NAT on that.

So you'll need to do:

static (inside,outside) tcp interface 2570 10.0.20.29 2570 netmask 255.255.255.255
access-list outside permit tcp any host 72.x.x.x eq 2570
access-group outside in interface outside


In this case the 10.0.20.29 will be natted to the 72.x.x.x when going on to the internet (so no problem there).

If you have more than one public address at your disposal you can still use:

static (inside,outside) outside_ip 10.0.20.29 netmask 255.255.255.255
access-list outside permit tcp any host outside_ip eq 2570
access-group outside in interface outside


taking another public address.
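The thread turns on two details that are easy to get wrong: on 8.2 and earlier the inbound ACL names the mapped (public) address, on 8.3 and later it names the real (inside) address, and a public address that is the outside interface's own IP can only carry a per-port static PAT (the `interface` keyword), never a 1:1 static for one host. The Python below is an added example, not code from this thread or from Cisco; it generates the statements for both firmware families from one description of the forward and refuses the combination the ASA itself rejected above. The function names, the ACL names and the 203.0.113.x addresses (standing in for the thread's 72.x.x.x) are assumptions.

```python
"""Emit Cisco ASA statements for an inbound TCP port-forward.

Added example, not code from the thread. It encodes the two points the
thread turns on: ACLs on 8.2 and earlier name the *mapped* (public)
address while ACLs on 8.3+ name the *real* (inside) address, and a mapped
address that is the outside interface's own IP cannot be dedicated to one
host with a 1:1 static, only used for a per-port static PAT via the
'interface' keyword. Function names and ACL names are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    real_ip: str              # inside host, e.g. 10.0.20.29
    mapped_ip: str            # public address the service is exposed on
    port: int                 # TCP port to expose
    outside_if_ip: str        # address configured on the outside interface
    one_to_one: bool = False  # dedicate the whole mapped IP to the host


def _validate(pf: PortForward) -> None:
    """Reject malformed input before any statement is produced."""
    for addr in (pf.real_ip, pf.mapped_ip, pf.outside_if_ip):
        ipaddress.ip_address(addr)  # raises ValueError on garbage
    if not 1 <= pf.port <= 65535:
        raise ValueError(f"invalid TCP port {pf.port}")
    if pf.one_to_one and pf.mapped_ip == pf.outside_if_ip:
        # The condition behind the thread's "Static PAT using the interface
        # requires the use of the 'interface' keyword" error: the interface
        # address carries the firewall's own traffic and cannot be handed
        # wholesale to one inside host.
        raise ValueError("mapped address is the outside interface IP; "
                         "use a per-port static PAT or a spare public address")


def pre_83_config(pf: PortForward, acl: str = "outside") -> list[str]:
    """ASA 8.2 and earlier: the ACL matches the mapped (public) address."""
    _validate(pf)
    if pf.one_to_one:
        static = (f"static (inside,outside) {pf.mapped_ip} {pf.real_ip} "
                  "netmask 255.255.255.255")
    else:
        # Using the interface's own address requires the keyword, not the IP.
        mapped = "interface" if pf.mapped_ip == pf.outside_if_ip else pf.mapped_ip
        static = (f"static (inside,outside) tcp {mapped} {pf.port} "
                  f"{pf.real_ip} {pf.port} netmask 255.255.255.255")
    return [
        static,
        f"access-list {acl} extended permit tcp any host {pf.mapped_ip} eq {pf.port}",
        f"access-group {acl} in interface outside",
    ]


def post_83_config(pf: PortForward, acl: str = "outside_in") -> list[str]:
    """ASA 8.3 and later: object NAT, and the ACL matches the real address."""
    _validate(pf)
    mapped = "interface" if pf.mapped_ip == pf.outside_if_ip else pf.mapped_ip
    nat = f" nat (inside,outside) static {mapped}"
    if not pf.one_to_one:
        nat += f" service tcp {pf.port} {pf.port}"  # real port, mapped port
    return [
        f"object network obj-{pf.real_ip}",
        f" host {pf.real_ip}",
        nat,
        f"access-list {acl} extended permit tcp any host {pf.real_ip} eq {pf.port}",
        f"access-group {acl} in interface outside",
    ]


if __name__ == "__main__":
    # Constructed sample: 203.0.113.1 stands in for the thread's 72.x.x.x
    # outside-interface address; the inside host is the one from the thread.
    pf = PortForward("10.0.20.29", "203.0.113.1", 2570, "203.0.113.1")
    print("\n".join(pre_83_config(pf)))
    print()
    print("\n".join(post_83_config(pf)))
```

Run as-is it prints the 8.2-style and 8.3-style statements for the single-public-address case; set `one_to_one=True` together with a spare `mapped_ip` to get the dedicated-address variant, and note that the same flag with the interface address raises before anything is emitted, which is the check that would have saved the lockout described at the top of the thread.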
 
d4nnyo (Author) commented:
This solution did not apply.
 
Ernie Beek commented:
?

Could you elaborate on what's wrong?
If the solution doesn't apply we might need to look for another way. Or did you find one yourself? If so, let us know.
 
d4nnyo (Author) commented:
The firewall config was disrupted by this solution.