ASA 5510 - allow port 5008 to inside host

Hi all,

I need to allow traffic coming in from the web to an inside host on udp port 5008, the return traffic would need to go back out the default gateway of the ASA. The server that traffic needs to connect to is on a 192.68.5.x network. What is the best way to implement this into my current config? I was thinking of adding an access-list allowing the public IP access in with port 5008 and a static translation with the public / private ip. Below is my current config:

ASA Version 8.2(1) 
hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 
interface Management0/0
 nameif management
 security-level 100
 ip address 
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxxxxxxxxxxxxxx
access-list outside_access_in extended permit tcp any host eq www 
access-list DMZtoInside extended permit tcp host host 192.168.5.xx eq 1433 
access-list DMZtoInside extended deny ip any 
access-list DMZtoInside extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1
nat (DMZ) 1
nat (management) 1
static (DMZ,outside) tcp www www netmask 
static (DMZ,outside) tcp https https netmask 
static (inside,DMZ) 192.168.5.xx 192.168.5.xx netmask 
access-group outside_access_in in interface outside
access-group DMZtoInside in interface DMZ
route outside 1
route inside 192.168.5.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end
no asdm history enable

Switch port config below

interface FastEthernet0/15
 switchport access vlan 15
 switchport mode dynamic desirable <---I need to change to switchport mode access to secure, forgot!

interface Vlan15
 ip address

ip route

InteraX Commented:
The source IP of a packet would the public IP of the originating device. The destination IP will start being your public IP, but once the packet goes through the NAT process, the destination IP changes to the private IP of your server. The switch will only work at layer 2 and should see the source mac after the firewall as that mac of the firewall and the destination mac as the mac of the server. This is assuming ARP is working correctly.
The following commands should suffice. Just put in the relevant public IP you need where I have highlighted and complete the inside IP for the static nat.

static (inside,outside) udp <outside_ip> 5008 192.168.5.xx 5008 netmask
access-list outside_access_in extended permit udp any host <outside_ip> eq 5008
wayy2beAuthor Commented:
I added the above and it will not connect. I ran packet tracer and from both the outside and inside interface and it said "flow denied by configured rule".

can you post the result of 'sh xlate' and 'sh access-list outside_access_in'.
wayy2beAuthor Commented:
sh xlate
5 in use, 7 most used
Global Local
Global Local
PAT Global <Public IP>(80) Local
PAT Global <Public IP>(443) Local
PAT Global <Public IP>(5008) Local
sh access-list outside_access_in
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 remark Permit traffic from Internet
access-list outside_access_in line 2 extended permit tcp any host <Public IP>(eq www (hitcnt=4657) 0xb3e8f076
access-list outside_access_in line 3 extended permit udp any host <Public IP>(eq 5008 (hitcnt=27) 0x422c2ed2
wayy2beAuthor Commented:
So for some reason the packet is being dropped? I noticed that the outside interface IP address is on the same subnet as the DMZ interface, shouldn't these two IPs be completely different? Or at least like for the outside interface and leave the DMZ as it is? What is best practice? Thanks
The outside and DMZ should be 2 different subnets, otherwise routing will get messed up. Are you NATing this to the interface IP? If so, you should use the interface keyword instead of the IP.
wayy2beAuthor Commented:
What I did was change the following:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

So now the DMZ is at 172.16.75.x and the inside is at 172.16.85.x. But I still cannot connect to the server on the inside on port 5008 even after adding the following:

access-list outside_access_in extended permit udp any host <PUBLIC IP> eq 5008
static (inside,outside) <PUBLIC IP> netmask

Are you trying to connect to an outside IP on the ASA from an internal IP? If so, this is not allowed. Is the traffic coming from an external device?
wayy2beAuthor Commented:
The traffic is coming in from the Internet and hits a public IP that has a static to an inside IP, then the traffic should connect on port 5008. But somewhere the packet is getting dropped.
wayy2beAuthor Commented:
I am starting to think that this is not a firewall issue and a layer 3 issue. What IP address would a packet have that came in to the ASA from a public IP and connected with the server at 192.168.5.x? I think the switch does not know where to send the packet back to. But what IP address would that packet have?
wayy2beAuthor Commented:
When I do a sh conn on the ASA I see the public IP and private IP on port 5008, this is why I believe the traffic is not getting returned.
Can you post an example of the sh conn entries you are talking about.
wayy2beAuthor Commented:
I don't have the actual screenshot of the sh conn, but it looked like this:

udp <PUBLIC IP> in <PRIVATE IP>:5008 idle bytes 4353

I think I found the problem. The traffic in question is coming from remote sales people that are trying to connect via air cards. When they make the connection the VPN software that is sitting on a server inside the LAN behind the ASA attempts to connect on port 5008, so it contacts the 3550 switch and the packet hits the port but on the return trip the 3550 does not know how to handle the return, since there are multiple gateways and there is no route in place to handle the public IP range of the air cards. If I put a route in the 3550 telling it to route the IP range of the public IP addresses that the air cards are using and give them the gateway it would probably work. However I see several security issues with that. Is there a work around for this type of issue, assuming it is the issue?
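Added example, not configuration from the thread: it puts together the static PAT on the outside interface address (the "interface keyword" suggestion earlier in the thread), the matching ACL entry, the ASA verification commands, and the Catalyst 3550 route that sends return traffic back to the ASA instead of another gateway. `<OUTSIDE_IP>` and `<ASA_INSIDE_IP>` are placeholders, 192.168.5.xx is the redacted inside server from the thread, and 198.51.100.7 is a constructed test source address.

```cisco
! ---- ASA 8.2 side ----
! Translate UDP/5008 on the outside interface address to the inside server.
! Using "interface" instead of a hard-coded public IP keeps the entry valid
! if the outside address changes; the netmask is required for a static entry.
static (inside,outside) udp interface 5008 192.168.5.xx 5008 netmask 255.255.255.255

! Permit only UDP/5008 to the outside interface address; everything else on
! outside_access_in (the existing www line) is unchanged.
access-list outside_access_in extended permit udp any interface outside eq 5008
access-group outside_access_in in interface outside

! Verification on the ASA: trace a constructed inbound packet, then confirm the
! translation and the connection entry exist after a real test from outside.
packet-tracer input outside udp 198.51.100.7 40000 <OUTSIDE_IP> 5008
show xlate | include 5008
show conn protocol udp port 5008

! ---- Catalyst 3550 side (layer 3 switch on the inside) ----
! The server's reply is addressed to the remote user's public IP. The 3550 must
! hand that reply back to the ASA, which undoes the NAT, rather than to another
! gateway. A default route toward the ASA covers every remote public range, so
! no per-carrier routes for the air cards' address blocks are needed; routes
! for other internal networks stay as they are.
ip routing
ip route 0.0.0.0 0.0.0.0 <ASA_INSIDE_IP>

! The port toward the server should not negotiate trunking (the "dynamic
! desirable" setting noted above); lock it to an access port on VLAN 15.
interface FastEthernet0/15
 switchport access vlan 15
 switchport mode access
 switchport nonegotiate

! Verification on the 3550: the next hop for a remote public address must be
! the ASA inside interface, and the server's subnet must be directly connected.
show ip route 198.51.100.7
show ip route 192.168.5.0
```

If `packet-tracer` reports the packet allowed but `show conn` shows the UDP entry with no reply bytes, the drop is on the return path through the 3550, not on the ASA.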
wayy2beAuthor Commented:
The switch is a layer 3 device, Catalyst 3550. I don't think I mentioned that before.
Robert Sutton Jr, Senior Network Manager, Commented:
You are missing:
same-security-traffic permit intra-interface
same-security-traffic permit inter-interface

Let us know.
wayy2beAuthor Commented:
Thanks Warlock! I am not familiar with that command. Do I just enter it as above? Will it have any negative effects (security wise) on the DMZ? I won't be able to try it until Monday :S
wayy2beAuthor Commented:
The ASA is new to me. I worked on PIXs for years. I need to study up!
Robert Sutton Jr, Senior Network Manager, Commented:
FWIW; Here's a description from the Cisco website to help you understand a little better:

Also Note: All traffic allowed by the "same-security-traffic intra-interface" command is still subject to firewall rules.

Hope this helps.
wayy2beAuthor Commented:
Question not answered but since the problem is not the ASA I am closing this question and awarding points to those that tried to help. I will then repost the question in the correct zone. Thanks