Solved

ASA 5510 - allow port 5008 to inside host

Posted on 2011-09-20
Last Modified: 2012-05-12
Hi all,

I need to allow traffic coming in from the web to an inside host on udp port 5008, the return traffic would need to go back out the default gateway of the ASA. The server that traffic needs to connect to is on a 192.68.5.x network. What is the best way to implement this into my current config? I was thinking of adding an access-list allowing the public IP access in with port 5008 and a static translation with the public / private ip. Below is my current config:
ASA Version 8.2(1) 
!
hostname fw
domain-name xxxxx
enable password k4HlcGX2lC1ypFOm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.75.254 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address 192.168.75.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxxxxxxxxxxxxxx
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq www 
access-list DMZtoInside extended permit tcp host 192.168.75.5 host 192.168.5.xx eq 1433 
access-list DMZtoInside extended deny ip any 192.168.0.0 255.255.255.0 
access-list DMZtoInside extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (management) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp xxx.xxx.xxx.xxx www 192.168.75.5 www netmask 255.255.255.255 
static (DMZ,outside) tcp xxx.xxx.xxx.xxx https 192.168.75.5 https netmask 255.255.255.255 
static (inside,DMZ) 192.168.5.xx 192.168.5.xx netmask 255.255.255.255 
access-group outside_access_in in interface outside
access-group DMZtoInside in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 192.168.5.xx 255.255.255.255 172.16.75.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e6f986d4427504d675bb1ca51a815345
: end
no asdm history enable

------------------------
Switch port config below
------------------------

interface FastEthernet0/15
 switchport access vlan 15
 switchport mode dynamic desirable <---I need to change to switchport mode access to secure, forgot!


interface Vlan15
 ip address 172.16.75.253 255.255.255.0


ip route 192.168.75.0 255.255.255.0 172.16.75.254

Question by:wayy2be

20 Comments

LVL 16

Expert Comment

by:InteraX
The following commands should suffice. Just put in the relevant public IP you need where I have highlighted and complete the inside IP for the static nat.

static (inside,outside) udp <outside_ip> 5008 192.168.5.xx 5008 netmask 255.255.255.255
access-list outside_access_in extended permit udp any host <outside_ip> eq 5008

Author Comment

by:wayy2be
I added the above and it will not connect. I ran packet tracer and from both the outside and inside interface and it said "flow denied by configured rule".

LVL 16

Expert Comment

by:InteraX
Can you post the result of 'sh xlate' and 'sh access-list outside_access_in'?

Author Comment

by:wayy2be
sh xlate
5 in use, 7 most used
Global 192.168.5.15 Local 192.168.5.15
Global 192.168.5.14 Local 192.168.5.14
PAT Global <Public IP>(80) Local 192.168.75.5(80)
PAT Global <Public IP>(443) Local 192.168.75.5(443)
PAT Global <Public IP>(5008) Local 192.168.5.14(5008)
sh access-list outside_access_in
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 remark Permit traffic from Internet
access-list outside_access_in line 2 extended permit tcp any host <Public IP>(eq www (hitcnt=4657) 0xb3e8f076
access-list outside_access_in line 3 extended permit udp any host <Public IP>(eq 5008 (hitcnt=27) 0x422c2ed2

Author Comment

by:wayy2be
So for some reason the packet is being dropped?  I noticed that the outside interface IP address is on the same subnet as the DMZ interface, shouldn't these two IPs be completely different?  Or at least like 172.16.65.254 for the outside interface and leave the DMZ as it is?  What is best practice?  Thanks

LVL 16

Expert Comment

by:InteraX
The outside and DMZ should be 2 different subnets, otherwise routing will get messed up. Are you NATing this to the interface IP? If so, you should use the interface keyword instead of the IP.

Author Comment

by:wayy2be
What I did was change the following:

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.85.254 255.255.255.0

So now the DMZ is at 172.16.75.x and the inside is at 172.16.85.x. But I still cannot connect to the server on the inside on port 5008 even after adding the following:

access-list outside_access_in extended permit udp any host <PUBLIC IP> eq 5008
static (inside,outside) <PUBLIC IP> 192.168.5.14 netmask 255.255.255.255

LVL 16

Expert Comment

by:InteraX
Are you trying to connect to an outside IP on the ASA from an internal IP? If so, this is not allowed. Is the traffic coming from an external device?

Author Comment

by:wayy2be
The traffic is coming in from the Internet and hits a public IP that has a static to an inside IP, then the traffic should connect on port 5008. But somewhere the packet is getting dropped.

Author Comment

by:wayy2be
I am starting to think that this is not a firewall issue and a layer 3 issue. What ip address would a packet have that came in to the ASA from a public IP and connected with the server at 192.168.5.x?  I think the switch does not know where to send the packet back to. But what IP address would that packet have?

LVL 16

Accepted Solution

by:InteraX (earned 250 total points)
The source IP of a packet would be the public IP of the originating device. The destination IP will start out being your public IP, but once the packet goes through the NAT process, the destination IP changes to the private IP of your server. The switch will only work at layer 2 and should see the source MAC after the firewall as the MAC of the firewall and the destination MAC as the MAC of the server. This is assuming ARP is working correctly.

Author Comment

by:wayy2be
When I do a sh conn on the ASA I see the public Ip and private IP on port 5008, this is why I believe the traffic is not getting returned.

LVL 16

Expert Comment

by:InteraX
Can you post an example of the sh conn entries you are talking about.

Author Comment

by:wayy2be
I don't have the actual screenshot of the sh conn, but it looked like this:

udp <PUBLIC IP> in <PRIVATE IP>:5008 idle btyes 4353

I think I found the problem. The traffic in question is coming from remote sales people that are trying to connect via air cards. When they make the connection the VPN software that is sitting on a server inside the LAN behind the ASA attempts to connect on port 5008, so it contacts the 3550 switch and the packet hits the port but on the return trip the 3550 does not know how to handle the return, since there are multiple gateways and there is no route in place to handle the public IP range of the air cards. If I put a route in the 3550 telling it to route the ip range of the public IP addresses that the air cards are using and give them the gateway it would probably work. However I see several security issues with that. Is there a work around for this type of issue, assuming it is the issue?

Author Comment

by:wayy2be
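To make the asymmetric-return diagnosis in the comment above concrete, here is an added Python example (not from the thread, the author, or Cisco) that does a router-style longest-prefix lookup against the 3550's routes as posted. It assumes a second default gateway on the 3550 (the "multiple gateways" the author mentions but does not show) and a constructed client address, and reports whether the server's reply to the client would be handed back to the ASA's inside interface.

```python
import ipaddress

# Addresses taken from the thread.
ASA_INSIDE = "172.16.75.254"      # ASA inside interface; the ASA forwards to 172.16.75.253 (Vlan15)
# Assumption: the 3550 also has a default route towards some other router,
# which is what lets the reply bypass the ASA.
OTHER_GATEWAY = "10.99.0.1"

# Constructed routing table for the Catalyst 3550: (prefix, next hop).
SWITCH_ROUTES = [
    ("172.16.75.0/24", "connected"),   # interface Vlan15
    ("192.168.75.0/24", ASA_INSIDE),   # ip route 192.168.75.0 255.255.255.0 172.16.75.254
    ("0.0.0.0/0", OTHER_GATEWAY),      # assumed default route, not via the ASA
]

def lookup(routes, dst):
    """Longest-prefix match, as the switch's routing process does it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def return_path_symmetric(routes, client_public_ip):
    """True when the server's reply to the client goes back through the ASA.

    Inbound: client -> public IP; the ASA's static NAT rewrites the destination
    to 192.168.5.14 and forwards it via the 3550. Outbound: the server answers
    the client's public IP; unless the 3550 sends that reply to 172.16.75.254,
    the ASA never sees the second half of the UDP 5008 flow in 'sh conn'.
    """
    return lookup(routes, client_public_ip) == ASA_INSIDE

# Constructed sample client (documentation range, not a real air-card address).
CLIENT = "203.0.113.77"

def demo():
    before = return_path_symmetric(SWITCH_ROUTES, CLIENT)
    # The route the author considered adding on the 3550: client range via the ASA.
    with_route = [("203.0.113.0/24", ASA_INSIDE)] + SWITCH_ROUTES
    after = return_path_symmetric(with_route, CLIENT)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print(f"reply routed via ASA: before={before}, after adding route={after}")
```

The 'before' case is the failure the author describes: the ASA builds the connection entry, but the reply leaves via the other gateway and is never translated back to the public IP.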
The switch is a layer 3 device, Catalyst 3550. I don't think I mentioned that before.

LVL 15

Expert Comment

by:The_Warlock
You are missing:
same-security-traffic permit intra-interface
and
same-security-traffic permit inter-interface

Let us know.

Author Comment

by:wayy2be
Thanks Warlock!  I am not familiar with that command. Do I just enter it as above?  Will it have any negative effects (security wise) on the DMZ?  I won't be able to try it until Monday :S

Author Comment

by:wayy2be
The ASA is new to me. I worked on PIXs for years. I need to study up!

LVL 15

Assisted Solution

by:The_Warlock (earned 250 total points)
FWIW, here's a description from the Cisco website to help you understand a little better:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1392814
Also Note: All traffic allowed by the "same-security-traffic intra-interface" command is still subject to firewall rules.

Hope this helps.

Author Closing Comment

by:wayy2be
Question not answered, but since the problem is not the ASA I am closing this question and awarding points to those that tried to help. I will then repost the question in the correct zone. Thanks