• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 377

Opening Ports on a Cisco ASA 5510

Trying to access a program and our firewall is not allowing us to connect. According to this company's tech support team, I need to open up ports 1550 - 1599 and 7676.

I am pretty inexperienced with firewalls, so any help you can provide would be appreciated.

We are running a Cisco ASA 5510 (Cisco ASDM 6.2)

Thanks!
1 Solution
 
MikeKane Commented:
Are you on the inside trying to get out, or are you on the outside trying to get to an internal host?  

What is the IP of the host?  

If it's an internal host, do you have a block of IPs from your ISP or just 1?   If 1, is it static?  

Can you post a sanitized config from the ASA?

JPBI (Author) Commented:
I need to allow an outside program in through our firewall. I do not know the IP of the host; their tech support didn't seem to think that was important, he just mentioned opening the ports I listed. We have an IP block and I'm not sure what a sanitized config is.

I've created a new TCP Service group for ports 1550-1599 and 7676 and attached them to a rule for the IP address of the user that needs access to the application, but we are still unable to connect.

Ernie Beek Commented:
Can't add anything to that :)

Though (if it's from the out- to the inside) it would be easier if you had an extra public.

Ernie Beek Commented:
Did you also add the ports to be natted from the outside to the inside?
Depends a bit on what version you have; if it's <8.3 you'd be using:
static (inside,outside) etc.

JPBI (Author) Commented:
No, I have not done anything with NAT. I'm a bit over my head here. I was honestly just guessing when creating the service groups.

Ernie Beek Commented:
What version does the pix have?

MikeKane Commented:
The steps to allow inbound traffic:

1) Create a Static NAT or a Port Forward from the public IP to the internal host IP.  
2) Create an Access list on the outside interface to allow the traffic to pass.
3) Apply the Access list to the interface with the Access-group command....  

The exact commands are dependent on your ASA version (pre or post 8.3). A sanitized config would help a lot here.
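
As an added example (not configuration from this thread, the asker's ASA, or Cisco's documentation), here are the three steps above written in pre-8.3 ASA syntax, which matches the 8.2(2) release the asker reports. Every concrete value is an assumed placeholder: 203.0.113.10 stands for one public address from the ISP block, 192.168.1.50 for the inside host running the application, `outside`/`inside` for the interface nameif values, and OUTSIDE_IN for the access list name; substitute your own. Note that pre-8.3 access lists reference the public (translated) address, not the inside address.

```cisco
! Added example, not the thread's own config. Placeholders (assumptions):
!   203.0.113.10 = public IP from the ISP block
!   192.168.1.50 = inside host running the application
!   outside / inside = interface nameif values
!
! Step 1: one-to-one static NAT (pre-8.3 syntax) from the public IP to the host.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255
!
! Alternative to step 1 when no spare public IP exists: forward a single port
! on the outside interface address instead (one line per port; ranges need
! one static per port, so the one-to-one form above is simpler for 1550-1599).
! static (inside,outside) tcp interface 7676 192.168.1.50 7676 netmask 255.255.255.255
!
! Step 2: access list permitting only the required ports. Pre-8.3 ACLs match
! the public (translated) address. Replace "any" with the vendor's source
! address if they can tell you what it is, so nothing else on the Internet
! can reach these ports.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 range 1550 1599
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 7676
!
! Step 3: bind the access list inbound on the outside interface.
! Only one ACL can be applied per interface and direction; if an access-group
! already exists on "outside", add the permit lines to that ACL instead of
! applying a new one, because a new access-group replaces the existing one.
access-group OUTSIDE_IN in interface outside
```

After applying this, `show access-list OUTSIDE_IN` displays a hit count per line (so you can see whether the vendor's traffic is matching), `show xlate` lists the static translation, and `show logging` (the check MikeKane recommends further down) shows the deny messages if a connection is still being dropped.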

JPBI (Author) Commented:
Pix 506E - is that what you are asking?

JPBI (Author) Commented:
What is a sanitized config and I'll see if I can figure it out...

We are pre 8.3 ... 8.2(2) is what it says in the About tab, ASDM version 6.2(5) as well.

Ernie Beek Commented:
In the ASDM under Tools there is the command line tool. If you issue 'wr t' (without the quotes) it should come back with the config. Mask sensitive info like public IPs, usernames, etc. and then post it here.

JPBI (Author) Commented:
Man that file is huge. I also don't know what needs to be masked and what doesn't. Can you tell me exactly what you are looking for by chance?

Ernie Beek Commented:
The config of:
-the outside interface
-access list for the outside interface
-'static' commands
Oh, and the inside IP address where it (the program) needs to connect to.

JPBI (Author) Commented:
I can't really identify those configs enough to feel comfortable posting any information. Sorry about that, thanks for the help though.

MikeKane Commented:
This is a pretty old example, but it might help you out:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Use that example, just change the port number from 25 to the ports you need. Then try the connection. If it fails, you can do a SHOW LOGGING or watch the ASDM log window for Drops. The log should give you a clue as to what's being dropped and why. We can help diagnose further.

JPBI (Author) Commented:
Created a new service and attached it to a new access rule and it worked. Thanks for the input!

MikeKane Commented:
Glad it's working... anything else we can answer then?

JPBI (Author) Commented:
All set - thanks

MikeKane Commented:
Then please don't forget to close out the question.    Thanks.