JPBI
asked on
Opening Ports on a Cisco ASA 5510
Trying to access a program and our firewall is not allowing us to connect. According to this company's tech support team, I need to open up ports 1550 - 1599 and 7676.
I am pretty inexperienced with firewalls, so any help you can provide would be appreciated.
We are running a Cisco ASA 5510 (Cisco ASDM 6.2)
Thanks!
ASKER
I need to allow an outside program in through our firewall. I do not know the IP of the host, their tech support didn't seem to think that was important.. he just mentioned opening the ports I listed. We have an IP block and I'm not sure what a sanitized config is.
I've created a new TCP Service group for ports 1550-1599 and 7676 and attached them to a rule for the IP address of the user that needs access to the application, but we are still unable to connect.
Can't add anything to that :)
Though (if it's from the out- to the inside) it would be easier if you had an extra public.
Did you also add the ports to be natted from the outside to the inside?
Depends a bit on what version you have; if it's <8.3 you'd be using:
static (inside,outside) etc.
ASKER
No, I have not done anything with NAT. I'm a bit over my head here. I was honestly just guessing when creating the service groups.
What version does the pix have?
The steps to allow inbound traffic:
1) Create a Static NAT or a Port Forward from the public IP to the internal host IP.
2) Create an Access list on the outside interface to allow the traffic to pass.
3) Apply the Access list to the interface with the Access-group command....
The exact commands are dependent on your ASA version, pre or post 8.3. A sanitized config would help a lot here.
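The three steps above, written out in pre-8.3 ASA syntax as an added example (not configuration from this thread or from Cisco's documentation). The addresses, the interface names "inside"/"outside" and the object-group/ACL names are assumed placeholders; the ports are the ones the asker needs.

```text
! Added example for ASA 8.2(2) (pre-8.3 syntax). Placeholder addresses from the
! RFC 5737 documentation ranges: public 203.0.113.10, internal host 192.168.1.50.
! Interface names "inside"/"outside" and the object/ACL names are assumptions.

! Step 1: static NAT, one-to-one mapping of a spare public IP to the internal host.
! In pre-8.3 the static command is written (real_ifc,mapped_ifc) mapped_ip real_ip.
static (inside,outside) 203.0.113.10 192.168.1.50 netmask 255.255.255.255

! Alternative when only the outside interface address is available: a port
! forward. Pre-8.3 static takes a single port, so a 1550-1599 range needs one
! line per port; 7676 shown here. (Do not combine with the one-to-one static.)
! static (inside,outside) tcp interface 7676 192.168.1.50 7676 netmask 255.255.255.255

! Step 2: access list on the outside interface, limited to the required ports.
! Pre-8.3 ACLs match the mapped (public) address, not the inside address.
! Replace "any" with the vendor's source address if their support can provide it.
object-group service APP-PORTS tcp
 port-object range 1550 1599
 port-object eq 7676
access-list outside_access_in extended permit tcp any host 203.0.113.10 object-group APP-PORTS

! Step 3: bind the ACL inbound on the outside interface.
access-group outside_access_in in interface outside

! Checks: simulate one inbound packet through NAT and the ACL, then look for
! ACL denies (106023) and missing-translation drops (305005) in the log.
packet-tracer input outside tcp 198.51.100.20 40000 203.0.113.10 1550
show logging | include 106023
show logging | include 305005
```

If packet-tracer reports a drop in the NAT phase, step 1 is missing or wrong; a drop in the ACCESS-LIST phase points at step 2 or 3.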
ASKER
Pix 506E - is that what you are asking?
ASKER
What is a sanitized config and I'll see if I can figure it out...
We are Pre 8.3 ... 8.2(2) is what it says in the About tab, ASDM version 6.2(5) as well
In the ASDM under tools there is the command line tool. If you issue: 'wr t' (without the ') it should come back with the config. Mask sensitive info like public ip's, usernames, etc. and then post it here.
ASKER
Man that file is huge. I also don't know what needs to be masked and what doesn't. Can you tell me exactly what you are looking for by chance?
The config of:
-the outside interface
-access list for the outside interface
-'static' commands
Oh, and the inside ip address where it (the program) needs to connect to.
ASKER
I can't really identify those configs enough to feel comfortable posting any information. Sorry about that, thanks for the help though.
This is a pretty old example, but might help you out:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml
Use that example, just change the port number from 25 to the ports you need. Then try the connection. If it fails, you can do a SHOW LOGGING or watch the ASDM log window for Drops. The log should give you a clue as to what's being dropped and why. We can help diagnose further.
ASKER
Created a new service and attached it to a new access rule and it worked. Thanks for the input!
Glad it's working.... anything else we can answer then?
ASKER
All set - thanks
ASKER CERTIFIED SOLUTION
What is the IP of the host?
If it's an internal host, do you have a block of IPs from your ISP or just 1? If 1, is it static?
Can you post a sanitized config from the ASA?