How do I open ports up on a Cisco ASA 5505

I need certain tcp/udp ports opened up. Where can I do this in the GUI interface?
raffie613Asked:

jjmartineziiiCommented:
This video should show you exactly what to do:

http://www.youtube.com/watch?v=MW2_Rc9vj3o

Of course, if you have multiple IPs, use that in the NAT rule. Otherwise, use the interface.
0
Istvan KalmarHead of IT Security Division Commented:
0
raffie613Author Commented:
OK, I like the YouTube video, but there are no instructions with it, so I am not sure what I am doing.
I need to open up ports 59002-59006 for an internal IP address to the outside. So where on the NAT rule do I put in those ports?
Also, can I put TCP and UDP, or do I have to choose one or the other?
Thanks
0
Istvan KalmarHead of IT Security Division Commented:
You need to create a static NAT for an IP, and after that you need to open the range of ports with an ACL.
0
jjmartineziiiCommented:
Create the static translation under NAT Rules.

Open the ports under Access Rules.

You can specify UDP or TCP. You will do this under the Service field under Add Access Rule at :49 in the video.

Do you have a block of IPs or only one IP?
0
raffie613Author Commented:
I have a range, I guess that is a block. Then I have two other ones that go to single ports.
0
raffie613Author Commented:
So do I need to create a NAT rule and an ACL?
0
raffie613Author Commented:
What do I select as the source IP address? The one I need the port open to?
0
raffie613Author Commented:
The NAT rule is where I am having the trouble. What port do I put under PAT?
0
jjmartineziiiCommented:
It depends, are you using the IP address of your outside interface or are you using another IP from the pool?

If you use the IP of the interface, put the IP address of your internal host on the Original Source field. Use interface inside. For the Translated section, select your outside interface and select Use Interface IP. Click enable port translation and put in the port you want and select TCP or UDP. Do this for every port you need open.

If you are using another IP in the pool, your original settings stay the same as above, but your translated setting will change by entering the IP address you are going to use. In this case, you don't have to put anything for PAT.

Next, set up your Access Rules. Create ACLs allowing traffic from ANY to the translated IP address you set up in the NAT rules.
0
raffie613Author Commented:
jjmartineziii:
Sorry for being so slow on this, but I am lost.
All I know is that I need to open up some ports, for TCP/UDP protocols, for our new phone system.
I have 3 internal IP addresses that need to be linked to those opened ports.
I think I got the Access Rule part, but am still very lost on creating the NAT rule.
I think this is how; please correct me where I am wrong:
Original:
Interface: (I choose) Inside
Source: (I enter in) the IP address of the internal phone system

Translated
Interface: (I chose) outside
(radio button) I chose "Use Interface IP address"

PAT
I click the box "Enable PAT"
Protocol: (which one do I choose? I need both TCP and UDP)
Original port: (what do I enter here? just one port, or the block of ports?)
Translated port: (what do I enter here?)


Thanks.
0
jjmartineziiiCommented:
Your original and translated sections are correct. For the PAT section, select TCP and one port like 59002, then the same under translated port. Make a new rule and select UDP, and enter the same port as the previous rule. Create a new rule and select UDP and use port 55003. Repeat this until you have 2 rules, one UDP and one TCP, for every port you need open. You should make 10 rules if you are opening 55002-55006.
0
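The ASDM clicks described in the last few replies boil down to a handful of CLI lines, and scripting them avoids the error-prone "one rule per port per protocol" repetition. The following is an added example, not code from the thread: it emits the pre-8.3 ASA syntax (the style of the poster's own config dump later in this thread) for a constructed host/port map. The PHONE_PORTS map, the ACL name outside_access_in and the service group name PHONE_PORTS are assumptions, and the output should be reviewed before it is pasted into a real device.

```python
# Added example (not from the thread): emit the pre-8.3 ASA lines that the
# ASDM NAT-rule and access-rule steps above produce, for several inside
# hosts and TCP+UDP port ranges.  PHONE_PORTS, the ACL name
# outside_access_in and the group name PHONE_PORTS are constructed here.
from typing import Dict, Iterable, List, Tuple

PortRange = Tuple[int, int]          # (first, last); a single port is (p, p)

# Constructed input: inside host -> port ranges to publish on the outside IP.
PHONE_PORTS: Dict[str, List[PortRange]] = {
    "10.0.0.40": [(59002, 59006)],
    "10.0.0.41": [(59020, 59020)],
    "10.0.0.42": [(59102, 59102)],
}


def expand_ports(ranges: Iterable[PortRange]) -> List[int]:
    """Turn (first, last) ranges into individual ports, rejecting bad ranges."""
    ports: List[int] = []
    for first, last in ranges:
        if not 0 < first <= last <= 65535:
            raise ValueError(f"invalid port range {first}-{last}")
        ports.extend(range(first, last + 1))
    return ports


def static_pat_lines(host_map: Dict[str, List[PortRange]],
                     protocols: Tuple[str, ...] = ("tcp", "udp")) -> List[str]:
    """One 'static' per (protocol, port).  Pre-8.3 static PAT takes a single
    port, so a five-port range needs ten lines (five tcp, five udp), which is
    what the 'one rule per port per protocol' advice above amounts to."""
    lines: List[str] = []
    for host, ranges in host_map.items():
        for proto in protocols:
            for port in expand_ports(ranges):
                lines.append(f"static (inside,outside) {proto} interface {port} "
                             f"{host} {port} netmask 255.255.255.255")
    return lines


def acl_lines(host_map: Dict[str, List[PortRange]],
              acl: str = "outside_access_in",
              group: str = "PHONE_PORTS") -> List[str]:
    """A tcp-udp service group holding every published port, a protocol group
    for tcp+udp, one ACE permitting any source to the outside interface IP on
    those ports, and the access-group that binds the ACL inbound on outside.
    The NAT alone admits nothing: without a permitting ACE the implicit deny
    on the outside interface drops the traffic."""
    lines = [f"object-group service {group} tcp-udp"]
    for ranges in host_map.values():
        for first, last in ranges:
            lines.append(f" port-object range {first} {last}" if first != last
                         else f" port-object eq {first}")
    lines += [
        "object-group protocol TCPUDP",
        " protocol-object tcp",
        " protocol-object udp",
        f"access-list {acl} extended permit object-group TCPUDP any "
        f"interface outside object-group {group}",
        f"access-group {acl} in interface outside",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(static_pat_lines(PHONE_PORTS) + acl_lines(PHONE_PORTS)))
```

The output can be pasted into the CLI or into ASDM's Tools > Command Line Interface window and is equivalent to the GUI steps above; the reason the count comes out at two lines per port is that this syntax has no port range form for static PAT.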
raffie613Author Commented:
OK, I think I got it.
Thanks. Let me see if it works.
0
raffie613Author Commented:
Last thing, on creating the ACL.
Do I select
Source: "any" and
Destination: (my internal IP address or my outside interface?)
0
jjmartineziiiCommented:
That depends on whether you want to limit who connects on these ports. If it's only one IP, put that in for security instead of any.
0
raffie613Author Commented:
I don't care about limiting who connects.
So is this what it should look like?
Source: any?
Destination: outside? (or do I leave it as any?)
Service: udp-tcp
More options (do I need to do this?)
Enable rule (check box)
Traffic direction: IN?
Source service: tcp-udp/59002??

Thanks.
0
raffie613Author Commented:
You still there?
0
jjmartineziiiCommented:
Interface: Outside
Action: Permit
Source: Any
Destination: Outside (since you are using the interface IP)
Service: Select the button at the end of the Text box. Click Add > TCP-UDP service group. Give it a name and description. Add 59002-59006 under the Port/Range Box and click Add and OK. Back at the Browse Service screen, select the new group you created under TCP-UDP Service Group by double clicking it. Click OK.
Description: Up to you

Click OK, Apply and Save
0
raffie613Author Commented:
OK, for some reason I am not even able to ping my phone system internally. Did I do something wrong?
0
jjmartineziiiCommented:
ASA doesn't allow pings by default. You have to allow ICMP.

http://www.t1shopper.com/tools/port-scan/

Try this website to scan your IP to see if that specific port is responding. You can't test UDP ports, though.
0

raffie613Author Commented:
I have ICMP allowed. I am able to ping my server on the network and other devices.
Now where should I look?
It must be that the ACL is wrong, no?
If I put any in the Destination field, would that mess it up?
0
jjmartineziiiCommented:
Yes, you need to have an IP address or Interface.
0
raffie613Author Commented:
"Add 59002-59006 under the Port/Range Box and click Add and OK. Back at the Browse Service screen, select the new group you created under TCP-UDP Service Group by double clicking it. Click OK"
There is no Port/Range box. Only More Options, then the Enable Rule check box; under that, Traffic Direction (you can choose in or out); I chose in.
Then under that, Source Service with a text box. I put tcp-udp and the port range. (Do I need to do one for each port by itself?)
Then logging interval and time range.
0
raffie613Author Commented:
OK, I changed the destination back to outside and I can now ping it.
0
jjmartineziiiCommented:
You only see that option box after you "Select the button at the end of the Text box." which will popup a new window.

The more options section is on the add access rule window.
0
raffie613Author Commented:
OK, now I can't ping the IP from outside the network.
In the ACL, under More Options, Source Service, there is a text box where I think I am supposed to put in my ports. Is that correct, or do I just leave it blank?
Right now it reads under Source Service: tcp-udp/59002-59006
0
jjmartineziiiCommented:
You don't go into More Options. There is nothing there to set. The window where you put your port is under Browse Service. You click the button at the end of the text box. It has "...".
0
raffie613Author Commented:
OK, I think I understand. At the service, click the ... at the end of the text box, then click Add. Then I click TCP-UDP, then type in the name and description, then at the bottom type in the port numbers. Then make that the service.

OK, now why would I not be able to ping those ports from the outside?
0
jjmartineziiiCommented:
You can't ping ports? Do you mean the IP address?

I can tell you what the problem is.

Go to Tools > Command Line Interface.

In the new window, type show run and send.

Copy and paste your configuration here, remove any passwords, and remove an octet or two from your public IPs.
0
raffie613Author Commented:
I am trying to ping the external public IP address:port number to reach the phone system.

Result of the command: "show run"

: Saved
:
ASA Version 7.2(4)
!
hostname ######ysigfw
domain-name ####nals.local
enable password J#######I encrypted
passwd ######encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.151.223.121 255.255.255.252
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name securitysignals.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Phones tcp-udp
 description Phone ports
 port-object range 59002 59006
object-group service phones2 tcp-udp
 description ports
 port-object eq 59020
object-group service phones3 tcp-udp
 port-object eq 59102
access-list inside_access_in extended permit ip any any
access-list test extended permit icmp any any
access-list test extended permit object-group TCPUDP any interface outside object-group Phones
access-list test extended permit object-group TCPUDP any interface outside object-group phones2
access-list test extended permit object-group TCPUDP any interface outside object-group phones3
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.13.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.13.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 59102 10.0.0.42 59102 netmask 255.255.255.255
static (inside,outside) tcp interface 59020 10.0.0.41 59020 netmask 255.255.255.255
static (inside,outside) tcp interface 59002 10.0.0.40 59002 netmask 255.255.255.255
static (inside,outside) tcp interface 59003 10.0.0.40 59003 netmask 255.255.255.255
static (inside,outside) tcp interface 59004 10.0.0.40 59004 netmask 255.255.255.255
static (inside,outside) tcp interface 59005 10.0.0.40 59005 netmask 255.255.255.255
static (inside,outside) tcp interface 59006 10.0.0.40 59006 netmask 255.255.255.255
static (inside,outside) udp interface 59002 10.0.0.40 59002 netmask 255.255.255.255
static (inside,outside) udp interface 59003 10.0.0.40 59003 netmask 255.255.255.255
static (inside,outside) udp interface 59004 10.0.0.40 59004 netmask 255.255.255.255
static (inside,outside) udp interface 59005 10.0.0.40 59005 netmask 255.255.255.255
static (inside,outside) udp interface 59006 10.0.0.40 59006 netmask 255.255.255.255
static (inside,outside) udp interface 59020 10.0.0.41 59020 netmask 255.255.255.255
static (inside,outside) udp interface 59102 10.0.0.42 59102 netmask 255.255.255.255
access-group test in interface outside
route outside 0.0.0.0 0.0.0.0 75.151.223.122 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 72.151.146.34
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.68.162 68.87.74.162
dhcpd auto_config outside
!
dhcpd address 10.0.0.20-10.0.0.35 inside
dhcpd dns 10.0.0.2 4.2.2.2 interface inside
dhcpd wins 10.0.0.2 interface inside
dhcpd domain securitysignals.local interface inside
dhcpd enable inside
!

username ssioak password ooXXiE05dU.GRjMX encrypted privilege 15
username securas password Qx2vIbDWqaPDJl5O encrypted privilege 15
username super1 password nQHcyCkd1aqdRpso encrypted privilege 15
tunnel-group 72.151.146.34 type ipsec-l2l
tunnel-group 72.151.146.34 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3daffc57e31eb3c09c37ff73850f2481
: end
0
jjmartineziiiCommented:
I don't think pinging works that way.

As for your configuration, it looks correct to me.

Are you sure 10.0.0.40 is listening on those ports?

Try to telnet from your computer to:

telnet 10.0.0.40 59002

If you see ..Open, it's listening.
0
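Reading a config by eye, as in the reply above, is how mismatches between the static entries and the ACL get missed. As an added example (not code from the thread), the following script parses the parts of the posted configuration that matter for inbound publishing and reports every static PAT that the ACL bound inbound on outside does not permit, evaluating ACEs first-match and falling through to the implicit deny exactly as the ASA does. SAMPLE_CONFIG is constructed from the relevant lines of the dump above, with the posted names and ports and everything else omitted.

```python
# Added example (not from the thread): an offline cross-check of a pre-8.3
# ASA configuration, answering "does every static PAT have a matching permit
# in the ACL bound inbound on outside?".  SAMPLE_CONFIG is constructed from
# the relevant lines of the config dump posted above; other lines are omitted.
import re
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_CONFIG = """\
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Phones tcp-udp
 port-object range 59002 59006
object-group service phones2 tcp-udp
 port-object eq 59020
object-group service phones3 tcp-udp
 port-object eq 59102
access-list test extended permit icmp any any
access-list test extended permit object-group TCPUDP any interface outside object-group Phones
access-list test extended permit object-group TCPUDP any interface outside object-group phones2
access-list test extended permit object-group TCPUDP any interface outside object-group phones3
static (inside,outside) tcp interface 59002 10.0.0.40 59002 netmask 255.255.255.255
static (inside,outside) udp interface 59002 10.0.0.40 59002 netmask 255.255.255.255
static (inside,outside) tcp interface 59020 10.0.0.41 59020 netmask 255.255.255.255
static (inside,outside) udp interface 59102 10.0.0.42 59102 netmask 255.255.255.255
access-group test in interface outside
"""

STATIC_RE = re.compile(
    r"static \(inside,outside\) (tcp|udp) interface (\d+) (\S+) (\d+) netmask")


def _take_addr(tok: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one ACE address spec: any | host A | interface IF |
    object-group G | A MASK.  Returns the spec and the next token index."""
    if tok[i] == "any":
        return ("any", ""), i + 1
    if tok[i] in ("host", "interface", "object-group"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", f"{tok[i]} {tok[i + 1]}"), i + 2


def parse_config(text: str) -> dict:
    svc: Dict[str, Set[int]] = {}            # service group -> ports
    protos: Dict[str, Set[str]] = {}         # protocol group -> protocols
    aces: List[dict] = []                    # in config order: first match wins
    statics: List[Tuple[str, int, str]] = [] # (proto, mapped port, real ip)
    bound: Dict[str, str] = {}               # interface -> ACL applied "in"
    current: Optional[set] = None            # object-group whose members follow
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if line[0] == " " and current is not None:        # group member line
            if tok[0] == "port-object":
                lo = int(tok[2])
                hi = int(tok[3]) if tok[1] == "range" else lo
                current.update(range(lo, hi + 1))
            elif tok[0] == "protocol-object":
                current.add(tok[1])
            continue
        current = None
        if tok[:2] == ["object-group", "service"]:
            current = svc.setdefault(tok[2], set())
        elif tok[:2] == ["object-group", "protocol"]:
            current = protos.setdefault(tok[2], set())
        elif tok[0] == "static":
            m = STATIC_RE.match(line)
            if m:
                statics.append((m.group(1), int(m.group(2)), m.group(3)))
        elif tok[0] == "access-list" and tok[2] == "extended":
            i = 4
            if tok[i] == "object-group":     # show run lists groups before ACEs
                ace_protos, i = protos.get(tok[i + 1], set()), i + 2
            else:
                ace_protos, i = {tok[i]}, i + 1
            _, i = _take_addr(tok, i)        # source: not evaluated here
            dst, i = _take_addr(tok, i)
            ports: Optional[Set[int]] = None # None = every port
            if i < len(tok):
                if tok[i] == "eq":
                    ports = {int(tok[i + 1])}
                elif tok[i] == "range":
                    ports = set(range(int(tok[i + 1]), int(tok[i + 2]) + 1))
                elif tok[i] == "object-group":
                    ports = svc.get(tok[i + 1], set())
            aces.append({"acl": tok[1], "action": tok[3], "protos": ace_protos,
                         "dst": dst, "ports": ports})
        elif tok[0] == "access-group" and tok[2] == "in":
            bound[tok[4]] = tok[1]
    return {"aces": aces, "statics": statics, "bound": bound}


def _matches(ace: dict, proto: str, port: int) -> bool:
    """Does the ACE match a packet from anywhere to the outside interface IP
    with this protocol and destination port?  Network destinations are not
    resolved against the interface address, so they count as no match."""
    if not {proto, "ip"} & ace["protos"]:
        return False
    if ace["dst"] not in (("any", ""), ("interface", "outside")):
        return False
    return ace["ports"] is None or port in ace["ports"]


def uncovered_statics(text: str) -> List[Tuple[str, int, str]]:
    """Statics that the outside-inbound ACL does not permit.  Evaluation is
    first-match like the ASA; no matching ACE means the implicit deny, which
    is the 'built-in rule' Packet Tracer shows when it drops a packet."""
    cfg = parse_config(text)
    acl = cfg["bound"].get("outside")
    aces = [a for a in cfg["aces"] if a["acl"] == acl]
    missing = []
    for proto, mport, real_ip in cfg["statics"]:
        allowed = False
        for ace in aces:
            if _matches(ace, proto, mport):
                allowed = ace["action"] == "permit"
                break
        if not allowed:
            missing.append((proto, mport, real_ip))
    return missing


if __name__ == "__main__":
    print(uncovered_statics(SAMPLE_CONFIG) or "every static is permitted by the outside ACL")
```

For the configuration as posted the result is an empty list, which agrees with the reply above: the NAT and the ACL are consistent, so the failure from outside has to be something a static read of the config cannot see, such as the host not listening or a problem on the path in front of the ASA. On the box itself the equivalent single check is `packet-tracer input outside tcp 4.2.2.2 59002 <outside IP> 59002`, the CLI form of the ASDM Packet Tracer used later in the thread.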
raffie613Author Commented:
If I am not inside the network, don't I telnet to the external IP then 59002?
0
raffie613Author Commented:
Is telnet blocked on my firewall?
I get "could not open connection to host on port 59002" when I telnet to the external IP on 59002.
0
jjmartineziiiCommented:
Yes that is true but I thought you were testing internally. I want to know if those ports work on the inside because the configuration looks good.
0
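Telnet to a port, as suggested above, only tells you "connected" or "could not open connection"; the useful distinction when a firewall is involved is between a connection that was refused (the packet reached a host that is not listening) and one that timed out (the packet was dropped). This added example, not code from the thread, makes that distinction with plain sockets, pairs an inside probe of the real IP with an outside probe of the public IP, and includes an offline self-check against a local listener; the addresses in the commented usage lines are assumptions. UDP is left out on purpose: a silent UDP service and a dropped UDP packet look identical from outside, which is why the scan tool mentioned earlier cannot test UDP either.

```python
# Added example (not from the thread): a TCP reachability probe that reports
# what a firewall troubleshooter actually needs to know rather than "failed".
# The only assumed inputs are the host/port values in the __main__ block.
import socket
from typing import Dict, Iterable, Tuple


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """'open'     SYN answered with SYN/ACK: a service is reachable.
    'refused'  RST came back: the packet reached a host, nothing listens there.
    'filtered' nothing came back: dropped in transit, which from outside an
               ASA usually means no matching ACL permit or no static."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:              # e.g. no route to host
        return f"error:{exc.errno}"
    finally:
        s.close()


def probe_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    return {p: probe_tcp(host, p, timeout) for p in ports}


def diagnose(inside: Dict[int, str], outside: Dict[int, str]) -> Dict[int, str]:
    """Combine a probe of the real IP run from the LAN with a probe of the
    public IP run from the Internet.  The outside probe must really originate
    outside: the ASA does not loop a LAN connection to its own outside address
    back in, so testing the public IP from inside proves nothing."""
    verdict = {}
    for port, lan in inside.items():
        wan = outside.get(port, "untested")
        if lan != "open":
            verdict[port] = "nothing listening on the real IP: fix the host first"
        elif wan == "open":
            verdict[port] = "published correctly"
        elif wan == "refused":
            verdict[port] = "reaches a host that is not listening: check the static's real IP"
        elif wan == "filtered":
            verdict[port] = "dropped at the firewall: check the ACL, access-group and static"
        else:
            verdict[port] = wan
    return verdict


def self_check() -> Tuple[str, str]:
    """Offline demonstration: a local listener reads 'open'; the same port
    after the listener closes reads 'refused'.  'filtered' cannot be produced
    locally, only by a device that silently drops the SYN."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, 1.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, 1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(self_check())
    # Real use (addresses assumed): run the first probe from a LAN host and
    # the second from outside, then feed both results to diagnose().
    # lan = probe_ports("10.0.0.40", range(59002, 59007))
    # wan = probe_ports("<public ip>", range(59002, 59007))
    # print(diagnose(lan, wan))
```

Run the inside probe first: if the real IP is not "open" on a port, the phone system is not listening and no firewall change will help. Only when the inside result is "open" does the outside result say anything about the ASA.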
raffie613Author Commented:
Looks like I can reach one of them internally.
0
raffie613Author Commented:
Still can't externally, though.
0
raffie613Author Commented:
Is there a log file where I can see why external traffic is being blocked?
0
raffie613Author Commented:
When I run Packet Tracer using the telnet protocol, it shows this implicit built-in rule that is causing the packet to be dropped. How do I edit or get rid of that rule? Should the ACL I created allow all TCP/UDP traffic to bypass it?
0
raffie613Author Commented:
Are you still there? I could really use some help on this.
0
jjmartineziiiCommented:
Sorry, I was out.

Don't use the telnet protocol for Packet Tracer; that should be blocked by the ACL, as you saw. Use the interface outside, packet type TCP, source IP 4.2.2.2, destination IP your public IP, source port and destination port 59002.

What happens?
0
Istvan KalmarHead of IT Security Division Commented:
Hi,

The config seems to be good; what does the log show?
0