
How do I open ports up on a Cisco ASA 5505

raffie613 asked
I need certain tcp/udp ports opened up. Where can I do this in the GUI interface?

This video should show you exactly what to do:


Of course, if you have multiple IPs, use that in the NAT rule. Otherwise, use the interface.
Istvan Kalmar, Head of IT Security Division (Top Expert 2010)



OK, I like the YouTube video, but there are no instructions with it, so I am not sure what I am doing.
I need to open up ports 59002-59006 for an internal IP address to the outside. So where on the NAT rule do I put in those ports?
Also, can I put TCP and UDP, or do I have to choose one or the other?
Istvan Kalmar, Head of IT Security Division (Top Expert 2010)

You need to create a static NAT for an IP, and after that you need to open the range of ports with an ACL.
Create the static translation under NAT Rules.

Open the ports under Access Rules.

You can specify UDP or TCP. You will do this under the Service field under Add Access Rule at :49 in the video.

Do you have a block of IPs or only one IP?


I have a range I guess that is a block. Then I have two other ones that go to single ports.


So do I need to create a NAT rule and an ACL?


What do I select as the source ip address? the one I need the port open to?


The NAT rule is where I am having the trouble. What port do I put under PAT?
It depends: are you using the IP address of your outside interface, or are you using another IP from the pool?

If you use the IP of the interface, put the IP address of your internal host in the Original Source field. Use interface inside. For the Translated section, select your outside interface and select Use Interface IP. Click Enable Port Translation, put in the port you want and select TCP or UDP. Do this for every port you need open.

If you are using another IP in the pool, your original settings stay the same as above, but your translated setting will change by entering the IP address you are going to use. In this case, you don't have to put anything for PAT.

Next set up your Access Rules. Create ACLs allowing traffic from ANY to the translated IP address you set up in the NAT rules.


Sorry for being so slow on this. But I am lost.
All I know is that I need to open up some ports, for TCP/UDP protocols, for our new phone system.
I have 3 internal IP addresses that need to be linked to those opened ports.
I think I got the Access Rule part, but am still very lost on creating the NAT rule.
I think this is how, please correct me where I am wrong:
Interface: (I choose) Inside
Source: (I enter in) the IP address of the internal phone system

Interface: (I choose) Outside
(radio button) I chose "Use Interface IP address"

I click the box "Enable PAT"
Protocol: (which one do I choose? I need both TCP and UDP)
Original port: (what do I enter here? Just one port, or the block of ports?)
Translated port: (what do I enter here?)

Your original and translated sections are correct. Then for the PAT section, select TCP, and one port like 59002, then the same under translated port. Make a new rule and select UDP, and enter the same port as the previous rule. Create a new rule and select UDP and use port 55003. Repeat this until you have 2 rules, one UDP and one TCP, for every port you need open. You should make 10 rules if you are opening 55002-55006.
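The "two rules per port" procedure above maps one-to-one onto the pre-8.3 ASA CLI that the ASDM wizard writes for you. As an added example, not from the thread and not Cisco's own tooling, here is a small Python generator that takes a port list and emits the same three pieces: one static PAT entry per protocol per port bound to the outside interface IP, a tcp-udp service object-group with the ports collapsed into range/eq entries, and the inbound access-list applied on the outside interface. The inside host 192.0.2.10, the group name Phones and the ACL name phones_in are constructed placeholders.

```python
# Added example: emit the ASA 7.2 (pre-8.3) CLI equivalent of the ASDM steps.
# 192.0.2.10, "Phones" and "phones_in" are constructed placeholders.

def expand_ports(spec):
    """'59002-59006' or '59020' entries -> sorted list of distinct ports."""
    ports = set()
    for item in spec:
        lo_s, _, hi_s = item.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        # reject reversed ranges and anything outside the 16-bit port space
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {item}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def port_objects(ports):
    """Collapse consecutive ports into 'range a b' and singles into 'eq a'."""
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        if i == j:
            out.append(f" port-object eq {ports[i]}")
        else:
            out.append(f" port-object range {ports[i]} {ports[j]}")
        i = j + 1
    return out


def static_pat_lines(inside_host, ports):
    """One static per protocol per port: the 'two rules per port' from the thread."""
    return [
        f"static (inside,outside) {proto} interface {p} {inside_host} {p} "
        "netmask 255.255.255.255"
        for proto in ("tcp", "udp")
        for p in ports
    ]


def acl_lines(group_name, ports, acl_name):
    """Service object-group plus the inbound ACL on the outside interface."""
    return [
        "object-group protocol TCPUDP",
        " protocol-object tcp",
        " protocol-object udp",
        f"object-group service {group_name} tcp-udp",
        *port_objects(ports),
        f"access-list {acl_name} extended permit object-group TCPUDP any "
        f"interface outside object-group {group_name}",
        f"access-group {acl_name} in interface outside",
    ]


def build(inside_host, spec, group_name="Phones", acl_name="phones_in"):
    ports = expand_ports(spec)
    return static_pat_lines(inside_host, ports) + acl_lines(group_name, ports, acl_name)


if __name__ == "__main__":
    print("\n".join(build("192.0.2.10", ["59002-59006", "59020", "59102"])))
```

The generated static lines use the pre-8.3 form (mapped interface and port first, then the real host and port); on 8.3 and later the NAT syntax is object-based and these lines would not apply.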


OK, I think I got it.
Thanks. Let me see if it works.


Last thing, on creating the ACL.
Do I select
source: "any" and
destination: (my internal IP address or my outside interface?)
That depends on if you want to limit who connects on these ports. If it's only one IP, put that in for security instead of any.


I don't care about limiting who connects.
So is this what it should look like?
Source: any?
Destination: outside? (or do I leave it as any?)
More options (do I need to do this?)
Enable rule (check box)
Traffic direction: IN?
Source service: tcp-udp/59002 ??



You still there?
Interface: Outside
Action: Permit
Source: Any
Destination: Outside (since you are using the interface IP)
Service: Select the button at the end of the Text box. Click Add > TCP-UDP service group. Give it a name and description. Add 59002-59006 under the Port/Range Box and click Add and OK. Back at the Browse Service screen, select the new group you created under TCP-UDP Service Group by double clicking it. Click OK.
Description: Up to you

Click OK, Apply and Save


OK, for some reason I am not even able to ping my phone system internally. Did I do something wrong?
ASA doesn't allow pings by default. You have to allow ICMP.


Try this website to scan your IP to see if that specific port is responding. You can't test UDP ports, though.


I have ICMP allowed. I am able to ping my server on the network and other devices.
Now where should I look?
It must be that the ACL is wrong, no?
If I put any in the Destination field, would that mess it up?
Yes, you need to have an IP address or Interface.


"Add 59002-59006 under the Port/Range Box and click Add and OK. Back at the Browse Service screen, select the new group you created under TCP-UDP Service Group by double clicking it. Click OK."
There is no Port/Range box. Only More Options, then the Enable Rule check box, and under that Traffic Direction (you can choose in or out); I chose in.
Then under that, Source Service with a text box. I put tcp-udp and the port range. (Do I need to do one for each port by itself?)
Then logging interval and time range.


OK, I changed the destination back to outside and I can now ping it.
You only see that option box after you "Select the button at the end of the Text box." which will popup a new window.

The more options section is on the add access rule window.


OK, now I can't ping the IP from outside the network.
In the ACL, under More Options, Source Service, there is a text box where I think I am supposed to put in my ports. Is that correct, or do I just leave it blank?
Right now it reads under Source Service: tcp-udp/59002-59006
You don't go into More Options. There is nothing there to set. The window where you put your port is under Browse Service. You click the button at the end of the text box. It has "...".


OK, I think I understand. At the service, click the ... at the end of the text box, then click Add. Then I click TCP-UDP, then type in the name and description, then at the bottom type in the port numbers. Then make that the service.

OK, now why would I not be able to ping those ports from the outside?
You can't ping ports? Do you mean the IP address?

I can tell you what the problem is.

Goto tools > command line interface.

In the new window, type show run and send.

Copy and paste your configuration here and remove any passwords and remove an octet or two from your public IPs.


I am trying to ping the external public ip address:port number to reach the phone system

Result of the command: "show run"

: Saved
ASA Version 7.2(4)
hostname ######ysigfw
domain-name ####nals.local
enable password J#######I encrypted
passwd ######encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 nameif outside
 security-level 0
 ip address
 ospf cost 10
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
 switchport access vlan 3
ftp mode passive
dns server-group DefaultDNS
 domain-name securitysignals.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Phones tcp-udp
 description Phone ports
 port-object range 59002 59006
object-group service phones2 tcp-udp
 description ports
 port-object eq 59020
object-group service phones3 tcp-udp
 port-object eq 59102
access-list inside_access_in extended permit ip any any
access-list test extended permit icmp any any
access-list test extended permit object-group TCPUDP any interface outside object-group Phones
access-list test extended permit object-group TCPUDP any interface outside object-group phones2
access-list test extended permit object-group TCPUDP any interface outside object-group phones3
access-list outside_1_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface 59102 59102 netmask
static (inside,outside) tcp interface 59020 59020 netmask
static (inside,outside) tcp interface 59002 59002 netmask
static (inside,outside) tcp interface 59003 59003 netmask
static (inside,outside) tcp interface 59004 59004 netmask
static (inside,outside) tcp interface 59005 59005 netmask
static (inside,outside) tcp interface 59006 59006 netmask
static (inside,outside) udp interface 59002 59002 netmask
static (inside,outside) udp interface 59003 59003 netmask
static (inside,outside) udp interface 59004 59004 netmask
static (inside,outside) udp interface 59005 59005 netmask
static (inside,outside) udp interface 59006 59006 netmask
static (inside,outside) udp interface 59020 59020 netmask
static (inside,outside) udp interface 59102 59102 netmask
access-group test in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd wins interface inside
dhcpd domain securitysignals.local interface inside
dhcpd enable inside

username ssioak password ooXXiE05dU.GRjMX encrypted privilege 15
username securas password Qx2vIbDWqaPDJl5O encrypted privilege 15
username super1 password nQHcyCkd1aqdRpso encrypted privilege 15
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
I don't think pinging works that way.

As for your configuration, it looks correct to me.

Is what you are using listening on those ports?

Try to telnet from your computer to:

telnet 59002

If you see ...Open, it's listening.
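"It looks correct to me" is the kind of statement that can be checked mechanically: every (protocol, port) pair the inbound ACL permits should have a matching static, and every static should be reachable through an applied ACL. As an added example, not from the thread, here is a Python checker that parses the relevant lines of a pre-8.3 ASA config (protocol and service object-groups, interface-based access-list entries, statics and access-group) and reports the two kinds of mismatch. The sample config is constructed in the shape of the show run above, with the redacted inside host restored as placeholder 192.0.2.10 and the udp/59020 static deliberately left out so that the gap is visible in the result.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's "show run"; 192.0.2.10 is a
# placeholder for the redacted inside host. The udp/59020 static is omitted on purpose.
CONFIG = """\
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Phones tcp-udp
 description Phone ports
 port-object range 59002 59006
object-group service phones2 tcp-udp
 port-object eq 59020
access-list test extended permit icmp any any
access-list test extended permit object-group TCPUDP any interface outside object-group Phones
access-list test extended permit object-group TCPUDP any interface outside object-group phones2
static (inside,outside) tcp interface 59002 192.0.2.10 59002 netmask 255.255.255.255
static (inside,outside) tcp interface 59003 192.0.2.10 59003 netmask 255.255.255.255
static (inside,outside) tcp interface 59004 192.0.2.10 59004 netmask 255.255.255.255
static (inside,outside) tcp interface 59005 192.0.2.10 59005 netmask 255.255.255.255
static (inside,outside) tcp interface 59006 192.0.2.10 59006 netmask 255.255.255.255
static (inside,outside) tcp interface 59020 192.0.2.10 59020 netmask 255.255.255.255
static (inside,outside) udp interface 59002 192.0.2.10 59002 netmask 255.255.255.255
static (inside,outside) udp interface 59003 192.0.2.10 59003 netmask 255.255.255.255
static (inside,outside) udp interface 59004 192.0.2.10 59004 netmask 255.255.255.255
static (inside,outside) udp interface 59005 192.0.2.10 59005 netmask 255.255.255.255
static (inside,outside) udp interface 59006 192.0.2.10 59006 netmask 255.255.255.255
access-group test in interface outside
"""

PROTO_GRP_RE = re.compile(r"^object-group protocol (\S+)$")
SVC_GRP_RE = re.compile(r"^object-group service (\S+) (tcp-udp|tcp|udp)$")
# mapped port is the second number; the real host/port after it are not needed here
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) interface (\d+) \S+ \d+ netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (?:object-group (\S+)|(tcp|udp)) "
                    r"any interface outside object-group (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def parse_config(text):
    proto_groups = defaultdict(set)   # protocol object-group -> {"tcp", "udp"}
    svc_groups = {}                   # service object-group -> (protocols, ports)
    statics = set()                   # (proto, mapped port) forwarded to an inside host
    acl_entries = defaultdict(set)    # ACL name -> {(proto, port)} it permits inbound
    applied = set()                   # ACL names applied "in interface outside"
    current = None                    # object-group whose indented lines follow
    for line in text.splitlines():
        if line.startswith(" ") and current:
            kind, name = current
            parts = line.split()
            if kind == "protocol" and parts[0] == "protocol-object":
                proto_groups[name].add(parts[1])
            elif kind == "service" and parts[0] == "port-object":
                ports = svc_groups[name][1]
                if parts[1] == "eq":
                    ports.add(int(parts[2]))
                elif parts[1] == "range":
                    ports.update(range(int(parts[2]), int(parts[3]) + 1))
            continue  # description and other sub-lines are ignored
        current = None
        if m := PROTO_GRP_RE.match(line):
            current = ("protocol", m.group(1))
        elif m := SVC_GRP_RE.match(line):
            protos = {"tcp", "udp"} if m.group(2) == "tcp-udp" else {m.group(2)}
            svc_groups[m.group(1)] = (protos, set())
            current = ("service", m.group(1))
        elif m := STATIC_RE.match(line):
            statics.add((m.group(1), int(m.group(2))))
        elif m := ACL_RE.match(line):
            acl, pgrp, proto, sgrp = m.groups()
            protos = proto_groups[pgrp] if pgrp else {proto}
            gprotos, ports = svc_groups.get(sgrp, (set(), set()))
            acl_entries[acl].update((p, port) for p in protos & gprotos for port in ports)
        elif m := GROUP_RE.match(line):
            applied.add(m.group(1))
    permitted = set()
    for acl in applied:  # only ACLs actually bound inbound on outside count
        permitted |= acl_entries[acl]
    return permitted, statics


def check(text):
    """Permitted pairs with no static, and statics that no applied ACL permits."""
    permitted, statics = parse_config(text)
    return {"no_static": sorted(permitted - statics),
            "no_acl": sorted(statics - permitted)}


if __name__ == "__main__":
    print(check(CONFIG))  # reports udp/59020 as permitted but not forwarded
```

The check only covers the interface-based static/ACL pattern used in this thread; it does not model packet-tracer's view of the implicit deny or the pre-8.3 requirement that the ACL reference the mapped (outside interface) address, which is what the destination: outside instruction above is about.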


If I am not inside the network, don't I telnet to the external IP, then 59002?


Is telnet blocked on my firewall?
I get "could not open connection to host on port 59002" when I telnet external IP 59002.
Yes, that is true, but I thought you were testing internally. I want to know if those ports work on the inside, because the configuration looks good.


Looks like I can reach one of them internally.


Still can't externally, though.


Is there a log file where I can see why external traffic is being blocked ?


When I run packet tracer using the telnet protocol, it shows this implicit built-in rule that is causing the packet to be dropped. How do I edit or get rid of that rule? Should the ACL I created allow all TCP/UDP traffic to bypass it?


Are you still there? I could really use some help on this.
Sorry, I was out.

Don't use the telnet protocol for packet tracer; that should be blocked by the ACL, as you saw. Use the interface outside, packet type TCP, source IP: destination IP: your public IP, source port and destination port 59002.

What happens?
Istvan Kalmar, Head of IT Security Division (Top Expert 2010)


The config seems to be good; what does the log show?