Solved

Open port range Cisco ASA5505

Posted on 2012-04-03
5
Medium Priority
1,076 Views
Last Modified: 2013-02-13
Hi, I have some problems opening UDP ports 6000-6003 to a computer on the inside. I think the problem is my NAT, because I don't get how to make it for the range 6000-6003. I will just post most of the running config and see if you can tell me where I'm failing.
ASA ver: 8.4(2)
ASDM: 6.4(5)


Result of the command: "sh ru"

: Saved
:
ASA Version 8.4(2) 
!
hostname HOST1
enable password ********************* encrypted
passwd ******************** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 32
!
interface Ethernet0/5
 switchport access vlan 42
!
interface Ethernet0/6
 switchport access vlan 52
!
interface Ethernet0/7
 switchport access vlan 62
!
interface Vlan1
 nameif HOST1
 security-level 100
 ip address 192.168.101.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ***.***.***.211 255.255.255.248 
!
interface Vlan12
 nameif Naive
 security-level 100
 ip address 192.168.121.1 255.255.255.0 
!
interface Vlan22
 nameif Inside3
 security-level 100
 ip address 192.168.131.1 255.255.255.0 
!
interface Vlan32
 nameif Inside4
 security-level 100
 ip address 192.168.141.1 255.255.255.0 
!
interface Vlan42
 nameif Inside5
 security-level 100
 ip address 192.168.151.1 255.255.255.0 
!
interface Vlan52
 nameif Inside6
 security-level 100
 ip address 192.168.161.1 255.255.255.0 
!
interface Vlan62
 nameif Inside7
 security-level 100
 ip address 192.168.171.1 255.255.255.0 
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network outside212
 host ***.***.***.212
 description ***.***.***.212
object network outside213
 host ***.***.***.213
 description ***.***.***.213
object network outside214
 host ***.***.***.214
 description ***.***.***.214
object network FTP_mot_servern
 host 192.168.101.50
 description Server
object network HTTP_mot_servern
 host 192.168.101.50
object network VNC_mot_servern
 host 192.168.101.50
object network Server
 host 192.168.101.50
object network Studio1
 host 192.168.101.11
object network Studio2
 host 192.168.101.12
object network Studio3
 host 192.168.101.13
object network Studio4
 host 192.168.101.14
object network Studio5
 host 192.168.101.15
object network Studio6
 host 192.168.101.16
access-list outside_access_in remark VNC mot servern
access-list outside_access_in extended permit tcp any object Server eq 5900 
access-list outside_access_in remark HTTP mot servern
access-list outside_access_in extended permit tcp any object Server eq www 
access-list outside_access_in remark FTP mot servern
access-list outside_access_in extended permit tcp any object Server eq ftp 
access-list outside_access_in extended permit udp any object Studio1 range 6000 6003 
access-list outside_access_in extended permit udp any object Studio2 range 8000 8003 
access-list outside_access_in extended permit udp any object Studio3 range 7000 7003 
pager lines 24
logging enable
logging asdm informational
mtu HOST1 1500
mtu outside 1500
mtu Naive 1500
mtu Inside3 1500
mtu Inside4 1500
mtu Inside5 1500
mtu Inside6 1500
mtu Inside7 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (HOST1,outside) dynamic interface
object network FTP_mot_servern
 nat (any,outside) static interface service tcp ftp ftp 
object network HTTP_mot_servern
 nat (any,outside) static interface service tcp www www 
object network VNC_mot_servern
 nat (any,outside) static interface service tcp 5900 5900 
object network Studio1
 nat (any,outside) static interface service udp 6000 6000 
object network Studio2
 nat (any,outside) static interface service udp 8000 8000 
object network Studio3
 nat (any,outside) static interface service udp 7000 7000 
!
nat (HOST1,outside) after-auto source dynamic any interface
nat (Naive,outside) after-auto source dynamic any outside212
nat (Inside3,outside) after-auto source dynamic any outside213
nat (Inside4,outside) after-auto source dynamic any outside213
nat (Inside5,outside) after-auto source dynamic any outside213
nat (Inside6,outside) after-auto source dynamic any outside213
nat (Inside7,outside) after-auto source dynamic any outside213
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.101.0 255.255.255.0 HOST1
http ***.***.***.*** 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart



See where it says:
object network Studio1
 nat (any,outside) static interface service udp 6000 6000

If I change that to udp/6000-6003 it says "any", so I guess I'm doing something wrong there.
0
Question by:anvendarnamn
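The mismatch in the posted config is that the inbound ACL permits udp 6000-6003 to Studio1 while the object NAT only forwards port 6000, so 6001-6003 are allowed by the ACL and then have no translation. The following checker is an added example, not part of the thread: it parses a constructed excerpt modelled on the running config above (ACL lines plus object NAT `service` lines) and reports ports the ACL permits that no static NAT forwards.

```python
import re
# Constructed excerpt modelled on the thread's running config (not the full config).
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any object Server eq www
access-list outside_access_in extended permit udp any object Studio1 range 6000 6003
access-list outside_access_in extended permit udp any object Studio2 range 8000 8003
object network Server
 nat (any,outside) static interface service tcp www www
object network Studio1
 nat (any,outside) static interface service udp 6000 6000
object network Studio2
 nat (any,outside) static interface service udp 8000 8000
 nat (any,outside) static interface service udp 8001 8001
"""
NAMED_PORTS = {"www": 80, "http": 80, "ftp": 21, "ssh": 22, "https": 443}
ACL_RE = re.compile(r"^access-list \S+ extended permit (tcp|udp) any object (\S+) "
                    r"(?:eq (\S+)|range (\S+) (\S+))\s*$")
OBJ_RE = re.compile(r"^object network (\S+)\s*$")
NAT_RE = re.compile(r"^\s*nat \(\S+\) static \S+ service (tcp|udp) (\S+) (\S+)\s*$")

def port(token):
    """Turn an ASA port token (number or well-known name such as www) into an int."""
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)

def acl_ports(config):
    """(object, proto) -> set of destination ports the inbound ACL permits."""
    allowed = {}
    for m in filter(None, map(ACL_RE.match, config.splitlines())):
        proto, obj, eq, lo, hi = m.groups()
        ports = {port(eq)} if eq else set(range(port(lo), port(hi) + 1))
        allowed.setdefault((obj, proto), set()).update(ports)
    return allowed

def nat_ports(config):
    """(object, proto) -> set of real ports that object NAT actually forwards."""
    mapped, current = {}, None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):          # 'object network X' starts a new object
            current = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            proto, real, _mapped = m.groups()
            mapped.setdefault((current, proto), set()).add(port(real))
    return mapped

def unmapped_ports(config):
    """Ports the ACL permits but no static NAT forwards: allowed in, then dropped."""
    allowed, mapped = acl_ports(config), nat_ports(config)
    gaps = {k: sorted(p - mapped.get(k, set())) for k, p in allowed.items()}
    return {k: v for k, v in gaps.items() if v}
```

Run `unmapped_ports(SAMPLE_CONFIG)` against the output of `sh run` to spot ACL ranges with incomplete NAT coverage; the same check is useful after adding the per-port NAT statements to confirm nothing was skipped.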
5 Comments
 
LVL 11

Expert Comment

by:DIPRAJ
ID: 37800368
I am providing help in general for UTM/firewall.

For other UTMs (I think the ASA is considered a firewall).....

Create a UDP service for ports 6000-6003, meaning the source port should be 1024:65535 and the destination port would be 6000-6003.
If you want to perform the activity for a particular system, then create a host for that system, meaning create a name with an IP address.

Create a policy from the host (that you have created) to the internet, or host to any, and allow the UDP service you have created.

You can create a to-and-fro (vice-versa) policy.

Just have a try....
0
 
LVL 17

Expert Comment

by:max_the_king
ID: 37800962
Hi,
I do not understand why you named the VLAN1 interface "HOST1", with security level 100, which you'd rather name "inside" as the default and common practice.
You may want to change that, although the error may be in the nat statement:


object network Studio1
host 192.168.101.11
nat (HOST1,outside) static interface service udp 6000 6000
nat (HOST1,outside) static interface service udp 6001 6001
nat (HOST1,outside) static interface service udp 6002 6002
nat (HOST1,outside) static interface service udp 6003 6003

in place of :

object network Studio1
 nat (any,outside) static interface service udp 6000 6000

Should you want to change the name of the interface, do it before the nat command:

int vlan1
no nameif HOST1
nameif inside

and change the above nat statements accordingly (inside in place of HOST1).

hope this helps
max
0
 

Author Comment

by:anvendarnamn
ID: 37801603
This is solved.. don't put any more energy into this... will come back about the points soon..
0
 

Accepted Solution

by: anvendarnamn (earned 0 total points)
ID: 37860810
I ended up doing it without using a range of ports and made one at a time. Thanks for your answers though.
Not sure if I should remove this question or give out points...?
0
 

Author Closing Comment

by:anvendarnamn
ID: 38883759
Don't know if it's possible to open a range of ports, but as I didn't have time to look for a way to do this I just made a rule for every port.
0
