Solved

Open port range Cisco ASA5505

Posted on 2012-04-03
5
1,029 Views
Last Modified: 2013-02-13
Hi, I have some problems opening UDP ports 6000-6003 to a computer on the inside. I think the problem is my NAT, because I don't get how to make it for the range 6000-6003. I will just post most of the running config and see if you can tell me where I'm failing.
ASA ver: 8.4(2)
ASDM: 6.4(5)


Result of the command: "sh ru"

: Saved
:
ASA Version 8.4(2) 
!
hostname HOST1
enable password ********************* encrypted
passwd ******************** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 32
!
interface Ethernet0/5
 switchport access vlan 42
!
interface Ethernet0/6
 switchport access vlan 52
!
interface Ethernet0/7
 switchport access vlan 62
!
interface Vlan1
 nameif HOST1
 security-level 100
 ip address 192.168.101.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ***.***.***.211 255.255.255.248 
!
interface Vlan12
 nameif Naive
 security-level 100
 ip address 192.168.121.1 255.255.255.0 
!
interface Vlan22
 nameif Inside3
 security-level 100
 ip address 192.168.131.1 255.255.255.0 
!
interface Vlan32
 nameif Inside4
 security-level 100
 ip address 192.168.141.1 255.255.255.0 
!
interface Vlan42
 nameif Inside5
 security-level 100
 ip address 192.168.151.1 255.255.255.0 
!
interface Vlan52
 nameif Inside6
 security-level 100
 ip address 192.168.161.1 255.255.255.0 
!
interface Vlan62
 nameif Inside7
 security-level 100
 ip address 192.168.171.1 255.255.255.0 
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network outside212
 host ***.***.***.212
 description ***.***.***.212
object network outside213
 host ***.***.***.213
 description ***.***.***.213
object network outside214
 host ***.***.***.214
 description ***.***.***.214
object network FTP_mot_servern
 host 192.168.101.50
 description Server
object network HTTP_mot_servern
 host 192.168.101.50
object network VNC_mot_servern
 host 192.168.101.50
object network Server
 host 192.168.101.50
object network Studio1
 host 192.168.101.11
object network Studio2
 host 192.168.101.12
object network Studio3
 host 192.168.101.13
object network Studio4
 host 192.168.101.14
object network Studio5
 host 192.168.101.15
object network Studio6
 host 192.168.101.16
access-list outside_access_in remark VNC mot servern
access-list outside_access_in extended permit tcp any object Server eq 5900 
access-list outside_access_in remark HTTP mot servern
access-list outside_access_in extended permit tcp any object Server eq www 
access-list outside_access_in remark FTP mot servern
access-list outside_access_in extended permit tcp any object Server eq ftp 
access-list outside_access_in extended permit udp any object Studio1 range 6000 6003 
access-list outside_access_in extended permit udp any object Studio2 range 8000 8003 
access-list outside_access_in extended permit udp any object Studio3 range 7000 7003 
pager lines 24
logging enable
logging asdm informational
mtu HOST1 1500
mtu outside 1500
mtu Naive 1500
mtu Inside3 1500
mtu Inside4 1500
mtu Inside5 1500
mtu Inside6 1500
mtu Inside7 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (HOST1,outside) dynamic interface
object network FTP_mot_servern
 nat (any,outside) static interface service tcp ftp ftp 
object network HTTP_mot_servern
 nat (any,outside) static interface service tcp www www 
object network VNC_mot_servern
 nat (any,outside) static interface service tcp 5900 5900 
object network Studio1
 nat (any,outside) static interface service udp 6000 6000 
object network Studio2
 nat (any,outside) static interface service udp 8000 8000 
object network Studio3
 nat (any,outside) static interface service udp 7000 7000 
!
nat (HOST1,outside) after-auto source dynamic any interface
nat (Naive,outside) after-auto source dynamic any outside212
nat (Inside3,outside) after-auto source dynamic any outside213
nat (Inside4,outside) after-auto source dynamic any outside213
nat (Inside5,outside) after-auto source dynamic any outside213
nat (Inside6,outside) after-auto source dynamic any outside213
nat (Inside7,outside) after-auto source dynamic any outside213
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.101.0 255.255.255.0 HOST1
http ***.***.***.*** 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart



See where it says:
object network Studio1
 nat (any,outside) static interface service udp 6000 6000

If I change that to udp/6000-6003 it says "any", so I guess I'm doing something wrong there.
Question by:anvendarnamn
5 Comments
 
LVL 11

Expert Comment

by:diprajbasu
ID: 37800368
I am providing the help in general UTM/firewall terms

for other UTMs (I think ASA is considered a firewall).....

create a UDP service for ports 6000-6003, meaning the source port should be 1024:65535 and the destination port would be 6000-6003
if you want to perform the activity for a particular system, then create a host for that system, meaning create a name with the IP address

create a policy from the host (that you have created) to the internet, or host to any, and allow the UDP service you have created.

you can create a to-and-fro (meaning vice-versa) policy.

just have a try....
 
LVL 15

Expert Comment

by:max_the_king
ID: 37800962
Hi,
I do not understand why you named the VLAN1 interface "HOST1", with security level 100, which you'd rather name "inside" as the default and common practice.
You may want to change that, although the error may be in the nat statement:


object network Studio1
host 192.168.101.11
nat (HOST1,outside) static interface service udp 6000 6000
nat (HOST1,outside) static interface service udp 6001 6001
nat (HOST1,outside) static interface service udp 6002 6002
nat (HOST1,outside) static interface service udp 6003 6003

in place of :

object network Studio1
 nat (any,outside) static interface service udp 6000 6000

Should you want to change the name of the interface, do it before the nat command:

int vlan1
no nameif HOST1
nameif inside

and change the above nat statements accordingly (inside in place of HOST1)

Hope this helps
max
 

Author Comment

by:anvendarnamn
ID: 37801603
This is solved. Don't put any more energy into this. Will come back about the points soon.
 

Accepted Solution

by:
anvendarnamn earned 0 total points
ID: 37860810
I ended up doing it without using a range of ports and made one at a time. Thanks for your answers though.
Not sure if I should remove this question or give out points...?
 

Author Closing Comment

by:anvendarnamn
ID: 38883759
Don't know if it's possible to open a range of ports, but as I didn't have time to look for a way to do this, I just made a rule for every port.
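Added example, not taken from the question or from any of the answers above: the two ways the Studio1 forward can be written in ASA 8.4 syntax, using the object and interface names from the posted config (Studio1, HOST1, outside, 192.168.101.11); the per-port object names and the service object name are made up here. Two facts shape it. Since ASA 8.3 an ACL matches the real (inside) address, so the existing line `access-list outside_access_in extended permit udp any object Studio1 range 6000 6003` already covers the whole range and does not need to change. And a network object can carry only one `nat` statement; a second `nat` line entered under the same object replaces the first instead of adding to it, which is why the one-rule-per-port approach the asker settled on needs one network object per port. The twice NAT variant is written from the documented 8.4 syntax for port ranges rather than from a lab run on 8.4(2), so treat it as an assumption to verify with `show nat detail` and `packet-tracer` before relying on it. Apply only one of the two options.

```cisco
! Added example (not from the original question or answers). Names Studio1,
! HOST1, outside and 192.168.101.11 come from the posted config; the
! per-port object names and Studio1_udp_range are invented for this example.
!
! Step 0: remove the existing single-port rule that hangs off Studio1, since
! a network object can hold only one nat statement.
object network Studio1
 no nat (any,outside) static interface service udp 6000 6000
!
! --- Option A: one static PAT per port (what the asker ended up doing) ---
! Each port needs its own network object, all pointing at the same host.
! The real interface is named explicitly (HOST1) instead of "any".
object network Studio1_udp6000
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6000 6000
object network Studio1_udp6001
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6001 6001
object network Studio1_udp6002
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6002 6002
object network Studio1_udp6003
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6003 6003
!
! --- Option B: one twice NAT rule for the whole range (assumed, not lab-tested) ---
! Object NAT accepts only a single port after "service", so a range has to be
! expressed as a service object referenced from a manual (twice) NAT rule.
! The range is declared as a *source* port because the service objects in a
! twice NAT rule describe the real host, and 6000-6003 is where that host
! listens (its source port on replies).
object service Studio1_udp_range
 service udp source range 6000 6003
nat (HOST1,outside) source static Studio1 interface service Studio1_udp_range Studio1_udp_range
!
! The ACL is unchanged in either option: since 8.3 it matches the real
! address, and the existing line already permits the full range:
!   access-list outside_access_in extended permit udp any object Studio1 range 6000 6003
!
! Verification (replace <outside-ip> with the real outside interface address):
!   show nat detail
!   packet-tracer input outside udp 203.0.113.5 40000 <outside-ip> 6001
! The trace should end with "Action: allow" and its NAT phase should show
! <outside-ip>/6001 translated to 192.168.101.11/6001. A second probe for
! port 6004 should be dropped, which confirms the rule is no wider than the range.
```

Option A is the safer choice on a box already running per-port rules, because each object is independent and `show nat` lists them one per line, making it obvious which port is missing if one stops working. Option B is shorter, but a mistake in the service object silently widens or narrows the whole forward, so check it with packet-tracer for one port inside the range and one just outside it.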
