anvendarnamn asked:
Open port range Cisco ASA5505

Hi, I have some problems opening UDP ports 6000-6003 to a computer on the inside. I think the problem is my NAT, because I don't get how to make it for the range 6000-6003. I will just post most of the running config and see if you can tell me where I'm failing.
ASA ver: 8.4(2)
ASDM: 6.4(5)


Result of the command: "sh ru"

: Saved
:
ASA Version 8.4(2) 
!
hostname HOST1
enable password ********************* encrypted
passwd ******************** encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 22
!
interface Ethernet0/4
 switchport access vlan 32
!
interface Ethernet0/5
 switchport access vlan 42
!
interface Ethernet0/6
 switchport access vlan 52
!
interface Ethernet0/7
 switchport access vlan 62
!
interface Vlan1
 nameif HOST1
 security-level 100
 ip address 192.168.101.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ***.***.***.211 255.255.255.248 
!
interface Vlan12
 nameif Naive
 security-level 100
 ip address 192.168.121.1 255.255.255.0 
!
interface Vlan22
 nameif Inside3
 security-level 100
 ip address 192.168.131.1 255.255.255.0 
!
interface Vlan32
 nameif Inside4
 security-level 100
 ip address 192.168.141.1 255.255.255.0 
!
interface Vlan42
 nameif Inside5
 security-level 100
 ip address 192.168.151.1 255.255.255.0 
!
interface Vlan52
 nameif Inside6
 security-level 100
 ip address 192.168.161.1 255.255.255.0 
!
interface Vlan62
 nameif Inside7
 security-level 100
 ip address 192.168.171.1 255.255.255.0 
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network outside212
 host ***.***.***.212
 description ***.***.***.212
object network outside213
 host ***.***.***.213
 description ***.***.***.213
object network outside214
 host ***.***.***.214
 description ***.***.***.214
object network FTP_mot_servern
 host 192.168.101.50
 description Server
object network HTTP_mot_servern
 host 192.168.101.50
object network VNC_mot_servern
 host 192.168.101.50
object network Server
 host 192.168.101.50
object network Studio1
 host 192.168.101.11
object network Studio2
 host 192.168.101.12
object network Studio3
 host 192.168.101.13
object network Studio4
 host 192.168.101.14
object network Studio5
 host 192.168.101.15
object network Studio6
 host 192.168.101.16
access-list outside_access_in remark VNC mot servern
access-list outside_access_in extended permit tcp any object Server eq 5900 
access-list outside_access_in remark HTTP mot servern
access-list outside_access_in extended permit tcp any object Server eq www 
access-list outside_access_in remark FTP mot servern
access-list outside_access_in extended permit tcp any object Server eq ftp 
access-list outside_access_in extended permit udp any object Studio1 range 6000 6003 
access-list outside_access_in extended permit udp any object Studio2 range 8000 8003 
access-list outside_access_in extended permit udp any object Studio3 range 7000 7003 
pager lines 24
logging enable
logging asdm informational
mtu HOST1 1500
mtu outside 1500
mtu Naive 1500
mtu Inside3 1500
mtu Inside4 1500
mtu Inside5 1500
mtu Inside6 1500
mtu Inside7 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (HOST1,outside) dynamic interface
object network FTP_mot_servern
 nat (any,outside) static interface service tcp ftp ftp 
object network HTTP_mot_servern
 nat (any,outside) static interface service tcp www www 
object network VNC_mot_servern
 nat (any,outside) static interface service tcp 5900 5900 
object network Studio1
 nat (any,outside) static interface service udp 6000 6000 
object network Studio2
 nat (any,outside) static interface service udp 8000 8000 
object network Studio3
 nat (any,outside) static interface service udp 7000 7000 
!
nat (HOST1,outside) after-auto source dynamic any interface
nat (Naive,outside) after-auto source dynamic any outside212
nat (Inside3,outside) after-auto source dynamic any outside213
nat (Inside4,outside) after-auto source dynamic any outside213
nat (Inside5,outside) after-auto source dynamic any outside213
nat (Inside6,outside) after-auto source dynamic any outside213
nat (Inside7,outside) after-auto source dynamic any outside213
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.101.0 255.255.255.0 HOST1
http ***.***.***.*** 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart



See where it says:
object network Studio1
 nat (any,outside) static interface service udp 6000 6000

If I change that to udp/6000-6003 it says "any", so I guess I'm doing something wrong there.
DIPRAJ

I am providing help in general for UTM/firewall.

For other UTMs (I think the ASA counts as a firewall):

Create a UDP service for ports 6000-6003, meaning the source port should be 1024:65535 and the destination port should be 6000-6003.
If you want to perform the activity for a particular system, then create a host for that system, meaning create a name with the IP address.

Create a policy from the host (that you have created) to the internet, or host to any, and allow the UDP service you have created.

You can create to-and-fro (i.e. vice versa) policies.

Just have a try.
max_the_king

Hi,
I do not understand why you named the VLAN1 interface "HOST1", with security level 100; you would rather name it "inside", as is the default and common practice.
You may want to change that, although the error may be in the nat statement:


object network Studio1
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6000 6000
 nat (HOST1,outside) static interface service udp 6001 6001
 nat (HOST1,outside) static interface service udp 6002 6002
 nat (HOST1,outside) static interface service udp 6003 6003

in place of:

object network Studio1
 nat (any,outside) static interface service udp 6000 6000

Should you want to change the name of the interface, do it before the nat command:

int vlan1
 no nameif HOST1
 nameif inside

and change the above nat statements accordingly (inside in place of HOST1).

Hope this helps,
max
anvendarnamn (ASKER)

This is solved. Don't put any more energy into this. I will come back about the points soon.
ASKER CERTIFIED SOLUTION
anvendarnamn

Don't know if it's possible to open a range of ports, but as I didn't have time to look for a way to do this, I just made a rule for every port.
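The "one rule per port" approach from the accepted solution, written out in full as an added example (not config from the original thread). It reuses the object, interface and host names from the posted running config (Studio1, HOST1, outside, 192.168.101.11); the extra object names (Studio1_udp6001 and so on) and the packet-tracer source address 203.0.113.5 / source port 40000 are made up for this example. The reason separate objects are needed: on ASA 8.3 and later a network object can carry only one object-NAT `nat` statement, so stacking four `nat ... service udp` lines under a single object does not give four port forwards. The single access-list entry with `range 6000 6003` that is already in the config can stay, because post-8.3 ACLs are matched against the real (untranslated) address.

```cisco
! One network object per forwarded UDP port, all pointing at the same real host.
! (Added example: the Studio1_udpNNNN object names are invented for this post.)
object network Studio1
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6000 6000
object network Studio1_udp6001
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6001 6001
object network Studio1_udp6002
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6002 6002
object network Studio1_udp6003
 host 192.168.101.11
 nat (HOST1,outside) static interface service udp 6003 6003
!
! The ACL entry already present in the posted config covers the whole range
! on the real address. Replace "any" with the known peer address(es) if the
! sender is fixed, so the ports are not reachable from the whole internet.
access-list outside_access_in extended permit udp any object Studio1 range 6000 6003
!
! Verification: confirm each port shows up as its own static xlate, then
! trace an inbound packet per port. Replace <outside-ip> with the outside
! interface address (the .211 address in the posted config); 203.0.113.5
! and port 40000 stand in for an arbitrary external sender.
show nat detail
show xlate
packet-tracer input outside udp 203.0.113.5 40000 <outside-ip> 6001
```

The packet-tracer output should end with "Action: allow" and show a NAT phase translating <outside-ip>:6001 to 192.168.101.11:6001; a "drop" in the NAT or ACL phase points at the statement that still needs fixing. Using `(HOST1,outside)` instead of the asker's `(any,outside)` ties the rule to the interface the host actually sits behind, which is the tighter choice.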