• Status: Solved
  • Priority: Medium
  • Security: Public

cisco asa open ports

I got this to open ports but I get errors.

ip nat inside source list 101 interface BVI1 overload

error :
ip nat inside source list 101 interface BVI1 overload
   ^
ERROR: % Invalid input detected at '^' marker.

And this way the rest does not work either :

ip nat inside source static udp 10.0.0.15 5060 interface BVI1 5060
ip nat inside source static udp 10.0.0.15 5001 interface BVI1 5001
ip nat inside source static tcp 10.0.0.15 2222 interface BVI1 2222
ip nat inside source static udp 10.0.0.15 1194 interface BVI1 1194
access-list 101 permit udp any host 10.0.0.15 range 49152 53246
Asked: troosters
 
Ernie BeekCommented:
You are on an ASA?
These are IOS commands.......
0
 
troostersAuthor Commented:
What is IOS? And can you maybe help me translate them so they can be used on an ASA (5505)?
0
 
troostersAuthor Commented:
The idea is to do this :

forward qos for ip 10.0.0.15

Udp 5060 -> 10.0.0.15:5060
Udp 49152 - 53246 -> 10.0.0.15( same ports)
Udp 5001 -> 10.0.0.15:5001
Tcp 2222 -> 10.0.0.15:2222
UDP 1194 ->10.0.0.15:1194
0
 
Ernie BeekCommented:
IOS is used on most Cisco switches and routers; ASAs use a different OS.

On an ASA you need something like:

static (inside,outside) tcp interface 5060 10.0.0.15 5060 netmask 255.255.255.255

Also an access list to allow these ports through. You might want to have a look at:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aad.shtml

The configuration depends on the version you have of the ASA.
0
 
troostersAuthor Commented:
Ah ok
I did it like this :
access-list outside_access_in extended permit udp any interface outside eq 5060
static (inside,outside) udp interface 5060 10.0.0.15 5060 netmask 255.255.255.255
access-group outside_access_in in interface outside

So that was ok then?

But how can I open the port RANGE? That I cannot find anymore.
0
 
Ernie BeekCommented:
Ah, a port range you can only use with the access list. With the static you have to create one for every port :-~
BTW, sorry if I sound a bit blunt, doing this from my mobile.......
0
 
Ernie BeekCommented:
Only if you have more than one public, you could assign a public 1:1 to the 10.0.0.15 address. Then you don't need to create a static for every port.
0
 
troostersAuthor Commented:
I tried this :

access-list outside_access_in extended permit udp any host 192.168.254.2 range 49152 53246
static (inside, outside) 192.168.254.2 10.0.0.15 netmask 255.255.255.255
access-group outside_access_in in interface outside

but I got an error :

, outside  ?
0
 
Ernie BeekCommented:
Is that the complete error?
0
 
troostersAuthor Commented:
no :

Result of the command: "access-list outside_access_in extended permit udp any host 192.168.254.2 range 49152 53246"

The command has been sent to the device


Result of the command: "static (inside, outside) 192.168.254.2 10.0.0.15 netmask 255.255.255.255"

static (inside, outside) 192.168.254.2 10.0.0.15 netmask 255.255.255.255
                        ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "access-group outside_access_in in interface outside"

The command has been sent to the device
0
 
Ernie BeekCommented:
There's a space between the comma and `outside`. Remove that and give it another try.
0
 
troostersAuthor Commented:
then I get
Result of the command: "static (inside,outside) 192.168.254.2 10.0.0.15 netmask 255.255.255.255"

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

so I changed it to interface and got the warning:

Result of the command: "static (inside,outside) interface 10.0.0.15 netmask 255.255.255.255"

WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users will not be able to access any service enabled on the outside interface.
0
 
troostersAuthor Commented:
I changed the 192.168.254.2 manually in the access rules to 10.0.0.15
0
 
Ernie BeekCommented:
Well, you're still using the IP of the outside interface and you are now redirecting all traffic to that one inside machine.
What I meant was, use a secondary outside address if you have any. Have a look at the subnet mask on the outside interface to see.

You're also using a private IP on the outside. Is this a test setup or do you have a natting device in front of the ASA?
0
 
troostersAuthor Commented:
No, I only have one public IP address.
The setup is a live one.
There is an ADSL modem with a fixed public IP address. Behind this is the Cisco ASA 5505 and behind that is a VOIP central.

It is now as in the screenshot.
screenshot.png
0
 
Ernie BeekCommented:
Ok, if you only have one outside address then you'll need to add a:

static (inside,outside) tcp interface 5060 10.0.0.15 5060 netmask 255.255.255.255 etc.
line for every port you want to forward :-~
0
 
troostersAuthor Commented:
I checked out another Cisco which I set up, for LYNC, and I saw there I had set it up on Destination: Outside.
For ports 50000-59999.

Would that be better?

It would not be logical to set up 10000 rules, one for every port??
0
 
Ernie BeekCommented:
Was that other cisco an ASA as well? Or was it a router?
0
 
troostersAuthor Commented:
same ASA
and I can see hits on these ports as well
0
 
Ernie BeekCommented:
Could you show me the config (sanitized)?
0
 
troostersAuthor Commented:
how can I best get it to show you
0
 
Ernie BeekCommented:
From a command prompt: wr t
0
 
troostersAuthor Commented:
Result of the command: "wr t"

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasayounity
enable password 4 encrypted
passwd 2 encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 mac-address 9999.11fd.9999
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit udp any host 10.0.0.15 eq 5001
access-list outside_access_in extended permit udp any host 10.0.0.15 eq sip
access-list outside_access_in extended permit udp any host 10.0.0.15 eq 1194
access-list outside_access_in extended permit udp any interface outside eq sip
access-list outside_access_in extended permit udp any interface outside eq 1194
access-list outside_access_in extended permit udp any interface outside eq 5001
access-list outside_access_in extended permit tcp any interface outside eq 2222
access-list outside_access_in extended permit udp any interface outside range 49152 53246
access-list 101 extended permit udp any host 10.0.0.15 range 49152 53246
access-list 101 extended permit udp host 10.0.0.15 range 49152 53246 any
access-list cap extended permit tcp any any eq 5001
access-list cap extended permit tcp any any eq 1194
access-list cap extended permit tcp any any eq 2222
access-list cap extended permit tcp any any eq sip
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface 5001 10.0.0.15 5001 netmask 255.255.255.255
static (inside,outside) udp interface sip 10.0.0.15 sip netmask 255.255.255.255
static (inside,inside) tcp interface 2222 10.0.0.15 2222 netmask 255.255.255.255
static (inside,inside) udp interface 1194 10.0.0.15 1194 netmask 255.255.255.255
static (inside,outside) tcp interface sip 10.0.0.15 sip netmask 255.255.255.255
static (outside,inside) udp interface sip 10.0.0.15 sip netmask 255.255.255.255
static (inside,outside) udp interface 1194 10.0.0.15 1194 netmask 255.255.255.255
static (inside,outside) tcp interface 2222 10.0.0.15 2222 netmask 255.255.255.255
static (inside,outside) interface 10.0.0.15 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd dns 195.238.2.21 195.238.2.22 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
 contact-email-addr test@test.be
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e4792eb2381d3220ec0e312619eb52e
: end
[OK]
0
 
Ernie BeekCommented:
I'm a bit confused. You said: "I checked out another Cisco which I set up, for LYNC" but then you said it was on the same firewall?
0
 
troostersAuthor Commented:
No it is the same model.

And apparently all ports are ok now and they can Phone now as well
0
 
Ernie BeekCommented:
That is correct. Only, due to "static (inside,outside) interface 10.0.0.15 netmask 255.255.255.255" other clients can't connect to the internet anymore.
Like the warning you got said:
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users will not be able to access any service enabled on the outside interface.
0
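The two points made in this thread (a static PAT entry covers one port, so a range needs one line per port, and a bare "static (inside,outside) interface <host>" redirects everything destined to the outside IP) can be checked mechanically. The script below is an added example, not code from the thread; it audits the pre-8.3 static lines from the posted config (embedded as a constructed sample) and emits the per-port lines for the UDP 49152-53246 range.

```python
import re

# Constructed sample: the four kinds of static lines seen in the posted
# ASA 8.2(5) config (one well-formed static PAT, two odd interface pairs,
# and the catch-all interface static that triggered the WARNING).
SAMPLE_CONFIG = """\
static (inside,outside) udp interface 5001 10.0.0.15 5001 netmask 255.255.255.255
static (inside,inside) tcp interface 2222 10.0.0.15 2222 netmask 255.255.255.255
static (outside,inside) udp interface sip 10.0.0.15 sip netmask 255.255.255.255
static (inside,outside) interface 10.0.0.15 netmask 255.255.255.255
"""

# Pre-8.3 'static' has two shapes:
#   static (real,mapped) {tcp|udp} interface MAPPED_PORT REAL_IP REAL_PORT netmask ...  (static PAT)
#   static (real,mapped) {MAPPED_IP|interface} REAL_IP netmask ...                      (one-to-one)
STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+interface\s+\S+\s+(?P<rip>\S+)\s+\S+"
    r"|(?P<mapped_ip>\S+)\s+(?P<rip2>\S+))\s+netmask"
)

def audit_statics(config_text):
    """Return (line, finding) pairs for static lines that deserve a second look."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if not m:
            continue
        real, mapped = m.group("real"), m.group("mapped")
        if (real, mapped) != ("inside", "outside"):
            findings.append((line, f"interface pair ({real},{mapped}) does not map an inside "
                                   "host to the outside interface; probably a typo"))
        if m.group("mapped_ip") == "interface":
            findings.append((line, f"catch-all: every packet to the outside interface IP is "
                                   f"redirected to {m.group('rip2')}, so services on the "
                                   "outside interface itself stop answering"))
    return findings

def static_pat_lines(proto, real_ip, first_port, last_port):
    """One static PAT line per port: with a single public IP a range cannot be
    expressed in one pre-8.3 static (the access-list can carry a range, the
    translation cannot)."""
    return [f"static (inside,outside) {proto} interface {p} {real_ip} {p} netmask 255.255.255.255"
            for p in range(first_port, last_port + 1)]

if __name__ == "__main__":
    for line, why in audit_statics(SAMPLE_CONFIG):
        print(f"{line}\n    -> {why}")
    print(len(static_pat_lines("udp", "10.0.0.15", 49152, 53246)), "lines for the RTP range")
```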
 
troostersAuthor Commented:
yes but I changed the 10.0.0.15 to OUTSIDE

access-list outside_access_in extended permit udp any interface outside range 49152 53246
0
 
Ernie BeekCommented:
Then my previous comment still stands.
If you use this ASA only for VOIP connections to the 10.0.0.15, this shouldn't be a problem. But if you want other clients on the network to connect to the internet through this ASA, that's not going to work this way.
0
 
troostersAuthor Commented:
It was a problem on the modem
0
