Cisco ASA 5510 - Open port 5223

We are working with a vendor and have installed a program that needs to be able to talk to their server and have the server talk back. To do this, I need to open port 5223 on our firewall and allow the vendors IP access on 5223 to an entire subnet 10.1.20.0/24.

I created an access rule in the ASA (from the GUI as that's what I am familair with) with the Source of the Vendors IP on the Outside Interface and a destination of the 10.1.20.0/24 network and a service of TCP 5223. I must either have this wrong or be missing something because it is not working. If I run the packet tracer it says the packet is dropped. Any help?
LVL 2
Kevin LitmanNetwork AdministratorAsked:
Who is Participating?
 
smckeown777Connect With a Mentor Commented:
Generally I create nat like this(note this is 8.2 code - not sure what version you are on)

static (inside,outside) tcp interface 5223 192.168.1.3 5223 netmask 255.255.255.255

Where 192.168.1.3 is my inside host...that works for me on port 5223 with my acl setup like I said before...
0
 
smckeown777Commented:
Destination needs to be ANY on the ACL...not 10.1.20.0/24

Then you setup a NAT rule to forward the 5223 to your internal host server...
0
 
Kevin LitmanNetwork AdministratorAuthor Commented:
Fixed the ACL but for the NAT would I create a Static NAT with the Source of my inside host and the translated the vendor server IP on the outside interface?
0
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

 
fgasimzadeCommented:
You would also need to configure an access list on outside interface to permit traffic from outside to inside host

If you could post your config, it would be more helpful
0
 
Kevin LitmanNetwork AdministratorAuthor Commented:
This is what I have:

ACL
access-list Outside-ISP1_access_in extended permit tcp host RemoteServerIP any 5223

NAT
static (Inside,Outside-ISP1) tcp interface 5223 10.1.12.55 5223 netmask 255.255.255.255

10.1.12.55 is the inside address the remote server needs to communicate with on 5223
0
 
fgasimzadeCommented:
Silly question - did you apply this access list to your outside interface?
0
 
smckeown777Commented:
I assume that isn't working then?
What version have you?

sh run - run this command on the asa, at the top of the output it will show 8.2/8.4 or something...
0
 
fgasimzadeCommented:
You can also try packet tracer to see which stage is blocking connection

packet-tracer input outside tcp ipaddress_remote_host 5223 10.1.12.55 5223
0
 
Kevin LitmanNetwork AdministratorAuthor Commented:
We are running 8.2. Yes, it's applied to the outside interface.

Attached is the result of the Packet Tracer.
PacketTracker.JPG
0
 
smckeown777Commented:
Have you that ACL entry typed correctly?

access-list Outside-ISP1_access_in extended permit tcp host RemoteServerIP any 5223

Should be
access-list Outside-ISP1_access_in extended permit tcp host RemoteServerIP any eq 5223

Check your config, maybe its a typo but only thing i see that might be wrong(course if its accepted the command like that I'm not sure)
0
 
fgasimzadeCommented:
Can you post your config then pls
0
 
Kevin LitmanNetwork AdministratorAuthor Commented:
Sorry, I have an object defined for the server and the port. Below is the actual command that was entered.

access-list Outside-ISP1_access_in extended permit tcp host Geotrax_Jabber any object-group jabber_ssl

I cannot post the config, sorry.
0
 
fgasimzadeCommented:
Well, everything looks fine here

If you post your sanitized config, we will get the whole picture. Do you want us to help you?
0
 
Kevin LitmanNetwork AdministratorAuthor Commented:
Let me see what I can do about the config.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.