Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cisco ASA 5510 - Open port 5223

Posted on 2013-05-21
14
Medium Priority
?
617 Views
Last Modified: 2013-06-12
We are working with a vendor and have installed a program that needs to be able to talk to their server and have the server talk back. To do this, I need to open port 5223 on our firewall and allow the vendors IP access on 5223 to an entire subnet 10.1.20.0/24.

I created an access rule in the ASA (from the GUI as that's what I am familair with) with the Source of the Vendors IP on the Outside Interface and a destination of the 10.1.20.0/24 network and a service of TCP 5223. I must either have this wrong or be missing something because it is not working. If I run the packet tracer it says the packet is dropped. Any help?
0
Comment
Question by:Kevin Litman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 4
14 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 39185537
Destination needs to be ANY on the ACL...not 10.1.20.0/24

Then you setup a NAT rule to forward the 5223 to your internal host server...
0
 
LVL 2

Author Comment

by:Kevin Litman
ID: 39185559
Fixed the ACL but for the NAT would I create a Static NAT with the Source of my inside host and the translated the vendor server IP on the outside interface?
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 2000 total points
ID: 39185570
Generally I create nat like this(note this is 8.2 code - not sure what version you are on)

static (inside,outside) tcp interface 5223 192.168.1.3 5223 netmask 255.255.255.255

Where 192.168.1.3 is my inside host...that works for me on port 5223 with my acl setup like I said before...
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187130
You would also need to configure an access list on outside interface to permit traffic from outside to inside host

If you could post your config, it would be more helpful
0
 
LVL 2

Author Comment

by:Kevin Litman
ID: 39187191
This is what I have:

ACL
access-list Outside-ISP1_access_in extended permit tcp host RemoteServerIP any 5223

NAT
static (Inside,Outside-ISP1) tcp interface 5223 10.1.12.55 5223 netmask 255.255.255.255

10.1.12.55 is the inside address the remote server needs to communicate with on 5223
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187199
Silly question - did you apply this access list to your outside interface?
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39187200
I assume that isn't working then?
What version have you?

sh run - run this command on the asa, at the top of the output it will show 8.2/8.4 or something...
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187204
You can also try packet tracer to see which stage is blocking connection

packet-tracer input outside tcp ipaddress_remote_host 5223 10.1.12.55 5223
0
 
LVL 2

Author Comment

by:Kevin Litman
ID: 39187221
We are running 8.2. Yes, it's applied to the outside interface.

Attached is the result of the Packet Tracer.
PacketTracker.JPG
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39187271
Have you that ACL entry typed correctly?

access-list Outside-ISP1_access_in extended permit tcp host RemoteServerIP any 5223

Should be
access-list Outside-ISP1_access_in extended permit tcp host RemoteServerIP any eq 5223

Check your config, maybe its a typo but only thing i see that might be wrong(course if its accepted the command like that I'm not sure)
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187293
Can you post your config then pls
0
 
LVL 2

Author Comment

by:Kevin Litman
ID: 39187297
Sorry, I have an object defined for the server and the port. Below is the actual command that was entered.

access-list Outside-ISP1_access_in extended permit tcp host Geotrax_Jabber any object-group jabber_ssl

I cannot post the config, sorry.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 39187366
Well, everything looks fine here

If you post your sanitized config, we will get the whole picture. Do you want us to help you?
0
 
LVL 2

Author Comment

by:Kevin Litman
ID: 39187427
Let me see what I can do about the config.
0

Featured Post

Enroll in October's Free Course of the Month

Do you work with and analyze data? Enroll in October's Course of the Month for 7+ hours of SQL training, allowing you to quickly and efficiently store or retrieve data. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question