Unable to forward port 443 on Cisco ASA 5510

Posted on 2013-06-20
Last Modified: 2013-06-21
I have a client with an ASA 5510. He has a range of public IP numbers and previously had his Exchange configured for one of them (155). The ASA 5510 has a static IP on the outside interface (153). He had some issues with emails being rejected due to the reverse lookup not matching, so he changed his MX record to point to 153. We can bind port 25 on the outside interface, but we cannot bind port 443 - it gives an error that the port is already bound. But I cannot locate where it is bound. There is no ASDM access configured for the outside.

We are hoping to resolve this issue as soon as possible. Thanks in advance for your help.
Question by:fisher_king
LVL 8

Assisted Solution

by:TMekeel
TMekeel earned 100 total points
ID: 39264827
Can you post a sanitized sh run?
Or, if you just do a sh run, is 443 there in an acl or anywhere else?

Author Comment

by:fisher_king
ID: 39264843
I don't have access to the config right now. The only thing I saw for 443 in the config was related to SSL. I assume they used to use SSL when they had the ASDM open to the outside for access. There is definitely not anything in an ACL.

Thanks
LVL 17

Expert Comment

by:lruiz52
ID: 39265061
The issue is that under Management Access, ASDM access is granted on the outside interface. Since ASDM runs over HTTPS, it gives you the error that the port is already bound. As soon as you remove that rule you should be able to create your NAT without issues.

Author Comment

by:fisher_king
ID: 39265137
I have already disabled ASDM access on the outside interface.
LVL 25

Accepted Solution

by:Cyclops3590
Cyclops3590 earned 400 total points
ID: 39265593
If you have CLI access, try a packet-tracer:

Example:

packet-tracer input outside tcp 4.4.4.4 1024 1.2.3.153 443 detailed

Switch out 1.2.3.153 with the IP you want to use. This simulates a packet going into the outside interface with those IP/port values. It displays the results of each phase of evaluation the packet goes through. If there is a NAT rule that already uses 443, then this will tell you which rule it is.

Author Comment

by:fisher_king
ID: 39266978
My client accessed https on the interface IP and got to SSL VPN Service. I assume they have webvpn set up, but I missed it in the config. He is going to run the packet tracer and let me know.

I do not think the webvpn is currently in use, but also wonder about configuring the exchange server to use a different IP for outgoing traffic. I started a new question here:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_28164279.html

I'll post back after the packet trace. Thanks

Author Comment

by:fisher_king
ID: 39266995
Result of packet trace
Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   XX.XXX.165.153  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x6a2020e0, priority=119, domain=permit, deny=false
                hits=655, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0

Phase: 4
Type: MGMT-TCP-INTERCEPT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc47b0, priority=0, domain=mgmt-tcp-intercept, deny=false
                hits=660, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc51b0, priority=0, domain=permit-ip-option, deny=true
                hits=121882, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop XX.XXX.165.129 using egress ifc outside
adjacency Active
next-hop mac address 0000.5e00.0173 hits 324474

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

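As an added illustration (not part of this thread), a small Python parser that walks a packet-tracer dump like the one above and reports the signs that the ASA itself is terminating the port rather than forwarding it. The sample trace is constructed from the posted output, and the three heuristics (an implicit non-ACL permit for the port, a MGMT-TCP-INTERCEPT phase, and an identity egress interface) are the editor's reading of that trace, not an official Cisco decoder.

```python
import re

# Constructed sample, abridged from the packet-tracer output posted in this thread
# (the destination is the ASA's own outside interface IP, port 443).
SAMPLE_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x6a2020e0, priority=119, domain=permit, deny=false
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0

Phase: 4
Type: MGMT-TCP-INTERCEPT
Subtype:
Result: ALLOW

Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: allow
"""

# A phase runs from its "Phase: N" line to the next phase or to the final bare "Result:" line.
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\n(.*?)(?=^Phase: |^Result:$|\Z)", re.M | re.S)

def parse_phases(trace):
    """Return [(number, type, body)] for every phase in a packet-tracer dump."""
    return [(int(n), t, body) for n, t, body in PHASE_RE.findall(trace)]

def to_the_box_reasons(trace, port):
    """List the signs that a packet to `port` is consumed by the ASA itself rather than forwarded.
    The heuristics are an interpretation of the trace above, not an official Cisco decoder; an
    empty list means nothing in the trace claims the port for the device itself."""
    reasons = []
    for num, ptype, body in parse_phases(trace):
        if ptype == "ACCESS-LIST" and "Implicit Rule" in body and re.search(rf"dst ip=.*\bport={port}\b", body):
            reasons.append(f"phase {num}: implicit permit for port {port} with no ACL involved, a device service (webvpn/ASDM) owns it")
        elif ptype == "MGMT-TCP-INTERCEPT":
            reasons.append(f"phase {num}: packet handed to the management plane")
    egress = re.search(r"^output-interface: (.+)$", trace, re.M)
    if egress and "Identity" in egress.group(1):
        reasons.append(f"egress '{egress.group(1).strip()}' is the identity interface: the firewall terminates the flow")
    return reasons
```

A trace for a working static PAT would instead show a NAT phase and a real egress interface (e.g. inside), and the function returns an empty list.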
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 400 total points
ID: 39267006
If it came up with the WebVPN page, you have your answer as to why you can't static PAT that port.

Author Comment

by:fisher_king
ID: 39267021
I figured that out also. Thanks