• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1249
  • Last Modified:

Unable to forward port 443 on Cisco ASA 5510

I have a client with an ASA 5510. He has a range of public IP numbers and previously had his Exchange configured for one of them (155). The ASA 5510 has a static IP on the outside interface (153). He had some issues with emails being rejected due to the reverse lookup not matching, so he changed his MX record to point to 153. We can bind port 25 on the outside interface, but we cannot bind port 443 - it gives an error that the port is already bound. But I cannot locate where it is bound. There is no ASDM access configured for the outside.

We are hoping to resolve this issue as soon as possible. Thanks in advance for your help.
0
Asked by: fisher_king
3 Solutions
 
TMekeelCommented:
Can you post a sanitized sh run?
Or, if you just do a sh run, is 443 there in an acl or anywhere else?
0
 
fisher_kingAuthor Commented:
I don't have access to the config right now. The only thing I saw for 443 in the config was related to SSL. I assume they used to use SSL when they had the ASDM open to the outside for access. There is definitely not anything in an ACL.

Thanks
0
 
lruiz52Commented:
The issue is that under Management access, ASDM access is granted on the Outside interface. Since ASDM runs over HTTPS it gives you the error that the port is already bound. As soon as you removed that rule you should be able to create your NAT without issues.
0
 
fisher_kingAuthor Commented:
I have already disabled ASDM access on the outside interface.
0
 
Cyclops3590Commented:
If you have CLI access, try a packet-tracer:

Example:

packet-tracer input outside tcp 4.4.4.4 1024 1.2.3.153 443 detailed

Switch out 1.2.3.153 with the IP you want to use. This simulates a packet going into the outside interface with those IP/port values. It displays the results of each phase of evaluation the packet goes through. If there is a NAT rule that already uses 443 then this will tell you which rule it is.
0
 
fisher_kingAuthor Commented:
My client accessed https on the interface IP and got to SSL VPN Service. I assume they have webvpn set up, but I missed it in the config. He is going to run the packet tracer and let me know.

I do not think the webvpn is currently in use, but also wonder about configuring the exchange server to use a different IP for outgoing traffic. I started a new question here:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_28164279.html

I'll post back after the packet trace. Thanks
0
 
fisher_kingAuthor Commented:
Result of packet trace:
Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   XX.XXX.165.153  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x6a2020e0, priority=119, domain=permit, deny=false
                hits=655, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0

Phase: 4
Type: MGMT-TCP-INTERCEPT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc47b0, priority=0, domain=mgmt-tcp-intercept, deny=false
                hits=660, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc51b0, priority=0, domain=permit-ip-option, deny=true
                hits=121882, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop XX.XXX.165.129 using egress ifc outside
adjacency Active
next-hop mac address 0000.5e00.0173 hits 324474

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

0
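A small parser for packet-tracer output, added here as an illustration and not code from the thread or from Cisco. It flags the two signs in the trace above that the ASA itself is answering on 443 (a MGMT-TCP-INTERCEPT phase and an egress of "NP Identity Ifc", the firewall's own identity interface), which is what prevents a static PAT from binding that port. The embedded sample is a trimmed, constructed copy of the posted trace.

```python
import re

# Constructed sample, trimmed from the packet-tracer output in the thread;
# addresses and rule ids are placeholders, not real ones.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Forward Flow based lookup yields rule:
in  id=0x6a2020e0, priority=119, domain=permit, deny=false
                dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0

Phase: 4
Type: MGMT-TCP-INTERCEPT
Result: ALLOW
in  id=0x69dc47b0, priority=0, domain=mgmt-tcp-intercept, deny=false

Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: allow
"""


def parse_trace(text):
    """Split packet-tracer output into a list of phases and the final verdict."""
    phases, verdict = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            fields = dict(l.split(": ", 1) for l in lines if ": " in l)
            phases.append({"phase": int(fields["Phase"]), "type": fields["Type"],
                           "result": fields.get("Result", ""),
                           "domains": re.findall(r"domain=([\w-]+)", block)})
        elif lines[0].startswith("Result:"):
            verdict = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return phases, verdict


def diagnose(text):
    """Say whether the flow is forwarded or consumed by a service on the ASA."""
    phases, verdict = parse_trace(text)
    # "NP Identity Ifc" as egress means the packet is destined to the box itself.
    on_box = verdict.get("output-interface") == "NP Identity Ifc"
    intercepts = [p["type"] for p in phases if "mgmt-tcp-intercept" in p["domains"]]
    if on_box:
        return ("terminated-on-asa", intercepts)
    return ("forwarded", [verdict.get("output-interface", "")])
```

When a trace ends in "terminated-on-asa", look for the management service (ASDM, WebVPN) listening on that port rather than for a competing NAT rule.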
 
Cyclops3590Commented:
If it came up with the web VPN page, you have your answer as to why you can't static PAT that port.
0
 
fisher_kingAuthor Commented:
I figured that out also. Thanks
0
