Solved

Unable to forward port 443 on Cisco ASA 5510

Posted on 2013-06-20
9
1,156 Views
Last Modified: 2013-06-21
I have a client with an ASA 5510. He has a range of public IP numbers and previously had his Exchange configured for one of them (155). The ASA 5510 has a static IP on the outside interface (153). He had some issues with emails being rejected due to the reverse lookup not matching, so he changed his MX record to point to 153. We can bind port 25 on the outside interface, but we cannot bind port 443 - it gives an error that the port is already bound. But I cannot locate where it is bound. There is no ASDM access configured for the outside.

We are hoping to resolve this issue as soon as possible. Thanks in advance for your help.
0
Comment
Question by:fisher_king
9 Comments
 
LVL 8

Assisted Solution

by:TMekeel
TMekeel earned 100 total points
ID: 39264827
Can you post a sanitized sh run?
Or, if you just do a sh run, is 443 there in an acl or anywhere else?
0
 

Author Comment

by:fisher_king
ID: 39264843
I don't have access ot the config right now. The only thing I saw for 443 in the config was related to ssl. I assume they used to use SSL when they had the asdm open to the outside for access. There is definitely not anything in an ACL.

Thanks
0
 
LVL 17

Expert Comment

by:lruiz52
ID: 39265061
The issue is that under Management access, ASDM access is granted on the Outside interface. Since ASDM runs over HTTPS it gives you the error that the port is already bound. As soon as you removed that rule you should be able to create your NAT without issues.
0
 

Author Comment

by:fisher_king
ID: 39265137
I have already disbaled ASDM access on the outside interface.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 400 total points
ID: 39265593
If you have CLI access, try a packet-tracer:

Example:

packet-tracer input outside tcp 4.4.4.4 1024 1.2.3.153 443 detailed

switche out 1.2.3.153 with the IP  you want to use.  This simulates a packet going into the outside interface with those IP/port values.  It displays the results of each phase of evaluation the packet goes thru.  If there is a NAT rule that already uses 443 then this will tell you which rule it is.
0
 

Author Comment

by:fisher_king
ID: 39266978
My client accessed https on the interface IP and got to SSL VPN Service. I assume they have webvpn set up, but I missed it in the config. He is going to run the packet tracer and let me know.

I do not think the webvpn is currently in use, but also wonder about configuring the exchange server to use a different IP for outgoing traffic. I started a new question here:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_28164279.html

I'll post back after the packet trace. Thanks
0
 

Author Comment

by:fisher_king
ID: 39266995
Result of packet trace
Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   XX.XXX.165.153  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x6a2020e0, priority=119, domain=permit, deny=false
                hits=655, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0

Phase: 4
Type: MGMT-TCP-INTERCEPT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc47b0, priority=0, domain=mgmt-tcp-intercept, deny=false
                hits=660, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc51b0, priority=0, domain=permit-ip-option, deny=true
                hits=121882, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop XX.XXX.165.129 using egress ifc outside
adjacency Active
next-hop mac address 0000.5e00.0173 hits 324474

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

Open in new window

0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 400 total points
ID: 39267006
if it came up with the web vpn page, you have your answer as to why you can't static pat that port
0
 

Author Comment

by:fisher_king
ID: 39267021
I figured that out also. Thanks
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now