Solved

Unable to forward port 443 on Cisco ASA 5510

Posted on 2013-06-20
Last Modified: 2013-06-21
I have a client with an ASA 5510. He has a range of public IP numbers and previously had his Exchange configured for one of them (155). The ASA 5510 has a static IP on the outside interface (153). He had some issues with emails being rejected due to the reverse lookup not matching, so he changed his MX record to point to 153. We can bind port 25 on the outside interface, but we cannot bind port 443 - it gives an error that the port is already bound. But I cannot locate where it is bound. There is no ASDM access configured for the outside.

We are hoping to resolve this issue as soon as possible. Thanks in advance for your help.
0
Question by:fisher_king
9 Comments
 
LVL 8

Assisted Solution

by:TMekeel
TMekeel earned 100 total points
ID: 39264827
Can you post a sanitized sh run?
Or, if you just do a sh run, is 443 there in an acl or anywhere else?
0
 

Author Comment

by:fisher_king
ID: 39264843
I don't have access to the config right now. The only thing I saw for 443 in the config was related to SSL. I assume they used to use SSL when they had the ASDM open to the outside for access. There is definitely not anything in an ACL.

Thanks
0
 
LVL 17

Expert Comment

by:lruiz52
ID: 39265061
The issue is that under Management access, ASDM access is granted on the Outside interface. Since ASDM runs over HTTPS it gives you the error that the port is already bound. As soon as you removed that rule you should be able to create your NAT without issues.
0
 

Author Comment

by:fisher_king
ID: 39265137
I have already disabled ASDM access on the outside interface.
0
 
LVL 25

Accepted Solution

by:Cyclops3590
Cyclops3590 earned 400 total points
ID: 39265593
If you have CLI access, try a packet-tracer:

Example:

packet-tracer input outside tcp 4.4.4.4 1024 1.2.3.153 443 detailed

Switch out 1.2.3.153 with the IP you want to use. This simulates a packet going into the outside interface with those IP/port values. It displays the results of each phase of evaluation the packet goes through. If there is a NAT rule that already uses 443 then this will tell you which rule it is.
0
 

Author Comment

by:fisher_king
ID: 39266978
My client accessed https on the interface IP and got to SSL VPN Service. I assume they have webvpn set up, but I missed it in the config. He is going to run the packet tracer and let me know.

I do not think the webvpn is currently in use, but also wonder about configuring the exchange server to use a different IP for outgoing traffic. I started a new question here:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_28164279.html

I'll post back after the packet trace. Thanks
0
 

Author Comment

by:fisher_king
ID: 39266995
Result of packet trace:
Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   XX.XXX.165.153  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x6a2020e0, priority=119, domain=permit, deny=false
                hits=655, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0

Phase: 4
Type: MGMT-TCP-INTERCEPT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc47b0, priority=0, domain=mgmt-tcp-intercept, deny=false
                hits=660, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc51b0, priority=0, domain=permit-ip-option, deny=true
                hits=121882, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop XX.XXX.165.129 using egress ifc outside
adjacency Active
next-hop mac address 0000.5e00.0173 hits 324474

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow


0
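The packet-tracer output above is where the answer to both the "port already bound" error and Cyclops3590's suggestion meets: a MGMT-TCP-INTERCEPT phase and an egress on "NP Identity Ifc" mean the ASA itself (ASDM or webvpn) is consuming the port rather than forwarding it, so a static PAT on that port collides. The parser below is an added example, not code from the thread or from Cisco; it reads a constructed, abridged copy of the trace posted above and reports whether the simulated packet terminates on the ASA.

```python
import re

# Constructed sample: an abridged copy of the packet-tracer output posted above.
SAMPLE_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule
Forward Flow based lookup yields rule:
in  id=0x6a2020e0, priority=119, domain=permit, deny=false
                dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0

Phase: 4
Type: MGMT-TCP-INTERCEPT
Result: ALLOW

Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: allow
"""

def _first(pattern, text):
    """Group 1 of the first (multiline) match of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_phases(trace):
    # One dict per "Phase:" block: number, type, result, rule domain, dst port.
    phases = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        head = re.match(r"Phase:\s*(\d+)\s*\nType:\s*(\S+)", block)
        if not head:
            continue  # the trailing "Result:" summary is read by terminates_on_asa
        port = _first(r"dst ip=\S+ mask=\S+ port=(\d+)", block)
        phases.append({"phase": int(head.group(1)), "type": head.group(2),
                       "result": _first(r"^Result:\s*(\S+)", block),
                       "domain": _first(r"domain=([\w-]+)", block),
                       "dst_port": int(port) if port else None})
    return phases

def terminates_on_asa(trace):
    """True when the packet is consumed by the ASA itself rather than forwarded:
    a MGMT-TCP-INTERCEPT phase or egress on 'NP Identity Ifc' means a management
    service (ASDM, webvpn) owns the port, so a static PAT on it is refused."""
    types = {p["type"] for p in parse_phases(trace)}
    egress = re.search(r"^output-interface:\s*(.+?)\s*$", trace, re.M)
    on_identity_ifc = bool(egress) and egress.group(1) == "NP Identity Ifc"
    return "MGMT-TCP-INTERCEPT" in types or on_identity_ifc
```

A trace whose final summary shows a real egress interface (for example "inside") and no MGMT-TCP-INTERCEPT phase is being forwarded, and the phase list will then point at the NAT or ACL rule that handles it.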
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 400 total points
ID: 39267006
If it came up with the web VPN page, you have your answer as to why you can't static PAT that port.
0
 

Author Comment

by:fisher_king
ID: 39267021
I figured that out also. Thanks
0
