Solved

Unable to forward port 443 on Cisco ASA 5510

Posted on 2013-06-20
Last Modified: 2013-06-21
I have a client with an ASA 5510. He has a range of public IP numbers and previously had his Exchange configured for one of them (155). The ASA 5510 has a static IP on the outside interface (153). He had some issues with emails being rejected due to the reverse lookup not matching, so he changed his MX record to point to 153. We can bind port 25 on the outside interface, but we cannot bind port 443 - it gives an error that the port is already bound. But I cannot locate where it is bound. There is no ASDM access configured for the outside.

We are hoping to resolve this issue as soon as possible. Thanks in advance for your help.
Question by:fisher_king
9 Comments
 
LVL 8

Assisted Solution

by:TMekeel
TMekeel earned 400 total points
ID: 39264827
Can you post a sanitized sh run?
Or, if you just do a sh run, is 443 there in an acl or anywhere else?
 

Author Comment

by:fisher_king
ID: 39264843
I don't have access to the config right now. The only thing I saw for 443 in the config was related to SSL. I assume they used to use SSL when they had the ASDM open to the outside for access. There is definitely not anything in an ACL.

Thanks
 
LVL 17

Expert Comment

by:lruiz52
ID: 39265061
The issue is that under Management Access, ASDM access is granted on the outside interface. Since ASDM runs over HTTPS, it gives you the error that the port is already bound. As soon as you remove that rule you should be able to create your NAT without issues.

Author Comment

by:fisher_king
ID: 39265137
I have already disabled ASDM access on the outside interface.
 
LVL 25

Accepted Solution

by:Cyclops3590
Cyclops3590 earned 1600 total points
ID: 39265593
If you have CLI access, try a packet-tracer:

Example:

packet-tracer input outside tcp 4.4.4.4 1024 1.2.3.153 443 detailed

Switch out 1.2.3.153 with the IP you want to use. This simulates a packet going into the outside interface with those IP/port values. It displays the results of each phase of evaluation the packet goes through. If there is a NAT rule that already uses 443, this will tell you which rule it is.
 

Author Comment

by:fisher_king
ID: 39266978
My client accessed https on the interface IP and got to SSL VPN Service. I assume they have webvpn set up, but I missed it in the config. He is going to run the packet tracer and let me know.

I do not think the webvpn is currently in use, but also wonder about configuring the exchange server to use a different IP for outgoing traffic. I started a new question here:

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_28164279.html

I'll post back after the packet trace. Thanks
 

Author Comment

by:fisher_king
ID: 39266995
Result of packet trace
Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   XX.XXX.165.153  255.255.255.255 identity

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x6a2020e0, priority=119, domain=permit, deny=false
                hits=655, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0

Phase: 4
Type: MGMT-TCP-INTERCEPT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc47b0, priority=0, domain=mgmt-tcp-intercept, deny=false
                hits=660, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=6
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc51b0, priority=0, domain=permit-ip-option, deny=true
                hits=121882, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop XX.XXX.165.129 using egress ifc outside
adjacency Active
next-hop mac address 0000.5e00.0173 hits 324474

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 1600 total points
ID: 39267006
If it came up with the WebVPN page, you have your answer as to why you can't static PAT that port.
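The two comments above (the packet-tracer suggestion and the trace the client posted) call for one worked example, so it sits here rather than inside either comment. What follows is an added example by the editor, not code from the thread or from Cisco: a small parser for `packet-tracer ... detailed` output that reports who already owns the traced IP:port. It is driven by two constructed traces, one shaped like the thread's real output (the box itself answers on 443, so the summary shows `output-interface: NP Identity Ifc`) and one showing the other outcome the accepted answer describes, an existing static PAT surfacing as an `UN-NAT` phase. The addresses (203.0.113.153, 192.0.2.10) are documentation addresses standing in for the client's, and the object name `OWA-SERVER` is hypothetical.

```python
import re

# Constructed sample, shaped like the `packet-tracer ... detailed` output in the
# thread: the ASA's own SSL listener (WebVPN/ASDM) answers on the outside IP, so the
# packet never leaves the box. 203.0.113.153 stands in for the real outside IP.
TRACE_TO_THE_BOX = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   203.0.113.153  255.255.255.255 identity

Phase: 4
Type: MGMT-TCP-INTERCEPT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x69dc47b0, priority=0, domain=mgmt-tcp-intercept, deny=false

Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: allow
"""

# Constructed sample of the other outcome: a static PAT already claims tcp/443, so the
# trace carries an UN-NAT phase whose Config lines name the rule (hypothetical object).
TRACE_STATIC_PAT = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network OWA-SERVER
 nat (inside,outside) static interface service tcp https https
Additional Information:
Untranslate 203.0.113.153/443 to 192.0.2.10/443

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

FIELDS = {"Type": "type", "Subtype": "subtype", "Result": "result"}
SECTIONS = {"Config": "config", "Additional Information": "info"}


def parse_trace(trace):
    """Split packet-tracer output into a list of phase dicts and the final summary dict."""
    phases, summary = [], {}
    cur, section = None, None          # section: "config", "info" or "summary"
    for raw in trace.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = re.match(r"Phase:\s*(\d+)\s*$", line)
        if m:                           # a new phase header
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
            continue
        if line.strip() == "Result:":   # bare "Result:" opens the closing summary block
            cur, section = None, "summary"
            continue
        key, colon, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if section == "summary":
            if colon:
                summary[key] = val
            continue
        if cur is None:
            continue
        if colon and key in FIELDS:     # Type / Subtype / Result of this phase
            cur[FIELDS[key]] = val
        elif colon and key in SECTIONS: # Config: / Additional Information:
            section = SECTIONS[key]
        elif section in SECTIONS.values():
            cur[section].append(line.strip())
    return phases, summary


def diagnose_port_owner(trace):
    """Return (verdict, evidence) for the traced IP:port.

    "static-pat": an existing NAT/UN-NAT rule claims it; evidence is the rule's Config text.
    "to-the-box": the ASA terminates the flow itself (WebVPN, ASDM, SSH ...), which is what
                  `output-interface: NP Identity Ifc` means; evidence names the intercept phase.
    "dropped":    the trace ends in a drop; evidence is the Drop-reason when present.
    "forwarded":  nothing claims the port; evidence is the egress interface.
    """
    phases, summary = parse_trace(trace)
    for p in phases:
        if p["type"] in ("NAT", "UN-NAT") and p["result"] == "ALLOW":
            return "static-pat", " | ".join(p["config"])
    if summary.get("output-interface") == "NP Identity Ifc":
        hits = [f"phase {p['phase']} {p['type']}" for p in phases
                if p["type"] == "MGMT-TCP-INTERCEPT"]
        return "to-the-box", ", ".join(hits) or "no intercept phase listed"
    if summary.get("Action") == "drop":
        return "dropped", summary.get("Drop-reason", "")
    return "forwarded", summary.get("output-interface", "")


if __name__ == "__main__":
    for name, trace in (("WebVPN on 443", TRACE_TO_THE_BOX), ("PAT on 443", TRACE_STATIC_PAT)):
        print(name, "->", diagnose_port_owner(trace))
```

Paste the real trace into `parse_trace` and the verdict tells you where to look: a `to-the-box` result means the listener is in the ASA's own configuration (`show run webvpn`, `show run http`, `show run ssh`; `show asp table socket` lists every socket the box itself has open), while a `static-pat` result points at the NAT rule to remove or change.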
 

Author Comment

by:fisher_king
ID: 39267021
I figured that out also. Thanks