Solved

What is wrong with this ASA 5505 route statement?

Posted on 2015-01-14
Last Modified: 2015-01-19
I am trying to allow outside access to a piece of equipment behind our ASA 5505. The equipment has an internal IP like 10.x.x.x. I have placed the following in the ASA but it does not appear to work correctly. I am checking by Telnet to the public IP and port number (10001).

(x.x.x.x) is a static public address

name 10.0.x.x VEEDER
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list outside_access_in extended permit tcp any host x.x.x.x eq https
access-list outside_access_in extended permit tcp any host x.x.x.x eq 10001
access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh
access-list outside_access_in extended permit udp any host x.x.x.x eq 10001
access-list outside_cryptomap extended permit ip 10.x.x.x 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface www VEEDER www netmask 255.255.255.255
static (inside,outside) tcp interface https VEEDER https netmask 255.255.255.255
static (inside,outside) tcp interface ssh VEEDER ssh netmask 255.255.255.255
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
static (inside,outside) udp interface 10001 VEEDER 10001 netmask 255.255.255.255

Thanks for any help, and let me know if you need more info. I am somewhat good at inputting these statements; I just don't thoroughly understand what they mean.

Chris
Question by: lilthrift

12 Comments

Expert Comment by: max_the_king (ID: 40550783)
Hi,
you need to check two things:

1. The VEEDER server has the ASA IP as its default gateway.
2. I don't know if you just forgot to post the following statement, but it is really necessary:
access-group outside_access_in in interface outside

Besides, make sure that when you telnet (FROM INTERNET, not local LAN!) to the public IP on the desired port, you have free access to the internet, e.g. not filtered by any firewall or proxy.

hope this helps
max

Expert Comment by: Jan Springer (ID: 40551272)
What version of OS on the ASA are you running?

And are the "x.x.x.x" in the access list VEEDER?

Author Comment by: lilthrift (ID: 40551398)
Max,

Tried the access-group outside_access_in in interface outside and it still won't allow telnet in. I am telnetting from an outside internet connection, not on the LAN.

Jan,

Ver 8.0.3, and the x.x.x.x in the access list is our public static IP, not the internal private IP assigned to the device (which is 10.0.43.225).

Thanks for the suggestions. Maybe there is an easier way to make this connection that I am unaware of. I am not schooled in Cisco programming just trying something a friend recommended.

Author Comment by: lilthrift (ID: 40551408)
Basically I need a statement that does this:

Allow outside access to hit a device plugged into the Cisco ASA with a private IP assigned to it. The outside connection would put in X.X.X.X:10001 (static public IP), then it would hit our ASA and route it to the private assigned IP.

I could be making this more complicated than it needs to be with my route statements above.

Thank you!

Expert Comment by: max_the_king (ID: 40551461)
Hi,
of course you're trying to telnet the public IP from outside ...

telnet <public_ip> 10001

and of course your host is responding on that port (you can try, from inside, telnet <private_ip> 10001)

max

Author Comment by: lilthrift (ID: 40551480)
Max,

I can telnet from inside to the <private IP> 10001 with no problems but can't from outside.

Expert Comment by: Jan Springer (ID: 40551528)
When you attempt an outside telnet, pull the log data for both the inside and outside IP for that port number and post the log data, please.

Author Comment by: lilthrift (ID: 40551552)
Thanks Jan but I don't know how to do that. Can you post how and I would be glad to try?

Thank you!

Author Comment by: lilthrift (ID: 40551561)
A user in the Cisco forum asked that I post a packet trace so this may help show the traffic.

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255

  match tcp inside host VEEDER eq 10001 outside any
    static translation to X.X.X.X/10001
    translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface inside
Untranslate X.X.X.X/10001 to VEEDER/10001 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host X.X.X.X eq 10001

Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255

  match tcp inside host VEEDER eq 10001 outside any
    static translation to X.X.X.X/10001
    translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface www VEEDER www netmask 255.255.255.255
  match tcp inside host VEEDER eq 80 outside any
    static translation to X.X.X.X/80
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 46155, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Accepted Solution by: max_the_king (earned 500 total points, ID: 40551565)
ok,
did you set a default gateway for the ASA?
route outside 0.0.0.0 0.0.0.0 <IP_OF_YOUR_ROUTER>

it is fairly simple; let's do it from scratch, assuming the interface has IP 1.2.3.4 and the private IP is 10.0.0.1, named VEEDER:

static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
static (inside,outside) tcp interface 80 VEEDER 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 VEEDER 443 netmask 255.255.255.255

name 10.0.0.1 VEEDER

access-list outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 10001

access-group outside_access_in in interface outside

now just try and telnet 1.2.3.4 from outside:
telnet 1.2.3.4 10001
and then as well try to open webpage from browser http://1.2.3.4

max

Author Comment by: lilthrift (ID: 40551883)
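The pairing the experts keep asking the poster to verify (every static port forward needs a matching permit, in an ACL that is actually bound with access-group) can be checked mechanically before reaching for packet-tracer. The Python below is an added example, not code from the thread or from Cisco; it assumes the 8.0-style `static`/`access-list`/`access-group` syntax posted above and runs over a constructed sample config with two deliberate defects.

```python
import re

# Service names the ASA accepts in place of port numbers (subset used here).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def port(token):
    """Resolve '443' or 'https' to an integer port; None if the name is unknown."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)

def check_port_forwards(config):
    """Cross-check 8.0-style 'static' port forwards against the outside ACL:
    statics with no permit, permits never bound with access-group, and
    permit lines that did not parse (a typo there is silently a missing permit)."""
    statics, permits, bound, findings = [], {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append((m[1], port(m[2]), m[3]))  # proto, public port, real host
        elif m := ACL_RE.match(line):
            permits.setdefault((m[2], port(m[4])), set()).add(m[1])  # -> ACL names
        elif m := GROUP_RE.match(line):
            bound.add(m[1])
        elif re.match(r"^access-list \S+ extended permit (tcp|udp) ", line):
            findings.append(f"unparsed access-list line: {line}")
    for proto, pport, host in statics:
        acls = permits.get((proto, pport), set())
        if not acls:
            findings.append(f"no ACL permit for {proto}/{pport} -> {host}")
        elif not acls & bound:
            findings.append(f"ACL {sorted(acls)[0]} permits {proto}/{pport} "
                            f"but is not bound with access-group")
    return findings

# Constructed sample, modelled on the thread: the 10001 permit has no space
# after 'host' and the ACL is never applied to the outside interface.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
static (inside,outside) tcp interface 80 VEEDER 80 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_access_in extended permit tcp any host1.2.3.4 eq 10001
"""

if __name__ == "__main__":
    print("\n".join(check_port_forwards(SAMPLE_CONFIG)))
```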
OK, I still get "could not open port on 10001 to connect to site" when using Telnet...
1.2.3.4 is the public static IP at location

This is in the router....

name 10.0.43.225 VEEDER
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside (also have this in there)
route outside 0.0.0.0 0.0.0.0 <gateway> 1 (not IP of router)

static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
static (inside,outside) tcp interface 80 VEEDER 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 VEEDER 443 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 10001

I am grateful for all your suggestions! Maybe we will get it soon. Should I post the whole route statement?

Expert Comment by: Jan Springer (ID: 40551889)
Your packet-tracer shows it going across the VPN.

I would not expect to see that.
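Reading the packet-tracer dump by hand is how Jan spotted the VPN phase. The Python below is an added example, not from the thread or from Cisco: it parses the phases and pulls out what a defender checks first (the final action, any DROP phase, the ACL line that matched, and whether a VPN phase touched the flow, to compare against the crypto-map ACL). It assumes the phase layout shown in the posted trace and runs on a constructed, abbreviated sample.

```python
def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final Action."""
    phases, current, section, action = [], None, None, None
    for raw in text.splitlines():
        key, _, value = (s.strip() for s in raw.strip().partition(":"))
        if key == "Phase":
            current = {"type": "", "subtype": "", "result": "", "config": []}
            phases.append(current)
        elif key == "Action":
            action = value
        elif current is None:
            continue
        elif key == "Result" and not value:
            current = None  # a bare 'Result:' opens the trailing summary block
        elif key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value
        elif key in ("Config", "Additional Information"):
            section = key
        elif section == "Config" and key:
            current["config"].append(raw.strip())  # NAT/ACL lines the phase matched
    return phases, action

def review_trace(text):
    """What to read first: the verdict, any DROP phase, the ACL line that
    matched, and whether a VPN (crypto map) phase was applied to the flow."""
    phases, action = parse_packet_tracer(text)
    acl = next((p["config"] for p in phases if p["type"] == "ACCESS-LIST"), [])
    return {
        "action": action,
        "drop_phases": [p["type"] for p in phases if p["result"] == "DROP"],
        "acl_matched": [c for c in acl if c.startswith("access-list")],
        "vpn_phase": any(p["type"] == "VPN" for p in phases),
    }

# Constructed sample, abbreviated from the shape of the trace posted above.
SAMPLE_TRACE = """Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 10001
Additional Information:

Phase: 2
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Result:
Action: allow
"""
```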