Solved

What is wrong with this ASA 5505 route statement?

Posted on 2015-01-14
Last Modified: 2015-01-19
I am trying to allow outside access to a piece of equipment behind our ASA 5505. The equipment has an internal IP like 10.x.x.x. I have placed the following in the ASA but it does not appear to work correctly. I am checking by Telnet to the public IP and port number (10001).

(x.x.x.x) is a static public address

name 10.0.x.x VEEDER
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list outside_access_in extended permit tcp any host x.x.x.x eq https
access-list outside_access_in extended permit tcp any host x.x.x.x eq 10001
access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh
access-list outside_access_in extended permit udp any host x.x.x.x eq 10001
access-list outside_cryptomap extended permit ip 10.x.x.x 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface www VEEDER www netmask 255.255.255.255
static (inside,outside) tcp interface https VEEDER https netmask 255.255.255.255
static (inside,outside) tcp interface ssh VEEDER ssh netmask 255.255.255.255
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
static (inside,outside) udp interface 10001 VEEDER 10001 netmask 255.255.255.255

Thanks for any help and let me know if you need more info. I am somewhat good at inputting these statements, I just don't thoroughly understand what they mean.

Chris
0
Question by:lilthrift
12 Comments
 
LVL 15

Expert Comment

by:max_the_king
ID: 40550783
Hi,
you need to check 2 things:

1. the VEEDER server has the ASA IP as default gateway.
2. I don't know if you just forgot to post the following statement, but it is really necessary:
access-group outside_access_in in interface outside

Besides, make sure that when you telnet (FROM INTERNET, not local LAN!) to the public IP on the desired port, you have free access to the Internet, i.e. not filtered by any firewall or proxy.

hope this helps
max
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40551272
What version of OS on the ASA are you running?

And are the "x.x.x.x" in the access list VEEDER?
0
 

Author Comment

by:lilthrift
ID: 40551398
Max,

Tried the access-group outside_access_in in interface outside and it still won't allow telnet in. I am telnetting from an outside Internet connection, not on the LAN.

Jan,

Ver 8.0.3, and the x.x.x.x in the access list is our public static IP, not the internal private IP assigned to the device (which is 10.0.43.225).

Thanks for the suggestions. Maybe there is an easier way to make this connection that I am unaware of. I am not schooled in Cisco programming just trying something a friend recommended.
0
 

Author Comment

by:lilthrift
ID: 40551408
Basically I need a statement that does this...

Allow outside access to hit a device plugged into the Cisco ASA with a private IP assigned to it. The outside connection would put in X.X.X.X:10001 (static public IP), then it would hit our ASA and be routed to the private assigned IP.

I could be making this more complicated than it needs to be with my route statements above.

Thank you!
0
 
LVL 15

Expert Comment

by:max_the_king
ID: 40551461
Hi,
of course you're trying to telnet the public IP from outside ...

telnet <public_ip> 10001

and of course your host is responding on that port (you can try, from inside, telnet <private_ip> 10001)

max
0
 

Author Comment

by:lilthrift
ID: 40551480
Max,

I can telnet from inside to the <private IP> 10001 with no problems but can't from outside.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40551528
When you attempt an outside telnet, pull the log data for both the inside and outside IP for that port number and post the log data, please.
0
 

Author Comment

by:lilthrift
ID: 40551552
Thanks Jan but I don't know how to do that. Can you post how and I would be glad to try?

Thank you!
0
 

Author Comment

by:lilthrift
ID: 40551561
A user in the Cisco forum asked that I post a packet trace so this may help show the traffic.

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255

  match tcp inside host VEEDER eq 10001 outside any
    static translation to X.X.X.X/10001
    translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface inside
Untranslate X.X.X.X/10001 to VEEDER/10001 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host X.X.X.X eq 10001

Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255

  match tcp inside host VEEDER eq 10001 outside any
    static translation to X.X.X.X/10001
    translate_hits = 0, untranslate_hits = 4
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface www VEEDER www netmask 255.255.255.255
  match tcp inside host VEEDER eq 80 outside any
    static translation to X.X.X.X/80
    translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 46155, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
0
 
LVL 15

Accepted Solution

by:max_the_king (earned 500 total points)
ID: 40551565
ok,
did you set the default gateway for the ASA?
route outside 0.0.0.0 0.0.0.0 <IP_OF_YOUR_ROUTER>

it is fairly simple, let's do it from scratch, assuming the interface has IP 1.2.3.4 and the private IP is 10.0.0.1, name VEEDER:

static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
static (inside,outside) tcp interface 80 VEEDER 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 VEEDER 443 netmask 255.255.255.255

name 10.0.0.1 VEEDER

access-list outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq 10001

access-group outside_access_in in interface outside

now just try to telnet 1.2.3.4 from outside:
telnet 1.2.3.4 10001
and then also try to open the webpage from a browser: http://1.2.3.4

max
0
 

Author Comment

by:lilthrift
ID: 40551883
OK, I still get "could not open port on 10001 to connect to site" when using Telnet...
1.2.3.4 is the public static IP at the location

This is in the router....

name 10.0.43.225 VEEDER
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside (also have this in there)
route outside 0.0.0.0 0.0.0.0 <gateway> 1 (not IP of router)

static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
static (inside,outside) tcp interface 80 VEEDER 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 VEEDER 443 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 1.2.3.4 eq www
access-list outside_access_in extended permit tcp any host 1.2.3.4 eq https
access-list outside_access_in extended permit tcp any host1.2.3.4 eq 10001

I am grateful for all your suggestions! Maybe we will get it soon. Should I post the whole route statement?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40551889
Your packet-tracer shows it going across the VPN.

I would not expect to see that.
0
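As an added example (not part of the thread), a small Python parser for the ASA packet-tracer output posted above: it lists the phases in the order the ASA evaluated them, reports the final action and drop reason if any, any phase that did not return ALLOW, and any VPN phase of the kind Jan points out. The embedded trace is an abbreviated copy of the one in the thread, with X.X.X.X kept as the poster's placeholder for the public IP.

```python
import re

# Abbreviated copy of the thread's packet-tracer output (X.X.X.X = poster's placeholder public IP).
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Result:
input-interface: outside
output-interface: inside
Action: allow
"""

# First four lines of every phase block: number, type, (possibly empty) subtype, result.
PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\nSubtype:[ \t]*(\S*)\nResult: (\S+)")


def parse_phases(trace):
    """Return one dict per 'Phase:' block, in the order the ASA evaluated them."""
    phases = []
    for block in re.split(r"\n(?=Phase: )", trace):
        m = PHASE_RE.match(block)
        if m:
            phases.append({"phase": int(m.group(1)), "type": m.group(2),
                           "subtype": m.group(3), "result": m.group(4)})
    return phases


def summarize(trace):
    """Final action, phase sequence, non-ALLOW phases, and any VPN phase (unexpected for plain Internet traffic)."""
    phases = parse_phases(trace)
    action = re.search(r"^Action: (\w+)", trace, re.M)
    reason = re.search(r"^Drop-reason: (.+)$", trace, re.M)
    return {
        "action": action.group(1) if action else None,
        "drop_reason": reason.group(1).strip() if reason else None,
        "phase_types": [p["type"] for p in phases],
        "not_allowed": [f"{p['phase']}:{p['type']}" for p in phases if p["result"] != "ALLOW"],
        "vpn_phases": [f"{p['phase']}:{p['subtype']}" for p in phases if p["type"] == "VPN"],
    }
```

Paste the full `packet-tracer` output into `summarize()`; a non-empty `vpn_phases` list on traffic that should never touch the tunnel is the thing to look at first, and `not_allowed` names the phase that dropped the packet when the final action is `drop`.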
