?
Solved

cisco firewall asdm  - need to allow a port on an IP address

Posted on 2015-02-02
6
Medium Priority
?
365 Views
Last Modified: 2015-02-04
Hi there.
I'm using the asdm (version 5) of a Cisco ASA 5520 firewall.
I am trying to allow access from any external IP address to access a server on port 8172.
I already have a NAT rule to translate from external IP address (1.2.3.4) to internal (192.168.1.10) this works fine for accessing port 80 etc from the outside world.
What steps do I need to take as I have tried adding access rules to allow to this port but i still cant telnet there.
Also, do I need to do anything with port forwarding or is this not relevant for the above?
0
Comment
Question by:jamiegf
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 40584608
Kinda depends on whether you're performing Port Address Translation (translating individual ports) or Network Address Translation (translating the IP address, which includes all ports).

If your NAT rules specify port numbers, then you need to add a NAT rule for the new port in addition to editing the ACL.

If your NAT rules only specify IP addresses, then editing the ACL should be enough to allow the traffic.


And make sure that the port is actually active on the server, and is not blocked by a local firewall.  If it's a Windows box, run "netstat -ano | find ":<port>" to see if the server is listening on the correct port.  Then check the Windows firewall.
0
 

Author Comment

by:jamiegf
ID: 40586937
NAT rules only specify IP addresses.

I have tried adding security policies and also editing pre exisiting Service Groups to include my port number but i still cannot telnet to the port.
I have tested the other ports which work and do not work - these are behaving correctly.
I have also tried adding different protocols / ports but anything i add doesnt seem to come into effect .
0
 
LVL 28

Expert Comment

by:asavener
ID: 40587175
Did you check that the port is open on the server?
0
Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

 

Author Comment

by:jamiegf
ID: 40588172
Hi Asavener. Yes, i forgot to mention that. Windows firewall is turned off.
0
 
LVL 28

Accepted Solution

by:
asavener earned 2000 total points
ID: 40588546
Can you successfully telnet to the port when you're inside the network?



Suggest the next step is to use the packet tracer feature in ASDM to simulate the traffic.  The ASA will test the traffic against all of its rules and tell you whether it will pass the traffic or deny it.
0
 

Author Closing Comment

by:jamiegf
ID: 40588811
"Can you successfully telnet to the port when you're inside the network?"
No - i couldnt, which told me the app is not working as it should.

I set up a website and gave it port 8172 to test my firewall rules; it works fine.

Thanks for your help Asavener :)
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses
Course of the Month10 days, 16 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question