lappladmin asked:

How do I configure the Cisco ASA 5505 to allow access to a host on a network?

Hello Experts,

Our company just fired the I.T. guy who handled this request, and I have been tasked with enabling or creating an access rule that will allow one of our contracted air-conditioning guys to use something called the LonWorks interface tool to tunnel through our firewall and access the Echelon AC system internet server that is connected to our network.

Our goal is to allow him to connect from outside to our network and ultimately reach the destination device. I've created access rules on the firewall to permit traffic from the outside (see pic 1).

I'm just about to scratch my hair off but unable to figure it out. Any help would be greatly appreciated.
Jan Bacher:

You most likely have an access list applied to the outside interface.

You need to know the IP or IPs of the machines on the inside that he needs to access and the destination TCP port.

You also need to know whether you're running 8.2 or earlier, or 8.3 or later.

! find the access-list applied to the outside interface
sh run | i access-group

! display that access list
sh run | i access-list NAME

where NAME = the access-list name
lappladmin:

Hi Jan,

Thank you for the quick response! I do know the IP of the machine and the TCP port for the tool they are going to use. We are currently running ASA version 8.4(7)26. I am not too familiar with the Cisco CLI. Is there a GUI instruction I can follow to see that?
Jan Bacher:
You can use ASDM to update that access list. I'm not of much help here since I don't use it. If you need, I can find out, though.
lappladmin:
Me neither; I am not too familiar with this device, and a little bit worried about poking another hole in the firewall. Could you please find out and let me know? Thanks!
Jan Bacher:
What is the name of the outside access list?

Here is the document you need:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112925-acl-asdm-00.html

You'll use the outside access list, define the source (the IP or IPs of those allowed to reach your internal host or hosts), specify the TCP port, and use the *internal* IP as the destination. This is where 8.4 departs from 8.2 and prior in how the access lists are handled with regard to NATted hosts.
lappladmin:
Jan,

Thanks for the instructions. I was able to create the access list, but when I use Packet Tracer I get a NAT error. Can you tell me what this means and how I resolve it?

[attachment: Untitled-1.jpg]
Jan Bacher:
It looks like your outside access list is not letting the packets in.

Can you do a:

sh run nat
sh run | i access-list
lappladmin:
Result of the command: "sh run nat"

!
object network obj-192.168.1.2-01
 nat (inside,outside) static 66.96.160.149
object network obj_any-02
 nat (inside,outside) dynamic interface
object network obj_any-03
 nat (DMZ,outside) dynamic 66.96.160.149



Result of the command: "sh run | i access-list"

access-list LAPPL_splitTunnelAcl standard deny host 223.255.131.50
access-list LAPPL_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list LAPPLVPN_splitTunnelAcl standard deny host 223.255.131.50
access-list LAPPLVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VPN_Filter extended deny ip any host 192.168.1.11
access-list VPN_Filter extended permit ip any any
access-list LAPPLDMZ_splitTunnelAcl standard deny host 223.255.131.50
access-list LAPPLDMZ_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list LAPPLDMZ_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended deny ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any host 192.168.1.21
access-list outside_access_in extended permit tcp any host 192.168.1.2 object-group MAIL-SERVER
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
access-list acl-conn-param-tcp-01 extended permit tcp host 192.168.1.2 any inactive
access-list DMZ_access_out extended deny ip any 192.168.1.0 255.255.255.0
 match access-list acl-conn-param-tcp-01
Jan Bacher:
This is contradictory:
  access-list DMZ_access_in extended permit ip any any
  access-list DMZ_access_in extended deny ip 192.168.1.0 255.255.255.0 any

But both access lists allow the incoming and return traffic.

Have your remote user test a connection while you're monitoring the logs, and do a "show log | i 192.168.1.21".

Also do a packet-tracer and post the results:

   packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 80 detail
lappladmin:
Just a recap: port 1628 is what the tool uses to connect to the host 192.168.1.21. I've tried port 80 as well, with the same result.

[attachment: Untitled2.jpg]
Jan Bacher:
packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 detail

Would you please post the results?

Also, do you see the connection being Built or Deny in the logs?
lappladmin:
5|Mar 31 2015|12:04:36|111010|||||User 'fwadmin', running 'N/A' from IP 192.168.1.50, executed 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml'
5|Mar 31 2015|12:04:36|111010|||||User 'fwadmin', running 'N/A' from IP 192.168.1.50, executed 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml'
5|Mar 31 2015|12:04:36|111008|||||User 'fwadmin' executed the 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml' command.
5|Mar 31 2015|12:04:36|111008|||||User 'fwadmin' executed the 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml' command.
5|Mar 31 2015|12:04:36|305013|166.170.5.28|65535|192.168.1.21|1628|Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:166.170.5.28/65535 dst inside:192.168.1.21/1628 denied due to NAT reverse path failure
5|Mar 31 2015|12:04:36|305013|166.170.5.28|65535|192.168.1.21|1628|Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:166.170.5.28/65535 dst inside:192.168.1.21/1628 denied due to NAT reverse path failure
5|Mar 31 2015|12:04:36|111007|||||Begin configuration: 192.168.1.50 reading from http [POST]
5|Mar 31 2015|12:04:36|111007|||||Begin configuration: 192.168.1.50 reading from http [POST]
Jan Bacher:
Why do you have the same static IP listed for an inside and DMZ interface: 66.96.160.149?
lappladmin:
I apologize for the typo. It should be 66.96.160.149 and 66.96.160.148. These are my public ISP IP addresses.
Jan Bacher:
*** This is if 66.96.160.149 is _not_ your outside IP address, or you do want 1:1 NAT.

object network obj-192.168.1.2
 host 192.168.1.2
 nat (inside,outside) static 66.96.160.149

object network obj-66.96.160.149
 host 66.96.160.149
 nat (outside,inside) static 192.168.1.2
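The log line the asker posted (305013, "Asymmetric NAT rules matched for forward and reverse flows ... NAT reverse path failure") is the ASA saying that the inbound packet to 192.168.1.21 matched no NAT rule on the way in, while the return flow from 192.168.1.21 would match the `nat (inside,outside) dynamic interface` PAT rule. On 8.3 and later the outside ACL names the real (inside) address, as Jan said, but an ACL entry alone does nothing for a host that has no static NAT mapping an outside address onto it. The script below is an added example, not code from the thread or from Cisco: it walks the posted `sh run nat` and `sh run | i access-list` output, finds the access list bound inbound on `outside` (the `access-group` line, the objects' `host`/`subnet` lines, and the binding itself are constructed here, since `sh run nat` does not print them), flags permit entries whose destination has no static NAT covering it, flags `permit ip` entries as wider than the tool needs, and generates the object-NAT port forward plus a single-source ACL line that would fix 192.168.1.21. It assumes the contractor connects from 166.170.5.28 (the source the asker used in packet-tracer) and that the outside interface IP is the public address to forward on.

```python
import ipaddress
import re

# Posted 'sh run nat' / 'sh run | i access-list' output from the thread, plus
# constructed lines it never showed: the access-group binding and the objects'
# host/subnet definitions (assumed from the object names).
CONFIG = """\
access-group outside_access_in in interface outside
object network obj-192.168.1.2-01
 host 192.168.1.2
 nat (inside,outside) static 66.96.160.149
object network obj_any-02
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
object network obj_any-03
 subnet 0.0.0.0 0.0.0.0
 nat (DMZ,outside) dynamic 66.96.160.149
access-list outside_access_in extended permit ip any host 192.168.1.21
access-list outside_access_in extended permit tcp any host 192.168.1.2 object-group MAIL-SERVER
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
"""

ACL_RE = re.compile(
    r"access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?P<rest>.*)$"
)


def to_net(tok):
    """ACL address token ('any', 'host X', 'NET MASK') -> ip_network."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    w = tok.split()
    return ipaddress.ip_network(w[1] if w[0] == "host" else f"{w[0]}/{w[1]}")


def parse_objects(cfg):
    """{name: {'net': ip_network, 'nat': words after 'nat'}} per 'object network'."""
    objects, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            name = line.split()[2]
            objects[name] = {"net": None, "nat": None}
        elif name and line.startswith(" "):
            w = line.split()
            if w[0] in ("host", "subnet"):
                objects[name]["net"] = ipaddress.ip_network("/".join(w[1:]))
            elif w[0] == "nat":
                objects[name]["nat"] = w[1:]  # ['(inside,outside)', 'static', '66.96.160.149']
        else:
            name = None
    return objects


def has_static_nat_to_outside(objects, addr):
    """True if a static NAT whose mapped interface is 'outside' covers the real address."""
    for obj in objects.values():
        nat, net = obj["nat"], obj["net"]
        if not nat or net is None or nat[1] != "static":
            continue
        if nat[0].strip("()").split(",")[1] == "outside" and addr in net:
            return True
    return False


def analyze(cfg):
    """[(acl_line, problem)] for permit entries of the ACL applied inbound on outside."""
    m = re.search(r"^access-group (\S+) in interface outside$", cfg, re.M)
    if not m:
        return [("(none)", "no access-group applied inbound on outside")]
    acl, objects, findings = m.group(1), parse_objects(cfg), []
    for line in cfg.splitlines():
        e = ACL_RE.match(line)
        if not e or e["name"] != acl or e["action"] != "permit":
            continue
        dst = to_net(e["dst"])
        # 8.3+ ACLs name the real address; inbound traffic only reaches it through a
        # static NAT. Otherwise the reverse flow matches the dynamic PAT rule instead
        # and the ASA logs 305013 "NAT reverse path failure". Assumes private hosts.
        if dst.prefixlen == 32 and not has_static_nat_to_outside(objects, dst.network_address):
            findings.append((line, "no static NAT to outside covers the destination"))
        if e["proto"] == "ip":
            findings.append((line, "permits every IP protocol; restrict to tcp and the tool's port"))
    return findings


def port_forward(real_ip, port, allowed_src, acl="outside_access_in"):
    """ASA 8.3+ object NAT forwarding tcp/<port> on the outside interface IP to
    real_ip, plus a least-privilege ACL line for one allowed source address."""
    return [
        f"object network obj-{real_ip}-tcp{port}",
        f" host {real_ip}",
        f" nat (inside,outside) static interface service tcp {port} {port}",
        f"access-list {acl} extended permit tcp host {allowed_src} host {real_ip} eq {port}",
    ]


if __name__ == "__main__":
    for line, problem in analyze(CONFIG):
        print(f"{problem}:\n    {line}")
    # 166.170.5.28 is assumed to be the contractor's address (from the packet-tracer test).
    print("\n".join(port_forward("192.168.1.21", 1628, "166.170.5.28")))
```

After applying the generated lines, re-run packet-tracer with the outside interface address as the destination rather than 192.168.1.21 (on 8.3+ the packet arriving from the internet carries the mapped address, and packet-tracer must see it that way too), and confirm the translation is hit with `show nat detail`. Keeping the source restricted to the contractor's address, and the rule to tcp/1628 only, is what keeps this from becoming the "another hole in the firewall" the asker was worried about.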
Accepted solution (lappladmin):

I was able to figure it out.