
How do I configure the Cisco ASA 5505 to allow access to a host on a network?

lappladmin asked:
Hello Experts,

Our company just fired the I.T. guy who handled this request, and I have been tasked with enabling or creating an access rule that will allow one of our contracted air conditioning guys to use something called the LonWorks interface tool to tunnel into our firewall to access the Echelon AC system internet server that is connected to our network.

Our goal is to allow him to connect from outside to our network, which will ultimately reach the destination device. I've created access rules on the firewall to permit traffic from the outside (see pic 1).

I'm just about to scratch my hair off but unable to figure it out. Any help would be greatly appreciated.

Most Valuable Expert 2015

Commented:
You most likely have an access list applied to the outside interface.

You need to know the IP or IPs of the machines on the inside that he needs to access and the destination TCP port.

You also need to know whether you're running 8.2 or earlier or 8.3 or later.

! find the access-list applied to the outside interface
sh run | i access-group

! display that access list
sh run | i access-list NAME

where NAME = the access-list name

Author

Commented:
Hi Jan,

Thank you for the quick response! I do know the IP of the machine and the TCP port for the tool that they are going to use. We are currently running ASA version 8.4(7)26. I am not too familiar with the Cisco CLI. Are there GUI instructions I can follow to see that?
Most Valuable Expert 2015

Commented:
You can use ASDM to update that access-list. I'm not of much help here since I don't use it. If you need, I can find out, though.

Author

Commented:
Me neither; I am not too familiar with this device and am a little bit worried about poking another hole in the firewall. Could you please find out and let me know? Thanks!
Most Valuable Expert 2015

Commented:
What is the name of the outside access list?
Most Valuable Expert 2015

Commented:
Here is the document you need:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112925-acl-asdm-00.html

You'll use the outside access list, define the source (IP or IPs of those allowed to reach your internal host or hosts), specify the TCP port and use the *internal* IP as the destination. This is where 8.4 departs from 8.2 and prior in how the access-lists are handled with regard to the NATted hosts.

Author

Commented:
Jan,

Thanks for the instructions; I was able to create the access list, but upon using Packet Tracer I get a NAT error. Can you tell me what this means and how I resolve it?

[attachment: Untitled-1.jpg]
Most Valuable Expert 2015

Commented:
It looks like your outside access-list is not letting the packets in.

Can you do a:

sh run nat
sh run | i access-list

Author

Commented:
Result of the command: "sh run nat"

!
object network obj-192.168.1.2-01
 nat (inside,outside) static 66.96.160.149
object network obj_any-02
 nat (inside,outside) dynamic interface
object network obj_any-03
 nat (DMZ,outside) dynamic 66.96.160.149



Result of the command: "sh run | i access-list"

access-list LAPPL_splitTunnelAcl standard deny host 223.255.131.50
access-list LAPPL_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list LAPPLVPN_splitTunnelAcl standard deny host 223.255.131.50
access-list LAPPLVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VPN_Filter extended deny ip any host 192.168.1.11
access-list VPN_Filter extended permit ip any any
access-list LAPPLDMZ_splitTunnelAcl standard deny host 223.255.131.50
access-list LAPPLDMZ_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list LAPPLDMZ_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended deny ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any host 192.168.1.21
access-list outside_access_in extended permit tcp any host 192.168.1.2 object-group MAIL-SERVER
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
access-list acl-conn-param-tcp-01 extended permit tcp host 192.168.1.2 any inactive
access-list DMZ_access_out extended deny ip any 192.168.1.0 255.255.255.0
 match access-list acl-conn-param-tcp-01
Most Valuable Expert 2015

Commented:
This is contradictory:
  access-list DMZ_access_in extended permit ip any any
  access-list DMZ_access_in extended deny ip 192.168.1.0 255.255.255.0 any

But, both access lists allow the incoming and return traffic.

Have your remote test a connection while you're monitoring logs and do a "show log | i 192.168.1.21"

Also do a packet-tracer and post the results:

   packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 80 detail

Author

Commented:
Just a recap: port 1628 is what the tool uses to connect to the host 192.168.1.21. I've tried port 80 as well, same result.

[attachment: Untitled2.jpg]
Most Valuable Expert 2015

Commented:
packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 detail

Would you please post the results?

Also, do you see the connection being Built or Deny in the logs?

Author

Commented:
5|Mar 31 2015|12:04:36|111010|||||User 'fwadmin', running 'N/A' from IP 192.168.1.50, executed 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml'
5|Mar 31 2015|12:04:36|111010|||||User 'fwadmin', running 'N/A' from IP 192.168.1.50, executed 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml'
5|Mar 31 2015|12:04:36|111008|||||User 'fwadmin' executed the 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml' command.
5|Mar 31 2015|12:04:36|111008|||||User 'fwadmin' executed the 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml' command.
5|Mar 31 2015|12:04:36|305013|166.170.5.28|65535|192.168.1.21|1628|Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:166.170.5.28/65535 dst inside:192.168.1.21/1628 denied due to NAT reverse path failure
5|Mar 31 2015|12:04:36|305013|166.170.5.28|65535|192.168.1.21|1628|Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:166.170.5.28/65535 dst inside:192.168.1.21/1628 denied due to NAT reverse path failure
5|Mar 31 2015|12:04:36|111007|||||Begin configuration: 192.168.1.50 reading from http [POST]
5|Mar 31 2015|12:04:36|111007|||||Begin configuration: 192.168.1.50 reading from http [POST]
Most Valuable Expert 2015

Commented:
Why do you have the same static IP listed for an inside and DMZ interface: 66.96.160.149?

Author

Commented:
I apologize for the typo. It should be 66.96.160.149 and 66.96.160.148. These are my public ISP IP addresses.
Most Valuable Expert 2015

Commented:
*** This is if 66.96.160.149 is _not_ your outside IP address or you do want 1:1 NAT.

object network obj-192.168.1.2
 host 192.168.1.2
 nat (inside,outside) static 66.96.160.149

object network obj-66.96.160.149
 host 66.96.160.149
 nat (outside,inside) static 192.168.1.2
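A complete configuration for the access this thread is after, as an added example that is not part of the expert's answer or of Cisco's documentation. It assumes 8.4 syntax (the version the author reported), so the ACL references the real inside address; that 166.170.5.28, the source used in the packet-tracer runs earlier, is the contractor's fixed public address; that 66.96.160.148, the second public address the author listed, is unused and is not the outside interface IP; and that outside_access_in is the list already applied on the outside interface. The object names are made up here. Giving 192.168.1.21 its own static NAT supplies the matching reverse translation that the 305013 "NAT reverse path failure" message says is missing, and the rule permits only the one source and the one port instead of the existing `permit ip any host 192.168.1.21` line.

```cisco
! Added example, not from the original thread. ASA 8.4: ACLs use the real (inside) address.
! 1:1 NAT for the AC server; 66.96.160.148 is assumed to be a free public address.
object network obj-192.168.1.21
 host 192.168.1.21
 nat (inside,outside) static 66.96.160.148
!
! Contractor's workstation; 166.170.5.28 is assumed to be his static public IP.
object network contractor-lonworks
 host 166.170.5.28
!
! Only TCP 1628 from that one host to the real inside address.
access-list outside_access_in extended permit tcp object contractor-lonworks object obj-192.168.1.21 eq 1628
!
! Once the narrow rule is confirmed working, retire the broad one from the listing.
no access-list outside_access_in extended permit ip any host 192.168.1.21
!
! Only needed if "show run access-group" does not already show this line.
access-group outside_access_in in interface outside
!
! Test with the packet as it arrives on the wire: destination is the mapped public address.
packet-tracer input outside tcp 166.170.5.28 65535 66.96.160.148 1628 detail
!
! While the contractor tests, watch for 302013 (Built inbound TCP) or 106023 (Deny by access-group).
show logging | include 192.168.1.21
```

The contractor points the LonWorks tool at 66.96.160.148; the ASA untranslates that to 192.168.1.21 before the ACL is evaluated, which is why the rule names the inside object rather than the public address.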

Author

Commented:
Thanks for the effort but I was able to figure it out.

Author

Commented:
I was able to figure it out.