How do I configure the Cisco ASA 5505 to allow access to a host on a network?

Hello Experts,

Our company just fired the IT guy who handled these requests, and I have been tasked with enabling or creating an access rule that will allow one of our contracted air-conditioning guys to use something called the LonWorks interface tool to tunnel into our firewall and access the Echelon AC system internet server that is connected to our network.

Our goal is to allow him to connect from outside to our network and ultimately reach the destination device. I've created access rules on the firewall to permit traffic from the outside (see pic 1).

I'm just about ready to tear my hair out but unable to figure it out. Any help would be greatly appreciated.
lappladmin asked:

Jan Springer commented:
You most likely have an access list applied to the outside interface.

You need to know the IP or IPs of the machines on the inside that he needs to access and the destination TCP port.

You also need to know whether you're running 8.2 or earlier or 8.3 or later.

! find the access-list applied to the outside interface
sh run | i access-group

! display that access list
sh run | i access-list NAME

where NAME = the access-list name
lappladmin (Author) commented:
Hi Jan,

Thank you for the quick response! I do know the IP of the machine and the TCP port for the tool that they are going to use. We are currently running ASA version 8.4(7)26. I am not too familiar with the Cisco CLI. Are there GUI instructions I can follow to see that?
Jan Springer commented:
You can use ASDM to update that access list. I'm not of much help here since I don't use it. If you need, I can find out, though.
lappladmin (Author) commented:
Me neither; I am not too familiar with this device and am a little bit worried about poking another hole in the firewall. Could you please find out and let me know? Thanks!
Jan Springer commented:
What is the name of the outside access list?
Jan Springer commented:
Here is the document you need:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112925-acl-asdm-00.html

You'll use the outside access list, define the source (the IP or IPs of those allowed to reach your internal host or hosts), specify the TCP port and use the *internal* IP as the destination. This is where 8.4 departs from 8.2 and prior in how the access lists are handled with regard to the NATted hosts.
lappladmin (Author) commented:
Jan,

Thanks for the instructions; I was able to create the access list, but upon using Packet Tracer I get a NAT error. Can you tell me what this means and how I resolve it?
[attachment: Untitled-1.jpg]
Jan Springer commented:
It looks like your outside access list is not letting the packets in.

Can you do a:

sh run nat
sh run | i access-list
lappladmin (Author) commented:
Result of the command: "sh run nat"

!
object network obj-192.168.1.2-01
 nat (inside,outside) static 66.96.160.149
object network obj_any-02
 nat (inside,outside) dynamic interface
object network obj_any-03
 nat (DMZ,outside) dynamic 66.96.160.149



Result of the command: "sh run | i access-list"

access-list LAPPL_splitTunnelAcl standard deny host 223.255.131.50
access-list LAPPL_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list LAPPLVPN_splitTunnelAcl standard deny host 223.255.131.50
access-list LAPPLVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VPN_Filter extended deny ip any host 192.168.1.11
access-list VPN_Filter extended permit ip any any
access-list LAPPLDMZ_splitTunnelAcl standard deny host 223.255.131.50
access-list LAPPLDMZ_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list LAPPLDMZ_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended deny ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any host 192.168.1.21
access-list outside_access_in extended permit tcp any host 192.168.1.2 object-group MAIL-SERVER
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
access-list acl-conn-param-tcp-01 extended permit tcp host 192.168.1.2 any inactive
access-list DMZ_access_out extended deny ip any 192.168.1.0 255.255.255.0
 match access-list acl-conn-param-tcp-01
Jan Springer commented:
This is contradictory:
  access-list DMZ_access_in extended permit ip any any
  access-list DMZ_access_in extended deny ip 192.168.1.0 255.255.255.0 any

But both access lists allow the incoming and return traffic.

Have your remote test a connection while you're monitoring logs and do a "show log | i 192.168.1.21"

Also do a packet-tracer and post the results:

   packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 80 detail
lappladmin (Author) commented:
Just a recap: port 1628 is what the tool uses to connect to the host 192.168.1.21. I've tried port 80 as well, same result.
[attachment: Untitled2.jpg]
Jan Springer commented:
packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 detail

Would you please post the results?

Also, do you see the connection being Built or Deny in the logs?
lappladmin (Author) commented:
5|Mar 31 2015|12:04:36|111010|||||User 'fwadmin', running 'N/A' from IP 192.168.1.50, executed 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml'
5|Mar 31 2015|12:04:36|111010|||||User 'fwadmin', running 'N/A' from IP 192.168.1.50, executed 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml'
5|Mar 31 2015|12:04:36|111008|||||User 'fwadmin' executed the 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml' command.
5|Mar 31 2015|12:04:36|111008|||||User 'fwadmin' executed the 'packet-tracer input outside tcp 166.170.5.28 65535 192.168.1.21 1628 xml' command.
5|Mar 31 2015|12:04:36|305013|166.170.5.28|65535|192.168.1.21|1628|Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:166.170.5.28/65535 dst inside:192.168.1.21/1628 denied due to NAT reverse path failure
5|Mar 31 2015|12:04:36|305013|166.170.5.28|65535|192.168.1.21|1628|Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:166.170.5.28/65535 dst inside:192.168.1.21/1628 denied due to NAT reverse path failure
5|Mar 31 2015|12:04:36|111007|||||Begin configuration: 192.168.1.50 reading from http [POST]
5|Mar 31 2015|12:04:36|111007|||||Begin configuration: 192.168.1.50 reading from http [POST]
Jan Springer commented:
Why do you have the same static IP listed for an inside and DMZ interface: 66.96.160.149?
lappladmin (Author) commented:
I apologize for the typo. It should be 66.96.160.149 and 66.96.160.148. These are my public ISP IP addresses.
Jan Springer commented:
*** This is if 66.96.160.149 is _not_ your outside IP address or you do want 1:1 NAT.

object network obj-192.168.1.2
 host 192.168.1.2
 nat (inside,outside) static 66.96.160.149

object network obj-66.96.160.149
 host 66.96.160.149
 nat (outside,inside) static 192.168.1.2
lappladmin (Author) commented:
Thanks for the effort but I was able to figure it out.
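The thread ends without the working configuration, so here is an added worked example (written for this page, not code from the thread or from Cisco) that applies the 8.3+ model Jan describes to the host in question: a static port-forward so that TCP/1628 arriving on the outside interface address is un-NATed to 192.168.1.21, an outside ACL entry written against the real (inside) address and limited to the contractor's source, and a packet-tracer run against the mapped address. It assumes the contractor connects from 166.170.5.28 (the source used in the thread's packet-tracer), that the object name obj-192.168.1.21 is unused, that outside_access_in is the list bound inbound on outside, and OUTSIDE_IF_IP stands for the firewall's outside interface address, which the thread never gives. In the posted "sh run nat" there is no rule that matches a flow from outside to 192.168.1.21, while the return flow from 192.168.1.21 matches the obj_any-02 dynamic interface PAT; that mismatch is what the 305013 "NAT reverse path failure" message in the posted log reports, and a static object NAT for the host gives both directions the same rule.

```cisco
! Added example for ASA 8.4, not part of the original thread.
! Assumed: contractor source 166.170.5.28, object name obj-192.168.1.21,
! ACL outside_access_in bound on outside, OUTSIDE_IF_IP = outside interface address.

! 1. Static port-forward on the outside interface address. Inbound TCP/1628 to the
!    outside IP is translated to 192.168.1.21; the same rule covers the return flow,
!    so forward and reverse no longer hit different NAT rules (the 305013 cause).
!    This coexists with the existing obj_any-02 dynamic interface PAT.
object network obj-192.168.1.21
 host 192.168.1.21
 description Echelon AC server reached by the LonWorks tool on TCP 1628
 nat (inside,outside) static interface service tcp 1628 1628

! 2. Outside ACL entry. On 8.3+ the destination is the REAL (inside) address.
!    Restrict the source to the contractor and the port to 1628 instead of "ip any".
access-list outside_access_in extended permit tcp host 166.170.5.28 host 192.168.1.21 eq 1628
! Remove the broad rule from the posted config once the narrow one is in place.
no access-list outside_access_in extended permit ip any host 192.168.1.21
! Confirm which list is bound inbound on the outside interface.
show running-config access-group

! 3. Verify. A packet from the Internet carries the MAPPED address, so the trace
!    targets the outside interface IP, not 192.168.1.21.
packet-tracer input outside tcp 166.170.5.28 65535 OUTSIDE_IF_IP 1628 detailed
! Expect an UN-NAT phase naming obj-192.168.1.21, an ACCESS-LIST phase with
! Result: ALLOW, and an overall Action: allow.

! With the contractor connecting, 302013 "Built inbound TCP connection" means it
! works; 106023 is an ACL deny; 305013 (as in the posted log) is the NAT mismatch.
show logging | include 192.168.1.21

! 4. Persist the change.
write memory
```

The choice of the outside interface address for the port-forward avoids claiming a second public address from the block the asker listed; if a dedicated public IP is wanted instead, replace `static interface service tcp 1628 1628` with `static <public-ip> service tcp 1628 1628`, and make sure that address is not already the mapped address of another NAT rule, which is the overlap Jan asked about for 66.96.160.149.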