topic Re: open port and forrwarding? in Network Security

open port and forrwarding?

Maurizio Caloro — Mon, 03 May 2021 06:14:10 GMT

hello
Please try to open on me firewall 5506-x the OpenVPN UDP port 1194, but without success.

Define the machine and port, also double check the udp port, no chance.

access-list outside_access_in line 1 extended permit udp any host 192.168.16.9 eq 1194 (hitcnt=8) 0x998cb704
access-list outside_access_in line 1 extended permit tcp any host 192.168.16.9 eq https (hitcnt=0) 0xe13c63c8

object network OpenVPN-Server
          host 192.168.16.9
object service OpenVPN-Service-IN
          service udp destination eq 1194
object service OpenVPN-Service-OUT
          service udp source eq 1194

nat (inside_6,outside) source static OpenVPN-Server interface service any OpenVPN-Service-OUT

openvpn Server settings

local 192.168.16.9
port 1194
proto udp

thanks for any possible update

regards

Mauri

Re: open port and forrwarding?

balaji.bandi — Mon, 03 May 2021 07:08:02 GMT

Just to clarify you looking to setup Open VPN Server inside your network need to port-forward outside to inside correct?

or you looking you Lan user to connect outside Open VPN Server ?

If the inside your environment as Open VPN Server

As per the document, you need to open TCP and UDP both 1194 along with 80 and 443

Re: open port and forrwarding?

Maurizio Caloro — Mon, 03 May 2021 07:43:24 GMT

thanks for your answer!

yes i will, that all me external Users from (WAN) can connect to me internal (LAN) to connect with running openvpn server.

After read the openvpn document i found the following information, please see the attached picture.

i the meantime founding meny near same answers/questions

yes access-list still create, but without success.

Re: open port and forrwarding?

balaji.bandi — Mon, 03 May 2021 08:22:10 GMT

After changing the config, can you post the full config? You can use a packet tracer to test it and post the outcome.

what is the Logs show when the connection coming in ? are you using ASDM, so you can view the real-time logs when the connection coming to ASA ? what status is this DROP or ?

Re: open port and forrwarding?

Maurizio Caloro — Mon, 03 May 2021 11:01:50 GMT

now changing meny settings safe and back, restrart from configuration and restart firewall, but iam not shure it's this the right way.

if checking from any tools, local or online, still the port are closed. thanks for possible help.

Re: open port and forrwarding?

Maurizio Caloro — Mon, 03 May 2021 13:45:48 GMT

i would by happy for any more information, thanks

Re: open port and forrwarding?

Maurizio Caloro — Tue, 04 May 2021 07:27:11 GMT

hello

the interface whith BVI1 have the NameIf "inside"

interface BVI1
nameif inside
security-level 10

why i dont see this here?

ASA(config)# nat (?

configure mode commands/options:
Current available interface(s):

     any Global address space
          inside_1 Name of interface GigabitEthernet1/2
          inside_2 Name of interface GigabitEthernet1/3
          inside_3 Name of interface GigabitEthernet1/4
          inside_4 Name of interface GigabitEthernet1/5
          inside_5 Name of interface GigabitEthernet1/6
          inside_6 Name of interface GigabitEthernet1/7
          inside_7 Name of interface GigabitEthernet1/8
outside Name of interface GigabitEthernet1/1

if reading the on cisco site, everytime mentioned "Inside"

ASA(config)# nat (inside,outside) static outside
^
ERROR: % Invalid input detected at '^' marker.

thanks

Re: open port and forrwarding?

rschlayer — Tue, 04 May 2021 08:47:25 GMT

On 5506-X BVI interfaces cannot be used for NAT translations, you have to specify the physical interface or go with "any"

BR
Rick

Re: open port and forrwarding?

Maurizio Caloro — Tue, 04 May 2021 09:17:27 GMT

thanks,

Define now Inside_5, this is the VPN Server inside me LAN Network TCP-UDP are open Any Any

But no connection will by build!? thanks

if define the picture you will see <--> ASA <--> and the OpenVPN Server will run, and when i will plug

back to Soho this will also run.

thanks

Re: open port and forrwarding?

Maurizio Caloro — Tue, 04 May 2021 11:30:31 GMT

sorry if I bother you, after check now with packet-tracer command i see "Phase 5" that will by drop,
its possible here to receive any information?

Phase: 1
Type: CP-PUNT
Subtype: l2-selective
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efc6c2dfcc0, priority=13, domain=punt, deny=false
hits=295678, user_data=0x7efc68213520, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efc6ca10e30, priority=1, domain=permit, deny=false
hits=8576488, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.1.9 using egress ifc inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efc6b7a83e0, priority=0, domain=nat-per-session, deny=false
hits=753111, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7efc6ca12260, priority=0, domain=permit, deny=true
hits=55455, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560b7ecd294d flow (NA)/NA

ASA#

Re: open port and forrwarding?

Maurizio Caloro — Wed, 05 May 2021 06:11:40 GMT

iam using both, ADSM and CLI

Phase 5, its drop, but i dont see why. the Log are here, please scroll down.