topic Accessing a client maching with port forwarding ASA 5505 in Network Security

Accessing a client maching with port forwarding ASA 5505

Phobernomicon — Tue, 12 Mar 2019 03:07:28 GMT

We are implementing a program on mobile phones that access port 2439 for syncing files from a computer within the domain. I'm new to cisco routers, and am having a hard time wrapping my head around how to set this up. I'm using an ASA 5505 with ASDM 6.2. I'm just trying to use port forwarding to access the files. Any help would be appreciated.

Accessing a client maching with port forwarding ASA 5505

Jon Marshall — Wed, 20 Nov 2013 21:58:59 GMT

Jeremy

Can you post current ASA config and remove any public IPs for secuirty.

Jon

Accessing a client maching with port forwarding ASA 5505

Phobernomicon — Wed, 20 Nov 2013 22:31:58 GMT

I'm assuming this is what you are looking for.

ASA Version 8.2(3)

hostname ****-asa

domain-name default.domain.invalid

enable password encrypted

passwd encrypted

no names

name **.**.***.** Cox-Static-IP

name ***.***.*.* Site-*****-Subnet

name ***.***.*.* Site-**********-Subnet

name **.*.*.*** Video-Camera-DVR

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.100 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address **.**.***.** 255.255.255.240

interface Vlan5

no forward interface Vlan1

nameif dmz

security-level 50

ip address dhcp

boot system disk0:/asa823-k8.bin

ftp mode passive

clock timezone MST -7

dns domain-lookup outside

dns server-group DefaultDNS

name-server 68.105.28.16

name-server 68.105.29.16

name-server 8.8.8.8

domain-name default.domain.invalid

object-group network MarvPc

object-group service 2439

service-object tcp source eq 2439

access-list outside_access_in extended permit ip any any

access-list outside_access_in remark Swann Security Camera TCP Admin Access

access-list outside_access_in extended permit tcp any host **.**.***.** eq 9000

access-list outside_access_in remark Swann Security Camera HTTP Access

access-list outside_access_in extended permit tcp any host **.**.***.** eq www

access-list outside_access_in remark Swann Security Camera

access-list outside_access_in extended permit tcp any host **.**.***.** eq 18004

access-list outside_access_in extended permit tcp any any eq 2439

access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-625-53.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 9000 10.0.0.125 9000 netmask 255.255.255.255

static (inside,outside) tcp interface www 10.0.0.125 www netmask 255.255.255.255

static (inside,outside) tcp interface 18004 10.0.0.125 18004 netmask 255.255.255.255

static (inside,outside) tcp interface 2439 10.0.0.110 2439 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 **.**.***.** 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer **.***.**.**

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer **.***.**.***

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 20

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns **.***.**.** **.***.**.**

dhcpd auto_config outside

dhcpd address 10.0.0.131-10.0.0.150 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec

username aljoasatech password .fUia4yjsvpgYe4v encrypted privilege 15

tunnel-group **.***.**.** type ipsec-l2l

tunnel-group **.***.**.** ipsec-attributes

pre-shared-key *****

tunnel-group **.***.**.*** type ipsec-l2l

tunnel-group **.***.**.*** ipsec-attributes

pre-shared-key *****

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:b0c3b7b7db62ba5122feede6a72a65f8

: end

Accessing a client maching with port forwarding ASA 5505

Jon Marshall — Wed, 20 Nov 2013 22:58:24 GMT

Your config looks fine assuming the internal machine is 10.0.0.110.

So is the port definitely TCP and are you sure there are no other ports needed for this connection ?

Jon

Accessing a client maching with port forwarding ASA 5505

jumora — Thu, 21 Nov 2013 01:46:55 GMT

Well, I would change the next ACE due to security reasons:

enable

config t

no access-list outside_access_in extended permit tcp any any eq 2439

access-list outside_access_in extended permit tcp any interface outside eq 2439

But as Jon stated the connection should go through.

Accessing a client maching with port forwarding ASA 5505

Phobernomicon — Thu, 21 Nov 2013 18:06:28 GMT

The computer I am trying to reach is 10.0.0.110, the server on the other hand is 10.0.0.115 Is there an issue with that? I just don't understand why this isn't working, maybe a setting I've overlooked? I have the ports open on 10.0.0.110 and a firewall exception on the server.

Re: Accessing a client maching with port forwarding ASA 5505

Jon Marshall — Thu, 21 Nov 2013 19:50:09 GMT

Jeremy

I'm not sure i understand. What is the difference between the computer 10.0.0.110 and the server 10.0.0.115. Which one are you trying to sync the phones with ?

Jon

Accessing a client maching with port forwarding ASA 5505

jumora — Thu, 21 Nov 2013 21:00:27 GMT

If they are on the same subnet traffic does not even reach the ASA so I am bit confused on what you are asking

Value our effort and rate the assistance!

Accessing a client maching with port forwarding ASA 5505

Phobernomicon — Thu, 21 Nov 2013 21:16:40 GMT

The mobile phones need to sync with a client computer @10.0.0.110. The server is 10.0.0.115. I added this info because the router seems to be set up properly yet I still cannot connect to sync the phones. I'm thinking I have something setup wrong somewhere, just not sure how to diagnose it. The phones sync fine while connected to the companies wifi using 10.0.0.110. But unreachable when I use the outside IP address. Sorry for being confusing, I was more trying to clarify the setup.

Accessing a client maching with port forwarding ASA 5505

Jon Marshall — Thu, 21 Nov 2013 21:20:29 GMT

Jeremy

Still can't see anything wrong with your config. Is there a specific application name for the syncing of the phones ? It may be there is some issue with them using NAT.

Jon

Accessing a client maching with port forwarding ASA 5505

Phobernomicon — Thu, 21 Nov 2013 21:32:21 GMT

It's a program called HandiFox, it's installed on the phones, and within quickbooks. It tracks inventory and sales. Supposedly it just needs port 2439 to be forwarded. They haven't had this problem before, is there any more info you guys would like to look at? Nic setting, firewall settings? My head is spinning like Linda Blair. It has to be a rookie mistake on my part somewhere.

Accessing a client maching with port forwarding ASA 5505

Phobernomicon — Fri, 22 Nov 2013 18:56:39 GMT

After pooring over it a couple more times I realized Jumora mentioned the subnet. Finally noticed this in the log file

static (inside,outside) tcp interface 2439 10.0.0.110 2439 netmask 255.255.255.255

The subnet mask of that address is 255.255.255.0 Looks like this is the problem. Unfortunately I haven't found how to change the subnet of that forwarding. How can I correct this?

Accessing a client maching with port forwarding ASA 5505

jumora — Sun, 24 Nov 2013 03:21:38 GMT

Oh my friend I believe that you are confused. Please call me juanmh84 through skype today or tomorrow or at my phone number that is posted on Monday after 11 am CST.

Value our effort and rate the assistance!