topic Port access to inside in Network Security

Port access to inside

Thomas Summers — Tue, 12 Mar 2019 03:07:02 GMT

I am trying to allow access to my inside users on port 5222 for a new phone system application on a ASA5505. All of my inside users are using DHCP from a Domain Controller. If I connect to another network that does not have a ASA 5505 in place I am able to open the application that uses port 5222, but from the network behind the ASA I am not able to.

Port access to inside

stevechege — Tue, 19 Nov 2013 20:29:16 GMT

Hello,

What kind of application is it?

It could be an ACL on the inside interface. Maybe the "inside" subnet is not allowed or is blocked by the firewall .

Do you have a ACL on the inside interface?

Port access to inside

jumora — Tue, 19 Nov 2013 20:41:18 GMT

Things taht we need to help you out and understand your problem:

source IP

destination IP

application

ASA configuration

How does the application work????

Port access to inside

Thomas Summers — Wed, 20 Nov 2013 11:59:56 GMT

The Source IP is 74.43.254.162

The Destination IP will be 10.10.10.0/24 Internal subnet

This applications allows the users to see how many calls are the in queue, if they have voice mail, who is in or away

ASA configuration;

!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 216.255.166.36 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
!
time-range Close_Portol
!
boot system disk0:/asa804-28-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name tvcconnect.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network FTPHosts
description Those that are allowed to use FTP
network-object 216.255.166.7 255.255.255.255
network-object 63.161.147.154 255.255.255.255
network-object 63.161.147.10 255.255.255.255
network-object host 216.255.162.47
network-object host 64.161.190.116
network-object host 208.85.128.5
network-object host 208.85.128.2
network-object host 75.13.65.241
network-object host 10.10.10.151
network-object host 10.10.10.8
object-group network PeakViewSolutions
network-object host 10.10.10.21
object-group network TVCBlackBerryIPs

*object-group network TVCDroidsIPs

object-group network TVC_GLDS_External_Hosts
*

*
object-group network BLUE_MOON
*

access-list 100 extended permit ip 10.10.10.0 255.255.255.0 172.16.205.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 host 172.16.205.15
access-list nonat extended permit ip any 192.168.250.0 255.255.255.0
access-list nonat extended permit ip any 10.7.7.0 255.255.255.248
access-list nonat extended permit ip 172.16.208.0 255.255.255.0 host 172.16.205.10
access-list nonat extended permit ip 172.16.208.0 255.255.255.0 host 172.16.205.20
access-list nonat extended permit ip host 10.10.10.101 172.16.205.0 255.255.255.0
access-list TVC_In extended permit tcp object-group FTPHosts host 216.255.166.41 eq ftp
access-list TVC_In extended permit ip 74.62.190.0 255.255.255.0 host 216.255.166.40
access-list TVC_In extended permit icmp host 216.255.162.36 host 216.255.166.37
access-list TVC_In extended permit ip host 216.255.162.37 host 216.255.166.37
access-list TVC_In extended permit tcp host 216.255.162.36 host 216.255.166.37 eq 15802
access-list TVC_In extended permit udp host 216.255.162.36 host 216.255.166.37 eq 15802
access-list TVC_In extended permit tcp host 216.255.162.36 host 216.255.166.37 eq 15803
access-list TVC_In extended permit udp host 216.255.162.36 host 216.255.166.37 eq 15803
access-list TVC_In extended permit tcp host 216.255.162.36 host 216.255.166.40 eq 15802
access-list TVC_In extended permit udp host 216.255.162.36 host 216.255.166.40 eq 15802
access-list TVC_In extended permit tcp host 216.255.162.36 host 216.255.166.40 eq 15803
access-list TVC_In extended permit udp host 216.255.162.36 host 216.255.166.40 eq 15803
access-list TVC_In extended permit tcp host 216.255.162.37 host 216.255.166.40 eq 15802
access-list TVC_In extended permit udp host 216.255.162.37 host 216.255.166.40 eq 15802
access-list TVC_In extended permit tcp host 216.255.162.37 host 216.255.166.40 eq 15803
access-list TVC_In extended permit udp host 216.255.162.37 host 216.255.166.40 eq 15803
access-list TVC_In extended permit tcp object-group TVCBlackBerryIPs host 216.255.166.42 eq www log
access-list TVC_In extended permit tcp object-group TVCBlackBerryIPs host 216.255.166.42 eq https log
access-list TVC_In extended permit tcp object-group TVCDroidsIPs host 216.255.166.42 eq www log
access-list TVC_In extended permit tcp object-group TVCDroidsIPs host 216.255.166.42 eq https log
access-list TVC_In extended permit ip object-group TVC_GLDS_External_Hosts host 216.255.166.40
access-list TVC_In extended permit udp any any eq sip
access-list TVC_In extended permit udp any any range 10000 20000
access-list TVC_In extended permit udp any any eq 5061
access-list TVC_In permit tcp any any eq 5222

access-list TVC_In extended permit tcp any any range 10000 20000
access-list Split_Tunnel standard permit 10.10.10.0 255.255.255.0
!
!Lines removed
!
logging enable
logging timestamp
logging buffered debugging
logging trap errors
logging asdm informational
logging host inside 10.10.10.9
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.250.1-192.168.250.50 mask 255.255.255.0
ip local pool TVC&GU_VPN_Pool 192.168.250.51
ip local pool MIR_VPN_Pool 10.7.7.1-10.7.7.2 mask 255.255.255.248
ip local pool TVC_3Cs_VPN_Pool 192.168.250.60-192.168.250.62 mask 255.255.255.0
ip local pool BLUE_MOON_VPN_Pool 192.168.250.55-192.168.250.58 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 216.255.162.36 outside
icmp permit host 216.255.166.7 outside
icmp permit host 216.255.166.37 outside
icmp deny any outside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 216.255.166.37 netmask 255.255.255.255
global (outside) 3 216.255.166.38 netmask 255.255.255.255
global (outside) 4 216.255.166.40 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 3 10.10.10.11 255.255.255.255
nat (inside) 2 10.10.10.12 255.255.255.255
nat (inside) 4 10.10.10.15 255.255.255.255
nat (inside) 1 10.10.10.0 255.255.255.0
static (inside,outside) 216.255.166.37 10.10.10.12 netmask 255.255.255.255
static (inside,outside) 216.255.166.39 10.10.10.50 netmask 255.255.255.255
static (inside,outside) 216.255.166.40 10.10.10.15 netmask 255.255.255.255
static (inside,outside) 216.255.166.41 10.10.10.11 netmask 255.255.255.255
static (inside,outside) 216.255.166.42 10.10.10.21 netmask 255.255.255.255
access-group TVC_In in interface outside
route outside 0.0.0.0 0.0.0.0 216.255.166.33 1
route outside 172.16.205.0 255.255.255.0 216.255.166.9 1
route inside 172.16.208.0 255.255.255.0 10.10.10.4 1
route outside 192.168.0.0 255.255.255.0 216.255.166.9 1
route inside 0.0.0.0 0.0.0.0 10.10.10.2 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record TVC_VPN_DAP
description "Non TVC 3Cs access"
priority 1
dynamic-access-policy-record TVC_3Cs_DAP
description "TVC 3Cs DAP"
priority 10
dynamic-access-policy-record DfltAccessPolicy
aaa-server TVC-DC-01 protocol ldap
aaa-server TVC-DC-01 (inside) host 10.10.10.30
ldap-base-dn dc=tvcconnect, dc=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=ASA ASA,CN=Users,DC=tvcconnect,DC=net
server-type microsoft
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.8 255.255.255.255 inside
http 10.10.10.9 255.255.255.255 inside
http 10.10.10.7 255.255.255.255 inside
http 10.10.10.6 255.255.255.255 inside
http 10.10.10.163 255.255.255.255 inside
http 10.10.10.151 255.255.255.255 inside
http 10.10.10.38 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address GU
crypto map outside_map 1 set peer 216.255.166.9
crypto map outside_map 1 set transform-set myset
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 216.255.166.7
crypto map outside_map 20 set transform-set myset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
*

*
ssh timeout 60
ssh version 2
console timeout 0
management-access inside

priority-queue inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy TVC_GLDS internal
group-policy TVC_GLDS attributes
dns-server value 10.10.10.30 10.10.10.31
vpn-tunnel-protocol IPSec
default-domain value tvcconnect.net
group-policy TVC_ACCESS internal
group-policy TVC_ACCESS attributes
dns-server value 10.10.10.30 10.10.10.31
vpn-access-hours none
vpn-tunnel-protocol IPSec
default-domain value tvcconnect.net
group-policy TVC_3Cs_GP internal
group-policy TVC_3Cs_GP attributes
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy TVC&GU_VPN internal
group-policy TVC&GU_VPN attributes
dns-server value 10.10.10.30 10.10.10.31
vpn-tunnel-protocol IPSec
default-domain value tvcconnect.net
group-policy TVC_BLUE_MOON internal
group-policy TVC_BLUE_MOON attributes
dns-server value 10.10.10.30 10.10.10.31
vpn-tunnel-protocol IPSec
default-domain value tvcconnect.net
group-policy PeakView_Solutions internal
group-policy PeakView_Solutions attributes
dns-server value 10.10.10.30 10.10.10.31
vpn-tunnel-protocol IPSec
default-domain value tvcconnect.net
username raufm password ******************* encrypted privilege 15
username koschmiederv password ********************** encrypted
username koschmiederv attributes
vpn-group-policy TVC_ACCESS
username PeakViewSolutions password ******************* encrypted privilege 0
username PeakViewSolutions attributes
vpn-group-policy PeakView_Solutions
username danielles password ************************* encrypted privilege 0
username danielles attributes
vpn-group-policy TVC_ACCESS
username summerst password ************************** encrypted privilege 15
username summerst attributes
vpn-group-policy TVC_ACCESS
username GLDS password ********************* encrypted privilege 0
username GLDS attributes
vpn-group-policy TVC_GLDS
username zawackij password ********************* encrypted privilege 0
username zawackij attributes
vpn-group-policy TVC_ACCESS
username kennistonh password ***************** encrypted privilege 0
username bluemoon password ******************* encrypted
username bluemoon attributes
vpn-group-policy TVC_BLUE_MOON
tunnel-group TVC&GU_VPN type remote-access
tunnel-group TVC&GU_VPN general-attributes
address-pool TVC&GU_VPN_Pool
tunnel-group TVC&GU_VPN ipsec-attributes
pre-shared-key *
tunnel-group TVC_GLDS type remote-access
tunnel-group TVC_GLDS general-attributes
address-pool VPN_Pool
default-group-policy TVC_GLDS
tunnel-group TVC_GLDS ipsec-attributes
pre-shared-key *
tunnel-group TVC_ACCESS type remote-access
tunnel-group TVC_ACCESS general-attributes
address-pool VPN_Pool
default-group-policy TVC_ACCESS
tunnel-group TVC_ACCESS ipsec-attributes
pre-shared-key *
tunnel-group 216.255.166.9 type ipsec-l2l
tunnel-group 216.255.166.9 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 10
tunnel-group GU_Information_Technology type remote-access
tunnel-group GU_Information_Technology general-attributes
address-pool MIR_VPN_Pool
tunnel-group GU_Information_Technology ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 15 retry 10
tunnel-group PeakView_Solutions type remote-access
tunnel-group PeakView_Solutions general-attributes
address-pool VPN_Pool
default-group-policy TVC_GLDS
tunnel-group PeakView_Solutions ipsec-attributes
pre-shared-key *
tunnel-group TVC_BLUE_MOON type remote-access
tunnel-group TVC_BLUE_MOON general-attributes
address-pool BLUE_MOON_VPN_Pool
tunnel-group TVC_BLUE_MOON ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3667be2845ce3329b1bf61a9e260d350

Port access to inside

Eddy Duran — Wed, 20 Nov 2013 14:16:42 GMT

Hello Thomas,

Is this an outbound or inbound connection?

If the traffic is generated from Inside to Outside, the traffic should be permitted with the current configuration that you have.

If the traffic is initiated from the IP address: 74.43.254.162 to the Inside, it will be a good idea to determine if the connection is destined to the ASA Public Interface IP, if this is the case, it will be complicated because since the traffic is coming from a low to a high security level, there needs to be a NAT for passing the traffic and if the destination is one IP there is no way to perform a redirection for the whole Inside Subnet.

Now if the packet gets to the Outside Interface with the destination that you mentioned:

10.10.10.0/24

Then you can apply the following commands:

nat (outside) 105 74.43.254.162 255.255.255.255

global (inside) 105 interface

Let me know how it goes.

-Eddy Duran

Port access to inside

jumora — Wed, 20 Nov 2013 14:33:03 GMT

My thoughts are that this is an outgoing connection from local PC to that destination server. There is no possible way that an application establishes connections to local PC without these initiating a connection to it.

Port access to inside

Thomas Summers — Wed, 20 Nov 2013 15:06:36 GMT

Each PC will have the application installed on it and they will each then communicate with the server at 74.43.254.162.

Port access to inside

jumora — Wed, 20 Nov 2013 17:05:01 GMT

Please run a packet tracer on the ASA and send us the output, in most cases from higher to lower security interfaces you don't place an ACE.

packet-tracer input inside tcp 10.10.10.100 1025 74.43.254.162 5122

I think that was the destination port I just can't find the post that you defined it.

Port access to inside

Thomas Summers — Mon, 25 Nov 2013 16:56:17 GMT

This traffic is coming from the inside network of 10.10.10.0/24 to the host IP of 74.43.254.162. below are the results of a packet-tracer;

TVCASA# packet-tracer input inside tcp 10.10.10.38 1025 74.43.254.162 5222

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.10.10.0 255.255.255.0
match ip inside 10.10.10.0 255.255.255.0 outside any
dynamic translation to pool 1 (216.255.166.36 [Interface PAT])
translate_hits = 8640664, untranslate_hits = 618131
Additional Information:
Dynamic translate 10.10.10.38/1025 to 216.255.166.36/60543 using netmask 255.255.255.255

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.10.10.0 255.255.255.0
match ip inside 10.10.10.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10756988, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 216.255.166.33 using egress ifc outside
adjacency Active
next-hop mac address 000a.f330.5000 hits 9850

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Port access to inside

jumora — Mon, 25 Nov 2013 17:30:06 GMT

It's allowed so it is not a configuration issue.

Value our effort and rate the assistance!

Re: Port access to inside

Thomas Summers — Mon, 25 Nov 2013 17:37:18 GMT

It appears to be stopped in the inbound side. Please take a look at the attachment.