https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315250#M311131 <P>Hi everyone.</P><P></P><P>I'm trying to open ports on a specific host but I can't make it work.</P><P></P><P>I tried to make it clear as possible,</P><P></P><P><SPAN style="font-size: 10pt;">Thanks for helping.</SPAN></P><P></P><P></P><P>There is my config:</P><P></P><P>Result of the command: "show run"</P><P></P><P></P><P>: Saved</P><P>:</P><P>ASA Version 9.1(3) </P><P>!</P><P>hostname ciscoasa</P><P>enable password *** encrypted</P><P>xlate per-session deny tcp any4 any4</P><P>xlate per-session deny tcp any4 any6</P><P>xlate per-session deny tcp any6 any4</P><P>xlate per-session deny tcp any6 any6</P><P>xlate per-session deny udp any4 any4 eq domain</P><P>xlate per-session deny udp any4 any6 eq domain</P><P>xlate per-session deny udp any6 any4 eq domain</P><P>xlate per-session deny udp any6 any6 eq domain</P><P>passwd *** encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 1.1.1.1 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address <STRONG>MY-FIREWALL-IP</STRONG> 255.255.255.240 </P><P>!</P><P>boot system disk0:/asa913-k8.bin</P><P>ftp mode passive</P><P>object network obj_any</P><P> subnet 0.0.0.0 0.0.0.0</P><P>object network LAN-SITE-B</P><P> subnet 1.1.2.0 255.255.255.0</P><P>object network LAN-SITE-A</P><P> subnet 1.1.1.0 255.255.255.0</P><P>object network Firewall-SITE-B</P><P> host VPN-SITE-B-IP</P><P><STRONG>object network SERVER01</STRONG></P><P><STRONG> host 1.1.1.2 (MY SERVER THAT I WANT TO ACCESS FROM OUTSIDE)</STRONG></P><P><STRONG>object-group service ALL-IP tcp-udp</STRONG></P><P><STRONG> description ALL-IP</STRONG></P><P><STRONG> port-object range 1 65535 (FOR TESTING PURPOSE, I'M TRYING TO OPEN ALL PORTS ON THIS HOST)</STRONG></P><P>object-group protocol TCPUDP</P><P> protocol-object udp</P><P> protocol-object tcp</P><P>access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B</P><P><STRONG>access-list outside_access_in extended permit object-group TCPUDP any host MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE) object-group ALL-IP</STRONG> </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>nat (inside,outside) source static LAN-SITE-A LAN-SITE-B destination static LAN-SITE-B LAN-SITE-A <SPAN style="font-size: 10pt;">no-proxy-arp route-lookup</SPAN></P><P>!</P><P>object network obj_any</P><P> nat (inside,outside) dynamic interface</P><P><STRONG>object network SERVER01</STRONG></P><P><STRONG> nat (inside,outside) static <STRONG>MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE)</STRONG><BR /></STRONG></P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 MY-GATEWAY 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>no user-identity enable</P><P>user-identity default-domain LOCAL</P><P>aaa authentication ssh console LOCAL </P><P>http server enable</P><P>http 1.1.1.0 255.255.255.0 inside</P><P>http 0.0.0.0 0.0.0.0 outside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec ikev2 ipsec-proposal DES</P><P> protocol esp encryption des</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal 3DES</P><P> protocol esp encryption 3des</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES</P><P> protocol esp encryption aes</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES192</P><P> protocol esp encryption aes-192</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES256</P><P> protocol esp encryption aes-256</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>crypto map outside_map 1 match address outside_cryptomap</P><P>crypto map outside_map 1 set pfs </P><P>crypto map outside_map 1 set peer SITE-B</P><P>crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES</P><P>crypto map outside_map interface outside</P><P>crypto ca trustpool policy</P><P>crypto ikev2 policy 1</P><P> encryption aes-256</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 10</P><P> encryption aes-192</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 20</P><P> encryption aes</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 30</P><P> encryption 3des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 40</P><P> encryption des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 enable outside</P><P>crypto ikev1 enable outside</P><P>crypto ikev1 policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 5</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P></P><P></P><P>dhcpd auto_config outside</P><P>!</P><P>dhcpd address 1.1.1.100-1.1.1.125 inside</P><P>dhcpd dns 24.200.241.37 24.201.245.77 interface inside</P><P>dhcpd enable inside</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>group-policy GroupPolicy_SITE-B internal</P><P>group-policy GroupPolicy_SITE-B attributes</P><P> vpn-tunnel-protocol ikev1 ikev2 </P><P>username MY-USER password *** encrypted privilege 15</P><P>tunnel-group SITE-B type ipsec-l2l</P><P>tunnel-group SITE-B general-attributes</P><P> default-group-policy GroupPolicy_SITE-B</P><P>tunnel-group SITE-B ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P> ikev2 remote-authentication pre-shared-key *****</P><P> ikev2 local-authentication pre-shared-key *****</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect ip-options </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>no call-home reporting anonymous</P><P>call-home</P><P> profile CiscoTAC-1</P><P>&nbsp; no active</P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com" target="_blank">callhome@cisco.com</A></P><P>&nbsp; destination transport-method http</P><P>&nbsp; subscribe-to-alert-group diagnostic</P><P>&nbsp; subscribe-to-alert-group environment</P><P>&nbsp; subscribe-to-alert-group inventory periodic monthly</P><P>&nbsp; subscribe-to-alert-group configuration periodic monthly</P><P>&nbsp; subscribe-to-alert-group telemetry periodic daily</P><P>Cryptochecksum:f5d698f2b08e98028f2d487a42c7187e</P><P>: end</P> Tue, 12 Mar 2019 02:50:50 GMT pl.mailloux 2019-03-12T02:50:50Z https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315250#M311131 <P>Hi everyone.</P><P></P><P>I'm trying to open ports on a specific host but I can't make it work.</P><P></P><P>I tried to make it clear as possible,</P><P></P><P><SPAN style="font-size: 10pt;">Thanks for helping.</SPAN></P><P></P><P></P><P>There is my config:</P><P></P><P>Result of the command: "show run"</P><P></P><P></P><P>: Saved</P><P>:</P><P>ASA Version 9.1(3) </P><P>!</P><P>hostname ciscoasa</P><P>enable password *** encrypted</P><P>xlate per-session deny tcp any4 any4</P><P>xlate per-session deny tcp any4 any6</P><P>xlate per-session deny tcp any6 any4</P><P>xlate per-session deny tcp any6 any6</P><P>xlate per-session deny udp any4 any4 eq domain</P><P>xlate per-session deny udp any4 any6 eq domain</P><P>xlate per-session deny udp any6 any4 eq domain</P><P>xlate per-session deny udp any6 any6 eq domain</P><P>passwd *** encrypted</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> switchport access vlan 2</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>interface Vlan1</P><P> nameif inside</P><P> security-level 100</P><P> ip address 1.1.1.1 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P> nameif outside</P><P> security-level 0</P><P> ip address <STRONG>MY-FIREWALL-IP</STRONG> 255.255.255.240 </P><P>!</P><P>boot system disk0:/asa913-k8.bin</P><P>ftp mode passive</P><P>object network obj_any</P><P> subnet 0.0.0.0 0.0.0.0</P><P>object network LAN-SITE-B</P><P> subnet 1.1.2.0 255.255.255.0</P><P>object network LAN-SITE-A</P><P> subnet 1.1.1.0 255.255.255.0</P><P>object network Firewall-SITE-B</P><P> host VPN-SITE-B-IP</P><P><STRONG>object network SERVER01</STRONG></P><P><STRONG> host 1.1.1.2 (MY SERVER THAT I WANT TO ACCESS FROM OUTSIDE)</STRONG></P><P><STRONG>object-group service ALL-IP tcp-udp</STRONG></P><P><STRONG> description ALL-IP</STRONG></P><P><STRONG> port-object range 1 65535 (FOR TESTING PURPOSE, I'M TRYING TO OPEN ALL PORTS ON THIS HOST)</STRONG></P><P>object-group protocol TCPUDP</P><P> protocol-object udp</P><P> protocol-object tcp</P><P>access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B</P><P><STRONG>access-list outside_access_in extended permit object-group TCPUDP any host MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE) object-group ALL-IP</STRONG> </P><P>pager lines 24</P><P>logging enable</P><P>logging asdm informational</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>no arp permit-nonconnected</P><P>nat (inside,outside) source static LAN-SITE-A LAN-SITE-B destination static LAN-SITE-B LAN-SITE-A <SPAN style="font-size: 10pt;">no-proxy-arp route-lookup</SPAN></P><P>!</P><P>object network obj_any</P><P> nat (inside,outside) dynamic interface</P><P><STRONG>object network SERVER01</STRONG></P><P><STRONG> nat (inside,outside) static <STRONG>MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE)</STRONG><BR /></STRONG></P><P>access-group outside_access_in in interface outside</P><P>route outside 0.0.0.0 0.0.0.0 MY-GATEWAY 1</P><P>timeout xlate 3:00:00</P><P>timeout pat-xlate 0:00:30</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>timeout floating-conn 0:00:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>no user-identity enable</P><P>user-identity default-domain LOCAL</P><P>aaa authentication ssh console LOCAL </P><P>http server enable</P><P>http 1.1.1.0 255.255.255.0 inside</P><P>http 0.0.0.0 0.0.0.0 outside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac </P><P>crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac </P><P>crypto ipsec ikev2 ipsec-proposal DES</P><P> protocol esp encryption des</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal 3DES</P><P> protocol esp encryption 3des</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES</P><P> protocol esp encryption aes</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES192</P><P> protocol esp encryption aes-192</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec ikev2 ipsec-proposal AES256</P><P> protocol esp encryption aes-256</P><P> protocol esp integrity sha-1 md5</P><P>crypto ipsec security-association pmtu-aging infinite</P><P>crypto map outside_map 1 match address outside_cryptomap</P><P>crypto map outside_map 1 set pfs </P><P>crypto map outside_map 1 set peer SITE-B</P><P>crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5</P><P>crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES</P><P>crypto map outside_map interface outside</P><P>crypto ca trustpool policy</P><P>crypto ikev2 policy 1</P><P> encryption aes-256</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 10</P><P> encryption aes-192</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 20</P><P> encryption aes</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 30</P><P> encryption 3des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 policy 40</P><P> encryption des</P><P> integrity sha</P><P> group 5 2</P><P> prf sha</P><P> lifetime seconds 86400</P><P>crypto ikev2 enable outside</P><P>crypto ikev1 enable outside</P><P>crypto ikev1 policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>telnet timeout 5</P><P>ssh 0.0.0.0 0.0.0.0 inside</P><P>ssh timeout 5</P><P>ssh key-exchange group dh-group1-sha1</P><P>console timeout 0</P><P></P><P></P><P>dhcpd auto_config outside</P><P>!</P><P>dhcpd address 1.1.1.100-1.1.1.125 inside</P><P>dhcpd dns 24.200.241.37 24.201.245.77 interface inside</P><P>dhcpd enable inside</P><P>!</P><P>threat-detection basic-threat</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>group-policy GroupPolicy_SITE-B internal</P><P>group-policy GroupPolicy_SITE-B attributes</P><P> vpn-tunnel-protocol ikev1 ikev2 </P><P>username MY-USER password *** encrypted privilege 15</P><P>tunnel-group SITE-B type ipsec-l2l</P><P>tunnel-group SITE-B general-attributes</P><P> default-group-policy GroupPolicy_SITE-B</P><P>tunnel-group SITE-B ipsec-attributes</P><P> ikev1 pre-shared-key *****</P><P> ikev2 remote-authentication pre-shared-key *****</P><P> ikev2 local-authentication pre-shared-key *****</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P>&nbsp; message-length maximum client auto</P><P>&nbsp; message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P>&nbsp; inspect dns preset_dns_map </P><P>&nbsp; inspect ftp </P><P>&nbsp; inspect h323 h225 </P><P>&nbsp; inspect h323 ras </P><P>&nbsp; inspect rsh </P><P>&nbsp; inspect rtsp </P><P>&nbsp; inspect esmtp </P><P>&nbsp; inspect sqlnet </P><P>&nbsp; inspect skinny&nbsp; </P><P>&nbsp; inspect sunrpc </P><P>&nbsp; inspect xdmcp </P><P>&nbsp; inspect sip&nbsp; </P><P>&nbsp; inspect netbios </P><P>&nbsp; inspect tftp </P><P>&nbsp; inspect ip-options </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>no call-home reporting anonymous</P><P>call-home</P><P> profile CiscoTAC-1</P><P>&nbsp; no active</P><P><SPAN>&nbsp; destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN>&nbsp; destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com" target="_blank">callhome@cisco.com</A></P><P>&nbsp; destination transport-method http</P><P>&nbsp; subscribe-to-alert-group diagnostic</P><P>&nbsp; subscribe-to-alert-group environment</P><P>&nbsp; subscribe-to-alert-group inventory periodic monthly</P><P>&nbsp; subscribe-to-alert-group configuration periodic monthly</P><P>&nbsp; subscribe-to-alert-group telemetry periodic daily</P><P>Cryptochecksum:f5d698f2b08e98028f2d487a42c7187e</P><P>: end</P> Tue, 12 Mar 2019 02:50:50 GMT https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315250#M311131 pl.mailloux 2019-03-12T02:50:50Z https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315251#M311133 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Make sure that you allow the traffic to the local IP address of the server rather then the public IP address</P><P></P><P>The general format for Static NAT and the ACL you should use is</P><P></P><P><STRONG>object network SERVER01</STRONG></P><P><STRONG> host <INTERNAL ip=""></INTERNAL></STRONG></P><P><STRONG> nat (inside,outside) static <PUBLIC ip=""></PUBLIC></STRONG></P><P></P><P><STRONG>access-list <ACL name=""> permit ip any object SERVER01</ACL></STRONG></P><P></P><P>The ACL in this situation reflects your need to allow everything in the testing phase. This is a lot simpler ACL than the one above because this essentially allows all TCP/UDP and for example also ICMP</P><P></P><P>After this you can test the rules with</P><P></P><P><STRONG>packet-tracer input outside tcp 1.1.1.1 12345 <PUBLIC ip=""> <PORT></PORT></PUBLIC></STRONG></P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Please&nbsp; do remember to mark a reply as the correct answer if it answered your question</P><P></P><P>Feel free to ask more if needed</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 11 Oct 2013 12:09:41 GMT https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315251#M311133 Jouni Forss 2013-10-11T12:09:41Z https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315252#M311134 <HTML><HEAD></HEAD><BODY><P>Hi JouniForss,</P><P></P><P>Thanks for your help.</P><P></P><P>Still no access, there is the reply from packet-tracer</P><P></P><P>ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 <STRONG>MY-SERVER01-PUBLIC-IP</STRONG> 12345</P><P></P><P></P><P>Phase: 1</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: ALLOW</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P>MAC Access list</P><P></P><P></P><P>Phase: 2</P><P>Type: UN-NAT</P><P>Subtype: static</P><P>Result: ALLOW</P><P>Config:</P><P>object network SERVER01</P><P> nat (inside,outside) static <STRONG>MY-SERVER01-PUBLIC-IP</STRONG></P><P>Additional Information:</P><P>NAT divert to egress interface inside</P><P>Untranslate <STRONG>MY-SERVER01-PUBLIC-IP</STRONG><SPAN style="font-size: 10pt;">/12345 to 1.1.1.2/12345</SPAN></P><P></P><P></P><P>Phase: 3</P><P>Type: NAT</P><P>Subtype: per-session</P><P>Result: ALLOW</P><P>Config:</P><P>Additional Information:</P><P></P><P></P><P>Phase: 4</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Fri, 11 Oct 2013 12:23:12 GMT https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315252#M311134 pl.mailloux 2013-10-11T12:23:12Z https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315253#M311135 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you provide the output of</P><P></P><P><STRONG>show run access-list</STRONG></P><P></P><P><STRONG>show run access-group</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 11 Oct 2013 12:27:12 GMT https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315253#M311135 Jouni Forss 2013-10-11T12:27:12Z https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315254#M311136 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt;">There is the info your requested :</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">ciscoasa# show run access-list</SPAN></P><P>access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B</P><P>access-list SERVER01 extended permit ip any object SERVER01</P><P></P><P><SPAN style="font-size: 10pt;">ciscoasa# show run access-group</SPAN></P><P>ciscoasa#</P><P></P><P></P><P>Thanks</P></BODY></HTML> Fri, 11 Oct 2013 12:41:35 GMT https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315254#M311136 pl.mailloux 2013-10-11T12:41:35Z https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315255#M311137 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You have no ACL attached to the <STRONG>"outside"</STRONG> interface</P><P></P><P>You would have to add</P><P></P><P><STRONG>access-group SERVER01 in interface outside</STRONG></P><P></P><P>Do notice that the ACL might be good to be named a bit more generally rather referencing the inteface to which its attached since any other future ACL rules would have to use this ACL</P><P></P><P>So you could for example instead do (WITHOUT adding the above<STRONG> "access-group"</STRONG> command)</P><P></P><P><STRONG>access-list OUTSIDE-IN extended permit ip any object SERVER01</STRONG></P><P></P><P><STRONG>access-group OUTSIDE-IN in interface outside</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 11 Oct 2013 12:55:44 GMT https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315255#M311137 Jouni Forss 2013-10-11T12:55:44Z https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315256#M311138 <HTML><HEAD></HEAD><BODY><P>Hi Jouni,</P><P></P><P>Thanks for helping again,</P><P></P><P>Looks like i'm getting the same problem.</P><P></P><P></P><P>ciscoasa# show run access-list</P><P>access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B</P><P>access-list OUTSIDE-IN extended permit ip any object SERVER01</P><P>ciscoasa#</P><P></P><P>ciscoasa# show run access-group</P><P>access-group OUTSIDE-IN in interface outside</P><P>ciscoasa#</P><P></P><P></P><P></P><P>ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 <STRONG style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">MY-SERVER01-PUBLIC-IP </STRONG>12345</P><P></P><P></P><P>Phase: 1</P><P>Type: UN-NAT</P><P>Subtype: static</P><P>Result: ALLOW</P><P>Config:</P><P>object network SERVER01</P><P> nat (inside,outside) static <STRONG style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">MY-SERVER01-PUBLIC-IP</STRONG></P><P>Additional Information:</P><P>NAT divert to egress interface inside</P><P>Untranslate <STRONG style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">MY-SERVER01-PUBLIC-IP</STRONG>/12345 to 1.1.1.2/12345</P><P></P><P></P><P>Phase: 2</P><P>Type: ACCESS-LIST</P><P>Subtype:</P><P>Result: DROP</P><P>Config:</P><P>Implicit Rule</P><P>Additional Information:</P><P></P><P></P><P>Result:</P><P>input-interface: outside</P><P>input-status: up</P><P>input-line-status: up</P><P>output-interface: inside</P><P>output-status: up</P><P>output-line-status: up</P><P>Action: drop</P><P>Drop-reason: (acl-drop) Flow is denied by configured rule</P></BODY></HTML> Fri, 11 Oct 2013 13:45:21 GMT https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315256#M311138 pl.mailloux 2013-10-11T13:45:21Z https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315257#M311139 <HTML><HEAD></HEAD><BODY><P>After a system reload on the ASA, I'm now able to access the server from outside.</P><P></P><P>Thanks <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Fri, 11 Oct 2013 14:49:23 GMT https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315257#M311139 pl.mailloux 2013-10-11T14:49:23Z https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315258#M311140 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Glad to hear its working. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>I was scratching my head here wondering what I am missing since I see no reason for it to block the traffic.</P><P></P><P>- Jouni</P></BODY></HTML> Fri, 11 Oct 2013 14:51:29 GMT https://community.cisco.com/t5/network-security/open-ports-problem-asa5505/m-p/2315258#M311140 Jouni Forss 2013-10-11T14:51:29Z