topic Re: Simple Port Forwarding / ACL Question in Network Security

Simple Port Forwarding / ACL Question

macdady843 — Tue, 12 Mar 2019 00:28:49 GMT

Hi Everyone,

I'm kind of a novice when it comes to Cisco configuration. I went to college for networking but haven't used it enough since graduating and I'm having some trouble with opening some ports for email to my home PC.

Specifically i'm trying to set up IMAP with Gmail to be downloaded to my Mozilla Thunderbird client. I'm using a similar syntax for other ports that i've opened but it isn't working. I also did a "show access list" and saw that one of my rules had hit counts on it but i'm not sure what this means as far as troubleshooting goes.

Can someone lend a hand and explain what i'm doing wrong? If you're feeling extra nice could you let me know what I would need to do to open some Xbox Live ports as well? The rules aren't set up yet but the ports are present in my config. I've bolded the relevant ports below.

*** Config ****

ASA Version 8.2(5)

hostname RyansFirewall

enable password C5OQraC02mISnP8p encrypted

passwd 3mBdM08UO1apR0bB encrypted

names

name 192.168.1.130 theking

name 192.168.1.240 wap

name 192.168.1.252 cam

name 192.168.1.253 switch

name 192.168.1.150 xbox

name x.x.x.x vpnreactor

name x.x.x.x HSoftware

name x.x.x.x Mom_and_Dad

interface Ethernet0/0

description Connection_to_Cable_Modem

switchport access vlan 10

interface Ethernet0/1

description Cisco_Catalyst_2960

interface Ethernet0/2

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

description Guest_Wireless

switchport access vlan 20

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

description Private_Internal_Lan

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

interface Vlan10

description WOW_Internet

nameif outside

security-level 0

ip address dhcp setroute

interface Vlan20

description Guest_Wireless

no forward interface Vlan1

nameif dmz

security-level 30

ip address 172.16.1.254 255.255.255.0

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone Eastern -5

object-group network outside_ip_group

description This group contains a list of allowed public IP Addresses

network-object HSoftware 255.255.255.255

network-object Mom_and_Dad 255.255.255.255

object-group service Xbox_Ports tcp-udp

description Ports needed for Xbox Live

port-object eq www

port-object eq 88

port-object eq domain

port-object eq 3074

object-group service Email_Ports tcp-udp

description Ports needed for Email

port-object eq 143

port-object eq 465

port-object eq 587

port-object eq 993

access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 1024

access-list outside_access_in extended permit tcp any any eq 3389

access-list outside_access_in extended permit tcp any any eq ftp

access-list outside_access_in extended permit gre host vpnreactor host theking

access-list outside_access_in extended permit tcp host vpnreactor host theking eq pptp

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 5900

access-list outside_access_in extended permit tcp any any object-group Email_Ports

access-list outside_access_in extended permit udp any any object-group Email_Ports

pager lines 24

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 access-list outside_access_in

nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255

static (inside,outside) tcp interface ftp theking ftp netmask 255.255.255.255

static (inside,outside) tcp interface 1024 cam 1024 netmask 255.255.255.255

static (inside,outside) tcp interface 5900 theking 5900 netmask 255.255.255.255

static (inside,outside) tcp interface 143 theking 143 netmask 255.255.255.255

static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255

static (inside,outside) tcp interface 587 theking 587 netmask 255.255.255.255

static (inside,outside) tcp interface 993 theking 993 netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh Mom_and_Dad 255.255.255.255 outside

ssh HSoftware 255.255.255.255 outside

ssh timeout 10

console timeout 10

dhcpd address 192.168.1.2-192.168.1.25 inside

dhcpd dns x.x.x.x x.x.x.x interface inside

dhcpd lease 10800 interface inside

dhcpd domain RyanJohn interface inside

dhcpd enable inside

dhcpd address 172.16.1.2-172.16.1.25 dmz

dhcpd dns 8.8.8.8 8.8.4.4 interface dmz

dhcpd domain RyanJohnGuest interface dmz

dhcpd enable dmz

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username XXXXX password ZpRIy72StEDDpdfG encrypted

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect pptp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3c7abf7d5d55aba0e19d5da340132000

: end

*** Show Access List ****

RyansFirewall# show access-list outside_access_in

access-list outside_access_in; 19 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit tcp object-group outside_ip_group any eq 1024 0xf13a69fb

access-list outside_access_in line 1 extended permit tcp host HSoftware any eq 1024 (hitcnt=0) 0xc8c42900

access-list outside_access_in line 1 extended permit tcp host Mom_and_Dad any eq 1024 (hitcnt=0) 0x7e777675

access-list outside_access_in line 2 extended permit tcp any any eq 3389 (hitcnt=7451) 0x51a647d7

access-list outside_access_in line 3 extended permit tcp any any eq ftp (hitcnt=11) 0x8d0d5aac

access-list outside_access_in line 4 extended permit gre host vpnreactor host theking (hitcnt=0) 0x894a4bbb

access-list outside_access_in line 5 extended permit tcp host vpnreactor host theking eq pptp (hitcnt=0) 0xcb0322a8

access-list outside_access_in line 6 extended permit icmp any any echo-reply (hitcnt=563) 0x54b872f3

access-list outside_access_in line 7 extended permit icmp any any time-exceeded (hitcnt=703) 0x03690eb3

access-list outside_access_in line 8 extended permit icmp any any unreachable (hitcnt=7408) 0x5c2fa603

access-list outside_access_in line 9 extended permit tcp object-group outside_ip_group any eq 5900 0xe88875b2

access-list outside_access_in line 9 extended permit tcp host HSoftware any eq 5900 (hitcnt=0) 0x2208e16f

access-list outside_access_in line 9 extended permit tcp host Mom_and_Dad any eq 5900 (hitcnt=0) 0xa3aaaedd

access-list outside_access_in line 10 extended permit tcp any any object-group Email_Ports 0x91529965

access-list outside_access_in line 10 extended permit tcp any any eq imap4 (hitcnt=17) 0x53d153bd

access-list outside_access_in line 10 extended permit tcp any any eq 465 (hitcnt=0) 0x4d992f5e

access-list outside_access_in line 10 extended permit tcp any any eq 587 (hitcnt=0) 0x734d200d

access-list outside_access_in line 10 extended permit tcp any any eq 993 (hitcnt=0) 0xb91930a9

access-list outside_access_in line 11 extended permit udp any any object-group Email_Ports 0xe12dbb9d

access-list outside_access_in line 11 extended permit udp any any eq 143 (hitcnt=0) 0x34d1c49d

access-list outside_access_in line 11 extended permit udp any any eq 465 (hitcnt=0) 0x5cc4b908

access-list outside_access_in line 11 extended permit udp any any eq 587 (hitcnt=0) 0x6e3b53a3

access-list outside_access_in line 11 extended permit udp any any eq 993 (hitcnt=0) 0x7f9dd9b7

Simple Port Forwarding / ACL Question

cadet alain — Tue, 27 Nov 2012 17:52:00 GMT

Hi,

post output of following:

packet-tracer input tcp 8.8.8.8 1024 192.168.1.130 143 detailed

Regards.

Alain

Don't forget to rate helpful posts.

Simple Port Forwarding / ACL Question

macdady843 — Wed, 28 Nov 2012 00:23:09 GMT

Hi, the command you posted didn't exactly work so I entered what seemed correct.

RyansFirewall(config): packet-tracer input outside tcp 8.8.8.8 465 192.168.1.130 465 detailed

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.1.0 255.255.255.0 inside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit object-group Email_Ports any any

object-group service Email_Ports

service-object tcp-udp source eq 143

service-object tcp-udp source eq 465

service-object tcp-udp source eq 587

service-object tcp-udp source eq 993

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7e826e8, priority=12, domain=permit, deny=false

hits=1, user_data=0xd613bf50, cs_id=0x0, flags=0x0, protocol=6

src ip=0.0.0.0, mask=0.0.0.0, port=465

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7de9018, priority=0, domain=inspect-ip-options, deny=true

hits=635, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (outside) 1 access-list outside_access_in

match tcp outside any outside any eq 3389

dynamic translation to pool 1 (Public IP Address [Interface PAT])

translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7e62278, priority=2, domain=host, deny=false

hits=835, user_data=0xd7e61e60, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7debf90, priority=0, domain=host-limit, deny=false

hits=12, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255

match tcp inside host theking eq 465 outside any

static translation to 0.0.0.0/465

translate_hits = 0, untranslate_hits = 2

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd7e79600, priority=5, domain=nat-reverse, deny=false

hits=2, user_data=0xd7e79160, cs_id=0x0, flags=0x0, protocol=6

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=theking, mask=255.255.255.255, port=465, dscp=0x0

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: Simple Port Forwarding / ACL Question

Riyasat Ali — Wed, 28 Nov 2012 12:25:55 GMT

paste the output for the following :-

packet-tracer input outside tcp 8.8.8.8 465 465 detailed

note: outside interface ip you can get via , "sh int ip brief"

Re: Simple Port Forwarding / ACL Question

macdady843 — Wed, 28 Nov 2012 15:14:53 GMT

Hi Riyasat,

Here is the result of the command. I'm a little confused though as it said it passed through although this port is still not open to my inside host.

RyansFirewall# packet-tracer input outside tcp 8.8.8.8 465 Outside_IP 465 detailed

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255

match tcp inside host theking eq 465 outside any

static translation to Outside_IP/465

translate_hits = 0, untranslate_hits = 2

Additional Information:

NAT divert to egress interface inside

Untranslate Outside_IP/465 to theking/465 using netmask 255.255.255.255

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any any eq 465

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd863ac20, priority=12, domain=permit, deny=false

hits=9, user_data=0xd613bd70, cs_id=0x0, flags=0x0, protocol=6

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=465, dscp=0x0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7de9018, priority=0, domain=inspect-ip-options, deny=true

hits=20003, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (outside) 1 access-list outside_access_in

match tcp outside any outside any eq 3389

dynamic translation to pool 1 (Outside_IP [Interface PAT])

translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7e62278, priority=2, domain=host, deny=false

hits=25913, user_data=0xd7e61e60, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7debf90, priority=0, domain=host-limit, deny=false

hits=143, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255

match tcp inside host theking eq 465 outside any

static translation to Outside_IP/465

translate_hits = 0, untranslate_hits = 2

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd7e84380, priority=5, domain=nat-reverse, deny=false

hits=3, user_data=0xd7e58b08, cs_id=0x0, flags=0x0, protocol=6

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=theking, mask=255.255.255.255, port=465, dscp=0x0

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255

match tcp inside host theking eq 3389 outside any

static translation to 0.0.0.0/3389

translate_hits = 0, untranslate_hits = 107

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xd7e70e30, priority=5, domain=host, deny=false

hits=1642, user_data=0xd7e6c678, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=theking, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0xd7d9e160, priority=0, domain=inspect-ip-options, deny=true

hits=30929, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 31012, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Simple Port Forwarding / ACL Question

Jouni Forss — Wed, 28 Nov 2012 15:32:06 GMT

Hi,

The Packet Tracer only test the firewall portion. It shows what happens to different traffic based on what you enter after the "packet-tracer" command.

It doesnt tell anything about the actual host behind the firewall.

One phase of the test states that it matches a permit rule on your firewalls outside interface access-list and shows the access-list rule also.

- Jouni

Re: Simple Port Forwarding / ACL Question

macdady843 — Wed, 28 Nov 2012 16:05:23 GMT

This seems like a simple problem and that something is just being overlooked. I have opened other ports on this PC using the same commands. I don't see why this one is any different. For instance, I have opened RDP access to this computer using:

access-list outside_access_in extended permit tcp any any eq 3389

static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255

So why doesn't the same thing work for port 465? This is my confusion / frustration.

Simple Port Forwarding / ACL Question

lanbrown — Wed, 28 Nov 2012 16:22:13 GMT

Ryan,

For the email portion, you do not use port forwarding. You are trying to access Gmail and the ports required are in use at the far end, the source port that you are coming from is dynamic. If you were hosting an email sever, you would need to use port forwarding.

Issue the following command and past the output:

packet-tracer input inside tcp 192.168.1.10 65532 173.194.69.83 465

Also, do you have WOW Ultra service or just a standard cable modem?

Xbox Live will require port forwarding, but let’s work on one issue at a time here.

Simple Port Forwarding / ACL Question

macdady843 — Wed, 28 Nov 2012 16:53:24 GMT

Thanks for the reply lanbrown,

I am using a regular WOW cable modem with a dynamic ip address. It makes sense what you said about the email part not needing port forwarding, however what do I need to do to get it to communicate? Here is the result of the command that you gave me:

RyansFirewall# packet-tracer input inside tcp 192.168.1.10 65532 173.194.69.83$

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 1 (WOWPublicIP [Interface PAT])

translate_hits = 20557, untranslate_hits = 3331

Additional Information:

Dynamic translate 192.168.1.10/65532 to WOWPublicIP/38166 using netmask 255.255.255.255

Phase: 4

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (outside) 1 access-list outside_access_in

match tcp outside any outside any eq 3389

dynamic translation to pool 1 (WOWPublicIP [Interface PAT])

translate_hits = 0, untranslate_hits = 0

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 33056, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Simple Port Forwarding / ACL Question

macdady843 — Wed, 28 Nov 2012 16:55:30 GMT

Also on a side note, I have been messing around with xbox live ports but haven't really been able to get them to work either. I am trying to remedy the fact that when I do a network test on my xbox I get a "moderate NAT" rating. We can deal with this after the email though like you said.

Simple Port Forwarding / ACL Question

lanbrown — Wed, 28 Nov 2012 17:38:50 GMT

According to the output, it works. Do you have a telnet client on the PC in question? If so, open a telnet session to 173.194.69.83 but instead of port 23 used port 465. If you can create a session (it doesn’t close immediately or you don’t get a timeout) then you did connect to the Gmail server on port 465. That would tell me you have a config issue with the email client.

Do you just have the default permit for the inside access list? To see what is going on, let’s do a capture, you might need to modify to fit your setup.

cap IMAP interface inside match tcp any any eq 465

cap IMAP interface inside real-time match tcp any any eq 465

To see the capture do a show capture IMAP except for the bottom one, it will display the packets as they come in. If you see packets then we need to perform a similar setup but this time on the outside interface. You can also use ASDM to do the capture. I think you are going to find that the issue is with the email client. If you can access the Internet and you have the implicit permit for the inside access-list, then the firewall is going to pass the traffic.

The reason I asked about if you had the Ultra service from WOW, the firmware on the RG is horrendous and has several glaring bugs; ARP and in how the RG handles DMZ mode. Arris who produces it should leave the market if that is what they are going to produce.

Re: Simple Port Forwarding / ACL Question

macdady843 — Wed, 28 Nov 2012 17:54:12 GMT

My capture did not get anything. Also when I telnet I get a timeout. --- scratch that just got the capture to work. The result and result in the command prompt is below:

RyansFirewall# cap IMAP interface inside real-time match tcp any any eq 465

Warning: using this option with a slow console connection may

result in an excessive amount of non-displayed packets

due to performance limitations.

Use ctrl-c to terminate real-time capture

1: 12:53:27.075084 802.1Q vlan#1 P0 192.168.1.130.1192 > 173.194.69.83.465: S 3177691729:3177691729(0) win 64512

2: 12:53:30.121926 802.1Q vlan#1 P0 192.168.1.130.1192 > 173.194.69.83.465: S 3177691729:3177691729(0) win 64512

3: 12:53:36.109705 802.1Q vlan#1 P0 192.168.1.130.1192 > 173.194.69.83.465: S 3177691729:3177691729(0) win 64512

3 packets shown.

0 packets not shown due to performance limitations.

RyansFirewall#

C:\Documents and Settings\Ryan>telnet 173.194.69.83 465

Connecting To 173.194.69.83...Could not open connection to the host, on port 465

: Connect failed

Could you explain what allows an inside port to be open? I'm not well versed in NAT and I thought the static command was allowing it to be open?

Simple Port Forwarding / ACL Question

lanbrown — Wed, 28 Nov 2012 18:28:41 GMT

If you needed to create a NAT for every connection, you would need one for HTTP (80) one for HTTPS (443), etc. On the inside you are masking 192.168.1.0/24 as the egress interface which in this case is the Internet interface IP. The static NAT’s you created are there to take a port on the Internet interface IP and direct it towards an internal host. So that is from outside in, inside out a dynamic NAT would be used; this is the nat (inside) 1 0.0.0.0 0.0.0.0 command you have listed. What allows the port to be opened is a combination of the ACL and the NAT rules (there are others that play a factor, like routing, etc.)

You are trying to connect to port 465 at a remote server, so a static NAT is not needed. Unless you are trying to host an email server, then a static NAT is not necessary.

The packet tracer showed the traffic was allowed but you received a timeout when using a telnet client. Did you specify to use port 465?

Any reason why you have 3389 and ftp wide open to the entire Internet? That is a standard port that gets probed.

Simple Port Forwarding / ACL Question

macdady843 — Wed, 28 Nov 2012 18:35:53 GMT

Yes I did specify to use port 465. I used the command "telnet ipaddress 465". The reason that 3389 and FTP are wide open is that I travel for work and I never know what public IP I will be coming in on when I want to connect to my home PC.

Simple Port Forwarding / ACL Question

macdady843 — Wed, 28 Nov 2012 18:41:19 GMT

I'm pretty much ready to give up at this point. Like you said there's no reason it shouldn't be working and yet I still can't telnet to the ports I desire. Maybe we could switch gears and figure out why my NAT is being rated moderate in xbox live? 🙂

Simple Port Forwarding / ACL Question

lanbrown — Wed, 28 Nov 2012 18:44:36 GMT

I wouldn’t trust certain regions in the world; I would at least use different ports. You could keep them the same on the inside, but on the outside you wouldn’t be connecting to 3389. Ideally you would use different ports (unless you can’t) but also create a list of subnets that can use that service and deny the rest.

From the capture, we did see traffic. Was that traffic from the telnet command? Try the packet tracer command again but instead of 192.168.1.10 use the machine you are trying to get the e-mail client to work on.

Simple Port Forwarding / ACL Question

macdady843 — Wed, 28 Nov 2012 19:00:32 GMT

Yes the capture was from the telnet command. I re-ran the packet tracer to my machine IP address and got the same success result.

Simple Port Forwarding / ACL Question

lanbrown — Wed, 28 Nov 2012 19:09:16 GMT

What OS are you using? Is a software firewall being used on the local machine?

Simple Port Forwarding / ACL Question

macdady843 — Thu, 29 Nov 2012 14:35:22 GMT

I'm using Windows XP and I do have a Zone Alarm software firewall but i've disabled it for purposes of this testing.

Simple Port Forwarding / ACL Question

lanbrown — Thu, 29 Nov 2012 15:19:08 GMT

If the firewall is dropping the traffic for any reason, then this will show us:

cap IMAP type asp-drop all real-time

Perform your IMAP test with your mail client and post the results.