topic Allowing Netbios 137/138 through ASA in Network Security

Allowing Netbios 137/138 through ASA

jonesm111 — Mon, 11 Mar 2019 23:52:47 GMT

Hello,

I've recently had to move an AS400 system behind an internal ASA firewall and now users are unable to browse to it.

The ASA is running Version 8.2(5)

I get these messages:

Sep 11 2012 17:09:59: %ASA-7-710005: UDP request discarded from 172.19.241.35/137 to outside:172.19.241.255/137

Is there a way to enable these ports without enabling NAT?

No VPN's involved, just an inside and outside eth interfaces

--Mike

Allowing Netbios 137/138 through ASA

Julio Carvajal — Tue, 11 Sep 2012 17:41:29 GMT

Hello Mike,

Can you share your configuration please,

Regards,

Julio

Allowing Netbios 137/138 through ASA

gurpsin2 — Tue, 11 Sep 2012 17:57:06 GMT

Hey Mike,

NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.

Link-

http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/inspect_overview.html

Have you enabled "inspect netbios" on ASA?

Regards

Gurpreet

Allowing Netbios 137/138 through ASA

jonesm111 — Tue, 11 Sep 2012 18:09:10 GMT

Hi Julio,

Config pasted below..

@Gurpreet - I see that:

NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.

I do not know how to Nat these ports though, is it through the fixup protocol?

ASA Version 8.2(5)

hostname fw-us-leb-001

domain-name na.lan

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 172.19.241.250 255.255.255.0

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 172.19.242.1 255.255.255.224

interface Ethernet0/2

no nameif

no security-level

interface Ethernet0/3

shutdown

no nameif

no security-level

interface Management0/0

speed 100

duplex full

nameif management

security-level 100

ip address 172.30.240.51 255.255.255.248

management-only

ftp mode passive

dns server-group DefaultDNS

domain-name na.lan

access-list OUTSIDE-inbound extended permit ip any host 172.19.242.2

access-list OUTSIDE-inbound extended permit ip any any

access-list OUTSIDE-inbound extended permit icmp any host 172.19.242.5 echo

access-list OUTSIDE-outbound extended permit ip any any

access-list OUTSIDE-outbound extended permit tcp any any eq 3389

access-list OUTSIDE-outbound extended permit tcp any any eq www

access-list OUTSIDE-outbound extended permit tcp any any eq https

access-list OUTSIDE-outbound extended permit tcp any any eq ftp-data

access-list OUTSIDE-outbound extended permit udp host 172.19.242.5 any eq 50

access-list OUTSIDE-outbound extended permit udp any any eq ntp

access-list OUTSIDE-outbound extended permit udp any any eq tftp

access-list OUTSIDE-outbound extended permit tcp any any eq ftp

access-list OUTSIDE-outbound extended permit tcp any any eq domain

access-list OUTSIDE-outbound extended permit tcp any any eq ssh

access-list OUTSIDE-outbound extended permit tcp any any eq smtp

access-list OUTSIDE-outbound extended permit ip any host 172.19.156.137

access-list OUTSIDE-outbound extended permit ip any host 172.19.156.138

access-list OUTSIDE-outbound extended permit ip any host 172.19.157.4

access-list OUTSIDE-outbound extended permit ip any host 172.19.157.5

access-list OUTSIDE-outbound extended permit ip any host 172.19.157.12

access-list OUTSIDE-outbound extended permit ip any host 172.19.157.128

access-list OUTSIDE-outbound extended permit ip any host 172.19.157.194

access-list OUTSIDE-outbound extended permit udp any host 172.19.157.9 eq 12345

access-list OUTSIDE-outbound extended permit tcp any host 172.19.157.9 eq 12345

access-list OUTSIDE-outbound extended permit icmp any any time-exceeded

access-list OUTSIDE-outbound extended permit icmp any any unreachable

access-list OUTSIDE-outbound extended permit icmp any any source-quench

access-list OUTSIDE-outbound extended permit icmp any any echo-reply

access-list OUTSIDE-outbound extended deny ip any any

access-list testcap extended permit tcp any any

access-list testcap extended permit udp any any

access-list testcapinside extended permit tcp any any

access-list testcapinside extended permit udp any any

access-list testcapinside extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging monitor informational

logging buffered debugging

logging trap informational

logging history errors

logging facility 22

logging host management 172.30.240.253

mtu outside 1500

mtu inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any echo-reply outside

icmp permit any unreachable outside

icmp permit any echo-reply management

icmp permit any management

no asdm history enable

arp timeout 14400

access-group OUTSIDE-inbound in interface outside

access-group OUTSIDE-outbound out interface outside

route outside 0.0.0.0 0.0.0.0 172.19.241.254 1

route management 172.30.0.0 255.255.0.0 172.30.240.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (management) host 172.30.36.200

timeout 15

key *****

aaa-server TACACS+ (management) host 172.30.36.10

timeout 15

key *****

aaa-server RADIUS protocol radius

aaa authentication enable console TACACS+ LOCAL

aaa authentication telnet console TACACS+ LOCAL

aaa authentication serial console TACACS+ LOCAL

aaa authentication ssh console TACACS+ LOCAL

aaa authorization command LOCAL

snmp-server host management 172.30.240.158 community *****

snmp-server host management 172.30.36.12 community *****

snmp-server host management 172.30.36.195 community *****

snmp-server host management 172.30.36.201 community *****

snmp-server host management 172.30.36.9 poll community *****

snmp-server host management 172.30.38.5 community *****

snmp-server host management 172.30.38.6 community *****

snmp-server host management 172.30.38.7 community *****

snmp-server location Infineon Technologies NA Corp., Milpitas CA 95035 640 N McCarthy Blvd

snmp-server contact Infineon NOC-KLU, Phone +43-51777-4444, email NOC-KLU@infineon.com

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 172.30.0.0 255.255.0.0 management

ssh timeout 30

console timeout 0

management-access management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 172.30.240.253 key 3725 source management

ntp server 172.30.36.125 source management

tftp-server management 172.30.240.158 /

ssl encryption des-sha1 rc4-md5

username nocna password k63UhvskWqNEcomX encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:18b6d78f5aa4d43bc28ff101ecdc5c1c

: end

[OK]

fw-us-leb-001(config)#

Allowing Netbios 137/138 through ASA

Julio Carvajal — Tue, 11 Sep 2012 19:05:49 GMT

Hello Jones,

You already have the netbios protocol inspection,

What you are missing is the NAT.

Sep 11 2012 17:09:59: %ASA-7-710005: UDP request discarded from 172.19.241.35/137 to outside:172.19.241.255/137

In this log both of the users are on the same subnet and actually the traffic is going to the broadcast address of the outside interface.

My question is, what is the traffic that is supposed to be allowed ( I know is Netbios) but will the traffic only be innitiatted from the inside interface to the outside interface?

Remember to rate all the post, for us that is more important that a thanks

Re: Allowing Netbios 137/138 through ASA

jonesm111 — Tue, 11 Sep 2012 19:42:41 GMT

The traffic is initiated from the outside

If I turn off Netbios inspection, will that allow the netbios traffic through the firewall? If so, how do I do that.

If Nat will resolve this, what do I have to NAT? My server ip address ? because that could complicate things much more..

Allowing Netbios 137/138 through ASA

gurpsin2 — Tue, 11 Sep 2012 20:04:52 GMT

Hi Jones,

NetBIOS inspection is enabled by default. The NetBios inspection engine translates IP addresses in the NetBios name service (NBNS) packets according to the ASA NAT configuration.

If you do not wish to configure nat for server to prevent further issues, you can try to play with the layer 7 inspection map on ASA for netbios inspection and allow it to just log the packest instead of dropping them(since, they will be dropped by default if there is no nat configured):

policy-map type inspect netbios NBS

paramaters

protocol-violation action log

policy-map global-policy

class inspection_default

no inspect netbios

inspect netbios NBS

Link-

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html

Let me know if it works

Regards

Gurpreet

Re: Allowing Netbios 137/138 through ASA

jonesm111 — Tue, 11 Sep 2012 20:19:34 GMT

That didnt work..

fw-us-leb-001(config-pmap)# parameters

fw-us-leb-001(config-pmap-p)# protocol-violation action log

fw-us-leb-001(config-pmap-p)# exi

fw-us-leb-001(config-pmap)# exi

fw-us-leb-001(config)# policy-map global-policy

fw-us-leb-001(config-pmap)# class inspection_default

fw-us-leb-001(config-pmap-c)# no inspect netbios

ERROR: Inspection not installed or parameters do not match <--- didnt like this

fw-us-leb-001(config-pmap-c)# inspect netbios NBS

fw-us-leb-001(config-pmap-c)#

Still getting:

Sep 11 2012 20:18:51: %ASA-7-710005: UDP request discarded from 172.19.241.246/1230 to outside:255.255.255.255/123

Sep 11 2012 20:19:04: %ASA-7-710005: UDP request discarded from 172.19.241.39/138 to outside:172.19.241.255/138

Allowing Netbios 137/138 through ASA

gurpsin2 — Tue, 11 Sep 2012 20:31:37 GMT

hey Jones,

Without removing "inspect netbios" from inspection_default class, we cannot add "inspect netbios NBS" under global-policy.

Make sure, following config is used:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

no inspect netbios

inspect netbios NBS

Let me know if you still face any issues.

Regards

Gurpreet

Re: Allowing Netbios 137/138 through ASA

jonesm111 — Tue, 11 Sep 2012 20:45:16 GMT

Ok, the commands took but looks like its still discarding netbios packets..

Sep 11 2012 20:42:57: %ASA-7-710005: UDP request discarded from 172.19.241.1/137 to outside:172.19.241.255/137

Sep 11 2012 20:42:58: %ASA-7-710005: UDP request discarded from 172.19.241.1/137 to outside:172.19.241.255/137

Sep 11 2012 20:42:59: %ASA-7-710005: UDP request discarded from 172.19.241.246/1230 to outside:255.255.255.255/123

Sep 11 2012 20:43:06: %ASA-7-710005: UDP request discarded from 172.19.241.39/138 to outside:172.19.241.255/138

Allowing Netbios 137/138 through ASA

Julio Carvajal — Tue, 11 Sep 2012 20:49:34 GMT

Hello Jones,

Do you have nat control enabled????

If yes you will need a NAT, if not the only thing you need is an ACL as traffic is comming from a lower security level interface to a higher.

Regards,

Julio

Allowing Netbios 137/138 through ASA

jonesm111 — Wed, 12 Sep 2012 20:34:35 GMT

I do not think "Nat Control" is enabled, how can I check?

Allowing Netbios 137/138 through ASA

Julio Carvajal — Wed, 12 Sep 2012 20:46:32 GMT

Hello Jones,

Show run nat-control

Also If traffic is going from out to in it needs to be allow on the outside ACL....

Any other question.... Let me Know.. Just remember to rate all of my answers.

Julio