topic Can't open port on ASA! in Network Security

Can't open port on ASA!

pgmccullough — Mon, 11 Mar 2019 22:51:39 GMT

If anyone thinks they can help, please do, I'm desperately trying to help a company with a short term deadline. Just doing it to help out a friend in a rural area where every CISCO tech contact they had seems to be unavailable (For the last and next week) all at once. I'm tearing my hair out! Here's the current ASA configuration:

------------------------------------------------------------------------

ASA Version 7.2(3)

hostname [top secret!]

domain-name [top secret!]

enable password [top secret!] encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address [top secret!].140 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address [top secret!].11 255.255.255.248

interface Vlan3

shutdown

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd [top secret!] encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name [top secret!]

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip [top secret!] 255.255.255.0 10.0.

8.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 10.0.50.0 255.255.255.24

access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.

6.0 255.255.255.0 – Not in your configuration

access-list outside_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.8

.0 255.255.255.0

access-list tr-remote_splitTunnelAcl standard permit any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit esp any any

access-list outside_access_in extended permit tcp [top secret!] 255.255.255.0 any eq

smtp

access-list outside_2_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.6

.0 255.255.255.0 – Not in your configuration

pager lines 24

logging enable

logging monitor debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool remote-vpn 10.0.50.0-10.0.50.7 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp 10.0.1.201 smtp netmask 255.255.255.2

access-group outside_access_in in interface outside – Not in your configuration

route outside 0.0.0.0 0.0.0.0 [top secret!].9 1 – was [top secret!].194 in you config

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.0.6.0 255.255.255.0 inside – Not in your configuration

http 10.0.8.0 255.255.255.0 inside – Outside in your configuration

http 10.0.1.0 255.255.255.0 inside

http 10.0.50.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac – Not in your configuration

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA – Not in your configuration

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer [top secret!].194

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer [top secret!].162

crypto map outside_map 2 set transform-set ESP-3DES-SHA – Not in your configuration

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.0.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout none

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

nac disable

nac-sq-period 300

nac-reval-period 36000

nac-default-acl none

address-pools none

smartcard-removal-disconnect enable

client-firewall none

client-access-rule none

webvpn

functions url-entry

html-content-filter none

homepage none

keep-alive-ignore 4

http-comp gzip

filter none

url-list none

customization value DfltCustomization

port-forward none

port-forward-name value Application Access

sso-server none

deny-message value Login was successful, but because certain criteria have not

been met or due to some specific group policy, you do not have permission to us

e any of the VPN features. Contact your IT administrator for more information

svc none

svc keep-installer installed

svc keepalive none

svc rekey time none

svc rekey method none

svc dpd-interval client none

svc dpd-interval gateway none

svc compression deflate – Not in your configuration

group-policy tr-remote internal

group-policy tr-remote attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value tr-remote_splitTunnelAcl

group-policy staff-remote internal

group-policy staff-remote attributes

dns-server value 10.0.1.200

vpn-tunnel-protocol IPSec

username remote password [top secret!] encrypted privilege 0

username remote attributes

vpn-group-policy [top secret!]

username [top secret!] password [top secret!] encrypted privilege 0

username [top secret!] attributes

vpn-group-policy tr-remote

tunnel-group [top secret!].194 type ipsec-l2l

tunnel-group [top secret!].194 ipsec-attributes

pre-shared-key *

tunnel-group tr-remote type ipsec-ra

tunnel-group tr-remote general-attributes

address-pool remote-vpn

default-group-policy tr-remote

tunnel-group tr-remote ipsec-attributes

pre-shared-key *

tunnel-group [top secret!].162 type ipsec-l2l

tunnel-group [top secret!].162 ipsec-attributes

pre-shared-key *

tunnel-group staff-remote type ipsec-ra

tunnel-group staff-remote general-attributes

address-pool remote-vpn

default-group-policy [top secret!]

tunnel-group [top secret!] ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:[top secret!]

------------------------------------------------------------------------

an epic thin client is being set up and the company was simply told to (on their Cisco ASA) enable NAT, with external ip xxx.xxx.xxx.14, internal ip 10.0.xx.xx, and open port 8222.

I went in and added this:

static (inside,outside) xxx.xxx.xxx.58 xxx.xxx.xxx.14 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.14 eq 8222

access-group inbound in interface outside

But when we try and run the thin client install, we get an error saying invalid ip/port xxx.xxx.xxx.14/8222.

Please help if you can. I'd be so appreciative. Have already been so thankful for earlier responses.

Can't open port on ASA!

Roman Rodichev — Sat, 07 Apr 2012 15:36:56 GMT

reverse IPs in the static statement

Can't open port on ASA!

pgmccullough — Sat, 07 Apr 2012 15:51:40 GMT

Thanks so much for the quick reply!

Okay, I switched it to

static (inside,outside) xxx.xxx.xxx.14 xxx.xxx.xxx.58 netmask 255.255.255.255

but it didn't appear to make a difference.

Do I need to also change all of the access-list lines to define the xxxxxxx.58 (internal) ip instead of the xxxxxxxxxxxx.14 (external)?

Can't open port on ASA!

pgmccullough — Sat, 07 Apr 2012 17:41:54 GMT

Okay--so the ASA's ip is xxxxxxxxx.11. The external ip that needs to be set up for this is xxxxxxxxxx.14 and point to internal ip xxx.xxx.xxx.58 with port 8222 open.

So originally I had:

static (inside,outside) xxx.xxx.xxx.58 xxx.xxx.xxx.14 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.11 eq 8222

access-group inbound in interface outside

but a commenter on another discussion said that the 14 and 11 needed to match. So I changed to

static (inside,outside) xxx.xxx.xxx.58 xxx.xxx.xxx.14 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.14 eq 8222

access-group inbound in interface outside

Above poster pointed out that static statement needed to be swapped, so it became:

static (inside,outside) xxx.xxx.xxx.14 xxx.xxx.xxx.58 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.14 eq 8222

access-group inbound in interface outside

I am certain that the swapping statics was correct, but it didn't make a difference. I went back and tried to run the epic thin client set up, and still got an invalid ip/port error.

So I went back to having the original instance of pointing from the public IP the thin client will connect to, to the ASA ip. And I went nuclear with permissions: