topic Re: Plex Help in Network Security

Plex Help

jjizzle1985 — Fri, 21 Feb 2020 16:38:09 GMT

Hey Guys;

My friend and i wanna get our plex up and running; but seems to be having an issue with me connecting to my friends plex. Even with all services allows on all interfaces; I'm constantly keep getting this error "Inbound tcp connection denied from ISP/xxxxx to my FriendsWan/23097 flags SYN on interface OUT; and i really don't know why this connection is not allowed on the outside interface when i have all services allowed to just test.

Any idea

%ASA-2-106001: Inbound TCP connection denied from IP_address/port to 
IP_address/port flags tcp_flags on interface interface_name"

Re: Plex Help

Sheraz.Salim — Sun, 06 Jan 2019 20:03:13 GMT

what is plex?

what is setup look like. you try to set up a vpn between friend and you? give us more information in order to help you.

Re: Plex Help

jjizzle1985 — Sun, 06 Jan 2019 20:28:51 GMT

Hello;

Plex is a client-server media player system and software suite comprising two main components. The Plex Media Server desktop application runs on Windows, macOS and Linux-compatibles including some types of NAS devices.

Please see my attachment on my setup and yes tried vpn setup and getting the same issue; figure i would try plex to see if im getting the same response which i am and i don't know why.

Here is my Cisco 1900 router setup

version 15.1
service telnet-zeroidle
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
service counters max age 15
no service dhcp
!
hostname R21
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause rootguard
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
!
no ipv6 cef
ip source-route
ip arp gratuitous local
ip arp incomplete retry 1
ip arp incomplete entries 1
ip options drop
ip cef
!
!
!
!
!
no ip bootp server
ip domain lookup source-interface GigabitEthernet0/0
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FTX153581PG
!
!
!
spanning-tree portfast bpduguard
!
redundancy
!
!
!
!
ip tcp ecn
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 5
ip tcp path-mtu-discovery
ip telnet hidden addresses
ip ssh logging events
ip ssh version 2
!
crypto logging session
crypto logging ikev2
!
crypto isakmp policy 30
encr aes 256
hash sha256
authentication pre-share
group 2
lifetime 15000
crypto isakmp key test123 address 24.211.211.241
!
!
crypto ipsec transform-set D@Link esp-aes esp-sha-hmac
!
!
crypto map ZebJJ 20 ipsec-isakmp
description Zeb 2 In-VPN
set peer 24.211.211.241
set security-association lifetime seconds 3644
set transform-set D@Link
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ISP/WAN
ip address dhcp
ip access-group Inbound in
ip helper-address x.x.x.1
ip nat outside
ip nat enable
no ip virtual-reassembly in
ip virtual-reassembly out
duplex full
speed auto
crypto map ZebJJ
!
interface GigabitEthernet0/1
description OUT
ip address x.x.x.5 255.255.255.252
ip access-group Inbound in
ip helper-address 1.1.8.6
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex full
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat log translations syslog
ip nat source list 50 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x 254
ip route 24.211.211.241 255.255.255.255 x.x.x.6

!
ip access-list extended filiter-Inbound
permit icmp any any
permit ip any any
permit udp any any
permit tcp any any
!
access-list 40 permit x.x.x.6
access-list 50 permit x.x.x.6
access-list 100 permit ip any host x.x.x.6
access-list 100 remark VPN
!
no cdp run
!
!
!
!
!
control-plane
!
!
alias exec sa show aliases
alias exec sir show ip route
alias exec s show running-config
alias exec sarp show arp
alias exec stcp show tcp
alias exec sinnt show ip nat nvi translations
alias exec sinns show ip nat nvi statistics
alias exec ssh show ssh
alias exec scisa show crypto isakmp sa
alias exec sl show logging
alias exec sdc show data-corruption
alias exec si show interfaces
alias exec sc show clock
alias exec sp show protocols
alias exec sivr show ip virtual-reassembly
alias exec sii show ip interface
alias exec scm show crypto map
alias exec scipsec show crypto ipsec sa
alias exec scrule show crypto ruleset
alias exec scs show crypto session
alias exec sit show ip traffic
alias exec sis show interfaces summary
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
session-timeout 30
access-class 40 in
exec-timeout 15 0
session-limit 3
login local
transport input ssh
line vty 5 14
session-timeout 30
access-class 40 in
exec-timeout 15 0
session-limit 3
login local
transport input ssh
!
scheduler allocate 20000 1000
end

Here is also my Cisco Asa 5510 setup

ASA Version 8.2(5)58
!
hostname JFW
names
name 69.69.69.0 VpnNet description VpnNet
name 69.69.69.2 VpnRouter description VpnRouter
name 69.69.69.3 VpnSw description VpnSw
name 69.69.69.1 VpnGW description VpnGW
name 24.211.211.241 Zebulon description Zebulon

!
interface Ethernet0/0
description OUT
duplex full
nameif OUT
security-level 0
ip address OutFW 255.255.255.252
!
interface Ethernet0/1
description IN
duplex full
nameif IN
security-level 100
ip address InFw 255.255.255.0
!
interface Ethernet0/2
description Vpn
duplex full
nameif Vpn
security-level 100
ip address VpnGW 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner exec Welcome 2 Da Wall !!!!!!
banner login Welcome 2 Da Wall !!!!!!
banner motd Knowledge Is Power ND Power Is Money !!!!!
banner asdm Welcome 2 Da Wall !!!!!!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup OUT
dns server-group DefaultDNS
name-server InWin
object-group service Domain udp
port-object eq domain
object-group service Mail tcp
port-object eq 993
port-object eq pop2
port-object eq pop3
port-object eq smtp
port-object eq 465
port-object eq imap4
object-group service Net tcp
port-object eq www
port-object eq https
port-object eq 8080
port-object eq 8008
object-group service Time udp
port-object eq ntp
port-object eq time
object-group service Domain2 tcp
port-object eq domain
object-group service Kerberos tcp
port-object eq kerberos
object-group service Addme tcp
port-object eq 8888
object-group service VPN tcp
port-object eq 1194
port-object eq 1701
port-object eq pptp
port-object eq 88
port-object eq 500
object-group service VPN2 udp
port-object eq isakmp
port-object eq 1194
port-object eq 4500
object-group service Mail2 udp
port-object eq 465
port-object eq 587
port-object eq 995
object-group service Phone tcp
port-object eq 5223
port-object eq 5222
port-object eq 5228
object-group service Phone2 udp
port-object eq 16384
port-object eq 16385
port-object eq 16386
object-group service Plex tcp
port-object eq 32400
port-object eq 23097
object-group service FireStick tcp
port-object eq 60000
object-group service PS4 udp
port-object eq 3478
port-object eq 3479
port-object eq 3074
port-object eq 2053
port-object eq 6015
port-object eq 12000
port-object eq 11020
port-object eq 11025
port-object eq 11021
port-object eq 9307
port-object eq 3658
port-object eq 9308
object-group service Playstation tcp
port-object eq 3074
object-group service Tagged tcp
port-object eq 8000
object-group service Tagged2 udp
port-object eq 4001
port-object eq 4002
port-object eq 4004
port-object eq 4007
port-object eq 4009
port-object eq 4010
port-object eq 4003
port-object eq 4005
port-object eq 4006
port-object eq 4008
port-object eq 8000
port-object eq 9700
port-object eq 8913
object-group service Net2 udp
port-object eq 443
port-object eq www
port-object eq 8008
port-object eq 8080
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service Micro udp
port-object eq 3544
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network Internal
description Internal
network-object InNet 255.255.255.0
network-object host InMedia
network-object host InSuSe
network-object host InLinux
network-object host InWin
network-object host InPS4
network-object host InLGTV
network-object host InFw
network-object host InAP
network-object host InSW
network-object host InViso
object-group network Vpn_In
network-object VpnNet 255.255.255.248
network-object host VpnRouter
network-object host VpnSw
network-object host VpnGW
object-group network PplWan
network-object host Zebulon
network-object host CiahWan
network-object host JasonWan
network-object host ReeWan
network-object host MarquitaWan
network-object host DomMaWan
network-object host ParentsWan
network-object host GabrielleWan
network-object host DreWan
object-group service Viso tcp
port-object eq 8883
object-group network DM_INLINE_NETWORK_2
network-object host InLGTV
network-object host InViso
object-group network In-Servers
network-object host InSuSe
network-object host InLinux
network-object host InWin
object-group network DM_INLINE_NETWORK_3
network-object host OUTR21
network-object host OutFW
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object OutNet 255.255.255.252
network-object host OUTR21
network-object host OutFW
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_6
network-object 0.0.0.0 0.0.0.0
network-object InNet 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_4
network-object OutNet 255.255.255.252
network-object host OutFW
object-group network OUT
network-object 0.0.0.0 0.0.0.0
network-object OutNet 255.255.255.252
network-object host OUTR21
network-object host OutFW
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DNSServers
network-object host Level3.Resolve2
network-object host Level3.Resolve
network-object host Google2
network-object host Google
object-group service Time2 tcp
port-object eq daytime
access-list IN_access_in extended permit tcp InNet 255.255.255.0 object-group DM_INLINE_NETWORK_3 eq ssh
access-list IN_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list Out_access_in extended permit icmp any any
access-list Out_access_in extended permit object-group TCPUDP any any
access-list Out_access_in extended permit ip any any
access-list VPN_Internal standard permit VpnNet 255.255.255.248
access-list Vpn_access_in extended deny object-group DM_INLINE_PROTOCOL_4 VpnNet 255.255.255.248 object-group DM_INLINE_NETWORK_6

access-list IN_nat0_outbound_1 extended permit ip host ISP host Zebulon
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging asdm-buffer-size 512
logging console debugging
logging monitor debugging
logging buffered debugging
logging asdm debugging
logging facility 23
logging message 106015 level alerts
logging message 106023 level emergencies
logging message 305006 level informational
logging message 305013 level errors
logging message 305012 level warnings
logging message 305011 level notifications
logging message 400010 level notifications
logging message 400014 level notifications
logging message 302015 level notifications
logging message 302014 level warnings
logging message 302013 level notifications
logging message 304001 level errors
logging message 302016 level warnings
logging message 302021 level warnings
logging message 302020 level notifications
mtu OUT 1500
mtu IN 1500
mtu Vpn 1500
ip local pool Vpn_Internal 69.69.69.4-69.69.69.6 mask 255.255.255.248
ip verify reverse-path interface OUT
ip verify reverse-path interface IN
ip verify reverse-path interface Vpn
ip audit name Info info action alarm
ip audit name Drop attack action drop
ip audit interface OUT Info
ip audit interface OUT Drop
ip audit interface IN Info
ip audit interface IN Drop
ip audit interface Vpn Info
ip audit interface Vpn Drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit InNet 255.255.255.0 IN
asdm history enable
arp timeout 14400
nat-control
global (OUT) 8 interface
nat (IN) 0 access-list IN_nat0_outbound_1
nat (IN) 8 InNet 255.255.255.0
access-group Out_access_in in interface OUT
access-group IN_access_in in interface IN
access-group Vpn_access_in in interface Vpn
route OUT 0.0.0.0 0.0.0.0 OUTR21 1
route OUT Zebulon 255.255.255.255 VpnGW 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 999
http InNet 255.255.255.0 IN
http redirect IN 80
http redirect OUT 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss minimum 48
service resetoutside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 1
ssh scopy enable
ssh InNet 255.255.255.0 IN
ssh timeout 15
console timeout 0
!
dhcpd address 69.69.69.4-69.69.69.6 Vpn
dhcpd lease 21200 interface Vpn
dhcpd domain J-Vpn.Internal.com interface Vpn
dhcpd option 3 ip VpnRouter interface Vpn
dhcpd option 20 hex 01 interface Vpn
dhcpd option 29 hex 01 interface Vpn
dhcpd option 30 hex 01 interface Vpn
dhcpd option 31 hex 01 interface Vpn
dhcpd enable Vpn
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address OutNet 255.255.255.252
threat-detection scanning-threat shun except ip-address InNet 255.255.255.0
threat-detection scanning-threat shun except ip-address VpnNet 255.255.255.248
threat-detection scanning-threat shun duration 300
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 1 burst-rate 214783647 average-rate 214783647
ntp authenticate
ntp server InSuSe source IN prefer
ntp server InLinux source IN
ssl encryption aes128-sha1 aes256-sha1 des-sha1 3des-sha1 rc4-sha1 rc4-md5
webvpn
svc image disk0:/Anyconnect/anyconnect-win-3.1.04072-k9.pkg 1
!
class-map IN-class
match access-list IN_mpc
match default-inspection-traffic
class-map type inspect http match-all asdm_medium_security_methods
match not request method post
match not request method get
match not request method head
class-map type inspect http match-all asdm_high_security_methods
match not request method get
match not request method head
!
!
policy-map type inspect ftp FTP
description FTP
parameters
mask-banner
mask-syst-reply
policy-map type inspect http HTTP
description HTTP
parameters
protocol-violation action drop-connection
class asdm_medium_security_methods
drop-connection
policy-map type inspect dns DNS
parameters
message-length maximum 512
id-randomization
id-mismatch action log
tsig enforced action log
policy-map type inspect netbios Net
parameters
protocol-violation action drop log
policy-map Internal
description Internal
class IN-class
inspect dns DNS
inspect ftp strict FTP
inspect http HTTP
inspect icmp
inspect icmp error
inspect netbios Net
inspect pptp
inspect rsh
inspect tftp
inspect ctiqbe
inspect esmtp
inspect ils
inspect sqlnet
inspect sunrpc
inspect waas
inspect xdmcp
!
service-policy Internal interface IN
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5027b8ea3f81d1d7b770779d78cc51a1
: end

Re: Plex Help

Sheraz.Salim — Sun, 06 Jan 2019 20:54:13 GMT

oh dear. that hell of the config you give us. hold on will take time to look into this.

I only see a vpn config on router nothing on wireless. i guess you firewall is behind this router?

what are the config of your friend router/firewall

Re: Plex Help

jjizzle1985 — Sun, 06 Jan 2019 21:25:46 GMT

Hello;

Yes the config is a bit much; correct only vpn config on router; nothing wireless; and yes my firewall sit behind my router and my friend is just using a standard ISP equipment; nothing cisco like i got it.

Thanks

Re: Plex Help

Sheraz.Salim — Sun, 06 Jan 2019 21:57:05 GMT

your trying to build a site-to-site vpn with your friend. does his router is configured with VPN setting?

Re: Plex Help

jjizzle1985 — Sun, 06 Jan 2019 22:15:30 GMT

Hello;

yes from what i know its enable on his end; but that doesn't make sense on how i can't connect to his plex since that doesn't need vpn. This is weird and strange when i have the correct ports open to use Plex.

Can you see on why i get the same message when connections to plex are trying to be made; please see screen shot

Re: Plex Help

Sheraz.Salim — Sun, 06 Jan 2019 22:36:45 GMT

you need to define a access-list to get this connection permit. as nothing is define in regards to this rule that is why traffic is drop/denied. I see DomMaWan is part of PplWan.

object-group network PplWan
network-object host Zebulon
network-object host CiahWan
network-object host JasonWan
network-object host ReeWan
network-object host MarquitaWan
network-object host DomMaWan
network-object host ParentsWan
network-object host GabrielleWan
network-object host DreWan

Re: Plex Help

jjizzle1985 — Sun, 06 Jan 2019 23:08:41 GMT

Hello;

I have that already define on both interfaces OUT and IN to allow IP, udp, and TCp to pass thru; please see my screen shot on what i have enable on my FW right now

Thanks

Re: Plex Help

Sheraz.Salim — Tue, 08 Jan 2019 16:55:04 GMT

Run a packet tracer command and show us the output. This will let us where is the packet drop.

Thanks