topic ASA5505 "outside_access_in" blocking UDP in Network Security

ASA5505 "outside_access_in" blocking UDP

interknox — Mon, 11 Mar 2019 11:50:32 GMT

Greetings all! This is sort of elementary for everyone (and may be silly, once you hear what I'm doing...) but I'm stumped.

Here's what I've got:

- ASA5505

- Xbox LIVE service: 88 UDP & 3074 TCP-UDP

I've searched around these forums and found help, but they were geared more towards the PIX 501. Anyways, here's what I've done:

- setup my xbox to a static IP (192.168.1.200)

- entered a service group with the above mentioned ports for both UDP and TCP

- created 3 NAT rules for those ports to go straight to the Xbox.

- added the xbox to a ACL so that those ports come into the Xbox

What I get, when testing, is this:

4 Jan 18 2008 20:01:18 106023 65.59.234.162 72.12.119.218 Deny udp src outside:65.59.234.162/55619 dst inside:72.12.119.218/3074 by access-group "outside_access_in" [0x0, 0x0]

In the "outside_access_in" group, I have:

1 True any Xbox360 Xbox_LIVE Permit Default

I'm not sure why, but the packets, when coming back inside, are being denied. I'm using ASDM to set this up and I know a lot of you like the command line. If any of you can offer any help, I can run a command using command line and give you any outputs.

Thanks for any help my friends.

Re: ASA5505 "outside_access_in" blocking UDP

acomiskey — Sat, 19 Jan 2008 02:22:00 GMT

post a...

show run nat

show run access-list outside_access_in

Re: ASA5505 "outside_access_in" blocking UDP

interknox — Sat, 19 Jan 2008 02:40:17 GMT

show run nat:

"nat (inside) 1 0.0.0.0 0.0.0.0"

show run access-list outside_access_in:

"access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360"

Thanks!

Re: ASA5505 "outside_access_in" blocking UDP

acomiskey — Sat, 19 Jan 2008 13:55:41 GMT

Sorry I meant show run static. Why don't you just post a sanitized/cleaned config.

show run

Re: ASA5505 "outside_access_in" blocking UDP

interknox — Sat, 19 Jan 2008 14:21:28 GMT

show run static:

static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns

show run:

: Saved

ASA Version 8.0(3)

hostname greylock

domain-name ch.local

enable password RONX1BXdqaFcKwP9 encrypted

names

name 192.168.1.200 Xbox360

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.169 255.255.255.0

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group DSL

ip address pppoe setroute

passwd 2KFQnbNIdI.2KYOU encrypted

boot system disk0:/newstuff/asa803.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 208.67.220.220

domain-name interknox.net

object-group service Xbox_LIVE

service-object udp source eq 88 eq 88

service-object tcp-udp source eq 3074 eq 3074

access-list inside_access_in extended permit ip host Xbox360 any

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360

pager lines 24

logging enable

logging asdm warnings

logging from-address email@interknox.net

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/newstuff/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 3074 Xbox360 3074 netmask 255.255.255.255

static (inside,outside) udp interface 88 Xbox360 88 netmask 255.255.255.255 dns

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 68.152.211.86 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 0.0.0.0 0.0.0.0 outside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

vpdn group DSL request dialout pppoe

vpdn group DSL localname my dsl email

vpdn group DSL ppp authentication pap

vpdn username my email password *********

dhcpd auto_config outside

dhcpd address 192.168.1.125-192.168.1.150 inside

dhcpd dns 208.67.222.222 208.67.220.220 interface inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

ntp server 131.107.13.100 source outside

ntp server 129.6.15.29 source outside

ntp server 129.6.15.28 source outside prefer

username chris password TYGBt4.L24KH1.mU encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:1d79690fe1b4b7246c3a87153b23040b

: end

NOTE: I cut out some of the "interfaces" because of message length restrictions on the forums. Other interfaces aren't in use, FYI.

Thanks again.

Re: ASA5505 "outside_access_in" blocking UDP

acomiskey — Sat, 19 Jan 2008 14:42:09 GMT

Your access list is not correct.

access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360

should be...

access-list outside_access_in extended permit object-group Xbox_LIVE any interface outside

access-list outside_access_in extended permit object-group Xbox_LIVE any host

Re: ASA5505 "outside_access_in" blocking UDP

interknox — Sat, 19 Jan 2008 14:57:53 GMT

Okay, using ASDM, it went from this:

access-list outside_access_in extended permit object-group Xbox_LIVE any host Xbox360

to...

access-list outside_access_in extended permit object-group Xbox_LIVE any any

and it still blocks UDP ports (from log):

4 Jan 19 2008 09:48:27 106023 65.59.234.162 72.12.119.28 Deny udp src outside:65.59.234.162/43971 dst inside:72.12.119.28/3074 by access-group "outside_access_in" [0x0, 0x0]

Re: ASA5505 "outside_access_in" blocking UDP

acomiskey — Sat, 19 Jan 2008 15:07:02 GMT

Do you have the source ip's of xbox live?

Sorry, the Xbox_LIVE object group needs to be the destination port.

access-list outside_access_in extended permit udp any interface outside eq 88

access-list outside_access_in extended permit udp any interface outside eq 3074

access-list outside_access_in extended permit tcp any interface outside eq 3074

Re: ASA5505 "outside_access_in" blocking UDP

interknox — Sat, 19 Jan 2008 15:52:23 GMT

Okay, it's working now and I found that there were 2 problems. One problem ended up being that the Xbox_Live group's ports had the source/destination as the same thing, instead of "default" for the source. For instance, I had:

destination: udp 3074

source: udp 3074

When in fact, Xbox LIVE service doesn't use those ports at the source, so the ACL was blocking it. I changed it do:

destination: udp 3074

source: default

Second, like you said, my outside_access_in group listed my destination as my Xbox360, when in fact that won't work, as that device is using a private IP, behind the firewall.

I changed both these things and it now works like a champ!!!

Thanks again for all your help. I'll be sure to rate/vote whatever for you anytime.

Re: ASA5505 "outside_access_in" blocking UDP

acomiskey — Sat, 19 Jan 2008 17:58:03 GMT

Happy gaming!~