ACL and NAT for traffic coming -ASA 5506-X - need help

justkarl80 · ‎09-10-2016

Trying to allow traffic from external IPs into the network using certain ports. Requirements are,

555 TCP - Forward traffic to static private IP address (Transmitter)

2001 TCP - Forward traffic to static private IP address (Transmitter)

3000 UDP - Forward traffic to static private IP address (Transmitter)

10000 TCP – Outbound port to be left open

External IPs to be allowed in

86.47.219.23

78.137.179.212

185.5.240.176

185.5.240.177

I am clearly missing something as this isn't working. Any help appreciated.

interface GigabitEthernet1/1
description to WAN
nameif outside
security-level 0
ip address pppoe setroute
!
interface GigabitEthernet1/2
description to LAN
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet1/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa961-lfbff-k8.SPA
ftp mode passive
clock timezone gmt 0
clock summer-time gmt recurring
dns server-group DefaultDNS
domain-name ecbake.lan
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-subnet
subnet 192.168.1.0 255.255.255.0
object service Netwatch
service tcp source eq 555 destination eq 555
object-group network netwatch
network-object host 86.47.219.23
network-object host 78.138.179.212
network-object host 185.5.240.176
network-object host 185.5.240.177
object-group network haas
description bakery equipment
network-object host 193.242.155.112
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp object-group netwatch any eq 555
access-list outside_access_in extended permit tcp object-group netwatch any eq 2001
access-list outside_access_in extended permit udp object-group netwatch any eq 3000
access-list outside_access_in extended permit tcp object-group netwatch any eq 2222
access-list outside_access_in extended permit tcp object-group haas any eq https
access-list outside_access_in extended permit tcp object-group haas any eq www
access-list outside_access_in extended permit udp object-group haas any eq 11444
access-list outside_access_in extended permit tcp object-group haas any eq 11444
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any object-group netwatch
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit object-group TCPUDP object-group netwatch 192.168.1.0 255.255.255.0
access-list inside_access_out remark bakery equipment
access-list inside_access_out extended permit object-group TCPUDP object-group haas 192.168.1.0 255.255.255.0
access-list inside_access_out extended permit tcp object-group netwatch object inside-subnet
access-list inside_access_out extended permit object-group DM_INLINE_PROTOCOL_1 object-group netwatch 192.168.1.0 255.255.255.0
access-list inside_access_out_1 extended permit ip object-group netwatch 192.168.1.0 255.255.255.0
access-list inside_access_out_1 extended permit ip any object-group netwatch
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
object network inside-subnet
nat (inside,outside) dynamic interface
access-group inside_access_out in interface outside
access-group inside_access_out_1 out interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication secure-http-client
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ecbh
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 4048d257
    308201d5 3082013e a0030201 02020440 48d25730 0d06092a 864886f7 0d010105
    0500302f 310d300b 06035504 03130465 63626831 1e301c06 092a8648 86f70d01
    0902160f 65636268 2e656362 616b652e 6c616e30 1e170d31 36303930 39313834
    3033385a 170d3236 30393037 31383430 33385a30 2f310d30 0b060355 04031304
    65636268 311e301c 06092a86 4886f70d 01090216 0f656362 682e6563 62616b65
    2e6c616e 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181
    00ab4552 1b54df1b b9601fb3 8703618d b24af04d 277c4a97 abfec345 a942499c
    6ad5d823 d4c6eb50 3a5a27d5 33e38c1c e3f83ab8 5c12e388 ed806e0d 6941d605
    27444184 1a9dfe3b b34aaeaf e5309fab db6487bc 14ba6484 4f6632df ad59a6f9
    8de234ff f1624109 f862f601 13e28ac1 7a522432 f0e76c33 23707e05 a4d01fb4
    13020301 0001300d 06092a86 4886f70d 01010505 00038181 009e525d 8917352e
    959b77f6 4daf935f 1ff96950 e4932d0b 61c3a08b f15391a0 9e563f13 d9053e40
    6ea2c8ab f5a95501 fb09326c 0a5a2e31 5c758ba9 a3f37fec 78f22ce9 7f4a5a90
    73caf149 c37e49bd 07c42118 32e4416f acdfc6b6 558a1f65 79678290 d2779491
    1b7cb9a6 c2822ba3 cf8b3240 ec9b43a2 2662b734 803e5d97 8b
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 83.70.80.39 255.255.255.255 outside
ssh 192.168.1.254 255.255.255.255 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group Eircom request dialout pppoe
vpdn group Eircom localname eircome@eircom.net
vpdn group Eircom ppp authentication pap
vpdn group Eircome ppp authentication chap
vpdn username 041-9846006 password *****

dhcpd auto_config outside
!
dynamic-access-policy-record DfltAccessPolicy
username admin password HJY5VxYVxHWFQgxd encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:987afef49c1f6dd6a6695c527b3f006c
: end
asdm image disk0:/asdm-761.bin
no asdm history enable

Pawan Raut · ‎09-12-2016

Inside interface has security level 100 and outside has 0 by default low security level to high security level traffic is not allowed in ASA. Kidnly add below command in ASA so that traffic from outside to inside will work

same-security-traffic permit inter-interface

Kindly rate the post and mark as Correct answer if you found this as useful