Solved: I am assuming the you want to

Mitchell Tuckness · ‎05-31-2014

Hi all. I have a Cisco 5510 I am learning, but I need some assistance. I have a laptop behind a router behind the ASA5510 that I am trying to allow an application to accept requests on TCP port 11350. I just don't get enough time to bash this stuff into my head (Too many hats). I appreciate the help!

I am using

Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(5)

Can someone point out the steps to allow Port 11350 access to a specific IP? That LAPTOP is IP 192.168.1.20 Subnet 255.255.255.0

Here is my existing config:

ASA5510# show running-config
: Saved
:
ASA Version 9.1(4)
!
hostname ASA5510
domain-name maladomini.int
enable password REDACTED encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd REDACTED encrypted
names
dns-guard
!
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
!
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.XXX.XXX 255.255.255.240
!
interface Ethernet0/2
description DMZ
nameif DMZ
security-level 100
ip address 10.10.0.1 255.255.255.252
!
interface Ethernet0/3
description VOIP
nameif VOIP
security-level 100
ip address 10.10.2.1 255.255.255.252
!
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Inside
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.XXX.X
name-server 205.171.2.65
name-server 205.171.3.65
name-server 8.8.8.8
name-server 8.8.4.4
domain-name maladomini.int
same-security-traffic permit inter-interface
object network ROUTER-2811
host 10.10.1.2
object network ROUTER-2821
host 10.10.0.2
object network WEBCAM-01
host 192.168.1.5
object network DNS-SERVER
host 192.168.1.2
object network ROUTER-3745
host 10.10.2.2
object network RDP-DC1
host 192.168.1.2
object network BLUE
host 192.168.1.2
description Blue Iris Server
object-group network PAT-SOURCE
network-object 10.10.1.0 255.255.255.252
network-object 10.10.0.0 255.255.255.252
network-object 10.10.2.0 255.255.255.252
network-object 192.168.0.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 128.162.1.0 255.255.255.0
network-object 128.162.10.0 255.255.255.0
network-object 128.162.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.20.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
network-object 162.128.1.0 255.255.255.0
network-object 162.128.10.0 255.255.255.0
network-object 162.128.20.0 255.255.255.0
network-object 142.16.1.0 255.255.255.0
network-object 142.16.10.0 255.255.255.0
network-object 142.16.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 98.22.xxx.x
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object gre
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.x interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object RDP-DC1 eq xxxx
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object BLUE eq xxxx
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu DMZ 1500
mtu VOIP 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh XXX
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh XXXX
object network WEBCAM-01
nat (Inside,Outside) static interface service tcp www xxxx
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh XXXX
object network RDP-DC1
nat (Inside,Outside) static interface service tcp xxxx xxxx
object network BLUE
nat (Inside,Outside) static interface service tcp xxxx xxxx
!
nat (any,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 199.195.XXX.XXX 1
route DMZ 128.162.1.0 255.255.255.0 10.10.0.2 1
route DMZ 128.162.10.0 255.255.255.0 10.10.0.2 1
route DMZ 128.162.20.0 255.255.255.0 10.10.0.2 1
route VOIP 142.16.1.0 255.255.255.0 10.10.2.2 1
route VOIP 142.16.10.0 255.255.255.0 10.10.2.2 1
route VOIP 142.16.20.0 255.255.255.0 10.10.2.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.10.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.20.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 98.22.xxx.x 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.xxx.x 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 24.56.178.140 source Outside prefer
username REDACTED password vj4PdtfGNFrB.Ksz encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect pptp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
hpm topN enable
Cryptochecksum:8b44b8e0616a87bd31026b1c6ec06c41
: end

Marius Gunnerud · ‎06-02-2014

I am assuming the you want to allow access from the outside interface to the inside interface (where 1.2.3.4 is the address on the outside interface you want to access 192.168.1.20 from):

access-list Outside_access_in extended permit tcp any host 192.168.1.20 any eq 11350

object network PC
host 192.168.1.20
nat (inside,outside) static 1.2.3.4 service tcp 11350 11350

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎06-02-2014

I am assuming the you want to allow access from the outside interface to the inside interface (where 1.2.3.4 is the address on the outside interface you want to access 192.168.1.20 from):

access-list Outside_access_in extended permit tcp any host 192.168.1.20 any eq 11350

object network PC
host 192.168.1.20
nat (inside,outside) static 1.2.3.4 service tcp 11350 11350

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Mitchell Tuckness · ‎06-02-2014

Thanks, I did everything except use service for the object network! Thanks! Would it be different is I wanted it any to 11350?

Marius Gunnerud · ‎06-02-2014

If you are refering to the second any in the ACL i posted, that is a typo. -- Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Allow TCP Port from outside in