09-11-2012 10:35 AM - edited 03-11-2019 04:52 PM
Hello,
I've recently had to move an AS400 system behind an internal ASA firewall and now users are unable to browse to it.
The ASA is running Version 8.2(5)
I get these messages:
Sep 11 2012 17:09:59: %ASA-7-710005: UDP request discarded from 172.19.241.35/137 to outside:172.19.241.255/137
Is there a way to enable these ports without enabling NAT?
No VPNs involved, just inside and outside eth interfaces.
--Mike
09-11-2012 10:41 AM
Hello Mike,
Can you share your configuration please,
Regards,
Julio
09-11-2012 10:57 AM
Hey Mike,
NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.
Link-
http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/inspect_overview.html
Have you enabled "inspect netbios" on ASA?
Regards
Gurpreet
09-11-2012 11:09 AM
Hi Julio,
Config pasted below.
@Gurpreet - I see that:
NetBIOS is supported by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138.
I do not know how to NAT these ports though; is it through the fixup protocol?
ASA Version 8.2(5)
!
hostname fw-us-leb-001
domain-name na.lan
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 172.19.241.250 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 172.19.242.1 255.255.255.224
!
interface Ethernet0/2
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
speed 100
duplex full
nameif management
security-level 100
ip address 172.30.240.51 255.255.255.248
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name na.lan
access-list OUTSIDE-inbound extended permit ip any host 172.19.242.2
access-list OUTSIDE-inbound extended permit ip any any
access-list OUTSIDE-inbound extended permit icmp any host 172.19.242.5 echo
access-list OUTSIDE-outbound extended permit ip any any
access-list OUTSIDE-outbound extended permit tcp any any eq 3389
access-list OUTSIDE-outbound extended permit tcp any any eq www
access-list OUTSIDE-outbound extended permit tcp any any eq https
access-list OUTSIDE-outbound extended permit tcp any any eq ftp-data
access-list OUTSIDE-outbound extended permit udp host 172.19.242.5 any eq 50
access-list OUTSIDE-outbound extended permit udp any any eq ntp
access-list OUTSIDE-outbound extended permit udp any any eq tftp
access-list OUTSIDE-outbound extended permit tcp any any eq ftp
access-list OUTSIDE-outbound extended permit tcp any any eq domain
access-list OUTSIDE-outbound extended permit tcp any any eq ssh
access-list OUTSIDE-outbound extended permit tcp any any eq smtp
access-list OUTSIDE-outbound extended permit ip any host 172.19.156.137
access-list OUTSIDE-outbound extended permit ip any host 172.19.156.138
access-list OUTSIDE-outbound extended permit ip any host 172.19.157.4
access-list OUTSIDE-outbound extended permit ip any host 172.19.157.5
access-list OUTSIDE-outbound extended permit ip any host 172.19.157.12
access-list OUTSIDE-outbound extended permit ip any host 172.19.157.128
access-list OUTSIDE-outbound extended permit ip any host 172.19.157.194
access-list OUTSIDE-outbound extended permit udp any host 172.19.157.9 eq 12345
access-list OUTSIDE-outbound extended permit tcp any host 172.19.157.9 eq 12345
access-list OUTSIDE-outbound extended permit icmp any any time-exceeded
access-list OUTSIDE-outbound extended permit icmp any any unreachable
access-list OUTSIDE-outbound extended permit icmp any any source-quench
access-list OUTSIDE-outbound extended permit icmp any any echo-reply
access-list OUTSIDE-outbound extended deny ip any any
access-list testcap extended permit tcp any any
access-list testcap extended permit udp any any
access-list testcapinside extended permit tcp any any
access-list testcapinside extended permit udp any any
access-list testcapinside extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging monitor informational
logging buffered debugging
logging trap informational
logging history errors
logging facility 22
logging host management 172.30.240.253
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo-reply management
icmp permit any management
no asdm history enable
arp timeout 14400
access-group OUTSIDE-inbound in interface outside
access-group OUTSIDE-outbound out interface outside
route outside 0.0.0.0 0.0.0.0 172.19.241.254 1
route management 172.30.0.0 255.255.0.0 172.30.240.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 172.30.36.200
timeout 15
key *****
aaa-server TACACS+ (management) host 172.30.36.10
timeout 15
key *****
aaa-server RADIUS protocol radius
aaa authentication enable console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command LOCAL
snmp-server host management 172.30.240.158 community *****
snmp-server host management 172.30.36.12 community *****
snmp-server host management 172.30.36.195 community *****
snmp-server host management 172.30.36.201 community *****
snmp-server host management 172.30.36.9 poll community *****
snmp-server host management 172.30.38.5 community *****
snmp-server host management 172.30.38.6 community *****
snmp-server host management 172.30.38.7 community *****
snmp-server location Infineon Technologies NA Corp., Milpitas CA 95035 640 N McCarthy Blvd
snmp-server contact Infineon NOC-KLU, Phone +43-51777-4444, email NOC-KLU@infineon.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 172.30.0.0 255.255.0.0 management
ssh timeout 30
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.30.240.253 key 3725 source management
ntp server 172.30.36.125 source management
tftp-server management 172.30.240.158 /
ssl encryption des-sha1 rc4-md5
username nocna password k63UhvskWqNEcomX encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:18b6d78f5aa4d43bc28ff101ecdc5c1c
: end
[OK]
fw-us-leb-001(config)#
09-11-2012 12:05 PM
Hello Jones,
You already have the netbios protocol inspection,
What you are missing is the NAT.
Sep 11 2012 17:09:59: %ASA-7-710005: UDP request discarded from 172.19.241.35/137 to outside:172.19.241.255/137
In this log both of the users are on the same subnet and actually the traffic is going to the broadcast address of the outside interface.
My question is, what is the traffic that is supposed to be allowed (I know it is NetBIOS), but will the traffic only be initiated from the inside interface to the outside interface?
Remember to rate all the posts; for us that is more important than a thanks.
09-11-2012 12:42 PM
The traffic is initiated from the outside.
If I turn off NetBIOS inspection, will that allow the NetBIOS traffic through the firewall? If so, how do I do that?
If NAT will resolve this, what do I have to NAT? My server IP address? Because that could complicate things much more.
09-11-2012 01:04 PM
Hi Jones,
NetBIOS inspection is enabled by default. The NetBios inspection engine translates IP addresses in the NetBios name service (NBNS) packets according to the ASA NAT configuration.
If you do not wish to configure NAT for the server to prevent further issues, you can try to play with the layer 7 inspection map on the ASA for NetBIOS inspection and allow it to just log the packets instead of dropping them (since they will be dropped by default if there is no NAT configured):
policy-map type inspect netbios NBS
parameters
protocol-violation action log
!
policy-map global-policy
class inspection_default
no inspect netbios
inspect netbios NBS
Link-
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html
Let me know if it works
Regards
Gurpreet
09-11-2012 01:19 PM
That didn't work.
fw-us-leb-001(config-pmap)# parameters
fw-us-leb-001(config-pmap-p)# protocol-violation action log
fw-us-leb-001(config-pmap-p)# exi
fw-us-leb-001(config-pmap)# exi
fw-us-leb-001(config)# policy-map global-policy
fw-us-leb-001(config-pmap)# class inspection_default
fw-us-leb-001(config-pmap-c)# no inspect netbios
ERROR: Inspection not installed or parameters do not match <--- didn't like this
fw-us-leb-001(config-pmap-c)# inspect netbios NBS
fw-us-leb-001(config-pmap-c)#
Still getting:
Sep 11 2012 20:18:51: %ASA-7-710005: UDP request discarded from 172.19.241.246/1230 to outside:255.255.255.255/123
Sep 11 2012 20:19:04: %ASA-7-710005: UDP request discarded from 172.19.241.39/138 to outside:172.19.241.255/138
09-11-2012 01:31 PM
hey Jones,
Without removing "inspect netbios" from the inspection_default class, we cannot add "inspect netbios NBS" under global_policy.
Make sure the following config is used:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
no inspect netbios
inspect netbios NBS
Let me know if you still face any issues.
Regards
Gurpreet
09-11-2012 01:45 PM
OK, the commands took, but it looks like it's still discarding NetBIOS packets.
Sep 11 2012 20:42:57: %ASA-7-710005: UDP request discarded from 172.19.241.1/137 to outside:172.19.241.255/137
Sep 11 2012 20:42:58: %ASA-7-710005: UDP request discarded from 172.19.241.1/137 to outside:172.19.241.255/137
Sep 11 2012 20:42:59: %ASA-7-710005: UDP request discarded from 172.19.241.246/1230 to outside:255.255.255.255/123
Sep 11 2012 20:43:06: %ASA-7-710005: UDP request discarded from 172.19.241.39/138 to outside:172.19.241.255/138
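To see at a glance what these %ASA-7-710005 discards actually are, here is an added example (not from the thread or from Cisco) that parses the syslog lines quoted above and classifies each one by destination scope and service port. It assumes the outside interface subnet 172.19.241.0/24 from the posted config; the broadcast-vs-unicast split is my own classification, reflecting Julio's point that these packets are addressed to the outside subnet's broadcast address rather than to a host behind the firewall.

```python
import ipaddress
import re
from collections import Counter

# Constructed copy of the syslog lines quoted in the thread.
SAMPLE_LOG = """\
Sep 11 2012 20:42:57: %ASA-7-710005: UDP request discarded from 172.19.241.1/137 to outside:172.19.241.255/137
Sep 11 2012 20:42:58: %ASA-7-710005: UDP request discarded from 172.19.241.1/137 to outside:172.19.241.255/137
Sep 11 2012 20:42:59: %ASA-7-710005: UDP request discarded from 172.19.241.246/1230 to outside:255.255.255.255/123
Sep 11 2012 20:43:06: %ASA-7-710005: UDP request discarded from 172.19.241.39/138 to outside:172.19.241.255/138
"""

# Outside interface subnet taken from the posted config (172.19.241.250/24).
OUTSIDE_NET = ipaddress.ip_network("172.19.241.0/24")

LINE_RE = re.compile(
    r"%ASA-7-710005: (?P<proto>TCP|UDP) request discarded from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Well-known UDP ports seen in the thread: NetBIOS name/datagram service and NTP.
SERVICE = {137: "nbns", 138: "nbds", 123: "ntp"}

def parse_710005(line):
    """Return the fields of one 710005 message as a dict, or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def classify(rec, ifc_net=OUTSIDE_NET):
    """Classify a record as (scope, service).

    A packet sent to the limited broadcast (255.255.255.255) or to the
    interface subnet's directed broadcast terminates at the ASA interface;
    it is not transit traffic, so neither an ACL nor NAT would forward it.
    """
    dst = ipaddress.ip_address(rec["dst"])
    limited = ipaddress.ip_address("255.255.255.255")
    scope = "broadcast" if dst in (limited, ifc_net.broadcast_address) else "unicast"
    return scope, SERVICE.get(rec["dport"], f"udp/{rec['dport']}")

def summarize(log_text):
    """Count discards per (scope, service) over a block of syslog text."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_710005(line)
        if rec:
            counts[classify(rec)] += 1
    return counts

if __name__ == "__main__":
    for (scope, svc), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{scope:9} {svc:6} {n}")
```

Every line in the sample is a broadcast discard, which is why changing the NetBIOS inspection map had no visible effect on them: the unicast traffic from outside users to the AS400 would have to show up with a destination in 172.19.242.0/27 to be governed by the outside ACL or NAT.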
09-11-2012 01:49 PM
Hello Jones,
Do you have nat-control enabled?
If yes, you will need a NAT; if not, the only thing you need is an ACL, as traffic is coming from a lower security level interface to a higher one.
Regards,
Julio
09-12-2012 01:34 PM
I do not think "nat-control" is enabled; how can I check?
09-12-2012 01:46 PM
Hello Jones,
show run nat-control
Also, if traffic is going from out to in, it needs to be allowed on the outside ACL.
Any other question, let me know. Just remember to rate all of my answers.
Julio