01-14-2015 08:23 PM - edited 03-11-2019 10:20 PM
I am trying to allow outside access to a piece of equipment behind our ASA 5505. The equipment has an internal IP like 10.x.x.x. I have placed the following in the ASA but it does not appear to work correctly. I am checking by Telnet to the public IP and port number (10001).
(x.x.x.x) is a static public address
name 10.0.x.x VEEDER
access-list outside_access_in extended permit tcp any host x.x.x.x eq www
access-list outside_access_in extended permit tcp any host x.x.x.x eq https
access-list outside_access_in extended permit tcp any host x.x.x.x eq 10001
access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh
access-list outside_access_in extended permit udp any host x.x.x.x eq 10001
access-list outside_cryptomap extended permit ip 10.x.x.x 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface www VEEDER www netmask 255.255.255.255
static (inside,outside) tcp interface https VEEDER https netmask 255.255.255.255
static (inside,outside) tcp interface ssh VEEDER ssh netmask 255.255.255.255
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
static (inside,outside) udp interface 10001 VEEDER 10001 netmask 255.255.255.255
Thanks for any help, and let me know if you need more info. I am somewhat good at inputting these statements; I just don't thoroughly understand what they mean.
Chris
01-15-2015 12:06 AM
Hi,
I sometimes forget the ACL portion in the older software. What I mean is that since you are using the actual interface IP address of "outside" as your public IP address in the NAT configurations, you might need to change the "host x.x.x.x" portion in the ACL "outside_access_in" to "interface outside". Then try the connections again.
Just to be on the safe side you could also check that the ACL is actually attached to the interface "outside" with this command
show run access-group
You could also use the "packet-tracer" command to test if all the configurations are correct on the ASA.
packet-tracer input outside tcp 8.8.8.8 12345 <public ip> 10001
And copy/paste the full output here. Remember to change the public IP address(es) before you post though.
Hope this helps :)
- Jouni
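As an added example (not part of the thread, and not the original poster's configuration), here is what the port-forward and its ACL look like in the pre-8.3 ASA syntax the thread uses when the translation lives on the outside interface address. The "interface" keyword stands in for "host x.x.x.x" on its own; it is not prefixed with "host". The network 203.0.113.0/24 is an assumption standing in for whatever remote site legitimately needs to reach the device; the name VEEDER and port 10001 are taken from the thread.

```text
! Added example; comment lines are for the reader, not part of the config.
! Static PAT on the outside interface address, as in the thread.
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
static (inside,outside) udp interface 10001 VEEDER 10001 netmask 255.255.255.255
!
! ACL written against the interface address rather than "host x.x.x.x".
! Wide open, equivalent to the thread's "any" source:
access-list outside_access_in extended permit tcp any interface outside eq 10001
access-list outside_access_in extended permit udp any interface outside eq 10001
!
! Tighter alternative: only the network that actually needs the port
! (203.0.113.0/24 is an assumed placeholder; replace with the real source).
access-list outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 interface outside eq 10001
access-list outside_access_in extended permit udp 203.0.113.0 255.255.255.0 interface outside eq 10001
!
! Keep only one of the two styles above per port; the first matching line wins.
access-group outside_access_in in interface outside
```

After applying it, "show run access-group" confirms the ACL is bound to the outside interface, and a packet-tracer run from an address inside the permitted range (for example "packet-tracer input outside tcp 203.0.113.10 12345 <public ip> 10001", with the real public IP) should end in "Action: allow", while the same run from an address outside that range should end in a drop at the ACCESS-LIST phase if the tighter lines are in use.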
01-15-2015 08:43 AM
Jouni,
Thanks for responding. I have tried changing the "host x.x.x.x" portion in the ACL "outside_access_in" to "interface outside" and it did not connect. It would say invalid marker.
I have posted the packet-tracer output below, based on my statements above in the ASA. Maybe you can see an issue.
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
match tcp inside host VEEDER eq 10001 outside any
static translation to X.X.X.X/10001
translate_hits = 0, untranslate_hits = 4
Additional Information:
NAT divert to egress interface inside
Untranslate X.X.X.X/10001 to VEEDER/10001 using netmask 255.255.255.255
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host X.X.X.X eq 10001
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 10001 VEEDER 10001 netmask 255.255.255.255
match tcp inside host VEEDER eq 10001 outside any
static translation to X.X.X.X/10001
translate_hits = 0, untranslate_hits = 4
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface www VEEDER www netmask 255.255.255.255
match tcp inside host VEEDER eq 80 outside any
static translation to X.X.X.X/80
translate_hits = 0, untranslate_hits = 1
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 46155, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow