ASA 5505 Open ports are keep closing after some interval.

nescody
Level 1

I configured the ports as below. This allows connections for some time, and then the ports are closed without any change in the configuration. The ports might be open after a reboot, and then they are closed again... Please help!!

object network 192.168.4.71-SSH
host 192.168.4.71
object network 192.168.4.71-443
host 192.168.4.71

access-list Outside-in extended permit tcp any host 192.168.4.71 eq www
access-list Outside-in extended permit tcp any host 192.168.4.71 eq ssh
access-list Outside-in extended permit tcp any host 192.168.4.71 eq https

object network INSIDE-LAN
nat (inside,outside) dynamic interface
object network 192.168.4.71-80
nat (inside,outside) static interface service tcp www www
object network 192.168.4.71-SSH
nat (inside,outside) static interface service tcp ssh 6008
object network 192.168.4.71-443
nat (inside,outside) static interface service tcp https https
access-group Outside-in in interface outside

ASA# packet-tracer input outside tcp 8.8.8.8 12345 XX.XX.XX.XX 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 192.168.4.71-80
nat (inside,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate XX.XX.XX.XX/80 to 192.168.4.71/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside-in in interface outside
access-list Outside-in extended permit tcp any host 192.168.4.71 eq www
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network 192.168.4.71-80
nat (inside,outside) static interface service tcp www www
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16624, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
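As an added example that is not part of the original post, a small Python parser for the packet-tracer output above: it splits the trace into phases, keeps each phase's Config lines, and reports the first phase whose Result is not ALLOW, so a trace taken while the port appears closed can be compared against the all-ALLOW trace shown here. The sample input is constructed from the trace above with the ACCESS-LIST result changed to DROP.

```python
import re

# Constructed sample: two phases trimmed from the trace above, ACCESS-LIST set to DROP.
SAMPLE = """Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network 192.168.4.71-80
nat (inside,outside) static interface service tcp www www
Additional Information:

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Outside-in in interface outside
Additional Information:

Result:
Action: drop
"""


def parse_phases(text):
    """One dict per 'Phase:' block: header fields plus the lines under Config:."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Phase:"):
            continue  # the trailing 'Result:' summary is not a phase
        entry = {"config": []}
        section = None  # 'config' or 'additional information' once seen
        for line in lines:
            key, _, value = line.partition(":")
            key = key.strip().lower()
            if key in ("config", "additional information"):
                section = key
            elif section == "config":
                entry["config"].append(line)  # raw config line, no key
            elif key in ("phase", "type", "subtype", "result"):
                entry[key] = value.strip()
        entry["phase"] = int(entry["phase"])
        phases.append(entry)
    return phases

def first_drop(phases):
    """First phase whose Result is not ALLOW, or None when every phase allowed."""
    return next((p for p in phases if p["result"] != "ALLOW"), None)
```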

3 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

How do you identify that the ports are closed? Have your NAT rules stopped working, or do you get different output in packet tracer?

When I check the open port from my site, it shows that the ports are closed.

Connections through the firewall close after an idle time of 1 hour by default. You can change this if you need to keep the connection open longer or indefinitely.

Let's say you want to have a connection open indefinitely for HTTP between your inside subnet and a particular public IP.

(Remember to change the names and IPs as necessary)

! match the traffic whose connections should not time out (destination given as a host, port with eq)
access-list http-notimeout extended permit tcp 172.16.1.0 255.255.255.0 host 8.8.8.8 eq 80
class-map http-cmap
 match access-list http-notimeout
policy-map default-policy
 class http-cmap
  set connection timeout idle 0:0:0
! 0:0:0 disables the idle timeout; the policy only takes effect once applied to an interface
service-policy default-policy interface inside
