ASA 5505: passing port through

I have an ASA 5505 that I want to use in lieu of a tired old MS ISA Server. I have, as a public address, 10.1.1.210 for network 10.1.1.0/24.

I have on the private side 10.150.8.4 255.255.255.248 with network DG 10.150.8.254. I need to allow TCP port 300 in and out and UDP port 300 in and out.

I can ping both the default gateway and the host on the public side (10.1.1.200), but the application program (a financial app), which requires port 300 at both sides of the interface, will not work.

I feel I am missing something fundamental here. I set up the ISA server (on Windows 2000, no less, about 8 years ago), but I can't set up the ASA 5505, even though I have eight VPNs using the same, running to an ASA 5510, all of which I set up.

My IPv4 rules (that is all that's used here) 1, 2, and 3 inside are (using the graphic firewall rules section):

          Source   Destination           Service   Action
          any      outside-network/24    tcp       Permit
          any      outside-network/24    udp       Permit
          any      outside-network/24    ip        Permit
          any      any                   ip        Deny

and outside:

          Source   Destination           Service   Action
          any      any                   tcp       Permit
          any      any                   udp       Permit
          any      inside-network/21     ip        Permit
          any      any                   ip        Deny

The CLI reads (for the ACL)

access-list TCP_300 extended permit tcp any eq 300 any

access-list UDP_300 extended permit udp any eq 300 any

access-list outside_access_in extended permit tcp any any

access-list outside_access_in extended permit udp any any

access-list outside_access_in extended permit ip any 10.15.8.0 255.255.248.0

access-list inside_access_in extended permit tcp any 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit udp any 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit ip any 10.1.1.0 255.255.255.0

I would think this would render the firewall absolutely wide open, but apparently not.

Any help would be appreciated.

Larry Thompson

5 Replies

Jouni Forss
VIP Alumni

Hi,

I would first need to clarify a few things.

Is there some server/host on your LAN that needs to be accessed on port TCP/300 and UDP/300 or is it rather that some host on your LAN uses this as the destination port towards some external host?

Is this firewall directly on the edge of the Internet and have a public IP address itself?

What is the software level of the ASA?

- Jouni

The ASA version is 8.2(5)

The host is a SAMBA/AIX machine (works fine with the present firewall) at address 10.1.1.200; they are the only two devices on the "PUBLIC" side.

The PRIVATE side goes into a Cisco VPN router (10.150.8.254) and to the IP addresses it routes to.

Basically it is a Home Banking program where initial contact is made (from the Private Side), some questions are answered at the Private Side host, and then it is to pull up the data from the SAMBA/AIX device. This is where it fails, and I am not altogether sure that there isn't another port or set of ports required.

I have examined my ISA server, and most ports opened are the typical ones. I should think that the NetBIOS stuff would be irrelevant (shows what I get for thinking). The rules are basically allow all. If I could get the ASA to do that, then I could winnow it down (perhaps).

Hope this helps, thanks for your time.

Larry Thompson

Hi,

Would it be possible to see the current ASA configurations?

Is there any need to perform NAT between these 2 ASA interfaces (Private / Public)?

- Jouni

Here is the config:

Result of the command: "sho config"

: Saved

: Written by enable_15 at 19:32:30.659 CDT Wed Aug 27 2008

!

ASA Version 8.2(5)

!

hostname Home-Banking

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.150.8.4 255.255.248.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.1.1.210 255.255.255.0

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

access-list TCP_300 extended permit tcp any eq 300 any

access-list UDP_300 extended permit udp any eq 300 any

access-list outside_access_in extended permit tcp any any

access-list outside_access_in extended permit udp any any

access-list outside_access_in extended permit ip any 10.150.8.0 255.255.248.0

access-list inside_access_in extended permit tcp any 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit udp any 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit ip any 10.1.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route inside 0.0.0.0 0.0.0.0 10.150.8.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.1.1.0 255.255.255.0 outside

http 10.150.8.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:2c2400e3cbcf5bc18a273f4ef46942d9

They do NAT (so does the ISA server, I believe); perhaps it just routes? It is dual-homed, as is the ASA.

Hi,

So the next thing to determine is: are there ANY connections that need to be opened specifically from the "outside" network towards the "inside", OR are ALL connections initiated from the "inside"?

At the moment the NAT configuration only holds a Dynamic PAT from "inside" to "outside". Together with the ACL configurations it means that any connections can be formed from "inside" to "outside" without any problems (or should be).

On the other hand, if there were some need to form a connection from "outside" to "inside", I mean initiated from "outside" to "inside", this would fail. This is because the Dynamic PAT configuration only enables one-way connection initiation.

The best way to monitor what happens would probably be, in your case, to use ASDM and its Monitor window to see what connections are getting blocked.

Naturally, if you can say right away that there is some connection that needs to be initiated from "outside" to "inside", it might be as easy as configuring a couple of Static PAT entries.

By the way,

Which one is the correct mask? You have different masks on the "inside" network in your post: one has 10.150.8.0/29 and the other one has 10.150.8.0/21, the bigger network being in the actual configuration. In that case, if the source of the connection were to fall into that network segment, the connections would naturally fail because the return traffic would never make it back.

EDIT: Some typos

- Jouni
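To make the static PAT suggestion above concrete, and to answer the first post's question of why "permit any any" ACLs do not make the box wide open, here is an added example of ASA 8.2(5) configuration. It is not part of the thread and is not something the original poster ran. It assumes the inside host that must be reached on port 300 is 10.150.8.5 (the thread never names it) and scopes the inbound rule to the SAMBA/AIX host 10.1.1.200 rather than leaving "permit tcp any any" in place; the packet-tracer commands verify both directions before the application is retried.

```cisco
! Added example, ASA 8.2(5) syntax. 10.150.8.5 is an ASSUMED inside host;
! substitute the real address of the host that must be reached on port 300.
!
! Static PAT: a connection to the outside interface address on TCP/300 or
! UDP/300 is translated to the inside host. This is the fixed xlate that the
! dynamic PAT (nat/global id 1) alone never creates, which is why an
! outside->inside connection fails today even though the ACL permits it.
static (inside,outside) tcp interface 300 10.150.8.5 300 netmask 255.255.255.255
static (inside,outside) udp interface 300 10.150.8.5 300 netmask 255.255.255.255
!
! Scoped inbound rules. Pre-8.3 ACLs match the MAPPED (outside) address,
! i.e. the interface IP 10.1.1.210, not the inside host. Insert them ahead of
! the existing broad permits, then remove "permit tcp any any" and
! "permit udp any any" once the application is confirmed working.
access-list outside_access_in line 1 extended permit tcp host 10.1.1.200 host 10.1.1.210 eq 300
access-list outside_access_in line 2 extended permit udp host 10.1.1.200 host 10.1.1.210 eq 300
!
! Verify without waiting for the application to fail.
! Inbound: trace from the SAMBA/AIX host to the mapped address and port.
packet-tracer input outside tcp 10.1.1.200 40000 10.1.1.210 300
packet-tracer input outside udp 10.1.1.200 40000 10.1.1.210 300
! Outbound: trace from the inside host; this path uses the dynamic PAT.
packet-tracer input inside tcp 10.150.8.5 40000 10.1.1.200 300
!
! Live evidence while the application is retried.
show xlate
show conn port 300
show asp drop
```

Run the inbound packet-tracer first against the unchanged configuration: it should stop at the NAT phase, which confirms Jouni's point that the dynamic PAT alone blocks outside-initiated connections regardless of the ACLs. If the application only ever connects from the inside, the static entries are unnecessary and "show asp drop" plus the ASDM log will show the real drop reason instead.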
