ASA with UMI

carchey
Level 1

Hello, I've got an ASA5505 and a Cisco UMI on my home network. I've been told I need to open the following ports:

3478 - UDP

443 - TCP

16384-32766 UDP

123 NTP

5222 TCP/UDP

5111 TCP/UDP

I'm no security wizard. I used the example of port forwarding to the web server in the DMZ as the foundation of my configuration.

I realize that in the DMZ port forward example the requests are initiated from the outside, and in my case the requests are initiated from the inside.

So I'm guessing this is a bit off.

I created a Service Group called UMI_Ports with all the ports listed above and a network object Cisco-UMI using the static address it is assigned, 192.168.1.121.

I created an Access Rule on the outside interface, source any, destination Cisco-UMI, permit, and a NAT Rule UMI-Server, Host, IP 192.168.1.121, type Static, on the outside. I didn't know what to do in the advanced screen so I left it blank. The Web DMZ example only has one protocol (80) so it doesn't exactly fit my case.

Then I created a static route, but I didn't know the ISP GW. What do I put there?

Here's the diagram

UMI (192.168.1.121) --> layer 2 switch ----> ASA inside interface (192.168.1.1) --> ASA outside interface DHCP address provided by ISP.

Any help would be appreciated.

1 Reply

Julio Carvajal
VIP Alumni

Hello Carchey,

Ok so you are going to do port-forwarding with the outside interface of the ASA.

Now you will need to create a static one-to-one for each of those services and one for the range of ports.

And finally you will need to create some ACL rules on the outside allowing the connections on those ports to the internal server (UMI-Server).

The static NAT for the range would look like this:

object-group service Allow_UDP udp

 port-object range 16384 32766

static (inside,outside) udp interface Allow_UDP 192.168.1.121 Allow_UDP netmask 255.255.255.255

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
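The reply above gives the range static only. As an added worked example, not from the thread, here is the complete pre-8.3 (static/global/nat) configuration it describes, covering every port from the question: one static PAT per single port, the RTP range in the object-group form the reply uses, and the outside ACL. Two points a practitioner should know before pasting it in. First, everything the UMI initiates itself (443, 5222, STUN on 3478, RTP, and NTP on 123, which is a client request to a time server) already works through the outbound PAT and the ASA's stateful inspection; the static PATs only matter for connections that arrive unsolicited from the Internet, so only forward what the device really needs to accept. Second, on pre-8.3 images the inbound ACL is evaluated against the mapped (outside) address, which here is a DHCP lease, so the ACL destination is left as any and it is the static lines that decide where a port goes; from 8.3 onward ACLs match the real address and the NAT syntax is different. The interface name Vlan2, the object-group and ACL names, and the 192.168.1.0/24 inside subnet are assumptions. If your image rejects the object-group form on the range static, fall back to one static per port for the ports the device actually needs.

```cisco
! Added example, not from the thread: pre-8.3 syntax for the UMI port forwards.
! Assumed: inside 192.168.1.1/24, outside on DHCP (ASA5505 Vlan2), names are mine.

! Outside interface takes its default route from the DHCP lease (setroute), so
! no manual static route to the ISP gateway is needed.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

! Outbound PAT for everything the UMI starts itself (443, 5222, 3478, RTP, NTP);
! stateful inspection lets the replies back in without any static.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Port lists. object-group service needs the protocol keyword before port-object.
object-group service UMI_TCP tcp
 port-object eq 443
 port-object eq 5222
 port-object eq 5111
object-group service UMI_UDP udp
 port-object eq 3478
 port-object eq 5222
 port-object eq 5111
object-group service UMI_RTP udp
 port-object range 16384 32766

! Static PAT from the outside interface address to the UMI, one line per port.
! "interface" is used because the outside address is dynamic.
static (inside,outside) tcp interface 443 192.168.1.121 443 netmask 255.255.255.255
static (inside,outside) tcp interface 5222 192.168.1.121 5222 netmask 255.255.255.255
static (inside,outside) tcp interface 5111 192.168.1.121 5111 netmask 255.255.255.255
static (inside,outside) udp interface 3478 192.168.1.121 3478 netmask 255.255.255.255
static (inside,outside) udp interface 5222 192.168.1.121 5222 netmask 255.255.255.255
static (inside,outside) udp interface 5111 192.168.1.121 5111 netmask 255.255.255.255
! The RTP range, in the object-group form used in the reply above.
static (inside,outside) udp interface UMI_RTP 192.168.1.121 UMI_RTP netmask 255.255.255.255

! Inbound ACL on the outside interface. Pre-8.3 it is checked against the
! mapped (outside) address, which is a DHCP lease here, so destination is any;
! only the UMI ports are permitted, never "permit ip any any".
access-list OUTSIDE_IN extended permit tcp any any object-group UMI_TCP
access-list OUTSIDE_IN extended permit udp any any object-group UMI_UDP
access-list OUTSIDE_IN extended permit udp any any object-group UMI_RTP
access-group OUTSIDE_IN in interface outside

! Verify: translations exist and the ACL lines accumulate hits when tested
! from the Internet side.
show xlate
show access-list OUTSIDE_IN
```

After applying it, test from outside the network rather than from the inside, since an inside host connecting to the outside address will not traverse the static the same way, and watch show access-list OUTSIDE_IN for hit counts on the intended lines only.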