ASA5505 Blocking Port 3101 for Blackberry Server

techinneed
Level 1

Hello all,

I thought I had the configuration to allow bi-directional traffic for my Blackberry server. I have a second fw with the same config and it worked on that one. But right now, my blackberry server is down, and all the users are upset. :-(

Below is my config; can someone help me here? Please.

ASA Version 8.2(2)
!
hostname asa5505
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.0
!
interface Vlan3
shutdown
no forward interface Vlan2
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
speed 100
duplex full
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host X.X.X.X eq smtp
access-list outside_in extended permit tcp any host X.X.X.X eq https
access-list outside_in extended permit tcp any host X.X.X.X eq 3101
access-list outside_in extended permit tcp any host Y.Y.Y.Y eq 3101
access-list nonfat extended permit ip any 10.10.10.0 255.255.255.0
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.8 smtp netmask 255.255.255.255
static (inside,outside) tcp X.X.X.X https 192.168.1.8 https netmask 255.255.255.255
static (inside,outside) tcp Y.Y.Y.Y 3101 192.168.1.7 3101 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.Z 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global-policy
class inspection_default
  inspect icmp
class class-default
!


4 Replies

Julio Carvajal
VIP Alumni

Hello,

static (inside,outside) tcp Y.Y.Y.Y 3101 192.168.1.7 3101 netmask 255.255.255.255

If 192.168.1.7 is the IP address of the Blackberry server, your configuration is good.

Let's do a packet-tracer just to confirm that (the keyword is input, as the command takes the ingress interface):

packet-tracer input outside tcp 4.2.2.2 1025 Y.Y.Y.Y 3101

Share the full output.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you sir. Here you go:

pack input outs tcp 4.2.2.2 1025 'OUTSIDE-If' 3101

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   "Outside-If"   255.255.255.255 identity

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

#

Hello,

What is the ACL configured for inside_access?

Can you do a 'show access-list inside_access_in'?

Regards,

Harish

Hello,

Can you check these lines and make sure they are good (making reference to the right public IP address of that server)?

access-list outside_in extended permit tcp any host X.X.X.X eq 3101

access-list outside_in extended permit tcp any host Y.Y.Y.Y eq 3101

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
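The two answers above both come down to cross-checking the posted config: do the ACLs named in access-group and nat 0 actually exist, and does every public IP/port the outside ACL permits have a static that translates it? The script below is an added example (not from the thread or from Cisco) that runs those checks over an excerpt of the posted config; it assumes X.X.X.X is the outside interface address, so the keyword interface in a static is normalised to it.

```python
import re

# Constructed excerpt of the ASA 8.2 config posted in the thread; X.X.X.X and
# Y.Y.Y.Y are the anonymised public addresses from the original post.
CONFIG = """
access-list outside_in extended permit tcp any host X.X.X.X eq smtp
access-list outside_in extended permit tcp any host X.X.X.X eq https
access-list outside_in extended permit tcp any host X.X.X.X eq 3101
access-list outside_in extended permit tcp any host Y.Y.Y.Y eq 3101
access-list nonfat extended permit ip any 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
static (inside,outside) tcp interface smtp 192.168.1.8 smtp netmask 255.255.255.255
static (inside,outside) tcp X.X.X.X https 192.168.1.8 https netmask 255.255.255.255
static (inside,outside) tcp Y.Y.Y.Y 3101 192.168.1.7 3101 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_in in interface outside
"""

# Only the "permit <proto> any host <ip> eq <port>" form used in the thread is parsed.
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
REF_RE = re.compile(r"^(?:access-group (\S+) in interface|nat \(\S+\) 0 access-list (\S+))")

def lint(config, outside_ip="X.X.X.X"):
    """Return a list of findings: dangling ACL references and ACL permits with no static."""
    acl_names, permits, statics, refs, findings = set(), set(), set(), [], []
    for line in config.strip().splitlines():
        if line.startswith("access-list "):
            acl_names.add(line.split()[1])
        if m := ACL_RE.match(line):
            permits.add((m.group(2), m.group(3), m.group(4)))   # (proto, public ip, port)
        if m := STATIC_RE.match(line):
            pub = outside_ip if m.group(2) == "interface" else m.group(2)
            statics.add((m.group(1), pub, m.group(3)))          # (proto, public ip, port)
        if m := REF_RE.match(line):
            refs.append(m.group(1) or m.group(2))
    for name in refs:                      # access-group / nat 0 pointing at a missing ACL
        if name not in acl_names:
            findings.append(f"referenced ACL '{name}' is not defined")
    for proto, ip, port in sorted(permits):  # permitted inbound, but nothing translates it
        if (proto, ip, port) not in statics:
            findings.append(f"ACL permits {proto}/{port} to {ip} but no static translates it")
    return findings

if __name__ == "__main__":
    for f in lint(CONFIG):
        print(f)
```

On this config it reports the nonat/nonfat name mismatch, the undefined inside_access_in, and the permit for 3101 to X.X.X.X with no matching static, which is the address the packet-tracer above was aimed at rather than Y.Y.Y.Y.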