Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2180
Views
11
Helpful
20
Replies

ASA5505 Opening Ports

gmcclana
Level 1
Level 1

‎06-30-2016 11:55 AM - edited ‎03-12-2019 12:58 AM

I have attempted to open three ports on our firewall.  Only when I test the ports using an open port checker tool online, I get a response that the ports are closed.  I'm not understanding why these ports are not getting hits or showing open.  Can someone please tell me what I am missing?

My current configuration is as follows:

: Saved
:
ASA Version 8.2(5) 
!
hostname PC
domain-name .com
enable password XXXXXXX encrypted
passwd XXXXXXX encrypted
names
name 192.168.1.3 Server
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 000.000.000.000 255.255.255.252 
!
regex url4 "twitter.com"
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name  .com
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group network NAS
object-group service Practice-Perfct tcp-udp
 port-object eq 8100
object-group service Practice-Perfect tcp-udp
 port-object eq 8099
object-group service Practice-Perfet tcp-udp
 port-object eq 8102
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.254.254.0 255.255.255.0 
access-list split standard permit 192.168.1.0 255.255.255.0 
access-list http extended permit tcp any any eq www 
access-list http extended permit tcp any host Server eq 3389 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host Server object-group Practice-Perfet 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host Server object-group Practice-Perfct 
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host Server object-group Practice-Perfect 
access-list outside extended permit udp any host Server range 8099 8100 
access-list outside extended permit tcp any host Server range 8099 8100 
access-list outside extended permit tcp any host Server eq 8102 
access-list outside extended permit udp any host Server eq 8102 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteAccess 10.254.254.1-10.254.254.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface 8102 Server 8102 netmask 255.255.255.255 
static (inside,outside) tcp interface 8102 Server 8102 netmask 255.255.255.255 
static (inside,outside) tcp interface 8099 Server 8099 netmask 255.255.255.255 
static (inside,outside) udp interface 8099 Server 8099 netmask 255.255.255.255 
static (inside,outside) tcp interface 8100 Server 8100 netmask 255.255.255.255 
static (inside,outside) udp interface 8100 Server 8100 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 23.25.105.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca server 
 shutdown
 cdp-url http://PRFC.default.domain.invalid/+CSCOCA+/asa_ca.crl
 issuer-name CN=PRFC.default.domain.invalid
 smtp from-address admin@PRFC.default.domain.invalid
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 000.000.000.000 255.255.255.255 outside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 67.159.5.90 source outside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 75.75.75.75 75.75.76.76
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
username PRFC password TGRLBheRPU8ynGyC encrypted privilege 15
username NetInnov password 5v5Z3XEBY7affMrB encrypted privilege 15
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool RemoteAccess
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key *****
!
class-map type regex match-any urlreg
 match regex url4
class-map inspection_default
 match default-inspection-traffic
class-map acl
 match access-list http
class-map type inspect http match-all http_url_policy
 match request header host regex class urlreg
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map type inspect http http_policy
 parameters
 class http_url_policy
  drop-connection
policy-map httpdrop
 class acl
  inspect http http_policy 
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
service-policy httpdrop interface outside
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum
Labels:
0 Helpful
20 Replies 20

Simrid123
Level 1
Level 1
In response to gmcclana

‎07-05-2016 07:35 AM

I would recommend mapping outside_access_in to your outside interface and then try re-running the packet tracer command to see if that helps.

0 Helpful

gmcclana
Level 1
Level 1
In response to Simrid123

‎07-05-2016 07:45 AM

just applied.

access-group outside_access_in in interface outside

No change in port test though.

0 Helpful

gmcclana
Level 1
Level 1
In response to Simrid123

‎07-05-2016 08:47 AM

Simrid,

I changed the access-list outside-access-in to:

access-list outside_access_in line 8 extended permit tcp any any eq 8099 (hitcnt=1) 
access-list outside_access_in line 9 extended permit tcp any any eq 8100 (hitcnt=1) 
access-list outside_access_in line 10 extended permit tcp any any eq 8102 (hitcnt=1) 

As you can see I now am allowing traffic into the network.  I don't however, understand why it would not allow it when the destination was defined as Host 192.168.1.3.

0 Helpful

Simrid123
Level 1
Level 1
In response to gmcclana

‎07-05-2016 08:54 AM

It will be an issue most likely with your NAT's.  In pre-8.4 configuration you need to specify the NAT'd IP address in the ACL, rather than the real IP.  

gmcclana
Level 1
Level 1
In response to Simrid123

‎07-05-2016 07:37 AM

just applied.

access-group outside_access_in in interface outside

No change in port test though.

0 Helpful

gmcclana
Level 1
Level 1

‎07-05-2016 06:37 AM

I also ran the 'sh nat' command and this is the result:

match tcp inside host Server eq 8102 outside any
static translation to xxx.xxx.xxx.xxx/8102
translate_hits = 0, untranslate_hits = 72
match tcp inside host Server eq 8099 outside any
static translation to xxx.xxx.xxx.xxx/8099
translate_hits = 0, untranslate_hits = 40
match udp inside host Server eq 8099 outside any
static translation to xxx.xxx.xxx.xxx/8099
translate_hits = 0, untranslate_hits = 0
match tcp inside host Server eq 8100 outside any
static translation to xxx.xxx.xxx.xxx/8100
translate_hits = 0, untranslate_hits = 42

So, the traffic is making it to the firewall, it's just not getting translated to allow it to pass.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card