cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3445
Views
0
Helpful
25
Replies

ASA5510 Port Question

smitty0375
Level 1
Level 1

Hey guys, I am using an ASA5510 for internal firewalling in my QA environment. How do I allow RDP from one subnet to those protected by the firewall? Preferably using the ASDM. Thanks!!

25 Replies 25

I guess we might have nailed it, you would need to add this acl:

access-list 48_access_out extended permit ip any any

in your config, it is inactive at the moment and that is why the traffic is dropping.

Let me know if we are going in right direction, otherwise another output of packet-tracer

Thanks,

Varun

Thanks,
Varun Rao

Here's another output. So far no worky. Thanks!

Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.48.170 3389 detailed"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.16.48.0      255.255.255.0   48

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd66fe6c8, priority=12, domain=permit, deny=false

    hits=2, user_data=0xd66f6f48, cs_id=0x0, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6bbd568, priority=0, domain=permit-ip-option, deny=true

    hits=3053, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

  match ip inside any 48 any

    dynamic translation to pool 101 (10.16.48.1 [Interface PAT])

    translate_hits = 3, untranslate_hits = 0

Additional Information:

Dynamic translate 10.30.0.23/2345 to 10.16.48.1/48931 using netmask 255.255.255.255

Forward Flow based lookup yields rule:

in  id=0xd6c179c0, priority=1, domain=nat, deny=false

    hits=3, user_data=0xd67b8f60, cs_id=0x0, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 101 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6b5b340, priority=1, domain=host, deny=false

    hits=1639, user_data=0xd6b5b020, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group 48_access_out out interface 48

access-list 48_access_out extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd6b93850, priority=12, domain=permit, deny=false

    hits=1, user_data=0xd6b93810, cs_id=0x0, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xd6c0fe10, priority=0, domain=permit-ip-option, deny=true

    hits=4974, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 11525, packet dispatched to next module

Module information for forward flow ...

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Module information for reverse flow ...

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Phase: 10

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 10.16.48.170 using egress ifc 48

adjacency Active

next-hop mac address 0050.569d.2bfd hits 0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: 48

output-status: up

output-line-status: up

Action: allow

Hello. Success on part of it! I can now remote into a 10.16.48.x machine. Now can someone assist me in adding 10.16.100 and 10.16.101?

Here's my config.

Result of the command: "sh run"

: Saved

:

ASA Version 8.0(5)

!

dns-guard

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 10.0.0.199 255.255.255.0

!

interface Ethernet0/1

nameif 48

security-level 100

ip address 10.16.48.1 255.255.255.0

!

interface Ethernet0/2

nameif 100

security-level 100

ip address 10.16.100.1 255.255.255.0

!

interface Ethernet0/3

nameif 101

security-level 100

ip address 10.16.101.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa805-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name daxko

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any any

access-list 100_access_in extended permit icmp any any

access-list 100_access_in extended permit ip any any

access-list 100_access_in extended permit tcp any any

access-list 100_access_in extended permit udp any any

access-list 48_access_in extended permit icmp any any

access-list 48_access_in extended permit ip any any

access-list 48_access_in extended permit tcp any any

access-list 48_access_in extended permit udp any any

access-list 101_access_in extended permit ip any any

access-list 48_access_out extended permit icmp any any

access-list 48_access_out extended permit ip any any

access-list 48_access_out extended permit tcp any any inactive

access-list 48_access_out extended permit udp any any inactive

access-list 100_access_out extended permit icmp any any

access-list 100_access_out extended permit tcp any any inactive

access-list 100_access_out extended permit udp any any inactive

access-list 100_access_out extended permit ip any any inactive

access-list inside_access_out extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu 48 1500

mtu 100 1500

mtu 101 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

global (48) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

static (48,inside) 10.16.48.0 10.16.48.0 netmask 255.255.255.255

static (100,inside) 10.16.100.0 10.16.100.0 netmask 255.255.255.255

static (101,inside) 10.16.101.0 10.16.101.0 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group 48_access_in in interface 48

access-group 48_access_out out interface 48

access-group 100_access_in in interface 100

access-group 100_access_out out interface 100

access-group 101_access_in in interface 101

route inside 0.0.0.0 0.0.0.0 10.0.0.199 1

route inside 10.2.0.0 255.255.255.0 Gateway 1

route inside 10.10.0.0 255.255.255.0 Gateway 1

route inside 10.30.0.0 255.255.255.0 Gateway 1

route inside 10.31.0.0 255.255.255.0 Gateway 1

route inside 10.32.0.0 255.255.255.0 Gateway 1

route inside 10.33.0.0 255.255.255.0 Gateway 1

route inside 10.34.0.0 255.255.255.0 Gateway 1

route inside 10.252.252.0 255.255.255.0 Gateway 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.32.0.0 255.255.255.0 inside

http 10.30.0.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

client-update enable

telnet 10.30.0.0 255.255.255.0 inside

telnet 10.32.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

  message-length maximum client auto

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:d08113f8d49b927b3a0777acae8c1f45

: end

When I do a packet trace, this is what I get.

Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.100.167 3389 detailed"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.16.100.0     255.255.255.0   100

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd66fe6c8, priority=12, domain=permit, deny=false

    hits=31, user_data=0xd66f6f48, cs_id=0x0, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6bbd568, priority=0, domain=permit-ip-option, deny=true

    hits=4070, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT

Subtype:

Result: DROP

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

  match ip inside any 100 any

    dynamic translation to pool 101 (No matching global)

    translate_hits = 4, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6b5cbd0, priority=1, domain=nat, deny=false

    hits=4, user_data=0xd68b28c8, cs_id=0x0, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: 100

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Hi Jerry,

Really happy, its worked, you now just need to asdd these:

global (100) 101 interface

global (101) 101 interface

and add these well:

access-list 100_access_out extended permit ip any any

and we should be good.

Let me know if this works.

Thanks,

Varun

Thanks,
Varun Rao

Thanks for all the help.

It didn't work. Here's the output of the packet tracer from my ip address to one on the 100 subnet.

Result of the command: "packet-tracer input inside tcp 10.30.0.23 2345 10.16.100.167 3389 detailed"

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   10.16.100.0     255.255.255.0   100

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd66fe6c8, priority=12, domain=permit, deny=false

    hits=38, user_data=0xd66f6f48, cs_id=0x0, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6bbd568, priority=0, domain=permit-ip-option, deny=true

    hits=4363, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

  match ip inside any 100 any

    dynamic translation to pool 101 (10.16.100.1 [Interface PAT])

    translate_hits = 7, untranslate_hits = 0

Additional Information:

Dynamic translate 10.30.0.23/2345 to 10.16.100.1/58999 using netmask 255.255.255.255

Forward Flow based lookup yields rule:

in  id=0xd6b5cbd0, priority=1, domain=nat, deny=false

    hits=7, user_data=0xd68b28c8, cs_id=0x0, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 101 0.0.0.0 0.0.0.0

  match ip inside any inside any

    dynamic translation to pool 101 (No matching global)

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xd6b5b340, priority=1, domain=host, deny=false

    hits=3014, user_data=0xd6b5b020, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group 100_access_out out interface 100

access-list 100_access_out extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd6882398, priority=12, domain=permit, deny=false

    hits=36, user_data=0xd6d2cb90, cs_id=0x0, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0xd683b890, priority=0, domain=permit-ip-option, deny=true

    hits=572, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 13981, packet dispatched to next module

Module information for forward flow ...

snp_fp_inspect_ip_options

snp_fp_tcp_normalizer

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Module information for reverse flow ...

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_tcp_normalizer

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Phase: 10

Type: ROUTE-LOOKUP

Subtype: output and adjacency

Result: ALLOW

Config:

Additional Information:

found next-hop 10.16.100.167 using egress ifc 100

adjacency Active

next-hop mac address 0050.569d.4ea7 hits 0

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: 100

output-status: up

output-line-status: up

Action: allow

Hi Jerry,

How did the 10.16.48.x subnet work?? We have the same config for the other two as well, right?? can we check if we have the RDP port open on those machines. If this doesn't work we'll take captures on ASA.

-Varun

Thanks,
Varun Rao

Remote is enabled, ping trace route etc doesn't travel either. I'm totally lost on why one interface works but not another.

No issues, don't worry, we'll nail it.

Lets take captures now:

access-list cap permit ip host 10.30.0.23 host 10.16.100.167

access-list cap permit ip host 10.16.100.167 host 10.30.0.23

access-list cap permit ip host 10.16.100.167 host 10.16.100.1

access-list cap permit ip host 10.16.100.1 host 10.16.100.167

cap capin access-list cap interface inside

cap capo access-list cap  interface 100

Generate some traffic and then collect the captures by:

show cap capin

show cap capo

Collect the logs as well, when traffic gets denied.

It has to be something. Can you also just paste the config after making the changes.

-Varun

Thanks,
Varun Rao

Varun I really appreciate all the help I finally figured it out. It was a combination of the things you helped me with and a small routing issue as well. Thanks so much!!

Glad I could help you on this

-Varun

Thanks,
Varun Rao
Review Cisco Networking for a $25 gift card