ASDM 6.4 for ASA 5505

sunbeltadmin
Level 1

Created a STATIC NAT and filter rule for a remote connection to our new phone system but can't seem to get it to work. Any suggestions?


Rahul Govindan
VIP Alumni

Seems to be failing NAT. Can you paste what you have added as config?

I masked the outside interface IP.

: Saved
:
ASA Version 8.2(5)
!
hostname 
domain-name 
enable password 
passwd 
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XXX.XX 255.255.255.252
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name sunbeltmachineworks.com
access-list outside_access_in remark Phone System Remote
access-list outside_access_in extended permit tcp any host 10.1.2.150 eq 35400 log disable
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 35400 10.1.2.150 35400 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.79.252.110 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
url-server (inside) vendor websense host 10.1.1.3 timeout 30 protocol TCP version 4 connections 5
url-cache dst 100
filter url except 0.0.0.0 0.0.0.0 10.1.2.150 255.255.255.255 allow proxy-block
filter url except 10.1.2.114 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.105 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.100 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.1.3 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.106 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.128 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.111 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter https except 10.1.2.114 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.106 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.128 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.111 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.100 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.105 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.1.3 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 1500
url-block url-size 4
url-block block 128
ntp server 65.55.21.23 source outside prefer
webvpn
username 
username

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:457787e6bc4e4c23ff280569133dc663
: end
no asdm history enable

The only static rule that I see is this:

static (inside,outside) tcp interface 35400 10.1.2.150 35400 netmask 255.255.255.255 

You also have the ACL allowing traffic to the server from the outside:

access-list outside_access_in extended permit tcp any host 10.1.2.150 eq 35400 log disable 

You have a pre-8.3 configuration. That means you have to have the translated IP address on your ACL. Reference this guide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113024-asa-82-port-forward-00.html#allowuntrusted

Your ACL should look like:

access-list outside_access_in extended permit tcp any host <outside-interface-ip> eq 35400 log disable 

After making this change, run the packet-tracer from the CLI using the following command:

packet-tracer input outside tcp 1.1.1.1 12345 <outside-ip address> 35400 detail
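As an added example (not from the thread or from Cisco), a small Python lint that encodes the point above for 8.2 configs: it parses the static rule, resolves the interface keyword to the outside address, and reports an inbound ACE that names the real 10.1.2.150 instead of the mapped address. The sample config is constructed from the lines posted here, with 203.0.113.2 standing in for the masked outside IP, and it assumes nameif precedes ip address inside each interface block as it does on this page.

```python
import re
# Constructed sample in the shape of the thread's 8.2(5) config; 203.0.113.2 stands in for the masked outside IP.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.252
access-list outside_access_in extended permit tcp any host 10.1.2.150 eq 35400 log disable
static (inside,outside) tcp interface 35400 10.1.2.150 35400 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (?:tcp|udp) (\S+) (\S+) (\S+) \S+ netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (?:tcp|udp|ip) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def acl_destination(rest):
    """(dst, port) of an ACE body after the protocol; dst None means 'any', port None means unrestricted."""
    t = rest.split()
    i = 1 if t[0] == "any" else 2                      # skip the source: any | host X | net mask
    if t[i] == "any":
        dst, i = None, i + 1
    elif t[i] == "host":
        dst, i = t[i + 1], i + 2
    else:
        dst, i = t[i], i + 2                           # network/mask form: keep the network token
    return dst, (t[i + 1] if i < len(t) and t[i] == "eq" else None)

def audit(config_text):
    """Flag inbound ACEs that name the real (pre-NAT) server address, which pre-8.3 code never matches."""
    ips, cur, statics, acls, bound, findings = {}, None, [], {}, {}, []
    for ln in (l.strip() for l in config_text.splitlines()):
        if ln.startswith("nameif "):                    # assumes nameif precedes ip address, as on the page
            cur = ln.split()[1]
        elif ln.startswith("ip address ") and cur:
            ips[cur] = ln.split()[2]
        elif (m := STATIC_RE.match(ln)):
            _, m_if, m_ip, m_port, r_ip = m.groups()
            m_ip = ips.get(m_if, m_ip) if m_ip == "interface" else m_ip  # 'interface' = its own address
            statics.append((m_if, r_ip, m_ip, m_port))
        elif (m := ACL_RE.match(ln)):
            acls.setdefault(m.group(1), []).append(acl_destination(m.group(2)))
        elif (m := GROUP_RE.match(ln)):
            bound[m.group(2)] = m.group(1)              # interface -> ACL applied inbound on it
    for m_if, r_ip, m_ip, port in statics:
        entries = acls.get(bound.get(m_if, ""), [])
        for dst, p in entries:
            if dst == r_ip and p in (port, None):
                findings.append(f"ACE permits real address {r_ip}; pre-8.3 ACLs see the mapped address {m_ip}")
        if not any(d in (m_ip, None) and p in (port, None) for d, p in entries):
            findings.append(f"no inbound ACE on {m_if} for mapped {m_ip}/{port}")
    return findings
```

Running audit() on the sample returns two findings; swapping the ACE's host to 203.0.113.2, as the answer suggests, returns none.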

I'm going to assume this worked...

Result of the command: "packet-tracer input outside tcp 1.1.1.1 12345 xx.xx.xxx.xx 35400 detail"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 35400 10.1.2.150 35400 netmask 255.255.255.255
match tcp inside host 10.1.2.150 eq 35400 outside any
static translation to xx.xx.xxx.xx/35400
translate_hits = 3, untranslate_hits = 10
Additional Information:
NAT divert to egress interface inside
Untranslate xx.xx.xxx.xx/35400 to 10.1.2.150/35400 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any xx.xx.xxx.xx 255.255.255.252 eq 35400
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcb151820, priority=12, domain=permit, deny=false
hits=1, user_data=0xc7959810, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=xx.xx.xxx.xx, mask=255.255.255.252, port=35400, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc96f26e8, priority=0, domain=inspect-ip-options, deny=true
hits=741392, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 35400 10.1.2.150 35400 netmask 255.255.255.255
match tcp inside host 10.1.2.150 eq 35400 outside any
static translation to xx.xx.xxx.xx
translate_hits = 3, untranslate_hits = 10
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcbcc3698, priority=5, domain=nat-reverse, deny=false
hits=9, user_data=0xcaba7f70, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.1.2.150, mask=255.255.255.255, port=35400, dscp=0x0

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 35400 10.1.2.150 35400 netmask 255.255.255.255
match tcp inside host 10.1.2.150 eq 35400 outside any
static translation to xx.xx.xxx.xx/35400
translate_hits = 3, untranslate_hits = 10
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc9702160, priority=5, domain=host, deny=false
hits=17, user_data=0xcaba7f70, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.2.150, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc96a8a68, priority=0, domain=inspect-ip-options, deny=true
hits=914402, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 913210, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

New Running Config

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(5)
!
hostname 
domain-name 
enable password 
passwd 
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xxx.xx 255.255.255.252
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name sunbeltmachineworks.com
access-list outside_access_in extended permit tcp any xx.xx.xxx.xx 255.255.255.252 eq 35400
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 35400 10.1.2.150 35400 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
url-server (inside) vendor websense host 10.1.1.3 timeout 30 protocol TCP version 4 connections 5
url-cache dst 100
filter url except 10.1.2.114 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.105 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.100 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.1.3 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.106 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.128 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter url except 10.1.2.111 255.255.255.255 0.0.0.0 0.0.0.0 allow proxy-block
filter https except 10.1.2.114 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.106 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.128 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.111 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.100 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.2.105 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter https except 10.1.1.3 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow proxy-block
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 1500
url-block url-size 4
url-block block 128
ntp server 65.55.21.23 source outside prefer
webvpn

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f721ee753888731f1bfdf950095a7909
: end

If we use a cable modem for our internet, do I need to port forward on the modem to point to my outside interface?
