Solved: Cisco ASA 5505 doesn't forware incoming connection to LAN

Jose Pena · ‎06-14-2012

Hello everybody.

I just got a Cisco asa 5505 with the next OS and ASDM info

ASA 5505 OS 8.4(3) ASDM 6.47

I configured and enter all rules to allow incoming traffic to LAN but it's not working also, I have one host inside that is configured in a second IP and create the rule to allow traffic to it but it doesn't work too.

Problem 1

I have VNC running in port 5900 tcp and I want to connect from Internet using port 6001 and this has to forware the connection to the real VNC port. In the configuration I have a few host with the same configuration but I use different outside port to get it.

Problem 2.

I have a second IP with services: SMTP, HTTP, HTTPS and port 444 all TCP forwarding to a server in the LAN.

Facts:

SMTP.

Every time that I do telnet to the second IP looking for the SMTP port, the firewall doesn't let the incoming connection goes through and the LOGGING screen doesn't how that connection.

PORT 6001 (outside)

this port is configured to work with the IP in the outside internface and it was to send the incoming connection to a host inside to the real port 5900.

Can any one check my configuration if I'm missing anything? for sure I'm but I didn't find it. Bellow is the configuration, I masked the Public IPs just left the last number in the IP, also I left the LAN network to see better the configuration.

I will appreciate any help.

Thanks a lot..

CONFIGURATION.

: Saved

:

ASA Version 8.4(3)

!

hostname saturn1

domain-name mydominio.com

enable password SOMEPASS encrypted

passwd SOMEPASS encrypted

names

name 192.168.250.11 CAPITOLA-LAN

name 192.168.250.15 OBIi110-LAN

name 192.168.250.21 DRP1260-LAN

name 192.168.250.22 HPOJ8500-LAN

name 192.168.250.30 AP-W77-NG-LAN

name 192.168.250.97 AJ-DTOP-PC-LAN

name 192.168.250.96 SWEETHEART-PC-LAN

name 192.168.250.94 KIDS-PC-LAN

name XX.YY.ZZ.250 EXTERNALIP

name XX.YY.ZZ.251 EXTERNALIP2

name XX.YY.ZZ.1 GTWAY

dns-guard

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.250.2 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address EXTERNALIP 255.255.255.0

!

boot system disk0:/asa843-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name mydominio.com

object network CAPITOLA-LAN

host 192.168.250.11

object network EXTERNALIP

host XX.YY.ZZ.250

description Created during name migration

object network CAPITOLA-PUBLIC

host XX.YY.ZZ.251

object network capitola-int

host 192.168.250.11

object network capitola-int-vnc

host 192.168.250.11

object network aj-dtop-int-vnc

host 192.168.250.97

object network sweetheart-int-vnc

host 192.168.250.96

object network kids-int-vnc

host 192.168.250.94

object network VPNNetwork

subnet 10.10.20.0 255.255.255.0

object network InsideNetwork

subnet 192.168.250.0 255.255.255.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network capitola-int-smtp

host 192.168.250.11

object-group service capitola-int-smtp-service tcp

port-object eq smtp

object-group service capitola-int-services tcp

port-object eq smtp

port-object eq https

port-object eq www

port-object eq 444

object-group service capitola-int-vnc-service tcp

port-object eq 6001

object-group service aj-dtop-int-vnc-service tcp

port-object eq 6002

object-group service sweetheart-int-vnc-service tcp

port-object eq 6003

object-group service kids-int-vnc-service tcp

port-object eq 6004

access-list incoming extended permit icmp any any

access-list incoming extended permit tcp any object capitola-int object-group capitola-int-services

access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service

access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service

access-list incoming extended permit tcp any object sweetheart-int-vnc object-group sweetheart-int-vnc-service

access-list incoming extended permit tcp any object kids-int-vnc object-group kids-int-vnc-service

access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service

access-list split-tunnel standard permit 192.168.250.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any object VPNNetwork

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpnpool 10.10.20.1-10.10.20.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (inside,any) source static any any destination static VPNNetwork VPNNetwork no-proxy-arp

!

object network capitola-int

nat (any,any) static XX.YY.ZZ.251

object network capitola-int-vnc

nat (inside,outside) static interface service tcp 5900 6001

object network aj-dtop-int-vnc

nat (inside,outside) static interface service tcp 5900 6002

object network sweetheart-int-vnc

nat (inside,outside) static interface service tcp 5900 6003

object network kids-int-vnc

nat (inside,outside) static interface service tcp 5900 6004

object network obj_any

nat (inside,outside) dynamic interface

object network capitola-int-smtp

nat (any,outside) static interface service tcp smtp smtp

access-group incoming in interface outside

route outside 0.0.0.0 0.0.0.0 GTWAY 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http server idle-timeout 2

http server session-timeout 1

http 192.168.1.0 255.255.255.0 inside

http CAPITOLA-LAN 255.255.255.255 inside

http AJ-DTOP-PC-LAN 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh CAPITOLA-LAN 255.255.255.255 inside

ssh AJ-DTOP-PC-LAN 255.255.255.255 inside

ssh timeout 15

console timeout 0

vpn-addr-assign local reuse-delay 2

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password SOMEPASS encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:036b82d3eb5cffc1c65a3b381246d043

: end

asdm image disk0:/asdm-647.bin

no asdm history enable

justinfarmer · ‎06-15-2012

Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):

access list rule:

access-list outside_access_in extended permit udp any object server range 9000 9049 log errors

nat rule:

nat (inside,outside) source static server interface service voip-range voip-range

- 'server' is a network object *

- 'voip-range' is a service group range

I'd assume you can do something similar here in combination with my earlier comment:

access-list incoming extended permit tcp any any eq 5900

Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?

View solution in original post

justinfarmer · ‎06-14-2012

If I understand you right, this sounds like a nat routing issue, you have the static nat lines, but they don't know where to forward to. Try something like:

nat (inside,outside) source static interface service

Good Luck!

Jose Pena · ‎06-14-2012

Justin,

I tried but it doesn't work, any other suggestion.

I had reviewed the configuration 5 times. I configured other device and I did the same configuration except with my IPs and nothing works.

Do you know if there is any other firmware update apart of the OS and ASMD version for this firewall?

Thanks for your help.

Jos.

Jose Pena · ‎06-14-2012

Problem 1 Solution

Found a solution for the incoming connections to the Interface, I added the next line

access-list incoming extended permit ip any any

and all open port forward the incoming connection to the respective host in LAN

Can anyone confirm if I'm not opening more port of what I allowed traffic? Thanks.

Problem 2:

I didn't find the solution yet but I'm still looking.

Problem 3

With the same configuration, I don't have LAN traffic to Internet. I can do ping and I can go direct to the IP of the server to see a website but not to the FQDN,

a) How can I allow all LAN traffic goes to Internet?

b) Apparently, when I do nslookup the software doesn't resolve even when I have the server working and the service running. If I install an old router that i'm replacing, all traffic works well but not with current ASA configuration.

Any suggestion.

Have a good nite/day.

Jos P

Now, 2 questions more

justinfarmer · ‎06-15-2012

Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and nat rules):

access list rule:

access-list outside_access_in extended permit udp any object server range 9000 9049 log errors

nat rule:

nat (inside,outside) source static server interface service voip-range voip-range

- 'server' is a network object *

- 'voip-range' is a service group range

I'd assume you can do something similar here in combination with my earlier comment:

access-list incoming extended permit tcp any any eq 5900

Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice-versa, the inbound VNC request can be on port 6001-6004 ?