Forwarding ports on ASA 5510 with ADSM 6.4

unrealone1
Level 1

Hi all,

Trying to get port forwarding going using ASDM 6.4 on a Cisco 5510

I want to forward port 25/Smtp to 192.168.1.10

I have added all the rules as outlined in the link below.

http://blog.lan-tech.ca/2012/01/22/configure-cisco-asa-for-sbs-20082011-network/

But when running an open port checker on http://www.yougetsignal.com/tools/open-ports/

It says the port is closed, I have noticed that under Access Rules under the Hits columns it says 52 ?

Any ideas?

7 Replies

Jouni Forss
VIP Alumni

Hi,

I can't remember for sure if ASDM 6.4 could be used for both OS versions 8.2 and below and 8.3 and above.

What is your firewalls actual software version?

Can you post some screen captures of your current configuration related to NAT and ACL?

You can also find the CLI window from the ASDM toolbar that lets you insert commands into the CLI through ASDM.

Like taking the firewall running configuration with "show run"

- Jouni

Hi,

ASA: 8.2(5)

ASDM: 6.4 (5)

ASA Version 8.2(5)

ASDM 6.4(5)

Ran the "show run"

ASA Version 8.2(5)
!
hostname ASA5510
enable password Ob5kyzIdS/XRB9vR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.202 RDP_ACCOUNTS
name 192.168.1.250 RDP_SERVER
name 192.168.1.10 test_smtp
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 87.215.45.162 255.255.255.252
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 87.215.61.255
object-group service RDP tcp
 port-object eq 3389
access-list WAN_access_in extended permit tcp any interface Inside eq www
access-list WAN_access_in remark Allow smtp traffic
access-list WAN_access_in extended permit tcp any interface Outside eq smtp
access-list WAN_cryptomap extended permit ip 192.168.1.0 255.255.255.0 host 192.168.100.0
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
global (Inside) 101 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface smtp test_smtp smtp netmask 255.255.255.255
access-group WAN_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 87.215.45.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server dns-01 protocol ldap
aaa-server dns-01 (Inside) host RDP_SERVER
 ldap-naming-attribute CN=users,DC=test,DC=com
 ldap-login-password *****
 ldap-login-dn administrator
 server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map WAN_map0 1 match address WAN_cryptomap
crypto map WAN_map0 1 set peer 78.136.29.23
crypto map WAN_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map0 interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd dns 87.215.61.255
dhcpd update dns
!
dhcpd address test_smtp-192.168.1.25 Inside
dhcpd dns 87.215.61.255 interface Inside
dhcpd update dns interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec
username admin password cMV3rrtQ19q0KVRH encrypted privilege 15
tunnel-group 87.136.29.23 type ipsec-l2l
tunnel-group 87.136.29.23 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 87.136.29.23 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7fa0b2287164705815b069804c9ec666
: end

Hi,

Can you replace the access-list statement to use the actual IP address of your "Outside" interface?

Change

access-list WAN_access_in extended permit tcp any interface Outside eq smtp

to

access-list WAN_access_in extended permit tcp any host 87.215.45.162 eq smtp

To my eye the Static PAT configuration looks fine.

- Jouni
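The pairing Jouni is checking by eye (static PAT entry, ACL entry, ACL bound inbound on the mapped interface) can be checked offline. The script below is an added example for this thread, not Cisco's code and not the poster's; it understands only the pre-8.3 `static`/`access-list`/`access-group` syntax shown in the pasted config, and `SAMPLE_CONFIG` is a constructed excerpt of that config. For each static PAT it reports whether an ACL bound inbound on the mapped interface permits the mapped address and port (both the `interface Outside` form and the `host <ip>` form Jouni suggests are accepted), and it flags ACL entries whose `interface X` destination names an interface other than the one the ACL is bound to, which is what the `eq www` line in the pasted ACL does.

```python
"""Check static PAT (port-forward) entries against the inbound ACL in an
ASA 8.2-style running configuration.

Added example for this thread; not Cisco's code and not the poster's.
Only the pre-8.3 syntax seen in the pasted config is parsed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Service names the ASA prints in place of numbers (subset used here).
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80,
              "http": 80, "pop3": 110, "imap4": 143, "https": 443}


def port_number(tok):
    """'smtp' -> 25, '3389' -> 3389; an unknown name raises KeyError on purpose."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


@dataclass
class Static:
    real_if: str
    mapped_if: str
    proto: str
    mapped_host: str        # "interface" or an IP / name object
    mapped_port: int
    real_host: str          # IP (name objects are resolved at parse time)
    real_port: int


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    dst: str                # "any", "interface <nameif>", "<ip>" or "<net>/<mask>"
    port: Optional[int]     # destination port, None when there is no "eq" clause


@dataclass
class AsaConfig:
    names: dict = field(default_factory=dict)          # name object -> IP
    interfaces: dict = field(default_factory=dict)     # nameif -> IP
    statics: list = field(default_factory=list)
    acls: dict = field(default_factory=dict)           # ACL name -> [Ace]
    access_groups: dict = field(default_factory=dict)  # nameif -> inbound ACL name

    def resolve(self, host):
        """Map a 'name' object to its IP; plain IPs pass through unchanged."""
        return self.names.get(host, host)


def take_addr(tokens):
    """Consume one ASA address spec from the front of a token list."""
    t = tokens.pop(0)
    if t in ("any", "any4"):
        return "any"
    if t == "host":
        return tokens.pop(0)
    if t == "interface":
        return "interface " + tokens.pop(0)
    return t + "/" + tokens.pop(0)          # network mask form


def parse_config(text):
    cfg, nameif = AsaConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # "!" closes an interface stanza
            nameif = None
            continue
        tok = line.split()
        if tok[0] == "name" and len(tok) >= 3:
            cfg.names[tok[2]] = tok[1]
        elif tok[0] == "interface":
            nameif = None
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4:
            cfg.interfaces[nameif] = tok[2]
        elif tok[0] == "static":
            m = re.match(r"static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)", line)
            if m:
                rif, mif, proto, mh, mp, rh, rp = m.groups()
                cfg.statics.append(Static(rif, mif, proto, mh, port_number(mp),
                                          cfg.resolve(rh), port_number(rp)))
        elif tok[0] == "access-list" and len(tok) > 3 and tok[2] == "extended":
            rest = tok[3:]                      # permit|deny proto src dst [eq port]
            action, proto = rest.pop(0), rest.pop(0)
            src, dst = take_addr(rest), take_addr(rest)
            port = port_number(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            cfg.acls.setdefault(tok[1], []).append(Ace(action, proto, src, dst, port))
        elif tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            cfg.access_groups[tok[4]] = tok[1]
    return cfg


def dst_matches(ace_dst, mapped_ip, mapped_if, cfg):
    """Does an ACE destination cover the mapped (public-side) address?"""
    if ace_dst == "any":
        return True
    if ace_dst.startswith("interface "):
        return ace_dst.split()[1] == mapped_if
    if "/" in ace_dst:
        return ipaddress.ip_address(mapped_ip) in ipaddress.ip_network(ace_dst, strict=False)
    return cfg.resolve(ace_dst) == mapped_ip


def check_port_forwards(cfg):
    """Return (level, message) tuples, level being 'ok' or 'warn'."""
    findings = []
    for st in cfg.statics:
        mapped_ip = (cfg.interfaces.get(st.mapped_if) if st.mapped_host == "interface"
                     else cfg.resolve(st.mapped_host))
        label = f"{st.proto}/{st.mapped_port} on {st.mapped_if} -> {st.real_host}:{st.real_port}"
        acl = cfg.access_groups.get(st.mapped_if)
        if acl is None:
            findings.append(("warn", f"{label}: no ACL bound inbound on {st.mapped_if}; "
                             "inbound traffic from a lower security level is dropped by default"))
            continue
        hit = next((a for a in cfg.acls.get(acl, [])
                    if a.action == "permit" and a.proto in (st.proto, "ip")
                    and a.port in (None, st.mapped_port)
                    and dst_matches(a.dst, mapped_ip, st.mapped_if, cfg)), None)
        if hit is None:
            findings.append(("warn", f"{label}: no permit entry in {acl} for the mapped address/port"))
        else:
            findings.append(("ok", f"{label}: permitted by {acl} (dst '{hit.dst}')"))
    # 'interface Y' in an ACL bound on X only matches traffic sent to Y's own
    # address, so Y != X is almost always the wrong keyword.
    for iface, acl in cfg.access_groups.items():
        for a in cfg.acls.get(acl, []):
            if a.dst.startswith("interface ") and a.dst.split()[1] != iface:
                findings.append(("warn", f"{acl} on {iface}: entry for {a.proto}/{a.port} uses "
                                 f"'{a.dst}'; did you mean 'interface {iface}' or a host address?"))
    return findings


# Constructed excerpt of the pasted config (same lines, indentation restored).
SAMPLE_CONFIG = """\
names
name 192.168.1.10 test_smtp
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 87.215.45.162 255.255.255.252
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list WAN_access_in extended permit tcp any interface Inside eq www
access-list WAN_access_in remark Allow smtp traffic
access-list WAN_access_in extended permit tcp any interface Outside eq smtp
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface smtp test_smtp smtp netmask 255.255.255.255
access-group WAN_access_in in interface Outside
"""

if __name__ == "__main__":
    for level, msg in check_port_forwards(parse_config(SAMPLE_CONFIG)):
        print(level.upper(), msg)
```

Run against the excerpt it reports the SMTP forward as permitted and warns about the `www` entry; a config with the `access-group` line missing gets a warning for the forward itself, which is the other common reason a port checker reports "closed" although the static PAT is correct.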

Also,

You could try to check the ASDM real time logging monitor while testing to see what happens to connection attempts.

If they are perhaps being terminated with the reason "SYN Timeout", that would indicate the LAN host isn't responding.

- Jouni

Getting a message in the real time log viewer which says "Teardown TCP translation from Inside test_smtp/1078 to outside 87.215.45.162/51133"

Hi,

That translation mentioned in the log is for a connection that the LAN host had formed to the outside network and is now being removed from the firewall translations. This is not the translation related to a connection from the Internet to the LAN server.

Could you try to run the Packet Tracer from either ASDM or the CLI of the ASA?

The CLI example is the following

packet-tracer input Outside tcp 1.2.3.4 1025 87.215.45.162 25

On the ASDM side you can enter all the port and IP information to their own fields

Can you copy paste the output of the Packet Tracer here?

- Jouni

192.168.1.10 is an internal address. Do you have a NAT for it?

Run the test and see if the requests are coming and being denied in the firewall.

Regards
---
Everton