Help open port on ASA5510 (version 8.3)

jerrybu01
Level 1

Hi all,

I configured the ASA to open ports 21, 3389 and 5900 (outside access in), but when I check the ports only 21 and 3389 succeed; 5900 gives an error.

If I configure only one port, 5900 or 3389, it's OK. I don't understand what the problem is.

ASA5510>
ASA5510> ena
Password: ***********************
ASA5510# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA5510
domain-name lohoi.local
enable password *********************** encrypted
passwd *********************** encrypted
names
!
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network Remote_Desktop
host 192.168.100.29
object network VNC
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.29
access-list outside_in extended permit tcp any host 192.168.100.4
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst
asdm image disk0:/asdm-631.bin
asdm history enable
arp timeout 14400
!
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network Remote_Desktop
nat (inside,outside) static interface service tcp 3389 3389
object network VNC
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password *********************** encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:667cb3ec729681c78ccab9a57abd89df
: end
ASA5510#

7 Replies

Julio Carvajal
VIP Alumni

Hello,

Sorry, but I do not understand what you mean.

So, 2 different servers.

Is the problem that you cannot access the VNC server?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

At least your actual config is wrong. Try this config:

access-list outside_in extended permit tcp any object ftpserver eq ftp

no access-list outside_access_in extended permit tcp any object ftpserver eq ftp

outside_in is the ACL that is bound to the outside interface. The NAT is in place for all three servers, so that should be ok.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
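A small checker, added here as an example (it is not from the thread or from Cisco), that walks the object, static PAT, access-list and access-group lines of the first show run above and reports every forwarded port that the ACL bound to the outside interface does not permit, plus ACLs that are defined but never bound. It assumes 8.3-style ACLs that match the real (inside) address, and works on the constructed excerpt below, whose names and addresses are taken from the thread; it also goes one step further than the replies by flagging an ACE that permits every TCP port to a forwarded host.

```python
import re
# Constructed excerpt of the first "show run" in this thread: only the object,
# static PAT, access-list and access-group lines, names and addresses as posted.
CONFIG_BEFORE = """\
object network ftpserver
 host 192.168.88.90
 nat (inside,outside) static interface service tcp ftp ftp
object network Remote_Desktop
 host 192.168.100.29
 nat (inside,outside) static interface service tcp 3389 3389
object network VNC
 host 192.168.100.4
 nat (inside,outside) static interface service tcp 5900 5900
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_in extended permit tcp any host 192.168.100.29
access-list outside_in extended permit tcp any host 192.168.100.4
access-group outside_in in interface outside
"""
ACE_RE = re.compile(r"access-list (\S+) extended permit (\w+) \S+ "
                    r"(?:host (\S+)|object (\S+)|(any))(?: eq (\S+))?$")
NAT_RE = re.compile(r"nat \(inside,outside\) static \S+ service (\w+) (\S+) (\S+)$")
PORTS = {"ftp": 21, "ssh": 22, "www": 80, "https": 443}  # ASA port names
def port(tok):
    return PORTS.get(tok) or int(tok)

def parse(config):
    hosts, nats, acls, bound, cur = {}, [], {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object network "):
            cur = line.split()[2]
        elif line.startswith("host ") and cur:
            hosts[cur] = line.split()[1]           # real (inside) address
        elif (m := NAT_RE.match(line)) and cur:
            nats.append((cur, m[1], port(m[2])))   # real (inside) port
        elif m := ACE_RE.match(line):
            acl, proto, host, obj, _, p = m.groups()  # host and obj None: "any"
            acls.setdefault(acl, []).append((proto, host or obj, p and port(p)))
        elif line.startswith("access-group ") and line.endswith(" in interface outside"):
            bound = line.split()[1]
    return hosts, nats, acls, bound

def check(config):
    hosts, nats, acls, bound = parse(config)
    findings = [f"ACL {a} is defined but not bound to outside" for a in acls if a != bound]
    for obj, proto, rport in nats:
        # ASA 8.3+: the inbound ACL is evaluated against the real (untranslated) address
        aces = [a for a in acls.get(bound, []) if a[0] == proto
                and a[1] in (hosts.get(obj), obj, None)]
        if not any(a[2] in (None, rport) for a in aces):
            findings.append(f"{obj} {proto}/{rport}: no permit in bound ACL {bound}")
        elif any(a[2] is None for a in aces):
            findings.append(f"{obj}: ACE permits all {proto} ports, restrict to {rport}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(CONFIG_BEFORE)) or "no findings")
```

Run against the excerpt it reports that outside_access_in (which holds the FTP rule) is not bound, that nothing in outside_in permits the FTP server, and that the two outside_in entries permit every TCP port instead of just 3389 and 5900; on the corrected config posted later in the thread it reports nothing.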

ASA5510# show run
: Saved
:
ASA Version 8.3(1)
!
hostname ASA5510
domain-name lohoi.local
enable password ****************** encrypted
passwd ****************** encrypted
names
!
interface Ethernet0/0
description Connect_to_Modem
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/1
description Connect_to_Router2911
nameif inside
security-level 100
ip address 172.16.17.2 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Management
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone ICT 7
dns server-group DefaultDNS
domain-name lohoi.local
object network obj-any
subnet 0.0.0.0 0.0.0.0
object network ftpserver
host 192.168.88.90
description FTP server
object network remote_desktop
host 192.168.100.2
object network remote_vnc
host 192.168.100.4
access-list 101 extended permit icmp any any
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list outside_access_in extended permit tcp any host 192.168.100.4 eq 5900
access-list outside_access_in extended permit tcp any host 192.168.100.2 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asd
asdm history enable
arp timeout 14400
!
object network obj-any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
object network remote_desktop
nat (inside,outside) static interface service tcp 3389 3389
object network remote_vnc
nat (inside,outside) static interface service tcp 5900 5900
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
route inside 192.168.88.64 255.255.255.224 172.16.17.1 1
route inside 192.168.100.0 255.255.255.0 172.16.17.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate inside
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password ****************** encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4f061a213185354518601f754e41494c
: end
ASA5510#

So I configured it again, but I'm still not able to access port 5900.

Please paste the output of the following commands:

ping tcp 10.10.50.97 5900

packet-tracer input outside tcp 1.2.3.4 1234 10.0.0.2 5900

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

It's OK, great!

But I have a problem with port 21 when I set up the FTP server.

I tried using a computer on the inside to connect to my FTP --> OK.

But when I use a PC on the inside I can't connect to the FTP server when I use the domain name or the public IP. If I use the private IP, it's OK.

By the way, I want to use TightVNC remote with SSH authentication, so I have to open port 22 on the ASA. What can I do?

But when I use a PC on the inside I can't connect to the FTP server when I use the domain name or the public IP. If I use the private IP, it's OK.

The easiest is to just use the inside IP. It's by design that you can't access it on the public IP. There are some workarounds, but they are more complex.

By the way, I want to use TightVNC remote with SSH authentication, so I have to open port 22 on the ASA. What can I do?

Just change port 5900 to 22 in your ASA config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Thank you so much!
