Solved: How to open a port on ASA5520 version 8.31

Lakeram Harrypersaud · ‎02-14-2011

Can someone please tell me how to open a port on the ASA 5520 Version 8.31?

Private IP Address - 10.1.1.5 255.255.255.0

Public Ip Address 1.1.1.2

TCP Port 25

Any help will be much appreciated

Thanks

Lake

Jennifer Halim · ‎02-14-2011

Object-group is only used to group object together. For the static NAT entry, you still need to configure object NAT individually.

For the access-list, you can create object-group with all the real ip in the object-group and match it in the access-list with the object-group.

Example:

object-group network servers

network-object host 10.1.1.5

network-object host 10.1.1.8

network-object host 10.1.1.67

access-list permit tcp any object-group server eq 80

There are 2 types of object now in version 8.3 if you get confused with the older version:

1) object-group: which is still the same as the previous version, ie: grouping all the object together

2) object: which is the new NAT (object NAT)

Here is the object NAT command reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1778544

View solution in original post

Jennifer Halim · ‎02-14-2011

Do you mean how to create the NAT port address redirection OR/ how to create the access-list that you applied to the outside interface OR/ both?

Also, do you want to create static 1:1 NAT and 1.1.1.2 is the spare public IP, or you want to configure static PAT and 1.1.1.2 is the spare IP, or 1.1.1.2 is actually the outside interface ip address?

Sorry for all the questions as config is different depending on what it is.

Lakeram Harrypersaud · ‎02-14-2011

I just need to create a static one to one nat and open a port. I am not sure what you mean by spare ip?

Thanks

Regards,

Lake Harrypersaud

Future 2000 Systems Inc.

905.405.8844

Sent from my BlackBerry device on the Rogers Wireless Network

Jennifer Halim · ‎02-14-2011

OK, assuming that 1.1.1.2 is not the ASA outside interface ip address and is just another unique IP that you can use, ie: has not been assigned to anything else, then here is the config:

object network obj-10.1.1.5

host 10.1.1.5

nat (inside,outside) static 1.1.1.2

If you already have access-list applied to the outside interface, you just need to add the following to your existing access-list:

access-list permit tcp any object obj-10.1.1.5 eq 25

Lakeram Harrypersaud · ‎02-14-2011

Do I still have to create an access group?

Thanks

Regards,

Lake Harrypersaud

Future 2000 Systems Inc.

905.405.8844

Sent from my BlackBerry device on the Rogers Wireless Network

Jennifer Halim · ‎02-14-2011

If you already have access-list applied to the outside interface, then no, you don't need access-group. Just make sure you use the same access-list name.

But if you haven't had one applied to the outside interface through the access-group command, then yes, you will have to apply it.

"sh run access-group" will show you whether or not it has been applied.

Lakeram Harrypersaud · ‎02-14-2011

I assume the access list has not changed?

Thanks

Regards,

Lake Harrypersaud

Future 2000 Systems Inc.

905.405.8844

Sent from my BlackBerry device on the Rogers Wireless Network

Jennifer Halim · ‎02-14-2011

Assuming what you mean by different compared to the previous version of ASA, then the answer is yes, it has slightly changed.

With the previous version, you will match it against the translated/NATed IP when you apply it on the outside interface, but from version 8.3 onwards, you will need to match it against the real IP or the objectID.

Lakeram Harrypersaud · ‎02-14-2011

Can you please give me an example?

Thanks

Regards,

Lake Harrypersaud

Future 2000 Systems Inc.

905.405.8844

Sent from my BlackBerry device on the Rogers Wireless Network

Jennifer Halim · ‎02-14-2011

From your example,server real IP: 10.1.1.5, translated IP: 1.1.1.2

On the earlier version, your access-list applied to the outside interface will say:

access-list permit tcp any host 1.1.1.2 eq 25

On version 8.3 and onwards, your access-list will say:

access-list permit tcp any host 10.1.1.5 eq 25

OR/ alternatively, with the NAT object that we created earlier, it can say:

access-list permit tcp any object obj-10.1.1.5 eq 25

Lakeram Harrypersaud · ‎02-14-2011

Thank you very much

Regards,

Lake Harrypersaud

Future 2000 Systems Inc.

905.405.8844

Sent from my BlackBerry device on the Rogers Wireless Network

Jennifer Halim · ‎02-14-2011

No problem. Please kindly mark the post as answered if you have no further question. Thank you.

Lakeram Harrypersaud · ‎02-14-2011

Will do

Regards,

Lake Harrypersaud

Future 2000 Systems Inc.

905.405.8844

Sent from my BlackBerry device on the Rogers Wireless Network

Lakeram Harrypersaud · ‎02-14-2011

I am sorry i have one more question. In this scenerio

we created an object group but how can we use this same example to create a static mapping and then create an access list instead of an object group?

Thanks,

Lake

Jennifer Halim · ‎02-14-2011

Object-group is only used to group object together. For the static NAT entry, you still need to configure object NAT individually.

For the access-list, you can create object-group with all the real ip in the object-group and match it in the access-list with the object-group.

Example:

object-group network servers

network-object host 10.1.1.5

network-object host 10.1.1.8

network-object host 10.1.1.67

access-list permit tcp any object-group server eq 80

There are 2 types of object now in version 8.3 if you get confused with the older version:

1) object-group: which is still the same as the previous version, ie: grouping all the object together

2) object: which is the new NAT (object NAT)

Here is the object NAT command reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/no.html#wp1778544