NAT/Opening a Port on ASA 5505

pgmccullough
Level 1

Hi everyone--I'm very green, but my friend was against a wall trying to update her office's system, and it seems like every Cisco person in the region has gone on vacation.

For some sort of new system her office is getting, she was told that she needed to enable NAT with external IP xxx.xxx.xxx.14 (the ASA's IP is xxx.xxx.xxx.11) and internal IP xxx.xxx.xxx.58, and that port 8222 needs to be open.  I know this is sort of vague, but it's what she was given, and I know the 8222 port is very specific in function, so I'm hoping that makes it obvious to experts what the point of this is?

At any rate, the best I could come up with was to run:

static (inside,outside) xxx.xxx.xxx.58 xxx.xxx.xxx.14 netmask 255.255.255.255
access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq www
access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq https
access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq 8222
access-list inbound extended permit udp any host xxx.xxx.xxx.11 eq 8222
access-group inbound in interface outside

But after I inserted this, she did what she was supposed to be able to do (went home and tried to run some sort of remote installation file) and it didn't work...  can anyone shed any light on this?

Thanks a million in advance.

8 Replies

llamaw0rksE
Level 1

Okay, going to make some assumptions here.

An external user or external corporate IP (many users) of IP xx.xx.xx.14 needs access via port 8222 to an internal private IP behind the ASA of xx.xx.xx.58.   Furthermore, the WAN IP of the ASA is xx.xx.xx.11.

Also will assume the router already has dynamic PAT set up, routing for traffic to the next hop (IP address of gateway of ISP) and ACL rules identified with the outside interface.

For version firmware 8.43

! external source that is allowed in
object network extuser
 host xx.xx.xx.14
! the service being opened
object service specialfunction
 service tcp destination eq 8222
! the real (inside) host that serves the application
object network PC-serving-IP
 host xx.xx.xx.58
! object NAT: in 8.3+ the object holds the real inside address, the mapped address goes on the nat line
object network Nat4specfunction
 host xx.xx.xx.58

------------------------------------------------------

! 8.3+ ACLs reference the real (untranslated) destination address
access-list outside_access_in extended permit object specialfunction object extuser object PC-serving-IP

------------------------------------------------------

object network Nat4specfunction
 nat (inside,outside) static interface service tcp 8222 8222

-----------------------------------------------------------------------------------------------------

If the outside interface is not .11, and it's simply another of a group of public IPs associated to the ASA, then make an object definition for later use.

object network anotherextIP
 host xx.xx.xx.11

object network Nat4specfunction
 nat (inside,outside) static anotherextIP service tcp 8222 8222

Thanks so so much for taking time to give me this.  Really do appreciate it.

I could be wrong, but I believe all of your assumptions are accurate.  I'm going in to the friend's office tomorrow to try and get it running.  Hopefully I can come back and mark "correct answer" tomorrow afternoon!

In the meantime, just in case, I guess I'll attach the configuration.  Maybe a quick glance can confirm your assumptions for you regarding router already having dynamic pat setup, routing for traffic to the next hop (IP address of gateway of ISP) and ACL rules identified with outside interface.

Thanks again.  I never would have gotten this on my own, obviously.

ASA Version 7.2(3)
!
hostname [top secret!]
domain-name [top secret!]
enable password [top secret!] encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address [top secret!].140 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address [top secret!].11 255.255.255.248
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd [top secret!] encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name [top secret!]
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip [top secret!] 255.255.255.0 10.0.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.50.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0 – Not in your configuration
access-list outside_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.8.0 255.255.255.0
access-list tr-remote_splitTunnelAcl standard permit any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit tcp [top secret!] 255.255.255.0 any eq smtp
access-list outside_2_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0 – Not in your configuration
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remote-vpn 10.0.50.0-10.0.50.7 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.0.1.201 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside – Not in your configuration
route outside 0.0.0.0 0.0.0.0 [top secret!].9 1 – was [top secret!].194 in your config
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.6.0 255.255.255.0 inside – Not in your configuration
http 10.0.8.0 255.255.255.0 inside – Outside in your configuration
http 10.0.1.0 255.255.255.0 inside
http 10.0.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac – Not in your configuration
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA – Not in your configuration
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer [top secret!].194
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer [top secret!].162
crypto map outside_map 2 set transform-set ESP-3DES-SHA – Not in your configuration
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate – Not in your configuration
group-policy tr-remote internal
group-policy tr-remote attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value tr-remote_splitTunnelAcl
group-policy staff-remote internal
group-policy staff-remote attributes
dns-server value 10.0.1.200
vpn-tunnel-protocol IPSec
username remote password [top secret!] encrypted privilege 0
username remote attributes
vpn-group-policy [top secret!]
username [top secret!] password [top secret!] encrypted privilege 0
username [top secret!] attributes
vpn-group-policy tr-remote
tunnel-group [top secret!].194 type ipsec-l2l
tunnel-group [top secret!].194 ipsec-attributes
pre-shared-key *
tunnel-group tr-remote type ipsec-ra
tunnel-group tr-remote general-attributes
address-pool remote-vpn
default-group-policy tr-remote
tunnel-group tr-remote ipsec-attributes
pre-shared-key *
tunnel-group [top secret!].162 type ipsec-l2l
tunnel-group [top secret!].162 ipsec-attributes
pre-shared-key *
tunnel-group staff-remote type ipsec-ra
tunnel-group staff-remote general-attributes
address-pool remote-vpn
default-group-policy [top secret!]
tunnel-group [top secret!] ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:[top secret!]

andrew.prince
Level 10

static (inside,outside) xxx.xxx.xxx.58 xxx.xxx.xxx.14 netmask 255.255.255.255
access-list inbound extended permit tcp any host 24.105.143.11 eq 8222
access-list inbound extended permit udp any host 24.105.143.11 eq 8222

The NAT and the ACL last octet do not match!

Yeah, all I knew was that the ASA IP was xxxxxxx.11 and that the actual external IP was xxxxxxxxxxx.14, so I just thought they needed to be pointed at each other and that was the way to do it.

Thanks so much for replying.

Message was edited by: Patrick McCullough

Thanks again for spotting the flaw--do you have any idea whether the code ought to work if altered to make the nat and acl match?

Yes - it would have worked.
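The mismatch pointed out above (the static translates to .14 while the ACL opens .11) is easy to miss by eye in a pre-8.3 config, where the inbound ACL on the outside interface must name the mapped (translated) address of a static. The following checker is an added example, not code from this thread or from Cisco: it parses `static` and `access-list ... host` lines and flags ACL destinations that no static translates to. The addresses in its sample configs are constructed placeholders (203.0.113.0/24 documentation space for the public side, 10.0.1.0/24 for inside) standing in for the redacted xxx.xxx.xxx.x values; `check`, `parse_statics` and `parse_acl_hosts` are names chosen here.

```python
"""Consistency check for pre-8.3 ASA static NAT + inbound ACL pairs.

On ASA 7.x / 8.2 the outside-interface ACL must reference the *mapped*
(translated) address of a static. An ACL that opens the interface address
or the real inside address does nothing for the published service. This
added example flags such entries; it is not Cisco code.
"""

# ASA accepts keyword ports in ACLs; normalise them so "smtp" and "25" compare equal.
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "smtp": "25", "ssh": "22"}


def norm_port(p):
    """Map ASA port keywords to numbers; numbers and None pass through."""
    return PORT_NAMES.get(p, p) if p is not None else None


def parse_statics(lines):
    """Parse `static (in,out) ...` lines in both pre-8.3 forms:
         static (inside,outside) MAPPED REAL netmask M
         static (inside,outside) tcp MAPPED MPORT REAL RPORT netmask M
    Returns a list of dicts with proto/mapped/mport/real/rport."""
    statics = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "static" or "netmask" not in tok:
            continue
        body = tok[2:tok.index("netmask")]
        if body[0] in ("tcp", "udp"):
            proto, mapped, mport, real, rport = body[:5]
        else:
            proto, mport, rport = None, None, None
            mapped, real = body[:2]
        statics.append({"proto": proto, "mapped": mapped, "mport": norm_port(mport),
                        "real": real, "rport": norm_port(rport)})
    return statics


def parse_acl_hosts(lines):
    """Return (acl_name, proto, dst_host, dst_port) for `extended permit` entries
    whose destination is a single host (the last `host` keyword on the line)."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
            continue
        if "host" not in tok:
            continue
        i = len(tok) - 1 - tok[::-1].index("host")   # last 'host' = destination
        if len(tok) > i + 2 and tok[i + 2] not in ("eq", "range"):
            continue                                  # destination is not this host
        dst = tok[i + 1]
        port = tok[i + 3] if len(tok) > i + 3 and tok[i + 2] == "eq" else None
        entries.append((tok[1], tok[4], dst, norm_port(port)))
    return entries


def check(config_text, interface_ip):
    """Return one finding per ACL host/port that no static translates to.
    `interface_ip` resolves the `interface` keyword used by port statics."""
    lines = [l.strip() for l in config_text.strip().splitlines()]
    statics = parse_statics(lines)
    findings = []
    for name, proto, dst, port in parse_acl_hosts(lines):
        ok = False
        for s in statics:
            mapped = interface_ip if s["mapped"] == "interface" else s["mapped"]
            if mapped != dst:
                continue
            if s["proto"] is None:                    # one-to-one static covers all ports
                ok = True
            elif s["proto"] == proto and port in (None, s["mport"]):
                ok = True
        if not ok:
            findings.append(f"access-list {name}: {proto} host {dst} eq {port} matches no static; "
                            f"the ACL must use the mapped address, not the interface or real address")
    return findings


# Constructed sample modelled on the thread's first attempt: the static maps
# inside .58 to public .14, but every ACL line opens .11 (the ASA's own address).
FIRST_ATTEMPT = """
static (inside,outside) 203.0.113.14 10.0.1.58 netmask 255.255.255.255
access-list inbound extended permit tcp any host 203.0.113.11 eq www
access-list inbound extended permit tcp any host 203.0.113.11 eq https
access-list inbound extended permit tcp any host 203.0.113.11 eq 8222
access-list inbound extended permit udp any host 203.0.113.11 eq 8222
access-group inbound in interface outside
"""

# Same static with the ACL pointed at the mapped address, plus a port static on
# the interface (the shape the posted config uses for SMTP) to show it is accepted.
CORRECTED = """
static (inside,outside) 203.0.113.14 10.0.1.58 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.0.1.201 smtp netmask 255.255.255.255
access-list inbound extended permit tcp any host 203.0.113.14 eq 8222
access-list inbound extended permit udp any host 203.0.113.14 eq 8222
access-list inbound extended permit tcp any host 203.0.113.11 eq smtp
access-group inbound in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        print(f"== {label}")
        for f in check(cfg, "203.0.113.11") or ["no mismatches"]:
            print("  " + f)
```

Run against the first attempt it reports all four ACL lines, because nothing translates to .11 on those ports; against the corrected set it reports nothing. The check only covers the pre-8.3 syntax this thread's 7.2(3) config uses; on 8.3 and later the rule inverts and the ACL must name the real inside address, so the same script would give false alarms there.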

llamaw0rksE
Level 1

My input is only valid for 8.43; it won't help you for the older version. My apologies.

Oops!  Oh well--no need to apologize, certainly!  Not only have you helped clarify my question for other experts, but if worst comes to worst, I could probably Google the older equivalent of each command in your code?
