04-03-2007 10:14 AM - edited 03-11-2019 02:55 AM
I have 3 internal MS Server 2003 boxes that need to be accessible from the outside. The server IPs are 192.168.0.237, which needs ports 21095-21096; 192.168.0.240, which needs ports 21093-21094; and 192.168.0.242, which needs ports 21097-21098. I need to allow all traffic through to those servers on those ports. Here's my config:
ASA Version 7.2(2)
!
hostname asa5510
domain-name xxxxxxx.com
enable password xxx
names
dns-guard
!
interface Ethernet0/0
nameif External
security-level 0
ip address 111111111111 255.255.255.248
!
interface Ethernet0/1
nameif Internal
security-level 100
ip address 11111111111 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 80
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd xxxxxxxxxxxxxx encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxxx.com
access-list External_access_in extended permit tcp any interface External eq 21093
access-list External_access_in extended permit tcp any interface External eq 21094
access-list External_access_in extended permit tcp any eq 21095 interface External eq 21095
access-list External_access_in extended permit tcp any eq 21096 interface External eq 21096
access-list External_access_in extended permit tcp any eq 21097 interface External eq 21097
access-list External_access_in extended permit tcp any eq 21098 interface External eq 21098
access-list External_access_in extended permit tcp any interface External eq smtp
access-list External_access_in extended permit tcp any host 11111111111 eq ftp
access-list External_access_in extended permit tcp any host 11111111111 eq www
access-list External_access_in extended permit tcp any host 11111111111 eq https
access-list External_access_in extended permit tcp any host 11111111111 eq www
access-list External_access_in extended permit tcp any host 11111111111 eq https
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit any
access-list xxxxxxxx_splitTunnelAcl standard permit any
access-list dmz_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz_in extended permit icmp any any
access-list dmz_in extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.201
access-list dmz_in extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.200
access-list dmz_in extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.202
access-list dmz_in extended deny ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list dmz_in extended permit ip any any
access-list winter_splitTunnelAcl standard permit any
access-list Internal_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list yyyyyyyVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list hhhhhhVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list External_cryptomap_65535.40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list External_cryptomap_65535.60 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Internal_access_in extended permit icmp any any
access-list Internal_access_in extended permit ip any any
04-03-2007 10:15 AM
pager lines 24
logging enable
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu DMZ 1500
ip local pool VPN 192.168.3.1-192.168.3.254 mask 255.255.255.0
ip verify reverse-path interface External
ip verify reverse-path interface DMZ
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit any Internal
icmp permit any DMZ
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (External) 1 interface
nat (Internal) 0 access-list Internal_nat0_outbound
nat (Internal) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list dmz_nat0_outbound
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (Internal,External) tcp interface smtp 192.168.0.202 smtp netmask 255.255.255.255
static (Internal,External) tcp interface 21093 192.168.0.240 21093 netmask 255.255.255.255
static (Internal,External) tcp interface 21094 192.168.0.240 21094 netmask 255.255.255.255
static (Internal,External) tcp interface 21095 192.168.0.237 21095 netmask 255.255.255.255
static (Internal,External) tcp interface 21096 192.168.0.237 21096 netmask 255.255.255.255
static (Internal,External) tcp interface 21097 192.168.0.242 21097 netmask 255.255.255.255
static (Internal,External) tcp interface 21098 192.168.0.242 21098 netmask 255.255.255.255
static (Internal,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,External) 11111111111 192.168.2.4 netmask 255.255.255.255
static (DMZ,External) 11111111111 192.168.2.3 netmask 255.255.255.255
static (DMZ,External) 11111111111 192.168.2.2 netmask 255.255.255.255
access-group External_access_in in interface External
access-group Internal_access_in in interface Internal
access-group dmz_in in interface DMZ
route External 0.0.0.0 0.0.0.0 1111111111111 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy radical internal
group-policy radical attributes
dns-server value 192.168.0.15
vpn-tunnel-protocol IPSec
04-03-2007 10:16 AM
default-domain value xxxxxxxxx
group-policy yyyyyyyVPN internal
group-policy yyyyyyyVPN attributes
dns-server value 192.168.0.201
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value xxxxxxxxx.com
username user1 password sv.wwwwwwwwwww encrypted privilege 15
username user1 attributes
vpn-group-policy yyyyyyyyVPN
vpn-simultaneous-logins 50
username user2 password sv.xxxxxxxxxxxx encrypted privilege 15
username user2 attributes
vpn-group-policy yyyyyyyVPN
http server enable
http 192.168.0.0 255.255.255.0 Internal
http 192.168.2.0 255.255.255.0 DMZ
http 192.168.3.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 20 set pfs
crypto dynamic-map External_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 40 match address External_cryptomap_65535.40
crypto dynamic-map External_dyn_map 40 set pfs
crypto dynamic-map External_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 60 match address External_cryptomap_65535.60
crypto dynamic-map External_dyn_map 60 set pfs
crypto dynamic-map External_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map External_map interface External
crypto isakmp enable External
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group radical type ipsec-ra
tunnel-group radical general-attributes
address-pool VPN
default-group-policy radical
tunnel-group radical ipsec-attributes
pre-shared-key *
tunnel-group new type ipsec-ra
tunnel-group new general-attributes
address-pool VPN
tunnel-group new ipsec-attributes
pre-shared-key *
tunnel-group yyyyyyyVPN type ipsec-ra
tunnel-group yyyyyyyVPN general-attributes
address-pool VPN
default-group-policy yyyyyyyVPN
tunnel-group yyyyyyyVPN ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.3.0 255.255.255.0 Internal
telnet 192.168.2.0 255.255.255.0 DMZ
telnet timeout 30
ssh timeout 5
console timeout 30
management-access Internal
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
inspect pptp
!
service-policy global_policy global
ntp server 192.5.41.41 source External
prompt hostname context
What am I missing? Thanks.
04-03-2007 10:21 AM
Did you mean to specify source ports in your acl? Without source ports would look like this...
access-list External_access_in extended permit tcp any interface External eq 21093
access-list External_access_in extended permit tcp any interface External eq 21094
access-list External_access_in extended permit tcp any interface External eq 21095
access-list External_access_in extended permit tcp any interface External eq 21096
access-list External_access_in extended permit tcp any interface External eq 21097
access-list External_access_in extended permit tcp any interface External eq 21098
04-03-2007 11:11 AM
I guess I'm not totally clear on what I need to do so that I allow all traffic in from the External interface on those ports to the specified server IPs. I guess I'm confused on exactly what "source ports" is referring to. Could you give me a little schooling on it? Thanks for your help.
04-03-2007 12:58 PM
Would I need to make any other changes since this is a Windows Mobile device that is accessing these servers? They had this working with an old Firebox firewall by just opening those ports to those server IPs. I screwed up the settings and put those source ports in on some entries, so I removed them now. Anything else that might prevent the connection? Thanks
04-04-2007 08:56 AM
Once I removed the ports from the ACL it fixed my problem. Thanks.
04-04-2007 10:45 PM
Source ports are typically random ports > 1023 and you would rarely specify those. For example, to permit Internet users to reach your web server, you'd allow tcp/any (all source ports) to host ip eq 80.
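To make the point from the two replies above concrete, here is an added example (not code from the thread or from Cisco) that evaluates ASA-style `access-list ... extended` entries the way the firewall does: first match wins, implicit deny at the end. It parses only the subset of syntax the poster's lines use, and because the real outside address is redacted in the post, it assumes 198.51.100.2 for the External interface and 203.0.113.7 as a constructed client address. Running it shows that the poster's original ACEs, which pin the source port to 21095, only match a client that happens to pick 21095 as its ephemeral port, while the corrected ACEs match any source port.

```python
"""Minimal evaluator for ASA-style extended ACEs (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "https": 443}

# Assumption: the post redacts the outside IP, so a documentation-range
# address stands in for the External interface (used by 'interface External').
INTERFACE_IPS = {"External": ipaddress.ip_address("198.51.100.2")}

# Constructed samples: the poster's original ACEs (with 'eq 21095' on the
# source) beside the corrected destination-port-only ACEs from the answer.
ORIGINAL_ACL = """
access-list External_access_in extended permit tcp any eq 21095 interface External eq 21095
access-list External_access_in extended permit tcp any eq 21096 interface External eq 21096
"""
CORRECTED_ACL = """
access-list External_access_in extended permit tcp any interface External eq 21095
access-list External_access_in extended permit tcp any interface External eq 21096
"""


@dataclass
class Addr:
    kind: str              # 'any' | 'host' | 'interface' | 'net'
    value: object = None   # ip address, interface name, or ip network


@dataclass
class Ace:
    action: str
    proto: str
    src: Addr
    sport: Optional[int]   # None means any source port
    dst: Addr
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(toks, i):
    """Return (Addr, next_index) for the address spec starting at toks[i]."""
    if toks[i] == "any":
        return Addr("any"), i + 1
    if toks[i] == "host":
        return Addr("host", ipaddress.ip_address(toks[i + 1])), i + 2
    if toks[i] == "interface":
        return Addr("interface", toks[i + 1]), i + 2
    return Addr("net", ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)), i + 2


def _parse_port(toks, i):
    """Consume an optional 'eq PORT' after an address spec."""
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> list:
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[2] != "extended":
            continue
        action, proto = toks[3], toks[4]
        src, i = _parse_addr(toks, 5)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_port(toks, i)
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def _addr_match(spec: Addr, ip) -> bool:
    if spec.kind == "any":
        return True
    if spec.kind == "host":
        return ip == spec.value
    if spec.kind == "interface":
        return ip == INTERFACE_IPS[spec.value]
    return ip in spec.value


def evaluate(aces, proto, src_ip, sport, dst_ip, dport) -> str:
    """First-match semantics with the implicit deny at the end, as on the ASA."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if not _addr_match(a.src, src_ip) or not _addr_match(a.dst, dst_ip):
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"


def demo() -> dict:
    """A handset at 203.0.113.7 picks ephemeral port 49152 and connects to 21095."""
    pkt = ("tcp", "203.0.113.7", 49152, "198.51.100.2", 21095)
    return {
        "original": evaluate(parse_acl(ORIGINAL_ACL), *pkt),
        "corrected": evaluate(parse_acl(CORRECTED_ACL), *pkt),
        # only a client whose *source* port is also 21095 would pass the original ACE
        "original_src_21095": evaluate(parse_acl(ORIGINAL_ACL), "tcp", "203.0.113.7", 21095, "198.51.100.2", 21095),
    }


if __name__ == "__main__":
    print(demo())
```

On the box itself the same check is `packet-tracer input External tcp 203.0.113.7 49152 <outside-ip> 21095`, which walks the ACL and the static PAT for that flow and reports which entry dropped or allowed it.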