Opening outbound ports on ASA5505

Andrew Duffield
Level 1

Hi all

I need to open some outbound ports in order for our CCTV company to receive alarms from our internal CCTV Machine.

The ip addresses of the company who access the CCTV are as follows:

213.130.134.56

81.130.198.97

The above are fixed IP addresses.

The internal machine is on 192.168.204.170

The outbound ports that I need to open are the following:

TCP

21

23

80

5201

UDP

1025

2074

2075

Is there anyone who can help me with the config?

I have access to the current config if need be.

Thanks

Andy

8 Replies

Hello Andrew,

Can you post the current config so that I can make the new config for you to accommodate the above requirements?

regards

Harish.

Hi Harish,

I have added the current config to the bottom of this reply.

The same ports also need to be opened inbound.

I have partly configured the inbound ports but not touched the outbound configuration.

Kind regards

Andrew

!

hostname mfm-bol-fw

domain-name marlboroughfunds.com

enable password **************. encrypted

names

name 217.206.78.200 met-bir

name 217.10.137.194 met-hc1

name 212.36.44.46 LondonPix

dns-guard

!

interface Ethernet0/0

description Outside Internet Connection

nameif outside

security-level 0

ip address 82.109.238.2 255.255.255.248 standby 82.109.238.3

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.204.1 255.255.255.0 standby 192.168.204.2

!

interface Ethernet0/2

description LAN/STATE Failover Interface

!

interface Ethernet0/3

nameif GUEST

security-level 90

ip address 192.168.77.1 255.255.255.0 standby 192.168.77.2

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd *************** encrypted

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone GMT 0

clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00

dns server-group DefaultDNS

domain-name marlboroughfunds.com

object-group network MET-BACKUP

network-object host 192.168.253.10

network-object host 192.168.253.12

object-group network MFM-BACKUP

network-object host 192.168.204.10

network-object host 192.168.204.11

network-object host 192.168.204.12

object-group network mimecast

network-object 135.196.24.192 255.255.255.240

network-object 212.2.3.128 255.255.255.192

network-object 212.188.232.144 255.255.255.248

network-object 217.206.78.192 255.255.255.240

network-object 213.235.63.64 255.255.255.192

network-object 195.130.217.0 255.255.255.0

network-object 195.130.217.44 255.255.255.255

network-object 91.220.42.0 255.255.255.0

network-object 94.185.244.0 255.255.255.0

network-object 94.185.240.0 255.255.255.0

network-object 83.166.172.26 255.255.255.255

object-group network mimecas

object-group network CCTVGroup

description CCTV External IP's

network-object host 213.130.134.56

network-object host 81.130.198.97

access-list guest extended permit ip 192.168.77.0 255.255.255.0 any

access-list guest extended permit tcp 192.168.77.0 255.255.255.248 any eq www

access-list guest extended permit tcp 192.168.77.0 255.255.255.248 any eq https

access-list guest extended permit udp 192.168.77.0 255.255.255.248 any eq domain

access-list guest extended deny ip any any

access-list inbound extended permit icmp any any

access-list inbound extended permit tcp object-group mimecast host 82.109.238.5 eq ldap

access-list inbound extended permit tcp object-group mimecast host 82.109.238.4 eq smtp

access-list inbound extended permit tcp object-group mimecast host 82.109.238.4 eq pop3

access-list inbound extended deny tcp any host 82.109.238.4 eq smtp log

access-list inbound extended permit tcp any host 82.109.238.6 eq 3389

access-list inbound extended permit tcp any host 82.109.238.4 eq https

access-list inbound extended permit tcp any host 82.109.238.6 eq ftp

access-list inbound extended permit tcp any host 82.109.238.6 eq telnet

access-list inbound extended permit tcp any host 82.109.238.6 eq www

access-list inbound extended permit tcp any host 82.109.238.6 eq 5201

access-list inbound extended permit udp any host 82.109.238.6 eq 1025

access-list inbound extended permit udp any host 82.109.238.6 eq 2074

access-list inbound extended permit udp any host 82.109.238.6 eq 2075

access-list inbound extended deny ip any any

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.205.0 255.255.255.192

access-list metvpn extended permit ip 192.168.204.0 255.255.255.0 192.168.255.0 255.255.255.0

access-list metvpn remark address 24-09-08 for access to unity express

access-list metvpn extended permit ip host 192.168.205.100 192.168.255.0 255.255.255.0

access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.255.0 255.255.255.0

access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.205.48 255.255.255.240

access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.205.0 255.255.255.192

access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.203.0 255.255.255.0

access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.253.0 255.255.255.0

access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.100.0 255.255.255.240

access-list nonat extended permit ip host 192.168.205.100 192.168.255.0 255.255.255.0

access-list nonat extended permit ip 192.168.205.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list inside_access_in extended permit tcp any any

access-list 101 extended permit ip 192.168.204.0 255.255.255.0 192.168.205.0 255.255.255.192

access-list Londonvpn extended permit ip 192.168.204.0 255.255.255.0 192.168.203.0 255.255.255.0

access-list vpn-met-backup extended permit ip 192.168.204.0 255.255.255.0 192.168.253.0 255.255.255.0

access-list outbound extended permit udp any any eq ntp

access-list outbound extended permit tcp host 192.168.204.24 any eq smtp log

access-list outbound extended permit tcp host 192.168.204.24 any eq https log

access-list outbound extended permit ip object-group MFM-BACKUP object-group MET-BACKUP

access-list outbound extended deny ip any 192.168.253.0 255.255.255.0

access-list outbound extended permit ip 192.168.205.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list outbound extended permit ip any any

access-list marl-client-vpn_splitTunnelAcl standard permit 192.168.204.0 255.255.255.0

access-list marl-client-vpn_splitTunnelAcl standard permit 192.168.205.0 255.255.255.0

access-list extended extended deny ip any any

pager lines 24

logging enable

logging buffer-size 65536

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu GUEST 1500

mtu management 1500

ip local pool Clinet-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0

failover

failover lan unit secondary

failover lan interface Failover Ethernet0/2

failover key *****

failover link Failover Ethernet0/2

failover interface ip Failover 192.168.215.1 255.255.255.0 standby 192.168.215.2

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (outside) 2 82.109.238.4

nat (inside) 0 access-list nonat

nat (inside) 2 192.168.204.11 255.255.255.255

nat (inside) 2 192.168.204.12 255.255.255.255

nat (inside) 1 192.168.204.0 255.255.255.0

nat (GUEST) 1 192.168.77.0 255.255.255.0

static (inside,outside) tcp 82.109.238.4 https 192.168.204.24 https netmask 255.255.255.255

static (inside,outside) tcp 82.109.238.4 smtp 192.168.204.24 smtp netmask 255.255.255.255

static (inside,outside) tcp 82.109.238.4 pop3 192.168.204.15 pop3 netmask 255.255.255.255

static (inside,outside) tcp 82.109.238.5 ldap 192.168.204.10 ldap netmask 255.255.255.255

static (inside,outside) tcp 82.109.238.6 3389 192.168.204.26 3389 netmask 255.255.255.255

static (inside,outside) tcp 82.109.238.6 telnet 192.168.204.170 telnet netmask 255.255.255.255

static (inside,outside) tcp 82.109.238.6 www 192.168.204.170 www netmask 255.255.255.255

static (inside,outside) tcp 82.109.238.6 5201 192.168.204.170 5201 netmask 255.255.255.255

static (inside,outside) udp 82.109.238.6 1025 192.168.204.170 1025 netmask 255.255.255.255

static (inside,outside) udp 82.109.238.6 2074 192.168.204.170 2074 netmask 255.255.255.255

static (inside,outside) udp 82.109.238.6 2075 192.168.204.170 2075 netmask 255.255.255.255

static (inside,outside) tcp 82.109.238.6 ftp 192.168.204.170 ftp netmask 255.255.255.255

access-group inbound in interface outside

access-group outbound in interface inside

access-group guest in interface GUEST

route outside 0.0.0.0 0.0.0.0 82.109.238.1 1

route inside 192.168.205.0 255.255.255.0 192.168.204.4 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.204.0 255.255.255.0 inside

http 217.206.78.192 255.255.255.240 outside

no snmp-server location

no snmp-server contact

snmp-server community MFM

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 20 match address metvpn

crypto map outside_map 20 set peer met-bir

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 30 match address Londonvpn

crypto map outside_map 30 set peer LondonPix

crypto map outside_map 30 set transform-set ESP-3DES-MD5

crypto map outside_map 101 match address vpn-met-backup

crypto map outside_map 101 set peer met-hc1

crypto map outside_map 101 set transform-set ESP-3DES-SHA

crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 25

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh 192.168.204.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns 212.135.1.36 195.40.1.36

!

dhcpd address 192.168.77.10-192.168.77.20 GUEST

dhcpd enable GUEST

!

threat-detection basic-threat

threat-detection statistics

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

ntp server 158.43.128.33

ntp server 158.43.128.66

group-policy marl-client-vpn internal

group-policy marl-client-vpn attributes

wins-server value 192.168.204.10 192.168.204.10

dns-server value 192.168.204.10 192.168.204.10

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value marl-client-vpn_splitTunnelAcl

default-domain value marlboroughfunds.com

username nowcomm password 6mgDBpf35tTgyYjf encrypted

username johnh password 1mirC13Epno6tdfv encrypted

username dannyl password 75jgebLSkEqwZCZ1 encrypted

username lindawf password 6KL7J1G4dMOJQHyt encrypted

username wayneg password JXN3V52DZrjIQ7mr encrypted

username metadmin password 0yBgZqK5ICOwSlT9 encrypted

username leanp password WJ8NfGczYwBJWvQ. encrypted

username leand password bWH.fO2xC9kW2nuz encrypted

username krisn password lx.q1jZwDSbcCcqu encrypted

username chawkes password TCaQ94hHk6NnozTW encrypted

username mfmsoftology password k5aBRfpOqBPVeSbG encrypted

username orchid password 4moL6SrGT0qiojn6 encrypted

username heleng password lNZRORt1GtQ/Oi02 encrypted

username allanhamer password nNZaF7j95Wy.ZQCw encrypted

username keith password gKCJhFSvHtbNEz8k encrypted

username [username]heleng password pGsY06jc.k/KOIh6 encrypted

username keitho password Qes/.8qABLFujmT4 encrypted

username andrewa password tfu6b029ItYA3sMo encrypted

username justind password mMGEasUsRr998h3a encrypted

tunnel-group 81.171.227.12 type ipsec-l2l

tunnel-group 81.171.227.12 ipsec-attributes

pre-shared-key *

tunnel-group 217.206.78.200 type ipsec-l2l

tunnel-group 217.206.78.200 ipsec-attributes

pre-shared-key *

tunnel-group 217.10.137.194 type ipsec-l2l

tunnel-group 217.10.137.194 ipsec-attributes

pre-shared-key *

tunnel-group marl-client-vpn type remote-access

tunnel-group marl-client-vpn general-attributes

address-pool Clinet-Pool

default-group-policy marl-client-vpn

tunnel-group marl-client-vpn ipsec-attributes

pre-shared-key *

tunnel-group 212.36.44.46 type ipsec-l2l

tunnel-group 212.36.44.46 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:d3760b3c23e2cee9f5e420734811cb5f

: end

mfm-bol-fw#

Hello Andrew,

Just to confirm, the requirement is that you have an inside CCTV station with IP address 192.168.204.170, and that PC wants to access 213.130.134.56 & 81.130.198.97 on the mentioned UDP & TCP ports. Or is it the other way around?

harish.

Hi Harish,

It's actually both ways round. The CCTV company has requested that the ports be opened inbound AND outbound.

Thanks

Andrew

Hello Andrew,

OK. For the inside --> outside connection, it is already permitted and should be working, but for the outside --> inside connection you need a static public IP address where you NAT your server and allow the ports.

Regards

harish

Yeah, I can ftp no problem onto the server using the external IP of 82.109.238.6:

static (inside,outside) tcp 82.109.238.6 telnet 192.168.204.170 telnet netmask 255.255.255.255

That is the IP that the CCTV people use.

I need to allow traffic from those ports outbound (alarms etc.) to the CCTV company's monitoring software.

Andrew

Hi Andrew,

I work in the CCTV industry, and have a fair bit of experience on the ASA5510 and 5550.

Out of the box, once nat has been set up, an ASA will allow any inside address to initiate either a TCP or UDP session to the outside (think of it punching a hole through the firewall) and will look for the corresponding return traffic and allow it back in.

Where the firewall does what it should do is when you want to allow the session to be initiated from the outside... out of the box, the ASA will block all traffic from the outside (untrusted) to the inside (trusted).

We have an application that will set up a UDP session from the inside to the remote device on port 15000 (allowed by default); when the remote device sees this, it then tries to initiate a TCP connection back into the ASA from the outside on the port range 15000 - 15007 (blocked by default).

I have configured the ASA with object groups and network objects; at present we have around 40 sites that connect back this way, using two different flavours of this (this one is the old version, the newer one uses RTP - so I have another object group for this).

By configuring this way, as you add more sites, all you need to do is add network objects with the site's IP address into your object group and the ASA does the rest for you. Makes life very easy.

The relevant parts of my config are pasted below (my client has a single device that is used for viewing all of these remote DVRs, but you could set up another object group for the allowed inside hosts that can connect to the outside devices, or a range) - don't forget to make sure that you have NAT translation sorted for the device / devices you are trying to connect from - ask me how I know.....

object-group service AdproTCP tcp

description Adpro TCP Ports 15001 to 15007

port-object range 15001 15007

object-group network FASTTRACE_NETWORKS

network-object x.x.x.x 255.255.255.255

network-object x.x.x.x 255.255.255.255

network-object x.x.x.x 255.255.255.255

access-list Outside_access_in extended permit tcp object-group FASTTRACE_NETWORKS host x.x.x.x object-group AdproTCP

Cheers

Mark
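To make Harish's point (inside --> outside is already permitted) and Mark's object-group approach concrete, here is an added Python model of the ASA's first-match ACL evaluation, run over the access-list and object-group lines quoted in the thread; it is not code from the thread or from Cisco. The "strict" ACL, which reuses the CCTVGroup object group that the posted config defines but never references, and the 198.51.100.9 test source are my constructed additions; the model assumes the ASA 8.0 behaviour where the outside ACL is checked against the mapped public address (82.109.238.6).

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt of the object-group and access-list lines quoted in the
# thread, plus a hypothetical "strict" ACL that reuses the (defined but unused)
# CCTVGroup object group as the permitted inbound source.
CONFIG = """
object-group network CCTVGroup
network-object host 213.130.134.56
network-object host 81.130.198.97
access-list inbound extended permit tcp any host 82.109.238.6 eq www
access-list inbound extended permit tcp any host 82.109.238.6 eq 5201
access-list inbound extended permit udp any host 82.109.238.6 eq 2074
access-list inbound extended deny ip any any
access-list outbound extended deny ip any 192.168.253.0 255.255.255.0
access-list outbound extended permit ip any any
access-list strict extended permit tcp object-group CCTVGroup host 82.109.238.6 eq 5201
access-list strict extended deny ip any any
"""
# Named ports used in the thread's config; numeric ports are taken as-is.
PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "ntp": 123, "https": 443}

def parse_addr(tokens, groups):
    # Consume one ASA address spec; return (networks, remaining tokens).
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]

def parse(text):
    # Build {acl_name: [(action, proto, src_nets, dst_nets, port), ...]}.
    groups, acls, current = defaultdict(list), defaultdict(list), None
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "object-group":
            current = t[2]
        elif t[0] == "network-object":
            groups[current].append(parse_addr(t[1:], groups)[0][0])
        elif t[0] == "access-list" and t[2] == "extended":
            src, rest = parse_addr(t[5:], groups)
            dst, rest = parse_addr(rest, groups)
            port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            acls[t[1]].append((t[3], t[4], src, dst, port))
    return acls

def evaluate(acl, proto, src, dst, port):
    # First match wins, as on the ASA; no match falls through to the implicit deny.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcs, dsts, eq in acl:
        if p in ("ip", proto) and any(s in n for n in srcs) \
                and any(d in n for n in dsts) and eq in (None, port):
            return action
    return "deny"

def check(acl_name, proto, src, dst, port):
    # e.g. check("inbound", "tcp", "198.51.100.9", "82.109.238.6", 5201) -> "permit"
    return evaluate(parse(CONFIG)[acl_name], proto, src, dst, port)
```

Running check("outbound", ...) from 192.168.204.170 to a vendor address shows the DVR's alarms already pass on the inside interface, while the "inbound" versus "strict" results show the difference between permitting any Internet source to the forwarded ports and limiting them to the two vendor addresses in CCTVGroup.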

Hello Andrew,

try the following configuration...

It will surely help you to solve the problem. Instead of static PAT, you need to do the NAT, as you have already allowed the traffic on particular ports through the access list.

no static (inside,outside) tcp 82.109.238.6 telnet 192.168.204.170 telnet netmask 255.255.255.255
no static (inside,outside) tcp 82.109.238.6 www 192.168.204.170 www netmask 255.255.255.255
no static (inside,outside) tcp 82.109.238.6 5201 192.168.204.170 5201 netmask 255.255.255.255
no static (inside,outside) udp 82.109.238.6 1025 192.168.204.170 1025 netmask 255.255.255.255
no static (inside,outside) udp 82.109.238.6 2074 192.168.204.170 2074 netmask 255.255.255.255
no static (inside,outside) udp 82.109.238.6 2075 192.168.204.170 2075 netmask 255.255.255.255
no static (inside,outside) tcp 82.109.238.6 ftp 192.168.204.170 ftp netmask 255.255.255.255

static (inside,outside) 82.109.238.6 192.168.204.170 netmask 255.255.255.255

Do this configuration and let me know if you have any problem.

Cheers

Saurabh
