10-03-2012 01:59 AM - edited 03-11-2019 05:03 PM
Hi all
I need to open some outbound ports in order for our CCTV company to receive alarms from our internal CCTV Machine.
The ip addresses of the company who access the CCTV are as follows:
213.130.134.56
81.130.198.97
The above are fixed IP addresses.
The internal machine is on 192.168.204.170
The outbound ports that I need to open are the following:
TCP
21
23
80
5201
UDP
1025
2074
2075
Is there anyone who can help me with the config?
I have access to the current config if need be.
Thanks
Andy
10-03-2012 02:14 AM
Hello Andrew,
Can you post the current config so that I can make the new config for you to accommodate the above requirements?
Regards
Harish.
10-03-2012 03:25 AM
Hi Harish,
I have added the current config to the bottom of this reply.
The same ports also need to be opened inbound.
I have partly configured the inbound ports but have not touched the outbound configuration.
Kind regards
Andrew
!
hostname mfm-bol-fw
domain-name marlboroughfunds.com
enable password **************. encrypted
names
name 217.206.78.200 met-bir
name 217.10.137.194 met-hc1
name 212.36.44.46 LondonPix
dns-guard
!
interface Ethernet0/0
description Outside Internet Connection
nameif outside
security-level 0
ip address 82.109.238.2 255.255.255.248 standby 82.109.238.3
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.204.1 255.255.255.0 standby 192.168.204.2
!
interface Ethernet0/2
description LAN/STATE Failover Interface
!
interface Ethernet0/3
nameif GUEST
security-level 90
ip address 192.168.77.1 255.255.255.0 standby 192.168.77.2
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd *************** encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
dns server-group DefaultDNS
domain-name marlboroughfunds.com
object-group network MET-BACKUP
network-object host 192.168.253.10
network-object host 192.168.253.12
object-group network MFM-BACKUP
network-object host 192.168.204.10
network-object host 192.168.204.11
network-object host 192.168.204.12
object-group network mimecast
network-object 135.196.24.192 255.255.255.240
network-object 212.2.3.128 255.255.255.192
network-object 212.188.232.144 255.255.255.248
network-object 217.206.78.192 255.255.255.240
network-object 213.235.63.64 255.255.255.192
network-object 195.130.217.0 255.255.255.0
network-object 195.130.217.44 255.255.255.255
network-object 91.220.42.0 255.255.255.0
network-object 94.185.244.0 255.255.255.0
network-object 94.185.240.0 255.255.255.0
network-object 83.166.172.26 255.255.255.255
object-group network mimecas
object-group network CCTVGroup
description CCTV External IP's
network-object host 213.130.134.56
network-object host 81.130.198.97
access-list guest extended permit ip 192.168.77.0 255.255.255.0 any
access-list guest extended permit tcp 192.168.77.0 255.255.255.248 any eq www
access-list guest extended permit tcp 192.168.77.0 255.255.255.248 any eq https
access-list guest extended permit udp 192.168.77.0 255.255.255.248 any eq domain
access-list guest extended deny ip any any
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp object-group mimecast host 82.109.238.5 eq ldap
access-list inbound extended permit tcp object-group mimecast host 82.109.238.4 eq smtp
access-list inbound extended permit tcp object-group mimecast host 82.109.238.4 eq pop3
access-list inbound extended deny tcp any host 82.109.238.4 eq smtp log
access-list inbound extended permit tcp any host 82.109.238.6 eq 3389
access-list inbound extended permit tcp any host 82.109.238.4 eq https
access-list inbound extended permit tcp any host 82.109.238.6 eq ftp
access-list inbound extended permit tcp any host 82.109.238.6 eq telnet
access-list inbound extended permit tcp any host 82.109.238.6 eq www
access-list inbound extended permit tcp any host 82.109.238.6 eq 5201
access-list inbound extended permit udp any host 82.109.238.6 eq 1025
access-list inbound extended permit udp any host 82.109.238.6 eq 2074
access-list inbound extended permit udp any host 82.109.238.6 eq 2075
access-list inbound extended deny ip any any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.205.0 255.255.255.192
access-list metvpn extended permit ip 192.168.204.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list metvpn remark address 24-09-08 for access to unity express
access-list metvpn extended permit ip host 192.168.205.100 192.168.255.0 255.255.255.0
access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.205.48 255.255.255.240
access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.205.0 255.255.255.192
access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list nonat extended permit ip 192.168.204.0 255.255.255.0 192.168.100.0 255.255.255.240
access-list nonat extended permit ip host 192.168.205.100 192.168.255.0 255.255.255.0
access-list nonat extended permit ip 192.168.205.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_access_in extended permit tcp any any
access-list 101 extended permit ip 192.168.204.0 255.255.255.0 192.168.205.0 255.255.255.192
access-list Londonvpn extended permit ip 192.168.204.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list vpn-met-backup extended permit ip 192.168.204.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list outbound extended permit udp any any eq ntp
access-list outbound extended permit tcp host 192.168.204.24 any eq smtp log
access-list outbound extended permit tcp host 192.168.204.24 any eq https log
access-list outbound extended permit ip object-group MFM-BACKUP object-group MET-BACKUP
access-list outbound extended deny ip any 192.168.253.0 255.255.255.0
access-list outbound extended permit ip 192.168.205.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list outbound extended permit ip any any
access-list marl-client-vpn_splitTunnelAcl standard permit 192.168.204.0 255.255.255.0
access-list marl-client-vpn_splitTunnelAcl standard permit 192.168.205.0 255.255.255.0
access-list extended extended deny ip any any
pager lines 24
logging enable
logging buffer-size 65536
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu GUEST 1500
mtu management 1500
ip local pool Clinet-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
failover
failover lan unit secondary
failover lan interface Failover Ethernet0/2
failover key *****
failover link Failover Ethernet0/2
failover interface ip Failover 192.168.215.1 255.255.255.0 standby 192.168.215.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 82.109.238.4
nat (inside) 0 access-list nonat
nat (inside) 2 192.168.204.11 255.255.255.255
nat (inside) 2 192.168.204.12 255.255.255.255
nat (inside) 1 192.168.204.0 255.255.255.0
nat (GUEST) 1 192.168.77.0 255.255.255.0
static (inside,outside) tcp 82.109.238.4 https 192.168.204.24 https netmask 255.255.255.255
static (inside,outside) tcp 82.109.238.4 smtp 192.168.204.24 smtp netmask 255.255.255.255
static (inside,outside) tcp 82.109.238.4 pop3 192.168.204.15 pop3 netmask 255.255.255.255
static (inside,outside) tcp 82.109.238.5 ldap 192.168.204.10 ldap netmask 255.255.255.255
static (inside,outside) tcp 82.109.238.6 3389 192.168.204.26 3389 netmask 255.255.255.255
static (inside,outside) tcp 82.109.238.6 telnet 192.168.204.170 telnet netmask 255.255.255.255
static (inside,outside) tcp 82.109.238.6 www 192.168.204.170 www netmask 255.255.255.255
static (inside,outside) tcp 82.109.238.6 5201 192.168.204.170 5201 netmask 255.255.255.255
static (inside,outside) udp 82.109.238.6 1025 192.168.204.170 1025 netmask 255.255.255.255
static (inside,outside) udp 82.109.238.6 2074 192.168.204.170 2074 netmask 255.255.255.255
static (inside,outside) udp 82.109.238.6 2075 192.168.204.170 2075 netmask 255.255.255.255
static (inside,outside) tcp 82.109.238.6 ftp 192.168.204.170 ftp netmask 255.255.255.255
access-group inbound in interface outside
access-group outbound in interface inside
access-group guest in interface GUEST
route outside 0.0.0.0 0.0.0.0 82.109.238.1 1
route inside 192.168.205.0 255.255.255.0 192.168.204.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.204.0 255.255.255.0 inside
http 217.206.78.192 255.255.255.240 outside
no snmp-server location
no snmp-server contact
snmp-server community MFM
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 20 match address metvpn
crypto map outside_map 20 set peer met-bir
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 30 match address Londonvpn
crypto map outside_map 30 set peer LondonPix
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 101 match address vpn-met-backup
crypto map outside_map 101 set peer met-hc1
crypto map outside_map 101 set transform-set ESP-3DES-SHA
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 25
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.204.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 212.135.1.36 195.40.1.36
!
dhcpd address 192.168.77.10-192.168.77.20 GUEST
dhcpd enable GUEST
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 158.43.128.33
ntp server 158.43.128.66
group-policy marl-client-vpn internal
group-policy marl-client-vpn attributes
wins-server value 192.168.204.10 192.168.204.10
dns-server value 192.168.204.10 192.168.204.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value marl-client-vpn_splitTunnelAcl
default-domain value marlboroughfunds.com
username nowcomm password 6mgDBpf35tTgyYjf encrypted
username johnh password 1mirC13Epno6tdfv encrypted
username dannyl password 75jgebLSkEqwZCZ1 encrypted
username lindawf password 6KL7J1G4dMOJQHyt encrypted
username wayneg password JXN3V52DZrjIQ7mr encrypted
username metadmin password 0yBgZqK5ICOwSlT9 encrypted
username leanp password WJ8NfGczYwBJWvQ. encrypted
username leand password bWH.fO2xC9kW2nuz encrypted
username krisn password lx.q1jZwDSbcCcqu encrypted
username chawkes password TCaQ94hHk6NnozTW encrypted
username mfmsoftology password k5aBRfpOqBPVeSbG encrypted
username orchid password 4moL6SrGT0qiojn6 encrypted
username heleng password lNZRORt1GtQ/Oi02 encrypted
username allanhamer password nNZaF7j95Wy.ZQCw encrypted
username keith password gKCJhFSvHtbNEz8k encrypted
username [username]heleng password pGsY06jc.k/KOIh6 encrypted
username keitho password Qes/.8qABLFujmT4 encrypted
username andrewa password tfu6b029ItYA3sMo encrypted
username justind password mMGEasUsRr998h3a encrypted
tunnel-group 81.171.227.12 type ipsec-l2l
tunnel-group 81.171.227.12 ipsec-attributes
pre-shared-key *
tunnel-group 217.206.78.200 type ipsec-l2l
tunnel-group 217.206.78.200 ipsec-attributes
pre-shared-key *
tunnel-group 217.10.137.194 type ipsec-l2l
tunnel-group 217.10.137.194 ipsec-attributes
pre-shared-key *
tunnel-group marl-client-vpn type remote-access
tunnel-group marl-client-vpn general-attributes
address-pool Clinet-Pool
default-group-policy marl-client-vpn
tunnel-group marl-client-vpn ipsec-attributes
pre-shared-key *
tunnel-group 212.36.44.46 type ipsec-l2l
tunnel-group 212.36.44.46 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:d3760b3c23e2cee9f5e420734811cb5f
: end
mfm-bol-fw#
10-03-2012 04:43 AM
Hello Andrew,
Just to confirm, the requirement is that you have an inside CCTV station with IP address 192.168.204.170, and that PC wants to access 213.130.134.56 & 81.130.198.97 on the mentioned UDP & TCP ports. Or is it the other way around?
Harish.
10-03-2012 05:05 AM
Hi Harish,
It's actually both ways round. The CCTV company has requested that the ports be opened inbound AND outbound.
Thanks
Andrew
10-03-2012 05:22 AM
Hello Andrew,
OK. For the inside --> outside connection, it is already permitted and should be working, but for the outside --> inside connection you need a static public IP address where you NAT your server and allow the ports.
Regards
Harish
10-03-2012 05:54 AM
Yeah, I can FTP onto the server no problem using the external IP of 82.109.238.6:
static (inside,outside) tcp 82.109.238.6 telnet 192.168.204.170 telnet netmask 255.255.255.255
That is the IP that the CCTV people use.
I need to allow traffic from those ports outbound (alarms etc.) to the CCTV company's monitoring software.
Andrew
10-17-2012 02:19 PM
Hi Andrew,
I work in the CCTV industry, and have a fair bit of experience on the ASA5510 and 5550.
Out of the box, once NAT has been set up, an ASA will allow any inside address to initiate either a TCP or UDP session to the outside (think of it as punching a hole through the firewall) and will look for the corresponding return traffic and allow it back in.
Where the firewall does what it should do is when you want to allow the session to be initiated from the outside... out of the box, the ASA will block all traffic from the outside (untrusted) to the inside (trusted).
We have an application that will set up a UDP session from the inside to the remote device on port 15000 (allowed by default); when the remote device sees this, it then tries to initiate a TCP connection back into the ASA from the outside on the port range 15000 - 15007 (blocked by default).
I have configured the ASA with object groups and network objects. At present we have around 40 sites that connect back this way, using two different flavours of this (this one is the old version; the newer one uses RTP, so I have another object group for this).
By configuring this way, as you add more sites, all you need to do is add network objects with the site's IP address into your object group and the ASA does the rest for you. Makes life very easy.
The relevant parts of my config are pasted below (my client has a single device that is used for viewing all of these remote DVRs, but you could set up another object group for the allowed inside hosts that can connect to the outside devices, or a range). Don't forget to make sure that you have NAT translation sorted for the device/devices you are trying to connect from. Ask me how I know.....
object-group service AdproTCP tcp
description Adpro TCP Ports 15001 to 15007
port-object range 15001 15007
object-group network FASTTRACE_NETWORKS
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255
network-object x.x.x.x 255.255.255.255
access-list Outside_access_in extended permit tcp object-group FASTTRACE_NETWORKS host x.x.x.x object-group AdproTCP
Cheers
Mark
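Applying Mark's object-group approach to the ports and fixed addresses Andrew listed, as an added example that is not from any poster's config: the posted inbound rules permit these ports from any source, while the CCTVGroup object group already defined in the config holds the two fixed IPs, so the rules can be limited to those hosts. Object-group names CCTV-TCP and CCTV-UDP are assumed.

```cisco
! Added example (not from the posted config): service groups for the
! CCTV ports Andrew listed, so the ACL entries stay short and auditable.
object-group service CCTV-TCP tcp
 description CCTV TCP ports (ftp, telnet, www, 5201)
 port-object eq ftp
 port-object eq telnet
 port-object eq www
 port-object eq 5201
object-group service CCTV-UDP udp
 description CCTV UDP ports (1025, 2074, 2075)
 port-object eq 1025
 port-object range 2074 2075
!
! Remove the entries that admit these ports from any Internet source.
no access-list inbound extended permit tcp any host 82.109.238.6 eq ftp
no access-list inbound extended permit tcp any host 82.109.238.6 eq telnet
no access-list inbound extended permit tcp any host 82.109.238.6 eq www
no access-list inbound extended permit tcp any host 82.109.238.6 eq 5201
no access-list inbound extended permit udp any host 82.109.238.6 eq 1025
no access-list inbound extended permit udp any host 82.109.238.6 eq 2074
no access-list inbound extended permit udp any host 82.109.238.6 eq 2075
!
! New entries must sit above the explicit deny, so lift it and re-add it.
no access-list inbound extended deny ip any any
access-list inbound extended permit tcp object-group CCTVGroup host 82.109.238.6 object-group CCTV-TCP log
access-list inbound extended permit udp object-group CCTVGroup host 82.109.238.6 object-group CCTV-UDP log
access-list inbound extended deny ip any any
```

The outbound direction needs no change here: the posted outbound ACL ends in permit ip any any, which is why Harish says inside to outside already works. To confirm the result, show access-list inbound should list hit counts against the CCTVGroup entries rather than against any.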
10-19-2012 12:46 AM
Hello Andrew,
Try the following configuration...
It will surely help you to solve the problem. Instead of static PAT, you need to do NAT, as you have already allowed the traffic on particular ports through the access list.
no static (inside,outside) tcp 82.109.238.6 telnet 192.168.204.170 telnet netmask 255.255.255.255
no static (inside,outside) tcp 82.109.238.6 www 192.168.204.170 www netmask 255.255.255.255
no static (inside,outside) tcp 82.109.238.6 5201 192.168.204.170 5201 netmask 255.255.255.255
no static (inside,outside) udp 82.109.238.6 1025 192.168.204.170 1025 netmask 255.255.255.255
no static (inside,outside) udp 82.109.238.6 2074 192.168.204.170 2074 netmask 255.255.255.255
no static (inside,outside) udp 82.109.238.6 2075 192.168.204.170 2075 netmask 255.255.255.255
no static (inside,outside) tcp 82.109.238.6 ftp 192.168.204.170 ftp netmask 255.255.255.255
static (inside,outside) 82.109.238.6 192.168.204.170 netmask 255.255.255.255
Do this configuration and let me know if you have any problem.
Cheers
Saurabh