Opening Ports on a 5505

ismith
Level 1

Hi. I am trying to configure a new 5505 but I am having difficulties opening ports that allow traffic in from the outside. My setup is Comcast Business Modem (w/ single static IP) -> ASA (10.0.0.1) -> (dumb) Switch -> NAS (10.0.0.10). I am attempting to open port 5001 to the NAS. I am very new to IOS so I have mostly been working in ASDM. Not sure if I am overcomplicating this for myself or what, but I am stuck.

My running config is -

ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.10 MiniSrvr description MiniSrvr
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.x.x.249 255.255.255.252
!
ftp mode passive
object-group service Syno_HTTPS tcp
 port-object eq 5001
object-group service DM_INLINE_TCP_1 tcp
 group-object Syno_HTTPS
 port-object eq https
access-list outside_access_in extended permit tcp any host MiniSrvr object-group DM_INLINE_TCP_1
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5001 MiniSrvr 5001 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.x.x.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd lease 38600
!
dhcpd address 10.0.0.100-10.0.0.199 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
username xxx password XTTcBNvipbwHw4hk encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:33ba890463db57b8ad5a2ecbf378b412
: end

4 Replies

Your ACL is wrong. With version 8.2x you have to use the translated IP in the ACL. With only one IP you can also use the keyword "interface":

access-list outside_access_in extended permit tcp any interface eq 5001
no access-list outside_access_in extended permit tcp any host MiniSrvr object-group DM_INLINE_TCP_1

static (inside,outside) tcp interface 5001 MiniSrvr 5001 netmask 255.255.255.255

That will forward tcp/5001 arriving on the external interface to your MiniSrvr on port tcp/5001.


BTW: You should move this question to Security->Firewalling.


Sent from Cisco Technical Support iPad App

Moved. Thanks.

When I tried to run the first command I get an error -

Result of the command: "access-list outside_access_in extended permit tcp any interface eq 5001"

access-list outside_access_in extended permit tcp any interface eq 5001

                                                                ^

ERROR: % Invalid Hostname

Hi Lan,

This line is wrong

access-list outside_access_in extended permit tcp any host MiniSrvr object-group DM_INLINE_TCP_1

it should be

access-list outside_access_in extended permit tcp any host 74.x.x.249 object-group DM_INLINE_TCP_1

Please rate this post if helpful.

>When I tried to run the first command I get an error -

>Result of the command: "access-list outside_access_in extended permit tcp any interface eq 5001"
>access-list outside_access_in extended permit tcp any interface eq 5001

I forgot the interface name after the keyword "interface". The right command is:

access-list outside_access_in extended permit tcp any interface outside eq 5001


Sent from Cisco Technical Support iPad App
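The mistake the replies identify (an ACL on ASA 8.2 written against the inside host instead of the translated address) can be caught before the config is pushed. The following Python lint is an added example, not part of this thread or of any Cisco tool: it parses `name`, `nameif`/`ip address`, port-forwarding `static` and extended `access-list` lines and flags any ACE whose destination is a real (pre-NAT) address. The sample config is constructed from the thread, with 203.0.113.249 standing in for the masked outside IP.

```python
import re
# Constructed sample modelled on the thread's 8.2(5) config; 203.0.113.249 is a
# documentation-range placeholder standing in for the poster's masked 74.x.x.249.
SAMPLE_CONFIG = """\
name 10.0.0.10 MiniSrvr description MiniSrvr
interface Vlan2
 nameif outside
 ip address 203.0.113.249 255.255.255.252
access-list outside_access_in extended permit tcp any host MiniSrvr object-group DM_INLINE_TCP_1
static (inside,outside) tcp interface 5001 MiniSrvr 5001 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace("any host MiniSrvr object-group DM_INLINE_TCP_1",
                                     "any interface outside eq 5001")  # ACE as the last reply recommends
# static (real_if,mapped_if) tcp|udp <mapped> <mapped_port> <real> <real_port> ...
STATIC_RE = re.compile(r"static \(\w+,(\w+)\) (?:tcp|udp) (\S+) \S+ (\S+) \S+")
def parse(config):
    """Collect name aliases, per-nameif addresses, port statics and extended ACEs."""
    names, if_ip, statics, aces, nameif = {}, {}, [], [], None
    for line in config.splitlines():
        t = line.split() or ["!"]          # treat blank lines like comment lines
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[0] == "interface":
            nameif = None                  # new block: forget the previous nameif
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            if_ip[nameif] = t[2]
        elif t[0] == "static" and STATIC_RE.match(line):
            statics.append(STATIC_RE.match(line).groups())  # (mapped_if, mapped, real)
        elif t[0] == "access-list" and "extended" in t:
            aces.append(line)
    return names, if_ip, statics, aces
def check_acl_uses_mapped_addresses(config):
    """Return (acl, real_ip, mapped_ip) for every ACE that names a pre-NAT address.
    On 8.2 (pre-8.3 NAT) an inbound ACL is matched against the translated address,
    so the ACE must name the outside IP or 'interface outside', not the inside host."""
    names, if_ip, statics, aces = parse(config)
    real_to_mapped = {}
    for mapped_if, mapped, real in statics:
        mapped_ip = if_ip.get(mapped_if) if mapped == "interface" else names.get(mapped, mapped)
        real_to_mapped[names.get(real, real)] = mapped_ip
    findings = []
    for ace in aces:
        hosts = re.findall(r"\bhost (\S+)", ace)  # the last 'host' token is the destination
        dest = names.get(hosts[-1], hosts[-1]) if hosts else None
        if dest in real_to_mapped:
            findings.append((ace.split()[1], dest, real_to_mapped[dest]))
    return findings
```

Running the check on the thread's original ACE reports the inside address and the outside address it should have named; on FIXED_CONFIG it reports nothing.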
