10-02-2012 12:51 PM - edited 03-11-2019 05:03 PM
After banging my head on my keyboard for about 3 days straight now I have to ask for help. I am trying to forward specific ports from the outside interface on my ASA5505 to my servers inside and can not get it to work! I have a VPN that currently works and the firewall rule in place I am just overlooking something simple I'm sure. Here is the config:
ASA Version 8.2(5)
!
hostname ASA
enable password <removed>
passwd <removed>
names
name 172.20.2.4 DC
name 172.20.2.7 VP
name 172.20.2.24 AP
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.0.3 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address <Public-IP> 255.255.255.252
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 172.20.22.0 255.255.255.192
access-list outside_access_in extended permit tcp any host <Public-IP>eq 2332
access-list outside_access_in extended permit tcp any host <Public-IP>eq 5901
access-list outside_access_in extended permit tcp any host <Public-IP>eq 5500
access-list outside_access_in extended permit tcp any host <Public-IP>eq 5705
access-list outside_access_in extended permit tcp any host <Public-IP>eq 81
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPN-IP-Pool 172.20.22.1-172.20.22.55 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.20.0.0 255.255.0.0
static (inside,outside) tcp interface 2332 VP 2332 netmask 255.255.255.255
static (inside,outside) tcp interface 5901 VP 5901 netmask 255.255.255.255
static (inside,outside) tcp interface 5500 VP 5500 netmask 255.255.255.255
static (inside,outside) tcp interface 5705 AP 5705 netmask 255.255.255.255
static (inside,outside) tcp interface 81 AP 81 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Radius protocol radius
aaa-server Radius (inside) host 172.20.0.3
timeout 5
key *****
aaa-server Radius (inside) host DC
timeout 5
key *****
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set VPN esp-des esp-sha-hmac
crypto ipsec transform-set VPN mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto map vpn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 15
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.20.0.0 255.255.0.0 inside
ssh timeout 20
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 172.20.2.4
vpn-tunnel-protocol l2tp-ipsec
default-domain value hq.vertique.com
username admin password <removed> privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-IP-Pool
authentication-server-group Radius
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Thanks in advance for any input!
Solved! Go to Solution.
10-04-2012 07:23 AM
yup, you can't possibly have all the internet routes configured on the server, so yes, the server will definitely use default gateway to route back the traffic.
And no, it is not how the server would respond back to the same ASA where the traffic is coming from. Server will respond back by routing via its default gateway since the traffic is from the internet, it will use a default gateway coz you couldn't possibly configure static routes or have the whole internet in your server routing table.
As a test, just configure the server default gateway to point to this ASA, i am sure you will be able to access it from the internet with no issue.
10-05-2012 09:21 AM
Thank you for the help! I knew it was something overly simple and stupid I was overlooking!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide