02-07-2011 07:41 PM - edited 03-11-2019 12:46 PM
I am trying to get my Cisco ASA 5505 to forward 2 ports to a server that runs a program called a repeater which is basically UltraVNC for remote access. The 2 ports are 5500 and 5901.
The server IP is 192.168.0.xx and my public IP is 173.165.93.xx
If I scan the two ports from outside my network using the following link, they show as open, so I know the commands below must be working somewhat, but not entirely, since the program still does not work.
http://www.yougetsignal.com/tools/open-ports
The problem is that the outside client can not establish a connection with 192.168.0.xxx.
Here is more information regarding the program if that helps.
http://www.chunkvnc.com/installationguide.html
I thought the commands below are what I would need, but I think there is something that I am missing. I have attached the full config.
same-security-traffic permit intra-interface
access-list 110 extended permit tcp any any
access-list 110 extended permit icmp any any
access-list 110 extended permit tcp any host 173.165.93.xxx eq 5500
access-list 110 extended permit tcp any host 173.165.93.xxx eq 5901
static (Inside,outside) 173.165.93.xxx 192.168.0.xxx netmask 255.255.255.255
access-group 110 in interface outside
By the way, the application works great if I remove my Cisco ASA 5505, connect a regular home Linksys router and use port forwarding for the application. I think the ASA is not allowing traffic to go out the same interface it came in on??
Any help would be great!
Thanks,
Manny
02-07-2011 08:55 PM
Since you need both ports to get this working... check both ACLs (110 and 109) to make sure both lines on both ACLs are getting hitcounts.
From your last post, there were no hitcounts for 5901
Federico.
02-07-2011 07:49 PM
Hi,
You're trying to reach an internal server via two ports, why would the ASA have to reroute the traffic back out the same interface?
The command you need is this:
static (Inside,outside) 173.165.93.xxx 192.168.0.xxx netmask 255.255.255.255
It means whatever reaches 173.165.93.xxx will be sent by the ASA to 192.168.0.xxx
By the way, you're not only allowing those ports but TCP and ICMP according to the ACL.
What I would do is check the logs (show log) and see what the ASA reports for this connection, to see why it's not working.
Federico.
02-07-2011 08:01 PM
Hi,
I already have the command you suggested in the ASA (static (Inside,outside) 173.165.93.xxx 192.168.0.xxx netmask 255.255.255.255). I also have the 2 following commands below that open the 2 ports, 5500 & 5901.
access-list 110 extended permit tcp any host 173.165.93.xxx eq 5500
access-list 110 extended permit tcp any host 173.165.93.xxx eq 5901
I do not see anything in the log that tells me otherwise. Currently I can remote desktop into the server by opening port 3389 from the outside.
Do you know how I would turn on debugging for the ASA to monitor these ports?
Thanks,
Manny
02-07-2011 08:04 PM
Easy way...
show access-list 110
Will show if traffic is matching those lines for those ports.
To check if the ASA is forwarding those ports to the inside server:
access-list 109 permit tcp any host 192.168.0.x eq 5500
access-list 109 permit tcp any host 192.168.0.x eq 5901
access-list 109 permit ip any any
access-group 109 out interface inside
A show access-list 109 will show if the ASA is sending the traffic.
Federico.
02-07-2011 08:12 PM
OK, I just tried putting the program onto another PC to make sure it wasn't the server, and the ASA came up with this.
%ASA-4-106023: Deny tcp src outside:67.167.xxx.xxxx/54318 dst Inside:173.165.93.xxxx/5500 by access-group "110" [0x0, 0x0]
The 67.xxxx is the outside pc and the 173.165.93.xxx is the server running the program.
Any ideas??
02-07-2011 08:15 PM
The error means the ASA is denying the connection on that port.
Could you verify your ACL is correct?
sh run access-list
sh run access-group
And make sure the IPs are correct.
Federico.
02-07-2011 08:17 PM
OK, disregard the previous post because I had not put the 2 commands in.
access-list 110 extended permit tcp any host 173.165xxxx eq 5901
access-list 110 extended permit tcp any host 173.165.xxx eq 5500
After inserting the commands I get a successful connection, but the program still does not connect.
%ASA-6-302013: Built outbound TCP connection 789 for outside:173.165.93.163/5901 (173.165.93.163/5901) to Inside:192.168.0.9/2616 (173.165.93.161/20803)
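Federico's advice to read show log, and the two messages Manny quoted (a 106023 ACL deny and a 302013 built connection), can be checked mechanically rather than by eye. The script below is an added example written for this edit, not code from the thread or from Cisco. It parses those two message types from constructed sample lines (RFC 5737 addresses stand in for the masked ones) and reports, for the watched ports, what the outside ACL denied, what was forwarded to the inside server through the static, and any outbound build in which an inside host opened a connection to the server's public address, the hairpin case Manny suspected in his first post. It assumes the 302013 layout in which the "for" clause is always the lower-security (outside) side and the "to" clause the higher-security (inside) side, with inbound/outbound saying who opened the connection; the regexes, STATIC_NAT and WATCH_PORTS are illustrative values, not anything from the original config.

```python
"""Triage ASA syslog lines for a static-NAT port forward.

Added example, not from the thread: parses the two message types quoted in it
(106023 ACL deny, 302013 TCP connection built) and reports, for a set of watched
ports, what was denied, what reached the inside server, and which connections
were an inside host trying to reach the server's public (translated) address.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# %ASA-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" [...]
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# %ASA-6-302013: Built <inbound|outbound> TCP connection <id>
#   for <if>:<real>/<port> (<mapped>/<port>) to <if>:<real>/<port> (<mapped>/<port>)
# Assumed convention (matches the line quoted in the thread): "for" is always the
# lower-security side, "to" the higher-security side; the direction word says who
# opened the connection.
BUILT_RE = re.compile(
    r'%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<cid>\d+) '
    r'for (?P<lif>[^:]+):(?P<lip>[\d.]+)/(?P<lport>\d+) \((?P<lmip>[\d.]+)/(?P<lmport>\d+)\) '
    r'to (?P<hif>[^:]+):(?P<hip>[\d.]+)/(?P<hport>\d+) \((?P<hmip>[\d.]+)/(?P<hmport>\d+)\)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a 106023 or 302013 message plus a 'kind' key, else None."""
    m = DENY_RE.search(line)
    if m:
        return {"kind": "deny", **m.groupdict()}
    m = BUILT_RE.search(line)
    if m:
        return {"kind": "built", **m.groupdict()}
    return None


def triage(lines: Iterable[str], static_nat: Dict[str, str], watch_ports: Iterable[int]):
    """Classify connection events for the watched ports.

    static_nat: {public_ip: inside_ip}, i.e. what 'static (Inside,outside) ...' maps.
    Returns a dict with:
      denied    - Counter keyed by (acl_name, dst_port) for 106023 denies on watched ports
      forwarded - list of (outside_src_ip, port, inside_real_ip) for inbound builds that
                  reached the inside server on a watched port
      hairpin   - list of (inside_src_ip, public_ip, port) for outbound builds where an
                  inside host opened a connection to a static-NAT public address
    """
    watch = set(watch_ports)
    denied: Counter = Counter()
    forwarded: List[Tuple[str, int, str]] = []
    hairpin: List[Tuple[str, str, int]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not one of the two message types we care about
        if ev["kind"] == "deny":
            dport = int(ev["dport"])
            if dport in watch:
                denied[(ev["acl"], dport)] += 1
            continue
        if ev["direction"] == "inbound":
            # outside host -> inside server; the real inside address is in the "to" clause
            port = int(ev["hport"])
            if port in watch and ev["hmip"] in static_nat:
                forwarded.append((ev["lip"], port, ev["hip"]))
        else:
            # inside host -> outside; the destination it asked for is in the "for" clause
            port = int(ev["lport"])
            if ev["lip"] in static_nat and port in watch:
                hairpin.append((ev["hip"], ev["lip"], port))
    return {"denied": denied, "forwarded": forwarded, "hairpin": hairpin}


# Constructed sample lines (RFC 5737 addresses), modelled on the messages quoted in the thread.
SAMPLE_LOG = [
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/54318 dst Inside:203.0.113.163/5500 by access-group "110" [0x0, 0x0]',
    '%ASA-6-302013: Built inbound TCP connection 801 for outside:198.51.100.7/54320 (198.51.100.7/54320) to Inside:192.168.0.9/5500 (203.0.113.163/5500)',
    '%ASA-6-302013: Built outbound TCP connection 789 for outside:203.0.113.163/5901 (203.0.113.163/5901) to Inside:192.168.0.20/2616 (203.0.113.161/20803)',
    '%ASA-6-302013: Built outbound TCP connection 790 for outside:198.51.100.50/443 (198.51.100.50/443) to Inside:192.168.0.20/50123 (203.0.113.161/50123)',
    '%ASA-6-302014: Teardown TCP connection 790 for outside:198.51.100.50/443 to Inside:192.168.0.20/50123 duration 0:00:02 bytes 1234 TCP FINs',
]
STATIC_NAT = {"203.0.113.163": "192.168.0.9"}  # illustrative public -> inside mapping
WATCH_PORTS = (5500, 5901)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, STATIC_NAT, WATCH_PORTS).items():
        print(key, value)
```

Run against a saved show log, a non-empty denied counter means the outside ACL is still missing a line (the 106023 case), forwarded entries confirm the static is translating to the inside server, and hairpin entries show an inside client connecting to the server's public address, which the static plus the outside ACL alone do not cover.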
02-07-2011 08:19 PM
When I do the command show access-list 110, I get the following.
access-list 110 line 47 extended permit tcp any host 173.165.xxxx eq 5500 (hitcnt=3) 0x14a6743d
access-list 110 line 48 extended permit tcp any host 173.165.xxxx eq 5901 (hitcnt=1) 0x3ab1819a
02-07-2011 08:19 PM
Please check the ACL applied to the inside interface in the outbound direction.
Federico.
02-07-2011 08:21 PM
Do you mean this command?
access-group 110 in interface outside
02-07-2011 08:23 PM
To check if the ASA is forwarding those ports to the inside server:
access-list 109 permit tcp any host 192.168.0.x eq 5500
access-list 109 permit tcp any host 192.168.0.x eq 5901
access-list 109 permit ip any any
access-group 109 out interface inside
A show access-list 109 will show if the ASA is sending the traffic.
Federico.
02-07-2011 08:26 PM
Hi, I do not have access-list 109 but 110. When I do the show access-list 110, I can see that it forwards traffic to that port because I have hitcnt=4 and hitcnt=2. This is what you mean correct? If it was 0 then it would mean that no traffic is being passed.
Manny
02-07-2011 08:28 PM
Yes.
With ACL 110 we know the traffic is hitting the ASA.
What I'm trying to determine with ACL 109 (a new ACL) is if the ASA is forwarding the traffic to the internal server.
Federico.
02-07-2011 08:33 PM
Do I have to remove the 110 ACL for that server before applying 109?
02-07-2011 08:39 PM
Not at all, just add the commands I gave you and check the hitcounts.
Federico.