Port Forwarding on ASA 5505

mramirez
Level 1

I am trying to get my Cisco ASA 5505 to forward 2 ports to a server that runs a program called a repeater which is basically UltraVNC for remote access. The 2 ports are 5500 and 5901.

The server IP is 192.168.0.xx and my public IP is 173.165.93.xx

If I scan the two ports from outside my network using the following link they are open so I know the following commands below must be working somewhat but not entirely for the program to work.

http://www.yougetsignal.com/tools/open-ports

The problem is that the outside client cannot establish a connection with 192.168.0.xxx.

Here is more information regarding the program if that helps.

http://www.chunkvnc.com/installationguide.html

I thought the commands below are what I would need, but I think there is something that I am missing. I have attached the full config.

same-security-traffic permit intra-interface

access-list 110 extended permit tcp any any
access-list 110 extended permit icmp any any
access-list 110 extended permit tcp any host 173.165.93.xxx eq 5500
access-list 110 extended permit tcp any host 173.165.93.xxx eq 5901

static (Inside,outside) 173.165.93.xxx 192.168.0.xxx netmask 255.255.255.255
access-group 110 in interface outside

By the way, the application works great if I remove my Cisco ASA 5505 and connect a regular home Linksys router and use the application forwarding ports. I think the ASA is not allowing ports to go out the same interface they came in on??

Any help would be great!

Thanks,
Manny

23 Replies

This is what I got after the new commands were applied. You can see I got a hit for the IP any any.

Inserted the following commands

access-list 109 extended permit tcp any host 173.165.xxx eq 5500
access-list 109 extended permit tcp any host 173.165.xxx eq 5901
access-list 109 extended permit ip any any
access-group 109 out interface inside

CSC-ASA5505# sh access-list 109
access-list 109; 3 elements
access-list 109 line 1 extended permit tcp any host 173.165.xxx eq 5500 (hitcnt=0) 0xb21c4c10
access-list 109 line 2 extended permit tcp any host 173.165.xxx eq 5901 (hitcnt=0) 0x7f0234af
access-list 109 line 3 extended permit ip any any (hitcnt=1) 0xd21772a5

You're not using the right IPs on the ACL:

Should be:

access-list 109 permit tcp any host 192.168.0.x eq 5500
access-list 109 permit tcp any host 192.168.0.x eq 5901
access-list 109 permit ip any any
access-group 109 out interface inside

Assuming 192.168.0.x is the inside IP.

Please do the test again once you correct it.


Federico.

Sorry Federico, I noticed I mixed up the IPs. Here is the new show access-list 109.

CSC-ASA5505# sh access-list 109
access-list 109; 3 elements
access-list 109 line 1 extended permit tcp any host 192.168.0.xxx eq 5500 (hitcnt=1) 0x3aa31ae6
access-list 109 line 2 extended permit tcp any host 192.168.0.xx eq 5901 (hitcnt=0) 0x0821f806
access-list 109 line 3 extended permit ip any any (hitcnt=7) 0xd21772a5
CSC-ASA5505#

No hitcounts on this one:

access-list 109 line 2 extended permit tcp any host 192.168.0.xx eq 5901

But if you do get hitcounts we know the ASA is sending the traffic to the server... so, the problem seems the server is not replying back.

When you remove the ASA (and it works), how do you NAT the server?

Federico.

I know I am getting closer because the server program created a text file of the remote session of the client but the connection still fails.

I have attached a screen shot of how simple it is on the Cisco Valet Plus router.

Since you need both ports to get this working... check both ACLs (110 and 109) to make sure both lines on both ACLs are getting hitcounts.

From your last post, there were no hitcounts for 5901

Federico.
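Reading the hit counts off three lines by eye is fine, but the same check has to be repeated after every change, and real ACLs are longer. The following is an added example (not from the thread and not Cisco's code), in Python, that parses `show access-list` output in the pre-8.3 format shown above, sums the hits per TCP destination port, flags the expected ports whose entries never matched, and reports how much traffic fell through to the `permit ip any any` catch-all. The sample output is constructed from the thread's own listing, with the xxx octets left as placeholders; the regular expression only understands plain `host`/`any` entries with an optional `eq` port, so entries using object-groups or port ranges are skipped rather than parsed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the "sh access-list 109" listing posted in the
# thread (the xxx octets are placeholders, exactly as in the original post).
SAMPLE_OUTPUT = """\
CSC-ASA5505# sh access-list 109
access-list 109; 3 elements
access-list 109 line 1 extended permit tcp any host 192.168.0.xxx eq 5500 (hitcnt=1) 0x3aa31ae6
access-list 109 line 2 extended permit tcp any host 192.168.0.xxx eq 5901 (hitcnt=0) 0x0821f806
access-list 109 line 3 extended permit ip any any (hitcnt=7) 0xd21772a5
CSC-ASA5505#
"""

# One access-control entry (ACE) as printed by "show access-list" on an ASA
# using the pre-8.3 syntax seen in the thread.  Only the fields needed for the
# hit-count check are captured; the trailing hash and anything after it are
# ignored.  Object-group or port-range entries do not match and are skipped.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<src>.+?) "
    r"(?P<dst>host \S+|any)(?: eq (?P<port>\S+))? "
    r"\(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]
    hits: int


def parse_aces(output: str) -> List[Ace]:
    """Extract the ACEs from raw "show access-list" output; other lines are skipped."""
    aces: List[Ace] = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m is None:
            continue
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"],
                        m["src"], m["dst"], m["port"], int(m["hits"])))
    return aces


def hits_per_tcp_port(aces: List[Ace]) -> Dict[str, int]:
    """Sum the hit counts of every permit ACE that names a single TCP destination port."""
    totals: Dict[str, int] = {}
    for a in aces:
        if a.action == "permit" and a.proto == "tcp" and a.port is not None:
            totals[a.port] = totals.get(a.port, 0) + a.hits
    return totals


def unhit_ports(aces: List[Ace], expected_ports: List[str]) -> List[str]:
    """Expected ports with no permit ACE at all, or whose ACEs never matched a packet."""
    totals = hits_per_tcp_port(aces)
    return [p for p in expected_ports if totals.get(p, 0) == 0]


def catch_all_hits(aces: List[Ace]) -> int:
    """Hits on "permit ip any any": traffic the ASA passed that none of the
    port-specific entries above it accounted for."""
    return sum(a.hits for a in aces
               if a.action == "permit" and a.proto == "ip"
               and a.src == "any" and a.dst == "any")


if __name__ == "__main__":
    # Ports the VNC repeater in the thread needs; adjust for your own service.
    wanted = ["5500", "5901"]
    aces = parse_aces(SAMPLE_OUTPUT)
    for port, n in hits_per_tcp_port(aces).items():
        print(f"tcp/{port}: {n} hit(s)")
    missing = unhit_ports(aces, wanted)
    if missing:
        print("never matched:", ", ".join(f"tcp/{p}" for p in missing))
    print("fell through to permit ip any any:", catch_all_hits(aces), "hit(s)")
```

Run against the sample it reports tcp/5901 as never matched while the catch-all has seven hits, which is the same conclusion Federico draws from the listing: the ASA is passing traffic, but nothing destined for the second port has arrived at that interface yet. Paste the real `show access-list` output into `SAMPLE_OUTPUT`, or read it from a file, and compare the result before and after each test connection.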

Ok it is working now! I ended up rebooting the Cisco ASA since I was getting a text file on the remote server.

I appreciate your help! Seems like the access list 109 did it.

Thanks again.

Glad it worked, but actually the ACL 109 is doing nothing (it was just to show traffic)..

You can safely delete it :-)

Federico.
