Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2392
Views
0
Helpful
20
Replies

Simple Port Forwarding / ACL Question

macdady843
Level 1
Level 1

‎11-27-2012 08:11 AM - edited ‎03-11-2019 05:28 PM

Hi Everyone,

I'm kind of a novice when it comes to Cisco configuration. I went to college for networking but haven't used it enough since graduating and I'm having some trouble with opening some ports for email to my home PC.

Specifically i'm trying to set up IMAP with Gmail to be downloaded to my Mozilla Thunderbird client. I'm using a similar syntax for other ports that i've opened but it isn't working. I also did a "show access list" and saw that one of my rules had hit counts on it but i'm not sure what this means as far as troubleshooting goes.

Can someone lend a hand and explain what i'm doing wrong? If you're feeling extra nice could you let me know what I would need to do to open some Xbox Live ports as well? The rules aren't set up yet but the ports are present in my config. I've bolded the relevant ports below.

*** Config ****

ASA Version 8.2(5)

!

hostname RyansFirewall

enable password C5OQraC02mISnP8p encrypted

passwd 3mBdM08UO1apR0bB encrypted

names

name 192.168.1.130 theking

name 192.168.1.240 wap

name 192.168.1.252 cam

name 192.168.1.253 switch

name 192.168.1.150 xbox

name x.x.x.x vpnreactor

name x.x.x.x HSoftware

name x.x.x.x Mom_and_Dad

!

interface Ethernet0/0

description Connection_to_Cable_Modem

switchport access vlan 10

!

interface Ethernet0/1

description Cisco_Catalyst_2960

!

interface Ethernet0/2

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

description Guest_Wireless

switchport access vlan 20

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

description Private_Internal_Lan

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Vlan10

description WOW_Internet

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan20

description Guest_Wireless

no forward interface Vlan1

nameif dmz

security-level 30

ip address 172.16.1.254 255.255.255.0

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone Eastern -5

object-group network outside_ip_group

description This group contains a list of allowed public IP Addresses

network-object HSoftware 255.255.255.255

network-object Mom_and_Dad 255.255.255.255

object-group service Xbox_Ports tcp-udp

description Ports needed for Xbox Live

port-object eq www

port-object eq 88

port-object eq domain

port-object eq 3074

object-group service Email_Ports tcp-udp

description Ports needed for Email

port-object eq 143

port-object eq 465

port-object eq 587

port-object eq 993

access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 1024

access-list outside_access_in extended permit tcp any any eq 3389

access-list outside_access_in extended permit tcp any any eq ftp

access-list outside_access_in extended permit gre host vpnreactor host theking

access-list outside_access_in extended permit tcp host vpnreactor host theking eq pptp

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 5900

access-list outside_access_in extended permit tcp any any object-group Email_Ports

access-list outside_access_in extended permit udp any any object-group Email_Ports

pager lines 24

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 access-list outside_access_in

nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255

static (inside,outside) tcp interface ftp theking ftp netmask 255.255.255.255

static (inside,outside) tcp interface 1024 cam 1024 netmask 255.255.255.255

static (inside,outside) tcp interface 5900 theking 5900 netmask 255.255.255.255

static (inside,outside) tcp interface 143 theking 143 netmask 255.255.255.255

static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255

static (inside,outside) tcp interface 587 theking 587 netmask 255.255.255.255

static (inside,outside) tcp interface 993 theking 993 netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh Mom_and_Dad 255.255.255.255 outside

ssh HSoftware 255.255.255.255 outside

ssh timeout 10

console timeout 10

dhcpd address 192.168.1.2-192.168.1.25 inside

dhcpd dns x.x.x.x x.x.x.x interface inside

dhcpd lease 10800 interface inside

dhcpd domain RyanJohn interface inside

dhcpd enable inside

!

dhcpd address 172.16.1.2-172.16.1.25 dmz

dhcpd dns 8.8.8.8 8.8.4.4 interface dmz

dhcpd domain RyanJohnGuest interface dmz

dhcpd enable dmz

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username XXXXX password ZpRIy72StEDDpdfG encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect pptp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3c7abf7d5d55aba0e19d5da340132000

: end

*** Show Access List ****

RyansFirewall# show access-list outside_access_in

access-list outside_access_in; 19 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit tcp object-group outside_ip_group any eq 1024 0xf13a69fb

  access-list outside_access_in line 1 extended permit tcp host HSoftware any eq 1024 (hitcnt=0) 0xc8c42900

  access-list outside_access_in line 1 extended permit tcp host Mom_and_Dad any eq 1024 (hitcnt=0) 0x7e777675

access-list outside_access_in line 2 extended permit tcp any any eq 3389 (hitcnt=7451) 0x51a647d7

access-list outside_access_in line 3 extended permit tcp any any eq ftp (hitcnt=11) 0x8d0d5aac

access-list outside_access_in line 4 extended permit gre host vpnreactor host theking (hitcnt=0) 0x894a4bbb

access-list outside_access_in line 5 extended permit tcp host vpnreactor host theking eq pptp (hitcnt=0) 0xcb0322a8

access-list outside_access_in line 6 extended permit icmp any any echo-reply (hitcnt=563) 0x54b872f3

access-list outside_access_in line 7 extended permit icmp any any time-exceeded (hitcnt=703) 0x03690eb3

access-list outside_access_in line 8 extended permit icmp any any unreachable (hitcnt=7408) 0x5c2fa603

access-list outside_access_in line 9 extended permit tcp object-group outside_ip_group any eq 5900 0xe88875b2

  access-list outside_access_in line 9 extended permit tcp host HSoftware any eq 5900 (hitcnt=0) 0x2208e16f

  access-list outside_access_in line 9 extended permit tcp host Mom_and_Dad any eq 5900 (hitcnt=0) 0xa3aaaedd

access-list outside_access_in line 10 extended permit tcp any any object-group Email_Ports 0x91529965

  access-list outside_access_in line 10 extended permit tcp any any eq imap4 (hitcnt=17) 0x53d153bd

  access-list outside_access_in line 10 extended permit tcp any any eq 465 (hitcnt=0) 0x4d992f5e

  access-list outside_access_in line 10 extended permit tcp any any eq 587 (hitcnt=0) 0x734d200d

  access-list outside_access_in line 10 extended permit tcp any any eq 993 (hitcnt=0) 0xb91930a9

access-list outside_access_in line 11 extended permit udp any any object-group Email_Ports 0xe12dbb9d

  access-list outside_access_in line 11 extended permit udp any any eq 143 (hitcnt=0) 0x34d1c49d

  access-list outside_access_in line 11 extended permit udp any any eq 465 (hitcnt=0) 0x5cc4b908

  access-list outside_access_in line 11 extended permit udp any any eq 587 (hitcnt=0) 0x6e3b53a3

  access-list outside_access_in line 11 extended permit udp any any eq 993 (hitcnt=0) 0x7f9dd9b7

Labels:
0 Helpful
20 Replies 20

lanbrown
Level 1
Level 1
In response to macdady843

‎11-28-2012 10:44 AM

I wouldn’t trust certain regions in the world; I would at least use different ports. You could keep them the same on the inside, but on the outside you wouldn’t be connecting to 3389.  Ideally you would use different ports (unless you can’t) but also create a list of subnets that can use that service and deny the rest.

From the capture, we did see traffic.  Was that traffic from the telnet command?  Try the packet tracer command again but instead of 192.168.1.10 use the machine you are trying to get the e-mail client to work on.

0 Helpful

macdady843
Level 1
Level 1
In response to lanbrown

‎11-28-2012 11:00 AM

Yes the capture was from the telnet command. I re-ran the packet tracer to my machine IP address and got the same success result.

0 Helpful

lanbrown
Level 1
Level 1
In response to macdady843

‎11-28-2012 11:09 AM

What OS are you using?  Is a software firewall being used on the local machine?

0 Helpful

macdady843
Level 1
Level 1
In response to lanbrown

‎11-29-2012 06:35 AM

I'm using Windows XP and I do have a Zone Alarm software firewall but i've disabled it for purposes of this testing.

0 Helpful

lanbrown
Level 1
Level 1
In response to macdady843

‎11-29-2012 07:19 AM

If the firewall is dropping the traffic for any reason, then this will show us:

cap IMAP type asp-drop all real-time

Perform your IMAP test with your mail client and post the results.

0 Helpful

macdady843
Level 1
Level 1
In response to lanbrown

‎11-30-2012 01:07 PM

So I went ahead and set up the ASDM console which I hadn't used before and somehow got it working. Not really sure what changed except for the fact that there is a command called "nat-control" now present. I pasted the new config below if you'd like to compare. Thanks for the help.

ASA Version 8.2(5)

!

hostname RyansFirewall

enable password C5OQraC02mISnP8p encrypted

passwd 3mBdM08UO1apR0bB encrypted

names

name 192.168.1.130 theking

name 192.168.1.240 wap

name 192.168.1.252 cam

name 192.168.1.253 switch

name 192.168.1.150 xbox

name 76.73.18.130 vpnreactor

name x.x.x.x HSoftware

name x.x.x.x Mom_and_Dad

!

interface Ethernet0/0

description Connection_to_Cable_Modem

switchport access vlan 10

!

interface Ethernet0/1

description Cisco_Catalyst_2960

!

interface Ethernet0/2

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

description Guest_Wireless

switchport access vlan 20

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

description Private_Internal_Lan

nameif inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Vlan10

description WOW_Internet

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan20

description Guest_Wireless

no forward interface Vlan1

nameif dmz

security-level 30

ip address 172.16.1.254 255.255.255.0

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone Eastern -5

same-security-traffic permit intra-interface

object-group network outside_ip_group

description This group contains a list of allowed public IP Addresses

network-object HylandSoftware 255.255.255.255

network-object Mom_and_Dad 255.255.255.255

object-group service Xbox_Ports

service-object tcp-udp eq 3074

service-object tcp-udp eq domain

service-object tcp eq www

service-object udp eq 88

object-group service Email_Ports

service-object tcp eq 465

service-object tcp eq 587

service-object tcp eq 933

service-object tcp eq imap4

access-list outside_access_in extended permit gre host vpnreactor host theking

access-list outside_access_in extended permit tcp host vpnreactor host theking eq pptp

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit icmp any any time-exceeded

access-list outside_access_in extended permit icmp any any unreachable

access-list outside_access_in extended permit tcp any host theking eq 4444

access-list outside_access_in extended permit object-group Xbox_Ports any host xbox

pager lines 24

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 access-list outside_access_in dns

nat (dmz) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 4444 theking 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh Mom_and_Dad 255.255.255.255 outside

ssh HylandSoftware 255.255.255.255 outside

ssh timeout 10

console timeout 10

dhcpd address 192.168.1.2-192.168.1.25 inside

dhcpd dns 64.233.214.34 64.233.214.41 interface inside

dhcpd lease 10800 interface inside

dhcpd domain RyanJohn interface inside

dhcpd enable inside

!

dhcpd address 172.16.1.2-172.16.1.25 dmz

dhcpd dns 8.8.8.8 8.8.4.4 interface dmz

dhcpd domain RyanJohnGuest interface dmz

dhcpd enable dmz

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username rfosco password ZpRIy72StEDDpdfG encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect pptp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:07d54f18cd4da365f9afc97d5c4ffb12

: end

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card