ASA 5510 Port Triggering not working for inbound connection

kevin.r.bailey1 (Level 1)

I am successfully getting INSIDE computers to connect to Internet. INSIDE computers can see and "interact" with each other normally.

I am having difficulty with getting an outside application server to connect to an inside application server using MySQL connections. I am hoping to use port triggering to use a non-standard port on the Internet exposed side of the connection.

 

I am trying to let the outside application server (X.Y.Z.114) request a connection to my outside interface (A.B.C.D) with port 50002. This would then trigger the ASA5510 to create a connection from there to my inside application server (172.16.83.4) on port 3306.

X.Y.Z.114(any)>>>INTERNET>>>A.B.C.D(50002)===(outside interface)ASA5510(inside interface)===172.16.83.1(???)>>>172.16.83.4(3306)

 

I thought I had found all the instructions needed and set it up properly but have not had success connecting. Turning on logging debug I can see the "TCP request discarded from X.Y.Z.114/48725 to outside:A.B.C.D/50002"

 

Here is my config. I have also attached a .txt file for use if preferred.

CiscoASA5510(config)# show config
: Saved
: Written by enable_15 at 08:27:08.843 PST Thu Mar 5 2015
!
ASA Version 8.2(5)
!
hostname CiscoASA5510
enable password &&&&&&&&& encrypted
passwd &&&&&&&&& encrypted
names
name 172.16.83.0 LocalLAN
name 173.8.224.19 VendorOffice
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 nameif outside
 security-level 0
 pppoe client vpdn group ISPlink
 ip address pppoe setroute
!
interface Redundant2
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 172.16.83.1 255.255.255.192
!
banner exec Access to this device is restricted.
banner exec If you are not authorized to connect to this device, disconnect immediately.
banner exec Unauthorized access is punishable by law.
banner exec All device activity is logged and reviewed for unauthorized access.
banner login Access to this device is restricted.
banner login If you are not authorized to connect to this device, disconnect immediately.
banner login Unauthorized access is punishable by law.
banner login All device activity is logged and reviewed for unauthorized access.
banner asdm Access to this device is restricted.
banner asdm If you are not authorized to connect to this device, disconnect immediately.
banner asdm Unauthorized access is punishable by law.
banner asdm All device activity is logged and reviewed for unauthorized access.
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
access-list INSIDE-IN-ACL extended permit ip LocalLAN 255.255.255.192 any
access-list INSIDE-IN-ACL remark - Allow inside connections to outside
access-list INSIDE-IN-ACL extended permit udp LocalLAN 255.255.255.192 any eq ntp
access-list INSIDE-IN-ACL extended permit tcp LocalLAN 255.255.255.192 any eq www
access-list INSIDE-IN-ACL extended permit udp LocalLAN 255.255.255.192 any eq www
access-list INSIDE-IN-ACL extended permit tcp LocalLAN 255.255.255.192 any eq 8080
access-list INSIDE-IN-ACL extended permit udp LocalLAN 255.255.255.192 any eq 8080
access-list INSIDE-IN-ACL extended permit tcp LocalLAN 255.255.255.192 any eq https
access-list INSIDE-IN-ACL remark - Allow Application Server connections to outside
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any eq 3306
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any eq smtp
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any eq 8181
access-list INSIDE-IN-ACL extended permit udp host 172.16.83.4 any eq 8181
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any eq ssh
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any range 50001 50010
access-list INSIDE-IN-ACL extended permit udp host 172.16.83.4 any range 50001 50010
access-list OUTSIDE-IN-ACL extended permit tcp host X.Y.Z.126 host 172.16.83.4
access-list OUTSIDE-IN-ACL extended permit tcp host X.Y.Z.114 host 172.16.83.4
access-list INSIDE-OUT-ACL remark - Allow inside connections to inside network only
access-list INSIDE-OUT-ACL extended permit ip any LocalLAN 255.255.255.192
access-list INSIDE-OUT-ACL extended permit ip host X.Y.Z.126 host 172.16.83.4
access-list inside_access_out extended permit ip LocalLAN 255.255.255.192 any
access-list outside_access_in extended permit tcp host X.Y.Z.114 host A.B.C.D
access-list outside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip any LocalLAN 255.255.255.192
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu management 1500
mtu outside 1492
mtu inside 1500
ip local pool FirstPool 172.16.83.31-172.16.83.40 mask 255.255.255.192
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 LocalLAN 255.255.255.192
static (inside,outside) X.Y.Z.114 172.16.83.4 netmask 255.255.255.255
access-group OUTSIDE-IN-ACL in interface outside
access-group outside_access_out out interface outside
access-group INSIDE-IN-ACL in interface inside
access-group inside_access_out out interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl OUTSIDE-IN-ACL
 network-acl INSIDE-OUT-ACL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http LocalLAN 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ca server
 shutdown
 smtp from-address admin@CiscoASA5510.null
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp disconnect-notify
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh LocalLAN 255.255.255.192 inside
ssh timeout 10
console timeout 0
management-access inside
vpdn group ISPlink request dialout pppoe
vpdn group ISPlink localname USERNAME
vpdn group ISPlink ppp authentication pap
vpdn username USERNAME password %%%%%%%% store-local
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 172.16.83.41 /
webvpn
 enable outside
 enable inside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
 svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 172.16.83.1 208.67.222.222
 vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
 banner value Access to this device is restricted.
 banner value If you are not authorized to connect to this device, disconnect immediately.
 banner value Unauthorized access is punishable by law.
 banner value All device activity is logged and reviewed for unauthorized access.
 dns-server value 172.16.83.1 208.67.222.222
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 address-pools value FirstPool
username onerain password &&&&&&&&& encrypted privilege 15
username 911coe password &&&&&&&&& encrypted privilege 15
username jdwcadmin password &&&&&&&&& encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool FirstPool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group FirstGroup type remote-access
tunnel-group FirstGroup general-attributes
 address-pool (outside) FirstPool
tunnel-group FirstGroup ipsec-attributes
 pre-shared-key *
!
class-map exit
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7af42920186ac31bbf1d867d50532ad3
CiscoASA5510(config)#
 


11 Replies

Jon Marshall (Hall of Fame)

Couple of things -

1) you have in and out acls on both interfaces. Your outside acl outbound is "permit ip any any" so it may as well not be there

your inside acl doesn't make any sense and may block the server access although that's not the immediate problem eg -

access-list inside_access_out extended permit ip LocalLAN 255.255.255.192 any
access-group inside_access_out out interface inside

the source IPs would never be the LAN IPs. They would only be the source IPs for the inbound acl on your inside interface so I don't think you need that either.

In terms of your current problem can you be more specific ie.

static (inside,outside) X.Y.Z.114 172.16.83.4 netmask 255.255.255.255

you are presenting the internal server 172.16.83.4 as X.Y.Z.114 to the outside. What are the source IP addresses connecting from the outside to the public IP address.

Is it a specific IP or could it be any IP on the internet ?

Jon

Jon,

Thank you for your answer. I am sorry for my long delay in responding.

Your answer has been helpful to a degree. I have made a change to my PAT setup. I had been thinking about access lists for so long that I was not thinking straight, and I had created my inside IP address to present itself as the source's IP address. I have corrected that configuration and it now reads as follows:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 HEP-FWS-LAN 255.255.255.192
static (inside,outside) tcp interface 50002 172.16.83.4 3306 netmask 255.255.255.255

The X.Y.Z.114 is the source IP address connecting to the outside public IP address with port 50002. My outside public IP address is A.B.C.D as it is configured to the global (outside) 1 interface through PPPoE with my ISP.

After making this change to my PAT configuration I ran a packet-tracer and here are my results:

ciscoasa5510(config)# packet-tracer input outside tcp 204.144.130.114 48726 A.B.C.D 50002 ntemask 255.255.255.255

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 50002 172.16.83.4 3306 netmask 255.255.255.255
nat-control
  match tcp inside host 172.16.83.4 eq 3306 outside any
    static translation to A.B.C.D/50002
    translate_hits = 0, untranslate_hits = 48
Additional Information:
NAT divert to egress interface inside
Untranslate A.B.C.D/50002 to 172.16.83.4/3306 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Suggestions on where to go from here?

Thank you,

Kevin Bailey

Kevin

Can you post the acl details or just post the full configuration if that is easier.

Jon

X.Y.Z.126 and X.Y.Z.114 are the two potential IP source addresses for inbound connection to the inside server. 114 is the most likely source.

A.B.C.D is my outside public IP address.

Here are the ACLs:

same-security-traffic permit inter-interface
access-list INSIDE-IN-ACL extended permit ip 172.16.83.0 255.255.255.192 any
access-list INSIDE-IN-ACL remark - Allow inside connections to outside
access-list INSIDE-IN-ACL remark - Allow inside connections to outside
access-list INSIDE-IN-ACL extended permit udp 172.16.83.0 255.255.255.192 any eq ntp
access-list INSIDE-IN-ACL extended permit tcp 172.16.83.0 255.255.255.192 any eq www
access-list INSIDE-IN-ACL extended permit udp 172.16.83.0 255.255.255.192 any eq www
access-list INSIDE-IN-ACL extended permit tcp 172.16.83.0 255.255.255.192 any eq 8080
access-list INSIDE-IN-ACL extended permit udp 172.16.83.0 255.255.255.192 any eq 8080
access-list INSIDE-IN-ACL remark - Allow Internet Server connections to outside
access-list INSIDE-IN-ACL extended permit tcp 172.16.83.0 255.255.255.192 any eq https
access-list INSIDE-IN-ACL remark - Allow Internet Server connections to outside
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any eq 3306
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any eq smtp
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any eq 8181
access-list INSIDE-IN-ACL extended permit udp host 172.16.83.4 any eq 8181
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any eq ssh
access-list INSIDE-IN-ACL extended permit tcp host 172.16.83.4 any range 50001 50010
access-list INSIDE-IN-ACL extended permit udp host 172.16.83.4 any range 50001 50010
access-list OUTSIDE-IN-ACL extended permit tcp host X.Y.Z.126 host 172.16.83.4
access-list OUTSIDE-IN-ACL extended permit tcp host X.Y.Z.114 host 172.16.83.4
access-list INSIDE-OUT-ACL remark - Allow inside connections to inside network only
access-list INSIDE-OUT-ACL remark - Allow inside connections to inside network only
access-list INSIDE-OUT-ACL extended permit ip any 172.16.83.0 255.255.255.192
access-list INSIDE-OUT-ACL extended permit ip host X.Y.Z.126 host 172.16.83.4
access-list inside_access_out extended permit ip 172.16.83.0 255.255.255.192 any
access-list outside_access_in extended permit tcp host X.Y.Z.114 host A.B.C.D
access-list inside_nat0_outbound extended permit ip any 172.16.83.0 255.255.255.192
access-list outside_access_out extended permit ip any any

 

Here are the ACGs:

access-group OUTSIDE-IN-ACL in interface outside
access-group outside_access_out out interface outside
access-group INSIDE-IN-ACL in interface inside
access-group inside_access_out out interface inside

Sorry for delays in getting back to you. Mix of assignments I am on right now so away from my desk often and no wireless devices here.

Thanks,
Kevin

Kevin

access-list OUTSIDE-IN-ACL extended permit tcp host X.Y.Z.126 host 172.16.83.4
access-list OUTSIDE-IN-ACL extended permit tcp host X.Y.Z.114 host 172.16.83.4

Before version 8.3 of the code for ASAs you need to reference the public IP not the private IP in your acls.

So instead of 172.16.83.4 you need to use the public IP address.

Jon
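As an added illustration of the rule in this answer (this is not code from the thread or from Cisco): on ASA 8.2 an ACL applied inbound on the outside interface is evaluated against the packet as it arrives, i.e. against the mapped (public) address and, for a static PAT such as the one Kevin moved to, the mapped port 50002, not the real 172.16.83.4/3306 behind the static. The checker below parses the `static`, `access-list ... extended` and `access-group` lines from a constructed config assembled from the lines posted above, and flags any inbound ACE whose destination is the real address (or the real port) of a static on that interface, printing the line it should be instead. Assumptions: the outside address is supplied as the placeholder A.B.C.D via the `interface_ips` argument (the PPPoE address is not in the config), only `host`, `any` and `net mask` address forms with an optional `eq` port are understood, and remarks, `range`, `names` and object-groups are ignored.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample built from the lines posted in the thread. A.B.C.D is the
# outside (PPPoE) address placeholder; X.Y.Z.114 / X.Y.Z.126 are the remote hosts.
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 50002 172.16.83.4 3306 netmask 255.255.255.255
access-list OUTSIDE-IN-ACL extended permit tcp host X.Y.Z.126 host 172.16.83.4
access-list OUTSIDE-IN-ACL extended permit tcp host X.Y.Z.114 host 172.16.83.4
access-list outside_access_out extended permit ip any any
access-group OUTSIDE-IN-ACL in interface outside
access-group outside_access_out out interface outside
"""

@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str                     # public address, or the keyword 'interface'
    real_ip: str
    proto: Optional[str] = None        # tcp/udp only for static PAT (port forward)
    mapped_port: Optional[str] = None
    real_port: Optional[str] = None

# 8.2-style NAT and ACL syntax. Static PAT must be tried before one-to-one.
STATIC_PAT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_1TO1 = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) (?P<src>host \S+|any|\S+ \S+) "
    r"(?P<dst>host \S+|any|\S+ \S+)(?: eq (?P<port>\S+))?\s*$")
GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\w+)")

def parse_config(text):
    """Return (statics, {acl name: [ace dicts]}, [(acl, direction, interface)])."""
    statics, acls, groups = [], {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := STATIC_PAT.match(line):
            rif, mif, proto, mip, mport, rip, rport = m.groups()
            statics.append(Static(rif, mif, mip, rip, proto, mport, rport))
        elif m := STATIC_1TO1.match(line):
            rif, mif, mip, rip = m.groups()
            statics.append(Static(rif, mif, mip, rip))
        elif m := ACE.match(line):
            acls.setdefault(m.group(1), []).append({
                "line": line, "name": m.group(1), "action": m.group(2),
                "proto": m.group(3), "src": m.group("src"),
                "dst": m.group("dst"), "port": m.group("port")})
        elif m := GROUP.match(line):
            groups.append(m.groups())
    return statics, acls, groups

def mapped_host(static, interface_ips):
    """Address the outside world sees; resolve the 'interface' keyword if we can."""
    if static.mapped_ip == "interface":
        return interface_ips.get(static.mapped_if, "<%s-interface-ip>" % static.mapped_if)
    return static.mapped_ip

def check_config(text, interface_ips):
    """Flag inbound ACEs that match a static's real address/port instead of its mapped one."""
    statics, acls, groups = parse_config(text)
    findings = []
    for name, direction, iface in groups:
        if direction != "in":
            continue                       # only inbound ACLs see the un-NATed packet
        for ace in acls.get(name, []):
            for st in statics:
                if st.mapped_if != iface:
                    continue
                public = mapped_host(st, interface_ips)
                # A static PAT narrows the ACE to the mapped port (and its protocol);
                # a one-to-one static keeps whatever port the ACE already had.
                proto = st.proto if (st.proto and ace["proto"] == "ip") else ace["proto"]
                port = st.mapped_port or ace["port"]
                fixed = "access-list %s extended %s %s %s host %s%s" % (
                    name, ace["action"], proto, ace["src"], public,
                    " eq %s" % port if port else "")
                if ace["dst"] == "host " + st.real_ip:
                    findings.append({"line": ace["line"], "fix": fixed, "reason":
                        "destination is the real (pre-NAT) address; pre-8.3 ACLs on "
                        "%s must match the mapped address" % iface})
                elif st.mapped_port and ace["dst"] == "host " + public \
                        and ace["port"] == st.real_port:
                    findings.append({"line": ace["line"], "fix": fixed, "reason":
                        "destination port is the real port; must match mapped port %s"
                        % st.mapped_port})
    return findings

if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG, {"outside": "A.B.C.D"}):
        print("BAD : %s\n      %s\nUSE : %s\n" % (f["line"], f["reason"], f["fix"]))
```

Running it on the sample reports both OUTSIDE-IN-ACL entries and proposes `permit tcp host X.Y.Z.114 host A.B.C.D eq 50002` (and the same for X.Y.Z.126), which is the form that matches what packet-tracer shows arriving before the UN-NAT phase. On 8.3 and later the ACL is evaluated against the real address, so this check does not apply there.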

Packet-tracer allowed all the way through. I have asked the people at the other end to initiate a test connection. They did not answer their phone so I had to email them and I am awaiting a response.

Thank you.

Kevin

Sounds like good news.

Hope it works and let me know if there any more issues.

Jon

I finally got in touch with someone on the other end to verify all was working as needed. It is all good to go!

I have marked all your responses that contributed to my solution as Correct Answers and put ratings on your comments.

Thank you!

Kevin

Thank you very much.

Glad to hear you got it working.

Jon

You also have this -

access-list inside_access_out extended permit ip 172.16.83.0 255.255.255.192 any

this makes no sense because it is applied outbound not inbound and the source IPs will never be 172.16.83.x.

Is there a reason you are trying to use acls in both directions on both interfaces ?

Jon

No, I believe that is a remnant I missed from my multiple tries of trying to get the process to work.

I will remove this line.

Thank you.