Allow a user to enter from a known IP into a server on a given port (Cisco ASA 5505) 7.2

stewartrose
Level 1

Good Evening Team,

I am having a problem allowing a person to enter the server via an ASA 5505 on port 60287 from a given IP.

Please advise...

Thank you from Alan

ASA Version 7.2(3)
!
hostname xxxxxx
domain-name xxxxxxxxx.org
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 87.75.xxx.yyy 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd yyyyyyyyyy encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxxxx.org
access-list OUTSIDE_IN extended permit tcp host 82.36.xxx.yyy host 192.168.1.3 eq 60287
access-list OUTSIDE_IN extended permit tcp host 87.75.xxx.yyy host 192.168.1.3 eq 60287
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 60287 192.168.1.3 60287 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 87.75.xxx.yyy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context

 

11 Replies

balaji.bandi
Hall of Fame

7.2 is too old, I cannot remember the syntax correctly.

 

The block below should work as expected:

 

nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 60287 192.168.1.3 60287 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside

 

What is the packet-tracer output?

 

You can try no NAT for that IP.

 

Example for testing:

 

nat (inside) 0 access-list bypassnat

access-list bypassnat covers only the 192.168.1.3 IP.

 

BB


stewartrose
Level 1

Thank you for the reply, but from my understanding that will let in everyone.

Hence I used this line:

access-list OUTSIDE_IN extended permit tcp host 82.36.xxx.yyy host 192.168.1.3 eq 60287

but that does not work...

Thanks from Alan

On pre-8.3 versions you need to use the NATed IP addresses in the ACLs, so in your case you would need this:

access-list OUTSIDE_IN extended permit tcp host <the source public IP of the client> host <the public IP of the outside interface> eq 60287

stewartrose
Level 1

Thank you for the reply, I have added that line with the appropriate IPs.

But it still doesn't work; is there something else missing, please?

All the best from Alan

You're welcome. Do you see any hits on the ACL? If not, that might suggest the client is sourcing from a different public IP address than the one you specified. I would also try to run a packet capture on both the outside and inside interfaces, filtering the capture to the traffic destined to port 60287/tcp.

stewartrose
Level 1

As I have 2 ISP suppliers, I know what the IPs are; I also checked with WHAT'S MY IP to make sure.

I first connected the server directly to the internet, and used SSH on the other server on the other ISP to talk to the first one.

All worked well, no problems. I have taken the ethernet cable from the back of the server and plugged it into 0/0,

and plugged a straight ethernet cable from 0/1 into the ethernet port on the server...

So the answer has to be in the ASA 5505, would you agree?

Thanks from Alan

Please share a topology diagram and what you are trying to achieve for review.

stewartrose
Level 1

[Attachment: network.jpg]

I see. The ACE you would need is:

access-list OUTSIDE_IN extended permit tcp host 82.36.xxx.yyy host 87.75.xxx.yyy eq 60287

If it does not work, I would try to run a packet capture on both the outside and inside interfaces, filtering the capture to port 60287 only, and take it from there.
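Putting the two pieces of advice in this thread together (ACL written against the translated address on pre-8.3 code, then packet-tracer and captures to verify), here is the corrected configuration and check sequence for the posted 7.2(3) config. This is an added example, not configuration from any post in the thread. It keeps the posted interface name, ACL name and static PAT, and uses RFC 5737 documentation addresses as stand-ins for the masked ones: 203.0.113.10 for the client's public IP (82.36.xxx.yyy in the thread) and 198.51.100.2 for the ASA outside interface (87.75.xxx.yyy); substitute the real values. The capture uses the access-list form, which works on 7.x releases.

```cisco
! --- Before (from the posted config): ACE written against the real inside address.
! On pre-8.3 ASA code the inbound ACL on the outside interface is evaluated against
! the packet as it arrives, i.e. before the static un-translates the destination,
! so the destination is the outside interface IP and this ACE never matches.
no access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 host 192.168.1.3 eq 60287
! (The second original ACE, whose source is also masked in the thread, needs the
!  same rewrite if it is still wanted.)
!
! --- After: permit only the one known client, to the translated (public) address.
access-list OUTSIDE_IN extended permit tcp host 203.0.113.10 host 198.51.100.2 eq 60287
!
! Static PAT is unchanged: <outside interface IP>:60287 -> 192.168.1.3:60287
static (inside,outside) tcp interface 60287 192.168.1.3 60287 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
!
! --- Verification, from enable mode.
! 1. Simulate the client's SYN. The trace should show the ACCESS-LIST phase as ALLOW,
!    a NAT phase un-translating to 192.168.1.3, and end with "Action: allow".
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.2 60287
!
! 2. Confirm the hit counter on the new ACE increments when the client really connects.
!    A counter that stays at 0 means the client is sourcing from another public IP.
show access-list OUTSIDE_IN
!
! 3. Capture on both sides to see where the packets stop. Outside sees the public
!    destination; inside sees the un-translated 192.168.1.3.
access-list cap-out permit tcp host 203.0.113.10 host 198.51.100.2 eq 60287
access-list cap-in  permit tcp host 203.0.113.10 host 192.168.1.3 eq 60287
capture cap-out access-list cap-out interface outside
capture cap-in  access-list cap-in  interface inside
show capture cap-out
show capture cap-in
!
! 4. If the static was changed after connections were already attempted, flush stale
!    translations so the new mapping is used.
clear xlate
!
! 5. Remove the captures when done.
no capture cap-out
no capture cap-in
```

If packet-tracer already reports a drop at the ACCESS-LIST phase with the corrected ACE in place, the source address in the ACE does not match what the ASA sees, which is the same thing an ACE hit count of 0 tells you; if the outside capture shows the SYN but the inside capture shows nothing, the problem is on the ASA between the two interfaces, and if both captures show the SYN with no reply, the server behind Ethernet0/1 is not answering on port 60287.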

stewartrose
Level 1

It's a shame that 7.2 is such a pain; I bought another ASA 5505 with 9.1 and everything works...

The command you gave looks right to me, but doesn't work, so something is wrong with the config.

Thank you for your help and support...

All the best from Alan

Did you have the chance to run packet capture?