11-10-2020 12:07 PM
Good Evening Team,
I am having a problem allowing a person to enter the server via an ASA 5505 on port 60287 at a given IP.
Please advise...
Thank you from Alan
ASA Version 7.2(3)
!
hostname xxxxxx
domain-name xxxxxxxxx.org
enable password xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 87.75.xxx.yyy 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd yyyyyyyyyy encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxxxx.org
access-list OUTSIDE_IN extended permit tcp host 82.36.xxx.yyy host 192.168.1.3 eq 60287
access-list OUTSIDE_IN extended permit tcp host 87.75.xxx.yyy host 192.168.1.3 eq 60287
no pager
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 60287 192.168.1.3 60287 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 87.75.xxx.yyy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
11-10-2020 10:30 PM
7.2 is too old; I cannot remember the syntax correctly.
The block below should work as expected:
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 60287 192.168.1.3 60287 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
What is the packet-tracer output?
You can try no NAT for that IP.
Example for testing:
nat (inside) 0 access-list bypassnat
access-list bypassnat should cover only the 192.168.1.3 IP.
11-11-2020 12:15 AM
Thank you for the reply, but from my understanding that will let in everyone.
Hence I used this line: access-list OUTSIDE_IN extended permit tcp host 82.36.xxx.yyy host 192.168.1.3 eq 60287
but that does not work...
Thanks from Alan
11-11-2020 01:19 AM
On pre 8.3 versions you need to use the NAT'ed IP addresses on the ACLs, so in your case you would need this:
access-list OUTSIDE_IN extended permit tcp host <the source public IP of the client> host <the public IP of the outside interface> eq 60287
11-11-2020 03:30 AM
Thank you for the reply. I have added that line with the appropriate IPs,
but it still doesn't work. Is there something else missing, please?
All the best from Alan
11-11-2020 04:37 AM
You're welcome. Do you see any hits on the ACL? If not, that might suggest the client is sourcing from a different public IP address than the one you specified. I would also try to run a packet capture on both the outside and inside interfaces, filtering the capture to the traffic destined to port 60287/tcp.
11-11-2020 05:25 AM
As I have 2 ISP suppliers, I know what the IPs are; I also checked with WHAT'S MY IP to make sure.
I first connected the server directly to the internet, and used SSH on the other server on the other ISP to talk to the first one.
All worked well, no problems. I have taken the ethernet cable from the back of the server and plugged it into 0/0,
and plugged a straight ethernet cable into 0/1 to the ethernet port on the server...
So the answer has to be in the ASA 5505, would you agree?
Thanks from Alan
11-11-2020 07:30 AM
Please share a topology diagram and what you are trying to achieve for review.
11-11-2020 08:13 AM
11-11-2020 09:49 AM
I see. The ACE you would need is:
access-list OUTSIDE_IN extended permit tcp host 82.36.xxx.yyy host 87.75.xxx.yyy eq 60287
If it does not work, I would try to run a packet capture on both the outside and inside interfaces, filtering the capture to port 60287 only, and take it from there.
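The two points made in the replies above (pre-8.3 ACLs must name the translated address, and captures on both interfaces tell you where the packet dies) can be checked mechanically against the posted config. The following is an added example, not code from the thread or from Cisco: it parses the 7.2-style `static`/`access-list`/`access-group` lines, works out which destination host an inbound ACE must name for the running version, and generates the ASA CLI (`show access-list`, `packet-tracer`, `capture ... access-list`) to verify the path. The sample config is constructed from the post; the public addresses 87.75.0.1 and 82.36.0.1 are placeholders for the masked xxx.yyy values, the capture names and ACL names CAP_OUT/CAP_IN are my own, and the 8.3+ branch only illustrates which address the ACL sees (8.3+ configs use object NAT, which this parser does not read).

```python
import re

# Constructed sample, modelled on the config posted in this thread; the public
# addresses are placeholders, since the original post masks them as xxx.yyy.
SAMPLE_CONFIG = """\
ASA Version 7.2(3)
interface Vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
ip address 87.75.0.1 255.255.255.248
access-list OUTSIDE_IN extended permit tcp host 82.36.0.1 host 192.168.1.3 eq 60287
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface 60287 192.168.1.3 60287 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask", re.M)
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) host (\S+) host (\S+) eq (\d+)", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)", re.M)


def parse_version(cfg):
    m = re.search(r"^ASA Version (\d+)\.(\d+)", cfg, re.M)
    return int(m.group(1)), int(m.group(2))


def interface_ips(cfg):
    """nameif -> IP address, read from the interface stanzas (indentation not required)."""
    current, names, ips = None, {}, {}
    for line in cfg.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            current = words[1]
        elif words[0] == "nameif" and current:
            names[current] = words[1]
        elif words[:2] == ["ip", "address"] and current:
            ips[current] = words[2]
    return {names[i]: ips[i] for i in names if i in ips}


def statics(cfg):
    """Each static PAT as a dict; the keyword 'interface' is resolved to the mapped interface IP."""
    ifaces = interface_ips(cfg)
    out = []
    for real_if, mapped_if, proto, mip, mport, rip, rport in STATIC_RE.findall(cfg):
        out.append({"real_if": real_if, "mapped_if": mapped_if, "proto": proto,
                    "mapped_ip": ifaces[mapped_if] if mip == "interface" else mip,
                    "mapped_port": int(mport), "real_ip": rip, "real_port": int(rport)})
    return out


def expected_dest(version, st):
    """Pre-8.3: the ACL sees the translated (public) address. 8.3+: the ACL sees the real address."""
    if version < (8, 3):
        return st["mapped_ip"], st["mapped_port"]
    return st["real_ip"], st["real_port"]


def check_aces(cfg):
    """For every ACE on an inbound ACL whose port matches a static, report whether its
    destination host is the one this ASA version expects, and the corrected ACE."""
    version = parse_version(cfg)
    inbound = dict(GROUP_RE.findall(cfg))
    findings = []
    for acl, proto, src, dst, port in ACE_RE.findall(cfg):
        for st in statics(cfg):
            if inbound.get(acl) != st["mapped_if"] or proto != st["proto"]:
                continue
            if int(port) not in (st["mapped_port"], st["real_port"]):
                continue
            want_ip, want_port = expected_dest(version, st)
            fixed = (f"access-list {acl} extended permit {proto} host {src} "
                     f"host {want_ip} eq {want_port}")
            findings.append({"acl": acl, "ok": dst == want_ip and int(port) == want_port,
                             "suggested": fixed})
    return findings


def verification_commands(cfg, client_ip, acl="OUTSIDE_IN"):
    """ASA CLI to show where the packet dies: ACL hit counts, packet-tracer, and a capture
    on each interface. The inside capture must name the real address, because the packet
    has already been un-translated by the time it reaches that interface."""
    st = statics(cfg)[0]
    return [
        f"show access-list {acl}",
        f"packet-tracer input {st['mapped_if']} {st['proto']} {client_ip} 12345 "
        f"{st['mapped_ip']} {st['mapped_port']}",
        f"access-list CAP_OUT extended permit {st['proto']} host {client_ip} "
        f"host {st['mapped_ip']} eq {st['mapped_port']}",
        f"access-list CAP_IN extended permit {st['proto']} host {client_ip} "
        f"host {st['real_ip']} eq {st['real_port']}",
        f"capture capout access-list CAP_OUT interface {st['mapped_if']}",
        f"capture capin access-list CAP_IN interface {st['real_if']}",
        "show capture capout",
        "show capture capin",
    ]
```

Run `check_aces(SAMPLE_CONFIG)` to see the posted ACE flagged (it names 192.168.1.3 on a 7.2 box) together with the ACE that the 8.3-boundary rule calls for; `verification_commands(SAMPLE_CONFIG, "82.36.0.1")` prints the commands to paste in. If `show access-list` shows no hits on the corrected ACE while `capout` sees SYNs, the client is not sourcing from the address you expect; if `capout` sees nothing at all, the packet is not arriving at the ASA.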
11-11-2020 11:29 AM
It's a shame that 7.2 is such a pain; I bought another ASA 5505 on 9.1 and everything works...
The command you gave looks right to me, but it doesn't work, so something is wrong with the config.
Thank you for your help and support...
All the best from Alan
11-12-2020 12:48 AM
Did you have the chance to run packet capture?