Open Ports & enable ping on ASA 5505

Unanswered Question
Sep 20th, 2010

I am very new to the ASA. I have a working VPN; now I want to open 4 ports (6735, 6736, 2029, 1434) and to enable ping to my server from a VPN client. Is there any way I can easily do this using ASDM? If not, how best can I tackle this?





!
ASA Version 7.2(4)
!
hostname pretoria
domain-name default.domain.invalid
enable password yiRw5ideotZmWUDS0 encrypted
passwd 6KFQasNIilI.2KFCA encrypted
names
!
interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
  nameif outside
  security-level 0
  ip address 10.5.12.5 255.255.255.0
!
interface Ethernet0/0
  switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
  domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object udp
  protocol-object tcp
object-group network DM_INLINE_NETWORK_1
  network-object host 10.5.12.100
  network-object host 192.168.1.10
  network-object host 10.5.12.5
object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object udp
  protocol-object tcp
access-list HQ-TUNNEL_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.5.112.0 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any object-group DM_INLINE_NETWORK_1 log debugging
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log debugging
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL1 10.5.112.1-10.5.112.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.5.12.100 192.168.1.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.5.12.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 213.193.45.233 255.255.255.255 outside
http 10.5.12.11 255.255.255.255 outside
http 67.165.22.34 255.255.255.255 outside
http 192.168.1.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  ...
!
dhcpd address 192.168.1.2-192.168.1.50 inside
dhcpd enable inside
!
group-policy HQ-TUNNEL internal
group-policy HQ-TUNNEL attributes
  dns-server value 213.193.43.4
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value HQ-TUNNEL_splitTunnelAcl
username admin password HEH5MDcPeRt4KaUW encrypted
username HQ-User1 password LoNCAAClgPoPODsS encrypted privilege 0
username HQ-User1 attributes
  vpn-group-policy HQ-TUNNEL
tunnel-group HQ-TUNNEL type ipsec-ra
tunnel-group HQ-TUNNEL general-attributes
  address-pool VPN-POOL1
  default-group-policy HQ-TUNNEL
tunnel-group HQ-TUNNEL ipsec-attributes
  pre-shared-key Pret0ri@
!
!
prompt hostname context
Cryptochecksum:7zm4e45f146604386d9e3eac38531a6d
: end

Jennifer Halim (Cisco Employee) Mon, 09/20/2010 - 04:43

From your current VPN configuration, you should be able to ping and access those ports, since you haven't configured any vpn-filter to only allow specific ports.


You would need to make sure that the internal host you are trying to ping has the Windows firewall turned off, because it normally does not allow inbound connections from different subnets.

ronald.ngara Mon, 09/20/2010 - 04:57

There is no internal firewall in place. I uninstalled the Symantec Endpoint firewall that was there and disabled the Windows firewall. I still can't ping.

Jennifer Halim (Cisco Employee) Mon, 09/20/2010 - 05:01

Also enable ICMP inspection under your global_policy:


policy-map global_policy
   class inspection_default
        inspect icmp

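Worked example of the two suggestions made in this thread, added here by the editor and not part of either reply: the ICMP inspection from the second reply, plus an explicit vpn-filter on the HQ-TUNNEL group policy that permits only ping and the four requested ports (the first reply notes that without a vpn-filter nothing restricts what a connected VPN client can reach). It assumes the server is 192.168.1.10 (the host behind the static NAT in the posted config), that the client pool is 10.5.112.0/27 (the network used in inside_nat0_outbound), and that the four ports are TCP; none of these are stated in the thread, so adjust them before use. The ACL name HQ-TUNNEL_vpnFilter is also the editor's.

```cisco
! Added example, not from the original thread. Assumptions (none stated in the
! thread): the server is 192.168.1.10, the VPN pool is 10.5.112.0/27 and the
! four application ports are TCP. Change these before applying.

! --- 1. Stateful ICMP, as suggested in the second reply ---------------------
! With "inspect icmp" the ASA tracks echo-request/echo-reply as one connection,
! so the reply is matched to the request instead of being evaluated on its own.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! --- 2. Explicit vpn-filter for the HQ-TUNNEL clients -----------------------
! The first reply points out that without a vpn-filter nothing limits what a
! connected client can reach ("sysopt connection permit-vpn", on by default,
! lets decrypted VPN traffic bypass the outside interface ACL). This filter
! allows only ping and the four ports to the one server. vpn-filter ACLs are
! written with the VPN client as the source and the inside host as the
! destination; the ASA applies them to the return traffic as well.
access-list HQ-TUNNEL_vpnFilter extended permit icmp 10.5.112.0 255.255.255.224 host 192.168.1.10
access-list HQ-TUNNEL_vpnFilter extended permit tcp 10.5.112.0 255.255.255.224 host 192.168.1.10 eq 6735
access-list HQ-TUNNEL_vpnFilter extended permit tcp 10.5.112.0 255.255.255.224 host 192.168.1.10 eq 6736
access-list HQ-TUNNEL_vpnFilter extended permit tcp 10.5.112.0 255.255.255.224 host 192.168.1.10 eq 2029
access-list HQ-TUNNEL_vpnFilter extended permit tcp 10.5.112.0 255.255.255.224 host 192.168.1.10 eq 1434
access-list HQ-TUNNEL_vpnFilter extended deny ip any any log
!
group-policy HQ-TUNNEL attributes
 vpn-filter value HQ-TUNNEL_vpnFilter

! --- 3. Checks ---------------------------------------------------------------
! Confirm the default that makes the outside ACL irrelevant for VPN traffic:
show running-config all sysopt | include permit-vpn
! Confirm ICMP inspection is active on the global policy:
show service-policy inspect icmp
! Simulate a ping and a port connection from a pool address arriving on the
! outside interface; each trace should end in "Action: allow".
packet-tracer input outside icmp 10.5.112.5 8 0 192.168.1.10
packet-tracer input outside tcp 10.5.112.5 40000 192.168.1.10 6735
! The filter is attached when a session is built, so reconnect the client;
! its session should then show "Filter Name : HQ-TUNNEL_vpnFilter".
show vpn-sessiondb detail remote
```

A passing packet-tracer only shows that the rules allow the flow; it simulates the packet as it looks after decryption and does not exercise the IPsec tunnel itself. If the trace passes but the real ping still fails, the encaps/decaps counters in `show crypto ipsec sa` show whether the client's packets are actually arriving through the tunnel before you look further at the host.
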
ronald.ngara Mon, 09/20/2010 - 05:43

Using the packet tracer in ASDM, it looks like all ICMP packets are going through, but I can't ping from the client. What about opening the ports I mentioned? How easily can I do that?
