Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5955
Views
0
Helpful
4
Replies

Open Ports & enable ping on ASA 5505

ronald.ngara
Level 1
Level 1

‎09-20-2010 04:39 AM

I am very new to the ASA, I have a working VPN, now i want to open 4 ports (6735, 6736, 2029, 1434)

and to enable ping to my server from a vpn client. Is there anyway i can easily do this using ASDM. If not possible how best can i tackle this.


!
ASA Version 7.2(4)
!
hostname pretoria
domain-name default.domain.invalid
enable password yiRw5ideotZmWUDS0 encrypted
passwd 6KFQasNIilI.2KFCA encrypted
names
!
interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
  nameif outside
  security-level 0
  ip address 10.5.12.5 255.255.255.0
!
interface Ethernet0/0
  switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
  domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object udp
  protocol-object tcp
object-group network DM_INLINE_NETWORK_1
  network-object host 10.5.12.100
  network-object host 192.168.1.10
  network-object host 10.5.12.5
object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object udp
  protocol-object tcp
access-list HQ-TUNNEL_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.5.112.0 255.255.255.224
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any object-group DM_INLINE_NETWORK_1 log debugging
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any log debugging
pager lines 24
logging enable
logging asdm debugging0.
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL1 10.5.112.1-10.5.112.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.5.12.100 192.168.1.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.5.12.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 213.193.45.233 255.255.255.255 outside
http 10.5.12.11 255.255.255.255 outside
http 67.165.22.34 255.255.255.255 outside
http 192.168.1.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  .

.

.

.

.
!
dhcpd address 192.168.1.2-192.168.1.50 inside
dhcpd enable inside
!

group-policy HQ-TUNNEL internal
group-policy HQ-TUNNEL attributes
  dns-server value 213.193.43.4
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value HQ-TUNNEL_splitTunnelAcl
username admin password HEH5MDcPeRt4KaUW encrypted
username HQ-User1 password LoNCAAClgPoPODsS encrypted privilege 0
username HQ-User1 attributes
  vpn-group-policy HQ-TUNNEL
tunnel-group HQ-TUNNEL type ipsec-ra
tunnel-group HQ-TUNNEL general-attributes
  address-pool VPN-POOL1
  default-group-policy HQ-TUNNEL
tunnel-group HQ-TUNNEL ipsec-attributes
  pre-shared-key Pret0ri@
!
!
prompt hostname context
Cryptochecksum:7zm4e45f146604386d9e3eac38531a6d
: end

Labels:
0 Helpful
4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

‎09-20-2010 04:43 AM

From your current vpn configuration, you should be able to ping and access those ports since you haven't configured any vpn-filter to only allow

specific ports.

You would need to make sure that the internal hosts that you are trying to ping has the windows firewall turn off because it normally does not allow inbound connection from different subnets.

0 Helpful

ronald.ngara
Level 1
Level 1
In response to Jennifer Halim

‎09-20-2010 04:57 AM

There is no internal firewall in place. I uninstalled the symantec endpoint firewall that was there and disabled windows firewall. I cant ping still

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to ronald.ngara

‎09-20-2010 05:01 AM

Also enable icmp inspection under your global_policy:

policy-map global_policy
   class inspection_default
        inspect icmp

0 Helpful

ronald.ngara
Level 1
Level 1
In response to Jennifer Halim

‎09-20-2010 05:43 AM

Using the packet tracer on the ADSM, it looks like all icmp packet are going through, but i cant ping from the client. What about opening the ports i mentioned. How easily can i do that?

0 Helpful
Customers Also Viewed These Support Documents