Can't open port on ASA!

Apr 7th, 2012

If anyone thinks they can help, please do, I'm desperately trying to help a company with a short-term deadline.  Just doing it to help out a friend in a rural area where every Cisco tech contact they had seems to be unavailable (for the last and next week) all at once.  I'm tearing my hair out!  Here's the current ASA configuration:



------------------------------------------------------------------------

ASA Version 7.2(3)

!

hostname [top secret!]

domain-name [top secret!]

enable password [top secret!] encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address [top secret!].140 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address [top secret!].11 255.255.255.248

!

interface Vlan3

shutdown

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd [top secret!] encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name [top secret!]

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip [top secret!] 255.255.255.0 10.0.8.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 10.0.50.0 255.255.255.248

access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0 – Not in your configuration

access-list outside_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.8.0 255.255.255.0

access-list tr-remote_splitTunnelAcl standard permit any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit esp any any

access-list outside_access_in extended permit tcp [top secret!] 255.255.255.0 any eq smtp

access-list outside_2_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.6.0 255.255.255.0 – Not in your configuration

pager lines 24

logging enable

logging monitor debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool remote-vpn 10.0.50.0-10.0.50.7 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp 10.0.1.201 smtp netmask 255.255.255.255

access-group outside_access_in in interface outside – Not in your configuration


route outside 0.0.0.0 0.0.0.0 [top secret!].9 1 – was [top secret!].194 in your config

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.0.6.0 255.255.255.0 inside – Not in your configuration

http 10.0.8.0 255.255.255.0 inside – Outside in your configuration

http 10.0.1.0 255.255.255.0 inside

http 10.0.50.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac – Not in your configuration

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA – Not in your configuration

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer [top secret!].194

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer [top secret!].162

crypto map outside_map 2 set transform-set ESP-3DES-SHA – Not in your configuration

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 10.0.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

!


!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout none

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

nac disable

nac-sq-period 300

nac-reval-period 36000

nac-default-acl none

address-pools none

smartcard-removal-disconnect enable

client-firewall none

client-access-rule none

webvpn

  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate – Not in your configuration

group-policy tr-remote internal

group-policy tr-remote attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value tr-remote_splitTunnelAcl

group-policy staff-remote internal

group-policy staff-remote attributes

dns-server value 10.0.1.200

vpn-tunnel-protocol IPSec

username remote password [top secret!] encrypted privilege 0

username remote attributes

vpn-group-policy [top secret!]

username [top secret!] password [top secret!] encrypted privilege 0

username [top secret!] attributes

vpn-group-policy tr-remote

tunnel-group [top secret!].194 type ipsec-l2l

tunnel-group [top secret!].194 ipsec-attributes

pre-shared-key *

tunnel-group tr-remote type ipsec-ra

tunnel-group tr-remote general-attributes

address-pool remote-vpn

default-group-policy tr-remote

tunnel-group tr-remote ipsec-attributes

pre-shared-key *

tunnel-group [top secret!].162 type ipsec-l2l

tunnel-group [top secret!].162 ipsec-attributes

pre-shared-key *

tunnel-group staff-remote type ipsec-ra

tunnel-group staff-remote general-attributes

address-pool remote-vpn

default-group-policy [top secret!]

tunnel-group [top secret!] ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:[top secret!]

------------------------------------------------------------------------


An Epic thin client is being set up, and the company was simply told to (on their Cisco ASA) enable NAT with external IP xxx.xxx.xxx.14, internal IP 10.0.xx.xx, and open port 8222.


I went in and added this:



static (inside,outside) xxx.xxx.xxx.58 xxx.xxx.xxx.14 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.14 eq 8222

access-group inbound in interface outside



But when we try to run the thin client install, we get an error saying invalid ip/port xxx.xxx.xxx.14/8222.


Please help if you can.  I'd be so appreciative.  Have already been so thankful for earlier responses.

pgmccullough Sat, 04/07/2012 - 08:51

Thanks so much for the quick reply!


Okay, I switched it to


static (inside,outside) xxx.xxx.xxx.14 xxx.xxx.xxx.58 netmask 255.255.255.255


but it didn't appear to make a difference.


Do I need to also change all of the access-list lines to define the xxxxxxx.58 (internal) ip instead of the xxxxxxxxxxxx.14 (external)?

pgmccullough Sat, 04/07/2012 - 10:41

Okay, so the ASA's IP is xxxxxxxxx.11.  The external IP that needs to be set up for this is xxxxxxxxxx.14 and point to internal IP xxx.xxx.xxx.58 with port 8222 open.


So originally I had:


static (inside,outside) xxx.xxx.xxx.58 xxx.xxx.xxx.14 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.11 eq 8222

access-group inbound in interface outside


but a commenter on another discussion said that the 14 and 11 needed to match.  So I changed to


static (inside,outside) xxx.xxx.xxx.58 xxx.xxx.xxx.14 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.14 eq 8222

access-group inbound in interface outside


Above poster pointed out that static statement needed to be swapped, so it became:


static (inside,outside) xxx.xxx.xxx.14 xxx.xxx.xxx.58 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.14 eq 8222

access-group inbound in interface outside


I am certain that swapping the statics was correct, but it didn't make a difference.  I went back and tried to run the Epic thin client setup, and still got an invalid ip/port error.


So I went back to having the original instance of pointing from the public IP the thin client will connect to, to the ASA ip.  And I went nuclear with permissions:


static (inside,outside) xxx.xxx.xxx.58 xxx.xxx.xxx.14 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.11 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.11 eq 8222

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.14 eq 8222

access-list inbound extended permit tcp any host xxx.xxx.xxx.58 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.58 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.58 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.58 eq 8222

access-group inbound in interface outside


And now the thin client install gives another error, saying it can't install to specified host or something.  Which feels like progress!  Though I'm sure the access-list inbound on everything is a bad security idea.  I just needed to play around to see what was going on.


Any thoughts?

Amit Rai Sat, 04/07/2012 - 22:52

Did you try to run the packet tracer to find out what is causing the issue?


Also try to capture the traffic on the ingress and egress interface to see if the issue is at the ASA or somewhere else.


Refer to the below link for the packet capture on ASA:

https://supportforums.cisco.com/docs/DOC-17345#comment-8416


Send me the output of the below command.


packet-tracer input outside tcp 1.1.1.1 1234 xxx.xxx.xxx.58 8222 det

Roman Rodichev Sun, 04/08/2012 - 00:18

This is absolutely correct:


static (inside,outside) xxx.xxx.xxx.14 xxx.xxx.xxx.58 netmask 255.255.255.255

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq www

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq https

access-list inbound extended permit tcp any host xxx.xxx.xxx.14 eq 8222

access-list inbound extended permit udp any host xxx.xxx.xxx.14 eq 8222

access-group inbound in interface outside


Static goes as: inside outside externalIP internalIP

Inbound outside ACL must reference externalIP


Starting with ASA code 8.3 (you are running something before 8.3), there are no more static commands, and the ACL would have to reference internalIP.


Can you telnet to xxx.xxx.xxx.14 ports 80, 443 and 8222 from outside? Just do "telnet xxx.xxx.xxx.14 80"; if it connects, then you are good, if not, then something's wrong. Verify that you can telnet xxx.xxx.xxx.58 80 from inside. And verify that xxx.xxx.xxx.14 is definitely routed to the ASA's outside interface.
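As an added example (not from this thread or from Cisco), a small Python checker that applies the two rules Roman states above to a pre-8.3 config: a one-to-one static lists the mapped (external) address before the real (internal) one, and an ACL applied inbound on outside must name the mapped address. The config, names and addresses are constructed placeholders, and only one-to-one host statics are parsed (port statics on the interface address are not).

```python
import ipaddress
import re
# Constructed sample in the thread's pre-8.3 syntax; addresses are documentation
# placeholders (RFC 5737 / RFC 1918), not the poster's real ones.
SAMPLE_CONFIG = """
static (inside,outside) 203.0.113.14 10.0.1.58 netmask 255.255.255.255
static (inside,outside) 10.0.1.59 203.0.113.15 netmask 255.255.255.255
access-list inbound extended permit tcp any host 203.0.113.14 eq 8222
access-list inbound extended permit udp any host 203.0.113.14 eq 8222
access-list inbound extended permit tcp any host 10.0.1.58 eq 8222
access-list inbound extended permit tcp any host 203.0.113.11 eq 8222
access-group inbound in interface outside
"""
# Pre-8.3 order: static (real_ifc,mapped_ifc) MAPPED_IP REAL_IP netmask 255.255.255.255
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit (\w+) \S+ host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")

def is_rfc1918(ip):
    """True for RFC 1918 space; used to spot a static whose arguments are swapped."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def parse_statics(config):
    """Return one-to-one statics as {mapped_ip: real_ip}."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _real_ifc, _mapped_ifc, mapped_ip, real_ip = m.groups()
            statics[mapped_ip] = real_ip
    return statics

def check_config(config):
    """Findings for the statics and for every ACL applied inbound on 'outside'."""
    findings = []
    statics = parse_statics(config)
    for mapped_ip, real_ip in statics.items():
        if is_rfc1918(mapped_ip) and not is_rfc1918(real_ip):
            findings.append(f"static {mapped_ip} {real_ip}: arguments look swapped (mapped IP goes first)")
    groups = [GROUP_RE.match(l.strip()) for l in config.splitlines()]
    outside_acls = {m.group(1) for m in groups if m and m.group(2) == "outside"}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) not in outside_acls:
            continue
        _acl, proto, dst, port = m.groups()
        if dst in statics:
            continue  # pre-8.3 rule satisfied: the ACE names the mapped (public) address
        if dst in statics.values():
            findings.append(f"{proto}/{port} to {dst}: ACE names the real IP; pre-8.3 ACLs must name the mapped IP")
        else:
            findings.append(f"{proto}/{port} to {dst}: no one-to-one static maps this address; ACE permits nothing useful")
    return findings
```

Run `check_config(SAMPLE_CONFIG)` and each of the three mistakes made in this thread (swapped static, ACE on the inside IP, ACE on an address with no static) comes back as one finding.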

pgmccullough Mon, 04/09/2012 - 11:54

Thanks so much.  At this point, it looks like things OUGHT to be working.  I can successfully telnet xx.xx.xx.14 8222, which seems like it bodes well.  I can't tell you how deeply I appreciate everyone's responses.  I will come back and rate appropriately once we can confirm success in the next day or two.

pgmccullough Mon, 04/09/2012 - 09:15

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x3582098, priority=1, domain=permit, deny=false
        hits=1722090, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.1.0        255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x35fa678, priority=11, domain=permit, deny=true
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Jouni Forss Mon, 04/09/2012 - 11:28

Hi,


Can you also post the whole "packet-tracer" command that you used for the above output?


To my understanding if you just want to give an inside IP address its own public IP address it should be done the way it was already mentioned.


static (inside,outside) netmask 255.255.255.255


access-list permit tcp any host eq 8222


If you test the configuration with "packet-tracer" command the format should be this


packet-tracer input outside tcp 1.2.3.4 1025 8222


Command parameters in order from left to right:

  • packet-tracer = the command itself
  • input = the input parameter (no other available) used before giving the actual interface name on ASA
  • outside = the interface name on the ASA
  • tcp = protocol used
  • 1.2.3.4 = random source address chosen
  • 1025 = random source port chosen
  • = the IP address you have chosen for the static command
  • 8222 = the port you were asked to open (or any other port you need to test)



- Jouni
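As an added example (not from this thread), a Python parser for packet-tracer output like the trace pgmccullough posted above: it splits the output into phases, keeps the final verdict, and picks out the phase that dropped the packet. The sample trace is a constructed excerpt of that output.

```python
import re
# Constructed excerpt of the trace posted in this thread: phase 2 and the rule
# ids, hit counters and MAC lines are omitted; the verdict lines are kept.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule

Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
PHASE_RE = re.compile(r"^Phase: (\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information|Action|Drop-reason): ?(.*)$")

def parse_trace(text):
    """Return {"phases": [one dict per phase], "verdict": {"action": ..., "drop-reason": ...}}."""
    phases, verdict, current, last_key = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current, last_key = {"phase": int(m.group(1))}, None
            phases.append(current)
            continue
        if line == "Result:":  # a bare "Result:" opens the final summary, not a phase field
            current, last_key = None, None
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            last_key = m.group(1).lower()
            current[last_key] = m.group(2)
        elif m:
            verdict[m.group(1).lower()] = m.group(2)
        elif current is not None and last_key:  # e.g. "Implicit Rule" continues "Config:"
            current[last_key] = (current[last_key] + " " + line).strip()
    return {"phases": phases, "verdict": verdict}

def first_drop(trace):
    """First phase whose Result is DROP, or None when every phase allowed the packet."""
    return next((p for p in trace["phases"] if p.get("result") == "DROP"), None)
```

On the posted trace this reports phase 4 (ACCESS-LIST, Implicit Rule) as the drop, which is why Jouni asks for the exact packet-tracer command: the destination address in the command decides which ACE, if any, the flow matches.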
