Help with basic access lists.

Answered Question
Oct 9th, 2013
Hi,


We have an ASA 5515 and we have a pretty basic setup, one outside interface, one inside. We have a remote DVR setup at a location, we need to view the DVR through viewing software that communicates to the DVR over port 2000.


I setup an access list to allow all outside traffic over tcp/2000 through to an entire vlan:


access-list outside-in extended permit tcp any 192.168.6.0 255.255.255.0 eq 2000


It still seems to be blocking all port 2000 traffic, do I need to setup a NAT from the outside interface to this vlan?

Jouni Forss Wed, 10/09/2013 - 09:32

Hi,


Are you saying that the DVR is on a site where there is an ASA5515-X and users need to contact the DVR from the external network through the ASA with destination port TCP/2000?


Then you will need Static PAT (Port Forward) at least


object network DVR
 host <DVR-IP>
 nat (inside,outside) static interface service tcp 2000 2000

access-list outside-in extended permit tcp any object DVR eq 2000


- Jouni

ukdkbr1234 Wed, 10/09/2013 - 09:33

Other way around, the DVR is not behind the ASA; the users attempting to connect to it are.

Jouni Forss Wed, 10/09/2013 - 09:38

Hi,


Well in that case you will only need the basic Dynamic PAT configuration with regards to NAT. I assume this is already in place as otherwise no external connection from your LAN would work.


I don't see how your ACLs are configured and attached to interfaces, but judging from its name the ACL in question might be attached with the following command


access-group outside-in in interface outside


If so, then this ACL only controls connections initiated from behind the "outside" interface.


If you have an ACL attached to the "inside" interface then you would have to make sure the traffic is allowed in that ACL.


You can test the rules/configurations applied to the traffic with the "packet-tracer" command:


packet-tracer input inside tcp <LAN-user-IP> 12345 <DVR-IP> 2000


This should simulate and tell us what would happen to a connection coming from your LAN through the ASA towards the DVR with destination port TCP/2000. Naturally you will have to replace the above with some LAN user IP address.


- Jouni

ukdkbr1234 Wed, 10/09/2013 - 09:48

> I don't see how your ACLs are configured and attached to interfaces, but judging from its name the ACL in question might be attached with the following command
>
> access-group outside-in in interface outside


Yes that is correct. I ran the packet-tracer command as you suggested and it appears that it allows everything.


Result:

input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


Yet I still can't seem to get this to connect. If I connect the workstation to a connection that is not behind the ASA it connects without issue.

Jouni Forss Wed, 10/09/2013 - 09:53

Hi,


I would probably monitor the logs while connecting to see if anything gets blocked or if the connections get through what happens to them when the logs show the "Teardown" message for the connections. This is probably easiest done through the ASDM monitor/logging section.


- Jouni

Anas Hijjawi Wed, 10/09/2013 - 10:00

Check if you have a route for the DVR on the ASA, and that you have a route to the 192.168.6.0/24 subnet on the DVR L3 device.

Jouni Forss Wed, 10/09/2013 - 10:06

Hi,


I got the picture at least that the users are behind the ASA and the DVR is at some remote location.


If that is the case then there should already be a default route, and I would imagine from the DVR's perspective it should also be fine.


- Jouni

Anas Hijjawi Wed, 10/09/2013 - 10:10

Jouni, as he mentioned that he is allowing the traffic from outside, then the DVR should be inside, the default route on the FW will be to outside, and he needs to add a static route to the DVR network through the inside network.

Jouni Forss Wed, 10/09/2013 - 10:13

Though it was mentioned that the users are behind the ASA, and I doubt they are behind the "outside" interface or it would be a pretty uncommon/weird setup. Which again would mean that the DVR is behind the "outside" interface.


But again this would be clearer if I could see actual configurations.


- Jouni

ukdkbr1234 Wed, 10/09/2013 - 12:51

Yes, it's laid out like this:


DVR <-> Internet <-> ASA <-> users


I attached my config if that would give you a better idea of how we are setup. I removed the access-list for the port 2000 because it didn't make any difference and I wanted you to see the config before I edited it. Any other ideas?

Correct Answer
Jouni Forss Wed, 10/09/2013 - 13:18

Hi,


To be honest it's a pretty basic configuration and the TCP/2000 connection should pass.


Only thing I can think of is that the port TCP/2000 is typically used, to my understanding, by VoIP phones:


2000 TCP UDP Cisco SCCP (Skinny)



So I am wondering if the "inspect skinny" is causing the traffic to drop?


If you don't have need for the "inspect skinny", remove it from the


policy-map global_policy
 description Net Flow
 class inspection_default
  inspect skinny


- Jouni
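The two troubleshooting points Jouni makes in this thread are both things you can check mechanically against a running-config: which ACL actually evaluates a flow (an access-group bound "in" on the outside interface never sees traffic entering on inside), and whether the default inspection class in global_policy applies an application inspection to the port the non-VoIP application happens to use (here, skinny on TCP/2000). The script below is an added example, not code from the thread or from Cisco; the config excerpt it reads is constructed to mirror the setup described in the thread, and the default-inspection port table is limited to the two inspections the excerpt contains.

```python
"""Audit an ASA running-config excerpt for (1) the ACL that governs a flow entering
on a given interface and (2) default-class inspections that match the flow's port.
Added example for this thread; the config text and the port table are constructed."""
import re

# Constructed excerpt modelled on the thread: outside-in ACL on the outside interface,
# and the default inspection class still carrying 'inspect skinny'.
SAMPLE_CONFIG = """\
access-list outside-in extended permit tcp any 192.168.6.0 255.255.255.0 eq 2000
access-group outside-in in interface outside
policy-map global_policy
 description Net Flow
 class inspection_default
  inspect skinny
  inspect dns preset_dns_map
service-policy global_policy global
"""

# Ports the default-inspection-traffic class binds these inspections to.
# Only the inspections present in the sample are listed (constructed subset).
DEFAULT_INSPECT_PORTS = {"skinny": ("tcp", 2000), "dns": ("udp", 53)}


def access_groups(config):
    """Return {interface: acl_name} for ACLs applied inbound on an interface."""
    groups = {}
    for m in re.finditer(r"^access-group (\S+) in interface (\S+)$", config, re.M):
        groups[m.group(2)] = m.group(1)
    return groups


def governing_acl(config, ingress_interface):
    """ACL that filters a flow entering on ingress_interface, or None if there is none.
    A LAN-to-Internet flow enters on 'inside', so an ACL bound to 'outside' is not
    consulted for it, which is why the OP's outside-in rule made no difference."""
    return access_groups(config).get(ingress_interface)


def global_inspections(config):
    """Inspection names listed under 'class inspection_default' in global_policy."""
    inspections = []
    in_policy = in_class = False
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command: (re)set context
            in_policy = line == "policy-map global_policy"
            in_class = False
            continue
        if in_policy and line.strip() == "class inspection_default":
            in_class = True
        elif in_policy and line.startswith(" class "):
            in_class = False                  # some other class in the policy-map
        elif in_class and line.strip().startswith("inspect "):
            inspections.append(line.split()[1])
    return inspections


def inspections_hitting(config, proto, port):
    """Inspections whose default port equals the flow being troubleshot."""
    return [name for name in global_inspections(config)
            if DEFAULT_INSPECT_PORTS.get(name) == (proto, port)]


def remove_inspection(config, name):
    """Config with 'inspect <name>' removed: the fix the thread arrives at."""
    kept = [line for line in config.splitlines() if line.strip() != f"inspect {name}"]
    return "\n".join(kept) + "\n"


def audit(config, ingress_interface, proto, port):
    """Summarise what the ASA will apply to a proto/port flow entering on an interface."""
    return {
        "acl": governing_acl(config, ingress_interface),
        "inspections": inspections_hitting(config, proto, port),
    }


if __name__ == "__main__":
    # Before: no ACL on inside, but TCP/2000 is handed to the skinny inspector.
    print(audit(SAMPLE_CONFIG, "inside", "tcp", 2000))
    # After removing 'inspect skinny': nothing in the policy touches TCP/2000.
    print(audit(remove_inspection(SAMPLE_CONFIG, "skinny"), "inside", "tcp", 2000))
```

The report for the sample excerpt shows `acl: None` for the inside interface (the outside-in ACL is irrelevant to this direction, as packet-tracer confirmed) and `inspections: ['skinny']` for TCP/2000, which is the mismatch the accepted answer identified; rerunning the audit on the config with `inspect skinny` removed returns an empty inspection list while leaving the DNS inspection in place.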

ukdkbr1234 Wed, 10/09/2013 - 13:42

> So I am wondering if the "inspect skinny" is causing the traffic to drop?


Thank you thank you thank you!!!! That was indeed the issue!
