Open ports problem ASA5505

Answered Question
Oct 11th, 2013

Hi everyone.


I'm trying to open ports on a specific host but I can't make it work.


I tried to make it as clear as possible.


Thanks for helping.



Here is my config:


Result of the command: "show run"



: Saved

:

ASA Version 9.1(3)

!

hostname ciscoasa

enable password *** encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd *** encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 1.1.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address MY-FIREWALL-IP 255.255.255.240

!

boot system disk0:/asa913-k8.bin

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network LAN-SITE-B

subnet 1.1.2.0 255.255.255.0

object network LAN-SITE-A

subnet 1.1.1.0 255.255.255.0

object network Firewall-SITE-B

host VPN-SITE-B-IP

object network SERVER01

host 1.1.1.2 (MY SERVER THAT I WANT TO ACCESS FROM OUTSIDE)

object-group service ALL-IP tcp-udp

description ALL-IP

port-object range 1 65535 (FOR TESTING PURPOSE, I'M TRYING TO OPEN ALL PORTS ON THIS HOST)

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B

access-list outside_access_in extended permit object-group TCPUDP any host MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE) object-group ALL-IP

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static LAN-SITE-A LAN-SITE-B destination static LAN-SITE-B LAN-SITE-A no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

object network SERVER01

nat (inside,outside) static MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE)

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 MY-GATEWAY 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no user-identity enable

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 1.1.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer SITE-B

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0



dhcpd auto_config outside

!

dhcpd address 1.1.1.100-1.1.1.125 inside

dhcpd dns 24.200.241.37 24.201.245.77 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_SITE-B internal

group-policy GroupPolicy_SITE-B attributes

vpn-tunnel-protocol ikev1 ikev2

username MY-USER password *** encrypted privilege 15

tunnel-group SITE-B type ipsec-l2l

tunnel-group SITE-B general-attributes

default-group-policy GroupPolicy_SITE-B

tunnel-group SITE-B ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:f5d698f2b08e98028f2d487a42c7187e

: end

Jouni Forss Fri, 10/11/2013 - 05:09

Hi,


Make sure that you allow the traffic to the local IP address of the server rather than the public IP address


The general format for Static NAT and the ACL you should use is


object network SERVER01

host

nat (inside,outside) static


access-list permit ip any object SERVER01


The ACL in this situation reflects your need to allow everything in the testing phase. This is a lot simpler ACL than the one above because this essentially allows all TCP/UDP and for example also ICMP


After this you can test the rules with


packet-tracer input outside tcp 1.1.1.1 12345


Hope this helps


Please do remember to mark a reply as the correct answer if it answered your question


Feel free to ask more if needed


- Jouni

pl.mailloux Fri, 10/11/2013 - 05:23

Hi JouniForss,


Thanks for your help.


Still no access; here is the reply from packet-tracer:


ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 MY-SERVER01-PUBLIC-IP 12345



Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list



Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network SERVER01

nat (inside,outside) static MY-SERVER01-PUBLIC-IP

Additional Information:

NAT divert to egress interface inside

Untranslate MY-SERVER01-PUBLIC-IP/12345 to 1.1.1.2/12345



Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:



Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:



Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Jouni Forss Fri, 10/11/2013 - 05:27

Hi,


Can you provide the output of


show run access-list


show run access-group


- Jouni

pl.mailloux Fri, 10/11/2013 - 05:41

Here is the info you requested:


ciscoasa# show run access-list

access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B

access-list SERVER01 extended permit ip any object SERVER01


ciscoasa# show run access-group

ciscoasa#



Thanks

Correct Answer
Jouni Forss Fri, 10/11/2013 - 05:55

Hi,


You have no ACL attached to the "outside" interface


You would have to add


access-group SERVER01 in interface outside


Do notice that the ACL might be good to be named a bit more generally rather than referencing the interface to which it's attached, since any other future ACL rules would have to use this ACL.


So you could for example instead do (WITHOUT adding the above "access-group" command)


access-list OUTSIDE-IN extended permit ip any object SERVER01


access-group OUTSIDE-IN in interface outside


- Jouni
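
The two faults identified in this thread (an ACL written against the public, mapped address, and an ACL that is defined but never attached to an interface) can both be checked offline against a saved "show run". The script below is an added example, not part of the original posts; the function name and the address 203.0.113.10, which stands in for the redacted public IP, are assumptions.

```python
import re

# Constructed sample: both faults from this thread in one config.
SAMPLE = """\
object network SERVER01
 host 1.1.1.2
access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
access-list outside_access_in extended permit tcp any host 203.0.113.10
access-list SERVER01 extended permit ip any object SERVER01
object network SERVER01
 nat (inside,outside) static 203.0.113.10
access-group outside_access_in in interface outside
crypto map outside_map 1 match address outside_cryptomap
"""

def audit_inbound(config):
    """Return sorted (acl_name, issue) pairs for the two faults in this thread."""
    mapped = set()        # static-NAT mapped (public) addresses
    aces = []             # (acl_name, rest of the permit line)
    referenced = set()    # ACLs used by access-group or by a crypto map
    in_object = False
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object network "):
            in_object = True
        elif in_object and (m := re.match(r"nat \(\S+\) static (\S+)", line)):
            mapped.add(m.group(1))
        elif in_object and line.startswith(("host ", "subnet ", "description ")):
            pass          # still inside the object definition
        else:
            in_object = False
            if m := re.match(r"access-list (\S+) extended permit (.+)", line):
                aces.append((m.group(1), m.group(2)))
            elif m := re.match(r"access-group (\S+) in interface \S+", line):
                referenced.add(m.group(1))
            elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
                referenced.add(m.group(1))
    findings = set()
    for name, rule in aces:
        # ASA 8.3+ checks the ACL after un-NAT, so a mapped address never matches.
        if any(re.search(rf"\bhost {re.escape(ip)}\b", rule) for ip in mapped):
            findings.add((name, "destination is the mapped address, use the real one"))
        if name not in referenced:
            findings.add((name, "not attached by access-group"))
    return sorted(findings)

if __name__ == "__main__":
    for acl, issue in audit_inbound(SAMPLE):
        print(f"{acl}: {issue}")
```
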

pl.mailloux Fri, 10/11/2013 - 06:45

Hi Jouni,


Thanks for helping again,


Looks like I'm getting the same problem.



ciscoasa# show run access-list

access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B

access-list OUTSIDE-IN extended permit ip any object SERVER01

ciscoasa#


ciscoasa# show run access-group

access-group OUTSIDE-IN in interface outside

ciscoasa#




ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 MY-SERVER01-PUBLIC-IP 12345



Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network SERVER01

nat (inside,outside) static MY-SERVER01-PUBLIC-IP

Additional Information:

NAT divert to egress interface inside

Untranslate MY-SERVER01-PUBLIC-IP/12345 to 1.1.1.2/12345



Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:



Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule
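
For reading traces like the ones posted above, the following added example (not part of the original posts) parses packet-tracer output and reports the first dropping phase, whether the packet hit the implicit deny rather than a configured ACE, and the real address shown on the Untranslate line, which is the address an ACL has to permit. The function name and 203.0.113.10, standing in for the redacted public IP, are assumptions.

```python
import re

# Constructed trace in the format posted in this thread.
TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
object network SERVER01
nat (inside,outside) static 203.0.113.10
Additional Information:
Untranslate 203.0.113.10/12345 to 1.1.1.2/12345

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def first_drop(trace):
    """Return the first DROP phase and the facts needed to fix it, or None."""
    phases, real_dst, reason, field = [], None, None, None
    for line in filter(None, (l.strip() for l in trace.splitlines())):
        if m := re.match(r"Phase: (\d+)$", line):
            phases.append({"phase": int(m.group(1)), "config": []})
            field = None
        elif line in ("Config:", "Additional Information:", "Result:"):
            field = line           # a bare "Result:" opens the final summary
        elif phases and (m := re.match(r"(Type|Result): (\S+)$", line)):
            phases[-1][m.group(1).lower()] = m.group(2)
        elif m := re.match(r"Untranslate \S+ to (\S+)/\d+$", line):
            real_dst = m.group(1)  # address the ACL sees after un-NAT
        elif m := re.match(r"Drop-reason: (.+)$", line):
            reason = m.group(1)
        elif phases and field == "Config:":
            phases[-1]["config"].append(line)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop is None:
        return None
    return {"phase": drop["phase"], "type": drop.get("type"),
            "implicit": drop["config"] == ["Implicit Rule"],
            "real_dst": real_dst, "reason": reason}
```
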

pl.mailloux Fri, 10/11/2013 - 07:49

After a system reload on the ASA, I'm now able to access the server from outside.


Thanks

Jouni Forss Fri, 10/11/2013 - 07:51

Hi,


Glad to hear it's working.


I was scratching my head here wondering what I am missing since I see no reason for it to block the traffic.


- Jouni
