10-11-2013 04:43 AM - edited 03-11-2019 07:50 PM
Hi everyone.
I'm trying to open ports on a specific host but I can't make it work.
I tried to make it clear as possible,
Thanks for helping.
There is my config:
Result of the command: "show run"
: Saved
:
ASA Version 9.1(3)
!
hostname ciscoasa
enable password *** encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd *** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address MY-FIREWALL-IP 255.255.255.240
!
boot system disk0:/asa913-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LAN-SITE-B
subnet 1.1.2.0 255.255.255.0
object network LAN-SITE-A
subnet 1.1.1.0 255.255.255.0
object network Firewall-SITE-B
host VPN-SITE-B-IP
object network SERVER01
host 1.1.1.2 (MY SERVER THAT I WANT TO ACCESS FROM OUTSIDE)
object-group service ALL-IP tcp-udp
description ALL-IP
port-object range 1 65535 (FOR TESTING PURPOSE, I'M TRYING TO OPEN ALL PORTS ON THIS HOST)
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
access-list outside_access_in extended permit object-group TCPUDP any host MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE) object-group ALL-IP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LAN-SITE-A LAN-SITE-B destination static LAN-SITE-B LAN-SITE-A no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network SERVER01
nat (inside,outside) static MY-HOST-PUBLIC-IP (DIFFERENT FROM THE OUTSIDE INTERFACE)
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 MY-GATEWAY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 1.1.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer SITE-B
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 1.1.1.100-1.1.1.125 inside
dhcpd dns 24.200.241.37 24.201.245.77 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_SITE-B internal
group-policy GroupPolicy_SITE-B attributes
vpn-tunnel-protocol ikev1 ikev2
username MY-USER password *** encrypted privilege 15
tunnel-group SITE-B type ipsec-l2l
tunnel-group SITE-B general-attributes
default-group-policy GroupPolicy_SITE-B
tunnel-group SITE-B ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f5d698f2b08e98028f2d487a42c7187e
: end
Solved! Go to Solution.
10-11-2013 05:55 AM
Hi,
You have no ACL attached to the "outside" interface
You would have to add
access-group SERVER01 in interface outside
Do notice that the ACL might be good to be named a bit more generally rather referencing the inteface to which its attached since any other future ACL rules would have to use this ACL
So you could for example instead do (WITHOUT adding the above "access-group" command)
access-list OUTSIDE-IN extended permit ip any object SERVER01
access-group OUTSIDE-IN in interface outside
- Jouni
10-11-2013 05:09 AM
Hi,
Make sure that you allow the traffic to the local IP address of the server rather then the public IP address
The general format for Static NAT and the ACL you should use is
object network SERVER01
host
nat (inside,outside) static
access-list
The ACL in this situation reflects your need to allow everything in the testing phase. This is a lot simpler ACL than the one above because this essentially allows all TCP/UDP and for example also ICMP
After this you can test the rules with
packet-tracer input outside tcp 1.1.1.1 12345
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question
Feel free to ask more if needed
- Jouni
10-11-2013 05:23 AM
Hi JouniForss,
Thanks for your help.
Still no access, there is the reply from packet-tracer
ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 MY-SERVER01-PUBLIC-IP 12345
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SERVER01
nat (inside,outside) static MY-SERVER01-PUBLIC-IP
Additional Information:
NAT divert to egress interface inside
Untranslate MY-SERVER01-PUBLIC-IP/12345 to 1.1.1.2/12345
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
10-11-2013 05:27 AM
Hi,
Can you provide the output of
show run access-list
show run access-group
- Jouni
10-11-2013 05:41 AM
There is the info your requested :
ciscoasa# show run access-list
access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
access-list SERVER01 extended permit ip any object SERVER01
ciscoasa# show run access-group
ciscoasa#
Thanks
10-11-2013 05:55 AM
Hi,
You have no ACL attached to the "outside" interface
You would have to add
access-group SERVER01 in interface outside
Do notice that the ACL might be good to be named a bit more generally rather referencing the inteface to which its attached since any other future ACL rules would have to use this ACL
So you could for example instead do (WITHOUT adding the above "access-group" command)
access-list OUTSIDE-IN extended permit ip any object SERVER01
access-group OUTSIDE-IN in interface outside
- Jouni
10-11-2013 06:45 AM
Hi Jouni,
Thanks for helping again,
Looks like i'm getting the same problem.
ciscoasa# show run access-list
access-list outside_cryptomap extended permit ip object LAN-SITE-A object LAN-SITE-B
access-list OUTSIDE-IN extended permit ip any object SERVER01
ciscoasa#
ciscoasa# show run access-group
access-group OUTSIDE-IN in interface outside
ciscoasa#
ciscoasa# packet-tracer input outside tcp 1.1.1.1 12345 MY-SERVER01-PUBLIC-IP 12345
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SERVER01
nat (inside,outside) static MY-SERVER01-PUBLIC-IP
Additional Information:
NAT divert to egress interface inside
Untranslate MY-SERVER01-PUBLIC-IP/12345 to 1.1.1.2/12345
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
10-11-2013 07:49 AM
After a system reload on the ASA, I'm now able to access the server from outside.
Thanks
10-11-2013 07:51 AM
Hi,
Glad to hear its working.
I was scratching my head here wondering what I am missing since I see no reason for it to block the traffic.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide