
Cisco ASA 5505 Open access outside interface

bavo
Level 1

Hi,

I know there are a lot of topics that describe how to open a port on the outside interface to a server inside.
But I've tried lots of them and it is not working.

I have a game server inside on my network. I've asked a few friends to join me on this quest. Therefore I need to open 4 ports for them to access the server. The server has a static IP address, 10.0.0.1. I need to open the following ports to connect to the server correctly:
tcp/12871, tcp/12881, udp/12871, and udp/12881

This is what I have already done:

object network [server name]
host 10.0.0.1
nat (inside,outside) static interface service tcp 12871 12871
nat (inside,outside) static interface service tcp 12881 12881
nat (inside,outside) static interface service udp 12871 12871
nat (inside,outside) static interface service udp 12881 12881

From here on I'm lost as to what to do next.
Maybe someone can help me with this.

Would be greatly appreciated.
Thanks in advance.

Greetings
Palermo

I'm running ASDM version: 7.5(1)
Software version: 9.2(4)

4 Replies

Boris Uskov
Level 4

Hello,

The correct NAT sentences are not enough to open access from outside. By default, the outside interface on an ASA has a security level equal to 0, and the inside interface by default has a security level equal to 100.

Cisco ASA works according to the following rule. If no access-lists are configured, traffic from a lower security level interface flowing to a higher security level interface (e.g. from outside to inside) is denied.

To permit some traffic patterns from outside to inside you need to create an access-list and apply it to the outside interface in the "in" direction.

I usually use CLI for configuring ASA, so, I can give you some CLI-examples:

! NAT configuration
object network Server
 host 10.0.0.1
object network Server_tcp12871
 host 10.0.0.1
 nat (inside,outside) static interface service tcp 12871 12871 
object network Server_tcp12881
 host 10.0.0.1
 nat (inside,outside) static interface service tcp 12881 12881 
object network Server_udp12871
 host 10.0.0.1
 nat (inside,outside) static interface service udp 12871 12871 
object network Server_udp12881
 host 10.0.0.1
 nat (inside,outside) static interface service udp 12881 12881 

! Access-list configuration
access-list outside-in extended permit tcp any object Server eq 12871
access-list outside-in extended permit tcp any object Server eq 12881
access-list outside-in extended permit udp any object Server eq 12871
access-list outside-in extended permit udp any object Server eq 12881
! Apply access-list to outside interface
access-group outside-in in interface outside

Hope this helps.

Hi Boris,

Thanks for helping.

I've configured the ASA with the CLI example you gave.
But it is still not possible to access through the ports.

The strange thing is that I don't see any denies on the outside interface. I've configured a "deny ip any any" with logging at the end of the outside interface access-list.
I've asked a person to telnet on port 80 and indeed I see the deny. This is also working for port 443. But for all higher ports I don't see the denies in the logging.

In the next post I'll post the configuration.

Thanks again for helping

Hello, 

So, I think the following nat rule might be the issue:

nat (inside,outside) source static obj_any obj_any

It seems that you need this rule for NAT exemption and VPN. But I don't see tunnel-groups and group-policies for VPN configuration, so I can make a suggestion that VPN is not used on your gear.

If my suggestion is correct, try to remove the following nat rule from your configuration:

no nat (inside,outside) source static obj_any obj_any
clear xlate
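To make the two points in Boris's replies concrete (the outside-in access-list only matters once NAT has untranslated the packet, and the ASA evaluates Section 1 manual NAT before Section 2 object NAT with first match winning), here is an added Python model of that inbound lookup; it is not code from the thread or from Cisco, and it assumes a constructed outside address 203.0.113.10 in place of the DHCP-assigned one and omits the VPN-pool and dynamic rules, which do not match inbound traffic to the interface IP.

```python
# Added example (not from the thread): simplified model of ASA inbound NAT lookup.
# Section 1 (manual/twice NAT) is checked before Section 2 (object NAT); first match wins.
from dataclasses import dataclass

@dataclass
class NatRule:
    section: int         # 1 = manual (twice) NAT, 2 = object (auto) NAT
    name: str
    real_host: str       # "any" or a single inside IP
    mapped_host: str     # "interface" = outside interface IP, "any", or an IP
    proto: str = "any"   # "tcp", "udp" or "any"
    port: int = 0        # 0 = any port

OUTSIDE_IP = "203.0.113.10"   # constructed placeholder for the DHCP-assigned outside IP

def inbound_match(rule, proto, dst_ip, dst_port):
    """Inbound (outside->inside) lookups compare the packet against the mapped side."""
    mapped = OUTSIDE_IP if rule.mapped_host == "interface" else rule.mapped_host
    if mapped != "any" and mapped != dst_ip:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return rule.port == 0 or rule.port == dst_port

def untranslate(rules, proto, dst_ip, dst_port):
    """Return (matching rule name, real destination IP); sorted() is stable, so
    rules keep their listed order inside each section."""
    for rule in sorted(rules, key=lambda r: r.section):
        if inbound_match(rule, proto, dst_ip, dst_port):
            real = dst_ip if rule.real_host == "any" else rule.real_host
            return rule.name, real
    return None, dst_ip   # no rule: destination stays the firewall's own address

# The four object-NAT port forwards from the posted configuration (Section 2)
PORT_FORWARDS = [
    NatRule(2, "hwserver_tcp12871", "10.0.0.1", "interface", "tcp", 12871),
    NatRule(2, "hwserver_tcp12881", "10.0.0.1", "interface", "tcp", 12881),
    NatRule(2, "hwserver_udp12871", "10.0.0.1", "interface", "udp", 12871),
    NatRule(2, "hwserver_udp12881", "10.0.0.1", "interface", "udp", 12881),
]
# The catch-all identity rule Boris points at (Section 1, no destination = any)
IDENTITY_ANY = NatRule(1, "source static obj_any obj_any", "any", "any")

def with_identity_rule():
    # Identity rule is hit first: destination is left as the outside IP,
    # so the packet is handled as traffic to the firewall itself.
    return untranslate([IDENTITY_ANY] + PORT_FORWARDS, "tcp", OUTSIDE_IP, 12871)

def without_identity_rule():
    # With the rule removed, the port forward untranslates to the game server.
    return untranslate(PORT_FORWARDS, "tcp", OUTSIDE_IP, 12871)
```

This also explains the missing deny logs: a packet that is never untranslated to an inside host is treated as addressed to the ASA itself and is not evaluated by the outside-in access-list, so neither the permit nor the final deny entry is logged.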

Here is the configuration.
Of course I removed the private parts of this configuration.

!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.96_28
 subnet 10.0.0.96 255.255.255.240
object network hwserver
 host 10.0.0.1
object network hwserver_tcp12871
 host 10.0.0.1
object network hwserver_tcp12881
 host 10.0.0.1
object network hwserver_udp12871
 host 10.0.0.1
object network hwserver_udp12881
 host 10.0.0.1
access-list inside_access_in extended permit ip any any
access-list outside-in extended permit tcp any object hwserver eq 12871 log errors
access-list outside-in extended permit tcp any object hwserver eq 12881 log errors
access-list outside-in extended permit udp any object hwserver eq 12871 log errors
access-list outside-in extended permit udp any object hwserver eq 12881 log errors
access-list outside-in extended deny ip any any log errors
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.96_28 NETWORK_OBJ_10.0.0.96_28 no-proxy-arp route-lookup
nat (outside,outside) source dynamic RA_VPN interface
nat (inside,outside) source static obj_any obj_any
!
object network obj_any
 nat (inside,outside) dynamic interface
object network hwserver_tcp12871
 nat (inside,outside) static interface service tcp 12871 12871
object network hwserver_tcp12881
 nat (inside,outside) static interface service tcp 12881 12881
object network hwserver_udp12871
 nat (inside,outside) static interface service udp 12871 12871
object network hwserver_udp12881
 nat (inside,outside) static interface service udp 12881 12881
access-group inside_access_in in interface inside control-plane
access-group outside-in in interface outside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 15
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
 wins-server none
 dns-server value 62.179.104.210
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
 split-tunnel-policy tunnelall
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect ipsec-pass-thru
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:f792adb275d170cb96958a45566c248d
: end
ciscoasa#