5505ASA and Counterstrike

Jan 27th, 2007

hello,

I run a game server and currently clients cannot connect. I can connect to the internet and the game server connects to the internet game managers, but clients cannot connect to me. Below is the running config; as you can see I have attempted to open the ports several times/ways, still nothing! When I probe these ports with an outside tool, they are shown as 'stealth'; I should have a full opening here!

Here is the config, please help me!

Saved
:
ASA Version 7.2(2)
!
hostname CISCO-ASA
domain-name DAVIDUMMEL.COM
enable password BQ3AMEy1YDiWi3f7 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group verizon
 ip address pppoe setroute
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name DAVIDUMMEL.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service STEAM_SERVER tcp-udp
 description this is for connectivity to steam server
 port-object range 27005 27050
access-list outside_access_in extended permit tcp any host 192.168.1.5 range 27005 27050
access-list outside_access_in extended permit udp any host 192.168.1.5 range 27005 27050
access-list outside_access_in extended permit tcp interface outside 192.168.1.0 255.255.255.0 range 27005 27050
access-list outside_access_in extended permit udp interface outside 192.168.1.0 255.255.255.0 range 27005 27050
access-list outside_access_in extended permit tcp any any range 27005 27050
access-list outside_access_in extended permit udp any any range 27005 27050
access-list inside_access_out extended permit tcp host 192.168.1.5 any range 27005 27050
access-list inside_access_out extended permit udp host 192.168.1.5 any range 27005 27050
access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 interface outside range 27005 27050
access-list inside_access_out extended permit udp 192.168.1.0 255.255.255.0 interface outside range 27005 27050
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group verizon request dialout pppoe
vpdn group verizon localname 1
vpdn group verizon ppp authentication pap
vpdn username 1 password ********* store-local
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!

I had to remove stuff for it to fit here.

swharvey Sun, 01/28/2007 - 11:35

Hello,


In looking at your configuration, I don't believe the problem is with your ACLs, but it may be related to the dynamic NAT. If you have available public IP addresses, can you set up a static NAT for your server? I believe that would be the simplest solution.


If you don't have additional public IP addy's available, you could try doing port forwarding.


Example:

port-forward CS-inside range 27005 27050


Two possible problems though with this command:

1) This command may not support the range option.

2) This command may only function with the WebVPN "function" command.


If that is the case, you may need to use Static PAT:


Example:


static (inside,outside) tcp interface 27005 192.168.1.5 27005


The bummer with this command is that I don't believe you can specify a range of ports, so you will need to define several static port redirection commands to reflect all the ports you are trying to allow inbound to your server.


One other item to consider is that I recommend you define a 3rd interface vlan as a dmz (say 192.168.2.0/24) and place your game server on a port in that vlan. Define a security level that is lower than the inside but higher than the outside. This will segregate your game server from your internal devices so that if it is compromised your internal devices are less susceptible to attack.


In thinking about your scenario, I believe option 3 is the most likely to achieve the solution you are after.


I hope this helps. If so please let me know and rate this post!




davidummel_2 Sun, 01/28/2007 - 11:40

thank you SO much for the reply!

i will do as you say and then come back later to report.

Here are some log entries. Not sure if this will help, as well.

thanks again!

does this shed any light?

log entries...

6 Jan 28 2007 19:37:18 302016 69.28.151.162 192.168.1.5 Teardown UDP connection 1696 for outside:69.28.151.162/27011 to inside:192.168.1.5/27015 duration 0:02:01 bytes 183

6 Jan 28 2007 19:35:45 302015 68.142.64.165 192.168.1.5 Built outbound UDP connection 1699 for outside:68.142.64.165/27014 (68.142.64.165/27014) to inside:192.168.1.5/26900 (71.177.125.89/1160)

6 Jan 28 2007 19:35:47 302014 65.193.119.140 192.168.1.3 Teardown TCP connection 1690 for outside:65.193.119.140/80 to inside:192.168.1.3/2459 duration 0:01:05 bytes 3216 TCP FINs

swharvey Sun, 01/28/2007 - 12:48

On the ASA you can set up a capture filter to monitor traffic between the internet and your CS server. Below is an example of a general filter that will capture traffic for you to look at for match hits on the ACL definition:



access-list cs-acl permit ip any host 192.168.1.5
access-list cs-acl permit ip host 192.168.1.5 any
capture cs-cap access-list cs-acl interface inside

show capture cs-cap


Run the show capture cs-cap repeatedly during client connection attempts to see if the traffic is making it through the ASA.


Other commands that are helpful include:


show connection | inc 192.168.1.5 (shows connection threads through the ASA)

show xlate | inc 192.168.1.5 (shows nat translations through the ASA)


To remove the capture access lists just put a no in front of the lines you entered, likewise for the capture command.

Lastly, there is a good book out on the ASAs that Cisco released. It's called Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, written by Jazib Frahim. The ISBN for the book is 1-58705-209-1.

davidummel_2 Sun, 01/28/2007 - 13:52

I added the static PAT,

I began to receive the messages shown below as people attempt to connect.

Strange thing: the 71.177.125.89 address is the outside IP of my connection.


4 Jan 28 2007 21:10:59 106023 86.203.19.8 71.177.125.89 Deny udp src outside:86.203.19.8/1825 dst inside:71.177.125.89/27015 by access-group "inside_access_out" [0x0, 0x0]

4 Jan 28 2007 21:10:58 106023 208.64.90.74 71.177.125.89 Deny udp src outside:208.64.90.74/1212 dst inside:71.177.125.89/27015 by access-group "inside_access_out" [0x0, 0x0]

4 Jan 28 2007 21:10:58 106023 85.212.35.236 71.177.125.89 Deny udp src outside:85.212.35.236/3375 dst inside:71.177.125.89/27015 by access-group "inside_access_out" [0x0, 0x0]

swharvey Sun, 01/28/2007 - 14:16

Okay, I now better understand the problem. The issue is that your ACLs are incorrectly permitting the outside Internet clients to connect to the internal private 192.168.1.5 address of your server, an IP address the clients will never see. Try changing your ACLs so that the destination is the outside interface, or the outside vlan interface:


Example:

Test 1: access-list outside_access_in extended permit tcp any interface vlan2 range 27005 27050

Repeat for all other outside_access_in ACLs.

If that does not work, then try:


Test 2: extended permit tcp any interface Ethernet0/0 range 27005 27050

Likewise, repeat the changes to the destination for all outside_access_in ACLs.


One of those two options should work.


Good luck!
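An added example, not from anyone in this thread, that parses the ASA 106023 "Deny ... by access-group" log lines posted above and flags the symptom swharvey diagnosed: denies whose destination is the firewall's own outside address on the game ports, which means the ACL named the server's private address that Internet clients never see. The sample lines are constructed from the ones posted in the thread; the outside address 71.177.125.89, the server 192.168.1.5 and the 27005-27050 range are taken from the thread.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the ones posted in this thread.
SAMPLE_LOG = """\
4 Jan 28 2007 21:10:59 106023 86.203.19.8 71.177.125.89 Deny udp src outside:86.203.19.8/1825 dst inside:71.177.125.89/27015 by access-group "inside_access_out" [0x0, 0x0]
4 Jan 28 2007 21:10:58 106023 208.64.90.74 71.177.125.89 Deny udp src outside:208.64.90.74/1212 dst inside:71.177.125.89/27015 by access-group "inside_access_out" [0x0, 0x0]
6 Jan 28 2007 19:37:18 302016 69.28.151.162 192.168.1.5 Teardown UDP connection 1696 for outside:69.28.151.162/27011 to inside:192.168.1.5/27015 duration 0:02:01 bytes 183
6 Jan 28 2007 19:35:47 302014 65.193.119.140 192.168.1.3 Teardown TCP connection 1690 for outside:65.193.119.140/80 to inside:192.168.1.3/2459 duration 0:01:05 bytes 3216 TCP FINs
"""

# Shape of a 106023 "Deny ... by access-group" message as logged by ASA 7.2.
DENY_RE = re.compile(
    r"^\d+ \w{3} \d+ \d{4} \d\d:\d\d:\d\d 106023 \S+ \S+ Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_deny(line: str) -> Optional[dict]:
    """Return the fields of a 106023 deny line, None for any other message."""
    m = DENY_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d

def misdirected_denies(log: str, outside_ip: str, ports: tuple) -> list:
    """Denies whose destination is the firewall's own outside address on a
    published port: the symptom diagnosed in the thread, where the ACL named
    the server's private address, which Internet clients never see."""
    lo, hi = ports
    return [d for d in map(parse_deny, log.splitlines())
            if d and d["dst_ip"] == outside_ip and lo <= d["dst_port"] <= hi]

def denies_by_acl(log: str) -> dict:
    """Count denies per access-group to see which ACL is dropping traffic."""
    counts: dict = {}
    for d in map(parse_deny, log.splitlines()):
        if d:
            counts[d["acl"]] = counts.get(d["acl"], 0) + 1
    return counts

if __name__ == "__main__":
    for d in misdirected_denies(SAMPLE_LOG, "71.177.125.89", (27005, 27050)):
        print(f"{d['src_ip']}:{d['src_port']} -> {d['dst_ip']}:{d['dst_port']} "
              f"denied by {d['acl']}")
```

Feed it the output of `show logging` (or a syslog export) in place of SAMPLE_LOG; the 302015/302016 connection lines are ignored, so only the access-group denies are counted.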


davidummel_2 Sun, 01/28/2007 - 15:28

WOW!

you got it!

The command was not recognized, but you had me thinking in the correct direction. I made the corrections in the GUI setup and all is good with the world again. And this was a very good lesson. I have much to learn with this unit, but there is no better way than to abandon my original firewall and work with the Cisco.

thank you VERY SO MUCH!

swharvey Sun, 01/28/2007 - 17:01

Glad to hear it and thanks for the great ratings.


Happy gaming!


-Scott
