I run a game server and currently clients cannot connect. I can connect to the internet and the game server connects to the internet game managers, but clients cannot connect to me. Below is the running config; as you can see I have attempted to open the ports several times/ways, still nothing! When I probe these ports with an outside tool, they show as 'stealth', and I should have a full opening here!
Here is the config, please help me!
ASA Version 7.2(2)
enable password BQ3AMEy1YDiWi3f7 encrypted
ip address 192.168.1.1 255.255.255.0
pppoe client vpdn group verizon
ip address pppoe setroute
no forward interface Vlan1
no ip address
switchport access vlan 2
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service STEAM_SERVER tcp-udp
description this is for connectivity to steam server
port-object range 27005 27050
access-list outside_access_in extended permit tcp any host 192.168.1.5 range 27005 27050
access-list outside_access_in extended permit udp any host 192.168.1.5 range 27005 27050
In looking at your configuration, I don't believe the problem is with your ACLs, but it may be related to the dynamic NAT. If you have available public IP addresses, can you set up a static NAT for your server? I believe that would be the simplest solution.
If you don't have additional public ip addy's available, you could try doing port forwarding.
port-forward CS-inside range 27005 27050
Two possible problems though with this command:
1) This command may not support the range option.
2) This command may only function with the WebVPN "function" command.
If that is the case, you may need to use Static PAT:
The bummer with this command is that I don't believe you can specify a range of ports, so you will need to define several static port redirection commands to reflect all the ports you are trying to allow inbound to your server.
One other item to consider is that I recommend you define a 3rd interface VLAN as a DMZ (say 192.168.2.0/24) and place your game server on a port in that VLAN. Define a security level that is lower than the inside but higher than the outside. This will segregate your game server from your internal devices so that if it is compromised your internal devices are less susceptible to attack.
In thinking about your scenario, I believe option 3 is the most likely to achieve the solution you are after.
I hope this helps. If so please let me know and rate this post!
On the ASA you can set up a capture filter to monitor traffic between the internet and your CS server. Below is an example of a general filter that will capture traffic for you to look at for match hits on the ACL definition:
Run the show capture cs-cap repeatedly during client connection attempts to see if the traffic is making it through the ASA.
Other commands that are helpful include:
show connection | inc 192.168.1.5 (shows connection threads through the ASA)
show xlate | inc 192.168.1.5 (shows nat translations through the ASA)
To remove the capture access lists just put a no in front of the lines you entered, likewise for the capture command.
Lastly, there is a good book out on the ASAs that Cisco released. It's called Cisco ASA: All-in-One Firewall, IPS and VPN Adaptive Security Appliance, written by Jazib Frahim. The ISBN for the book is 1-58705-209-1.
Okay, I now better understand the problem. The issue is that your ACLs are incorrectly permitting the outside Internet clients to connect to the internal private 192.168.1.5 address of your server, an IP address the clients will never see. Try changing your ACLs so that the destination is the outside interface, or the outside VLAN interface:
Test 1: access-list outside_access_in extended permit tcp any interface vlan2 range 27005 27050
Repeat for all other outside_access_in ACLs.
If that does not work, then try:
Test 2: extended permit tcp any interface Ethernet0/0 range 27005 27050
Likewise, repeat the destination changes for all outside_access_in ACLs.
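As an added example (not from any post in this thread), here is how the per-port static PAT from the first reply and the outside-interface ACL destination from the later reply fit together in ASA 7.2 syntax, together with the capture filter for verifying hits. It assumes the outside VLAN is named "outside" and the inside VLAN "inside" (names not shown in the posted excerpt), and lists only two of the 46 ports.

```cisco
! Assumed interface names; the posted config excerpt does not show nameif lines
interface Vlan2
 nameif outside
 security-level 0
!
! Static PAT: one entry per port and protocol, since static has no range option.
! "interface" as the global address means the PPPoE-assigned outside IP.
static (inside,outside) tcp interface 27015 192.168.1.5 27015 netmask 255.255.255.255
static (inside,outside) udp interface 27015 192.168.1.5 27015 netmask 255.255.255.255
static (inside,outside) tcp interface 27016 192.168.1.5 27016 netmask 255.255.255.255
static (inside,outside) udp interface 27016 192.168.1.5 27016 netmask 255.255.255.255
! ... repeat for every remaining port in 27005-27050
!
! Inbound ACL destination is the outside interface address, not 192.168.1.5,
! because that is the address the Internet clients actually send to.
access-list outside_access_in extended permit tcp any interface outside range 27005 27050
access-list outside_access_in extended permit udp any interface outside range 27005 27050
access-group outside_access_in in interface outside
!
! Capture filter to confirm client traffic is reaching the ASA at all
access-list cs-cap extended permit tcp any any range 27005 27050
access-list cs-cap extended permit udp any any range 27005 27050
capture cs-cap access-list cs-cap interface outside
```

After adding the static entries, run clear xlate so the existing dynamic translation for 192.168.1.5 is dropped and the static PAT takes effect; then show xlate and show capture cs-cap confirm whether hits arrive and are translated.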
The command was not recognized, but you had me thinking in the correct direction. I made the corrections in the GUI setup and all is good with the world again. This was a very good lesson. I have much to learn with this unit, but there is no better way than to abandon my original firewall and work with the Cisco.