Accessing a client machine with port forwarding ASA 5505

Phobernomicon
Level 1

We are implementing a program on mobile phones that accesses port 2439 for syncing files from a computer within the domain. I'm new to Cisco routers, and am having a hard time wrapping my head around how to set this up. I'm using an ASA 5505 with ASDM 6.2. I'm just trying to use port forwarding to access the files. Any help would be appreciated.

12 Replies

Jon Marshall
Hall of Fame

Jeremy

Can you post your current ASA config and remove any public IPs for security.

Jon

I'm assuming this is what you are looking for.

ASA Version 8.2(3)
!
hostname ****-asa
domain-name default.domain.invalid
enable password  encrypted
passwd encrypted
no names
name **.**.***.** Cox-Static-IP
name ***.***.*.* Site-*****-Subnet
name ***.***.*.* Site-**********-Subnet
name **.*.*.*** Video-Camera-DVR
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address **.**.***.** 255.255.255.240
!
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone MST -7
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.105.28.16
name-server 68.105.29.16
name-server 8.8.8.8
domain-name default.domain.invalid
object-group network MarvPc
object-group service 2439
service-object tcp source eq 2439
access-list outside_access_in extended permit ip any any
access-list outside_access_in remark Swann Security Camera TCP Admin Access
access-list outside_access_in extended permit tcp any host **.**.***.** eq 9000
access-list outside_access_in remark Swann Security Camera HTTP Access
access-list outside_access_in extended permit tcp any host **.**.***.** eq www
access-list outside_access_in remark Swann Security Camera
access-list outside_access_in extended permit tcp any host **.**.***.** eq 18004
access-list outside_access_in extended permit tcp any any eq 2439
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 9000 10.0.0.125 9000 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.125 www netmask 255.255.255.255
static (inside,outside) tcp interface 18004 10.0.0.125 18004 netmask 255.255.255.255
static (inside,outside) tcp interface 2439 10.0.0.110 2439 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 **.**.***.** 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer **.***.**.**
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer **.***.**.***
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns **.***.**.** **.***.**.**
dhcpd auto_config outside
!
dhcpd address 10.0.0.131-10.0.0.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec
username aljoasatech password .fUia4yjsvpgYe4v encrypted privilege 15
tunnel-group **.***.**.** type ipsec-l2l
tunnel-group **.***.**.** ipsec-attributes
pre-shared-key *****
tunnel-group **.***.**.*** type ipsec-l2l
tunnel-group **.***.**.*** ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b0c3b7b7db62ba5122feede6a72a65f8
: end

Your config looks fine assuming the internal machine is 10.0.0.110.

So is the port definitely TCP, and are you sure there are no other ports needed for this connection?

Jon

Well, I would change the following ACE for security reasons:

enable
config t
no access-list outside_access_in extended permit tcp any any eq 2439
access-list outside_access_in extended permit tcp any interface outside eq 2439

But as Jon stated, the connection should go through.

Value our effort and rate the assistance!

The computer I am trying to reach is 10.0.0.110; the server, on the other hand, is 10.0.0.115. Is there an issue with that? I just don't understand why this isn't working; maybe a setting I've overlooked? I have the ports open on 10.0.0.110 and a firewall exception on the server.

Jeremy

I'm not sure I understand. What is the difference between the computer 10.0.0.110 and the server 10.0.0.115? Which one are you trying to sync the phones with?

Jon

If they are on the same subnet, traffic does not even reach the ASA, so I am a bit confused about what you are asking.

Value our effort and rate the assistance!

The mobile phones need to sync with a client computer at 10.0.0.110. The server is 10.0.0.115. I added this info because the router seems to be set up properly, yet I still cannot connect to sync the phones. I'm thinking I have something set up wrong somewhere, just not sure how to diagnose it. The phones sync fine while connected to the company's wifi using 10.0.0.110, but are unreachable when I use the outside IP address. Sorry for being confusing; I was more trying to clarify the setup.

Jeremy

Still can't see anything wrong with your config. Is there a specific application name for the syncing of the phones? It may be that there is some issue with them using NAT.

Jon

It's a program called HandiFox; it's installed on the phones and within QuickBooks. It tracks inventory and sales. Supposedly it just needs port 2439 to be forwarded. They haven't had this problem before. Is there any more info you guys would like to look at? NIC settings, firewall settings? My head is spinning like Linda Blair's. It has to be a rookie mistake on my part somewhere.

After poring over it a couple more times I realized Jumora mentioned the subnet. Finally noticed this in the log file:

static (inside,outside) tcp interface 2439 10.0.0.110 2439 netmask 255.255.255.255

The subnet mask of that address is 255.255.255.0. Looks like this is the problem. Unfortunately I haven't found how to change the subnet of that forwarding. How can I correct this?
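The two configuration points this thread turns on, the ACE tightening juanmh84 recommended earlier (replacing the `any any` destination on the port 2439 rule with `interface outside`) and the meaning of `netmask 255.255.255.255` on a `static` line (it scopes the translation to exactly one inside host and is unrelated to that host's own subnet mask), can be checked mechanically. The script below is an added example written for this page; it is not Cisco code and not something any participant posted. It parses the `static`, `access-list ... extended` and `access-group` lines of an ASA 8.2-style config, flags the catch-all `permit ip any any` at the top of the inbound ACL (which makes every per-port ACE after it dead), proposes the tightened ACE for each interface-PAT whose ACE still has destination `any`, and explains what each static's netmask scopes. The sample config is constructed from the posted lines, with the masked public address replaced by the documentation placeholder 203.0.113.10; only the `static ... tcp interface PORT` form used in the thread is understood.

```python
# Added example (not Cisco code, not from any poster): audits the static-PAT and
# inbound-ACL lines of an ASA 8.2-style config for the issues raised in this thread.
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample built from the posted config lines; the masked public
# address is replaced by the documentation placeholder 203.0.113.10.
SAMPLE_CONFIG = """
access-list outside_access_in extended permit ip any any
access-list outside_access_in remark Swann Security Camera TCP Admin Access
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 9000
access-list outside_access_in extended permit tcp any any eq 2439
static (inside,outside) tcp interface 9000 10.0.0.125 9000 netmask 255.255.255.255
static (inside,outside) tcp interface 2439 10.0.0.110 2439 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

Finding = Tuple[str, str, Optional[str]]   # (severity, message, CLI fix or None)
Ace = NamedTuple("Ace", [("acl", str), ("action", str), ("proto", str),
                         ("src", str), ("dst", str), ("port", Optional[str])])
Static = NamedTuple("Static", [("mapped_if", str), ("proto", str), ("mapped", str),
                               ("mapped_port", str), ("real", str), ("real_port", str),
                               ("netmask", str)])

def _take_addr(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    # Consume one ACE operand: 'any', 'host A', 'interface IF' or 'NET MASK'.
    if not tokens:
        return None, tokens
    if tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]

def parse_ace(line: str) -> Optional[Ace]:
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        return None                      # remarks and other ACL forms are skipped
    rest, port = t[5:], None
    if len(rest) >= 2 and rest[-2] == "eq":
        port, rest = rest[-1], rest[:-2]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    if src is None or dst is None:
        return None
    return Ace(acl=t[1], action=t[3], proto=t[4], src=src, dst=dst, port=port)

def parse_static(line: str) -> Optional[Static]:
    # static (REAL_IF,MAPPED_IF) PROTO MAPPED MAPPED_PORT REAL REAL_PORT netmask MASK
    t = line.split()
    if len(t) != 9 or t[0] != "static" or t[2] not in ("tcp", "udp") or t[7] != "netmask":
        return None
    return Static(t[1].strip("()").split(",")[1], t[2], t[3], t[4], t[5], t[6], t[8])

def audit(config_text: str) -> List[Finding]:
    aces, statics, inbound = [], [], {}
    for line in (raw.strip() for raw in config_text.splitlines()):
        t = line.split()
        if len(t) == 5 and t[0] == "access-group" and t[2] == "in":
            inbound[t[4]] = t[1]         # interface -> ACL applied inbound on it
        elif (a := parse_ace(line)):
            aces.append(a)
        elif (s := parse_static(line)):
            statics.append(s)
    out: List[Finding] = []
    for iface, acl in inbound.items():
        for a in (x for x in aces if x.acl == acl):
            if (a.action, a.proto, a.src, a.dst) == ("permit", "ip", "any", "any"):
                out.append(("HIGH", f"{acl} on {iface}: 'permit ip any any' admits every port "
                            "of every translated host; the port ACEs after it never match",
                            f"no access-list {acl} extended permit ip any any"))
    for s in statics:
        if s.mapped != "interface":
            continue                     # only the interface-PAT form used in the thread
        desc = f"{s.mapped_if}:{s.mapped_port}/{s.proto} -> {s.real}:{s.real_port}"
        scope = "one inside host" if s.netmask == "255.255.255.255" else "an address range"
        out.append(("INFO", f"static {desc}: netmask {s.netmask} scopes the translation to "
                    f"{scope}; it is not the inside host's subnet mask", None))
        acl = inbound.get(s.mapped_if)
        hits = [a for a in aces if a.acl == acl and a.action == "permit"
                and a.proto == s.proto and a.port == s.mapped_port]
        if not hits:
            out.append(("MEDIUM", f"static {desc}: no inbound ACE permits {s.proto}/"
                        f"{s.mapped_port}; only a catch-all could admit it", None))
        for a in hits:
            if a.dst == "any":
                out.append(("MEDIUM", f"{acl}: ACE for {s.proto}/{s.mapped_port} has destination "
                            "'any'; pin it to the interface that owns the translation",
                            f"access-list {acl} extended permit {a.proto} {a.src} "
                            f"interface {s.mapped_if} eq {a.port}"))
    return out

if __name__ == "__main__":
    for sev, msg, fix in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}" + (f"\n       fix: {fix}" if fix else ""))
```

Run against the sample it reports one HIGH (the `permit ip any any` catch-all, which is why the per-port ACEs in the posted config are never actually consulted), one MEDIUM with the same replacement ACE juanmh84 gave, and an INFO line per static noting that `255.255.255.255` is the translation scope. To audit a real ASA 8.2 export, pass the text of `show running-config` to `audit()` instead of `SAMPLE_CONFIG`.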

Oh my friend I believe that you are confused. Please call me juanmh84 through skype today or tomorrow or at my phone number that is posted on Monday after 11 am CST.

Value our effort and rate the assistance!