Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Allow TCP Port from outside in

Hi all. I have a Cisco 5510 I am learning, but I need some assistance. I have a laptop behind a router behind the ASA5510 that I am trying to allow an application to accept requests on TCP port 11350. I just don't get enough time to bash this stuff into my head (Too many hats). I appreciate the help!

 

I am using

Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(5)

 

Can someone point out the steps to allow Port 11350 access to a specific IP? That LAPTOP is IP 192.168.1.20 Subnet 255.255.255.0

 

Here is my existing config:

 

ASA5510# show running-config
: Saved
:
ASA Version 9.1(4)
!
hostname ASA5510
domain-name maladomini.int
enable password REDACTED encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd REDACTED encrypted
names
dns-guard
!
interface Ethernet0/0
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.10.1.1 255.255.255.252
!
interface Ethernet0/1
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 199.195.XXX.XXX 255.255.255.240
!
interface Ethernet0/2
 description DMZ
 nameif DMZ
 security-level 100
 ip address 10.10.0.1 255.255.255.252
!
interface Ethernet0/3
 description VOIP
 nameif VOIP
 security-level 100
 ip address 10.10.2.1 255.255.255.252
!
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 0
 no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Inside
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 199.195.XXX.X
 name-server 205.171.2.65
 name-server 205.171.3.65
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name maladomini.int
same-security-traffic permit inter-interface
object network ROUTER-2811
 host 10.10.1.2
object network ROUTER-2821
 host 10.10.0.2
object network WEBCAM-01
 host 192.168.1.5
object network DNS-SERVER
 host 192.168.1.2
object network ROUTER-3745
 host 10.10.2.2
object network RDP-DC1
 host 192.168.1.2
object network BLUE
 host 192.168.1.2
 description Blue Iris Server
object-group network PAT-SOURCE
 network-object 10.10.1.0 255.255.255.252
 network-object 10.10.0.0 255.255.255.252
 network-object 10.10.2.0 255.255.255.252
 network-object 192.168.0.0 255.255.255.0
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 128.162.1.0 255.255.255.0
 network-object 128.162.10.0 255.255.255.0
 network-object 128.162.20.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0
 network-object 162.128.1.0 255.255.255.0
 network-object 162.128.10.0 255.255.255.0
 network-object 162.128.20.0 255.255.255.0
 network-object 142.16.1.0 255.255.255.0
 network-object 142.16.10.0 255.255.255.0
 network-object 142.16.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object host 98.22.xxx.x
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object gre
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.xxx.x interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object RDP-DC1 eq xxxx
access-list Outside_access_in extended permit tcp host 98.22.xxx.x object BLUE eq xxxx
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu DMZ 1500
mtu VOIP 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network ROUTER-2811
 nat (Inside,Outside) static interface service tcp ssh XXX
object network ROUTER-2821
 nat (DMZ,Outside) static interface service tcp ssh XXXX
object network WEBCAM-01
 nat (Inside,Outside) static interface service tcp www xxxx
object network ROUTER-3745
 nat (VOIP,Outside) static interface service tcp ssh XXXX
object network RDP-DC1
 nat (Inside,Outside) static interface service tcp xxxx xxxx
object network BLUE
 nat (Inside,Outside) static interface service tcp xxxx xxxx
!
nat (any,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 199.195.XXX.XXX 1
route DMZ 128.162.1.0 255.255.255.0 10.10.0.2 1
route DMZ 128.162.10.0 255.255.255.0 10.10.0.2 1
route DMZ 128.162.20.0 255.255.255.0 10.10.0.2 1
route VOIP 142.16.1.0 255.255.255.0 10.10.2.2 1
route VOIP 142.16.10.0 255.255.255.0 10.10.2.2 1
route VOIP 142.16.20.0 255.255.255.0 10.10.2.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.10.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.20.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
http 98.22.xxx.x 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.xxx.x 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 24.56.178.140 source Outside prefer
username REDACTED password vj4PdtfGNFrB.Ksz encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect pptp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
hpm topN enable
Cryptochecksum:8b44b8e0616a87bd31026b1c6ec06c41
: end

 

 

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

I am assuming the you want to

I am assuming the you want to allow access from the outside interface to the inside interface (where 1.2.3.4 is the address on the outside interface you want to access 192.168.1.20 from):

access-list Outside_access_in extended permit tcp any host 192.168.1.20 any eq 11350

object network PC
  host 192.168.1.20
  nat (inside,outside) static 1.2.3.4 service tcp 11350 11350

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
3 REPLIES
VIP Green

I am assuming the you want to

I am assuming the you want to allow access from the outside interface to the inside interface (where 1.2.3.4 is the address on the outside interface you want to access 192.168.1.20 from):

access-list Outside_access_in extended permit tcp any host 192.168.1.20 any eq 11350

object network PC
  host 192.168.1.20
  nat (inside,outside) static 1.2.3.4 service tcp 11350 11350

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer
New Member

Thanks, I did everything

Thanks, I did everything except use service for the object network! Thanks! Would it be different is I wanted it any to 11350?

VIP Green

If you are refering to the

If you are refering to the second any in the ACL i posted, that is a typo. -- Please remember to select a correct answer and rate helpful posts
--

Please remember to rate and select a correct answer
135
Views
0
Helpful
3
Replies
CreatePlease login to create content