Always allow traffic on a single port.

michaelatwell
Level 1

I have a private network behind a configured Cisco ASA 5510. I need to send data back and forth between a server on the inside network and a device on the outside network on port 44818. No amount of configuration is allowing this to happen. The packet tracer always fails on one of the implicit "deny" rules, even though my other rule should explicitly permit it. I also realize I need to set up routing from my outside network to the inside network, but I cannot see from the documentation how to do that on this particular port without simultaneously breaking my outside connection.

The inside IP for the ASA is 192.168.25.1

The outside IP for the ASA is 192.168.11.54

Here is my current configuration:

: Saved
: Written by enable_15 at 08:49:25.956 UTC Thu Feb 2 2012
!
ASA Version 8.2(5)
!
hostname asa1
domain-name XXXXXX
enable password jkJ5Rkk2KBfYmP01 encrypted
passwd jkJ5Rkk2KBfYmP01 encrypted
names
name 192.168.25.13 dc1
name 192.168.25.14 dc2
name 192.168.25.11 sorter
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.25.1 255.255.255.0 standby 192.168.25.2
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server dc1
 name-server dc2
 domain-name xxxxxxxx
access-list INSIDE_NAT0_OUTSIDE extended permit ip 192.168.25.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list ICMPACL extended permit icmp any any
access-list 100 extended permit tcp any any eq 44818
access-list ICMP extended permit icmp any any
access-list outside_access_in extended permit tcp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool vpnpool 192.168.3.150-192.168.3.169
failover
failover lan unit primary
failover lan interface Failover1 Ethernet0/3
failover interface ip Failover1 192.168.26.1 255.255.255.0 standby 192.168.26.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
asdm location 192.168.11.54 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_NAT0_OUTSIDE
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 44818 sorter 44818 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.11.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.25.0 255.255.255.0 inside
snmp-server host inside dc1 community public
snmp-server host inside dc2 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VpnSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set VpnSet
crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet 192.168.25.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.25.13 192.168.25.14
 vpn-simultaneous-logins 6
 vpn-tunnel-protocol IPSec webvpn
username xxxxx password zpcqJUyd.u02o3AA encrypted
username xxxxxx attributes
 vpn-simultaneous-logins 6
 webvpn
  url-entry enable
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
 address-pool vpnpool
tunnel-group vpngroup ipsec-attributes
 pre-shared-key zxcASD123098PoIlKjmNb
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:72cded64c55d29a3d231684a59d5abe4
: end

6 Replies

Julio Carvajal
VIP Alumni

Hello Michael,

The thing is that you are using Port-forwarding and that is just for inbound connections.

The outbound packet will use the PAT rule.

Regards,

Julio

Rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The thing is that you are using Port-forwarding and that is just for inbound connections.

The outbound packet will use the PAT rule.

I appreciate your feedback, but I am not sure I follow. I assume you mean I need to add to my existing PAT rules:

nat (inside) 0 access-list IN
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

What would that look like? The documentation is a bit ambiguous in this regard.

I mean you want the outside and inbound connection to use the same port.

With this nat rule:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

The outbound connection will use the next available port.

With this nat:

static (inside,outside) tcp interface 44818 sorter 44818 netmask 255.255.255.255

Only inbound connections will use 44818, not outbound ones, as port-forwarding only works for inbound connections.

Do you follow me?

Julio

Do rate all the helpful posts!!


Yes, I follow you, but that does not answer my question.

How do I allow traffic on port 44818 through my firewall? I have tried the walkthroughs on Cisco's website, but the packets are still dropped with this error:

"flow is denied by configured rule"

The ASDM proceeds to point to one of the implicit rules, but have I not allowed it to permit this traffic? How do I explicitly allow it?

Hello,

Provide the following

packet-tracer input outside tcp 4.2.2.2 1025 interface_ip 44818

Regards,

Julio


I had to change it a bit to work for me. 192.168.25.1 is the inside IP address of the ASA.

asa1# packet-tracer input outside tcp 4.2.2.2 1025 192.168.25.1 44818

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.25.1    255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
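An added example, not part of the thread: a small Python parser for the packet-tracer output posted above. It names the phase that dropped the flow and the rule it matched, and flags the egress "NP Identity Ifc", which packet-tracer reports when the destination is one of the ASA's own addresses (the trace above targets the inside interface IP 192.168.25.1, while the static maps the outside interface address, the `interface_ip` in Julio's command, to sorter). The sample trace is a constructed copy of that output with some lines trimmed.

```python
import re

# Constructed copy of the packet-tracer output posted above (Subtype, Additional Information and link-status lines trimmed).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule

Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Return (phases, summary): one dict per 'Phase:' block plus the final 'Result:' block."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            cur, section = {"phase": int(line.split(":", 1)[1]), "config": []}, None
            phases.append(cur)
        elif line == "Result:":            # bare header: the per-packet summary follows
            cur = section = None
        elif line in ("Config:", "Additional Information:"):
            section = line                 # free-form lines follow until the next header
        elif section == "Config:":
            cur["config"].append(line)     # the rule (or "Implicit Rule") this phase matched
        elif section is None:              # "Key: value" line of a phase or of the summary
            key, _, value = line.partition(":")
            (summary if cur is None else cur)[key.lower()] = value.strip()
    return phases, summary

def diagnose(text):
    """Name the dropping phase and rule, and flag traces aimed at the ASA's own address."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    code = re.match(r"\((\S+)\)", summary.get("drop-reason", ""))
    return {
        "drop_phase": drop["phase"] if drop else None,
        "drop_rule": " ".join(drop["config"]) if drop else None,
        "reason_code": code.group(1) if code else None,
        # Egress "NP Identity Ifc" means the destination is an ASA-owned address: the trace tests to-the-box traffic, not the static for 44818.
        "to_the_box": summary.get("output-interface") == "NP Identity Ifc",
    }
```

A trace whose `to_the_box` flag is set has not exercised the port-forward at all, whatever the ACL says.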
