I have an ASA 5505 I am wanting to use in lieu of a tired old MS ISA Server. I have as a public address 10.1.1.210 for network 10.1.1.0/24.
I have on the private side 10.150.8.4 255.255.255.248 with network DG 10.150.8.254. I need to allow TCP Port 300 in and out and UDP Port 300 in and out.
I can ping both the default gateway and the host on the public side (10.1.1.200), but the application program ( a financial app) which requires port 300 at both sides of the interface will not work.
I feel I am missing something fundamental here. I set up the ISA server (on Windows 2000 no less, about 8 years ago), but I can't set up the ASA 5505, even though I have eight VPNs using the same running to an ASA 5510, all of which I set up.
My IPv4 rules (that is all that's used here) 1, 2, and 3 inside are (using the graphic firewall rules section):
any outside-network/24 tcp Permit
any outside-network/24 udp Permit
any outside-network/24 ip Permit
any any ip Deny
any any tcp Permit
any any udp Permit
any inside-network/21 ip Permit
any any ip Deny
The CLI reads (for the ACL):
access-list TCP_300 extended permit tcp any eq 300 any
access-list UDP_300 extended permit udp any eq 300 any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any 10.15.8.0 255.255.248.0
access-list inside_access_in extended permit tcp any 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit udp any 10.1.1.0 255.255.255.0
access-list inside_access_in extended permit ip any 10.1.1.0 255.255.255.0
I would think this would render the firewall absolutely wide-open, but apparently not.
The host is a SAMBA/AIX machine (works fine with the present firewall) at address 10.1.1.200; they are the only two devices on the "PUBLIC" side.
The PRIVATE side goes into a CISCO VPN router (10.150.8.254) and to IP addresses it routes to.
Basically it is a Home Banking program where initial contact is made (from the Private Side), some questions are answered at the Private Side host, and then it is to pull up the data from the SAMBA/AIX device. This is where it fails, and I am not altogether sure that there isn't another port or set of ports required.
I have examined my ISA server and most ports opened are typicals. I should think that the NetBIOS stuff would be irrelevant (shows what I get for thinking). The rules are basically allow all. If I could get the ASA to do that then I could winnow it down (perhaps).
So the next thing to determine is: are there ANY connections that need to be opened specifically from the "outside" network towards the "inside", OR are ALL connections initiated from the "inside"?
At the moment the NAT configuration only holds a Dynamic PAT from "inside" to "outside". Together with the ACL configuration it means that any connection can be formed from "inside" to "outside" without any problems (or should be).
On the other hand, if there was some need to form a connection from "outside" to "inside", I mean initiated from "outside" to "inside", this would fail. This is because the Dynamic PAT configuration only enables one-way connection initiation.
The best way to monitor what happens in your case would probably be to use ASDM and its Monitor window to see what connections are getting blocked.
Naturally, if you can say right away that there is some connection that needs to be initiated from "outside" to "inside", it might be as easy as configuring a couple of Static PAT configurations.
By the way, which one is the correct mask? You have different masks on the "inside" network in your post. One has 10.150.8.0/29 and the other one has 10.150.8.0/21, the bigger network being in the actual configuration. In that case, if the source of the connection were to fall into that network segment, the connections would naturally fail because the return traffic would never make it back.
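As an added illustration, not part of the thread: a small Python evaluator for ACL lines in the exact form posted above (top-down first match, implicit deny at the end). It makes visible that in `permit tcp any eq 300 any` the `eq 300` sits in the source-port position, so a connection to destination port 300 from an ephemeral source port does not match that entry. The ACL text is constructed from the thread's lines plus one comparison line (TCP_300_DST) that is not in the post.

```python
import ipaddress

# Constructed sample: ACL lines in the form posted in the thread, plus one
# extra line (TCP_300_DST) written with "eq 300" after the destination.
ACL_TEXT = """
access-list TCP_300 extended permit tcp any eq 300 any
access-list TCP_300_DST extended permit tcp any any eq 300
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit udp any any
access-list outside_access_in extended permit ip any 10.15.8.0 255.255.248.0
"""

def _take_addr(tokens):
    """Consume 'any' or 'IP MASK', then the optional 'eq PORT' that belongs to it.

    In ASA extended ACL syntax the operator right after the source address is
    the source port, and the one after the destination is the destination port.
    """
    if tokens[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    else:
        net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
        rest = tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = int(rest[1]), rest[2:]
    return net, port, rest

def parse_acls(text):
    """Return {acl_name: [(action, proto, src, sport, dst, dport), ...]} in line order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
            continue  # skip anything that is not a standard extended ACE
        src, sport, rest = _take_addr(t[5:])
        dst, dport, _ = _take_addr(rest)
        acls.setdefault(t[1], []).append((t[3], t[4], src, sport, dst, dport))
    return acls

def evaluate(aces, proto, src, sport, dst, dport):
    """Top-down first match decides; no match hits the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, anet_s, asport, anet_d, adport in aces:
        if aproto not in ("ip", proto) or s not in anet_s or d not in anet_d:
            continue
        if (asport is None or asport == sport) and (adport is None or adport == dport):
            return action
    return "deny"
```

This models only the ACL match itself; whether a packet ever reaches the ACL also depends on the NAT/xlate state discussed above.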