Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ASA 5510 8.3 open ports problem

Hi All,

I got a situation here for Nat-ed IPs i configured. I expected to open some ports on the interface to allow certain traffics to pass through, yet there are some of them are failed. Down is my current config.

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object tcp destination eq https

service-object tcp-udp destination eq 443

service-object tcp-udp destination eq 3389

service-object tcp-udp destination eq www

service-object tcp-udp destination eq domain

service-object tcp-udp destination eq 5061

service-object tcp-udp destination eq 3478

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2

ny any

access-group outside_access_in in interface outside

The only ports opened are 443, www, 3389 while ports domain, 5061,3478,3389.

Please advise how to open domain, 5061, 3478, and 3389 ports on my ASA .

Thanks

  • Firewalling
6 REPLIES
Red

Cisco ASA 5510 8.3 open ports problem

Hi Luqman,

What are the static commands that you have, can you please let me know the ip address for which you need to open these ports and can you also share an output of "show run static"

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Cisco ASA 5510 8.3 open ports problem

Hi Varun,

object network DMZ-11

host 192.168.1.11

nat (DMZ,outside) static 1.1.1.1

object network DMZ-12

host 192.168.1.12

nat (DMZ,outside) static 1.1.1.2

object network DMZ-13

host 192.168.1.13

nat (DMZ,outside) static 1.1.1.3

I supposed those the only static nat i configured. and those IPs above i want it ports opened as well, sh run static doesnt work on 8.3 version. I tried using any any but seems doesnt work either on access list.

Red

Cisco ASA 5510 8.3 open ports problem

Can you please use these static and try:

object newtork DMZ11_public

  host 1.1.1.1

object newtork DMZ12_public

  host 1.1.1.2

object newtork DMZ13_public

  host 1.1.1.3

nat (outside,DMZ) source static any any destination static DMZ11-public DMZ-11

nat (outside,DMZ) source static any any destination static DMZ12-public DMZ-12

nat (outside,DMZ) source static any any destination static DMZ13-public DMZ-13

Let me knw how it goes.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Cisco ASA 5510 8.3 open ports problem

Hi varon, nope, still remain the same.

I reckon there's nothing wrong with the NAT but the access list it self since some ports are opened.

Red

Cisco ASA 5510 8.3 open ports problem

Hi Luqman,

If you suspect it to be the access-list, can you just for testing apply this:

access-list outside_access_in extended permit any any

Just check if it works, if not then it does seem to be the ACL issue.

Lets see what happens.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
New Member

Cisco ASA 5510 8.3 open ports problem

Hi Varun,

It doesnt work either. Anyway, below is the packet tracer i did try.

ciscoasa# packet-tracer input DMZ tcp 8.8.8.8 80 192.168.1.11 5061

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

Does it mean it already opened ? yet i still cant see it opened on the scanner

1755
Views
0
Helpful
6
Replies