1226 Views, 0 Helpful, 14 Replies

Configuring inbound access on ASA 5520

amcmillon (Level 1)

I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration.

object-group service RDP tcp
 port-object range 3389 3410
access-list 101 extended permit tcp any host 207.87.60.150 object-group RDP
access-list 101 extended permit ip any any
nat-control
global (Outside) 1 207.87.60.150
nat (Inside) 1 10.28.100.0 255.255.255.0
static (Inside,Outside) 207.87.60.150 10.28.100.22 netmask 255.255.255.255
access-group 101 in interface Outside
route Outside 0.0.0.0 0.0.0.0 207.87.60.149 1

14 Replies

ajay chauhan (Level 7)

Is this IP (207.87.60.150) configured on your outside interface?

Ajay,

Yes. That is the outside interface IP address. Now, regarding host 10.28.100.22 with inbound access for object-group RDP, that is just for testing inbound access.

Can you make these changes and try?

no static (Inside,Outside) 207.87.60.150 10.28.100.22 netmask 255.255.255.255
access-list 101 extended permit tcp any interface Outside eq 3389
static (Inside,Outside) tcp interface 3389 10.28.100.22 3389 netmask 255.255.255.255

Thanks

Ajay

Ajay,

I'll make these changes and let you know later in the day. By the way, there are some other ports that need to be open to another local host. Can I have open ports to multiple hosts? For example, I need to have telnet open on the inside IP address of another host. Is this possible with static PAT?

Yes, you can very well do it.

You just need to add more statements like:

static (Inside,Outside) tcp interface www 10.28.100.23 www netmask 255.255.255.255

And allow it in the outside ACL.

Thanks

Ajay

Ajay,

Thanks. Can I use the same ACL name or number for the other inside hosts, or do I need to enter a different ACL name or number, such as ACL 102, to open the ports for the other inside host?

Anthony

You can only have one ACL in each direction on an interface. Since you already have 101 on the Outside interface, you just need to add more entries to allow the communication. If I understood your question correctly, you mean more mapped ports on the Outside interface?

Then yes, ACL 101 will do.

access-list 101 extended permit tcp any interface Outside eq 3389

An object group can also be used:

access-list 101 extended permit tcp any interface Outside object-group RDP

It is better to use an object group if you are going to open multiple ports.

Thanks

Ajay

Ajay,

I believe that you have answered my question. What I meant is that I have another inside host, let's say its IP address is 10.28.100.23, and I need to have telnet open; so, if I am interpreting your response correctly, I can just add another access list entry to access-list 101. For example, I could add after the first access list entry:

access-list 101 extended permit tcp any interface Outside eq 23

Next, the appropriate static translation for this IP address and port should be the following:

static (Inside,Outside) tcp interface 23 10.28.100.23 23 netmask 255.255.255.255

I hope that I made the correct assumption.

Anthony


That's correct!

Ajay,

I had changed the default RDP port on the local host to port 3400, which explains why I had to leave the static and access-list entries for that port as they were. I have been trying to remote to the local host from an outside network, but I am still having no luck. I believe that RDP outbound may be blocked on the VPN network at work where I have been trying to remote to the local host from.

Would you please just look at the complete configuration of the appliance and let me know whether there are any additional problems and whether the changes I have made are complete.

Anthony

asdm image disk0:/asdm-508.bin
asdm location 10.28.100.22 255.255.255.255 Inside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname dcc-asa
domain-name default.domain.invalid
enable password  encrypted
passwd  encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 no ip address
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 10
 ip address 10.28.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
object-group service RDP tcp
 port-object range 3389 3410
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any interface Outside eq 3389
access-list 101 extended permit tcp any interface Outside eq 3400
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 207.87.60.150
nat (Inside) 1 10.28.100.0 255.255.255.0
static (Inside,Outside) tcp interface 3389 10.28.100.22 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface 3400 10.28.100.22 3400 netmask 255.255.255.255
access-group 101 in interface Outside
route Outside 0.0.0.0 0.0.0.0 207.87.60.149 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password tFn1CkZYLaQnGOOs encrypted privilege 15
http server enable
http 10.28.100.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.28.100.70-10.28.100.254 Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 65.106.1.196 65.106.7.196
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable Inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:0df74e4074761a32da84a1c0c8caef42
: end

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 no ip address

Not sure why 207.87.60.150 is not configured here?

Thanks

Ajay
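The two configurations discussed in this thread (the first post's one-to-one static that collides with the PAT global address, and the review above that found no IP address on the Outside interface) can be checked mechanically. The script below is an added example written for this page; it is not Cisco tooling and not the poster's code. It parses the pre-8.3 `static`/`global`/`access-list`/`access-group` syntax used here and reports the four things the replies above check by hand: an outside interface with no IP address, a one-to-one static that claims the `global` PAT address, a `permit ip any any` bound inbound, and a static PAT with no matching permit. The ORIGINAL and FIXED configs are constructed from the thread; the /29 mask on the fixed Outside interface is an assumption, since the page never states it.

```python
"""Lint an ASA 7.x (pre-8.3 NAT syntax) port-forward config; added example for this page, not Cisco's."""
import re

STATIC_PAT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_1TO1 = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
GLOBAL = re.compile(r"^global \((\w+)\) \d+ (\S+)")
ACL = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\w+)")

def port_num(tok):                                  # ASA accepts names such as www or telnet
    return {"telnet": 23, "www": 80, "https": 443}.get(tok) or int(tok)

def _addr(tok):                                     # any | host A | interface IF | NET MASK
    kind = tok.pop(0)
    if kind == "any":
        return ("any", None)
    return (kind, tok.pop(0)) if kind in ("host", "interface") else ("net", kind + "/" + tok.pop(0))

def _ports(tok, groups):                            # optional 'eq P' / 'object-group G'; None = any port
    kind = tok.pop(0) if tok else None
    if kind == "eq":
        return {port_num(tok.pop(0))}
    return set(groups.get(tok.pop(0), ())) if kind == "object-group" else None

def parse(text):
    cfg = {"if_ip": {}, "globals": {}, "pats": [], "one_to_one": [], "acls": {}, "groups": {}, "bindings": []}
    cur_if = cur_group = None
    for raw in text.splitlines():
        line = raw.strip()
        w = line.split()
        if not w or line[0] in "!:":
            continue
        if w[0] == "nameif":                        # 'ip address' that follows belongs to this nameif
            cfg["if_ip"].setdefault((cur_if := w[1]), None)   # stays None under 'no ip address'
        elif w[:2] == ["ip", "address"] and cur_if:
            cfg["if_ip"][cur_if] = w[2]
        elif w[:2] == ["object-group", "service"]:
            cfg["groups"][(cur_group := w[2])] = set()
        elif w[0] == "port-object" and cur_group:   # 'eq P' or 'range LO HI'
            ports = [port_num(p) for p in w[2:]]
            cfg["groups"][cur_group].update(range(ports[0], ports[-1] + 1))
        elif (m := STATIC_PAT.match(line)):
            _, map_if, proto, _, mport, real_ip, rport = m.groups()
            cfg["pats"].append((map_if, proto, port_num(mport), real_ip, port_num(rport)))
        elif (m := STATIC_1TO1.match(line)):
            cfg["one_to_one"].append(m.groups() + (line,))   # (real_if, map_if, mapped, real_ip, line)
        elif (m := GLOBAL.match(line)):
            cfg["globals"][m.group(1)] = m.group(2)
        elif (m := ACL.match(line)):
            name, action, proto, rest = m.groups()
            src, dst = _addr(tok := rest.split()), _addr(tok)
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst, _ports(tok, cfg["groups"])))
        elif (m := ACCESS_GROUP.match(line)):
            cfg["bindings"].append(m.groups())
    return cfg

def lint(text):                                     # findings per inbound ACL; [] means consistent
    cfg, out = parse(text), []
    for acl_name, direction, ifname in cfg["bindings"]:
        if direction != "in":
            continue
        if_ip = cfg["if_ip"].get(ifname)
        if if_ip is None:
            out.append(f"{ifname}: no ip address, so 'interface {ifname}' in static PAT and ACL entries binds nothing")
        for real_if, map_if, mapped, real_ip, line in cfg["one_to_one"]:
            if map_if == ifname and mapped == cfg["globals"].get(ifname):
                out.append(f"'{line}' reuses the global ({ifname}) address; use "
                           f"'static ({real_if},{ifname}) tcp interface <port> {real_ip} <port>' instead")
        permits = [e for e in cfg["acls"].get(acl_name, []) if e[0] == "permit"]
        if any(p[1] == "ip" and p[2][0] == "any" and p[3][0] == "any" for p in permits):
            out.append(f"ACL {acl_name}: 'permit ip any any' inbound on {ifname}; permit only the forwarded ports")
        for map_if, proto, mport, real_ip, rport in cfg["pats"]:
            hit = any(ap in (proto, "ip") and (ports is None or mport in ports)
                      and (dst[0] == "any" or dst in (("interface", ifname), ("host", if_ip)))
                      for _, ap, _src, dst, ports in permits)
            if map_if == ifname and not hit:
                out.append(f"static PAT {proto}/{mport} -> {real_ip}:{rport} has no permit in ACL {acl_name}")
    return out

# Constructed from the thread: the first post's state, then the static-PAT form; the /29 mask is assumed.
ORIGINAL = """\
 nameif Outside
 no ip address
object-group service RDP tcp
 port-object range 3389 3410
access-list 101 extended permit tcp any host 207.87.60.150 object-group RDP
access-list 101 extended permit ip any any
global (Outside) 1 207.87.60.150
static (Inside,Outside) 207.87.60.150 10.28.100.22 netmask 255.255.255.255
access-group 101 in interface Outside
"""

FIXED = """\
 nameif Outside
 ip address 207.87.60.150 255.255.255.248
access-list 101 extended permit tcp any interface Outside eq 3389
access-list 101 extended permit tcp any interface Outside eq 3400
global (Outside) 1 207.87.60.150
static (Inside,Outside) tcp interface 3389 10.28.100.22 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface 3400 10.28.100.22 3400 netmask 255.255.255.255
access-group 101 in interface Outside
"""
```

`lint(ORIGINAL)` returns three findings (no Outside IP, the static reusing the global address, and the `permit ip any any`); `lint(FIXED)` returns an empty list. Paste `show run` output straight in: the parser only looks at `nameif`, `ip address`, `object-group service`, `port-object`, `static`, `global`, `access-list` and `access-group` lines and skips the rest. It confirms the appliance side is self-consistent; it cannot tell you whether RDP is being blocked upstream, as Anthony suspects of the work VPN.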

Ajay,

Should I add an IP address there? I didn't because in Document ID: 63872, entitled "PIX/ASA 7.x: Port Redirection (Forwarding) with nat, global, static and access-list Commands," on page 2, below the section entitled "Allow Outbound Access," no IP address is assigned to the outbound interface. Do you have any other suggestions? Would it be possible to just open up all inbound ports?

Anthony

Ajay,

Hopefully you will read this. I did add the outside IP address to the interface, but I am still unable to access the inbound host. Should I just update the appliance?

Anthony

Paste me your latest config.
