12-19-2011 08:33 AM - edited 03-11-2019 03:03 PM
I have successfully been able to allow outbound access from inbound hosts on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT. What I need to do is to configure access to certain inbound hosts from outside. What's wrong with my running config? Below are the commands that I believe need to be changed from the configuration.
object-group service RDP tcp
port-object range 3389 3410
access-list 101 extended permit tcp any host 207.87.60.150 object-group RDP
access-list 101 extended permit ip any any
nat-control
global (Outside) 1 207.87.60.150
nat (Inside) 1 10.28.100.0 255.255.255.0
static (Inside,Outside) 207.87.60.150 10.28.100.22 netmask 255.255.255.255
access-group 101 in interface Outside
route Outside 0.0.0.0 0.0.0.0 207.87.60.149 1
12-19-2011 09:04 AM
Is this IP configured on your outside interface (207.87.60.150)?
12-19-2011 09:30 AM
Ajay,
Yes. That is the outside interface IP address. Now, regarding host 10.28.100.22, with inbound access for object-group RDP, that is just for testing inbound access.
12-19-2011 09:40 AM
Can you make these changes and try?
no static (Inside,Outside) 207.87.60.150 10.28.100.22 netmask 255.255.255.255
access-list 101 extended permit tcp any interface outside eq 3389
static (inside,Outside) tcp interface 3389 10.28.100.22 3389 netmask 255.255.255.255
Thanks
Ajay
12-19-2011 10:10 AM
Ajay,
I'll make these changes and let you know later in the day. By the way, there are some other ports that need to be open to another local host. Can I have open ports to multiple hosts? For example, I need to have telnet open on the inside IP address of another host. Is this possible with static PAT?
12-19-2011 10:17 AM
Yes, you can very well do it.
Just need to add more statements like:
static (inside,Outside) tcp interface www 10.28.100.23 www netmask 255.255.255.255
And allow it in the outside ACL.
Thanks
Ajay
12-19-2011 10:53 AM
Ajay,
Thanks. Can I use the same ACL name or number for the other inside hosts or do I need to enter a different ACL name or number, such as ACL 102 to open the ports for the other inside host?
Anthony
12-19-2011 11:20 AM
You can only have one ACL in one direction. Since you already have 101 on the outside interface, you just need to add more entries to allow communication. If I understood your question correctly, you mean to say more mapped ports to the outside interface?
Then yes, that ACL 101 will do.
access-list 101 extended permit tcp any interface outside eq 3389
Also, an object group can be used.
access-list 101 extended permit tcp any interface outside object-group
Better to use an object group if you are going to open multiple ports.
Thanks
Ajay
12-19-2011 11:42 AM
Ajay,
I believe that you have answered my question. What I meant is that I have another inside host, let's say its IP address is 10.28.100.23, and I need to be able to have telnet open; so, if I am interpreting your response correctly, I can just add another access list entry to access-list 101. For example, I could add after the first access list entry:
access-list 101 extended permit tcp any interface Outside eq 23
Next, the appropriate static translation for this IP address and port should be the following:
static (Inside,Outside) tcp interface 23 10.28.100.23 23 netmask 255.255.255.255
I hope that I made the correct assumption.
Anthony
12-19-2011 11:56 AM
That's correct!
12-19-2011 02:19 PM
Ajay,
I had changed the default RDP port on the local host to port 3400, which explains why I had to leave the static and access-list entries for that port as they were. I have been trying to remote to the local host from an outside network, but I am still having no luck. I believe that RDP outbound may be blocked on the VPN network at work where I have been trying to remote to the local host.
Would you please just look at the complete configuration of the appliance and let me know whether there are any additional problems and whether the changes I have made are complete.
Anthony
asdm image disk0:/asdm-508.bin
asdm location 10.28.100.22 255.255.255.255 Inside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname dcc-asa
domain-name default.domain.invalid
enable password encrypted
passwd encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
no ip address
!
interface GigabitEthernet0/1
nameif Inside
security-level 10
ip address 10.28.100.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
object-group service RDP tcp
port-object range 3389 3410
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any interface Outside eq 3389
access-list 101 extended permit tcp any interface Outside eq 3400
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 207.87.60.150
nat (Inside) 1 10.28.100.0 255.255.255.0
static (Inside,Outside) tcp interface 3389 10.28.100.22 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface 3400 10.28.100.22 3400 netmask 255.255.255.255
access-group 101 in interface Outside
route Outside 0.0.0.0 0.0.0.0 207.87.60.149 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password tFn1CkZYLaQnGOOs encrypted privilege 15
http server enable
http 10.28.100.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.28.100.70-10.28.100.254 Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 65.106.1.196 65.106.7.196
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable Inside
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:0df74e4074761a32da84a1c0c8caef42
: end
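As an added example (not from this thread or from Cisco), a small Python audit that applies the rule Ajay describes, one inbound ACL entry per static PAT mapping, to a constructed config modelled on the one posted above, with the telnet mapping for 10.28.100.23 discussed earlier added but never given its ACL entry. It flags a mapped port with no matching permit, an inbound ACL that also carries `permit ip any any`, and an outside interface used with the `interface` keyword while it has `no ip address`; the regexes only cover the PIX/ASA 7.x `static`/`access-list` syntax shown in this thread.

```python
import re

# Constructed excerpt modelled on the ASA 7.0(8) config posted above, plus the telnet
# mapping for 10.28.100.23 discussed earlier, which never received its ACL entry.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 no ip address
access-list 101 extended permit ip any any
access-list 101 extended permit tcp any interface Outside eq 3389
access-list 101 extended permit tcp any interface Outside eq 3400
static (Inside,Outside) tcp interface 3389 10.28.100.22 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface 3400 10.28.100.22 3400 netmask 255.255.255.255
static (Inside,Outside) tcp interface 23 10.28.100.23 23 netmask 255.255.255.255
access-group 101 in interface Outside
"""

STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) tcp interface (\w+) (\S+) (\w+) netmask", re.I)
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any (.*)$", re.I)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$", re.I)

def audit_static_pat(config):
    # statics: (outside_if, mapped_port) -> inside host:port; permits: acl -> {(if, port)}
    statics, permits, broad, inbound, noaddr, cur = {}, {}, set(), {}, set(), None
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            statics[(m[1].lower(), m[2])] = f"{m[3]}:{m[4]}"
        elif m := ACL_RE.match(line):
            name, proto, rest = m[1], m[2].lower(), m[3].strip()
            if eq := re.match(r"interface (\w+) eq (\w+)$", rest, re.I):
                permits.setdefault(name, set()).add((eq[1].lower(), eq[2]))
            elif proto == "ip" and rest == "any":
                broad.add(name)  # 'permit ip any any' applied inbound
        elif m := GROUP_RE.match(line):
            inbound[m[2].lower()] = m[1]
        elif m := re.match(r"^nameif (\w+)$", line, re.I):
            cur = m[1].lower()  # remember which named interface we are inside
        elif line.lower() == "no ip address" and cur:
            noaddr.add(cur)
        elif line == "!" or line.lower().startswith("interface "):
            cur = None
    findings = []
    for (ifname, port), target in sorted(statics.items()):
        acl = inbound.get(ifname)
        if acl is None or (ifname, port) not in permits.get(acl, set()):
            findings.append(f"{ifname}:{port} -> {target}: no matching 'permit tcp any interface {ifname} eq {port}' in inbound ACL")
    for ifname, acl in inbound.items():
        if acl in broad:
            findings.append(f"{acl} on {ifname} has 'permit ip any any': per-port entries are redundant and every static translation is exposed")
    for ifname in sorted({i for i, _ in statics} & noaddr):
        findings.append(f"{ifname}: static PAT uses the 'interface' keyword but {ifname} has no ip address")
    return findings
```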
12-20-2011 10:24 AM
interface GigabitEthernet0/0
nameif Outside
security-level 0
no ip address
Not sure why 207.87.60.150 is not configured here?
Thanks
Ajay
12-20-2011 12:34 PM
Ajay,
Should I add an IP address there? I didn't because in Document ID: 63872, entitled "PIX/ASA 7.x: Port Redirection (Forwarding) with nat, global, static and access-list Commands," on page 2, below the section entitled "Allow Outbound Access," no IP address is assigned to the outbound interface. Do you have any other suggestions? Would it be possible to just open up all inbound ports?
Anthony
12-22-2011 02:24 PM
Ajay,
Hopefully you will read this. I did add the outside IP address to the interface, but I am still unable to access the inbound host. Should I just update the appliance?
Anthony
12-22-2011 11:32 PM
Paste me your latest config.