540 Views, 0 Helpful, 3 Replies

help w/ port forwarding on 5505

Richard Langly
Level 1

I have the following configuration in my ASA 5505 and I'm having problems connecting with other players on my XBox (moderate NAT).

I think my problem is that I need to forward ports tcp:3074, udp:3074, and udp:88 to my xbox which is at 192.168.2.50 (vlan 3 below).

Could anyone help w/ this?

[code]
# sh run
: Saved
:
ASA Version 8.4(4)1
!
hostname genesis
enable password 6SENS23lWMa10SSIA encrypted
passwd 6SENS23lWMa10SSIA encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description Wired Network
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description Comcast WAN
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 description Wireless 802.11n
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
banner motd
boot system disk0:/asa844-1-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.87.85.98
 name-server 68.87.69.146
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list ACL_IN extended permit ip any any
access-list WAN_IN extended permit udp any eq domain any
pager lines 24
logging enable
logging timestamp
logging trap errors
logging asdm informational
logging host inside 192.168.1.200
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (dmz,outside) source dynamic any interface
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group ACL_IN out interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 68.87.58.98 68.86.69.146
dhcpd lease 43200
!
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 24.56.178.140 source inside
webvpn
username myName password QHA6sf25jCukcu7c encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:77681e92c2ef5a97a5c2f91be78cb3c6
: end
[/code]

3 Replies

varrao
Level 10

Hi Richard,

You can try this NAT:

> ...ports tcp:3074, udp:3074, and udp:88 to my xbox which is at 192.168.2.50

[code]
object service tcp_3074
 service tcp destination eq 3074
object service udp_3074
 service udp destination eq 3074
object service udp_88
 service udp destination eq 88
object network obj-192.168.2.50
 host 192.168.2.50
nat (outside,dmz) source static any any destination static interface obj-192.168.2.50 service tcp_3074 tcp_3074
nat (outside,dmz) source static any any destination static interface obj-192.168.2.50 service udp_3074 udp_3074
nat (outside,dmz) source static any any destination static interface obj-192.168.2.50 service udp_88 udp_88
access-list outside_access_in permit tcp any host 192.168.2.50 eq 3074
access-list outside_access_in permit udp any host 192.168.2.50 eq 3074
access-list outside_access_in permit udp any host 192.168.2.50 eq 88
access-list outside_access_in in interface outside
[/code]

Hope this helps.

Thanks,
Varun Rao
Security Team,
Cisco TAC


Thanks Varun,

I'm going to assume that the last line is really ...

     access-group outside_access_in in interface outside

Oooopps, I'm sorry, yup you got it right.

Thanks,
Varun Rao
Security Team,
Cisco TAC

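The snippet Varun posted has three parts that all have to agree before a port forward works on an ASA 8.4: the service/network objects, the twice-NAT rules, and an ACL that permits the translated traffic, bound to the outside interface with `access-group`. The follow-up in this thread shows how easily the last step is lost (an `access-list ... in interface outside` line is accepted-looking but binds nothing). As an added example, not code from the thread or from Cisco, the Python below parses a snippet in that style and reports NAT rules with no matching ACL permit and ACLs that are never bound with `access-group`. The sample configuration inside it is constructed from the thread's suggestion, typo included; the regexes cover only the command forms used there.

```python
"""
Cross-check an ASA 8.4-style port-forward snippet: every twice-NAT rule that
maps an outside port to a dmz/inside host needs a matching ACL permit, and that
ACL must be bound to the outside interface with `access-group`. A NAT rule
without the permit, or a permit whose ACL is never bound, leaves the port
closed even though the NAT table looks right. Added example, not the thread's code.
"""
import re
from collections import namedtuple

ServiceObj = namedtuple("ServiceObj", "proto port")
Forward = namedtuple("Forward", "proto port host")
NatRule = namedtuple("NatRule", "outside_if inside_if host_obj real_svc")

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static any any "
                    r"destination static interface (\S+) service (\S+) (\S+)$")
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit (tcp|udp) any host (\S+) eq (\d+)$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")
# The slip from the thread: an access-group line typed as access-list binds nothing.
BAD_GROUP_RE = re.compile(r"access-list (\S+) in interface (\S+)$")

# Constructed sample, modelled on the snippet suggested in the thread (typo included).
SAMPLE_CONFIG = """\
object service tcp_3074
 service tcp destination eq 3074
object service udp_3074
 service udp destination eq 3074
object service udp_88
 service udp destination eq 88
object network obj-192.168.2.50
 host 192.168.2.50
nat (outside,dmz) source static any any destination static interface obj-192.168.2.50 service tcp_3074 tcp_3074
nat (outside,dmz) source static any any destination static interface obj-192.168.2.50 service udp_3074 udp_3074
nat (outside,dmz) source static any any destination static interface obj-192.168.2.50 service udp_88 udp_88
access-list outside_access_in permit tcp any host 192.168.2.50 eq 3074
access-list outside_access_in permit udp any host 192.168.2.50 eq 3074
access-list outside_access_in permit udp any host 192.168.2.50 eq 88
access-list outside_access_in in interface outside
"""
# Same snippet with the binding corrected, as the thread's follow-up confirms.
FIXED_CONFIG = SAMPLE_CONFIG.replace("access-list outside_access_in in interface outside",
                                     "access-group outside_access_in in interface outside")


def parse_config(text):
    """Collect service/network objects, twice-NAT rules, ACL permits and bindings."""
    cfg = {"services": {}, "hosts": {}, "nat": [], "acl": [], "bound": {}, "typos": []}
    block = None  # ("service" | "network", name) while inside an object definition
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"object (service|network) (\S+)$", line)
        if m:
            block = (m.group(1), m.group(2))
            continue
        if block and block[0] == "service":
            m = re.match(r"service (tcp|udp) destination eq (\d+)$", line)
            if m:
                cfg["services"][block[1]] = ServiceObj(m.group(1), int(m.group(2)))
                continue
        if block and block[0] == "network":
            m = re.match(r"host (\S+)$", line)
            if m:
                cfg["hosts"][block[1]] = m.group(1)
                continue
        block = None  # anything else is a top-level command and ends the object block
        if m := NAT_RE.match(line):
            cfg["nat"].append(NatRule(m.group(1), m.group(2), m.group(3), m.group(4)))
        elif m := ACL_RE.match(line):
            cfg["acl"].append((m.group(1), Forward(m.group(2), int(m.group(4)), m.group(3))))
        elif m := GROUP_RE.match(line):
            cfg["bound"][m.group(1)] = m.group(2)
        elif BAD_GROUP_RE.match(line):
            cfg["typos"].append(line)
    return cfg


def check_port_forwards(text):
    """Return a list of problems; an empty list means NAT, ACL and binding agree."""
    cfg = parse_config(text)
    problems = [f"'{t}' binds nothing: use access-group, not access-list" for t in cfg["typos"]]
    for rule in cfg["nat"]:
        svc = cfg["services"].get(rule.real_svc)
        host = cfg["hosts"].get(rule.host_obj)
        if svc is None or host is None:
            problems.append(f"NAT rule references undefined object {rule.real_svc} or {rule.host_obj}")
            continue
        want = Forward(svc.proto, svc.port, host)
        names = {name for name, fwd in cfg["acl"] if fwd == want}
        if not names:
            problems.append(f"no ACL permits {want.proto}/{want.port} to {want.host}")
        elif not any(cfg["bound"].get(n) == rule.outside_if for n in names):
            problems.append(f"ACL {'/'.join(sorted(names))} permits {want.proto}/{want.port} "
                            f"to {want.host} but is not bound to {rule.outside_if} with access-group")
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"{label}: {check_port_forwards(text) or ['OK']}")
```

Run as posted, the checker reports the unbound `access-list ... in interface outside` line plus one "not bound" finding per NAT rule; with the `access-group` line in place it reports nothing. The same check catches the other common slip, a NAT rule added without its ACL permit, which on the ASA fails silently because the outside interface denies inbound traffic by default.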