How do I open ports on ASA 5505?

pershingit
Level 1

Hello,

I am new to the Cisco model so excuse my lack of wisdom with this product.  I work for a small rural Hospital and we need to FTP a report once a month to a clearing house.  Problem is I can't FTP their site, I can others but not theirs.  I was told that it was because I didn't have the correct ports open for their transmission.  I was told that I needed 20,21,22 (possibly) and all ports above 1023 available.  I thought I had that setup through my ASDM configuration but I still can't get connected.  If I try to trace the packet it works fine on the inside test but if I run it from outside it always goes back to the implicit rule to block IP.  What am I missing?  I can provide screen shots of whatever is needed.  I know the site works as I was able to connect to it from my home last night.

Thanks for your help!

15 Replies

Magnus Mortensen
Cisco Employee

Scott,

I just took a second look at the .doc you provided at the start. The screenshot you posted shows a packet tracer attempt of a packet:

- coming in the outside interface

- coming from source 150.199.100.225 port 21

- destined to 204.13.92.99 on port 21

This traffic flow doesn't make too much sense as you would never see packets to *and* from port 21...

The implicit rule error you are seeing in the output is because you are testing a packet coming in destined to 204.13.92.99. A packet destined to 204.13.92.99 would never come *in* the outside interface since 204.13.92.99 is the FTP server you are trying to get to on the internet. The 'implicit rule' you are hitting is the firewall denying traffic from hairpinning on the outside interface (if a packet came 'in' the outside destined to 204.13.92.99, the firewall would have to bounce it right back out the outside interface toward your ISP, wouldn't it...)

In order to get a valid packet tracer output please select the following options in the GUI:

Interface: INSIDE

Source IP: the IP address of the machine you are FTP'ing *from* (get this from 'ipconfig' on the machine)

Source Port: 12345

Destination IP:  204.13.92.99

Destination Port: 21

Or you can get this from the CLI with the following:

packet-tracer input inside tcp <inside-host-ip> 12345 204.13.92.99 21 detailed

(replace <inside-host-ip> with the address of the machine you are FTP'ing from)

- Magnus
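The following is an added walkthrough of the outbound check Magnus describes, not commands from anyone in the thread. The FTP server address 204.13.92.99 and the outside address 150.199.100.225 come from the post; the inside host 192.168.1.50, the interface names inside/outside, and the sample output lines are assumptions for illustration. It also shows why the "all ports above 1023" advice does not translate into an inbound rule on an ASA: the FTP inspection engine opens the data channel on demand.

```cisco
! Added example (not from the thread). Assumed: inside host 192.168.1.50,
! interfaces named inside (100) and outside (0). Sample output is illustrative.

! 1. Inside (security 100) to outside (security 0) is permitted by default,
!    so an outbound FTP control connection needs no "open port" rule.
ciscoasa# show nameif
Interface                Name                     Security
Vlan1                    inside                   100
Vlan2                    outside                    0

! 2. Check whether an access-group bound to the inside interface has
!    replaced the implicit permit. If one is bound there, it must allow
!    tcp/21 (and tcp/22 if SFTP is used) from the inside host outbound.
ciscoasa# show running-config access-group
access-group outside_access_in in interface outside
! (nothing bound "in interface inside" = implicit permit still applies)

! 3. Confirm FTP inspection is in the global policy. The inspector watches
!    the PORT/PASV exchange on tcp/21 and opens the data channel (tcp/20
!    active, or the high port in passive mode) dynamically, so the
!    ">1023" ports never need a static inbound rule.
ciscoasa# show running-config policy-map
policy-map global_policy
 class inspection_default
  inspect ftp
  ...
ciscoasa# show service-policy inspect ftp

! 4. The trace that produced the implicit deny in the screenshot: a packet
!    entering the outside interface, addressed to the internet server,
!    would have to hairpin back out the outside interface.
ciscoasa# packet-tracer input outside tcp 150.199.100.225 21 204.13.92.99 21

! 5. The trace that matches the real flow: from the inside host on an
!    ephemeral source port to the server's control port, entering inside.
ciscoasa# packet-tracer input inside tcp 192.168.1.50 12345 204.13.92.99 21 detailed

! 6. If the trace reports ALLOW but the transfer still stalls, watch the
!    connection table while the client runs. Both the control channel
!    (port 21) and the inspector-created data channel should appear.
ciscoasa# show conn address 204.13.92.99
```

Two caveats when reading the results: the inside-to-outside trace also exercises the NAT rules, whose syntax differs between ASA 8.2 and 8.3+, so a NAT phase marked DROP points at translation rather than at access rules; and if the clearing house requires SFTP (tcp/22) rather than FTP, step 3 does not apply, since SFTP uses a single connection and no inspection engine.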
