Open a port 9933 in ASA 5505 Firewall

shameem05
Level 1

Hi. I have Cisco ASDM 6.1 for an ASA 5505. I would just like to open TCP/UDP port 9933 in the ASA 5505 firewall so that our Primary Domain Controller could use this port to sync time with an external time source. We have already added an access rule for this port under the firewall configuration in ASDM 6.1, and this port was also allowed in the inbound and outbound rules of the firewall, but it seems that it was still blocked. Is there something else we are missing in the configuration?

Any help appreciated.

Shameem

14 Replies

Marvin Rhoads
Hall of Fame

Do you have a network address translation (NAT) rule in place? If you could share your running configuration, it would be easier to look at that.

Hi Marvin,

Thank you for the answer. Yes, I have network address translation (NAT) rules.

The configuration would look something like the following:

ASA Version 8.0(4) 
!
terminal width 511
hostname asa5505
................
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 208.109.126.196 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 ......................
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any any eq ftp-data 
access-list outside_access_in extended permit tcp any any eq ftp 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list outside_access_in extended permit tcp any any eq 42 
access-list outside_access_in extended permit udp any any eq nameserver 
access-list outside_access_in extended permit tcp any any eq domain 
access-list outside_access_in extended permit udp any any eq domain 
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in extended permit tcp any any eq pop3 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp any any eq 465 
access-list outside_access_in extended permit tcp any any eq 587 
access-list outside_access_in extended permit tcp any any eq 995 
access-list outside_access_in extended permit tcp any any eq 993 
access-list outside_access_in extended permit tcp any any eq 3389 
access-list outside_access_in extended permit tcp any any eq 8443 
access-list outside_access_in extended permit tcp any any eq 2006 
access-list outside_access_in extended permit tcp any any eq 8447 
access-list outside_access_in extended permit tcp any any eq 9999 
access-list outside_access_in extended permit tcp any any eq 2086 
access-list outside_access_in extended permit tcp any any eq 2087 
access-list outside_access_in extended permit tcp any any eq 2082 
access-list outside_access_in extended permit tcp any any eq 2083 
access-list outside_access_in extended permit tcp any any eq 2096 
access-list outside_access_in extended permit tcp any any eq 2095 
access-list outside_access_in extended permit tcp any any eq 8880 
access-list outside_access_in extended permit tcp any any eq telnet 
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended deny tcp any any eq imap4 
access-list outside_access_in extended permit tcp any any eq 1433 
access-list outside_access_in extended deny tcp any any eq 3306 
access-list outside_access_in extended permit tcp any any eq 9080 
access-list outside_access_in extended deny tcp any any eq 9090 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any source-quench 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit tcp any any eq 8080 
access-list outside_access_in extended permit udp any any eq 8080 
access-list outside_access_in extended permit udp any any eq www 
access-list outside_access_in extended permit udp any any eq 9933 
access-list outside_access_in extended permit tcp any any eq 9933 
access-list outside_access_in extended permit object-group TCPUDP any any eq 9933 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp any any eq www 
access-list inside_access_in extended permit udp any any 
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
static (inside,outside) 208.109.123.62 10.0.0.1 netmask 255.255.255.255 
static (inside,outside) 208.109.123.105 10.0.0.2 netmask 255.255.255.255 
static (outside,outside) 10.0.0.2 208.109.123.105 netmask 255.255.255.255 
static (outside,inside) 10.0.0.1 208.109.123.62 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.109.123.254 1
route outside 0.0.0.0 255.255.255.0 208.109.123.254 1
route outside 208.109.96.4 255.255.255.255 208.109.123.254 1
route outside 208.109.188.4 255.255.255.255 208.109.123.254 1
route outside 216.69.160.4 255.255.255.255 208.109.123.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL 
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username trueformgames password gQaHEpCaaJ92JBB1 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
.................
: end

Regards,

Shameem

Which IP represents your domain controller in your configuration?

--

Please remember to rate and select a correct answer


Hi Marius,

Thank you for the answer. I am using 208.109.123.62 for the configuration.

Regards,

Shameem

"static (inside,outside) 208.109.123.62 10.0.0.1 netmask 255.255.255.255"

Well, you are NATing all ports to 10.0.0.1 as per the above statement.

Now, is 9933 a port you have chosen to use on your internal network or is that what the external time source has instructed you to use?  I ask this because normally NTP uses port UDP 123 to communicate over.

--

Please remember to rate and select a correct answer


Hi Marius,

Thank you for the answer. I am accessing this IP from outside and it is working, and every port is working, but 9933 is not working.

Regards,

Shameem

As I mentioned in my earlier post NTP by default uses port UDP 123.  So my question is, did the external time source instruct you to use port 9933 or is this a port you have personally chosen to use?

Unless the external time source has instructed you to use port 9933 then you will need to either use port 123 or translate port 123 to 9933 using PAT.

--

Please remember to rate and select a correct answer

Hi Marius,

Thank you for the response. I am not using port 9933 from outside. It is not working via telnet (208.x.x.x 9933). I require this port 9933 to establish a TCP/UDP connection to a remote host.

Regards,

Shameem

If you do a packet trace on the ASA, is the packet allowed?  Could you post the output here, please?

packet-tracer input outside tcp 4.2.2.2 9933 208.109.123.62 9933

--

Please remember to rate and select a correct answer


Hi Marius,

Thank you for the response. I am sending packet-tracer input outside tcp 4.2.2.2 9933 208.109.123.62 9933 and 10.0.0.1 9933 208.109.123.62 9933.

Regards,

Shameem

Please issue the following packet tracer:

packet-tracer input outside tcp 4.2.2.2 9933 10.0.0.1 9933

as well as

packet-tracer input inside tcp 10.0.0.1 9933 4.2.2.2 9933

--

Please remember to select a correct answer and rate


Hi Marius,

Thank you for the response. I am sending packet-tracer input inside tcp 10.0.0.1 9933 4.2.2.2 9933.

Regards

Shameem

Hi,

The reason I asked you to run the following trace again with different destination IP:

packet-tracer input outside tcp 4.2.2.2 9933 10.0.0.1 9933

is because the first trace you posted showed the input and output interface to be the outside interface.  I wanted to see what the result of that command would show.

But as for the inside to outside, the traffic is permitted.

--

Please remember to select a correct answer and rate

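Added here as an illustration of the packet-tracer reasoning in this thread; it is not code from the thread or from Cisco. It parses a constructed excerpt of the configuration posted above (the 9933 ACEs, the inside ACL, the statics and the access-group bindings) and applies first-match ACL semantics plus static untranslation, giving the same verdict the box does: inbound TCP/UDP 9933 to 208.109.123.62 is permitted and lands on 10.0.0.1, and inside-to-outside flows such as NTP on UDP 123 are permitted by the permit ip any any ACE.

```python
import re
# Constructed excerpt of the configuration posted in this thread: only the
# lines that decide the fate of a port 9933 flow (other ACEs omitted).
CONFIG = """
access-list outside_access_in extended permit udp any any eq 9933
access-list outside_access_in extended permit tcp any any eq 9933
access-list outside_access_in extended deny tcp any any eq 3306
access-list inside_access_in extended permit ip any any
static (inside,outside) 208.109.123.62 10.0.0.1 netmask 255.255.255.255
static (inside,outside) 208.109.123.105 10.0.0.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) any any(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse(config):
    """Collect ACEs per ACL (in order), the static NAT map and ACL bindings."""
    aces, statics, groups = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACE_RE.match(line):
            aces.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := STATIC_RE.match(line):
            statics[m[1]] = m[2]  # mapped (public) address -> real inside host
        elif m := GROUP_RE.match(line):
            groups[m[2]] = m[1]   # interface -> ACL applied inbound there
    return aces, statics, groups

def check(config, in_iface, proto, dst_ip, dst_port):
    """Verdict packet-tracer gives a new flow arriving on in_iface: first
    matching ACE wins, no match is implicit deny, and a flow to a static's
    mapped address is untranslated to the real host (any/any ACEs here)."""
    aces, statics, groups = parse(config)
    action = "deny"  # implicit deny at the end of every applied ACL
    for verdict, p, port in aces.get(groups.get(in_iface), []):
        if p in (proto, "ip") and (port is None or port == str(dst_port)):
            action = verdict
            break
    real_dst = statics.get(dst_ip, dst_ip) if in_iface == "outside" else dst_ip
    return action, real_dst

if __name__ == "__main__":
    for flow in [("outside", "tcp", "208.109.123.62", 9933),
                 ("outside", "udp", "208.109.123.62", 9933),
                 ("inside", "udp", "4.2.2.2", 123)]:
        print(flow, "->", check(CONFIG, *flow))
```

Because the firewall side comes out as permit in both directions, the remaining places to look are the ones the next reply names: the host firewall and whether anything on 10.0.0.1 is actually listening on 9933.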

sahilseth88
Level 1

Hi Shameem,

Hope you are doing great.

Please check if you have an access list in place on the Windows Server firewall to allow inbound connections for TCP port 9933; check both inbound and outbound rules.

Also, if you are using some application which uses non-standard ports like TCP 9933, and if you already have a running application on the server which is using TCP port 9933, and if the option is to bind with 10.0.0.1, as the ARP on the ASA will be for IP 10.0.0.1.

For troubleshooting on the server, run netstat -ap tcp to print the list of listening TCP ports. Confirm if you have a socket like: TCP     10.0.0.1:9933     Listening

Then try to telnet to 208.109.123.62 9933 from the internet to test and share how it goes.

Regards,

Sahil Seth