Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Open a port 9933 in ASA 5505 Firewall

Hi. I have Cisco ASDM 6.1 For an ASA 5505  .  I would just like to to open TCP/UDP port 9933 in the ASA 5505 Firewall so that our Primary Domain Controller could use this port to sync time with an external time source. We have already added an access rule for this port under the firewall configuration in ASDM 6.1 and this port was also allowed in the inbound and outbound rule of the Firewall but it seems that it was still blocked. Is there something else we are missing with the configuration? 

Any help appreciated.

 

Shameem

2 ACCEPTED SOLUTIONS

Accepted Solutions
VIP Green

Which IP represents you

Which IP represents you domain controller in your configuration?

--

Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
VIP Green

Hi,The reason I asked you to

Hi,

The reason I asked you to run the following trace again with different destination IP:

packet-tracer input outside tcp 4.2.2.2 9933 10.0.0.1 9933

is because the first trace you posted showed the input and output interface to be the outside interface.  I wanted to see what the result of that command would show.

But as for the inside to outside, the traffic is permitted.

--

Please remember to select a correct answer and rate

--

Please remember to rate and select a correct answer
14 REPLIES
Hall of Fame Super Silver

Do you have a network address

Do you have a network address translation (NAT) rule in place? If you could share your running configuration, it would be easier to look at that.

New Member

 Hi Mavin,Thank you for the

 

Hi Mavin,

Thank you for the answer . yes i have network address translate(NAT) rules. 

The configuration would look something like the following:

 

ASA Version 8.0(4) 
!
terminal width 511
hostname asa5505
................
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 208.109.126.196 255.255.255.0 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
 ......................
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit tcp any any eq ftp-data 
access-list outside_access_in extended permit tcp any any eq ftp 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list outside_access_in extended permit tcp any any eq 42 
access-list outside_access_in extended permit udp any any eq nameserver 
access-list outside_access_in extended permit tcp any any eq domain 
access-list outside_access_in extended permit udp any any eq domain 
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in extended permit tcp any any eq pop3 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp any any eq 465 
access-list outside_access_in extended permit tcp any any eq 587 
access-list outside_access_in extended permit tcp any any eq 995 
access-list outside_access_in extended permit tcp any any eq 993 
access-list outside_access_in extended permit tcp any any eq 3389 
access-list outside_access_in extended permit tcp any any eq 8443 
access-list outside_access_in extended permit tcp any any eq 2006 
access-list outside_access_in extended permit tcp any any eq 8447 
access-list outside_access_in extended permit tcp any any eq 9999 
access-list outside_access_in extended permit tcp any any eq 2086 
access-list outside_access_in extended permit tcp any any eq 2087 
access-list outside_access_in extended permit tcp any any eq 2082 
access-list outside_access_in extended permit tcp any any eq 2083 
access-list outside_access_in extended permit tcp any any eq 2096 
access-list outside_access_in extended permit tcp any any eq 2095 
access-list outside_access_in extended permit tcp any any eq 8880 
access-list outside_access_in extended permit tcp any any eq telnet 
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended deny tcp any any eq imap4 
access-list outside_access_in extended permit tcp any any eq 1433 
access-list outside_access_in extended deny tcp any any eq 3306 
access-list outside_access_in extended permit tcp any any eq 9080 
access-list outside_access_in extended deny tcp any any eq 9090 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any source-quench 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit tcp any any eq 8080 
access-list outside_access_in extended permit udp any any eq 8080 
access-list outside_access_in extended permit udp any any eq www 
access-list outside_access_in extended permit udp any any eq 9933 
access-list outside_access_in extended permit tcp any any eq 9933 
access-list outside_access_in extended permit object-group TCPUDP any any eq 9933 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp any any eq www 
access-list inside_access_in extended permit udp any any 
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
static (inside,outside) 208.109.123.62 10.0.0.1 netmask 255.255.255.255 
static (inside,outside) 208.109.123.105 10.0.0.2 netmask 255.255.255.255 
static (outside,outside) 10.0.0.2 208.109.123.105 netmask 255.255.255.255 
static (outside,inside) 10.0.0.1 208.109.123.62 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.109.123.254 1
route outside 0.0.0.0 255.255.255.0 208.109.123.254 1
route outside 208.109.96.4 255.255.255.255 208.109.123.254 1
route outside 208.109.188.4 255.255.255.255 208.109.123.254 1
route outside 216.69.160.4 255.255.255.255 208.109.123.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL 
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username trueformgames password gQaHEpCaaJ92JBB1 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
.................
: end

 

Regards,

Shameem

VIP Green

Which IP represents you

Which IP represents you domain controller in your configuration?

--

Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
New Member

Hi Marius,Thank you for the

Hi Marius,

Thank you for the answer. I am using 208.109.123.62 for the configuration .

Regards,

Shameem

VIP Green

"static (inside,outside) 208

"static (inside,outside) 208.109.123.62 10.0.0.1 netmask 255.255.255.255"

Well you are NATing all ports to 10.0.0.1 as per the above statement.

Now, is 9933 a port you have chosen to use on your internal network or is that what the external time source has instructed you to use?  I ask this because normally NTP uses port UDP 123 to communicate over.

--

Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
New Member

Hi Marius,Thank you for the

Hi Marius,

Thank you for the answer.I am access outside this Ip and Its working and every Ports are working But 9933 is not working. 

Regards,

Shameem

VIP Green

As I mentioned in my earlier

As I mentioned in my earlier post NTP by default uses port UDP 123.  So my question is, did the external time source instruct you to use port 9933 or is this a port you have personally chosen to use?

Unless the external time source has instructed you to use port 9933 then you will need to either use port 123 or translate port 123 to 9933 using PAT.

--

Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
New Member

 Hi Marius,Thank you for

 

Hi Marius,

Thank you for response. I am not using port 9933 from outside. Its not working via telnet(208.x.x.x 9933) . i have required this Port 9933 for establish a TCP/UDP connection to a remote host.

Regards,

Shameem 

 

VIP Green

If you do a packet trace on

If you do a packet trace on the ASA is the packet allowed?  Could you post the output here please.

packet-tracer input outside tcp 4.2.2.2 9933 208.109.123.62 9933

--

Please remember to rate and select a correct answer

--

Please remember to rate and select a correct answer
New Member

Hi Marius,Thank you for

Hi Marius,

Thank you for response. I am sending Packet - tracer input outside TCP 4.2.2.2 9933 208.109.123.62 9933 and 10.0.0.1 9933 208.109.123.62 9933.

 

Regards,

Shameem

 

 

VIP Green

Please issue the following

Please issue the following packet tracer:

packet-tracer input outside tcp 4.2.2.2 9933 10.0.0.1 9933

as well as

packet-tracer input inside tcp 10.0.0.1 9933 4.2.2.2 9933

--

Please remember to select a correct answer and rate

--

Please remember to rate and select a correct answer
New Member

Hi Marius,Thank you for

Hi Marius,

Thank you for response . i am sending packet- tracer input inside tcp 10.0.0.1 9933 4.2.2.2 9933.

Regards

Shameem

 

 

VIP Green

Hi,The reason I asked you to

Hi,

The reason I asked you to run the following trace again with different destination IP:

packet-tracer input outside tcp 4.2.2.2 9933 10.0.0.1 9933

is because the first trace you posted showed the input and output interface to be the outside interface.  I wanted to see what the result of that command would show.

But as for the inside to outside, the traffic is permitted.

--

Please remember to select a correct answer and rate

--

Please remember to rate and select a correct answer
New Member

Hi Shameem,Hope you are doing

Hi Shameem,

Hope you are doing great.

Please check if you have access list in place on Windows Server Firewall to allow Inbound connection for TCP port 9933 check both directions Inbound and Outbound rules.

Also, if you are using some application which is using non standard ports like TCP 9933 and if you already have running application on Server which is using port TCP 9933 and if option bind with 10.0.0.1 as ARP on ASA will be for IP 10.0.0.1.

For tshoot on Server run netstat -ap tcp to take print for list of system TCP port listening. Confirm if you have socket like: TCP     10.0.0.1:9933     Listening

Then try to telnet on 208.109.123.62 9933 from internet to test and share how it goes.

Regards,

Sahil Seth

 

 

1505
Views
5
Helpful
14
Replies
CreatePlease to create content