Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Opening up a port in ASA5505

Hi!

I have an ASA5505 running 8.2(5) and it works fine with a simple config (thanks JF). However, behind it, a NAS is set to download stuff automatically somehow using port 51413. It seems this has stopped working.

How do I open that port to a specific internal IP?

D

Everyone's tags (2)
8 REPLIES
Super Bronze

Opening up a port in ASA5505

Hi,

So are you saying that something is going to connect to one of your internal network devices with the destination port TCP/51413 from the external network?

Also, do you mean that it has stopped working during the time the ASA has been in use or do you perhaps mean that you had some other device in use instead of the ASA when it worked and after switching to ASA it stopped working?

Typically if you have one public IP address usable (which is configured on the ASA interface) then you would use a Static PAT configuration (Port Forward)

Its configuration format is basically the following

static (inside,outside) tcp interface netmask 255.255.255.255

The above (when filled with the correct IP/port information should enable access from the external network to your internal host on the specified port. For multiple ports you have to make similiar configuration for each. Above also presumes that your interfaces are called "inside" and "outside"

You will naturally also require an ACL rule on the "outside" interface that will allow the traffic to your public IP address on the mentioned destination port.

- Jouni

New Member

Opening up a port in ASA5505

Hi!

OK, I have more info: t is a Bittorrent client on a Readynas. With this plain config (below) I was thinking it would work, but no.

I can only find guides to block .torrent, how about the opposite?

D

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

description WAN

switchport access vlan 2

!

interface Ethernet0/1

description LAN

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.1.10 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

access-list INSIDE-IN remark Allow all traffic from LAN

access-list INSIDE-IN extended permit ip 10.0.1.0 255.255.255.0 any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (inside) 1 10.0.1.0

global (outside) 1 interface

nat (inside) 1 10.0.1.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

access-group INSIDE-IN in interface inside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.0.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 195.67.199.15 195.67.199.16

!

dhcpd address 10.0.1.65-10.0.1.95 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:b28d2a8848db95e9836702a28b692078

: end

no asdm history enable

Super Bronze

Opening up a port in ASA5505

Hi,

Your current configuration enabled any connection to be formed from LAN to WAN because you have a Dynamic PAT configuration for the  internal network . Also all traffic is allowed.

However, if something/someone needs to be able to initiate connection to some host on your internal network then you need to configure Static PAT (Port Forward)

If something is not getting through the external network and you are not sure what to allow you can always monitor the logs through ASDM Monitor/Logging section and see what connections are initiated and blocked by your firewall.

If you know what ports you need to forward to the internal host then you can use the above mentioned Static PAT configuration format to make your configurations and after that configure ACL on the "outside" interface to allow the traffic.

Again, For TCP or UDP the configuration formats for Static PAT could be

static (inside,outside) tcp interface 10.0.1.x netmask 255.255.255.255

static (inside,outside) udp interface 10.0.1.x netmask 255.255.255.255

- Jouni

New Member

Opening up a port in ASA5505

Embarrasing question time: can I filter the log so it shows only one source IP?

D

Super Bronze

Opening up a port in ASA5505

Hi,

If you go to ASDM -> Monitoring -> Logging and open the log window from the View -button then you should see a field called Filter By at the top where you can enter the IP address and press Enter or click Filter

You could also use the Build Filter -button at the top to get separate fields to filter by.

- Jouni

New Member

Opening up a port in ASA5505

You are a hero. I will try some more.

D

New Member

Opening up a port in ASA5505

Another (possibly) dumb question: can it have anything to do with the udp:// prefixing the tracker?

D

Super Bronze

Opening up a port in ASA5505

Hi,

I don't really know what the whole situation is.

But judging by your configuration there should be no problem with your internal hosts connectivity to the external network.

Current configuration wont enable anything on the external network to initiate the connection towards your network devices. All connections that are formed are formed/initiated by your internal hosts.

Typically with torrent I would imagine that the connectivity should work with simply allowing outbound connections but I would also imagine that there might be need to external source to be able to initiate connectivity to your host and for that you need Static PAT (since you only have 1 public IP address)

I dont know exactly what you are trying to get working and what its requirements are with regards to the firewall configurations so its impossible to say more.

Either what you are using has come with a manual or has one available online that should state the requirements or you can perhaps determine them by seeing what is getting blocked by the firewall.

- Jouni

284
Views
5
Helpful
8
Replies