Opening up a port in ASA5505

David Thulin
Level 1

Hi!

I have an ASA5505 running 8.2(5) and it works fine with a simple config (thanks JF). However, behind it, a NAS is set to download stuff automatically somehow using port 51413. It seems this has stopped working.

How do I open that port to a specific internal IP?

D

8 Replies

Jouni Forss
VIP Alumni

Hi,

So are you saying that something is going to connect to one of your internal network devices with the destination port TCP/51413 from the external network?

Also, do you mean that it has stopped working during the time the ASA has been in use or do you perhaps mean that you had some other device in use instead of the ASA when it worked and after switching to ASA it stopped working?

Typically if you have one public IP address usable (which is configured on the ASA interface) then you would use a Static PAT configuration (Port Forward)

Its configuration format is basically the following:

static (inside,outside) tcp interface <port> <internal-ip> <port> netmask 255.255.255.255

The above (when filled with the correct IP/port information) should enable access from the external network to your internal host on the specified port. For multiple ports you have to make a similar configuration for each. The above also presumes that your interfaces are called "inside" and "outside".

You will naturally also require an ACL rule on the "outside" interface that will allow the traffic to your public IP address on the mentioned destination port.

- Jouni

Hi!

OK, I have more info: it is a BitTorrent client on a ReadyNAS. With this plain config (below) I was thinking it would work, but no.

I can only find guides to block .torrent, how about the opposite?

D

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description WAN
 switchport access vlan 2
!
interface Ethernet0/1
 description LAN
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
access-list INSIDE-IN remark Allow all traffic from LAN
access-list INSIDE-IN extended permit ip 10.0.1.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 10.0.1.0
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INSIDE-IN in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 195.67.199.15 195.67.199.16
!
dhcpd address 10.0.1.65-10.0.1.95 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b28d2a8848db95e9836702a28b692078
: end


Hi,

Your current configuration enables any connection to be formed from LAN to WAN because you have a Dynamic PAT configuration for the internal network. Also, all traffic is allowed.

However, if something/someone needs to be able to initiate a connection to some host on your internal network then you need to configure Static PAT (Port Forward).

If something is not getting through the external network and you are not sure what to allow you can always monitor the logs through ASDM Monitor/Logging section and see what connections are initiated and blocked by your firewall.

If you know what ports you need to forward to the internal host then you can use the above mentioned Static PAT configuration format to make your configurations and after that configure ACL on the "outside" interface to allow the traffic.

Again, for TCP or UDP the configuration formats for Static PAT could be:

static (inside,outside) tcp interface <port> 10.0.1.x <port> netmask 255.255.255.255

static (inside,outside) udp interface <port> 10.0.1.x <port> netmask 255.255.255.255

- Jouni
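The Static PAT plus outside ACL that the replies above describe, filled in for the thread's port 51413, as an added example (not part of the thread or Cisco's documentation). It assumes the NAS has the fixed inside address 10.0.1.20 (a placeholder outside the ASA's DHCP pool of 10.0.1.65-95; use the real address) and that the client listens on both TCP and UDP 51413.

```cisco
! Added example for ASA 8.2(5): port forward TCP/UDP 51413 to the NAS.
! 10.0.1.20 is an assumed NAS address, not taken from the thread.
!
! 1. Static PAT: public interface port 51413 -> NAS port 51413.
!    "interface" is used because the outside address comes from DHCP.
static (inside,outside) tcp interface 51413 10.0.1.20 51413 netmask 255.255.255.255
static (inside,outside) udp interface 51413 10.0.1.20 51413 netmask 255.255.255.255
!
! 2. Inbound ACL on the outside interface. On 8.2 the ACL matches the
!    mapped (public) address, so the destination is the interface itself.
!    Only port 51413 is opened; every other inbound connection stays denied.
access-list OUTSIDE-IN remark Allow inbound BitTorrent peers to the NAS only
access-list OUTSIDE-IN extended permit tcp any interface outside eq 51413
access-list OUTSIDE-IN extended permit udp any interface outside eq 51413
access-group OUTSIDE-IN in interface outside
!
! 3. Verification (exec mode, not config):
!    show xlate | include 51413        - the static translation is present
!    show access-list OUTSIDE-IN       - hit counts rise as peers connect
!    show logging | include 10.0.1.20  - built/denied connections for the NAS
```

Keep the NAS on a static address (or a DHCP reservation) so the translation does not silently point at the wrong host after a lease change, and open only the port the client actually uses rather than the whole host.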

Embarrassing question time: can I filter the log so it shows only one source IP?

D

Hi,

If you go to ASDM -> Monitoring -> Logging and open the log window from the View button, then you should see a field called Filter By at the top where you can enter the IP address and press Enter or click Filter.

You could also use the Build Filter button at the top to get separate fields to filter by.

- Jouni

You are a hero. I will try some more.

D

Another (possibly) dumb question: can it have anything to do with the udp:// prefixing the tracker?

D

Hi,

I don't really know what the whole situation is.

But judging by your configuration there should be no problem with your internal hosts connectivity to the external network.

The current configuration won't enable anything on the external network to initiate a connection towards your network devices. All connections that are formed are formed/initiated by your internal hosts.

Typically with torrents I would imagine that the connectivity should work by simply allowing outbound connections, but I would also imagine that there might be a need for an external source to be able to initiate connectivity to your host, and for that you need Static PAT (since you only have 1 public IP address).

I don't know exactly what you are trying to get working and what its requirements are with regards to the firewall configuration, so it's impossible to say more.

Either what you are using has come with a manual, or has one available online, that should state the requirements, or you can perhaps determine them by seeing what is getting blocked by the firewall.

- Jouni
