cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5957
Views
0
Helpful
10
Replies

Port forwarding - Cisco ASA5505 - Running ASA 9.1(2) - ADSM 7.1(3)

pavi
Level 1
Level 1

Hi!

I have a few issues configuring the right stuff for this asa with the software mentioned above.

This is what i need done...

1. OpenVPN (port 1194 - UDP) - Open from outside to inside and back. - The OpenVPN server is connected to a NAS-server on a 192.168.10.xxx adress

2. I have problems sending out mails from a server on the inside using either port 25 or port 587.. The asa won't let the traffic pass from inside to outside.

3. Last config looking for..   I have placed a FTP-server on the inside running on port 31030. how do i get it up and running from the outside to reach it..

If you guys can help me out with the config for these thru the ASDM - It would be great , but thru CLI is fine aswell..  As long as i can get those things running - i would be really happy.. ;-)

Looking forward to hear from you guys..

2 Accepted Solutions

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Is this a brand new configuration? Your questions imply that it is.

Usually (but not always) you need a NAT for inside traffic to the outside. Do you have only the single public IP on the outside or do you have a subnet to work with? This bounds your options in setting up NAT entries and how to allow the things you asked about. If you can post the configuration file that would be helpful in answering your questions better.

1. Simply add an access-list entry on the outside interface. Source any, destination real IP and port 1194 of your server (which may be associated with either a static or dynamic NAT entry).

2. The NAT needs to be in place for this to work. Once it is, and assuming no access-list on the inbound interface and that a route exists to the destination, traffic is allowed by default from high security (inside) to lower security zones (outside).

3. Same approach as #1 above.

View solution in original post

Sometimes the ASA's smtp inspection actions break email. You can try:

class inspection_default

no inspect esmtp

...to turn it off.

View solution in original post

10 Replies 10

Marvin Rhoads
Hall of Fame
Hall of Fame

Is this a brand new configuration? Your questions imply that it is.

Usually (but not always) you need a NAT for inside traffic to the outside. Do you have only the single public IP on the outside or do you have a subnet to work with? This bounds your options in setting up NAT entries and how to allow the things you asked about. If you can post the configuration file that would be helpful in answering your questions better.

1. Simply add an access-list entry on the outside interface. Source any, destination real IP and port 1194 of your server (which may be associated with either a static or dynamic NAT entry).

2. The NAT needs to be in place for this to work. Once it is, and assuming no access-list on the inbound interface and that a route exists to the destination, traffic is allowed by default from high security (inside) to lower security zones (outside).

3. Same approach as #1 above.

Hi Marvin,

Is it possible for you to do the lines i have to put in thru the CLI-interface..   I tried a dozen of different ways but i don't seem to be able to do it..  Pretty new to this box - So trying to learn. hehe..   Here is my config file - Pretty clean as for now..  Simple config - Building it up step by step..

Please let me know how to get those three requests working with the cli-commands i have to do..  if it ain't to much work.. hehe ..  Thanks alot..  AND YES - Only one public IP to work with..  ;-)

Config file currently :

: Written by enable_15 at 21:50:51.749 UTC Sat Jul 6 2013

!

ASA Version 9.1(2)

!

hostname asa

domain-name asa

enable password XX encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd XX encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 12

switchport protected

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan12

nameif DMZ

security-level 50

ip address 192.168.2.1 255.255.255.0

!

boot system disk0:/asa912-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name asa

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Work

host 192.168.2.10

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj_any

nat (inside,outside) dynamic interface

object network Work

nat (any,outside) static interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=brainbox

keypair

crl configure

crypto ca trustpool policy

telnet timeout 5

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.10.10-192.168.10.30 inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username pascal password XX encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:XX

Something like this:

asa# conf t

asa(config)# object network host OpenVPN_Server

asa(config-network-object)# nat (inside, outside) dynamic 192.168.10.xxx service tcp 1194

asa(config-network-object)# object network host FTP_Server

asa(config-network-object)# nat (inside, outside) dynamic service tcp 31030

asa(config)# exit

asa(config)# access-list outside_access permit tcp any host OpenVPN_Server eq 1194

asa(config)# access-list outside_access permit tcp any host FTP_Server eq 31030

asa(config)# access-group outside_access interface outside

asa(config)exit

I'm not sure why your outbound email isn't working already. Are you getting a good interface address and default route on the ASA from the outside DHCP server?

Thanks for the above..  I will try it out right away and see if it works out..   I appricate your time in this.

In regards to the email..  Its my Synology-server that comes up with an error trying to send an email..  I have set it up to send mesages thru gmail for warnings etc..   It used to work on a different firewall without any settings..  But hasn't worked after installing this one..  So for me it sounds like that it won't let me send email from those ports without rules created in the box ??     I will look into the log an see what error it comes up with and copy/paste it here..

Thanks so far for the info above - I will try it out and let you know if it fixed it..

/pascal

Sometimes the ASA's smtp inspection actions break email. You can try:

class inspection_default

no inspect esmtp

...to turn it off.

Hey Marvin,

The email-part worked perfectly..   I can now send emails thru it.. PERFECT !!! thanks for fixing that one.. 

But the other part..   Didnt work out.. it comes with errors..  Look below :

Already at the first part it goes wrong..  

brainbox# config t

brainbox(config)# object network host OpenVPN_Server

                                      ^

ERROR: % Invalid input detected at '^' marker.

brainbox(config)#

So i believe before that one is created - The next line won't make any sense...  

nat (inside, outside) dynamic 192.168.10.xxx service tcp 1194 <-----------

Uhmm.. does this make sense to you .. what is wrong?

Great that the mail is working.

I think my syntax was a bit off - it should be object-network etc. But you might be better off trying the GUI for setting up a public server for your two public servers. The configuration guide section here should help:

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/access_public_servers.html#wp1091646

Hi Marvin,

Tried to follow the guide - But still not home free..  I'm just thinking...  How hard can it really be to make OpenVPN on port 1194 working..   Thats the only port for OpenVPN that needs access thru my firewall and i can't seem to figure out how to configure it correctly.

Anyone in the forum here that has a Synology like i do and knows how to get this working ?

I appriciate your tryings Marvin..   ;-)   

Uhmm.. it says " Question is answered" - Not 100 percent..  Please read above this post..    I still need assistance...    Thanks...

Pascal,

Did you get the "object-network host" command with its associated nat and access-list entries to take? If you could post the updated configuration with that in place, we can have a look at it some more.

Regards,

- Marvin

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: