Cisco Support Community
Community Member

Port Opening

Dear All ,

 

Hope all are doing well.

 

I have a Cisco ASA firewall. I need to open two ports, 9005 and 9006, from LAN to WAN, because I have one piece of software that is not communicating from inside to their server outside. For that reason I contacted the software support team, and they said I need to open the ports in the Cisco firewall.

I have attached the current configuration.

================================

name 192.168.150.210 EMAIL-RELAY description RELAY-EXCHANGE
name 192.168.150.211 PROXY
name 192.168.10.10 DC01
name 192.168.0.0 INSIDE-LAN
name 192.168.20.100 Admin
name 192.168.150.213 TEST-DMZ
name 192.168.20.17 test
name 192.168.10.13 ExchangeServer
dns-guard
!
interface GigabitEthernet0/0
 description CONNECTED TO THE LAN
 speed 1000
 duplex full
 nameif INSIDE
 security-level 100
 ip address 192.168.100.5 255.255.255.0 standby 192.168.100.6 
!
interface GigabitEthernet0/1
 description CONNECTED TO THE INTERNET
 speed 100
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 192.168.200.5 255.255.255.224 standby 192.168.200.6 
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif DMZ
 security-level 50
 ip address 192.168.150.1 255.255.255.0 standby 192.168.150.2 
!
interface GigabitEthernet0/3
 description CONNECTED TO INTERNET2_ITC
 nameif OUTSIDE2
 security-level 0
 ip address 192.168.201.5 255.255.255.224 standby 192.168.201.6 
!
interface Management0/0
 description LAN/STATE Failover Interface
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
 
object-group service PROXY-PORTS tcp-udp
 port-object eq 8080
 port-object eq domain
 port-object eq www
 port-object eq 110
 port-object eq 443
 port-object eq 389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
 
object-group service EMAIL-RELAY-PORTS tcp
 port-object eq imap4
 port-object eq pop2
 port-object eq pop3
 port-object eq smtp
 port-object eq www
 port-object eq https
 port-object eq domain
 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq domain
 port-object eq www
 port-object eq pop2
 port-object eq pop3
 port-object eq smtp
 
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq domain
 port-object eq www
 
object-group service DM_INLINE_UDP_1 udp
 port-object eq domain
 port-object eq www
 
object-group icmp-type ICMP
 description ICMP
 icmp-object echo
 icmp-object echo-reply
 
object-group service RDP tcp-udp
 description RDP Block
 port-object eq 3389
 
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group service IPSEC_4500 udp
 port-object eq 4500
 
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host PROXY any object-group PROXY-PORTS 
access-list DMZ_access_in extended permit tcp host EMAIL-RELAY host ExchangeServer object-group EMAIL-RELAY-PORTS 
access-list DMZ_access_in extended permit tcp host EMAIL-RELAY any object-group DM_INLINE_TCP_1 
access-list DMZ_access_in extended permit udp host EMAIL-RELAY any object-group DM_INLINE_UDP_1 
access-list DMZ_access_in extended permit object-group TCPUDP host EMAIL-RELAY any object-group DM_INLINE_TCPUDP_1
 
access-list OUTSIDE_access_in extended permit tcp any host EMAIL-RELAY object-group EMAIL-RELAY-PORTS 
access-list OUTSIDE_access_in extended permit tcp any host PROXY eq https 
access-list OUTSIDE_access_in extended permit udp any any eq 4500 
access-list OUTSIDE_access_in extended permit udp any any eq isakmp 
access-list OUTSIDE_access_in extended permit ip 192.168.80.0 255.255.255.252 any 
access-list OUTSIDE_access_in extended permit tcp any any eq telnet 
access-list OUTSIDE_access_in extended permit tcp any any eq https 
access-list OUTSIDE_access_in extended permit esp any any 
access-list OUTSIDE_access_in extended permit udp any any object-group IPSEC_4500 
access-list OUTSIDE_access_in extended permit ip 192.168.200.0 255.255.255.224 192.168.201.0 255.255.255.224 

 
access-list INSIDE_access_in extended permit object-group TCPUDP any 192.168.150.0 255.255.255.0 object-group RDP 
access-list INSIDE_access_in extended permit ip any any 

access-list OUTSIDE2_access_in extended permit tcp any host EMAIL-RELAY object-group EMAIL-RELAY-PORTS 
access-list OUTSIDE2_access_in extended permit tcp any host PROXY eq https 
access-list OUTSIDE2_access_in extended permit tcp any host EMAIL-RELAY eq pop2 
access-list OUTSIDE2_access_in extended permit tcp any host EMAIL-RELAY eq pop3 
access-list OUTSIDE2_access_in extended permit tcp any host EMAIL-RELAY eq smtp 
access-list OUTSIDE2_access_in extended permit tcp any host EMAIL-RELAY eq www 
access-list OUTSIDE2_access_in extended permit tcp any host EMAIL-RELAY eq https 
access-list OUTSIDE2_access_in extended permit tcp any host EMAIL-RELAY eq domain 

access-list split_tunnel_vpngroup1 extended permit ip 192.168.10.0 255.255.255.0 172.16.20.0 255.255.255.0 
access-list split_tunnel_vpngroup1 extended permit ip 192.168.20.0 255.255.255.0 172.16.20.0 255.255.255.0
 
access-list OUTSIDE_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.80.0 255.255.255.252 
access-list OUTSIDE_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.80.0 255.255.255.252 
access-list OUTSIDE_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.80.4 255.255.255.252 
access-list OUTSIDE_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.80.4 255.255.255.252 
access-list OUTSIDE_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.60.0 255.255.255.0 
access-list OUTSIDE_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.60.0 255.255.255.0 
access-list OUTSIDE_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0 
access-list OUTSIDE_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.60.0 255.255.255.0 
access-list OUTSIDE_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.70.0 255.255.255.0 
access-list OUTSIDE_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.70.0 255.255.255.0 
access-list OUTSIDE_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.70.0 255.255.255.0 
access-list OUTSIDE_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.70.0 255.255.255.0 
access-list OUTSIDE_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.252 
access-list OUTSIDE_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.80.4 255.255.255.252 
access-list OUTSIDE_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.80.0 255.255.255.252 

pager lines 24
logging enable
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
mtu OUTSIDE2 1500
ip local pool vpn-pool 172.16.20.1-172.16.20.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover Management0/0
failover polltime unit 1 holdtime 3
failover key *****
failover link failover Management0/0
failover interface ip failover 192.168.1.1 255.255.255.252 standby 192.168.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400

access-group INSIDE_access_in in interface INSIDE

access-group OUTSIDE_access_in in interface OUTSIDE

access-group DMZ_access_in in interface DMZ

access-group OUTSIDE2_access_in in interface OUTSIDE2


route OUTSIDE 0.0.0.0 0.0.0.0 192.168.200.1 1 track 1
route INSIDE 192.168.10.0 255.255.255.0 192.168.100.1 1
route INSIDE 192.168.20.0 255.255.255.0 192.168.100.1 1
route INSIDE 192.168.40.0 255.255.255.0 192.168.100.1 1
route INSIDE 192.168.50.0 255.255.255.0 192.168.100.1 1
route OUTSIDE2 0.0.0.0 0.0.0.0 192.168.201.1 2

 

 

Kindly help me.

 

 

Regards

Muhammed

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hi,

I don't see the attached configuration.

Thanks and Regards,

Vibhor Amrodia

4 REPLIES
Community Member

Sorry bro,

Can you check now?

Cisco Employee

Hi,

You already have all the traffic allowed from the Inside to the Outside through this ASA device.

Also, if you need to allow the traffic from the Outside to Inside, then you can apply an ACL rule for this ACL: access-list OUTSIDE_access_in.

Also, try to use the packet-tracer feature to check if this port is allowed or blocked.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Thanks and Regards,

Vibhor Amrodia
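
Added example, not part of the original thread: a small Python model of the ASA's top-down, first-match ACL evaluation, run over the INSIDE_access_in and OUTSIDE_access_in entries from the posted configuration, showing why TCP 9005/9006 is already permitted outbound and falls to the implicit deny inbound. The address 203.0.113.10 is a placeholder for the software vendor's server, and the model covers ACL matching only (no NAT, routing or inspection).

```python
import ipaddress
# Subset of the configuration posted in this thread (names, groups, two ACLs).
NAMES = {"EMAIL-RELAY": "192.168.150.210", "PROXY": "192.168.150.211"}
PROTO_GROUPS = {"TCPUDP": {"tcp", "udp"}}
PORT_GROUPS = {"RDP": {3389}, "IPSEC_4500": {4500},
               "EMAIL-RELAY-PORTS": {143, 109, 110, 25, 80, 443, 53}}
PORT_NAMES = {"https": 443, "telnet": 23, "isakmp": 500}
ACLS = """
access-list INSIDE_access_in extended permit object-group TCPUDP any 192.168.150.0 255.255.255.0 object-group RDP
access-list INSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit tcp any host EMAIL-RELAY object-group EMAIL-RELAY-PORTS
access-list OUTSIDE_access_in extended permit tcp any host PROXY eq https
access-list OUTSIDE_access_in extended permit udp any any eq 4500
access-list OUTSIDE_access_in extended permit udp any any eq isakmp
access-list OUTSIDE_access_in extended permit ip 192.168.80.0 255.255.255.252 any
access-list OUTSIDE_access_in extended permit tcp any any eq telnet
access-list OUTSIDE_access_in extended permit tcp any any eq https
access-list OUTSIDE_access_in extended permit esp any any
access-list OUTSIDE_access_in extended permit udp any any object-group IPSEC_4500
access-list OUTSIDE_access_in extended permit ip 192.168.200.0 255.255.255.224 192.168.201.0 255.255.255.224
""".strip().splitlines()

def _addr(tok):  # consume "any", "host X" or "NET MASK"; resolve `name` aliases
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    t, mask = (tok.pop(0), "255.255.255.255") if t == "host" else (t, tok.pop(0))
    return ipaddress.ip_network(f"{NAMES.get(t, t)}/{mask}")

def parse(line):
    tok = line.split()[3:]                 # drop "access-list NAME extended"
    action, p = tok.pop(0), tok.pop(0)
    protos = PROTO_GROUPS[tok.pop(0)] if p == "object-group" else {p}
    src, dst, ports = _addr(tok), _addr(tok), None   # None = any port
    if tok and tok[0] == "eq":
        ports = {PORT_NAMES.get(tok[1]) or int(tok[1])}
    elif tok:                              # "object-group NAME" (destination ports)
        ports = PORT_GROUPS[tok[1]]
    return action, protos, src, dst, ports

def first_match(acl, proto, src, dst, dport):
    # ACEs are evaluated top-down; the first match decides, else implicit deny.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in ACLS:
        action, protos, snet, dnet, ports = parse(line)
        hit = line.split()[1] == acl and protos & {"ip", proto} and s in snet and d in dnet
        if hit and (ports is None or dport in ports):
            return action, line
    return "deny", "implicit deny"
```

On the firewall itself, `packet-tracer input INSIDE tcp 192.168.20.17 1025 203.0.113.10 9005` (source port and destination are constructed values) gives the authoritative result, since it also walks NAT and routing.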

Community Member

Thanks for your reply.

If I want to apply an outside-to-inside rule for port numbers 9005 and 9006, how can I create the rule, because all outside traffic is coming to the DMZ?

Do I have to create outside to DMZ and DMZ to inside?

If you don't mind, can you help me with how I can create the above rule, like outside to DMZ and DMZ to inside?

Please help me.

 

 

Regards

Muhammed shafi
