01-12-2008 01:06 PM - edited 03-03-2019 08:14 PM
Hi,
I've tried everything to get the port forwarding on my cisco asa 5505 to work.
I found this on the cisco web to configure port forwarding for http,https,smtp and rdp
http://www.cisco.com/en/US/docs/secu...html#wp1102023
The only thing different in my setup contra this setup, is that my server is on my inside LAN and not in the DMZ. My ISP also provides me with a dynamic IP for my outside interface.
Still nothing works, and this is not the only config I've tried. I have also tried to do packet tracing, but it does not seem to work properly; it always gives me an error on the config implicit ACL.
Here is the result of the command: "sh run"
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.x.x 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
port-object eq 3389
access-list outside_access_in extended permit tcp any eq smtp interface outside eq smtp
access-list outside_access_in extended permit tcp any eq www interface outside
access-list outside_access_in extended permit tcp any eq https interface outside eq https
access-list outside_access_in extended permit tcp any object-group rdp interface outside object-group rdp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.x smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.x www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.x https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.x 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
01-14-2008 12:04 AM
Hi,
Can you post the configuration you're applying and the error it generates?
Tim
01-14-2008 01:21 AM
Isn't that what I have sent?
Well, I have now managed to get it working. The only downside is that my internet stops working. I added an exempt NAT rule, and suddenly everything worked in packet tracing.
It seems to me that my server on the inside is no longer capable of retrieving DNS lookups. Cached DNS is working just fine, but new requests are not working. I have an Active Directory on the inside, and my clients are using this server as a DNS server. The DNS server forwards requests for external domains to the DNS server at my ISP. This is no longer working when I put on the Exempt rule.
01-14-2008 06:32 AM
Hi there,
Is your internet not working, or is DNS not working?
For example, if you open a web browser and attempt to go to http://64.233.187.99, does that get you to Google?
I have an idea of what might be wrong, but I need you to confirm that for me first.
Mike
01-14-2008 06:52 AM
My internet has stopped working because my DNS has stopped working. I cannot resolve DNS addresses anymore, and only cached DNS lookups are working. I have not tried to do what you propose, but my guess is that this should work.
BTW, the config I posted is not the same anymore. I have done many adjustments to make it work.
01-14-2008 08:38 AM
Please post your updated config if you'd like assistance with this.
Also, you may want to look into the fact that sometimes Cisco security devices block UDP DNS packets that are larger than 512 bytes (EDNS0).
You can turn off Extension Mechanisms for DNS on Windows 2003 by entering the following command from the command line:
dnscmd <ServerName> /Config /EnableEDnsProbes 0
I had this problem with a Windows 2003 DNS server looking up external entries, and the above command solved it for me.
But your problem may be different. Post the config if you're still having problems.
HTH
Mike
01-14-2008 01:48 PM
Hi, here is the config for the ASA. I tried what you said, and by browsing to the IP address Google showed right up. I also checked my 2k3 server and it was configured to forward DNS lookups to 192.168.1.1. Changed this to my ISP's DNS, but no change. Deleted the Exempt rule to try to connect to the internet, but it seems that the DNS error sticks with the ASA. The command you mention seems logical, but what kind of implications will this have for my internal DNS lookups and Active Directory?
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name xxx.xx
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan5
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.x.x 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name xxx.xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
port-object eq 3389
access-list outside_access_in extended permit tcp any eq smtp host 192.168.1.x eq smtp
access-list outside_access_in extended permit tcp any eq www host 192.168.1.x eq www
access-list outside_access_in extended permit tcp any eq https host 192.168.1.x eq https
access-list outside_access_in extended permit tcp any object-group rdp host 192.168.1.x object-group rdp
access-list inside_nat0_outbound extended permit ip host 192.168.1.x any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
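The two configs posted above share two patterns worth checking mechanically: inbound ACEs that qualify the source with a port (any eq smtp ...), which only match clients whose source port is 25, and a NAT-exemption ACE whose destination is any, which takes the server's whole outbound traffic out of dynamic PAT. The lint below is an added example written for this thread, not code from the original posts or from Cisco; the sample config is constructed, with 192.168.1.10 standing in for the redacted 192.168.1.x.

```python
import re

# Constructed sample modelled on the thread's second config (pre-8.3 ASA syntax).
SAMPLE_CONFIG = """
access-list outside_access_in extended permit tcp any eq smtp host 192.168.1.10 eq smtp
access-list outside_access_in extended permit tcp any eq www host 192.168.1.10 eq www
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq https
access-list inside_nat0_outbound extended permit ip host 192.168.1.10 any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Matches the ACE forms that appear in the thread: source and destination are
# "any", "host X" or "interface X", each optionally followed by "eq PORT" or
# "object-group NAME". Other forms (ranges, subnets) are simply not parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp|ip)\s+"
    r"(?P<src>any|host\s+\S+|interface\s+\S+)"
    r"(?P<srcport>\s+(?:eq|object-group)\s+\S+)?\s+"
    r"(?P<dst>any|host\s+\S+|interface\s+\S+)"
    r"(?P<dstport>\s+(?:eq|object-group)\s+\S+)?$"
)
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)", re.M)


def parse_aces(config):
    """Return one dict per recognised extended ACE in the config text."""
    return [m.groupdict() for line in config.splitlines()
            if (m := ACE_RE.match(line.strip()))]


def audit(config):
    """Return human-readable findings for the two misconfigurations described above."""
    findings = []
    nat0_lists = set(NAT0_RE.findall(config))  # ACLs used for NAT exemption
    for ace in parse_aces(config):
        if ace["srcport"]:
            # Clients connect from ephemeral ports, so a source-port qualifier
            # means the inbound port forward never matches real traffic.
            findings.append(f"{ace['name']}: source-port qualifier "
                            f"'{ace['srcport'].strip()}' blocks real clients")
        if ace["name"] in nat0_lists and ace["dst"] == "any":
            # Identity NAT wins over "nat (inside) 1"; the host's packets leave
            # the outside interface untranslated and replies never return.
            findings.append(f"{ace['name']}: NAT exemption {ace['src']} -> any "
                            "removes the host from outbound PAT entirely")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```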
01-15-2008 06:40 AM
It should have no implications on your DNS service, as that solution comes from Microsoft themselves:
http://support.microsoft.com/kb/828263/en-us
Your DNS forwarders should definitely be set to your ISP's servers, and not internal or the ASA.
Just to verify, in the network adapter for your server, you've got it set with a static IP, and what do you have for a DNS server? I'm assuming this same server is also a Domain Controller.
Also, if you set up a laptop or desktop on the network, assign it an IP on your LAN, but set the DNS servers to your ISP's servers (external). See if that will resolve domain names. If so, then the problem is with your server's DNS service (which I can fix... I've seen this before).
Back to your config, I'll need a little while to look at it. But let me know about the server. (I realize this is turning into more Microsoft than Cisco right now :-)
01-15-2008 07:46 AM
Hi,
Yes, I found that article myself, and ran the command but no change. I will try what you suggest tonight (GMT+1).
You are absolutely right about the server. It has a static IP, and is also a Domain Controller running Windows 2003 Service Pack 1 with Exchange 2003 SP2.
01-15-2008 08:26 AM
I have seen what you are describing before, and whether or not the test I gave you works will let me know for sure. I'm starting to think that the ASA is not the problem, and your Windows DNS is.
Basically, you want to make sure your internal DNS is set up appropriately.
On your server:
1) In the TCP/IP properties of the network adapter, for DNS servers you want to supply the first DNS Server field with the server's OWN IP address. Make sure not to use 127.0.0.1, but its actual internal IP address (192.168.1.1, or whatever it is). Don't put anything in the 2nd box... just leave it blank.
2) While you're in the TCP/IP properties, click on the Advanced button at the bottom, and then go to the DNS tab. In there, first make sure there is only 1 DNS server listed (your server's IP address) in the DNS servers box.
Then, make sure the first 2 radio buttons are checked (Append Primary and Conn... and Append Parent Suffix...). At the bottom, check Register this Connection's address in DNS.
3) In the DNS service snap-in, make sure your IP forwarders are your ISP's DNS servers' IP addresses (and nothing else). I use 5 seconds before timeout, and "Do Not Use Recursion" is NOT checked.
On the "Interfaces" tab, I have it set to Listen on All IP Addresses, even though there is only 1.
Let me know how you make out.
Mike
01-16-2008 01:22 PM
All the settings were exactly like you described in my DNS-settings, on my server. Using my ISP's DNS-addresses on my clients did not work either.
This case started out as a case about port forwarding, and I did manage to get that to work, according to the packet tracing anyway. Odd behaviour before, during and after from the ASA, and losing my internet connection completely almost every time I try to fix the problems, leaves me thinking that there is something physically wrong with it.
I have given it to one of my colleagues so he can start over and see if he gets it working. And then we will see. Thanks for all the help.