ASA 5505 Newbie Question - Port Translation?
16 years 2 months ago #27413
by BollaertN
ASA 5505 Newbie Question - Port Translation? was created by BollaertN
Hello! I apologize for being severely under educated on this subject, but here is my situation:
I am attempting to install an ASA 5505 to replace my aging PIX 515. The 515 was installed by someone else. The PIX is old and out of contract, so the software is out of date etc.
My firewall setup is pretty basic however, so I simply manually created the rules and NAT in the ASA 5505. I have a couple of servers that I need to be able to access port 80 from the outside, and I have Novell Groupwise where I need access to 1677 and a few Citrix boxes (port 1494).
My problem seems to be that even though I have an access rule that says to allow these Ports, they fail. If I open up ALL TCP, it works. Playing around with the Packet Tracer in the GUI I /think/ that my problem is when the NAT translates my server internet address to the server internal address, it passes it along without the port specification. So say 1.2.3.4/80 gets translated to 192.1.2.1 but without keeping it at specifically 80 so it gets dropped by the implicit rule to block traffic.
Am I close? Here is my config (IPs and such edited):
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password (edited) encrypted
passwd (edited) encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address (my internal ip) 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address (My external IP address) 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service DM_INLINE_TCP_1 tcp
port-object eq citrix-ica
port-object eq www
port-object eq https
object-group service Groupwise tcp
description Groupwise
port-object eq 1677
port-object eq 8009
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
port-object eq 1677
port-object eq 8009
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in remark CTX1 ICA
access-list outside_access_in extended permit tcp any host 192.168.1.xxx eq citrix-ica
access-list outside_access_in remark CTX5 ICA
access-list outside_access_in extended permit tcp any host 192.168.1.xxx eq citrix-ica
access-list outside_access_in remark CTX2 ICA
access-list outside_access_in extended permit tcp any host 192.168.1.xxx eq citrix-ica
access-list outside_access_in remark CTX3
access-list outside_access_in extended permit tcp any host 192.168.1.xxx object-group DM_INLINE_TCP_1
access-list outside_access_in remark CTX4
access-list outside_access_in extended permit tcp any host 192.168.1.xxx eq citrix-ica
access-list outside_access_in remark Mail
access-list outside_access_in extended permit tcp any host 192.168.1.xxx object-group DM_INLINE_TCP_2
access-list outside_access_in remark Helpdesk
access-list outside_access_in extended permit tcp any host 192.168.1.xxx object-group DM_INLINE_TCP_3
access-list outside_access_in remark Corporate
access-list outside_access_in extended permit tcp any host 192.168.1.xxx object-group DM_INLINE_TCP_4
access-list outside_access_in remark Citrix
access-list outside_access_in extended permit tcp any host 192.168.1.xxx object-group DM_INLINE_TCP_5
access-list outside_access_in extended permit udp any host 192.168.1.xxx
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255 dns
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.152.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.xxx-192.168.1.254 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1f4680b0d2dfdf07a2d17c919b679cda
: end
16 years 2 months ago #27419
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: ASA 5505 Newbie Question - Port Translation?
Hello BollaertN,
I believe those access-list commands destination IP should point to the external IPs like this:
[code:1]access-list outside_access_in remark CTX1 ICA
access-list outside_access_in extended permit tcp any host 66.152.xxx.xxx eq citrix-ica
access-list outside_access_in remark CTX5 ICA
access-list outside_access_in extended permit tcp any host 66.152.xxx.xxx eq citrix-ica
.............
.............[/code:1]
I'd also assign VLAN1 to the interface that is actually connected to the inside (unless it's the default behavior in ASA), Say it's Ethernet0/1, then:
[code:1]interface Ethernet0/1
switchport access vlan 1 [/code:1]
If nothing works, I'd still concentrate my attention on the ACLs since you already said it works without them.
ps. Packet Tracer does not support ASAs yet!! I'm not sure what you were referring to.
16 years 2 months ago #27423
by Patiot
Replied by Patiot on topic Re: ASA 5505 Newbie Question - Port Translation?
1. Yes, as Solo said, the access list that you have for the outside interface should be addressed with the translated IP and not with the internal IP.
2. I see that you have static statements configured for translation :
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255 dns
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
static (inside,outside) 66.152.xxx.xxx 192.168.1.xxx netmask 255.255.255.255
so there should be an appropriate access list for each and every static entry to allow access.
Ex:
Say your static statement is like this:
static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255
then the appropriate access list that needs to be in place on the outside interface should look like this:
access-list outside_access_in permit ip (internet ip or any) host x.x.x.x
3. I can help you with the whole configuration if you need help , please specify your needs .
By the way Solo, packet tracer is a utility that is available in ASDM. It is used to simulate how a packet from a source to a given destination would be handled by the firewall (really cool)!!!
Please let me know if you have any questions .
Thanks
Patiot
16 years 2 months ago #27432
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: ASA 5505 Newbie Question - Port Translation?
By the way Solo, packet tracer is a utility that is available in ASDM. It is used to simulate how a packet from a source to a given destination would be handled by the firewall (really cool)!!!
Oh!! I thought that he was talking about Cisco's Packet Tracer Simulation tool. Misunderstanding.