ASA 5505 "portforward" problem. Port 80 works but

14 years 7 months ago #34105 by Linus
Hello.
I've got a new ASA 5505 firewall, and I'm trying to set up what we newbies call port forwarding.
I have managed to set up some port forwarding that works (http, smtp and www).
Now I'm trying to set up a new forwarding with port 6112, and it does not work.
It seems like when I'm setting up new services that are not built in, it does not work. What am I missing?

BR
Linus

Here is a post of my running config.

ASA Version 8.0(2)

interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd XXXX.XXXX encrypted
boot system disk0:/asa802-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.3
name-server XXX.67.199.39
name-server XXX.67.199.40
domain-name XXXX.XXXX
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service EAGamesTCP tcp
description EA
port-object eq 13505
port-object eq 18121
port-object eq 18126
object-group service EAGamesUDP udp
description EA
port-object eq 18126
access-list XXXGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.224
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015 inactive
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit tcp any interface outside eq 27016 inactive
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit udp any interface outside eq 27016 inactive
access-list outside_access_in extended permit tcp any interface outside eq 46353 inactive
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit tcp any interface outside eq 6112 inactive
access-list outside_access_in extended permit tcp any interface outside eq www inactive
access-list outside_access_in extended permit tcp any interface outside eq 18121 inactive
access-list outside_access_in extended permit tcp any interface outside eq 18126 inactive
access-list outside_access_in extended permit tcp any interface outside eq 13505 inactive
access-list outside_access_in extended permit udp any interface outside eq 18126 inactive
access-list outside_access_in extended permit udp any interface outside object-group EAGamesUDP inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP
access-list outside_access_in extended permit udp any interface outside object-group EAGamesUDP


global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp interface smtp 192.168.1.22 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.22 https netmask 255.255.255.255
static (inside,outside) tcp interface 46353 192.168.1.31 46353 netmask 255.255.255.255
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 27015 10.10.10.14 27015 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 27016 10.10.10.14 27016 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface www 10.10.10.11 www netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 18121 10.10.10.11 18121 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 18126 10.10.10.11 18126 netmask 255.255.255.255 dns
static (dmz,outside) udp interface 18126 10.10.10.11 18126 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 13505 10.10.10.11 13505 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside


class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp

asdm image disk0:/asdm-602.bin
no asdm history enable
14 years 7 months ago #34108 by r0nni3
access-list outside_access_in extended permit tcp any interface outside eq 6112 inactive

Try removing the inactive at the end ;)

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
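The mismatch r0nni3 points at (a static NAT present, but its access-list entry marked inactive) is easy to miss in a long dump. The checker below is an added example, not code from the thread: it cross-references the `static (x,outside)` lines against the ACL applied to the outside interface and reports every forward whose permit is missing or inactive. The sample config is constructed in the style of the dump above, and parsing is limited to the ACE, static and object-group forms that appear in it.

```python
import re

# Constructed sample in the style of the thread's running config, not the poster's full dump.
SAMPLE_CONFIG = """
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service EAGamesTCP tcp
 port-object eq 18121
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015
access-list outside_access_in extended permit tcp any interface outside eq 6112 inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP
static (inside,outside) tcp interface smtp 192.168.1.22 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface 6112 10.10.10.11 6112 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 18121 10.10.10.11 18121 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 27015 10.10.10.14 27015 netmask 255.255.255.255 dns
static (dmz,outside) tcp interface 27016 10.10.10.14 27016 netmask 255.255.255.255 dns
"""
PORT_NAMES = {"smtp": 25, "https": 443, "www": 80}  # named ports that appear in the dump
ACE = re.compile(r"access-list (\S+) extended permit (tcp|udp|object-group \S+) any "
                 r"interface outside (eq \S+|object-group \S+)( inactive)?$")
STATIC = re.compile(r"static \(\S+,outside\) (tcp|udp) interface (\S+) (\S+) \S+ netmask")

def port(tok):
    """Resolve an ASA port token (service name or number) to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def audit(config, acl_name="outside_access_in"):
    """Return (proto, port, host) for each outside static NAT with no active matching ACE."""
    groups, active, statics, cur = {}, set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"object-group (protocol|service) (\S+)", line)
        if m:  # start collecting the members of a protocol or service group
            cur = m.group(2); groups[cur] = set(); continue
        m = re.match(r"(protocol-object|port-object eq) (\S+)$", line)
        if m and cur:
            groups[cur].add(m.group(2) if m.group(1) == "protocol-object" else port(m.group(2))); continue
        cur = None
        m = ACE.match(line)
        if m and m.group(1) == acl_name and not m.group(4):  # 'inactive' ACEs never count
            protos = groups[m.group(2).split()[1]] if m.group(2).startswith("object-group") else {m.group(2)}
            spec = m.group(3).split()
            ports = groups[spec[1]] if spec[0] == "object-group" else {port(spec[1])}
            active.update((p, q) for p in protos for q in ports)
        m = STATIC.match(line)
        if m:  # (protocol, outside port, inside host)
            statics.append((m.group(1), port(m.group(2)), m.group(3)))
    return [s for s in statics if (s[0], s[1]) not in active]
```

On the sample, `audit(SAMPLE_CONFIG)` flags tcp/6112 (permit present but inactive) and tcp/27016 (no permit at all), while smtp, 18121 and 27015 resolve through the named port, the service object-group and the protocol object-group respectively.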
14 years 7 months ago #34109 by Linus
Sorry about the dump; the correct values from the running config are enabled.
:oops:

I did disable them just before doing this post, and that's why you see the dump with the wrong values.

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.224
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015
access-list outside_access_in extended permit object-group TCPUDP any interface outside eq 27015
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit tcp any interface outside eq 27016
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit udp any interface outside eq 27016
access-list outside_access_in extended permit tcp any interface outside eq 46353
access-list outside_access_in remark Albin Games
access-list outside_access_in extended permit tcp any interface outside eq 6112
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 18121
access-list outside_access_in extended permit tcp any interface outside eq 18126
access-list outside_access_in extended permit tcp any interface outside eq 13505
access-list outside_access_in extended permit udp any interface outside eq 18126
access-list outside_access_in extended permit udp any interface outside object-group EAGamesUDP inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP inactive
access-list outside_access_in extended permit tcp any interface outside object-group EAGamesTCP
14 years 7 months ago #34110 by r0nni3
Could you connect from the outside with that port number and then type the following commands and paste the output here?

show xlate

and

show access-list outside_access_in

14 years 7 months ago #34111 by Linus
Hmm, as I said I'm a newbie. How do I connect from outside on a specific port and run a command? Are there any good test tools out there?

I have only used port test sites on the internet.

Or do you mean try to connect with test sites, and then run the commands on the command line of the ASA?

BR
Linus
14 years 7 months ago #34112 by r0nni3
From a PC on the outside network (internet) you could just telnet to the external IP address with a specified port.

telnet 1.1.1.1 6112
*edit* telnet from a Windows machine: go to Start -> Run -> type cmd -> hit Enter. Then you can use telnet (not on Vista or Windows 7, though).

If you PM me your IP I'll try it for you if you have no other options.
