Cisco Firewall :: ASA 5505 - PAT Range Of Ports
May 31, 2011
I've an ASA 5505 as my gateway for my internet at home. I've one public IP, so I use Port Address translatetion for my internal clients.
Now i wanna setup a FTP server, on a internal client. I will use Filezilla FTP server. I'm running the FTP server in passive mode, since the FTP server would be behind my ASA firewall/nat device.
I need 50 ports for the passive mode to be running.
I will use port range 50000-50050. I can easy make a firewall rule (access-list) that permit that port range.
But how do I PAT(NAT) a port-range on the ASA device? I can only figure out how to NAT one port at the time.
View 2 Replies
ADVERTISEMENT
Mar 11, 2011
I have an ASA 5505 running 8.4(1), and I'm configuring it with ASDM 6.4(1). The outside interface is configured with a single static address. I have a few services port forwarded sucessfully to three different servers on the inside network.
I need to make a media proxy on a SIP server available to the outside. It requires a large range of forwarded UDP ports for the media channels.
I tried adding a network object NAT rule like the others I'm already using to forward HTTP and RDP. I entered a range of ports for the real port and the mapped port using the syntax 60000-60999. ASDM accepted it, but the NAT rule list displays "Any" in the service column. When I apply the change, I get the following error:
nat (inside,outside) static interface service tcp 60000-60999 60000-60999
^
ERROR: % Invalid input detected at '^' marker.
How do I forward a large range of UDP ports from the outside interface to a single server on my inside network? I'd like to use ASDM, but I can switch to the CLI if that works better.
View 3 Replies
View Related
Jun 9, 2013
We have an ASA 5505. 5505 comes with two default vlans 1&2 with each of them marked as inside & outside respectively.My query is , if i do not want to use vlans on 5505 and only want to use the Ethernet ports as pure physical layer 3 ports, is it possible?i.e. i want to assign a layer 3 ip address on eth0/0 and eth0/1 and make them as the inside & outside interfaces rather than vlans. is it possible to do away with vlans in 5505 & will it work otherwise?
View 3 Replies
View Related
Dec 5, 2012
I have a network with multiple servers behind a PIX with 6.3 on it. I have one public IP address, and I'm using NAT. I'm currently trying to port my Exchange server to a cloud host, and the vendor is requiring I open up a wide range of ports for MAPI, basically ports 1024 on. What would be the command to forward all of the trafic cominto/from that broad range? if I could simply route all trafic to and from their two IP addresses to my email server, that would accomplish the same end goal.
View 3 Replies
View Related
May 8, 2011
I need to open the following ports on a pix:
-tcp 3230 to 3235
-udp 3230 to 3253
How do I open the ports?
View 2 Replies
View Related
May 22, 2012
i have a cisco asa 5510 and would like to add a NAT rule for a range of ports like 50000-59999
View 1 Replies
View Related
Feb 21, 2013
I have a Cisco ASA 5505 (version above) and I have someone that needs to SSH into a box behind the ASA. I'm having a few issues trying to configure this access-list and NAT. I've tried many combinations and clearly my IOS is not as good as I thought. What commands should I enter to accomplish mapping SSH from an outside network range to an internal host ?
View 5 Replies
View Related
Dec 15, 2011
Im new to the ASA and is trying to setup at test net. The ASA is connected to my router on port zero using DHPC. (Or i guess its not as the router use the same ip range as ASA does inside).
I tried to set a static IP in the same range (eg. 192.168.1.20) but then get the message "cannot overlap with the subnet of interface inside". So I belive that is why it dont get a IP from my router - it does show up in the router DHPC table as 192.168.1.5 but ASDM home says outside "no IP address".
I tried to change the inside range of the ASA but if I change the inside IP i loose connection. (Had to restore factory-default useing the console).
I guess I could setup another range using the console, but how?
View 9 Replies
View Related
Nov 7, 2011
trying to configure our ASA 5505 (hence my request for the ASDM). However, I can go CLI if push comes to shove.
What I'm trying to do is allow a range of IP addresses on the inside interface (those which the DHCP server is doling out IPs which are XXX.X.XXX.14-140) to access email only (which is hosted offsite). They still need to access the file servers which are on the inside but nothing should be going out to the internet other than email.
I believe I have to create a Network Object which contains the IP range I wish to restrict. I can see where I add the Network Object but I don't know what the syntax should be to specify the address range.
I'm also not sure what the sequence of the ACLs should be and whether or not I can keep the default Access Rules in place. There are the two implicit rules: 1) Permit any traffic out to less secure networks 2) Deny any traffic to anywhere (which is superceded by rule 1, yes?)
To create an Access Rule like the one I desire, do I need to move the two existing rules down the list so that the new one will supercede both implicit rules?
View 1 Replies
View Related
Feb 7, 2013
: Saved
: Written by enable_15 at 03:51:29.049 UTC Mon Feb 4 2013
ASA Version 8.4(4)1
host name cisco asa
enable password xxxxx encrypted
password xxxxx encrypted
names
interface Ethernet0/0
switch port access v lan 100
interface Ethernet0/1
interface Ethernet0/2
[code]...
View 2 Replies
View Related
Jan 7, 2013
After getting hacked I want to limit terminal server/ remote desktop to only my computer. (although I may need to let other net in later)
In other words I want only computers from my home ip range (lets say my ISP gives me at home something in 28.28.XX.0) to be let in to the router at work and then to port 3389.
In the work ASA 5505 softwareVersion 7.2(4) I now have:
access-list outside_in extended permit tcp any interface outside eq 3389
static (inside, outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
acces-group outside_in in interface outside
View 3 Replies
View Related
Apr 15, 2013
We have a client that is running a PC on a internet over satellite. To avoid any unessecery traffic over the satellite link (data traffic is quite expensive), we've suggested to use a 5505, as we had one handy already.
So basically what we wanted was to block everything outgoing and everything ingoing, except for example port 22 (ssh).
But I'm struggling a bit, since this is my first cisco router to be configured.
My interfaces are as follows.
Outside - DHCP
Inside (port 1) - 192.168.1.1
I'm only running ipv4.
in ASDM I made a static NAT rule for port 22, being forwarded to 192.168.1.5 (the computer)
in Access rules I made under outside (incomming rules) source=any destination=outside service=ssh action=permit
But when I try to add further rules to block everything else, it takes the SSH on port 22 with it. How should I do this the easiest way?
the hardware setup is pretty straight forward.
sat-terminal(with IP 192.168.0.1 running DHCP) -> 5505 (outside IP=DHCP - inside IP=192.168.1.1) -> computer (IP=192.168.1.5)
View 24 Replies
View Related
May 9, 2013
I have an ASA 5505 with ASA version 7.2(2) and ASDM version 5.2(2) and I am attempting to open ports 88 and 5445 and forward them to the IP address of my DVR. This is all new for me. I see several posts for other software version to do this same thing but my version appears to be older?
View 1 Replies
View Related
Nov 7, 2011
I need to forward some ports for remote desktop and remote outlook which I host on an internal server. I have looked all over the web and got close, but no hints on how to do it in the asa 8.2. there is an 8.3 guide, but it is just different enough to not work. I am new to this device and cli.
View 3 Replies
View Related
Jan 2, 2013
I am trying to configure a new 5505 but I am having difficulties opening ports that allow traffic in from the outside. My setup is Comcast Business Modem (w/ single static IP) -> ASA (10.0.0.1) -> (dumb) Switch -> NAS (10.0.0.10). I am attemping to open port 5001 to the NAS. I am very new to IOS so I have mostly been working in ASDM. Not sure if I am overcomplicating this for myself or what but I am stuck.
My running config is -
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
[Code].....
View 4 Replies
View Related
May 5, 2013
I'm working on setting up a PBX server in our office, and I'm having trouble getting a port opened for SIP on my ASA 5505.I created static NAT rule for SIP traffic from internal server to the outside IP address.I created access rules on outside interface to forward port 5060 to internal PBX server (192.168.1.8)I also disabled sip packet inspection on the ASA.I'm still receiving a message from the PBX that the firewall is configured incorrectly.
[code]....
View 5 Replies
View Related
Aug 7, 2011
When I do an NMAP scan against my ASA 5505 on it's internal interface's IP address, it appears to be listening on all TCP ports. If I do it from across a VPN tunnel, the ports show as open according to NMAP, if I do the scan from the local subnet they show up as unknown. I'm running 8.0.4 code on this ASA.
View 1 Replies
View Related
May 14, 2012
We've read everything about inspecting SIP packets and allowing them to pass through on port 5060, the default SIP port. However, our setup requires the ASA 5505 to allow SIP on ports 5060, 5160 and 5260.
Is this possible with the ASA 5505? If it's not, it would be a blocking issue for us to move forward with ASA appliances. We are currently investigating in a lab environment and really having difficulties configuring it to facilitate full SIP functionality.
View 1 Replies
View Related
Oct 21, 2011
I am in search of a new routers. I don't have any special task to do. Just the flow of maximum 2mb/sec data and some times video conference. However I need the Voip solution as well. I just got excited on the cisco ASA 5505 product. Can this fulfill my requirements. Can this work as the router 1841. Does this support DMVPN, SSL VPN and dynamic routing. Can I upgrade the IOS for dynamic routing purpose. Do you recommend to purchase this produe act or not instead of router ? What are the limitations of this product. If I purchase this I can use this as an router as well as strong security solution. How many ports are available for traffic flow in ASA 5505. Are all routed mode or some of them switch port.
View 1 Replies
View Related
Jun 20, 2011
I am trying to open up 3 TCP ports in Cisco ASDM Launcher:
16000
16001
8098
And have a Cisco ASA 5505 Router. I need these ports open in order for a software that I have installed on the server to communicate with my local client computers for my business, The software is installed on Windows 2008 Server Standard Edition and was installed with MicrosoftSQL 2005. The software and Microsft SQL 2005 is pretty much installed and just requires this last step in order for the server to be connected to the local computers. In order to resolve this, I have gone to.
View 1 Replies
View Related
Oct 12, 2011
How to list ports open on Cisco ASA 5505 appliance? I have tried to see using Cisco ASDM launcher, but no luck.
View 1 Replies
View Related
Feb 25, 2011
I am used to setting up access-lists on outside interfaces with ip addresses that are static. I have recently been given a site that is using a dyndns.org client for name to ip address resolution on an outside interface that is dhcp assigned. I created an access-list to open up ports 41794 and 41795 to an engineering application but everytime I try to connect from the outside I get a syn timeout. The application works when inside the lan. Basically I want to allow outside connections from anywhere on the outside to go to ports 41794 and 41795. I am running a Cisco ASA 5505 on version 7.2(4) Below is my conifg. what I may have misconfigured?
: Saved:ASA Version 7.2(4)!names!interface Vlan1 nameif inside security-level 100 ip address 172.31.2.1 255.255.255.0!interface Vlan2 nameif outside security-level 0 ip address dhcp setroute!interface Ethernet0/0 switchport access vlan 2!interface
[Code].....
View 5 Replies
View Related
Jun 22, 2011
I'm stuck at asa 5505 nat, port forwarding configuration Here is what i need:
host1: 192.168.1.1 service tcp/100 >>>>> public ip 1.1.1.1 service tcp/100
host2: 192.168.1.2 service tcp/200 >>>>> public ip 1.1.1.1 service tcp/200
host3: 192.168.1.3 service tcp/300 >>>>> public ip 1.1.1.1 service tcp/300
So people from remote just need to use 1.1.1.1 public ip to access all the ports on three different inside server.I can do this on my old ASA 5505 with 8.0(4). Looks like there're lots of change from 8.0 to 8.4.
View 7 Replies
View Related
Jan 16, 2013
We have a client that has a Cisco 1801W Firewall that is setup as a site to site VPN terminating to a Cisco ASA 5505. The tunnel is up and established, I can ping from both sides of the tunnel.
The problem is the clients behind the Cisco ASA (192.168.2.x) cannot reach certain ports behind the Router (192.168.1.x). The main thing we're trying to do is browse via UNC path (ex: \192.168.1.120 from a 192.168.2.x machine).
I got 3389 working after I changed the - ip nat inside source static tcp 192.168.1.120 3389 y.y.x.x 3389 route-map DM_RMAP_1 extendable Modified the command to include the public IP instead of interface FastEthernet0
I believe it has something to do with the way NAT and route-maps are setup currently but I'm not familar enough with them to make the changes. I worked with Cisco to ensure the VPN tunnel was fine and it's something security related on the Router.
Here is the configuration (removed a few lines not necessary. y.y.x.x = WAN IP of Router x.x.y.y = WAN IP of ASA).
Building configuration...
Current configuration : 23648 bytes
!
version 12.4
no service pad
[Code].....
View 1 Replies
View Related
Oct 27, 2012
I'm preparing myself for CCNA exam and i started doing a lot of different examples. I've got problem with Packet Tracer when i'm trying to apply some security settings for the range of switch ports in default VLAN 1. I might just demonstrate my commands so it will be easier do understand.
View 2 Replies
View Related
Mar 17, 2011
Using CCP I am trying to create a NAT entry for a range of ports. CCP window for a new NAT has only one entry for the port #. Is it possible to set uf port ranges in 877 router?
View 2 Replies
View Related
Oct 14, 2012
I am new to the RV180W. I am running the most recent firmware--version 1.0.1.9.
I am having trouble getting FTP to work with my QNAP NAS.
QNAP indicates that I should forward ports 55536-56559 to my NAS. I created a custom service to accomplish this, and then, under port forwarding, I selected the service and forwarded it to the private IP that corresponds with the NAS.
However, the port forwarding configuration only allows me to specify *ONE* internal port. With other routers I have always specified the same private port *RANGE* that corresponds with the public ports that I have opened up.
View 11 Replies
View Related
Jun 28, 2012
I am trying to add a couple VOIP phone units that do not have their own router. They are designed to run of the existing router and have three ranges of UDP ports opened up. They also do not advise using internal (private) statics on the phones. So what they are asking for is three different ranges of UDP ports to be opened up to all behind the router?
I cannot figure out how to do this (or if it is possible) with a RV016.
View 4 Replies
View Related
Aug 27, 2012
So this is somewhat of a strange issue. I have a program called PeerGuardian 2 and it allows me to simplistically see the packets being sent to and from devices on my home network. It's showing that my computer is sending packets to random IP addresses, some of them reoccur, on a massive range of ports all going in order.
(example)
From 192.168.1.253:6812 - To 74.120.148.2:80
From 192.168.1.253:6813 - To 74.120.148.2:80
From 192.168.1.253:6814 - To 74.120.148.2:80
From 192.168.1.253:6815 - To 74.120.148.2:80
From 192.168.1.253:6816 - To 74.120.148.2:80
From 192.168.1.253:6817 - To 74.120.148.2:80
This happens in spurts and it usually sends 20-40 to varying IP addresses in a matter of a few seconds. I asked my ISP if they understood what this was and it stumped the technician I spoke with. I also have run multiple virus/malware scans and everything comes up clean.
View 2 Replies
View Related
May 14, 2013
Is there a way to associate spare firewall ports with another port that is being used..For example...int gi 0/2 is being used currently for my web dmz. Its ip is 192.168.10.1..Is there a way for me to associate gi 0/3 with the same layer 2 as gi 0/2 ?
In my webdmz I use 2 ACE 4710 proxys in FT mode. I used a layer 2 switch to connect firewall and proxys together.
I would like to eliminate this switch if possible..and connect both 4710's (layer 2) direct to firewall.If I could make gi0/2 - 4 part of the same vlan, then I would be good to go.
View 2 Replies
View Related
May 21, 2011
I wanted to move to the cisco arena, and having a bugger of a time figuring out simple nat/pat rules combined with access lists. I've been reading Richard Deal's Cisco ASA configuration book, googling the heck out of this simple problem and can't see what I'm missing.
I have an ASA 5505 unlimited security plus license running 8.2(3) and a simple network, 192.168.0.x internal, 192.168.3.x dmz (not even touching that yet!) and outside I have a /29 subnet of addresses, 25 is the gateway, and 26-30 are my addresses.
I have simple dynamic nat set up on the .26 address to nat to 192.168.0.x. All I'm trying to do is port forward a simple tcp port I set for my linux server (192.168.0.2) on the inside, for arguement's sake, it's 2222 (it's not really). My outside vlan 50 is X.X.X.226 255.255.255.248 , can I make a static nat (inside,outside) x.x.x.226 192.168.0.2 netmask 255.255.255.255 ?
I tried using (inside,outside) x.x.x.230 192.168.0.2 netmask 255.255.255.255 and that didn't work either. Is it not possible to use two external addresses to hit the entire /24 range AND a single server?
My access rule for this nat is permit tcp any 192.168.0.2 eq 2222 (where I'm using 2222 for my ssh port). then I apply that access list to the access group interface "outside".
I thought the outside interface would do a proxy arp (since I do not have the sysopt noproxyarp command) for my 227,228,229, and 230 addresses where .226 is my internal nat for all my internal machines i.e. 192.168.0.1 -> x.x.x.226 . I had this working like a charm before with my fortinet, so I know I have systems listening.
View 3 Replies
View Related
Dec 26, 2010
I need to open ports 25, 993, 995, 443 and 465 to setup MS-Exchange. I don't have an inhouse IT guy and this seems pretty straight-forward in theory but I can't figure it out I need to open ports 25, 993, 995, 443 and 465 to setup MS-Exchange.
View 5 Replies
View Related
Jul 11, 2011
There is a PIX firewall and it has this configured on it.static (inside,outside) tcp interface 3389 192.168.1.250 3389 netmask 255.255.255.255 0 0.This line of code works ok for port 3389 but I want all tcp ports to be translated. Not just 3389.
View 2 Replies
View Related
