Trying to replace a Linksys router/firewall ( BEFSR41 ) with a Cisco ASA5505 (ran out of ports and port forwarding capability - also would like to do more with network management and vpn but that's for later)
Linksys device was set to forward ports from one public IP address to multiple private IP addresses as below:
forward ports 5635-5636 tcp to 192.168.1.223
forward ports 5637-5638 tcp to 192.168.1.224
forward ports 5639-5640 tcp to 192.168.1.225
forward port 7011 tcp to 192.168.1.223
forward port 7013 tcp to 192.168.1.224
forward port 7015 tcp to 192.168.1.225
Config I currently have is below (with public IP's x'd out) and is not working.
xxx.xxx.xxx.1 is gateway (cable modem)
xxx.xxx.xxx.2 is ASA public IP
I am not by any stretch a PIX/ASA expert. Any help is much appreciated!
moria6
##########################################################
ASA Version 7.2(3)
!
hostname asa1
domain-name default.domain.invalid
enable password
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5635
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5636
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5637
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5638
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5639
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5640
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5641
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5642
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 7013
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 7015
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 7017
access-list inbound extended permit icmp any any
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any echo
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging console warnings
logging asdm informational
logging host inside 192.168.1.xxx
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp xxx.xxx.xxx.2 5635 192.168.1.223 5635 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5636 192.168.1.223 5636 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5637 192.168.1.224 5637 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5638 192.168.1.224 5638 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5639 192.168.1.225 5639 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5640 192.168.1.225 5640 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5641 192.168.1.226 5641 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5642 192.168.1.226 5642 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7013 192.168.1.223 7011 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7013 192.168.1.224 7013 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7015 192.168.1.225 7015 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7017 192.168.1.226 7017 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 0
!
!
prompt hostname context
##########################################################
Linksys device was set to forward ports from one public IP address to multiple private IP addresses as below:
forward ports 5635-5636 tcp to 192.168.1.223
forward ports 5637-5638 tcp to 192.168.1.224
forward ports 5639-5640 tcp to 192.168.1.225
forward port 7011 tcp to 192.168.1.223
forward port 7013 tcp to 192.168.1.224
forward port 7015 tcp to 192.168.1.225
Config I currently have is below (with public IP's x'd out) and is not working.
xxx.xxx.xxx.1 is gateway (cable modem)
xxx.xxx.xxx.2 is ASA public IP
I am not by any stretch a PIX/ASA expert. Any help is much appreciated!
moria6
##########################################################
ASA Version 7.2(3)
!
hostname asa1
domain-name default.domain.invalid
enable password
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5635
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5636
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5637
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5638
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5639
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5640
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5641
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5642
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 7013
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 7015
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 7017
access-list inbound extended permit icmp any any
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any echo
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging console warnings
logging asdm informational
logging host inside 192.168.1.xxx
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp xxx.xxx.xxx.2 5635 192.168.1.223 5635 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5636 192.168.1.223 5636 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5637 192.168.1.224 5637 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5638 192.168.1.224 5638 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5639 192.168.1.225 5639 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5640 192.168.1.225 5640 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5641 192.168.1.226 5641 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5642 192.168.1.226 5642 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7013 192.168.1.223 7011 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7013 192.168.1.224 7013 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7015 192.168.1.225 7015 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7017 192.168.1.226 7017 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 0
!
!
prompt hostname context
##########################################################