erickdrny
Technical User
- Feb 4, 2005
- 5
I need help badly here, I'm new to the cisco enviroment and the CLI, I've been trying to get this firewall to ward the ports 3389 for rdp and also ports 20 and 21 for ftp to the same machine, I've follow all the instructions, think I have giving all permissions but still nothing.
I don't know if it's because I'm not using DMZ zone or or I'm have static Ip from my ISP x.x.x.218 with netmask 255.255.255.248, the outside IP is x.x.x.218, any tips would be greatly apreciated, thanks for your help.
right now I am managing the device remotely, so I have the hppt access without any problems, but I can't access using telnet though.
Result of the command: "SH RUNNING-CONFIG"
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
domain-name default.domain
enable password /yB/dTCJeUBCqR7U encrypted
passwd /yB/dTCJeUBCqR7U encrypted
names
name x.x.x.19 OUTSIDE description OUTSIDE
name 10.1.0.4 AMCSERVER description INSIDE SERVER
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.18 255.255.255.248
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
boot system disk0:/disk0:/asdm-634.bin
boot system disk0:/asdm-634.bin
boot system disk0:/asdm-641.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OUTSIDE
host x.x.x.18
object network AMCSERVER
host 10.1.0.4
object network OUTSIDE-01
host x.x.x.19
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network amp
host x.x.x.219
object-group service FTP tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_1 tcp
group-object FTP
port-object eq 3389
port-object eq https
access-list OUT extended permit ip host 50.74.254.18 any
access-list out extended permit ip object OUTSIDE any
access-list OUTSIDE_ACCESS_IN extended permit tcp any interface outside eq 3389
access-list outside-entry extended permit tcp any object OUTSIDE eq 3389
access-list outside-entry extended permit tcp any object OUTSIDE eq ftp
access-list outside-entry extended permit tcp any object OUTSIDE eq ftp-data
access-list outside-entry extended permit tcp any object OUTSIDE eq smtp
access-list ACL_IN extended permit ip any any
access-list outside_access_in extended permit tcp any eq 3389 object AMCSERVER eq 3389
access-list outside_access_in extended permit tcp any object AMCSERVER object-group FTP
access-list outside_access_in extended permit tcp object amp eq telnet object OUTSIDE eq telnet
access-list outside_access_in extended permit tcp object amp object-group DM_INLINE_TCP_1 any
access-list outside_mpc extended permit tcp object amp eq telnet object OUTSIDE eq telnet
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
!
object network OUTSIDE
nat (inside,outside) static AMCSERVER service tcp 3389 3389
object network obj-10.1.0.0
nat (inside,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http x.x.x.128 255.255.255.128 outside
http x.x.x.219 255.255.255.255 outside
http x.x.x.20 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.1.0.0 255.255.255.0 inside
telnet x.x.x.219 255.255.255.255 outside
telnet timeout 5
ssh x.x.x.219 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd dns AMCSERVER
dhcpd lease 3000
dhcpd option 3 ip 10.1.0.1
!
dhcpd address 10.1.0.100-10.1.0.190 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password JptQHJ2xW4tQ5Yrz encrypted
!
class-map outside-class1
match port tcp range 3389 3389
class-map outside-class
match access-list outside_mpc
!
!
policy-map outside-policy
class outside-class
inspect http
class outside-class1
inspect http
!
service-policy outside-policy interface outside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4c6a1dc625caa5267307ee6b52f27f25
: end
I don't know if it's because I'm not using DMZ zone or or I'm have static Ip from my ISP x.x.x.218 with netmask 255.255.255.248, the outside IP is x.x.x.218, any tips would be greatly apreciated, thanks for your help.
right now I am managing the device remotely, so I have the hppt access without any problems, but I can't access using telnet though.
Result of the command: "SH RUNNING-CONFIG"
: Saved
:
ASA Version 8.3(2)
!
hostname ciscoasa
domain-name default.domain
enable password /yB/dTCJeUBCqR7U encrypted
passwd /yB/dTCJeUBCqR7U encrypted
names
name x.x.x.19 OUTSIDE description OUTSIDE
name 10.1.0.4 AMCSERVER description INSIDE SERVER
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.18 255.255.255.248
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
boot system disk0:/disk0:/asdm-634.bin
boot system disk0:/asdm-634.bin
boot system disk0:/asdm-641.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network OUTSIDE
host x.x.x.18
object network AMCSERVER
host 10.1.0.4
object network OUTSIDE-01
host x.x.x.19
object network obj-10.1.0.0
subnet 10.1.0.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network amp
host x.x.x.219
object-group service FTP tcp
port-object eq ftp
port-object eq ftp-data
object-group service DM_INLINE_TCP_1 tcp
group-object FTP
port-object eq 3389
port-object eq https
access-list OUT extended permit ip host 50.74.254.18 any
access-list out extended permit ip object OUTSIDE any
access-list OUTSIDE_ACCESS_IN extended permit tcp any interface outside eq 3389
access-list outside-entry extended permit tcp any object OUTSIDE eq 3389
access-list outside-entry extended permit tcp any object OUTSIDE eq ftp
access-list outside-entry extended permit tcp any object OUTSIDE eq ftp-data
access-list outside-entry extended permit tcp any object OUTSIDE eq smtp
access-list ACL_IN extended permit ip any any
access-list outside_access_in extended permit tcp any eq 3389 object AMCSERVER eq 3389
access-list outside_access_in extended permit tcp any object AMCSERVER object-group FTP
access-list outside_access_in extended permit tcp object amp eq telnet object OUTSIDE eq telnet
access-list outside_access_in extended permit tcp object amp object-group DM_INLINE_TCP_1 any
access-list outside_mpc extended permit tcp object amp eq telnet object OUTSIDE eq telnet
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
!
object network OUTSIDE
nat (inside,outside) static AMCSERVER service tcp 3389 3389
object network obj-10.1.0.0
nat (inside,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http x.x.x.128 255.255.255.128 outside
http x.x.x.219 255.255.255.255 outside
http x.x.x.20 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.1.0.0 255.255.255.0 inside
telnet x.x.x.219 255.255.255.255 outside
telnet timeout 5
ssh x.x.x.219 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd dns AMCSERVER
dhcpd lease 3000
dhcpd option 3 ip 10.1.0.1
!
dhcpd address 10.1.0.100-10.1.0.190 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password JptQHJ2xW4tQ5Yrz encrypted
!
class-map outside-class1
match port tcp range 3389 3389
class-map outside-class
match access-list outside_mpc
!
!
policy-map outside-policy
class outside-class
inspect http
class outside-class1
inspect http
!
service-policy outside-policy interface outside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4c6a1dc625caa5267307ee6b52f27f25
: end