Need Help on Port Blocking in ASA

Dear All,
I have configured the firewall to allow only port 443 and deny all TCP ports for the destination, but when I scan from a port scanner it shows several TCP ports are enabled. I need your suggestion and help on how to block these TCP ports.
An early response is required.
Thanks

Hi,
I still don't know the ports that were supposedly open.
Though if that is the ACL you have bound to the "outside" interface on the ASA, then it should be blocking connections through the ASA for everything other than TCP/443 to a single destination IP address.
Then there are naturally the ASA's own services and the ports on which it is listening.
You can check that with the following command:
show asp table socket
Most likely the ports that are open on the ASA are the ones used for management purposes, those set with the following commands:
telnet
ssh
http
You also have the option to create an ACL that blocks all traffic to the ASA "outside" interface IP address. You can then attach it with the "access-group" command:
access-group in interface outside control-plane
This would limit the "to the box" traffic. Though the above-mentioned management commands "telnet", "ssh" and "http" would still override this ACL.
- Jouni
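A worked ASA configuration for the two policies described in the reply above, added here as an example and not part of the original thread. It assumes the interface is named "outside", the published server is 203.0.113.10, and the only host that should manage the ASA from outside is 198.51.100.5 (documentation addresses, not from the thread); the ACL names OUTSIDE_IN and OUTSIDE_CP are also chosen here. The point to check is which address the scanner was aimed at: an interface ACL only governs traffic passing through the ASA, while probes to the ASA's own outside address hit its listeners and are governed by the control-plane ACL and the management commands.

```cisco
! Added example, not from the thread. Assumed names and addresses:
! nameif "outside", published server 203.0.113.10, admin host 198.51.100.5.

! 1. Through-the-box policy: only TCP/443 to one server, everything else
!    dropped. An interface ACL ends in an implicit deny, but an explicit
!    deny with "log" makes the dropped probes visible in syslog.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! 2. To-the-box policy: the interface ACL above does not apply to traffic
!    addressed to the ASA's own outside IP, so a scan of that address still
!    reaches whatever the ASA itself listens on. A control-plane ACL filters
!    that traffic; "interface outside" matches the outside interface address.
access-list OUTSIDE_CP extended permit tcp host 198.51.100.5 interface outside eq 22
access-list OUTSIDE_CP extended deny ip any interface outside log
access-group OUTSIDE_CP in interface outside control-plane

! 3. Management listeners are enabled per interface by these commands. As
!    the reply above notes, hosts allowed here still reach the box even if
!    the control-plane ACL denies them, so restrict them to the admin host
!    and remove any wide-open entries such as "http 0.0.0.0 0.0.0.0 outside"
!    if they are present.
ssh 198.51.100.5 255.255.255.255 outside
no http 0.0.0.0 0.0.0.0 outside
no telnet 0.0.0.0 0.0.0.0 outside

! 4. Checks.
! What the ASA itself is listening on:
show asp table socket
! Management listeners still bound to "outside":
show run ssh | include outside
show run http | include outside
show run telnet | include outside
! Hit counts per ACE; the scanner's probes should land on the deny lines:
show access-list OUTSIDE_IN
show access-list OUTSIDE_CP
! Simulate a probe of the published server on TCP/22 from an arbitrary
! source; the trace should end with the OUTSIDE_IN deny and "Action: drop".
packet-tracer input outside tcp 192.0.2.77 40000 203.0.113.10 22
```

Run the checks after applying the change: `show asp table socket` lists the sockets the ASA itself has open, the hit counts in `show access-list` confirm the scanner's probes are reaching the deny entries, and `packet-tracer` names the rule that drops a given probe. If a port stays open on the outside address after this, it is almost always a `telnet`, `ssh` or `http` line bound to "outside" with a wide mask.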

Similar Messages

  • Need help with port mapping on Airport Utility 6.1

    I've been trying to port map on my TC with Airport Utility 6.1 and failing miserably. The port is still closed. Can anyone advise where I'm going wrong? I am trying to set up my home camera to be viewed from outside.
    I managed to key in the ports etc. under Network and Port Settings. But nothing works. I'm tearing my hair out.
    Any suggestions to try would be helpful.
    Thanks

    Use the 5.6 utility; it is much easier and I think works better. Although you cannot load 5.6 directly into 10.8, the version for Lion actually works fine.
    Download 5.6.
    http://support.apple.com/kb/DL1482
    Download unpkg
    http://www.macupdate.com/app/mac/16357/unpkg
    Open the AU 5.6 dmg and drag the pkg over the open unpkg; it will create the directory on the desktop. You can either run it from there or drag the utility to your Utilities directory.
    Take screen shots of each step. Post them here.
    That way we can tell you where it has gone wrong.
    What port exactly does the camera need open?
    How are you connecting remotely?
    i.e. do you have a fixed public IP? If not, how are you getting an IP?
    Is the TC the only router in the network? It is irrelevant unless the TC is the one and only router.

  • Need help identifying ports needed to access a website.

    I am trying to access the following site:
    Interactive mapping | City of Lawrence, Kansas
    At the bottom of the page is a button that states "I agree with the above disclaimer".
    When I press that button, I am redirected to this site:
    http://ims03.ci.lawrence.ks.us:10002/iisstart.htm
    I have added these rules:
    Source Interface: All
    Destination Interface: Public Interface
    Packet Type: MapSite Out
    Protocol: TCP
    Source Port: 1024-65535
    Destination Port: 10002
    Source Address: All
    Destination Address: 208.191.35.52
    Source Interface: All
    Destination Interface: Public Interface
    Packet Type: MapSite In
    Protocol: TCP
    Source Port: 10002
    Destination Port: 1024-65535
    Source Address: 208.191.35.52
    Destination Address: All
    I get a "Loading the viewer" text message, but then eventually get a 504 Gateway TimeOut error.
    If I drop the BorderManager Firewall...
    unload ipflt
    unload ipxflt
    unload filtserv
    then the site works just fine.
    I just can't seem to get the filter exceptions correct for this site.
    Any help would be appreciated.

    In article <[email protected]>, Cadd wrote:
    > Source Interface: All
    > Destination Interface: Public Interface
    > Packet Type: MapSite Out
    > Protocol: TCP
    > Source Port: 1024-65535
    > Destination Port: 10002
    > Source Address: All
    > Destination Address: 208.191.35.52
    >
    This looks good. TCP packets with dest. Port 10002 will be allowed to
    pass through BM only if they go from the private to the public
    interface, and only if they are addressed to 208.191.35.52. So far so
    good, but since you made this non-stateful, you have to add a return
    exception. (Easier for you to make another exception, like '10002-st'
    and just enable the stateful feature on it).
    Your goal in the next exception is to allow the replies to these
    outbound packets. Everything will be reversed in the exception for the
    replies - interfaces, ports and addresses.
    > Source Interface: All
    > Destination Interface: Public Interface
    > Packet Type: MapSite In
    > Protocol: TCP
    > Source Port: 10002
    > Destination Port: 1024-65535
    > Source Address: 208.191.35.52
    > Destination Address: All
    >
    This one is the problem. It only allows the 10002 replies (source
    port) from 208.191.35.52 if the reply is passing through the public
    interface second. You did not reverse the interfaces. The packet
    needs to go from public to private (or public to all if you have more
    than one private interface). This exception is not allowing the return
    in, which you would see if you have filter debug enabled looking at tcp
    discards. You would see ACK packets with source port 10002 being
    discarded.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Need help adding ports to my router.

    I have a Linksys WRT54GS Router. I am having an issue with Xbox Live and I was told by Xbox customer support to add the ports UDP 88, UDP 3674, and TCP 3074. The problem is that I have no idea how to do this. I am at the Applications & Gaming tab of the Router page (192.168.1.1), I just don't know where to put the numbers. Any help is greatly appreciated.

    First, set up a static IP address on the XBOX. I can't tell you how to do that. Check the manual. Currently the XBOX is probably on "automatic IP address" or "DHCP" or whatever they have called it. Set up a static IP address and use these numbers on the XBOX:
    IP Address 192.168.1.50
    Subnet Mask 255.255.255.0
    Default Gateway 192.168.1.1
    DNS 192.168.1.1
    If the XBOX has some Status pages to check the current IP address verify that you have those values after the change. Also verify you have a working internet connection on the XBOX.
    Now the port forwarding. I assume it looks something like this demo UI. For port UDP 88 enter
    Application udp88
    Start 88
    End 88
    Protocol UDP
    IP address 192.168.1.50
    Enable SET
    Do similar with all other ports. The application name is only a descriptive text for you. You can enter anything you like, but keep it short and simple and don't use special characters in the name. The above "udp88" is O.K.
    Don't forget to save the settings at the end.

  • Need help: wired ports cycling (no, 10M, 100M)...

    I have the WRTP54G purchased as part of a Vonage package. It has been working great for the last 7 months. Just recently, I had an issue with a laptop wired connection, where all of the 4 wired ports cycle about every 2-3 seconds through no connect, 10M, 100M. I've tried the laptop & CAT-5 (short) cable on another router and it works fine. Also, I have no problems with the wireless access port from another laptop. And, no issues with the Vonage phone port. I've tried power down as well as the reset button and no change. Accessing the admin page, I don't see anything related to ENET port changes/configs to try. Anyone seen this and have any suggestions? As a last resort I'll get a replacement (does anyone know the warranty period?) Thanks!

    Acabanave, thanks for the suggestion. I tried a different computer, same results. I'll check on the firmware. When I looked into this before, it was at the latest version. Since this is a Vonage-based router, I don't believe I have access to firmware updates without them pushing it. I'll bet I have "bum" HW for these ports (I was trying to remember if we had any t-storms in the area before it went out, but I don't think so... I lost a previous Linksys box due to lightning. I have a heavy-duty surge suppressor on the cable and power lines... but you never know about Mother Nature :-) Guess I need to check the warranty period on the box. I've had it since August with no issues until now.

  • Need help: diagonal artifact blocks problem

    I just bought a new MSI 9800 PRO TD128SP and I'm having a problem in all games and applications that use any 3d.
    There are diagonal artifacts of blocks throughout the entire screen, and I can't find a way to correct this.
    Here is a small image of what it looks like :
    It is not necessarily the best image but the pattern is repetitive and diagonal...
    Does someone know what is the problem ? Does the card have a dead pipeline ? Or is it something else ?
    Thanks for your input
    Here are my specs by the way:
    AMD64 3000+
    Asus K8V-SE Deluxe
    Antec Sonata /w 380watt PSU
    2x512meg Kingston PC3200
    200gigs Seagate SATA
    No overclocking

    Sounds like the card is bad. Mine had similar problems after a month of use. It was the R360 core green card. I RMA'd it and got back another green card with the R350 core and have had no problems so far. I do not overclock either. The performance seems to be about the same, though I've been told the R360 is supposed to have a slight edge in performance and graphics quality. My guess is that the damage is most likely due to heat. These cards tend to run pretty hot and you may need to check your ventilation and get more airflow. Maybe you had a bad core to start with as, from what I'm told, the R360s on the Pros are cores that couldn't meet XT specs (which is why they show up as XT). So maybe you got a bad one in the batch. I know your specs say no overclocking but did you ever OC it at all? If so maybe that damaged it. Could also be possible static damage from the installation.
    Those are my guesses.  I would RMA it but that could take up to a month to get the new one.  Mine took a while.  I had to email them after the card sat in processing for a few weeks and then I had a tracking number the next day.  So if it's going slow and you get impatient like I did just send a friendly email asking for an update and maybe you'll have similar luck.  That's what I did.
    Maybe try getting some better airflow first or just RMA it if you think you have enough.  Just know that you might get a different model of the same card back.
    Good luck
    zig

  • Need help with port forwarding an Avtech DVR

    For some reason I can't get my Avtech DVR to work on my Android phone in Avtech's Eagle Eyes app.
    The camera/DVR comes up on wifi, but not on 4G. I am trying to get the port forwarding to work, but it's not working. It says the IP address is not accessible.
    The port for the DVR is 80. This is what I have. I thought it was correct?
    I have a Westell 9100EM router.

    Thought I'd post an update to this. I fixed it. I had to change ports on my dvr.

  • Need help with iPhone VPN non-ASA

    I am a network hobbyist. I am trying to set up my home router so my family can VPN to the house with our iPhones and iPads. I have tried to figure this out several times on my own and for some reason I can not get the policies to match.
    At this point I am looking to start from scratch as my current config is pretty sloppy from trying many different methods.
    Here is my setup
    [cable modem] <==> [c1841] <==> [8 port switch]
    Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 15.1(4)M, RELEASE SOFTWARE (fc1)
    So I am using NAT, and I do want to have 3-4 external devices able to connect to the VPN without a static IP on the roaming end. The 1841 does have a static IP.
    I am looking for the method that will work best in this setup.
    Thanks.
    Bryan

    OK, I have set my Mac up to connect to the VPN using straight Cisco IPsec in my System Preferences.
    This is a small section of the debug log from the 1841.
    .Sep 20 12:22:13.517 EDT: ISAKMP:(0):Checking ISAKMP transform 5 against priority 4 policy
    .Sep 20 12:22:13.517 EDT: ISAKMP:      life type in seconds
    .Sep 20 12:22:13.517 EDT: ISAKMP:      life duration (basic) of 3600
    .Sep 20 12:22:13.517 EDT: ISAKMP:      encryption 3DES-CBC
    .Sep 20 12:22:13.517 EDT: ISAKMP:      auth XAUTHInitPreShared
    .Sep 20 12:22:13.517 EDT: ISAKMP:      hash SHA
    .Sep 20 12:22:13.517 EDT: ISAKMP:      default group 2
    .Sep 20 12:22:13.517 EDT: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
    At that point the encryption seems to match but something else does not. I have double and triple checked that the pre-shared key is exact on both ends.

  • Need help with porting from Java 1.1 to 1.4

    One of our applications is an applet and we're in the process of upgrading its version of Java from 1.1 to 1.4. For the most part, the upgrade has gone smoothly, but we are having two big problems. The first problem is that the list objects on one of the windows resize when a mouse event occurs on the Tabbed Panel it sits on. The list object is made from a Symantec class called MultiList. The list actually shrinks so that the data on it can hardly be seen.
    The other problem is that when dispose() is called on all of the windows, an "IllegalStateException: Cannot dispose InputContext while it's active" error occurs.

    If you people have nothing good to say, please do the
    rest of us in the forum(s) a favor and don't say
    anything at all.
    Also, do not assume that threads are posted because
    people are lazy and haven't researched their
    problem(s).
    People post threads in these forums looking for help,
    not abuse.

    What are you talking about?
    If the original poster disregarded my advice and searched the bug database as indicated, they would have found the answer to their question. I know. I had the same problem and solved it by using the workaround I found in the bug database.
    I would say it was very helpful advice.

  • HT5312 I need help! My Apple ID is blocked; I answered the security question and it blocked. What can I do?

    I need help to unblock my Apple ID

    You might be able to re-enable it via this page : http://appleid.apple.com, then 'reset your password'
    You might then need to log out of your account on your iPad by tapping on your id in Settings > iTunes & App Store and then log back in so as to 'refresh' the account on it.
    For your security questions, the HT5312 page that you posted from has instructions for how to reset them i.e. if you have a rescue email address (which is not the same thing as an alternate email address) on your account then steps 1 to 5 half-way down that page should give you a reset link.
    If you don't have a rescue email address (you won't be able to add one until you can answer your questions) then you will need to contact Support in your country to get the questions reset.
    Contacting Apple about account security : http://support.apple.com/kb/HT5699 (you can also try this link if you can't get your account enabled via the above)
    When they've been reset (and if you don't already have a rescue email address) you can then use the steps half-way down the HT5312 page that you posted from to add a rescue email address for potential future use

  • Need help with ASA 5512 and SQL port between DMZ and inside

    Hello everyone,
    Inside is on gigabitEthernet0/1 ip 192.9.200.254
    I have a dmz on gigabitEthernet2 ip 192.168.100.254
    I need to pass port 443 from outside to dmz ip 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network. 
    I believe this will work for port 443:
    object network dmz
    subnet 192.168.100.0 255.255.255.0
    object network webserver
    host 192.168.100.80
    object network webserver
    nat (dmz,outside) static interface service tcp 443 443
    access-list Outside_access_in extended permit tcp any object webserver eq 443
    access-group Outside_access_in in interface Outside
    However...How would I open only port 1433 from dmz to inside?
    At the bottom of this message is my config if it helps.
    Thanks,
    John Clausen
    Config:
    : Saved
    ASA Version 9.1(2) 
    hostname ciscoasa-gcs
    domain-name router.local
    enable password f4yhsdf.4sadf977 encrypted
    passwd f4yhsdf.4sadf977 encrypted
    names
    ip local pool vpnpool 192.168.201.10-192.168.201.50
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 123.222.222.212 255.255.255.224 
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.9.200.254 255.255.255.0 
    interface GigabitEthernet0/2
     nameif dmz
     security-level 100
     ip address 192.168.100.254 255.255.255.0 
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    ftp mode passive
    dns server-group DefaultDNS
     domain-name router.local
    object network inside-subnet
     subnet 192.9.200.0 255.255.255.0
    object network netmotion
     host 192.9.200.6
    object network inside-network
     subnet 192.9.200.0 255.255.255.0
    object network vpnpool
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.168.201.0_26
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.9.200.0_24
     subnet 192.9.200.0 255.255.255.0
    access-list outside_access_in extended permit icmp any4 any4 log disable 
    access-list Outside_access_in extended permit udp any object netmotion eq 5020 
    access-list split standard permit 192.9.200.0 255.255.255.0 
    access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0 
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
    nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
    object network netmotion
     nat (inside,outside) static interface service udp 5020 5020 
    nat (inside,outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.9.200.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.9.200.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes128-sha1 3des-sha1
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
     anyconnect enable
     tunnel-group-list enable
    group-policy SSLVPN internal
    group-policy SSLVPN attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ssl-client 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value router.local
    group-policy VPNT internal
    group-policy VPNT attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ikev1 l2tp-ipsec 
     split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNT_splitTunnelAcl
     default-domain value router.local
    username grimesvpn password 7.wersfhyt encrypted
    username grimesvpn attributes
     service-type remote-access
    tunnel-group SSLVPN type remote-access
    tunnel-group SSLVPN general-attributes
     address-pool vpnpool
     default-group-policy SSLVPN
    tunnel-group SSLVPN webvpn-attributes
     group-alias SSLVPN enable
    tunnel-group VPNT type remote-access
    tunnel-group VPNT general-attributes
     address-pool vpnpool
     default-group-policy VPNT
    tunnel-group VPNT ipsec-attributes
     ikev1 pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect ip-options 
      inspect icmp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
    : end

    Hi Vibor. Apologies if my comment was misunderstood. What I meant to say was that the security level of the dmz interface should probably be less than 100.
    And therefore traffic could be controlled between the DMZ and inside networks.
    As per the security level on the DMZ interface ....... that command is correct. :-)
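    To make the reply concrete, here is an added example (not from the thread) of controlling DMZ-to-inside traffic once the dmz security level is lowered. It keeps the poster's interface names and the webserver (192.168.100.80) and inside-network (192.9.200.0/24) objects from the posted config, and assumes the SQL Server sits at 192.9.200.20, an address the thread does not give; DMZ_IN and sqlserver are names chosen here. One caveat on the 443 part of the question: the posted config has "webvpn" with "enable outside", so the ASA itself already listens on TCP/443 of the outside address for AnyConnect, and a static PAT of interface port 443 to the web server collides with that listener; either move AnyConnect with the "port" command under "webvpn" or publish the web server on a spare public address.

    ```cisco
    ! Added example, not from the thread. Assumes the SQL Server is 192.9.200.20
    ! (hypothetical); webserver and inside-network are objects from the posted config.

    ! 1. Make dmz less trusted than inside. At 100/100 the two interfaces are
    !    peers and need "same-security-traffic permit inter-interface" to talk
    !    at all; with dmz lower, dmz-to-inside is denied by default and
    !    inside-to-dmz is permitted by default.
    interface GigabitEthernet0/2
     security-level 50

    ! 2. State exactly what the web server may initiate toward inside.
    object network sqlserver
     host 192.9.200.20
    access-list DMZ_IN extended permit tcp object webserver object sqlserver eq 1433
    ! Binding an ACL to dmz replaces the default level-based behaviour with the
    ! ACL's implicit deny, so log anything else that tries to reach inside and
    ! keep the rest of the DMZ's outbound traffic (DNS, updates) working.
    access-list DMZ_IN extended deny ip any object inside-network log
    access-list DMZ_IN extended permit ip 192.168.100.0 255.255.255.0 any
    access-group DMZ_IN in interface dmz

    ! No NAT rule is needed for dmz-to-inside: the posted config's NAT rules
    ! are all (inside,outside) and the proposed web server rule is (dmz,outside),
    ! so this path is routed unchanged.

    ! 3. Checks. The first trace should end in "Action: allow", the second in
    !    "Action: drop" on the DMZ_IN deny; the third walks the published 443
    !    flow through the static PAT on the outside interface address.
    packet-tracer input dmz tcp 192.168.100.80 50000 192.9.200.20 1433
    packet-tracer input dmz tcp 192.168.100.80 50000 192.9.200.20 445
    packet-tracer input outside tcp 192.0.2.77 40000 123.222.222.212 443
    show access-list DMZ_IN
    ```

    Lowering the level alone changes only the defaults (everything from dmz to inside becomes denied); the ACL is what narrows it back to the single SQL port, and the hit counts in `show access-list DMZ_IN` show whether the web server is actually using that path or something else in the DMZ is knocking on inside.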

  • I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

    I need help configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
    I have attempted to configure RDP access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do it step by step as I could use all the help I can get.
    I need to allow the following IP addresses to have RDP access to my server:
    66.237.238.193-66.237.238.222
    69.195.249.177-69.195.249.190
    69.65.80.240-69.65.80.249
    My external WAN server info is - 99.89.69.333
    The internal IP address of my server is - 192.168.6.2
    The other server shows up as 99.89.69.334 but is working fine.
    I already added one server for static route and RDP, but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
    THE FOLLOWING IS MY CONFIGURATION FILE
    Also I have modified the IP information so that it's not the ACTUAL IP info for my server/network etc... lol, for security reasons of course.
    Also, the bolded lines are the modifications I made but that aren't working.
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password DowJbZ7jrm5Nkm5B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.89.69.233 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group network EMRMC
    network-object 10.1.2.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.11.0 255.255.255.0
    network-object 172.16.0.0 255.255.0.0
    network-object 192.168.9.0 255.255.255.0
    object-group service RDP tcp
    description RDP
    port-object eq 3389
    object-group service GMED tcp
    description GMED
    port-object eq 3390
    object-group service MarsAccess tcp
    description MarsAccess
    port-object range pcanywhere-data 5632
    object-group service MarsFTP tcp
    description MarsFTP
    port-object range ftp-data ftp
    object-group service MarsSupportAppls tcp
    description MarsSupportAppls
    port-object eq 1972
    object-group service MarsUpdatePort tcp
    description MarsUpdatePort
    port-object eq 7835
    object-group service NM1503 tcp
    description NM1503
    port-object eq 1503
    object-group service NM1720 tcp
    description NM1720
    port-object eq h323
    object-group service NM1731 tcp
    description NM1731
    port-object eq 1731
    object-group service NM389 tcp
    description NM389
    port-object eq ldap
    object-group service NM522 tcp
    description NM522
    port-object eq 522
    object-group service SSL tcp
    description SSL
    port-object eq https
    object-group service rdp tcp
    port-object eq 3389
    access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
    access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
    access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
    access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
    access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
    access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
    access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.6.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 68.156.148.5
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    tunnel-group 68.156.148.5 type ipsec-l2l
    tunnel-group 68.156.148.5 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
    : end
    ciscoasa(config-network)#

    Unclear what did not work.  In your original post you said some commands were added but don't work:
    static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
    and later you state you add another command that gets an error:
    static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
    You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
    The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
    Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.
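    The three static forms the reply above distinguishes, written out as an added example (not the poster's configuration) in the pre-8.3 `static` syntax the config dump uses; the addresses 203.0.113.10 (a second public IP), 198.51.100.0/24 (the only network allowed to reach RDP) and the host 192.168.6.3 are placeholders, not values from the thread.

```cisco
! Added example, pre-8.3 ASA NAT syntax (same generation as the dump above).
! Placeholders: 203.0.113.10 = dedicated public IP, 198.51.100.0/24 = the
! only source network that should reach RDP. Substitute your own values.

! Case 1: a host with its own public IP and the same port inside and out.
! Plain one-to-one static NAT is enough; no protocol or port is needed
! because nothing about the port is being translated.
static (inside,outside) 203.0.113.10 192.168.6.1 netmask 255.255.255.255

! Case 2: publishing a port on the outside interface's own address.
! The "interface" keyword is required; spelling out the interface's IP
! is the form the reply says the ASA rejects.
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255

! Case 3: static PAT proper, where the outside port differs from the inside
! port (TCP/33389 on the outside reaches TCP/3389 on a hypothetical 192.168.6.3).
static (inside,outside) tcp interface 33389 192.168.6.3 3389 netmask 255.255.255.255

! Whatever form is used, the inbound ACL still decides who can reach the
! published port. Naming the source network instead of "any" keeps RDP
! from being reachable from the whole Internet.
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 interface outside eq 3389
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 interface outside eq 33389
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 3389
access-group outside_access_in in interface outside
```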

  • Need help w/ setting up ports to run a server for America's Army

    Need help w/ setting up ports to run a server for America's Army. I read what you need to change for the ports but I don't understand what to put. Here is what the site says:
    Q: How do I run my own server?
    A: Quick and dirty server info:
    1. Edit RunServer.bat to change the map.
    2. Run RunServer.bat
    Or:
    server.exe LAN MAPNAME.aao (Host a LAN game)
    server.exe global MAPNAME.aao (Host a Public game)
    Also: When you create a server setup and want to allow other users to join your server, you need to make sure the following ports are open for outgoing and incoming traffic in your firewall: 1716 (UDP), 1717 (UDP), 20025-20045 (TCP), and 20047 (TCP). Failure to open these ports will prevent the server from accepting connections from other players or prevent other players from being able to see your server online.
    There are several settings that also need to be defined in your server configuration INI file (in the Windows version, these files are located in “My Documents\America’s Army Server Settings\{settings file name}.ini”).
    [Engine.GameEngine]
    ServerActors=Andromeda.AndromedaMBS
    [Andromeda.Andromeda]
    GameServerIp=
    Make sure that you set the actual IP address of the America's Army Server under GameServerIp= (for example, "GameServerIp=000.000.000.000"). The supplied address must be your actual internet IP address. If this is left blank or you supply the IP address for your internal network (such as 192.168.0.x), your server will not be able to accept connections from the internet.
    If your server.ini file contains the setting shown below, please change the QueryPort setting to 20025. This setting can also be removed, as the default setting is port 20025.
    [Andromeda.AndromedaMBS]
    QueryPort=20025
    Punkbuster user fix correction.
    If [Engine.GameEngine] block has been changed to read as below:
    [Engine.GameEngine]
    ServerActors=IPDrv.AndromedaMBS
    Please add the following block to your INI file:
    [IpDrv.AndromedaMBS]
    QueryPort=20025
    (Last Updated: 2006-04-20)

    Your images are not stored in the catalog. They are stored in folders on your computer. If you imported images that were already on your computer using the "Add" Option they are still in that same folder. If you imported images from your camera then they are in the folders that you specified when you imported. The catalog points to those images wherever they are located, and records all of the adjustments that you make to the image. When you send an image to Photoshop for further editing and save that image in Photoshop, it is normally saved back in the same folder as the original image.
    Images are not "saved" in Lightroom. The basic default workflow in Lightroom is to store all of the adjustments in the catalog, leaving the original image completely unmodified. The catalog becomes the central controlling mechanism. It is a database that contains pointers to where the images are located and a record of all adjustments made to those images using Lightroom. Properly managed, you only have those original master files and secondary files for the ones that you have sent to Photoshop for further adjustment. When you want to provide a copy for someone else, you use the export dialogue for that purpose. I often export JPEG images to share with others or to post on the web. After I have used the JPEG for its intended purpose I delete it.

  • How can I delete my old iCloud account because I forgot my password and my email has been blocked. Please I need help urgently

    How can I delete my old iCloud account because I forgot my password and my email has been blocked. Please I need help urgently

    Contact the Apple account security team for assistance resetting your password: Apple ID: Contacting Apple for help with Apple ID account security.

  • I need help authenticating my outgoing server settings in setting up my work email on my Galaxy S5.  It says unable to authenticate or connect to server and I even called helpdesk at my email support and they tried every possible port (80, 25, 3535 or 465

    I need help authenticating my outgoing server settings in setting up my work email on my Galaxy S5.  It says unable to authenticate or connect to server and I even called helpdesk at my email support and they tried every possible port (80, 25, 3535 or 465 SSL) and none of them work. Please help!

    You will need to get the required info to create/access the account with an email client from your school.
    Are you currently accessing the account with an email client on your computer - if you have a Mac with the Mail.app, or if you have a PC with Outlook Express, etc.? If so, you can get the required account settings there.
