
Issues connecting to remote site through ASA

Status
Not open for further replies.

Daveyd123

MIS
Aug 25, 2004
413
US
I am trying to connect to a remote IP (1.2.3.4 in this case) via port 3500 and am having issues. I used the following command on the ASA:

permit tcp object-group Internal_Networks 1.2.3.4 255.255.255.224 eq 3500

I test the connection by using telnet 1.2.3.4 3500
The connection does not establish.

Here are the logs:

6|Sep 12 2007|16:05:33|305011|192.168.0.201|MYFIREWALL|Built dynamic TCP translation from inside:192.168.0.201/3252 to outside(inside_pnat_outbound):MYFIREWALL/35076
6|Sep 12 2007|16:05:33|302013|1.2.3.4|192.168.0.201|Built outbound TCP connection 7895222 for outside:1.2.3.4/3500 (1.2.3.4/3500) to inside:192.168.0.201/3252 (MYFIREWALL/35076)
6|Sep 12 2007|16:05:35|302014|1.2.3.4|192.168.0.201|Teardown TCP connection 7895066 for outside:1.2.3.4/3500 to inside:192.168.0.201/3249 duration 0:00:30 bytes 0 SYN Timeout

I've verified that the remote site is allowing incoming connections on port 3500.

Any ideas?
 
You have to have a static along with an access-list

Static (inside,outside) tcp interface 3500 inside_ip 3500 netmask 3500

access-list inbound permit tcp any interface outside eq 3500

access-group inbound in interface outside
 
Don't know what happened, but that should be

Static (inside,outside) tcp interface 3500 192.168.0.201 3500 netmask 255.255.255.255
 
What is the purpose of the static? I need to allow access to the remote IP from all of our internal IPs [Internal_Networks]
 
Sorry, I was confused by your first post. I thought you wanted to connect to a machine behind your firewall remotely. If you are trying to connect to a machine outside your firewall and you don't have any access-lists blocking the traffic, then it is permitted by default.
 
No problem.

Yea, I need all of my internal IP addresses behind my firewall to be able to access a remote IP address [1.2.3.4] via port 3500. I do have that port blocked. So I have to open it. I opened it with the command...

permit tcp object-group Internal_Networks 1.2.3.4 255.255.255.224 eq 3500

But I am unable to establish a connection from an internal workstation using telnet 1.2.3.4 3500

The logs generated when trying to telnet to that port are posted above

 
Yea, only thing I allow from the inside to the outside are ports 80, 21, 443, 53 and some other ports that internal applications need
 
The key phrase in your first post is "SYN Timeout". Why is there a syn timeout?

The fact that the firewall is reporting a SYN timeout tells me the firewall is allowing this traffic and is creating a connection entry in the connection table.

From the workstation you telnet with do you have access to other resources on the internet?

What application is this for?

Have you tried to telnet from somewhere else?

My best bet is one of the following:

Your nat is jacked (Probably Not)

The distant end has a bad return route to your network (Possible)

You're supposed to be using UDP vs TCP (Probably Not)

The distant end has the port open but not to you (Are there any other firewalls in the path on their end?)


Are there any other ports that are supposed to be open that you can telnet to?


Free Firewall/Network/Systems Support-
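The reasoning above (a 302014 teardown with "bytes 0 SYN Timeout" means the ASA built the connection and the remote end never answered, whereas an ACL block would show up as a 106023 deny) can be turned into a small triage script. The following is an added example, not code from the thread; it parses the same pipe-delimited log format the original poster pasted. The sample lines are constructed for the example (the 1.2.3.9 deny line and its "inside_access_in" ACL name are invented), and the message IDs 302014 and 106023 are standard ASA syslog IDs.

```python
import re

# Constructed sample in the thread's pipe-delimited shape:
# severity|date|time|msgid|src|dst|message
SAMPLE_LOGS = """\
6|Sep 12 2007|16:05:33|305011|192.168.0.201|MYFIREWALL|Built dynamic TCP translation from inside:192.168.0.201/3252 to outside(inside_pnat_outbound):MYFIREWALL/35076
6|Sep 12 2007|16:05:33|302013|1.2.3.4|192.168.0.201|Built outbound TCP connection 7895222 for outside:1.2.3.4/3500 (1.2.3.4/3500) to inside:192.168.0.201/3252 (MYFIREWALL/35076)
6|Sep 12 2007|16:05:35|302014|1.2.3.4|192.168.0.201|Teardown TCP connection 7895066 for outside:1.2.3.4/3500 to inside:192.168.0.201/3249 duration 0:00:30 bytes 0 SYN Timeout
6|Sep 12 2007|16:06:03|302014|1.2.3.4|192.168.0.201|Teardown TCP connection 7895222 for outside:1.2.3.4/3500 to inside:192.168.0.201/3252 duration 0:00:30 bytes 0 SYN Timeout
4|Sep 12 2007|16:06:10|106023|192.168.0.201|1.2.3.9|Deny tcp src inside:192.168.0.201/3260 dst outside:1.2.3.9/3500 by access-group "inside_access_in"
"""

# 302014: connection torn down; the trailing reason tells us why.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<oif>\w+):(?P<oip>[\d.]+)/(?P<oport>\d+) to "
    r"(?P<iif>\w+):(?P<iip>[\d.]+)/(?P<iport>\d+) "
    r"duration (?P<dur>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)
# 106023: packet dropped by an access-group (the ACL is what blocked it).
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/\d+ '
    r'dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Split one pipe-delimited ASA log line into its seven fields, or None."""
    parts = line.split("|", 6)
    if len(parts) != 7:
        return None
    sev, date, time, msgid, src, dst, msg = parts
    return {"severity": int(sev), "time": f"{date} {time}",
            "msgid": msgid, "src": src, "dst": dst, "msg": msg}


def triage(log_text):
    """Map 'remote_ip:port' -> list of (verdict, detail) tuples.

    'allowed_but_no_reply': the ASA built the flow (so the ACL permitted it)
    and tore it down on SYN timeout with zero bytes, i.e. nothing came back
    from the far end.  'denied_by_acl': the named access-group dropped it.
    """
    verdicts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["msgid"] == "302014":
            m = TEARDOWN_RE.search(rec["msg"])
            if m and m.group("reason") == "SYN Timeout" and m.group("bytes") == "0":
                key = f"{m.group('oip')}:{m.group('oport')}"
                verdicts.setdefault(key, []).append(("allowed_but_no_reply", m.group("conn")))
        elif rec["msgid"] == "106023":
            m = DENY_RE.search(rec["msg"])
            if m:
                key = f"{m.group('dip')}:{m.group('dport')}"
                verdicts.setdefault(key, []).append(("denied_by_acl", m.group("acl")))
    return verdicts


if __name__ == "__main__":
    for target, hits in triage(SAMPLE_LOGS).items():
        for verdict, detail in hits:
            print(f"{target}: {verdict} ({detail})")
```

For the thread's own lines the script reports 1.2.3.4:3500 as "allowed_but_no_reply", which is exactly the point made above: the firewall is not the thing blocking, so the next place to look is routing, NAT or a filter on the far end.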
 
Thanks for the response. Definitely great info! Found it, it was a syntax problem. My tech told me that we needed to be able to access "24 IP addresses". So I set the range with a /27... In reality, the "24 IP addresses" were really a /24 *sigh*

I opened the entire range up and telnetting to that port worked. He was originally telnetting to an IP outside the /27 range.
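The root cause here (a /27 entered where a /24 was meant, so the tested host fell outside the ACE) is easy to check before touching the firewall. The following is an added example, not code from the thread, that takes an ACE in the shape the original poster used, works out which network the address/mask pair actually matches, and tests candidate destination addresses against it. The target address 1.2.3.40 is a constructed example of a host in 1.2.3.0/24 but outside 1.2.3.0/27.

```python
import ipaddress
import math
import re

# Matches the ACE shape from the thread:
#   permit tcp object-group <group> <dst_ip> <dst_mask> eq <port>
ACE_RE = re.compile(
    r"permit (?P<proto>\w+) object-group (?P<src>\S+) "
    r"(?P<dip>[\d.]+) (?P<dmask>[\d.]+) eq (?P<port>\d+)"
)


def ace_network(address, mask):
    """The network an 'address mask' pair really covers (host bits ignored).

    strict=False is what turns 1.2.3.4/255.255.255.224 into 1.2.3.0/27.
    """
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def ace_covers(address, mask, target):
    """True if target is inside the block the ACE matches."""
    return ipaddress.ip_address(target) in ace_network(address, mask)


def check_ace(ace, targets):
    """Parse an ACE line and report, per target, whether it would match.

    Returns (network_as_string, {target: bool}).  Raises ValueError if the
    line is not in the expected shape.
    """
    m = ACE_RE.search(ace)
    if not m:
        raise ValueError(f"unrecognised ACE: {ace!r}")
    net = ace_network(m.group("dip"), m.group("dmask"))
    return str(net), {t: ipaddress.ip_address(t) in net for t in targets}


def smallest_prefix_for_hosts(n):
    """Shortest block that holds at least n addresses.

    24 addresses need a /27 (32 addresses); a /24 holds 256.  This is the
    ambiguity that bit the original poster.
    """
    if n <= 1:
        return 32
    return 32 - math.ceil(math.log2(n))


if __name__ == "__main__":
    ace = "permit tcp object-group Internal_Networks 1.2.3.4 255.255.255.224 eq 3500"
    net, results = check_ace(ace, ["1.2.3.4", "1.2.3.40"])
    print(f"ACE matches {net}")
    for target, ok in results.items():
        print(f"  {target}: {'permitted' if ok else 'NOT matched'}")
    print(f"/27 holds {ace_network('1.2.3.4', '255.255.255.224').num_addresses} addresses")
    print(f"smallest block for 24 hosts: /{smallest_prefix_for_hosts(24)}")
```

Run against the posted ACE it shows 1.2.3.4 matching and 1.2.3.40 not, and that "24 hosts" and "/24" are different things: the former fits in a /27, the latter is 256 addresses.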
 