Issue with ASA port forwarding

Xertzski — Fri, 21 Feb 2020 14:30:15 GMT

Hi guys,

Firstly, please shoot me down if I'm being a moron. Secondly, it's my first time posting, so please point me in the right direction if I'm asking this in the wrong place!

I've seen this asked before, however, I can't seem to find a post that matches my issue and all of the similar solutions haven't worked so far!

So, I'm trying to manage a switch on my internal network through SSH externally. I was hoping to be able to add a NAT rule to translate port 22 internally to port 4444 (For example) externally. I've created an object with the host IP address, and I think I added the port translation correctly. I then created an ACL to allow this, but it doesn't seem to be working.

TL;DR: I want to be able to manage 172.25.0.2 externally with SSH and I'm about to pull my hair out, as my exposure to ASAs is limited at best!

I've included the config below with the necessary stuff removed (And some unnecessary!). If possible I'd really appreciate a breakdown of where I'm going wrong. I'd love to learn more about this stuff rather than just jam in lines to the CLI that someone on the internet said would fix my problem!

Thanks in advance.

!
interface GigabitEthernet1/1
description WAN Interface
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/2
description Staff Interface
nameif inside
security-level 100
ip address x.x.x.x 255.255.255.0
!
interface GigabitEthernet1/3
description Guest Access Interface
nameif Guest
security-level 100
ip address x.x.x.x 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network xxxx
subnet x.x.x.x 255.255.252.0
description Range1
object network xxxx
subnet x.x.x.x 255.255.252.0
description Range2
object network xxxx
subnet x.x.x.x 255.255.248.0
object network xxxx
subnet x.x.x.x 255.255.248.0
object network xxxx
subnet x.x.x.x 255.255.252.0
object network xxxx
subnet x.x.x.x 255.255.252.0
object network xxxx
subnet x.x.x.x 255.255.252.0
object network Cisco3650Switch
host 172.25.0.2
object-group network xxxx
description VOIP Provider
network-object object xxxx
network-object object xxxx
network-object object xxxx
network-object object xxxx
network-object object xxxx
network-object object xxxx
object-group service VoIP-MobileApp
service-object tcp destination range 5090 5091
service-object udp destination range 50000 59999
service-object tcp-udp destination eq 5097
service-object udp destination range 60000 64999
service-object tcp destination eq 5091
service-object udp destination eq 5099
service-object tcp destination eq https
object-group service VoIP-Softphone
service-object udp destination range 50000 59999
service-object tcp-udp destination eq 5097
service-object udp destination range 60000 64999
service-object udp destination eq 5099
service-object tcp-udp destination eq 5091
object-group network xxxx
description IPs for Remote Management
network-object host x.x.x.x
network-object host x.x.x.x
network-object host x.x.x.x
network-object host x.x.x.x
network-object host x.x.x.x
network-object x.x.x.x 255.255.255.252
access-list VOIP_OUT extended permit ip 172.25.0.0 255.255.255.0 object-group xxxx
access-list VOIP_Inbound extended permit ip object-group xxxx 172.25.0.0 255.255.255.0
access-list outside_access_in remark Allow access to Internal Switch
access-list outside_access_in extended permit tcp object-group xxxx object Cisco3650Switch eq ssh
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu inside 1500
mtu Guest 1500
mtu FirepowerAccess 1500
mtu Backup 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
nat (Guest,outside) source dynamic any interface
!
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
http server enable
http x.x.x.x 255.255.254.0 inside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
http x.x.x.x 255.255.255.255 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
!
telnet timeout 5
no ssh stricthostkeycheck
ssh x.x.x.x 255.255.255.252 outside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.255.255 outside
ssh x.x.x.x 255.255.254.0 inside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 172.25.0.20-172.25.0.250 inside
dhcpd dns 75.75.75.75 8.8.8.8 interface inside
dhcpd lease 43200 interface inside
dhcpd enable inside
!
dhcpd address 10.1.0.20-10.1.0.250 Guest
dhcpd dns 75.75.75.75 8.8.8.8 interface Guest
dhcpd lease 14400 interface Guest
dhcpd enable Guest
!
priority-queue outside
queue-limit 800
tx-ring-limit 15
priority-queue inside
queue-limit 800
tx-ring-limit 15
dynamic-access-policy-record DfltAccessPolicy
username xxxx password xxxx
username xxxx password xxxx
!
class-map VOIP
match dscp ef
class-map VOIP_INBOUND
match access-list VOIP_Inbound
class-map icmp-class
match default-inspection-traffic
class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
class-map VOIP_IPs
match access-list VOIP_OUT
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map VOIP_priority_Inbound
class VOIP_INBOUND
priority
policy-map VOIP_priority
class VOIP
priority
class VOIP_IPs
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
class icmp-class
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
service-policy VOIP_priority interface outside
service-policy VOIP_priority_Inbound interface inside
prompt hostname context
no call-home reporting anonymous

Re: Issue with ASA port forwarding

Flavio Miranda — Mon, 16 Oct 2017 17:58:34 GMT

Hello @Xertzski

I am missing some config like this:

nat (inside,outside) source static real_IP mapped_IP service real_port mapped_port

You can refer to this guide:

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

-If I helped you somehow, please, rate it as useful.-

Re: Issue with ASA port forwarding

Xertzski — Mon, 16 Oct 2017 18:54:33 GMT

Hi Flavio,

Thanks for you quick and constructive response!

My bad on the config part! I seem to have given you the backup I took prior to having a stab at this one!

I have currently:

object network Static3650
nat (inside,outside) static interface service tcp ssh 4444

The article you linked was actually the one I followed originally, however with little luck!

I was hoping someone may be able to idiot check my config, but it seems the idiot check failed at the part where I forgot to include any actual config!

Any further assistance would be greatly appreciated.

Re: Issue with ASA port forwarding

Flavio Miranda — Mon, 16 Oct 2017 19:03:11 GMT

No problem. Try to run a packet tracer on ASA and see if the problem is NAT or permission.

Also start an capture on the interface to see packet back and forth.

Re: Issue with ASA port forwarding

Xertzski — Mon, 16 Oct 2017 19:23:08 GMT

I'll have a crack at that packet capture tomorrow. I've been up too long and my brain is fried tonight!

Thanks again.

topic Re: Issue with ASA port forwarding in Network Security

Issue with ASA port forwarding

Re: Issue with ASA port forwarding

Re: Issue with ASA port forwarding

Re: Issue with ASA port forwarding

Re: Issue with ASA port forwarding