topic Something like the in Network Security

PAT multiple ports to outside interface IP?

slug420 — Tue, 12 Mar 2019 09:02:55 GMT

old school PIX ASAer here who is lost in the new code 🙂

I am setting up an ASA running 9.4.4 and trying to use port forwarding with the outside interface IP address to forward the necessary ports to a video conferencing server.

It seems as though there are 2 places to do NAT..one is within a specific host object, the other is at a "global" level like you used to with statics or nat/global.

It also seems that in order to forward ports on the outside interface...I have to apply the NAt within the network object. I was able to to this with a single port....but I need to forward groups of ports/services.

443

TCPandUDP1719/1720

TCPandUDP50000-50499

and so on.

how can I do this? the NAT configuration line within the network object configuration doesnt seem to want to let me use service/port groups or even ranges?

Something like the

Marvin Rhoads — Sun, 12 Mar 2017 06:34:51 GMT

Something like the configuration below should work. In summary, we:

a. define the service objects

b. make a group of the services

c. define the server (network object)

d. make a NAT rule combining the above

e. make an access-list (or an additional access list entry if the ACL already exists) and

f. apply the access-list inbound for traffic ariving at the outside interface

object service VTC_udp_ports_1
  service udp source range 1719 1720 
object service VTC_udp_ports_2
  service udp source range 50000 50499
object service VTC_tcp-ports_1
  service tcp source range 1719 1720 
object service VTC_tcp_ports_2
  service tcp source range 50000 50499
object service SSL-TLS
 service tcp destination eq https 
object-group service VTC_Services
 description Needed from outside inbound to VTC server
 service-object object VTC_udp_ports_1
 service-object object VTC_udp_ports_2
 service-object object VTC_tcp_ports_1
 service-object object VTC_tcp_ports_2
 service-object object SSL-TLS
object network VTC_Server
 host <server real IP address>

nat (inside,outside) source static VTC_Server interface service VTC_Services VTC_Services

access-list outside_access_in extended permit object-group VTC_Services any object VTC_Server

access-group outside_access_in in interface outside

Let me know if that helps.

Based in part on the following document:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

the problem with articles

slug420 — Sun, 12 Mar 2017 14:29:26 GMT

the problem with articles like that is when they show how to do static PAT, they are doing it for a single port, and doing so within the network object.

The NAT statements I had in place were already similar to what you are proposing...

nat (inside,outside) source static yealink interface service YeaLink-1719-UDP YeaLink-1719-UDP
nat (inside,outside) source static yealink interface service YeaLink-1720-TCP YeaLink-1720-TCP
nat (inside,outside) source static yealink interface service YeaLink-HTTPS YeaLink-HTTPS
nat (inside,outside) source static yealink interface service YeaLink-50000-50499-TCP YeaLink-50000-50499-TCP
nat (inside,outside) source static yealink interface service YeaLink-50000-50499-UDP YeaLink-50000-50499-UDP
nat (inside,outside) source static yealink interface service YeaLink-5060-5061-TCP YeaLink-5060-5061-TCP
nat (inside,outside) source static yealink interface service YeaLink-5060-5061-UDP YeaLink-5060-5061-UDP

The only difference is that your proposed NAT statement uses a service group (which incidentally the NAT command didnt seem to like when I just tried to use it). Did your FW accept your commands as written?

the error I get in the logs is just

Mar 12 2017 07:25:41: %ASA-3-710003: TCP access denied by ACL from

This goes away if I go into the network object and add a local NAT statement there (like this:
object network yealink
nat (inside,outside) static interface service tcp https https) so I am pretty sure its not an ACL issue, just an issue with the FW not recognizing the translation of the port to the internal server so it doesnt think the ACL even applies...

I see what you mean. the docs

Marvin Rhoads — Sun, 12 Mar 2017 15:54:35 GMT

I see what you mean. the docs and examples are a bit hazy when it comes to service groups.

I labbed it on an ASA with 9.6(2) and got the errors with the NAT statement as well.

I think the modification below using separate NAT statements might work. (Make sure none of the ports are in use by any other services - 443 is often used for SSL VPN.) The access-list can use the group still. I also believe we want to define the services as destination type (vs. source).

If a flow appears to fail, then check out what packet-tracer gives you. It will inject a simulated packets and examine the internal flow indicating what NAT, ACL etc is encountered and the eventual disposition of the flow. We sometimes learn from this diagnostic tool that the command syntax is correct but it's necessary to adjust a NAT or ACE order with respect to the other ones to make the ASA behave as desired.

object service VTC_udp_ports_1
 service udp destination range 1719 1720 
object service VTC_udp_ports_2
 service udp destination range 50000 50499
object service VTC_tcp_ports_1
 service tcp destination range 1719 1720 
object service VTC_tcp_ports_2
 service tcp destination range 50000 50499
object service SSL-TLS
 service tcp destination eq https

object-group service VTC_Services
 description Needed from outside inbound to VTC server
 service-object object VTC_udp_ports_1
 service-object object VTC_udp_ports_2
 service-object object VTC_tcp_ports_1
 service-object object VTC_tcp_ports_2
 service-object object SSL-TLS

object network VTC_Server
 host <real IP Address of server>

nat (inside,outside) source static VTC_Server interface service VTC_udp_ports_1 VTC_udp_ports_1
nat (inside,outside) source static VTC_Server interface service VTC_udp_ports_2 VTC_udp_ports_2
nat (inside,outside) source static VTC_Server interface service VTC_tcp_ports_1 VTC_tcp_ports_1
nat (inside,outside) source static VTC_Server interface service VTC_tcp_ports_2 VTC_tcp_ports_2
nat (inside,outside) source static VTC_Server interface service SSL-TLS SSL-TLS

access-list outside_access_in extended permit object-group VTC_Services any object VTC_Server

I believe what you are

slug420 — Sun, 12 Mar 2017 16:35:37 GMT

I believe what you are suggesting is what I have in the firewall right now...the only thing FW int 443 is used for is ASDM and I have moved that to another port...there are some extra permit ACLs but only because I was trying to throw stuff against the wall when it wasn't working....

Keep in mind if I att a 443 PAT config to the TeleConference network object, it works fine.

FIREWALL1(config)# show run access-list
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit tcp any object TeleConference eq https
access-list outside extended permit tcp any object TeleConference eq h323
access-list outside extended permit udp any object TeleConference eq 1719
access-list outside extended permit tcp any object TeleConference range sip 5061
access-list outside extended permit tcp any object TeleConference range 50000 50499
access-list outside extended permit udp any object TeleConference range 50000 50499
access-list outside extended permit udp any object TeleConference range sip 5061
access-list outside extended permit tcp any4 interface outside eq https
access-list outside extended permit tcp any4 host 200.200.200.200 eq https
access-list outside extended permit ip host 5.5.5.5 interface outside
access-list outside extended permit ip host 5.5.5.5 object TeleConference
access-list outside extended permit ip host 5.5.5.5 host 200.200.200.200
access-list outside extended permit object-group TeleConference-SVC any object TeleConference
FIREWALL1(config)# show run nat
nat (inside,any) source static obj-10.10.30.0 obj-10.10.30.0 destination static obj-10.10.0.0 obj-10.10.0.0 no-proxy-arp route-lookup
nat (inside,outside) source static TeleConference interface service TeleConference-1719-UDP TeleConference-1719-UDP
nat (inside,outside) source static TeleConference interface service TeleConference-1720-TCP TeleConference-1720-TCP
nat (inside,outside) source static TeleConference interface service TeleConference-HTTPS TeleConference-HTTPS
nat (inside,outside) source static TeleConference interface service TeleConference-50000-50499-TCP TeleConference-50000-50499-TCP
nat (inside,outside) source static TeleConference interface service TeleConference-50000-50499-UDP TeleConference-50000-50499-UDP
nat (inside,outside) source static TeleConference interface service TeleConference-5060-5061-TCP TeleConference-5060-5061-TCP
nat (inside,outside) source static TeleConference interface service TeleConference-5060-5061-UDP TeleConference-5060-5061-UDP
!
object network obj_any
 nat (inside,outside) dynamic interface
FIREWALL1(config)# show run obj
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-10.10.0.0
 subnet 10.10.0.0 255.255.252.0
object network obj-10.10.30.0
 subnet 10.10.30.0 255.255.255.0
object network TeleConference
 host 10.10.30.120
object service TeleConference-1719-1720
 service tcp destination range 1719 h323
object service TeleConference-5060-5061
 service tcp destination range sip 5061
object service TeleConference-1719-UDP
 service udp destination eq 1719
object service TeleConference-1720-TCP
 service tcp destination eq h323
object service TeleConference-HTTPS
 service tcp destination eq https
object service TeleConference-50000-50499-UDP
 service udp destination range 50000 50499
object service TeleConference-50000-50499-TCP
 service tcp destination range 50000 50499
object service TeleConference-5060-5061-TCP
 service tcp destination range sip 5061
object service TeleConference-5060-5061-UDP
 service udp destination range sip 5061
FIREWALL1(config)# show run object-group
object-group service TeleConferenceSvc tcp
 port-object range 50000 50499
 port-object range 1719 h323
 port-object eq https
 port-object range sip 5061
object-group service TeleConference-SVC
 service-object object TeleConference-1719-UDP
 service-object object TeleConference-1720-TCP
 service-object object TeleConference-HTTPS
 service-object object TeleConference-50000-50499-UDP
 service-object object TeleConference-50000-50499-TCP
 service-object object TeleConference-5060-5061-TCP
 service-object object TeleConference-5060-5061-UDP
FIREWALL1(config)#

FIREWALL1(config)# packet-tracer input outside tcp 5.5.5.5 20202 200.200.200.200 443 det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 200.200.200.200 using egress ifc identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7fffe133eb20, priority=0, domain=nat-per-session, deny=false
 hits=73795, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x7fffe1a59dc0, priority=0, domain=permit, deny=true
 hits=5580, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
 dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
 input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

any other thoughts on this?

slug420 — Thu, 16 Mar 2017 00:31:36 GMT

any other thoughts on this? I feel like this shouldn't be that difficult...

I think that your service

Rahul Govindan — Thu, 16 Mar 2017 17:46:31 GMT

I think that your service object should be "service tcp source eq https" not destination. With respect to the inside server, the source port is 443, not the destination port. Your packet tracer should have ideally hit an un-nat phase if the NAT rule was correct.

My goal is to expose the

slug420 — Thu, 16 Mar 2017 17:54:23 GMT

My goal is to expose the inside server to the outside on a number of ports, using port forwarding on the outside interface to map those ports to the internal server.

As such I used a destination port of 443 in the packet tracer to simulate an incoming 443 connection which should be forwarded (by NAT/PAT) to the internal server and allowed by ACL.

I am open to changing the NAT commands to say source instead of destination but I guess I am confused since when a packet comes to the firewall from the internet, it is the destination port which will be 443. When the internal server sends a syn-ack back to the host on the Internet to build the connection, that would have a source port of 443 and a destination port of whatever but on the initial packet (SYN) that needs to be NAT/PATd properly to the inside server, the destination would be 443.

Static Nat rules are bi

Rahul Govindan — Thu, 16 Mar 2017 18:27:54 GMT

Static Nat rules are bi-directional. When you define the rules, you are actually defining the rule from inside to outside interfaces for your inside server. If you look at it in that direction, the server uses the source port of 443. That is why the the service-object comes after the "source static" section. The actual traffic is initiated in the opposite direction and reverse of the NAT rule is applied (destination NAT translation)

that appears to have done it

slug420 — Thu, 16 Mar 2017 18:45:00 GMT

that appears to have done it,thanks. I figured it was something being interpreted backwards but didnt know if it was an ACL, NAT statement, object etc 🙂