topic This looks very promising, by in Network Security

Cisco ASA 9.4 Port-forwarding issue using multiple ports to same inside host

trylvis123 — Tue, 12 Mar 2019 08:59:43 GMT

Greetings everyone,

I'm trying to set up a port-forward through Cisco ASA running version 9.4.3.8.

I want to use one public IP, and forward different ports coming to this IP, into one or more internal servers on the same port.

I also want the clients on this subnet to be PAT'ed outwards on the same IP.

We do have multiple public IP's in this subnet the Outside interface, used for different purposes.

Example scenario, public IP address 9.9.9.9 - internal address 10.0.0.20 for server A and 10.0.0.30 for server B.

Internet -> Outside interface - IP 9.9.9.9:tcp6881 ->NAT-> Inside server 10.0.0.20:tcp6881

Internet -> Outside interface - IP 9.9.9.9:udp6882 ->NAT-> Inside server 10.0.0.20:udp6882

Internet -> Outside interface - IP 9.9.9.9:tcp7881 -> NAT-> Inside server 10.0.0.30:tcp7881

Internet -> Outside interface - IP 9.9.9.9:udp7882 ->NAT-> Inside server 10.0.0.30:udp7882

I'm currently working on getting host A(10.0.0.20) to work, and I've used the following commands:

access-list Outside_access_in extended permit udp any4 object 10.0.0.20 eq 6881
access-list Outside_access_in extended permit tcp any4 object 10.0.0.20 eq 6881

object service TCP_6881
service tcp source eq 6881
object service UDP_6881
service udp source eq 6881

nat (InternalNetworkX,Outside) source static 10.0.0.20 Outside_9.9.9.9 destination static Outside_9.9.9.9 Outside_9.9.9.9 service TCP_6881 TCP_6881
nat (InternalNetworkX,Outside) source static 10.0.0.20 Outside_9.9.9.9 destination static Outside_9.9.9.9 Outside_9.9.9.9 service UDP_6881 UDP_6881

object network InternalNetworkX
nat (InternalNetworkX,Outside) dynamic 9.9.9.9

Now we get incoming UDP traffic(hits in access rules get updated), but no TCP traffic.

However, if I run a packet tracer, it says that both UDP and TCP should be dropped:

UDP packet-tracer:

packet-tracer input Outside udp 8.8.8.8 6881 10.0.0.20 6881

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.20 using egress ifc InternalNetworkX

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit udp any4 object hostA eq 6881
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network InternalNetworkX
nat (InternalNetworkX,Outside) dynamic 9.9.9.9
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: InternalNetworkX
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

TCP packet-trace:

packet-tracer input Outside tcp 8.8.8.8 6881 10.0.0.20 6881

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.20 using egress ifc InternalNetworkX

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any4 object hostA eq 6881

Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network InternalNetworkX
nat (InternalNetworkX,Outside) dynamic 9.9.9.9
Additional Information:

Any ideas on this?

You are configuring it in a

Karsten Iwen — Wed, 01 Mar 2017 13:24:10 GMT

You are configuring it in a too complicated way ...

object network SRV-10.0.0.20-6881
 host 10.0.0.20
 nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 6881 6881
!
object network SRV-10.0.0.20-6882
 host 10.0.0.20
 nat (InternalNetworkX,Outside) static 9.9.9.9 service udp 6882 6882
!
object network SRV-10.0.0.30-7881
 host 10.0.0.30
 nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 7881 7881
!
object network SRV-10.0.0.30-7882
 host 10.0.0.30
 nat (InternalNetworkX,Outside) static 9.9.9.9 service udp 7882 7882
!
object network InternalNetworkX
 nat (InternalNetworkX,Outside) dynamic 9.9.9.9

And you need to allow the traffic in your outside ACL:

access-list OUTSIDE-IN permit tcp any host 10.0.0.20 eq 6881
access-list OUTSIDE-IN permit udp any host 10.0.0.20 eq 6882
access-list OUTSIDE-IN permit tcp any host 10.0.0.30 eq 7881
access-list OUTSIDE-IN permit udp any host 10.0.0.30 eq 7882

Thanks for your reply!

trylvis123 — Wed, 01 Mar 2017 13:27:28 GMT

Thanks for your reply!

That seems alot easier, but how will that be if we use port 6881 for both TCP and UDP, can I create two objects with the same IP, but different ports?

Like:

object network SRV-10.0.0.20-TCP6881
 host 10.0.0.20
 nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 6881 6881
!
object network SRV-10.0.0.20-UDP6881
 host 10.0.0.20
 nat (InternalNetworkX,Outside) static 9.9.9.9 service udp 6881 6881
!

Yes, exactly like that.

Karsten Iwen — Wed, 01 Mar 2017 13:31:31 GMT

Yes, exactly like that.

This looks very promising, by

trylvis123 — Wed, 01 Mar 2017 14:10:52 GMT

This looks very promising, by the hits in the Access Rule list, it seem to translate correctly. I've yet only configured one host, "10.0.0.20".

I'm a bit curious about my packet-tracer tho. This still drop's the packet, have I entered the wrong information here?

I've run the following in packet-tracer (I do use 8.8.8.8 in the actual packet-tracer):

packet-tracer input Outside tcp 8.8.8.8 6881 10.0.0.20 6881

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.20 using egress ifc InternalNetworkX

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any4 object SRV-10.0.0.20 eq 6881

Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network SRV-10.0.0.20-TCP6881
nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 6881 6881
Additional Information:

The same goes for UDP.

The packet-tracer has to be

Karsten Iwen — Wed, 01 Mar 2017 14:37:04 GMT

The packet-tracer has to be used with the packet-information as it enters the ASA:

packet-tracer input Outside tcp 8.8.8.8 6881 9.9.9.9 6881

Exactly, that seems to work

trylvis123 — Thu, 02 Mar 2017 12:33:34 GMT

Exactly, that seems to work perfectly.

Thanks!