topic ASA 5505 Stupid Simple Problem but I can't get it in Network Security

ASA 5505 Stupid Simple Problem but I can't get it

Ryan Huff — Tue, 12 Mar 2019 08:14:34 GMT

ASA 5505 9.2 (ASDM 7.6)

Outside = ip address dhcp setroute

Inside = 192.168.95.0 255.255.255.240

On the inside network I have a single host with a static IP address ( 192.168.95.5 ), its an IP camera. The camera can be accessed from the outside and requires 5 various ports to be open on the outside.

I understand the concept perfectly; I need the outside interface to port redirect (forward) traffic on those specific ports into the inside interface for that specific inside host. What has me perplexed, is. the. syntax.

I am a Collaboration engineer .... I blame firewalls most of the time, not work on or configure them :). Can any one help this poor collab guy out with the syntax?

Thanks,

Ryan

Hi Ryan,

Aditya Ganjoo — Wed, 07 Sep 2016 02:19:56 GMT

Hi Ryan,

You can use the following syntax for Static port translation:

 object network obj-10.1.1.16----REAL IP of the inside server
   host 10.1.1.16
   nat (inside,outside) static interface service tcp 8080 www

where interface keyword is used for outside interface IP and service keyword is used for tcp ports.

You can check this link for further clarity ( check Regular Static PAT section) :

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks for the reply Aditya!

Ryan Huff — Wed, 07 Sep 2016 02:47:37 GMT

Thanks for the reply Aditya!

It seems though, this is only allowing one source and destination port for the PAT. I actually need to translate 5 different ports coming in from the outside into the inside.

So do I just create a new network object (with a different name) using the same host, for each of the 5 PATs?

Hi Ryan,

Aditya Ganjoo — Wed, 07 Sep 2016 03:04:28 GMT

Hi Ryan,

Yes you can either create a new network object or if the ports are continuous then you can use the range keyword for it.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Aditya, thanks!

Ryan Huff — Wed, 07 Sep 2016 12:54:07 GMT

Aditya, thanks!

I added the PAT and it seemed to work. Packet tracer showed it clearing and an external NMAP on the outsdie interface showed the port open. Then, something change; but I am not sure what.

I used to work at a managed services provider and I did a lot of ASA work .... but that was pre 8.3 and a long time ago .... I am finding quite a bit has changed, so thanks for your help!

Now, packet tracer (incoming on the outside interface) shows it failing on the reverse-path NAT. Typically, that would mean it is matching the wrong rule in the egress direction and reordering the rules would fix it.

The issue is when I run a detailed output of packet tracer, it shows that it is matching the correct NAT. This is a very basic firewall config so there isn't much that could be tripping it up ... I just am not seeing it.

I have attached a show-run if you don't mind lookin, I would appreciate it.

Thanks,

Ryan

Hi Ryan,

Aditya Ganjoo — Wed, 07 Sep 2016 13:11:19 GMT

Hi Ryan,

Yes you are correct.

So lets remove the existing PAT for the rtsp traffic and configure a manual NAT statement like this and test:

object service rtsp
service tcp source eq rtsp
object service rtsp-1
service tcp source eq rtsp

nat (inside,out) 1 source static obj_192.168.95.5A interface service rtsp rtsp-1

Regards,

Aditya

Please rate helpful posts and mark correct answers.

I have got to the bottom of

Ryan Huff — Fri, 09 Sep 2016 00:50:03 GMT

I have got to the bottom of the issue ...

nat (inside,outside) dynamic interface

It seems that no matter what manual NAT or PAT i enter in, as long as that dynamic nat for the inside hosts is there ... it is always matached for the reverse path.

My ultimate goal is this; all hosts on the 192.168.95.0 255.255.255.240 network be able to access the Internet via the outside interface without port restriction.

Then, also have the 5th host of that network (.5) have specific TCP and UDP ports mapped to it from the outside.

So I removed the dynamic NAT and entered a manual NAT like;

nat (inside,outside) 2 static (network obj for the inside network) interface any any which seems to work fine (generates a warning about all services on the outside mapped to the inside) .... which I guess is OK?

Now, shouldn't I be able to create additional, more specific manual NATs at a higher priority and have it match the more specific NAT?