topic Do you need to translate the in Network Security

Challenge on port to port forwarding on ASA 5512-X

bashiru.bayonle — Tue, 12 Mar 2019 08:09:44 GMT

Hello House,

Please i need help on port to port forwarding on ASA 5512-X. Below is the config and the port redirection is working but the range of ports and other ports permitted in the access-list are not opening. Kindly HELP pls....

object network TEST_PUBLIC_IP

host 10.10.10.10

object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200

object network TEST_PRIVATE_IP

host 1.1.1.1.
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside

Hi

Henrik Grankvist — Tue, 23 Aug 2016 08:55:39 GMT

What is the output of:

packet-tracer input OUTSIDE tcp 4.4.4.4 23432 10.10.10.10 8085

You will have to create NAT statement for the rest of the ports if you want them to work too.

@Henrik, Thanks so much for

bashiru.bayonle — Tue, 23 Aug 2016 12:54:16 GMT

@Henrik, Thanks so much for taken your precious time to read my post. I was thinking its access-list that should permit those ports. However, i would appreciate if you can help with the NAT statement for the rest of the ports.

Hi

Henrik Grankvist — Tue, 23 Aug 2016 13:37:47 GMT

This is how I would have done it. One static NAT statement per port, note that I'm using manual NAT and not object NAT, which makes it easier to see which order the NAT statements gets processed. Then I would try and reuse as many objects as I could in the access-list so you know which access-list entry and NAT statement is working together.

objekt service TCP-EQ-80
 service tcp source eq 80

object service TCP-EQ-443
 service tcp source eq 22

object service TCP-EQ-22
 service tcp source eq 22

object service TCP-EQ-8000
 service tcp source eq 8000

object service TCP-EQ-8001
 service tcp source eq 8001

object service TCP-EQ-8002
 service tcp source eq 8002

object network SERVER1
 host 1.1.1.1

object network SERVER_PUBLIC_IP
 host 209.88.9.35

nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service tcp TCP-EQ-80 TCP-EQ-8000
nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service tcp TCP-EQ-443 TCP-EQ-8001
nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service tcp TCP-EQ-22 TCP-EQ-8002

access-list OUTSIDE permit tcp any object SERVER1 object TCP-EQ-80
access-list OUTSIDE permit tcp any object SERVER1 object TCP-EQ-443
access-list OUTSIDE permit tcp any object SERVER1 object TCP-EQ-22

Thanks for your swift

bashiru.bayonle — Tue, 23 Aug 2016 15:04:01 GMT

Thanks for your swift response, but the port range is from 8000 to 8200. Doing this in 200 places is gonna be too cumbersome. And Applications are listening on those 200 ports...

Do you need to translate the

Henrik Grankvist — Tue, 23 Aug 2016 15:10:22 GMT

Do you need to translate the port or can it be a one-to-one relationship? For example: The connection is from the client is done to TCP/8043 to the ASA and the server is listening to TCP/8043?

what i need is to open those

bashiru.bayonle — Tue, 23 Aug 2016 15:53:28 GMT

what i need is to open those port range on the firewall so that application on the server can be listening to it. Also, ssh port so that i can be able to ssh remotely to the server

Is it only one server that is

Henrik Grankvist — Tue, 23 Aug 2016 18:10:40 GMT

Is it only one server that is mapped to the public IP? If so you could do just a standard static NAT statement without port forwarding and then control the access with the ACL.

It is only one server that is

bashiru.bayonle — Wed, 24 Aug 2016 17:05:00 GMT

It is only one server that is mapped to the public IP and i have done static NAT with port redirection because of security reason. that is if one accessess the domain name on the server on default port 80 web traffic, Firewall redirects the default port to 8085 internally because 8085 has been binded to the private IP of the server and its working perfectly. However, the challenge is with the access-list that permits range of ports that the application is listening to on the server that is not working. so, also telnet to the server. I think the focus should be on the access-list that is permitting the port ranges. See the config below:

object network TEST_PUBLIC_IP

host 10.10.10.10

object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200

object network TEST_PRIVATE_IP

host 1.1.1.1.
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside

NOTE: If i remove service tcp 8085 www of the NAT, the domain name will be opening with port no 8085 and the access-list that permits all the range of ports will be working perfectly. Thus, we need the port redirection from default 80 to 8085 for security reason and also, we cannot be giving people our domain name with port no 8085 before they can be able to access it. Do you get the logic?

It looks correct. What is the

Henrik Grankvist — Wed, 24 Aug 2016 17:05:34 GMT

It looks correct. What is the output of this packet trace?

packet-tracer input OUTSIDE tcp 4.4.4.4 23432 10.10.10.10 80

TFW/sec/actNoFailover# packet

bashiru.bayonle — Thu, 25 Aug 2016 07:47:59 GMT

TFW/sec/actNoFailover# packet-tracer input OUTSIDE tcp 4.4.4.4 23432 10.10.10.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network TEST_PRIVATE_IP
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP
Additional Information:
NAT divert to egress interface PRODUCTION
Untranslate 10.10.10.10/80 to 1.1.1.1/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: PRODUCTION
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Pls note that its only NAT that is configured now. Port redirection aspect has been removed (service tcp 8085 www) and the domain name is being access with port 8085.

@Henrik, Pls am still

bashiru.bayonle — Fri, 26 Aug 2016 10:33:29 GMT

@Henrik, Pls am still awaiting your feedback.Thanks in anticipation for your kind gesture.

Do you have the access rules

Henrik Grankvist — Fri, 26 Aug 2016 11:50:40 GMT

Do you have the access rules in place? If so try wto implement just one of the port forwarding rules:

objekt service TCP-EQ-80
 service tcp source eq 80

object service TCP-EQ-8085
 service tcp source eq 8085

nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service tcp TCP-EQ-8085 TCP-EQ-80

And then try the same packet-tracer command as before

There is access rule in place

bashiru.bayonle — Fri, 26 Aug 2016 12:40:15 GMT

There is access rule in place that is why port redirection is working but port range declared and allowed are not opening... I think the emphasis should be laid on how to ensure range of ports are opening after the redirection.

object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

This config seems to be equivalent to the one currently working for redirection.

object network TEST_PRIVATE_IP

host 1.1.1.1.
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

objekt service TCP-EQ-80
 service tcp source eq 80

object service TCP-EQ-8085
 service tcp source eq 8085

nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service tcp TCP-EQ-8085 TCP-EQ-80

Hello,

Cristian Nilsson — Fri, 26 Aug 2016 13:16:11 GMT

Hello,

You can map a range of port like this:

object service TCP-RA-8000_8200
 service tcp source range 8000 8200

nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service TCP-RA-8000_8200 TCP-RA-8000_8200

Mind that this will be 1-to-1 mapping of ports (8000 > 8000 etc).

If you want inside 8000 to be accessed by outside lets say 1025 you need multiple NAT statements.

Hope this helps.

//Cristian

@Cristian. Thanks for your

bashiru.bayonle — Fri, 26 Aug 2016 14:05:51 GMT

@Cristian. Thanks for your effort. But, existing NAT is doing both NAT and port redirection very well with this config below.

object network TEST_PRIVATE_IP

host 1.1.1.1.
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

However, the below config is not allowing access to the server

object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101.

Pls are you saying i should also use NAT to allow access to the server through all the ports-objects declared?. Because access to the server via all the ports is the challenge now.

Hello,

Cristian Nilsson — Fri, 26 Aug 2016 14:49:06 GMT

Hello,

Unfortunaly i dont think that service groups can be used in NAT statements.

- not static facts here, but i find it hard for ASA to figure out if its source or destination port as it is not an option to specify.

It should work in ACL thou.

//Cristian

see...lemme explain this

bashiru.bayonle — Fri, 26 Aug 2016 15:58:04 GMT

see...lemme explain this fully. With the below config, i can access abc.com.ng:8085 for example because 8085 has been binded to the locap IP of the server.Thus, it is not ideal to be giving client because of the port no. Also, i can ssh in to the server and as well all the ports used internally for the application on the server are opened. (port-object range 8000 8200)

object network TEST_PUBLIC_IP

host 10.10.10.10

object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200

object network TEST_PRIVATE_IP

host 1.1.1.1.
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside

However, with the below config, when i added service tcp 8085 www to the NAT for the redirection, then i can access abc.com.ng without the port 8085 added which is ideal and it shows port redirection is working. But, the challenge now is that with the below config, i can not ssh in to the server and as well all the ports used internally for the application on the server are not opening.

object network TEST_PUBLIC_IP

host 10.10.10.10

object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200

object network TEST_PRIVATE_IP

host 1.1.1.1.
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside

KINDLY HELP PLS.

Hello,

Cristian Nilsson — Fri, 26 Aug 2016 16:09:01 GMT

Hello,

If you want to use twice-nat you cannot use a service group as it wouldnt understand what port to map to which.

This should be what you are looking for:

object network TEST_PUBLIC_IP
 host 10.10.10.10

object network TEST_PRIVATE_IP
 host 1.1.1.1

object-group service PROD_101 tcp
 port-object eq ssh
 port-object eq https
 port-object range 8000 8200

object service TCP-SOURCE-8443
 service tcp source eq 8443

object service TCP-SOURCE-443
 service tcp source eq 443

object service TCP-SOURCE-922
 service tcp source eq 922

object service TCP-SOURCE-22
 service tcp source eq 22

object service TCP-SOURCE-8000_8200
 service tcp source range 8000 8200

nat (PRODUCTION,OUTSIDE) <seq no> static TEST_PRIVATE_IP TEST_PUBLIC_IP destination any any service TCP-SOURCE-8443 TCP-SOURCE-443

nat (PRODUCTION,OUTSIDE) <seq no> static TEST_PRIVATE_IP TEST_PUBLIC_IP destination any any service TCP-SOURCE-922 TCP-SOURCE-22

nat (PRODUCTION,OUTSIDE) <seq no> static TEST_PRIVATE_IP TEST_PUBLIC_IP destination any any service TCP-SOURCE-8000_8200 TCP-SOURCE-8000_8200

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside

//Cristian

I really appreciate your

bashiru.bayonle — Fri, 26 Aug 2016 17:09:39 GMT

I really appreciate your effort...I will check it out and get back you next week...Thanks a lot...