topic It won't work if you don't in Network Security

ASA port forwading

Anthonize Rajaratne — Tue, 12 Mar 2019 08:05:23 GMT

Hello,

I have internal server 10.10.10.1 mapped to 2.2.2.2 (public ip). I can access the server via port 80 without no issues. Now I wanted to ssh into with different port number 222. I have made the following config. Just want to find out do I have need more config other than following?

object network DEVICE-10.10.10.1

host 10.10.10.1

nat (inside,outside) static 2.2.2.2

object network DEVICE-10.10.10.1-222

host 10.10.10.1

nat (inside,outside) static 2.2.2.2 service tcp 22 222

ACL outside (outside interface for inbound traffic)

permit any host 10.10.10.1 eq 222

ACL inside (inside interface for outbound traffic)

permit any any eq 222

Thanks in advance.

Thili

Your NAT looks fine. To make

Karsten Iwen — Wed, 03 Aug 2016 18:29:53 GMT

Your NAT looks fine. To make the config more readable, you could change the first NAT-rule to be only for service tcp/80.

For the outside-ACL, you have to allow the real port that is opened on the server. I assume the server is listening on tcp/22? Then the ACL has to be the following:

permit any host 10.10.10.1 eq 22

For this incoming traffic, you don't need an ACE on the inside ACL.

Thanks Karsten,

Anthonize Rajaratne — Wed, 03 Aug 2016 18:49:46 GMT

Thanks Karsten,

The whole purpose of this is, block well known 22 port from outside. Instead I want to use port 222 for ssh. The server is listening to port 22.If I enable port forwarding to 222 do I still need a ACE for opening port 22 from outside? if yes, then I'm loosing the purpose of the port forwarding.

Let me know your thoughts.

It won't work if you don't

Karsten Iwen — Wed, 03 Aug 2016 18:58:54 GMT

It won't work if you don't open the real port from outside. NAT is done first and the translated packet (with changed port numbers from 222 to 22) is compared to the ACL. But that doesn't mean that your server is reachable through tcp/22 from outside. It's not!

I tried it. I opened port 22.

Anthonize Rajaratne — Wed, 03 Aug 2016 20:20:32 GMT

I tried it. I opened port 22. server responded to port 22 but not for 222.

Was your new NAT-rule in

Karsten Iwen — Wed, 03 Aug 2016 20:33:20 GMT

Was your new NAT-rule in place?

ok, just tested it out and it

Karsten Iwen — Wed, 03 Aug 2016 21:00:21 GMT

ok, just tested it out and it seems that the ASA doesn't behave at it should. The general NAT always takes preference. To make it work, you have to change the first NAT to also do a port-forwarding:

object network DEVIDE-10.10.10.1-80
 host 10.10.10.1
 nat (inside,outside) static 2.2.2.2 service tcp 80 80

object network DEVIDE-10.10.10.1-22
 host 10.10.10.1
 nat (inside,outside) static 2.2.2.2 service tcp 22 222

permit any host 10.10.10.1 eq 80
permit any host 10.10.10.1 eq 22

everything is working now.

Anthonize Rajaratne — Fri, 05 Aug 2016 02:19:43 GMT

everything is working now. you are right, I have to enable port 22 from outside.

Same time general NAT rule must take off. Otherwise it overrides other NAT rules.

Thanks for your help.