topic I think this can happen if in Network Security

static nat config on ASA 9.1 for port forwarding

mahesh18 — Tue, 12 Mar 2019 05:13:42 GMT

Hi Everyone,

I have only single Public IP on ASA outside interface.

Server is connected to inside network of ASA.I want server should be reachable from internet on port 443.

I try the static nat config on ASA

nat (inside,outside) ?

configure mode commands/options:
<1-2147483647> Position of NAT rule within before auto section
after-auto Insert NAT rule after auto section
source Source NAT parameters

There is no static command?

how can i config below config

nat (inside,outside) static interface service tcp http http in ASA 9.1 version?

Regards

MAhesh

Hi Mahesh,You can create an

Rishabh Seth — Sat, 13 Dec 2014 17:35:54 GMT

Hi Mahesh,

You can create an object nat for this requirement.

>> create object for server private ip.

object network SERVER

host x.x.x.x

nat (inside,outside) static interface service tcp 443 443

NOTE: If you are doing translating traffic coming for ASA IP on port 443 to SERVER then you will not be able to run ASDM on port 443. In order to manage ASA on the public IP make sure that you have changed the port for ASDM.

Thanks,

Rishabh

Hi Rishabh, Under 9.1 i

mahesh18 — Sat, 13 Dec 2014 17:45:26 GMT

Hi Rishabh,

Under 9.1 i tried this

ASA1(config)# nat (inside,outside) source static ?

configure mode commands/options:
WORD Specify object or object-group name for real source
any Abbreviation for source address and mask of 0.0.0.0

There is no option for interface?

Regards

Mahesh

Hi Mahesh, The interface

Rishabh Seth — Sat, 13 Dec 2014 18:07:48 GMT

Hi Mahesh,

The interface option for:

>> object NAT:-

>> create object for server private ip.

(config)#object network SERVER

(config-network-object)# host x.x.x.x

(config-network-object)# nat (inside,outside) static interface service tcp 443 443

>> For mannual nat

(config)#nat (outside,inside) source static <real-ip> <mapped-ip> destination static interface <real-ip> service <real-service> <mapped-service>

Hope it helps.

Thanks,

Rishabh

Hi Rishabh, When i do ass

mahesh18 — Sat, 13 Dec 2014 18:51:49 GMT

Hi Rishabh,

When i do ass you said

ASA1(config-network-object)# nat (inside,outside) static interface ser$
ERROR: NAT unable to reserve ports.

i try ssh same error

Any idea how can i allow ssh to server or 443 connection from outside?

Also ACL is there to allow traffic from outside - any IP to ASA public IP.

Regards

MAhesh

I think this can happen if

Rishabh Seth — Sat, 13 Dec 2014 19:31:02 GMT

I think this can happen if ASA is listening for connections on port 22 and 443 on outside interface. Probably you have enabled ssh and http server on outside interface.

You can check it by running command sh asp table socket.

You can change port for http server by command http server enable <port>.

Try changing port and then configure NAT.

Thanks,

Rishabh

For ssh I haven't seen any

Rishabh Seth — Sat, 13 Dec 2014 19:42:26 GMT

For ssh I haven't seen any command that would make as a listen on any other port than 22.

So to ssh to your server you can use mapped service port as some random port (say 22222)and then real port as 22 in your NAT.

And then ssh to public IP port 22222

For testing purposes i am

mahesh18 — Sat, 13 Dec 2014 23:17:21 GMT

For testing purposes i am only allowing telnet connection to server as SSH

and https is used by ASA itself.

When i try telnet from outside world to server IP

i see logs in ASA

%ASA-3-710003: TCP access denied by ACL from 70.75.x.x/49966 to outside:96.51.x.x/23

i have ACL that shows no hit counters

access-list outside_access_in extended permit tcp any object server eq telnet

pri/act/ASA1# sh run access-group
access-group outside_access_in in interface outside

Current NAT config

sh run nat
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (inside,outside) source static inside inside destination static inside inside
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN
nat (sales,outside) source static Sales Sales destination static Sales Sales
nat (inside,outside) source dynamic inside interface description Allow R1 to ping to Internet Sites
nat (sales,outside) source dynamic Sales interface description Allow 2950 to Pint to Internet Sites
nat (sales,outside) source static Sales Sales destination static vpn_pool_ip vpn_pool_ip description Allow Ping to 2950 Switch while connected Via Anyconnect Full tunnel
!
object network server
nat (inside,outside) static interface service tcp telnet telnet

Regards

Mahesh

When you are testing telnet

Rishabh Seth — Sun, 14 Dec 2014 09:16:39 GMT

When you are testing telnet traffic, check NAT counter for the object NAT you have created.

Make sure the traffic is not hitting any Manual NAT which you have.

If it is hitting some manual NAT then place that NAT after object NAT using the command "after-auto" in that manual NAT statement.

Also check what packet tracer shows.

I do not see any hit

mahesh18 — Sun, 14 Dec 2014 14:58:37 GMT

I do not see any hit counters on object NAT.

Also i have 2 manual NAT statements as below

2 (inside) to (outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
translate_hits = 0, untranslate_hits = 0

6 (inside) to (outside) source dynamic inside interface description Allow R1 to ping to Internet Sites
translate_hits = 7204, untranslate_hits = 2578

Can you please tell me command via CLI which i can use to put below commands after Object NAT?

Regards

MAhesh

I think all your traffic is

Rishabh Seth — Sun, 14 Dec 2014 16:04:24 GMT

I think all your traffic is hitting this NAT statement :

(inside) to (outside) source dynamic inside interface description Allow R1 to ping to Internet Sites

Remove this NAT statement and place it after object nat by using after-auto command.

eg:

nat (inside,outside) after-auto source dynamic inside interface

i moved the nat config below

mahesh18 — Sun, 14 Dec 2014 16:47:55 GMT

i moved the nat config below as you said here is packet tracer output

pri/act/ASA1# packet-tracer input outside tcp 70.75.x.x. 23 10.0.0.4 23

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object server eq telnet
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network server
nat (inside,outside) static interface service tcp telnet telnet
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

seems it is denied by object NAT rule?

Regards

MAhesh

As per your requirement you

Rishabh Seth — Sun, 14 Dec 2014 16:58:37 GMT

As per your requirement you will be sending traffic on public IP.

Check IP addresses in packet tracer.

packet-tracer input outside tcp <source-ip> <any port> <asa outside ip> <23>

Here is output ASA1# packet

mahesh18 — Sun, 14 Dec 2014 17:05:33 GMT

Here is output

ASA1# packet-tracer input outside tcp 70.75.x.x 1023 96.51.x.x 23

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 96.51.x.x 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

refer this article:https:/

Rishabh Seth — Sun, 14 Dec 2014 17:55:13 GMT

refer this article:

https://rowell.dionicio.net/configuring-nat-for-a-public-server-using-same-outside-interface/

I tried as per above website

mahesh18 — Sun, 14 Dec 2014 19:15:04 GMT

I tried as per above website seems some NAT issue which i need to fix

Logs shows

%ASA-3-710003: TCP access denied by ACL from 70.75.x.x/52948 to outside:96.51.x.x/443

NAT config

ASA1# sh run nat
nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside description Allow Ping and SSH to 10.0.0.1 using Anyconnect with Full Tunnel
nat (inside,outside) source static inside inside destination static vpn_pool_ip vpn_pool_ip
nat (outside,outside) source dynamic vpn_pool_ip interface description Allow Access to Internet using Anyconnect VPN
nat (sales,outside) source static Sales Sales destination static Sales Sales
nat (sales,outside) source dynamic Sales interface description Allow 2950 to Pint to Internet Sites
nat (sales,outside) source static Sales Sales destination static vpn_pool_ip vpn_pool_ip description Allow Ping to 2950 Switch while connected Via Anyconnect Full tunnel
!
object network server
nat (inside,outside) static interface service tcp https https
!
nat (inside,outside) after-auto source static inside inside destination static inside inside
nat (inside,outside) after-auto source dynamic inside interface description Allow R1 to ping to Internet Sites

Regards

MAhesh

For testing you can try to

Rishabh Seth — Mon, 15 Dec 2014 00:06:41 GMT

For testing you can try to put all your manual nat after object NAT (using after auto command). So that you can confirm that there is no other NAT getting hit for the server traffic.

And also make sure that your ACL for this traffic has UN NATed (private IP address) of the server.

I put this object NAT

mahesh18 — Tue, 16 Dec 2014 01:03:10 GMT

I put this object NAT statement at top of all the NATs.

Now i can telnet to server.

Many thanks for helping all the way.

Best Regards

MAhesh