topic 5525-x making port forwarding in Network Security

5525-x making port forwarding

blackswans — Tue, 12 Mar 2019 03:20:29 GMT

Hi,

I've made object nat in the 5525-x firewall and give permission to these ports in the ACL. But we cannot access to these ports from outside? Are there any changes in these new firewall series?

Thanks.

object network xx_Exch_Rdp
nat (Inside,Outside) static interface service tcp 3389 3389
object network xx_Exch_Send
nat (Inside,Outside) static interface service tcp pop3 pop3
object network xx_Exch_Mapi
nat (Inside,Outside) static interface service tcp imap4 imap4
object network xx_Exch_Pop3
nat (Inside,Outside) static interface service tcp 587 587
object network xx_Exch_Smtp
nat (Inside,Outside) static y.y.y.z service tcp smtp smtp

Re: 5525-x making port forwarding

Karsten Iwen — Thu, 19 Dec 2013 10:45:13 GMT

The NAT looks fine. What about the ACL? Remember that you have to use the real-address in the ACL and not the public/natted address.

So the ACL would be something like:

permit tcp any object xx_Exch_Rdp eq 3389

permit tcp any object xx_Exch_Send eq pop3

...

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: 5525-x making port forwarding

blackswans — Thu, 19 Dec 2013 12:09:06 GMT

I think also the ACL seems to me good... I'm using the real ip addresses. But you say to use the object I'm using the host keyword here... Is that wrong?

access-list Outside_access_in extended permit tcp any host PUBLIC_IP object-group DM_INLINE_TCP_1

object-group service DM_INLINE_TCP_1 tcp

port-object eq 3389

port-object eq 587

port-object eq www

port-object eq https

port-object eq imap4

port-object eq pop3

port-object eq smtp

Re: 5525-x making port forwarding

Karsten Iwen — Thu, 19 Dec 2013 12:13:28 GMT

The host-keyword is perfectly fine. But it seems that you use the public IP in your ACL and not the real address. You need to use the address that your Exchange-server has configured on the interface.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: 5525-x making port forwarding

blackswans — Thu, 19 Dec 2013 12:19:10 GMT

Ok I then I will try with the real host ip address which is a private ip. But we were using the public ip address in the older firewalls like 5510 5520...

Thanks.

5525-x making port forwarding

Karsten Iwen — Thu, 19 Dec 2013 12:22:30 GMT

On the 5510/5520 you probably didn't use a version 8.3+. There it changed from public to real address.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: 5525-x making port forwarding

blackswans — Thu, 19 Dec 2013 12:26:33 GMT

Thank you very much for the information. I will try these.

Regards.

5525-x making port forwarding

blackswans — Mon, 23 Dec 2013 21:33:27 GMT

These nat translations are two way translations is it right? So if the server wants to go to internet it will go from the natted ip ?

5525-x making port forwarding

Karsten Iwen — Mon, 23 Dec 2013 22:33:33 GMT

Yes and no ... 😉

They can be used from both sides which is what static translations are used for. But they are restricted to the tcp-ports 3389/imap/pop3 ... on the server side. And as it is unlikely that the server initiates a connection with source-port 110/143/... you need an additional entry for outgoing connections.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni