topic Port forwarding with an ASA 5520 in Network Security

Port forwarding with an ASA 5520

bazzaroo — Tue, 12 Mar 2019 03:05:57 GMT

Hi all,

I've recently bought a Cisco ASA 5520 on eBay for study and I've decided to use it solely as a firewall between my home LAN and the Internet. Wow, what a learning curve! I've managed to add my internal networks as objects and create a NAT rule (thanks for youtube) to PAT my internal devices to get out to the Internet with ASDM but I'm really struggling to do the following: -

- allow any incoming traffic that hits the external facing interface destined for port 38921 and nat to 10.1.10.101:38921

- allow any incoming traffic that hits the external facing interface destined for port 30392 and nat to 10.1.10.101:30392

Can anyone guide me on how to do this, as I have a couple of services running behind these ports on a server that I want to get at when I'm not at home? My (rather messy) config is as follows: -

hostname FW1

enable password encrypted

passwd encrypted

names

interface GigabitEthernet0/0

description **External facing to Internet**

nameif Outside

security-level 0

ip address dhcp setroute

interface GigabitEthernet0/1

description **Internal Facing to 3750**

nameif Internal

security-level 100

ip address 10.1.10.2 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ftp mode passive

object network VLAN1

subnet 192.168.1.0 255.255.255.0

description Legacy

object network WiredLAN

subnet 10.1.10.0 255.255.255.0

description Wired LAN

object network CorporateWifi

subnet 10.1.160.0 255.255.255.0

description Corporate Wireless VLAN 160

object network GuestWifi

subnet 10.1.165.0 255.255.255.0

description Guest Wireless VLAN 165

object network LegacyLAN

subnet 192.168.1.0 255.255.255.0

description Legacy LAN in place until change over

object network FileServer

host 10.1.10.101

description File Server

object service Service1

service tcp source eq 38921 destination eq 38921

description 1st service

object-group network All_Inside_Networks

network-object object VLAN1

network-object object WiredLAN

network-object object CorporateWifi

network-object object GuestWifi

network-object object LegacyLAN

object-group service Service2 tcp-udp

port-object eq 30392

object-group service DM_INLINE_TCPUDP_1 tcp-udp

port-object eq 30392

group-object Service2

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list Outside_access_in extended permit object-group TCPUDP any object FileServer object-group DM_INLINE_TCPUDP_1 inactive

access-list Outside_access_in extended permit object Service1 any object FileServer inactive

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Internal 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

nat (Internal,Outside) source dynamic FileServer interface service Service1 Service1 inactive

nat (any,Outside) source dynamic All_Inside_Networks interface

access-group Outside_access_in in interface Outside

route Internal 10.1.160.0 255.255.255.0 10.1.10.1 1

route Internal 10.1.165.0 255.255.255.0 10.1.10.1 1

route Internal 192.168.1.0 255.255.255.0 10.1.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.1.160.15 255.255.255.255 Internal

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet 10.1.160.15 255.255.255.255 Internal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface Outside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username Barry password encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:19be38edefe8c3fd05e720aedee62c8e

: end

Port forwarding with an ASA 5520

Jouni Forss — Sat, 16 Nov 2013 15:52:54 GMT

Hi,

So you want to configure Static PAT (Port Forward) for these 2 mentioned ports

You can accomplish that with the following configurations

object network STATIC-PAT-TCP38921

host 10.1.10.101

nat (Internal,outside) static interface service tcp 38921 38921

object network STATIC-PAT-TCP30392

host 10.1.10.101

nat (Internal,outside) static interface service tcp 30392 30392

access-list Outside_access_in extended permit tcp any object STATIC-PAT-TCP38921 eq 38921

access-list Outside_access_in extended permit tcp any object STATIC-PAT-TCP30392 eq 30392

A few things to consider

If either of the ports was actually meant to be UDP then replace the parameter "tcp" with "udp"
Choose your own names for the objects as they arent really descriptive of the actual service

You might also have the chance to configure Client VPN on your firewall which would enable you to access the servers securely without opening any other external access. You could either use IPsec VPN with a 3rd party VPN Client or Cisco AnyConnect if its installed on the ASA. But this is just a suggestion of what you could go for in the future.

I also wrote a document about the new NAT 8.3+ (software level) configuration format. Maybe it will help. It can be found here

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more and naturally if you have some other NAT related or ASA configuration related problems then post a question here on the forums.

- Jouni

Port forwarding with an ASA 5520

bazzaroo — Sun, 17 Nov 2013 20:54:58 GMT

Thanks Jouni - I'll give that a try and post back with how it goes!

Port forwarding with an ASA 5520

bazzaroo — Tue, 19 Nov 2013 00:04:38 GMT

OK then... so... I've made the changes and tested this externally and it still doesn't work. I ran packet tracer to try and get an idea of what it's doing and this was the result: -

packet-tracer input Outside tcp 9.13.12.6 3456 10.1.10.101 30392

Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.10.0 255.255.255.0 Internal

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any object STATIC-PAT-TCP30392 eq 30392
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (any,Outside) source dynamic All_Inside_Networks interface
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Internal
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Then...

packet-tracer input Outside tcp 9.13.12.6 3456 [Public IP Address removed] 30392

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop

So when I'm trying to connect to the services on the public facing IP address from somewhere out on the Internet, it's being dropped by the implicit rule. Do I need a rule to allow any incoming on tcp port 30392? If so, once I add that rule am I simply going to start hitting the same NAT problem like in the first trace? How do I fix the NAT drop from the first trace?

Port forwarding with an ASA 5520

Jouni Forss — Tue, 19 Nov 2013 00:11:47 GMT

Hi,

The first "packet-tracer" fails because you are using the internal IP address as the target. You will never see traffic coming from the Internet with the target IP address that is a private IP address. Because you target the internal IP address and not the public IP address then the other direction of the test matches no NAT rules and the reverse check fails because it matches a NAT rule. For the traffic to pass the traffic must match the same NAT rule on both direction. But the main problem here is that you are indeed targetting the internal IP address.

The problem with the second "packet-tracer" output is that its not matching any NAT configuration. Before any ACCESS-LIST Phase you should be seeing an UN-NAT Phase.

Since you are not seeing one the reason could be

You dont have the correct NAT configuration present
There is another NAT configuration present that overrides the Static PAT (Port Forward)
There is some bug that prevents the traffic from matching the correct NAT rule

To determine what the reason is we should see your NAT configuration.

Can you share the output of

show run nat

- Jouni

Port forwarding with an ASA 5520

jumora — Tue, 19 Nov 2013 04:15:22 GMT

1. This is just a configuration example and another option with to due this and avoid sending us the complete NAT configuration:

object network 10.1.10.101

host 10.1.10.101

object service 38921

service tcp source eq 38921

object service 30392

service tcp source eq 30392

nat (inside,outside) 1 source static 10.1.10.101 interface service 38921 38921

nat (inside,outside) 1 source static 10.1.10.101 interface service 30392 30392

Let me know if it works

Port forwarding with an ASA 5520

jumora — Tue, 19 Nov 2013 04:43:44 GMT

FYI: it is because of your manual NAT

Port forwarding with an ASA 5520

bazzaroo — Tue, 19 Nov 2013 09:34:54 GMT

As I say, I've only just got this so it's all new to me. NAT config is as follows: -

FW# sh run nat

nat (Internal,Outside) source dynamic FileServer interface service Service1 Service1 inactive

nat (any,Outside) source dynamic All_Inside_Networks interface

object network STATIC-PAT-TCP38921

nat (Internal,Outside) static interface service tcp 38921 38921

object network STATIC-PAT-TCP30392

nat (Internal,Outside) static interface service tcp 30392 30392

The first NAT rule (which I deactivated) was part of my original attempt to get this working...

Port forwarding with an ASA 5520

Jouni Forss — Tue, 19 Nov 2013 10:09:37 GMT

Hi,

For some reason I managed to completely miss the Manual NAT configuration you had for Dynamic PAT.

As Jumora mentioned above the problem is the following command

nat (any,Outside) source dynamic All_Inside_Networks interface

Do do the following change

no nat (any,Outside) source dynamic All_Inside_Networks interface

nat (any,Outside) after-auto source dynamic All_Inside_Networks interface

Notice that this change will cause a small outage in the outbound connections as you are changing the Dynamic PAT configuration for all users. But this is the configuration that is causing problems with the Static PAT (Port Forward)

- Jouni

Port forwarding with an ASA 5520

bazzaroo — Tue, 19 Nov 2013 12:49:16 GMT

Thanks Jouni! As far as packet tracer is concerned, that seems to have done the trick. I'll test it externally when I next get the chance. Packet tracer now shows...

FW(config)# packet-tracer input Outside tcp 9.13.12.6 3456 [Public IP Address removed] 30392

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network STATIC-PAT-TCP30392
nat (Internal,Outside) static interface service tcp 30392 30392
Additional Information:
NAT divert to egress interface Internal
Untranslate [Public IP Address removed]/30392 to 10.1.10.101/30392

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any object STATIC-PAT-TCP30392 eq 30392
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network STATIC-PAT-TCP30392
nat (Internal,Outside) static interface service tcp 30392 30392
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2, packet dispatched to next module

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Internal
output-status: up
output-line-status: up
Action: allow

So what is it that 'after-auto' keyword changes to allow the traffic flow?

Port forwarding with an ASA 5520

bazzaroo — Tue, 19 Nov 2013 12:58:35 GMT

And thanks too for you input Jumora! Much appreciated.

Re: Port forwarding with an ASA 5520

Jouni Forss — Tue, 19 Nov 2013 13:03:43 GMT

Hi,

Remember also to mark Jumoras reply as the correct answer since he noticed it first. He also provided another "nat" configuration that would work in your case.

I usually suggest changing the existing configuration though since it keeps the configuration clearer to read and manage in the long run but that is naturally my personal opinion only

With regards to the "after-auto" its there only to change the priority of the NAT configuration.

To give you the all the information shortly consider these facts about the new NAT behaviour and operation.

There are 2 NAT Rule types: Auto NAT and Manual NAT
- Auto NAT is NAT configured under an "object"
- Manual NAT is NOT configured under any "object" but rather uses "object" and "object-group" as its parameters
There are 3 Sections of NAT
- Section 1 is Manual NAT
- Section 2 is Auto NAT
- Section 3 is Manual NAT
- They are processed in that order for a match
Manual NAT is by default Section 1
- The "nat" configuration WITHOUT "after-auto"
Auto NAT is always Section 2
- For example the Static PAT (Port Forward) we configured
Manual NAT is also Section 3
- The "nat" configuration WITH "after-auto"

So if you consider all the above mentioned points you will notice that we configured a Section 2 Auto NAT and you had a Section 1 Manual NAT. The Section 1 Manual NAT in this case overrided the Section 2 Auto NAT (since it uses the same public IP address) therefore the Static PAT we configured with Auto NAT didnt work. We then changed the existing configuration to include "after-auto". Since this means the NAT configuration is now Section 3 it means it cant override the Section 2 Auto NAT (Static PAT) we configured and it started working.

EDIT: The "after-auto" also refers that this NAT rule will be after Auto NAT which you will see if you look at the ASDM or CLI of the NAT configuration. You will notice the existing "nat" you changed has now moved to the very bottom.

Hope it makes sense

You can check a document I wrote for a bit more information about the above subject.

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

Port forwarding with an ASA 5520

bazzaroo — Tue, 19 Nov 2013 13:13:22 GMT

Thanks for the explanation - makes sense now. I'll take a look at the document too.