topic Port to application mapping on asa in Network Security

Port to application mapping on asa

alkabeer80 — Tue, 12 Mar 2019 03:00:34 GMT

Hi,

i have cisco asa 8.4, i am using simple topology on gns3:

R1 ----------------------------------(inisde) ASA (outside) ------------------------------ R2

192.168.1.1 192.168.1.2 192.168.2.2 192.168.2.1

I have enabled http on R1, telnet from R2 to R1 (telnet 192.168.1.1 80) , it work.

Now i want to configure ASA to port map 80 to 8080, telnet from R2 to R1 ( telnet 192.168.1.1 8080) , how can i do it ?

Thankssss

Port to application mapping on asa

Jouni Forss — Tue, 05 Nov 2013 13:17:45 GMT

Hi,

This depends on your software level used. The NAT configuration format is different for software levels 8.2 (and below) compared to levels 8.3 (and above)

Here is an example of both

Software 8.2 and below

static (inside,outside) tcp 192.168.1.1 8080 192.168.1.1 80 netmask 255.255.255.255

access-list permit tcp any host 192.168.1.1 8080

Software 8.3 and above

object network R1

host 192.168.1.1

nat (inside,outside) static 192.168.1.1 service tcp 80 8080

access-list permit tcp any object R1 eq 80

Hope this helps

Let me know if it works for you. If not then will have to look more into the configuration.

- Jouni

Port to application mapping on asa

alkabeer80 — Tue, 05 Nov 2013 13:35:42 GMT

Hi,

It did not work, i tried to write same command, it did not accept

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

object service 80

service tcp destination eq www

object service 8080

service tcp source eq 8080

object network R1

host 192.168.2.1

ciscoasa(config)# nat (inside,ouside) source static ?

configure mode commands/options:
WORD Specify object or object-group name for real source
any Abbreviation for source address and mask of 0.0.0.0

ciscoasa(config)# nat (inside,ouside) source static R1 ?

configure mode commands/options:
WORD Specify object or object-group name for mapped source
interface Specify interface NAT

how to write it ?

Port to application mapping on asa

Jouni Forss — Tue, 05 Nov 2013 13:39:58 GMT

Hi,

You did not enter the commands I suggested.

The NAT configuration should be

object network R1

host 192.168.1.1

nat (inside,outside) static 192.168.1.1 service tcp 80 8080

You are trying to add the "nat" configuration in the global configuration space and not under the "object network R1"

So enter these in order wihtout entering any other command in between

object network R1

host 192.168.1.1

nat (inside,outside) static 192.168.1.1 service tcp 80 8080

The first one will create the "object" and move under its configuration space. The next one will add the "host" address under the "object". The last command will add the actual "nat" command under the "object" we created

Then you need the ACL to allow the traffic as described in my first reply. Naturally you will have to use an ACL that is attached with the "access-group" to your "outside" interface

- Jouni

Port to application mapping on asa

alkabeer80 — Tue, 05 Nov 2013 13:48:26 GMT

Hi, i manage to write command, but i am getting

R1#telnet 192.168.1.1 8080

Trying 192.168.1.1, 8080 ...

% Connection refused by remote host

Port to application mapping on asa

Jouni Forss — Tue, 05 Nov 2013 14:00:09 GMT

Hi,

Post your ACL configuration

show run access-list

show run access-group

If you have no ACL configured you could add

access-list OUTSIDE-IN permit tcp any object R1 eq 80

access-group OUTSIDE-IN in interface outside

But I presume you have an existing ACL attached to interface "outside" like in my above example so you could use that ACL to allow what I have allowed above.

Let me know if it works. Otherwise post the configurations so I can check what is needed

- Jouni

Port to application mapping on asa

alkabeer80 — Tue, 05 Nov 2013 14:08:52 GMT

hi,

ciscoasa(config)# sh run access-list
access-list l extended permit tcp any object R1 eq www
access-list l extended permit ip any any

ciscoasa# sh run access-group
access-group l in interface ouside

Thanks for all your help

Port to application mapping on asa

alkabeer80 — Tue, 05 Nov 2013 14:11:00 GMT

%ASA-6-302013: Built outbound TCP connection 44 for ouside:192.168.2.1/8080 (192.168.2.1/8080) to inside:192.168.1.1/29489 (192.168.1.1/29489)

%ASA-6-302014: Teardown TCP connection 44 for ouside:192.168.2.1/8080 to inside:192.168.1.1/29489 duration 0:00:00 bytes 0 TCP Reset-O

Port to application mapping on asa

alkabeer80 — Tue, 05 Nov 2013 14:11:44 GMT

%ASA-6-302013: Built inbound TCP connection 46 for ouside:192.168.2.1/42377 (192.168.2.1/42377) to inside:192.168.1.1/8080 (192.168.1.1/8080)

%ASA-6-302014: Teardown TCP connection 46 for ouside:192.168.2.1/42377 to inside:192.168.1.1/8080 duration 0:00:00 bytes 0 TCP Reset-I

Port to application mapping on asa

Jouni Forss — Tue, 05 Nov 2013 14:11:50 GMT

Hi,

The connection should work if you are connecting from R2 to R1 with the destination IP 192.168.1.1 and port TCP/8080. Or that is how I understood the original request below

Now i want to configure ASA to port map 80 to 8080,  telnet from R2 to R1 ( telnet 192.168.1.1 8080) , how can i do it ?

Your above example seems to be you connecting from the R1 to itself?

R1#telnet 192.168.1.1 8080

Trying 192.168.1.1, 8080 ...

% Connection refused by remote host

So test this from R2

- Jouni

Port to application mapping on asa

alkabeer80 — Tue, 05 Nov 2013 14:20:59 GMT

Hi, same thing i am getting

R2#telnet 192.168.1.1 8080

Trying 192.168.1.1, 8080 ...

% Connection refused by remote host

%ASA-6-302013: Built outbound TCP connection 53 for ouside:192.168.1.1/8080 (192.168.1.1/8080) to inside:192.168.2.1/55789 (192.168.2.1/55789)

%ASA-6-302014: Teardown TCP connection 53 for ouside:192.168.1.1/8080 to inside:192.168.2.1/55789 duration 0:00:00 bytes 0 TCP Reset-O

%ASA-7-609002: Teardown local-host inside:192.168.2.1 duration 0:00:00

%ASA-7-609002: Teardown local-host ouside:192.168.1.1 duration 0:00:00

Re: Port to application mapping on asa

Jouni Forss — Tue, 05 Nov 2013 14:24:45 GMT

Hi,

The logs dont match your original posts topology at all.

The log says R1 192.168.1.1 is located "outside" and the R2 192.168.2.1 is located "inside"?

Can you share the complete firewall configuration

Actually seems your other interface is called "ouside" and not "outside".

- Jouni

Port to application mapping on asa

alkabeer80 — Tue, 05 Nov 2013 14:34:03 GMT

ciscoasa# sh run

: Saved

ASA Version 8.4(2)

interface GigabitEthernet0

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

interface GigabitEthernet1

nameif outside

security-level 0

ip address 192.168.2.2 255.255.255.0

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

ftp mode passive

object network out

host 192.168.2.1

object network in

host 192.168.1.1

object service 80

service tcp destination eq www

object service 8080

service tcp source eq 8080

object network R1

host 192.168.2.1

access-list l extended permit ip any any

pager lines 24

logging enable

logging buffered debugging

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

object network R1

nat (outside,inside) static 192.168.2.1 service tcp www 8080

access-group l in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

Port to application mapping on asa

Jouni Forss — Tue, 05 Nov 2013 14:38:03 GMT

Hi,

There is different IP address used in the NAT configuration? The IP address of R2 even though you wanted to do the NAT for R1 IP address 192.168.1.1 to my understanding so that R2 could connec to 192.168.1.1 port TCP/8080 to reach the actual port TCP/80 on the R1 192.168.1.1?

If so then you would need to issue these commands which I suggested originally

object network R1

host 192.168.1.1

nat (inside,outside) static 192.168.1.1 service tcp 80 8080

- Jouni

Port to application mapping on asa

alkabeer80 — Tue, 05 Nov 2013 14:40:51 GMT

thx Jouni,

can u share good tutorial for such config ?

thxxxxxxxxxxxxxxxxxx

Port to application mapping on asa

Jouni Forss — Tue, 05 Nov 2013 14:42:28 GMT

Hi,

You could take a look at the document I have made here on the forums. It contains some examples of basic NAT configurations. It still work in progress

Here is the link

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

- Jouni