topic Re: Port Forwarding ASA 5505 in Network Security

Port Forwarding ASA 5505

Amir Eskandari — Tue, 12 Mar 2019 02:38:44 GMT

Hi there,

I have a test lab at home.

Verizon => Verizon Firewall => ASA 5505 => Computers

Right now I have access to the Internet from my computers after the ASA

I have installed ASDM 7.1 with ASA 9.1.2 but it is a shame for me I cannot work with it.

I would like to setup a port forwarding to remote desktop to one of my computers after the ASA.

Would you please advise me how can I do it through ASDM OR Putty

There is not any help for the new version of ASDM on the web

Thank You in Advance for Your Time

My ASA configuration:

=====================================

CiscoASA5505(config)# show run

: Saved

ASA Version 9.1(2)

hostname CiscoASA5505

domain-name xyx.com

enable password 8Ry2YjIyt7RRXU24 encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

boot system disk0:/asa912-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name xyx.com

object network obj-192.168.20.0

subnet 192.168.20.0 255.255.255.0

object-group network static-pat

access-list outside_in extended permit icmp any4 any4 echo-reply

access-list outside_in extended deny ip any4 any4 log

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network obj-192.168.20.0

nat (inside,outside) dynamic interface

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.20.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.20.5-192.168.20.36 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:5d50f214ec6a6a34d3186bc61e63bc09

: end

=======================================

Port Forwarding ASA 5505

Jouni Forss — Sun, 15 Sep 2013 15:26:50 GMT

Hi,

You would need to configure something like this

object network PC

host 192.168.20.x

nat (inside,outside) static interface service tcp 3389 3389

access-list outside_in line 1 remark Allow RDP

access-list outside_in line 2 permit tcp any object PC eq 3389

The problem to me seems to be that you might have another device in front of the ASA which holds the actual public IP address?

If that is the case then you would have to do Static PAT (Port Forward) on that device too.

- Jouni

Port Forwarding ASA 5505

Amir Eskandari — Sun, 15 Sep 2013 16:39:30 GMT

Hi Jouni,

Thank you so much for your reply.

Actually I knew the part between my home firewall and the ASA

it is working now.

Again Thanks a lot

Re: Port Forwarding ASA 5505

Amir Eskandari — Mon, 02 Dec 2013 04:05:36 GMT

Hello Jouni,

Someting strange happend in my place, suddenly I lost my internet connection. I reboot my firewall, and after 10 minutes I checked my test network after ASA5505

my computers do not have access to internet !!!??????

I guess when I applied your instruction previously I did not save my runnig config.

I added your instruction again but still I do not have access to internet.

Map:

Verrizon -> Firewall -> ASA -> My Test Lab (No Internet)

|--> My other devicess (Have Internet)

I have checked the cables and they are fine.

I am not sure if my ip address for the command below is correct

object network PC
host 192.168.20.1

=========================================

My Setting in the ASA is:

CiscoASA5505# show run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
domain-name abc.com
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name abc.com
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network PC
host 192.168.20.1
object-group network static-pat
access-list outside_in remark Allow RDP
access-list outside_in extended permit tcp any object PC eq 3389
access-list outside_in extended permit icmp any4 any4 echo-reply
access-list outside_in extended deny ip any4 any4 log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.20.0
nat (inside,outside) dynamic interface
object network PC
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e2b6b49bfe5ac8fe1c8c359e845f4350
: end

=========================

CiscoASA5505(config)# show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outside_in; 3 elements; name hash: 0xc5896c24

access-list outside_in line 1 remark Allow RDP

access-list outside_in line 2 remark Allow RDP

access-list outside_in line 3 extended permit tcp any object PC eq 3389 (hitcnt=0) 0xde73064f

access-list outside_in line 3 extended permit tcp any host 192.168.20.1 eq 3389 (hitcnt=0) 0xde73064f

access-list outside_in line 4 extended permit icmp any4 any4 echo-reply (hitcnt=0) 0x166f77cb

access-list outside_in line 5 extended deny ip any4 any4 log informational interval 300 (hitcnt=0) 0xb1248d92

Re: Port Forwarding ASA 5505

Amir Eskandari — Tue, 03 Dec 2013 02:07:30 GMT

Any idea?

Re: Port Forwarding ASA 5505

Vincent Lê — Tue, 03 Dec 2013 03:33:13 GMT

I can see the problem from your config is your vlan1 ip the same with object network PC

interface Vlan1
nameif inside
security-level 100
ip 192.168.20.1 255.255.255.0

object network PC
host 192.168.20.1

Sent from Cisco Technical Support iPhone App

Re: Port Forwarding ASA 5505

Amir Eskandari — Tue, 03 Dec 2013 13:44:41 GMT

Hello,

Thank you so much for your reply.

Would you please advise me know what should the IP address be instead of ?

object network PC

host 192.168.20.?

Thank you in advance for your time

Amir

Port Forwarding ASA 5505

Jouni Forss — Tue, 03 Dec 2013 13:47:51 GMT

Hi,

The IP address should be the IP address of your actual PC behind the ASA. Not the ASA interface IP address.

The IP address defined under the object defines the IP address for which we want to do the NAT translation for.

I dont think your PCs actual local IP address was mentioned at any point so I dont know what that is.

- Jouni

Re: Port Forwarding ASA 5505

Amir Eskandari — Tue, 03 Dec 2013 13:51:22 GMT

Hello Jouni,

Thank you so much for your reply.

Now I know what the number should be.

Let me fix it tonight I will update you for the result as soon as I modified it.

Thank you for your time

Amir

Re: Port Forwarding ASA 5505

Amir Eskandari — Wed, 04 Dec 2013 02:22:03 GMT

Hello Jouni,

Please be informed I decided to erase my ASA and reconfigure it.

I did not know that NAT command after version 8.3 has been changed. so all of my instructions are worthless now

I found the link below to translate the NAT command:

https://supportforums.cisco.com/docs/DOC-9129

global (outside) 10 interface

nat (inside) 10 192.168.20.0 255.255.255.0

I thought the command below is equal to the above

object network obj-192.168.20.5_192.168.20.36
   range 192.168.20.5 192.168.20.36
 object network obj-192.168.20.0
   subnet 192.168.20.0 255.255.255.0
   nat (inside,outside) dynamic 
            obj-192.168.20.5_192.168.20.36 interface

Now inside does not have access to outside

At the moment I am lost.

Amir

=====================

CiscoASA5505(config)# show run

: Saved

ASA Version 9.1(2)

hostname CiscoASA5505

enable password 8Ry2YjIyt7RRXU24 encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ftp mode passive

object network obj-19

object network obj-192.168.20.5_192.168.20.36

range 192.168.20.5 192.168.20.36

object network obj-192.168.20.0

subnet 192.168.20.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

object network obj-192.168.20.0

nat (inside,outside) dynamic obj-192.168.20.5_192.168.20.36 interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.20.5-192.168.20.36 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

service-policy global_policy global

prompt hostname context

call-home reporting anonymous prompt 2

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:ba24bb28656db6af40b0efd20166b2fa

: end

Re: Port Forwarding ASA 5505

Vincent Lê — Wed, 04 Dec 2013 03:43:13 GMT

Hello Amir

This will help you at least have access to outside, and afterward you can configured your firewall by your need.

interface vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

interface vlan2

nameif outside

security-level 0

ip address dhcp setroute

interface eth0/0

description "Connect to ISP"

switchport access vlan2

object network internal_lan.obj

subnet 192.168.20.0 255.255.255.0

nat (inside,outside) dynamic interface

Best regards,

Re: Port Forwarding ASA 5505

Amir Eskandari — Wed, 04 Dec 2013 13:23:09 GMT

Hello mynet4lab,

Thank you so much for your reply.

let me try it tonight, I will update the disccusion as soon as I apply the new command.

Again Thank you

Amir

Re: Port Forwarding ASA 5505

Amir Eskandari — Sun, 08 Dec 2013 04:21:10 GMT

My Friends,

Thank you so much for your helps.

Right now I find out what happend to my system.

Last week Verizon has changed my IP address and I did not pay attention to this matter.

So I wiped out amy ASA (how silly was I)

1- I had to reconfigure the ASA and then fix the issue to connect inside and outside see the link below:

https://supportforums.cisco.com/message/4111695#4111695

Good experience again

2- Then set the boot image to 912 (how? refer to the link above JouniForss' email dated Dec 5, 2013 12:49 AM)

3 - Then run the commands base on JouniFross' instruction (this link (go above to) dated Sep 15, 2013 9:26 AM)

Note: the commands run when the boot system is:912 (please correct me if I am wrong)

4- Then reset my new IP on my host.

5- Reset my new IP on my firewall.

Now everything is working

Thank you so much Jouni for your fantastic support. God Bless you.

Amir