topic Help with port forwarding ASA5505 v8.2 in Network Security

Help with port forwarding ASA5505 v8.2

paul.awad — Tue, 12 Mar 2019 01:29:35 GMT

Hi,

Having an issue doing a port translation on an ASA5505 for RDP.

I have a /29 allocated by ISP and when I port forward the address assigned to the outside interface RDP works perfectly, however when I try to use another IP within the /29 range, I get nothing.

I am only new to ASA so please forgive if this is something obvious...

Relevant config is:

interface Vlan1

nameif inside

security-level 100

ip address 10.1.12.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.217 255.255.255.248

access-list OUTSIDE-IN extended permit tcp any host X.X.X.218 eq 3389

static (inside,outside) X.X.X.218 10.1.12.10 netmask 255.255.255.255 sh run acces

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group OUTSIDE-IN in interface outside

When I used the outside IP address and it worked perfectly, config difference was only

access-list OUTSIDE-IN extended permit tcp any host X.X.X.217 eq 3389

static (inside,outside) tcp X.X.X.217 3389 10.1.12.10 3389 netmask 255.255.255.255

Any help would be greatly appreciated

Re: Help with port forwarding ASA5505 v8.2

Jouni Forss — Tue, 16 Apr 2013 20:01:24 GMT

Hi,

The only 2 reasons that come to mind fast is that you either

Have this configuration enabled

sysopt noproxyarp outside

In which case insert this command

no sysopt noproxyarp outside

The ISP has done something wrong on their end

So can you first check "show run sysopt" and share the output with us

- Jouni

Re: Help with port forwarding ASA5505 v8.2

paul.awad — Tue, 16 Apr 2013 20:10:53 GMT

Thanks Jouni for the quick response...

Wish that were the answer... a sh run sysopt gives nothing... I added the no sysopt command and still no joy.

I had thought about calling the ISP however this ASA is a replacement of an PIX which I only just put into place. Under the PIX, that IP address responded.

Do you know what else could be causing this...?

Help with port forwarding ASA5505 v8.2

Jouni Forss — Tue, 16 Apr 2013 20:20:05 GMT

Hi,

Well you can check the ASA configurations fast with the "packet-tracer" command

packet-tracer intput outside tcp 1.2.3.4 12345 x.x.x.218 3389

This would simulate a connection coming from behind "outside" interface from source address 1.2.3.4 with source port 12345 to your Static NAT IP address of the server.

This should tells us if the ASA configuration are fine for the most part.

If you have a host outside your network that can be used to test connectivity I would check if the ACL rule gets any hits

Also when testing configurations and frequently changing NAT configurations I would suggest using "clear xlate local " to clear any possible old NAT translations active on the firewall (they may remain even if the commands have been removed)

You can also use "show xlate | inc " to check the active translations for your host

- Jouni

Re: Help with port forwarding ASA5505 v8.2

paul.awad — Tue, 16 Apr 2013 20:30:20 GMT

Jouni,

OK..., packet tracer output shows allow on all points which is confusing

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

After the packet tracer there was 1 match on my outside access list... cleared the counters and tried to connect via an external IP... and 0 matches!!!

Have also cleared the xlate and still nothing...

Help with port forwarding ASA5505 v8.2

Jouni Forss — Tue, 16 Apr 2013 20:36:06 GMT

Yes, the "packet-tracer" command generates hitcounts on the ACLs when used.

There shouldnt really be many possibilities why this would not work.

If indeed you have not disabled Proxy ARP on the "outside" (which seemed to be ok) and have cleared Xlates and allowed the traffic and the "packet-tracer" goes through then I cant see any other reasons other than the ISP.

Wonder if doing Trace Route from a Internet host towards both the ASA interface IP address and this extra IP used for the Static NAT would show up differently. This could perhaps provide some information if the ISP has indeed messed up something.

- Jouni

Help with port forwarding ASA5505 v8.2

paul.awad — Tue, 16 Apr 2013 21:25:58 GMT

Hi Jouni,

Traceroute follows the same path up until the interface IP address and does not go any further, although I am not allowing ping/traceroute to the other IP addresses, only the outside interface IP...

Seems like it is routed to the right place from ISP point of view.

Any other suggestions? Really appreciate your help and quick repsonses on this.

Help with port forwarding ASA5505 v8.2

Jouni Forss — Tue, 16 Apr 2013 21:33:42 GMT

Hi,

Just to be sure, would it be possible to see your ASAs whole configuration (with masked public IP addresses ofcourse)

To be able to go through them.

You can also use traffic capture on the ASA itself to confirm if ANY traffic is coming towards the extra public IP address

access-list CAPTURE permit ip any host x.x.x.218

access-list CAPTURE permit ip host x.x.x.218 any

capture CAPTURE type raw-data access-list CAPTURE interface outside buffer 1000000

Then test from the Internet and use the commands

show capture

and

show capture CAPTURE

To see if any traffic reaches your ASA. If not I cant think of anything else at the moment than ISP configurations or some device infront of the ASA causing problems.

- Jouni

Help with port forwarding ASA5505 v8.2

paul.awad — Tue, 16 Apr 2013 22:04:16 GMT

Hey Jouni,

Packet capture gave me this output which didnt have any TCP 3389... but had some random UDP ports only?

1: 21:54:55.108377 802.1Q vlan#2 P0 X.X.X.218.63420 > 208.67.222.222.53: udp 44

2: 21:54:58.751929 802.1Q vlan#2 P0 X.X.X.218.63420 > 208.67.220.220.53: udp 44

3: 21:54:59.492238 802.1Q vlan#2 P0 X.X.X.218.63976 > 208.67.222.222.53: udp 45

4: 21:55:02.807468 802.1Q vlan#2 P0 X.X.X.218.63207 > 216.239.34.10.53: udp 55

5: 21:55:02.807651 802.1Q vlan#2 P0 X.X.X.218.63976 > 208.67.220.220.53: udp 45

6: 21:55:06.863495 802.1Q vlan#2 P0 X.X.X.218.63414 > 199.253.183.183.53: udp 56

7: 21:55:24.599563 802.1Q vlan#2 P0 X.X.X.218.65039 > 208.67.222.222.53: udp 42

Config is below:

ASA Version 8.2(5)

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 3

interface Ethernet0/2

description TO LAN

interface Ethernet0/3

description TO LAN

interface Ethernet0/4

description TO LAN

interface Ethernet0/5

description TO LAN

interface Ethernet0/6

description TO LAN

interface Ethernet0/7

description TO LAN

interface Vlan1

description TO LAN

nameif inside

security-level 100

ip address 10.1.12.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.217 255.255.255.248

interface Vlan3

shutdown

no forward interface Vlan2

nameif backup

security-level 0

ip address X.X.X.42 255.255.255.252

ftp mode passive

dns server-group DefaultDNS

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group icmp-type ICMP

description ICMP types permitted

icmp-object echo

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list OUTSIDE-IN remark TRAFFIC PERMITTED TO ENTER THE OUTSIDE INTERFACE

access-list OUTSIDE-IN extended permit tcp any host X.X.X.218 eq 3389

access-list OUTSIDE-IN extended permit icmp any interface outside object-group ICMP

access-list INSIDE-IN remark INSIDE ACCESS

access-list INSIDE-IN extended permit tcp any any

access-list INSIDE-IN extended permit ip any any

access-list INSIDE-IN extended permit icmp any any

access-list BACKUP-IN remark TRAFFIC PERMITTED TO ENTER THE BACKUP INTERFACE

access-list BACKUP-IN extended permit icmp any interface backup object-group ICMP

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu backup 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

global (backup) 1 interface

nat (inside) 0 access-list NO-NAT

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) X.X.X.218 10.1.12.10 netmask 255.255.255.255

access-group INSIDE-IN in interface inside

access-group OUTSIDE-IN in interface outside

access-group BACKUP-IN in interface backup

route outside 0.0.0.0 0.0.0.0 X.X.X.222 1 track 1

route backup 0.0.0.0 0.0.0.0 X.X.X.41 254

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 1

type echo protocol ipIcmpEcho X.X.X.X interface outside

num-packets 3

frequency 10

sla monitor schedule 1 life forever start-time now

track 1 rtr 1 reachability

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

Re: Help with port forwarding ASA5505 v8.2

Jouni Forss — Tue, 16 Apr 2013 22:11:40 GMT

Hi,

So we are only seeing the host using the Static NAT IP address is trying to do DNS querys but receives no reply.

I would still bet that some device in front of the ASA is causing this or the ISP has configured something wrong.

Sometimes when replacing the firewall it might be possible that the ISP still has an old ARP table marking for the IP address (Public IP -> PIX MAC address).

If the setting is at its default it would mean that it would take 4 hours to clear and after that update with the MAC of the new ASA (instead of the PIX MAC) Naturally you could test this with the PIX if it indeed had this Static NAT also.

Then again the interface IP address is functioning ok so I am not sure about that. The way a device might update the upsteam devices ARP is Gratuitous ARP. I am not sure if ASA does this.

- Jouni

Help with port forwarding ASA5505 v8.2

paul.awad — Wed, 17 Apr 2013 14:49:32 GMT

Hi Jouni,

Still the same... I am going to give up on this for the time being as I cant be bothered trying to explain this to customer service at the ISP... will end up wasting more time. I have forwarded all RDP to the interface IP and all works there so there is no need at this point to continue. Whn in fact I need another IP from the /29, will chase up the ISP then...

Thanks very much for your help.

Help with port forwarding ASA5505 v8.2

Jouni Forss — Wed, 17 Apr 2013 15:14:25 GMT

Ok,

Shame we couldnt get this to work.

Unless there is somekind of misstype/typo in the IP addresses then I dont know what the problem could have been on your side.

Maybe if you get this solved at some point with the ISP you could let us know that the problem was if it indeed was on the ISP side.

- Jouni