topic PAT with a single public IP and several servers behind firewall in Network Security

PAT with a single public IP and several servers behind firewall

moogeboo1 — Tue, 12 Mar 2019 00:26:49 GMT

Hi,

New to the ASA 5505 8.4 software version, but here is what I'm trying to do:

Single static public IP: 16.2.3.4

Need to PAT several ports to three separate servers behind firewall

One server houses email, pptp server, ftp server and web services: 10.1.20.91

One server houses drac management (port 445): 10.1.20.92

One server is the IP phone server using a range of ports: 10.1.20.156

Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.

Here is what I have. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?

ASA Version 8.4(4)1

hostname kaa-pix

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 10.1.20.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 16.2.3.4 255.255.255.0

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network server_smtp

host 10.1.20.91

object service Port_25

service tcp source eq smtp

object service Port_3389

service tcp source eq 3389

object service Port_1723

service tcp source eq pptp

object service Port_21

service tcp source eq ftp

object service Port_443

service tcp source eq https

object service Port_444

service tcp source eq 444

object network drac

host 10.1.20.92

object service Port_445

service tcp source eq 445

access-list acl-out extended permit icmp any any echo-reply

access-list acl-out extended permit icmp any any

access-list acl-out extended permit tcp any interface outside eq pptp

access-list acl-out extended permit tcp any object server_smtp eq smtp

access-list acl-out extended permit tcp any object server_smtp eq pptp

access-list acl-out extended permit tcp any object server_smtp eq 3389

access-list acl-out extended permit tcp any object server_smtp eq ftp

access-list acl-out extended permit tcp any object server_smtp eq https

access-list acl-out extended permit tcp any object server_smtp eq 444

access-list acl-out extended permit tcp any object drac eq 445

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static server_smtp interface service Port_25 Port_25

nat (inside,outside) source static server_smtp interface service Port_3389 Port_

3389

nat (inside,outside) source static server_smtp interface service Port_1723 Port_

1723

nat (inside,outside) source static server_smtp interface service Port_21 Port_21

nat (inside,outside) source static server_smtp interface service Port_443 Port_4

nat (inside,outside) source static server_smtp interface service Port_444 Port_4

nat (inside,outside) source static drac interface service Port_445 Port_445

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 16.2.3.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

prompt hostname context

no call-home reporting anonymous

Re: PAT with a single public IP and several servers behind firew

lcambron — Thu, 22 Nov 2012 19:40:18 GMT

Hello,

The configuration looks good for SMTP.

PPTP also uses GRE which cannot be configured with port forward since it doesn't use a specific port or range of ports.

Which ones are not working?

Have you tried packet tracer for the nonworking ones?

packet in outside tcp 8.8.8.8 1025 16.2.3.4 25

Regards,

Felipe

Security Team

Re: PAT with a single public IP and several servers behind firew

moogeboo1 — Fri, 14 Dec 2012 07:48:08 GMT

Thanks Lcambron...I got PPTP to work. Everything else works fine. I can access email, access my web server, FTP server, and PPTP server. However, from the above configuration, I cannot access my DRAC over the internet..The DRAC runs on a different internal server, and over port 445. So I have th following lines:

object network drac

host 10.1.20.92

object service Port_445

service tcp source eq 445

access-list acl-out extended permit tcp any object drac eq 445

nat (inside,outside) source static drac interface service Port_445 Port_445

Am I missing something here? Internally, i can telnet to port 445 on 10.1.20.92, so I know it is listening. However, externally, i cannot telnet to my external ip address of the ASA through port 445.

Thanks

PAT with a single public IP and several servers behind firewall

Jouni Forss — Fri, 14 Dec 2012 15:33:46 GMT

Hi,

I personally configure the Port Forward NATs with a different way.

For example the above mentioned case i would configure in the following way (while removing the old one)

object network DRAC

host 10.1.20.92

nat (inside,outside) static interface service tcp 445 445

access-list OUTSIDE-IN permit tcp any object DRAC eq 445

Same type of format could be applied to any Port Forward configured (if needed)

- Jouni

PAT with a single public IP and several servers behind firewall

moogeboo1 — Sat, 15 Dec 2012 18:32:17 GMT

Thanks JouniForss.

I implemented your commands and removed the ones from my configuration, and yet I still cannot reach the DRAC interface over port 445. I know the DRAC is listening on port 445, as i can access the DRAC interface internally at https://10.1.20.92:445. However, when trying to telnet to port 445 on the external IP address, I get connection failed.

Any other ideas?

Thanks

PAT with a single public IP and several servers behind firewall

Jouni Forss — Sat, 15 Dec 2012 21:29:00 GMT

Hi,

Even though you stated that everything else works, I just have to ask, have you attached the ACL to the outside interface? I cant see the "access-group" command in the above configuration which would attach the ACL in question to the interface. (Then again I guess theres some other configurations that hasnt been attached there?)

Since looking at the configurations it seems that all the other Port Forwards are done to another server, is this server configured with a correct default gateway so the return traffic for the test from Internet would find a route back? It wouldnt need this default route for the connections to work inside the same subnet/LAN.

Can you connect to the firewall with ASDM and use the Monitor/Logging on it and at the sametime test the connection from Internet? See what the logs say and copy/paste them here. Make sure the ASDM logging is set to "informational" atleast

This can be done with "logging asdm infromational" from CLI or from the ASDM settings themselves.

- Jouni

PAT with a single public IP and several servers behind firewall

Peter Koltl — Sat, 15 Dec 2012 21:42:43 GMT

watch

show conn detail long | i 10.1.20.92

output while connecting

Are you sure it is 445 and not 443?

PAT with a single public IP and several servers behind firewall

moogeboo1 — Mon, 17 Dec 2012 08:22:55 GMT

Yes, I have the following command:

access-group acl-out in interface outside

When viewing ADSM and logging, when I try to access Https:\\16.2.3.4:445 from the internet, it doesn't even show an entry in the log coming from the machine on the internet.

I know port 445 is on, because internally, i can go to https://10.1.20.92:445 and access the DRAC interface. The gateway is correct at 10.1.20.1.

Thanks,

PAT with a single public IP and several servers behind firewall

moogeboo1 — Mon, 17 Dec 2012 08:24:22 GMT

Peter,

Yes, it is on port 445, rather than 443, because another internal server is listening on 443 (10.1.20.91) so this server (10.1.20.92) had to be changed to use port 445. I know it is correct, because internally, I can access https://10.1.20.92:445 just fine.

Thanks,

PAT with a single public IP and several servers behind firewall

Jouni Forss — Mon, 17 Dec 2012 08:55:28 GMT

Hi,

Usually port TCP/445 is used for something totally different than you are using.

Is the possibility that your ISP is blocking the said port on their side as you said you never even see the connection attempt?

Could you try Port Forward some other random port and try again with the new port?

- Jouni

PAT with a single public IP and several servers behind firewall

moogeboo1 — Tue, 18 Dec 2012 05:53:57 GMT

Thanks Jouni...You were right. The ISP was blocking port 445, thus it did not work. Thanks for the pointer...I was puzzled as to why the config was not working when everything looked correct. Changing the port on the DRAC side did the trick. Thanks again!

Mooge

PAT with a single public IP and several servers behind firewall

Jouni Forss — Tue, 18 Dec 2012 07:02:48 GMT

Hi,

Glad it worked out.

I have recently run into this issue a couple of times when old devices previously (or even currently) used for "gathering" DSLAMs have had filter configurations in them to limit the ports used by Windows machines for file sharing etc. This has caused some problems between customers connection between branches. Whats made the situation even more wierd has been that usually they've been L2 directly connected to the firewall and yet firewall sees even no connection attempts

Had to scratch my head a bit when this first happened

- Jouni