topic Re: Port Forwarding Issue in Network Security

Port Forwarding Issue

hadisharifi — Mon, 11 Mar 2019 21:03:31 GMT

Hi,

I am trying to port forward multiple ports on the same server using a single public IP address. The address is routable and not used elsewhere.

My configuration is as follows:

object network Layton

host 10.0.22.52

object service Feed1

service tcp destination eq 49152

object service Feed2

service tcp source range 43215 43216 destination range 43215 43216

object network Public

host 2.2.2.2

nat (DMZ,outside) source static Layton Public service Feed1 Feed1

nat (DMZ,outside) source static Layton Public service Feed2 Feed2

access-list outside_access_in extended permit object Feed1 any object Layton

access-list outside_access_in extended permit object Feed2 any object Layton

access-group outside_access_in in interface outside

This works when tested in Packet tracer but only with the source port as 49152 and not any other source port, even though I haven't configured any source port in the object service.

The log shows below:

Inbound TCP connection denied from x.x.x.x/57090 2.2.2.2/49152 flags SYN on interface outside.

Thanks

Port Forwarding Issue

varrao — Tue, 26 Jul 2011 06:36:17 GMT

Could you please take captures between the host and the server, it would meake it clear, where the connectionis being dropped:

https://supportforums.cisco.com/docs/DOC-1222

Thanks,

Varun

Port Forwarding Issue

hadisharifi — Wed, 27 Jul 2011 00:54:49 GMT

My aim is to port forward multiple ports on the same IP address:

I want ports 43215, 43216 and 49152 and going forward many other ports to 2.2.2.2 which is then forwarded to 10.0.22.52.

My original config in my first post doesn't work, however if I configure static nat for each port it does work.

object network Public

host 2.2.2.2

object network Layton43215

host 10.0.22.52

object Layton43215

nat (DMZ,outside) static Public service tcp 43215 43215

object Layton43216

nat (DMZ,outside) static Public service tcp 43216 43216

This means that I have to create a network bject for every port, any other solutions that will be better than this?

Thanks

Re: Port Forwarding Issue

varrao — Wed, 27 Jul 2011 03:15:52 GMT

Hi Hadi,

Could you please try this statement:

object service Feed2

service tcp destination range 43215 43216

object network Public

host 2.2.2.2

object network Layton

host 10.0.22.52

nat (outside,inside) source static any any destination static Public Layton service Feed2 Feed2

access-list outside_access_in extended permit object Feed2 any object Layton

access-group outside_access_in in interface outside

Can you try it and let me know??

Thanks,

Varun

Re: Port Forwarding Issue

hadisharifi — Fri, 29 Jul 2011 04:54:28 GMT

Thanks for your help. I haven't tried you last suggestion yet because I had to get this working. I created static auto nat and it woks like a charm.

However this means I have to create a new network object for every port and this could mean dozen of network object for the same host with different ports.

Looking at the log messages, I see that with the policy nat as in my original post. The traffic is denied because its destination IP is the NATed address and not the real address. Where as with every other log messages it's the real address as the destination. The access list is configured to allow traffic on those ports to the real address and not the nated address. I have tested this with both and the same result. When I use packet tracer, it first UNNATs and then allows the packet.

I hope the above makes sense. There must be something that I am doing wrong.

Thanks

Port Forwarding Issue

varrao — Fri, 29 Jul 2011 08:41:33 GMT

Hi Hadi,

All your concerns are correct and genuine. With post 8.3, there are many changes in the syntax as well as logic with NAT and ACL. Pre 8.3 you are right, you would open ports for your Natted IP in the ACL but post 8.3, the packet flow has changed a bit, whenever a packet hits the firewall, it would first hit the NAT rule and after translating the natted ip to real ip , then the ACL is hit, and thats y u open ports for the real ip. Now you would be confused what was the need for it, so I'll say, consider a situation where, you have changed the ISP and the new ISP gives you another range of ip's to be used, so before 8.3, you would have to change the ACL and NAT both, but post 8.3 you just need to change the NAT rules and you are done So it does have adavantages.

Moreover, if you have to add multiple ports, you need not create an object each time, just create an object-group and keep adding ports if you need it for a particular host.

Let me know if you have any more questions for me.

Hope this was helpful.

Thanks,

Varun

Port Forwarding Issue

hadisharifi — Fri, 29 Jul 2011 09:28:38 GMT

Thanks for the calrification, I have read further and your post cleared it up, so thanks. However the original config still doesn't work and I still need to get that solution working where I have a single object with the real IP and one for translated IP, and I will add the ports as necessarry. However this doesn't work and the syslog shows that the ACL is blocking connection to the translated IP and not the real IP. This to my limited knowledge means there is something wrong with NAT. Every other ACL in the syslog shows that the ACL is checking the connection against the real IP address and not the translated.

Thanks