topic Port Range Forwarding on post 8.3 ASA in Network Security

Port Range Forwarding on post 8.3 ASA

sam — Mon, 11 Mar 2019 20:42:00 GMT

I have an ASA 5505 on a job. It is a smaller business that would have done better with an RV082, but they have what they have. It is running firmware 8.4. The client needed ports forwarded for their FTP server. The port range in this config is tcp 43333-43339. The FTP server ip is 192.168.1.2. The topology is:

Modem >> ASA >> Switch (unmanaged) >> FTP_Server

I need a more concise way of port forwarding a range if that exists.

---- Redacted

object network obj-nat_any

subnet 0.0.0.0 0.0.0.0

object network obj-FTP43333

host 192.168.1.2

object network obj-FTP43334

host 192.168.1.2

object network obj-FTP43335

host 192.168.1.2

object network obj-FTP43336

host 192.168.1.2

object network obj-FTP43337

host 192.168.1.2

object network obj-FTP43338

host 192.168.1.2

object network obj-FTP43339

host 192.168.1.2

object network obj-192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object-group service PassiveFTP tcp

port-object range 43333 43339

access-list outside_access_in extended permit tcp any host 192.168.1.2 object-group PassiveFTP

---- Redacted

object network obj-nat_any

nat (inside,outside) dynamic interface

object network obj-FTP43333

nat (inside,outside) static interface service tcp 43333 43333

object network obj-FTP43334

nat (inside,outside) static interface service tcp 43334 43334

object network obj-FTP43335

nat (inside,outside) static interface service tcp 43335 43335

object network obj-FTP43336

nat (inside,outside) static interface service tcp 43336 43336

object network obj-FTP43337

nat (inside,outside) static interface service tcp 43337 43337

object network obj-FTP43338

nat (inside,outside) static interface service tcp 43338 43338

object network obj-FTP43339

nat (inside,outside) static interface service tcp 43339 43339

object network obj-192.168.1.0_24

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

---- Redacted

The only other thing to point out is this the changed syntax, so alot of help out there is more or less useless on this topic.

I had to throw this together and it is working, but a headache to work with.

Let me know if more detail or clarification is needed. Thanks!

Background: I have my CCNA as a networking base, then went the way of server administration.

Re: Port Range Forwarding on post 8.3 ASA

varrao — Thu, 02 Jun 2011 19:05:27 GMT

Hi Sam,

Instead of creating multiple objects for your FTP server, you would just need one object group.

object network obj-FTP

host 192.168.1.2

object service PassiveFTP tcp

service tcp destination range 43333 43339

nat (outside,inside) source static any any destination static interface obj-FTP services PassiveFTP tcp PassiveFTP tcp

access-list outside_access_in extended permit tcp any host 192.168.1.2 range 43333 43339

access-list outside_access_in in interface outside.

and this should work for you.

Hope this helps.

Thanks,

Varun

Re: Port Range Forwarding on post 8.3 ASA

sam — Thu, 02 Jun 2011 20:30:21 GMT

Thank you for the response!

Removing the prior config I had, and using the following did not work.

object network obj-FTP

host 192.168.1.2

object service PassiveFTP

service tcp destination range 43333 43339

nat (outside,inside) source static any any destination static interface obj-FTP services PassiveFTP tcp

access-list outside_access_in extended permit tcp any host 192.168.1.2 range 43333 43339

access-group outside_access_in in interface outside

When typing in the nat command I revieved a syntax error on the bold errors on the following commands:

object service PassiveFTP tcp

nat (outside,inside) source static any any destination static interface obj-FTP services PassiveFTP tcp PassiveFTP tcp

access-list outside_access_in in interface outside

I changed them to the following:

object service PassiveFTP

nat (outside,inside) source static any any destination static interface obj-FTP services PassiveFTP tcp

access-group outside_access_in in interface outside

However this did not allow me to connect to the FTP. Restoring my startup-config brought everything back online.

One thing I would like to note is shouldn't the nat command actually be:

nat (inside,outside) source static any any destination static interface obj-FTP services PassiveFTP tcp

Trying this did not work either. But I believe it is correct as (inside,outside), am I wrong?

Re: Port Range Forwarding on post 8.3 ASA

varrao — Fri, 03 Jun 2011 06:08:23 GMT

Hi Sam,

The complete and correct commands to be entered is :

object network obj-FTP

host 192.168.1.2

object service Passive_FTP

service tcp destination range 43333 43339

nat (outside,inside) source static any any destination static interface obj-FTP services Passive_FTP Passive_FTP

access-list outside_access_in extended permit tcp any host 192.168.1.2 range 43333 43339

access-list outside_access_in in interface outside

and the above nat command is same or equal to:

nat (inside,outside) source static obj-FTP interface services Passive_FTP Passive_FTP

ASA 8.3 natting is flow based, so both commands hold true.

Both the nat statements are same, if you are still getting any syntax error kindly copy paste the command that you are typing along with the error message.

Thanks,

Varun

Re: Port Range Forwarding on post 8.3 ASA

sam — Fri, 03 Jun 2011 15:22:01 GMT

No thats it. That worked great. I saw the error in the commands as well.

I was able to adapt it with the desired results in a few areas, so I believe I understand the commands now.

Guess I should have looked into 8.3 nat commands a little more than focus on IPv6, like any business will ever switch to that!

Thanks

Port Range Forwarding on post 8.3 ASA

savi.thomas — Sun, 25 Dec 2011 22:10:26 GMT

Hi Varun

I am trying to setup port fording for my ASA 5505 running ASDM 8.4 for our Asterisk Server. I tried to follow your configurations and it looks like the settings dosen't works well for me. I entered following commands.

object network obj-RTP

host 10.10.0.3

object service Passive_RTP

service udp destination range 10000 20000

nat (outside,inside) source static any any destination static interface obj-RTP service Passive_RTP Passive_RTP

nat (inside,outside) source static obj-RTP interface service Passive_RTP Passive_RTP

I had to change services to service for the command to work, with services I was getting following error

nat (outside,inside) source static any any destination static interface obj-FTP

services Passive_RTP Passive_RTP

ERROR: % Invalid input detected at '^' marker. nat (outside,inside) source static any any destination static interface obj-FTP
services Passive_RTP Passive_RTP
^
ERROR: % Invalid input detected at '^' marker.

My expertise with CLI is minimal to nothing, can you help me on how to configure it using ASDM. Creating NAT obj using ASDM works great as I am able to create entries for SIP and HTTP. But creating individual entries for 10000 ports is not practical.

Thanks in advance

Savi

Port Range Forwarding on post 8.3 ASA

genivos1976 — Mon, 17 Dec 2012 07:35:39 GMT

I've been struggling with the same issue here. I'm running the 9.0.x version on my ASA5505. The given solutions don't work. I've tried the following to setup secure FTP (tried non-secure FTP as well, with the same negative result):

object network obj-FTP

host 192.168.1.2

object service PassiveFTP tcp

service tcp destination range 43333 43339

nat (outside,inside) source static any any destination static interface obj-FTP service PassiveFTP tcp PassiveFTP tcp

access-list outside_access_in extended permit tcp any host 192.168.1.2 range 43333 43339

access-list outside_access_in in interface outside

I have tried sereval options in one NAT rule with a port range without success. The only thing how I could get this to work is to make separate NAT rules for each passive port. Since I need only 10 passive ports to be opened, it is not really a problem but .. it doesn't seem like a desirable solution. Imagine when you have to open 500 ports. I'm curious what is the cause that it won't work with a port range and if someone ever found a proper solution for this (to compare, on a LinkSys E4200 I got this to work without any problem, specified a port range for passive FTP and it worked like a charm, I know this is a completely different device but .. hard to believe it won't work on an ASA).

Re: Port Range Forwarding on post 8.3 ASA

Jay Johnston — Mon, 17 Dec 2012 15:03:43 GMT

Remco, this is due to a new bug we've found with the 9.0 and 9.1 versions of software.

CSCud70110 Manual NAT rule with service port range not matched correctly

The workarounds are:

1) Create an individual port map NAT statement for each port in the range (you've already discovered this)

-or-

2) Downgrade to version 8.4 until we have the bug fixed

Here are the full details of the bug:

Symptom 
Traffic that should match a configured manual NAT rule that uses a range of service ports will fail to match correctly. This results in connections not completing.

Conditions
This problem is seen if a manual NAT configuration includes a service object with a range of ports. Below is an example:

!
object network test_local
 host 192.168.1.4
object network test_global
 host 10.0.0.5
object service test_service_range
 service tcp source range 5000 5005 
!
nat (inside,outside) source static test_local test_global service test_service_single test_service_single
!

Traffic arriving on the outside interface destined to the IP 10.0.0.5 and with destination TCP ports between 5000 and 5005 will not match this translation.

Workaround
Downgrade to version 8.4

-or-

Change the NAT rule so that it uses a single port, instead of a range of ports. This might require adding multiple service objects, as well as more NAT rules.

Example:
!
object network test_local
 host 192.168.1.4
object network test_global
 host 10.0.0.5
object service test_service_5000
 service tcp source range 5000 
object service test_service_5001
 service tcp source range 5001
object service test_service_5002
 service tcp source range 5002 
object service test_service_5003
 service tcp source range 5003 
object service test_service_5004
 service tcp source range 5004 
object service test_service_5005
 service tcp source range 5005 
!
nat (inside,outside) source static test_local test_global service test_service_5000 test_service_5000
nat (inside,outside) source static test_local test_global service test_service_5001 test_service_5001
nat (inside,outside) source static test_local test_global service test_service_5002 test_service_5002
nat (inside,outside) source static test_local test_global service test_service_5003 test_service_5003
nat (inside,outside) source static test_local test_global service test_service_5004 test_service_5004
nat (inside,outside) source static test_local test_global service test_service_5005 test_service_5005
!

The bug is being worked on now. Once we get it fixed, the range of ports in the NAT configuration should work.

Port Range Forwarding on post 8.3 ASA

genivos1976 — Mon, 17 Dec 2012 21:10:18 GMT

Thank you kindly. Makes things more clear why it isn't working at the moment. I've been looking for this specific problem with the 9.0 version but obviously on the wrong places.

For me it works atm with seperate NAT rules, I can live with it till it's fixed.

Hi folks

jesper_petersen — Fri, 14 Nov 2014 23:20:57 GMT

Hi folks

I simply just cannot get this to work and I need some help to figure out what I am missing:
ASA 5505 - v9.2(2)8

My config:

object network PC
 host 10.45.132.2

object service NAT-Range_TCP
 service tcp destination range 25600 25616

nat (outside,inside) source static any any destination static interface PC service NAT-Range_TCP NAT-Range_TCP

access-list outside-in extended permit tcp any host 10.45.132.2 range 25600 25616

Packet-tracer output:

ASA5505#packet-tracer input outside tcp 212.242.48.3 1088 10.45.132.2 25600

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.45.132.0     255.255.255.240 via 10.45.128.2, inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 212.x.x.1, outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any host 10.45.132.2 range 25600 25616
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside,inside) source static any any destination static interface PC service NAT-Range_TCP NAT-Range_TCP
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Jason,

truenetworkengineer — Wed, 06 Apr 2016 20:53:52 GMT

Jason,

Did you ever get this going? I have the same code version and I want to make sure this is working on 9.2.(2)8. Below is my configs, all objects have been created on the firewall.

object-group service 172.20.5.5_PORTS

service-object tcp destination range 42990 42999

service-object tcp destination range 43000 43518

service-object tcp destination range 43519 43520

service-object tcp destination eq 40022

service-object tcp destination range 940 990

service-object tcp destination eq 14970

service-object tcp destination range 20000 20050

object-group service 172.20.3.3_PORTS

service-object tcp destination range 47824 47830

service-object tcp destination range 47831 47837

service-object tcp destination range 5887 5893

service-object tcp destination range 47809 47815

service-object tcp destination range 47817 47823

service-object tcp destination range 47840 47850

nat (outside,Prod-SAAS) source static any any destination static obj-64.4.6.6 obj-172.20.5.5 service 172.20.5.5_PORTS 172.20.5.5_PORTS

nat (outside,Prod-SAAS) source static any any destination static obj-64.4.6.6 obj-172.20.3.3 service 172.20.3.3_PORTS 172.20.3.3_PORTS

access-list acl-out extended permit tcp any object obj-172.20.5.5 object-group 172.20.5.5_PORTS

access-list acl-out extended permit tcp any object obj-172.20.3.53 object-group 172.20.3.3_PORTS

I finally manage to get port

david — Thu, 23 Feb 2017 13:52:06 GMT

I finally manage to get port range to work with ASA 5505. It took me 7 hours but mainly because of a known bug in ASA 9.0 and 9.1 that will block port range to work properly! After I upgraded to 9.2(4) it started to work.

I used ASDM but here are the ASA commands:
object network FTP-Passive
host 192.168.1.50
object service Passive_FTP
service tcp destination range 32900 33000
nat (outside,inside) source static any any destination static interface FTP-Passive service Passive_FTP Passive_FTP
access-list inbound extended permit tcp any host 192.168.1.50 range 31900 32000
access-group inbound in interface outside