topic Re: Port Forwarding in Network Security

Port Forwarding

Adnan Khan — Fri, 21 Feb 2020 16:38:05 GMT

Hi,

I want to configure port forwarding on the firewall for all traffic coming on inside interface going to the internet with destination port 5222 I want to forward this port to 443 instead. What could be the syntax on ASA firewall from any source IP from inside to any destination on the outside?

Re: Port Forwarding

balaji.bandi — Sun, 06 Jan 2019 08:41:56 GMT

These are high ports, most cases user not going to type http or ftp with that port as per i know.

can you explain more use case here..

belo document reference :

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

Re: Port Forwarding

Karsten Iwen — Sun, 06 Jan 2019 11:46:11 GMT

Do I understand you right that you want the following:

Whenever a client on the inside network accesses any IP on the outside network with the port TCP/5222, then the destination port has to be changed to TCP/443?

the you need to configure manual or twice NAT:

object service TCP-5222
 service tcp destination eq 5222
object service TCP-443
 service tcp destination eq https
object network ANY
 subnet 0.0.0.0 0.0.0.0
!
nat (inside,outside) after-auto source dynamic any interface destination static ANY any service TCP-5222 TCP-443

Here the source IP is changed to the ASA interface IP as the client typically has a private IP and for any destination the port is changed from 5222 to 443.

Re: Port Forwarding

Moaz.Elzhrawey — Sun, 06 Jan 2019 18:45:40 GMT

as they mentioned, configuration is straight forward, it's all about static nat with ports, wither to do it from CLI or using ASDM.

Re: Port Forwarding

Adnan Khan — Mon, 07 Jan 2019 08:53:21 GMT

Thank Bajaji and Karsten.I can be more spesifec. I would like all traffic reaching the firewall inside interface with destination port 5222 should immediately forward to port 443 because 5222 port is block on ISP side and application take so much time to connect because it tries to initiate connection first on port 5222.

Re: Port Forwarding

Karsten Iwen — Mon, 07 Jan 2019 09:00:38 GMT

Ok, the NAT-solution will work, but is not the best way to solve this problem. Better configure your firewall to deny this port. The ASA will send a TCP reset and the client will/should try the alternate port directly after that.

Re: Port Forwarding

Sheraz.Salim — Mon, 07 Jan 2019 10:17:35 GMT

@Karsten Iwenwill this rule wont come in section 1 instead of section 3 ? also if Adnan already have a rule in section 3 than he must have to define on top of the rule. where 1 give a priority to other rules in section 3 or either in section 1.

i understand as the section 3 will be last to check in.

(inside,outside) after-auto 1 source dynamic any interface destination static ANY any service TCP-5222 TCP-443

Re: Port Forwarding

Karsten Iwen — Mon, 07 Jan 2019 10:21:26 GMT

As always: it depends ... 😉

Putting this rule in section three gives the easy possibility to overwrite this behavior for clients with "normal" NAT-needs.

In section three it has to be above the general PAT-rule which is done with the number "1" in the nat-statement. But it all depends on the rest of the NAT-config and has to be evaluated accordingly.

Re: Port Forwarding

Sheraz.Salim — Mon, 07 Jan 2019 10:28:37 GMT

cheers Karsten. Appropriated for the quick reply.