topic Re: asa5505 / Port forwarding in Network Security

asa5505 / Port forwarding

godinerik — Mon, 11 Mar 2019 14:30:42 GMT

Hi,

I'm using a 5505 in routed mode. I currently have the following nat, global and static statements:

Firewall# show run nat

nat (inside) 1 0.0.0.0 0.0.0.0

Firewall# show run global

global (outside) 1 interface

static (inside,outside) 74.213.XXX.XXX 192.168.100.2 netmask 255.255.255.255

Plus a few more internal IPs routed to different external IPs. As it stands, each internal IP has it's own external IP. Translation occurs between the internal and the internal IPs, ports remaining unchanged.

For the above external IP, one exception needs to be made. I'd like to have port 12345 re-directed to 192.168.100.2 port 22 (so in other words I'd like to close port 22 to the public and instead use a high-numbered port)

All the other ports can remain the same. I've already tried the obvious (adding another static entry) but I get an error message saying it overlaps with an existing entry. I've even tried assigning another internal IP to the host and creating a new NATid, but I still run into the same problem. Surely this goal doesn't require it's own external IP!?

Thanks in advance for the help!

Re: asa5505 / Port forwarding

Collin Clark — Tue, 30 Dec 2008 14:02:58 GMT

Since your using 1-to-1 NATs it will require a new public IP. Try using a new public IP, but doing a port translation-

static (inside,outside) tcp 74.213.X.Y 12345 192.168.100.X 22 netmask 255.255.255.255

You can then add other high ports pointing to other boxes (but the same public IP).

static (inside,outside) tcp 74.213.X.Y 23456 192.168.100.Z 22 netmask 255.255.255.255

static (inside,outside) tcp 74.213.X.Y 34567 192.168.100.A 22 netmask 255.255.255.255

Hope that helps.

Re: asa5505 / Port forwarding

godinerik — Tue, 30 Dec 2008 19:23:17 GMT

Hi Collin,

Thanks for your help!

Re: asa5505 / Port forwarding

cisco24x7 — Tue, 30 Dec 2008 19:49:40 GMT

Why do need to waste extra public IP addresses for that? There is a much simpler way

to accomplish this. It's called policy NAT.

Private host IP: 192.168.100.2

Public NAT IP: 1.2.3.4

Objective: you want to NAT 192.168.100.2 to 1.2.3.4 and keep everything the same on the

port usage except that you want to port 12345 for IP address 1.2.3.4 to be translated to

port 22 on 192.168.100.2

Now you have to read the syntax on the ASA for this. I do not have one in front of me

but I will use Checkpoint NAT as an example:

Rule # Src Dst Service Trans-Src Trans-Dst Service

1 Any 1.2.3.4 12345 Original 192.168.100.2 22

2 Any 1.2.3.4 any Original 192.168.100.2 Original

The idea here is that the NAT rule #1 will take care of the SSH translation while rule #2

will take care of the rest for NAT. This is a much efficient use of public IP addresses.

There is no need to use additional public IP addresses in this situation.

Re: asa5505 / Port forwarding

godinerik — Wed, 31 Dec 2008 05:31:50 GMT

Could anyone possibly give an example of what the parent post stated, in the context of an ASA5500? I've tried a few different things however I'm having no such luck. Also, I'm presuming that if I'd be doing policy nat, I should remove the static NAT entry?

Re: asa5505 / Port forwarding

sdoremus33 — Wed, 31 Dec 2008 21:25:35 GMT

In regards to the parent post you can try something like this

ACCESS LIST NAME permit tcp any 192.168.100.2 eg 22

global outside 1 1.2.3.4 netmask xx.xx.xx.xx eq 1234

nat inside 1 access-list ACLName . HTH

Also check out this web link for examples of Policy Based NAT

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#IN1

Re: asa5505 / Port forwarding

godinerik — Wed, 31 Dec 2008 21:32:20 GMT

Thanks for your suggestion, unfortunately this isn't possible on an ASA5505. Looking at the example in the reference guide for the5505, I see that the address we want the real address mapped to is specified by the global commad, but unfortunately that command doesn't have an "eq" parm which lets you specify the port. Although it seems like you can easily re-write the mapped addr based on source/dst, it doesn't look like the port can be re-written. I was really hoping for a solution similar to what the checkpoint post refers to.

Re: asa5505 / Port forwarding

John Blakley — Fri, 02 Jan 2009 14:47:18 GMT

You can try this:

static (inside,outside) interface 12345 192.168.100.2 22 netmask 255.255.255.255

This will use ANY address that you have specified or assigned by the ISP. Us the word "interface" where I have it, and don't use an address there.

HTH,

John

Re: asa5505 / Port forwarding

godinerik — Sun, 04 Jan 2009 08:24:22 GMT

Hi Collin,

Just wanted to let you know that your solution was definitely the best solution. I looked in to policy NAT, however it doesn't do what I'm trying to accomplish. One of my initial concerns with your suggestion is that every outgoing connection would have to be defined in a static statement, however by testing out this solution, I found out this wasn't the case. I'm not sure why this doesn't need to happen (if you can explain to me the reason/concept/logic it would be much appreciated!) but what counts is that it doesn't.

Thanks again,

Erik

Re: asa5505 / Port forwarding

godinerik — Sun, 04 Jan 2009 23:28:59 GMT

After further testing, I realize that:

global (outside) 1 interface

ensures that all my outgoing connections are translated to outside vlan's address and that's why it works.

Hooray 🙂

Erik