ASA 5505 Stupid Simple Problem but I can't get it

Ryan Huff
Level 4

ASA 5505 9.2 (ASDM 7.6)

Outside = ip address dhcp setroute

Inside = 192.168.95.0 255.255.255.240

On the inside network I have a single host with a static IP address (192.168.95.5); it's an IP camera. The camera can be accessed from the outside and requires 5 various ports to be open on the outside.

I understand the concept perfectly; I need the outside interface to port redirect (forward) traffic on those specific ports into the inside interface for that specific inside host.  What has me perplexed, is. the. syntax.

I am a Collaboration engineer .... I blame firewalls most of the time, not work on or configure them :). Can anyone help this poor collab guy out with the syntax?

Thanks,

Ryan


6 Replies

Aditya Ganjoo
Cisco Employee

Hi Ryan,

You can use the following syntax for Static port translation:

 object network obj-10.1.1.16
   description REAL IP of the inside server
   host 10.1.1.16
   nat (inside,outside) static interface service tcp 8080 www

where the interface keyword is used for the outside interface IP and the service keyword is used for the TCP ports.

You can check this link for further clarity ( check Regular Static PAT section) :

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks for the reply Aditya!

It seems, though, that this only allows one source and destination port for the PAT. I actually need to translate 5 different ports coming in from the outside into the inside.

So do I just create a new network object (with a different name) using the same host, for each of the 5 PATs?

Hi Ryan,

Yes you can either create a new network object or if the ports are continuous then you can use the range keyword for it.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Aditya, thanks!

I added the PAT and it seemed to work. Packet tracer showed it clearing and an external NMAP on the outside interface showed the port open. Then, something changed; but I am not sure what.

I used to work at a managed services provider and I did a lot of ASA work .... but that was pre 8.3 and a long time ago .... I am finding quite a bit has changed, so thanks for your help!

Now, packet tracer (incoming on the outside interface) shows it failing on the reverse-path NAT. Typically, that would mean it is matching the wrong rule in the egress direction and reordering the rules would fix it.

The issue is when I run a detailed output of packet tracer, it shows that it is matching the correct NAT. This is a very basic firewall config so there isn't much that could be tripping it up ... I just am not seeing it.

I have attached a show-run; if you don't mind looking, I would appreciate it.

Thanks,

Ryan

Hi Ryan,

Yes you are correct.

So lets remove the existing PAT for the rtsp traffic and configure a manual NAT statement like this and test:

object service rtsp
 service tcp source eq rtsp
object service rtsp-1
 service tcp source eq rtsp

nat (inside,outside) 1 source static obj_192.168.95.5A interface service rtsp rtsp-1

Regards,

Aditya

Please rate helpful posts and mark correct answers.

I have got to the bottom of the issue ...

nat (inside,outside) dynamic interface

It seems that no matter what manual NAT or PAT I enter, as long as that dynamic NAT for the inside hosts is there ... it is always matched for the reverse path.

My ultimate goal is this; all hosts on the 192.168.95.0 255.255.255.240 network be able to access the Internet via the outside interface without port restriction.

Then, also have the 5th host of that network (.5) have specific TCP and UDP ports mapped to it from the outside.

So I removed the dynamic NAT and entered a manual NAT like:

nat (inside,outside) 2 static (network obj for the inside network) interface any any

which seems to work fine (it generates a warning about all services on the outside being mapped to the inside) .... which I guess is OK?

Now, shouldn't I be able to create additional, more specific manual NATs at a higher priority and have it match the more specific NAT?
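For reference, here is the complete configuration I would write for the scenario discussed in this thread (static PAT for several camera ports plus general outbound PAT for the rest of the subnet), put together as an added example; it is not taken from Ryan's show-run, from Aditya's replies or from Cisco documentation. It assumes the interface names inside/outside and the camera address 192.168.95.5 from the thread, uses rtsp as the one port the thread names and www plus UDP 5000 as placeholder ports to be replaced with the camera's real ones; the object and ACL names (inside-net, cam-192.168.95.5, cam-rtsp, outside_in, ...) and the tester address 203.0.113.10 are my own choices.

```cisco
! ---------- objects ----------
object network inside-net
 subnet 192.168.95.0 255.255.255.240
object network cam-192.168.95.5
 description IP camera (real, untranslated address)
 host 192.168.95.5

! Service objects for manual (twice) NAT. For a static PAT both the real and
! the mapped port are written as "source" ports in the service object; the
! same object can be given twice when the port is not changed by the mapping.
object service cam-rtsp
 service tcp source eq rtsp
object service cam-http
 service tcp source eq www
! placeholder port, substitute the camera's real UDP port
object service cam-udp-5000
 service udp source eq 5000

! ---------- NAT Section 1: manual NAT, evaluated top-down ----------
! The most specific rules (single host, single port) go first.
nat (inside,outside) 1 source static cam-192.168.95.5 interface service cam-rtsp cam-rtsp
nat (inside,outside) 2 source static cam-192.168.95.5 interface service cam-http cam-http
nat (inside,outside) 3 source static cam-192.168.95.5 interface service cam-udp-5000 cam-udp-5000

! ---------- NAT Section 2: auto (object) NAT ----------
! General outbound PAT for the whole /28. Section 2 is only consulted when
! nothing in Section 1 matched, so the per-port rules above always win for
! the camera's ports, in both the forward and the reverse direction.
object network inside-net
 nat (inside,outside) dynamic interface

! Alternative for one port, as in the first reply: object NAT with one network
! object per port. Within Section 2 static rules are matched before dynamic
! ones, so this also takes precedence over the subnet PAT.
! object network cam-rtsp-pat
!  host 192.168.95.5
!  nat (inside,outside) static interface service tcp rtsp rtsp

! ---------- access control ----------
! Since 8.3 a NAT rule does not permit traffic by itself: the inbound ACL on
! outside must allow the REAL (untranslated) destination address and port.
access-list outside_in extended permit tcp any object cam-192.168.95.5 eq rtsp
access-list outside_in extended permit tcp any object cam-192.168.95.5 eq www
access-list outside_in extended permit udp any object cam-192.168.95.5 eq 5000
access-group outside_in in interface outside

! ---------- checks ----------
! Shows the sections, rule order and per-rule hit counters.
show nat detail
! Simulates an inbound RTSP connection from a constructed outside address;
! <outside-ip> is the address the outside interface got from DHCP.
packet-tracer input outside tcp 203.0.113.10 40000 <outside-ip> 554 detailed
```

The point of the layout is rule order: the ASA walks Section 1 (manual NAT) in line order, then Section 2 (object NAT, static before dynamic), then Section 3 (manual NAT placed after-auto), and the first match is used for both the forward translation and the reverse-path check. Keeping the host-and-port rules in Section 1 and the subnet-wide dynamic PAT in Section 2 therefore gives the "more specific rule wins" behaviour asked about above without having to remove the dynamic PAT, and the ACL lines are what actually open the camera's ports, so anything not listed there stays closed even though the outbound PAT is unrestricted.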
