Challenge on port to port forwarding on ASA 5512-X

bashiru.bayonle
Level 1

Hello House,

Please I need help with port-to-port forwarding on an ASA 5512-X. Below is the config. The port redirection is working, but the range of ports and the other ports permitted in the access-list are not opening. Kindly help please.

object network TEST_PUBLIC_IP
 host 10.10.10.10

object-group service PROD_101 tcp
 port-object eq 8443
 port-object eq 922
 port-object eq ssh
 port-object eq https
 port-object range 8000 8200

object network TEST_PRIVATE_IP
 host 1.1.1.1
 nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside


Hi

What is the output of:

packet-tracer input OUTSIDE tcp 4.4.4.4 23432 10.10.10.10 8085

You will have to create NAT statement for the rest of the ports if you want them to work too.

@Henrik, thanks so much for taking your precious time to read my post. I was thinking it's the access-list that should permit those ports. However, I would appreciate it if you can help with the NAT statements for the rest of the ports.

Hi

This is how I would have done it: one static NAT statement per port. Note that I'm using manual NAT and not object NAT, which makes it easier to see in which order the NAT statements get processed. Then I would try to reuse as many objects as I could in the access-list, so you know which access-list entry and NAT statement are working together.

object service TCP-EQ-80
 service tcp source eq 80

object service TCP-EQ-443
 service tcp source eq 443

object service TCP-EQ-22
 service tcp source eq 22

object service TCP-EQ-8000
 service tcp source eq 8000

object service TCP-EQ-8001
 service tcp source eq 8001

object service TCP-EQ-8002
 service tcp source eq 8002

object network SERVER1
 host 1.1.1.1

object network SERVER_PUBLIC_IP
 host 209.88.9.35

nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service TCP-EQ-80 TCP-EQ-8000
nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service TCP-EQ-443 TCP-EQ-8001
nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service TCP-EQ-22 TCP-EQ-8002

access-list OUTSIDE permit tcp any object SERVER1 object TCP-EQ-80
access-list OUTSIDE permit tcp any object SERVER1 object TCP-EQ-443
access-list OUTSIDE permit tcp any object SERVER1 object TCP-EQ-22

Thanks for your swift response, but the port range is from 8000 to 8200. Doing this in 200 places is going to be too cumbersome. And applications are listening on those 200 ports...

Do you need to translate the port, or can it be a one-to-one relationship? For example: the connection from the client is made to TCP/8043 on the ASA and the server is listening on TCP/8043?

What I need is to open that port range on the firewall so that the application on the server can listen on it. Also the SSH port, so that I can SSH remotely to the server.

Is it only one server that is mapped to the public IP? If so, you could do just a standard static NAT statement without port forwarding and then control the access with the ACL.

It is only one server that is mapped to the public IP, and I have done static NAT with port redirection for security reasons: if one accesses the domain name on the server on the default web port 80, the firewall redirects the default port to 8085 internally, because 8085 has been bound to the private IP of the server, and it's working perfectly. However, the challenge is with the access-list that permits the range of ports the application is listening on on the server, which is not working; likewise telnet to the server. I think the focus should be on the access-list that is permitting the port ranges. See the config below:

object network TEST_PUBLIC_IP
 host 10.10.10.10

object-group service PROD_101 tcp
 port-object eq 8443
 port-object eq 922
 port-object eq ssh
 port-object eq https
 port-object range 8000 8200

object network TEST_PRIVATE_IP
 host 1.1.1.1
 nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside

NOTE: If I remove "service tcp 8085 www" from the NAT, the domain name will open with port number 8085 and the access-list that permits the whole range of ports works perfectly. But we need the port redirection from default 80 to 8085 for security reasons, and also we cannot be giving people our domain name with port number 8085 before they can access it. Do you get the logic?

It looks correct. What is the output of this packet trace?

packet-tracer input OUTSIDE tcp 4.4.4.4 23432 10.10.10.10 80

TFW/sec/actNoFailover# packet-tracer input OUTSIDE tcp 4.4.4.4 23432 10.10.10.10 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network TEST_PRIVATE_IP
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP
Additional Information:
NAT divert to egress interface PRODUCTION
Untranslate 10.10.10.10/80 to 1.1.1.1/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: PRODUCTION
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please note that it's only NAT that is configured now. The port redirection aspect has been removed (service tcp 8085 www) and the domain name is being accessed with port 8085.
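The packet-tracer output above is the key diagnostic in this thread. As an added example (not from the thread or from Cisco), here is a small Python parser that splits a trace into its phases, finds the phase that returned DROP, and, when that phase is an ACCESS-LIST drop on the implicit rule after an UN-NAT phase, reports the real (untranslated) destination the ACL was evaluated against. The embedded trace is a constructed, abridged copy of the posted output; the function names are my own.

```python
"""Parse Cisco ASA packet-tracer output and report where and why a flow was dropped.

Added example; not code from the thread or from Cisco. SAMPLE_TRACE is a
constructed, abridged copy of the trace posted in the thread.
"""
from __future__ import annotations
import re
from typing import Optional

SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network TEST_PRIVATE_IP
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP
Additional Information:
NAT divert to egress interface PRODUCTION
Untranslate 10.10.10.10/80 to 1.1.1.1/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: OUTSIDE
output-interface: PRODUCTION
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(trace: str) -> dict:
    """Split a trace into per-phase dicts plus the trailing 'Result:' summary block."""
    phases: list[dict] = []
    summary: dict[str, str] = {}
    current: Optional[dict] = None   # phase currently being filled
    bucket: Optional[str] = None     # "config" or "info": where free-form lines go
    in_summary = False
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            bucket, in_summary = None, False
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Result" and not value:        # bare "Result:" opens the summary block
            in_summary, current, bucket = True, None, None
            continue
        if in_summary:
            summary[key.lower()] = value
        elif current is None:
            continue
        elif key == "Type":
            current["type"] = value
        elif key == "Subtype":
            current["subtype"] = value
        elif key == "Result":
            current["result"] = value
        elif key == "Config":
            bucket = "config"
        elif key == "Additional Information":
            bucket = "info"
        elif bucket:                               # config or info line without a key
            current[bucket].append(line)
    return {"phases": phases, "summary": summary}


def drop_phase(parsed: dict) -> Optional[dict]:
    """First phase whose Result is DROP, or None when the flow was allowed."""
    return next((p for p in parsed["phases"] if p["result"] == "DROP"), None)


def untranslation(parsed: dict) -> Optional[tuple[str, str]]:
    """(mapped, real) from the UN-NAT phase's 'Untranslate X to Y' line, if present."""
    for p in parsed["phases"]:
        if p["type"] == "UN-NAT":
            for line in p["info"]:
                m = re.match(r"Untranslate (\S+) to (\S+)", line)
                if m:
                    return m.group(1), m.group(2)
    return None


def summarize(trace: str) -> str:
    parsed = parse_trace(trace)
    dropped, un = drop_phase(parsed), untranslation(parsed)
    if dropped is None:
        return "allowed"
    msg = (f"dropped at phase {dropped['phase']} ({dropped['type']}): "
           f"{parsed['summary'].get('drop-reason', '')}")
    # An ACCESS-LIST drop on the implicit rule after un-NAT means no ACE matched the
    # real (untranslated) destination; that is the address/port the ACL must permit.
    if dropped["type"] == "ACCESS-LIST" and "Implicit Rule" in dropped["config"] and un:
        msg += f"; no ACE matched real destination {un[1]}"
    return msg


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

Run it against a trace pasted into SAMPLE_TRACE (or read from a file) to get a one-line verdict; the point worth remembering from the thread is that on ASA 8.3 and later the inbound ACL is checked after un-NAT, so the real IP and real port are what the access-list entries must match.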

@Henrik, please, I am still awaiting your feedback. Thanks in anticipation for your kind gesture.

Do you have the access rules in place? If so, try to implement just one of the port forwarding rules:

object service TCP-EQ-80
 service tcp source eq 80

object service TCP-EQ-8085
 service tcp source eq 8085

nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service TCP-EQ-8085 TCP-EQ-80

And then try the same packet-tracer command as before.

There is an access rule in place; that is why port redirection is working, but the port range declared and allowed is not opening... I think the emphasis should be laid on how to ensure the range of ports is opening after the redirection.

object-group service PROD_101 tcp
 port-object eq 8443
 port-object eq 922
 port-object eq ssh
 port-object eq https
 port-object range 8000 8200

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

This config seems to be equivalent to the one currently working for redirection.

object network TEST_PRIVATE_IP
 host 1.1.1.1
 nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

object service TCP-EQ-80
 service tcp source eq 80

object service TCP-EQ-8085
 service tcp source eq 8085

nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service TCP-EQ-8085 TCP-EQ-80

Hello,

You can map a range of ports like this:

object service TCP-RA-8000_8200
 service tcp source range 8000 8200

nat (PRODUCTION,OUTSIDE) source static SERVER1 SERVER_PUBLIC_IP service TCP-RA-8000_8200 TCP-RA-8000_8200

Mind that this will be a 1-to-1 mapping of ports (8000 > 8000 etc.).

If you want inside 8000 to be accessed from outside on, let's say, 1025, you need multiple NAT statements.

Hope this helps.

//Cristian
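Henrik's per-port manual NAT statements and Cristian's range object are the two building blocks this thread ends on, and the objection in between was that writing 200 of them by hand is too cumbersome. As an added example (my own script, not from the thread or from Cisco), here is a Python generator that takes a real-port to mapped-port map and emits the ASA CLI: contiguous 1-to-1 runs collapse into one range object and one NAT line (Cristian's form), ports that change number get one NAT line each with a real and a mapped service object (Henrik's form), and the inbound ACL is written against the real ports, since the ACL is evaluated after un-NAT. The object, interface and ACL names are taken from the thread as assumptions, the port map is constructed, and it refuses a map in which two real ports would share one mapped port.

```python
"""Generate ASA manual (twice) NAT port-forwarding config from a port map.

Added example, not code from the thread or from Cisco. Object/interface/ACL
names (SERVER1, SERVER_PUBLIC_IP, PRODUCTION, OUTSIDE, Outside_IN) are assumed
from the thread; PORT_MAP is constructed.
"""
from __future__ import annotations


def _runs(ports) -> list[tuple[int, int]]:
    """Collapse an iterable of ports into sorted, contiguous (first, last) runs."""
    runs: list[tuple[int, int]] = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def _svc_object(name: str, first: int, last: int) -> list[str]:
    # Manual NAT translates the real host's *source* port (the inside server is the
    # source in the real->mapped direction), so the service object uses "source".
    port = f"eq {first}" if first == last else f"range {first} {last}"
    return [f"object service {name}", f" service tcp source {port}"]


def port_forward_config(real_obj: str, mapped_obj: str, real_if: str, mapped_if: str,
                        acl: str, port_map: dict[int, int]) -> list[str]:
    """Return ASA CLI lines mapping real_port -> mapped_port for every entry of port_map."""
    if len(set(port_map.values())) != len(port_map):
        raise ValueError("two real ports cannot share one mapped port on the same public IP")
    lines: list[str] = []
    defined: set[str] = set()

    def define(name: str, first: int, last: int) -> None:
        if name not in defined:            # a port may appear as real in one map entry
            defined.add(name)              # and as mapped in another; define it once
            lines.extend(_svc_object(name, first, last))

    nat = f"nat ({real_if},{mapped_if}) source static {real_obj} {mapped_obj} service"
    # Ports kept 1-to-1 collapse into range objects: one NAT line per contiguous run.
    for first, last in _runs(p for p, m in port_map.items() if p == m):
        name = f"TCP-EQ-{first}" if first == last else f"TCP-RA-{first}_{last}"
        define(name, first, last)
        lines.append(f"{nat} {name} {name}")
    # Ports that change number need one NAT line each, with a real and a mapped object.
    for real, mapped in sorted((p, m) for p, m in port_map.items() if p != m):
        define(f"TCP-EQ-{real}", real, real)
        define(f"TCP-EQ-{mapped}", mapped, mapped)
        lines.append(f"{nat} TCP-EQ-{real} TCP-EQ-{mapped}")
    # The inbound ACL is evaluated after un-NAT, against the real IP and real port.
    for first, last in _runs(port_map):
        port = f"eq {first}" if first == last else f"range {first} {last}"
        lines.append(f"access-list {acl} extended permit tcp any object {real_obj} {port}")
    return lines


# Constructed port map: inside 8085 reachable on outside 80; 22, 443 and the
# 8000-8200 range kept 1-to-1 (8085 itself is excluded so it is not mapped twice).
PORT_MAP = {8085: 80, 22: 22, 443: 443}
PORT_MAP.update({p: p for p in range(8000, 8201) if p != 8085})

if __name__ == "__main__":
    print("\n".join(port_forward_config("SERVER1", "SERVER_PUBLIC_IP",
                                        "PRODUCTION", "OUTSIDE", "Outside_IN", PORT_MAP)))
```

Because 8085 is excluded from the 1-to-1 range, the generator emits two range objects (8000-8084 and 8086-8200) plus one translated line for 8085 > 80, five NAT lines in total instead of 203. Whatever it produces, confirm it with the same packet-tracer check used above before relying on it.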
