Simple Port Forwarding, Single Public IP to Many Servers

metalglue
Level 1

Hi, I'm very new to ASA's in general, and I could use a little help. I think I have it mostly figured out but I'm still not able to open more than one port on my ASA. I'm running 8.4(1), so I'm having trouble finding guides that do not refer to pre-8.3

My topology is as simple as can be. One public address, several servers in the internal network, no DMZ. Anyway, baby steps, so to begin, I'm trying to open one port, 1111 to point to internal host 192.168.2.3, using public IP 1.1.1.1 (Not the real addresses of course). This is what I'm entering:

object network host-192.168.2.3
 host 192.168.2.3

object network host-192.168.2.3-tcp1111
 host 192.168.2.3
 nat (inside,outside) dynamic interface

object-group service svcgrp-192.168.2.3-tcp tcp
 port-object eq 1111

access-list outside_access_in extended permit tcp any object host-192.168.2.3 object-group svcgrp-192.168.2.3-tcp

access-group outside_access_in in interface outside

The above produces no errors, but the traffic gets discarded. I know the issue is in the nat command for host-192.168.2.3-tcp1111, since on the guide I found it said to use the following line instead:

nat (inside,outside) static 1.1.1.1 service tcp 1111 1111

But that line produces the error:

ERROR: Address 1.1.1.1 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

I understand that I can't assign a static NAT to the outside interface because it will block all other services, but the dynamic statement is yielding no results either. I know this because I actually got it to work for one port, but it would ignore all other ACLs and NAT rules that I created for the other ports. So I deleted everything and I'm starting from scratch. This is not a production IP address, so I am free to try things. Anyway, I would appreciate some guidance. Thanks!

2 Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

There is only a minor error in the configuration.

If you only have the IP address that is configured on the "outside" interface of the ASA, then you won't use the IP address in the Static PAT configurations. You rather use the parameter "interface" instead. This will tell the ASA to use the interface IP address as the NAT IP address (whatever that might be at the time).

So for example you configure the following

object network STATIC-PAT-TCP1111
 host 192.168.2.3
 nat (inside,outside) static interface service tcp 1111 1111

access-list OUTSIDE-IN permit tcp any object STATIC-PAT-TCP1111 eq 1111

If you want to read something more about the 8.3+ NAT format, then you could take a look at a document I wrote here on the CSC:

https://supportforums.cisco.com/docs/DOC-31116

This is also a great document for those that have used 8.2 and now want to know how to configure the corresponding NAT configurations in the new software:

https://supportforums.cisco.com/docs/DOC-9129

Hope this helps

Please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni


eddie.harmoush
Level 1

Hello Alejandro,

You are really close. The answer is to use the interface keyword instead of manually typing in the IP address 1.1.1.1:

ciscoasa(config)# object network host-192.168.2.3-tcp1111
ciscoasa(config-network-object)# host 192.168.2.3
ciscoasa(config-network-object)# nat (in,out) static 1.1.1.1 service tcp 1111 1111
ERROR: Address 1.1.1.1 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
ciscoasa(config-network-object)# nat (in,out) static interface service tcp 1111 1111
ciscoasa(config-network-object)# exit

Since the address 1.1.1.1 (or whatever it is in your case) is configured as the Outside interface's IP address, the Firewall will force you to use the "interface" keyword to use it as a mapped address.  This is to prevent you from accidentally configuring a translation for the Firewall's outside address unintentionally.  The idea is, if you use the "interface" keyword, you must have intended to use that interface's IP address.

Additionally, you want to create a "static" translation, so that port 1111 on the Outside interface will be statically translated to port 1111 on the Inside interface. A Dynamic translation would serve only to translate multiple IP addresses on the Inside interface to a single IP address on the Outside interface -- without any consistent usage of port numbers, they will be randomized by the Firewall through the Dynamic NAT, which you don't want.

The access-list entry to allow this traffic would resemble the following:

access-list 101 permit tcp any object host-192.168.2.3-tcp1111 eq 1111

Hope this helps!



metalglue
Level 1

It looks like that did it! I'm going to have to run a more thorough test after hours since, although the firewall is not in production, the machines behind it are, and I can't go about changing their gateway to point back to the ASA. I can tell it's working because instead of the packet getting discarded, it's getting a SYN timeout error, so it just can't make it back, but as long as it makes it in, I'm a happy camper.

One thing I'm doing a little different is that I'm grouping the ports instead of doing one at a time. It doesn't make sense on servers that only have one port open, but I have a few that have several ports open. Hence the different syntax on both of your access-list statements.

See? You CAN learn from the internet.

Thank you both!
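Putting the two answers together for the "several servers, one public IP" case the original question actually asked about: the configuration below is an added example written for this thread, not something either responder posted or a Cisco document. It assumes ASA 8.3+ object NAT syntax as in the answers above, an outside interface address of 203.0.113.10 (a placeholder), two internal servers at 192.168.2.3 and 192.168.2.4, and placeholder ports 1111, 2222 and 3333. Each exposed port gets its own network object with a static PAT to the interface address (one port per object NAT statement), outbound traffic for the rest of the inside subnet keeps a separate dynamic PAT, and the inbound ACL references the real inside addresses, grouping ports with an object-group the way the original poster wanted.

```cisco
! Added example for this thread (not the responders' configuration).
! Outside interface address and all inside addresses/ports are placeholders.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Plain host objects, used only by the ACL (8.3+ ACLs match the real address)
object network SRV-A
 host 192.168.2.3
object network SRV-B
 host 192.168.2.4
!
! One object per exposed port: static PAT to the outside interface address.
! "interface" is required because 203.0.113.10 is the interface's own address.
object network SRV-A-TCP1111
 host 192.168.2.3
 nat (inside,outside) static interface service tcp 1111 1111
object network SRV-A-TCP2222
 host 192.168.2.3
 nat (inside,outside) static interface service tcp 2222 2222
object network SRV-B-TCP3333
 host 192.168.2.4
 nat (inside,outside) static interface service tcp 3333 3333
!
! Outbound PAT for everything else on the inside network. Kept separate from
! the per-port objects so it never replaces a static entry the way the
! original "nat (inside,outside) dynamic interface" on the host object did.
object network INSIDE-NET
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound policy: only the published ports, grouped per server.
object-group service SRV-A-PORTS tcp
 port-object eq 1111
 port-object eq 2222
access-list OUTSIDE-IN extended permit tcp any object SRV-A object-group SRV-A-PORTS
access-list OUTSIDE-IN extended permit tcp any object SRV-B eq 3333
access-group OUTSIDE-IN in interface outside
!
! Verification (exec mode):
!   show nat detail            - the three static PAT entries should list before the dynamic one
!   show xlate                 - translations actually in use
!   packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 1111
!                              - should end with "Action: allow" and show the
!                                UN-NAT phase mapping 203.0.113.10/1111 -> 192.168.2.3/1111
```

The source "any" in the ACL mirrors the thread; if the published services only need to be reachable from known networks, narrow it to those sources, since with static PAT every inbound connection to that port lands on the server. If packet-tracer allows the flow but real connections show up in the log as SYN timeouts, the ASA side is done and, as the original poster found, the remaining problem is the servers' return route (their default gateway must point back to the ASA's inside address).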
