ASA 5505 8.3, Port mapping to different internal port number

bene (Level 1)

I've been racking my brain lately trying to map one single port on the outside of my ASA: TCP 200, to an internal host TCP 22. I've done this countless times on previous routers and my old PIX, but this ASA is really frustrating me. 

I've already made sure my nat statement matches the suggestion here for 8.3 code:

https://supportforums.cisco.com/discussion/12281796/cisco-asa-5505-port-mapping

<

object network SSH-SERVER 
 host 192.168.7.200


#(config-network-object)# nat (inside,outside) static interface service tcp 200 22
ERROR: NAT unable to reserve ports.

access-list outside-access-in extended permit tcp any object SSH-SERVER eq ssh log

>

# sh asp table socket 

Protocol  Socket    Local Address               Foreign Address         State
SSL       200c1daf  209.x.x.x:443          0.0.0.0:*               LISTEN
TCP       200f525f  209.x.x.x:22           0.0.0.0:*               LISTEN
TCP       8b88e6f8  209.x.x.x:22           209.x.x.x:35162    ESTAB

...since TCP 200 is not in use, I should not be getting this error. I can invert the ports successfully, but per the link supplied, the mapping would then be backwards. Any help with this would be greatly appreciated.


10 Replies

Jon Marshall (Hall of Fame), accepted solution

That example you linked to has the ports the wrong way round, as far as I can tell; i.e. the syntax is:

nat (inside,outside) static interface service <real port> <mapped port>

Jon

Thank you for the clarification. The example seemed backwards to me too. I have corrected it and I'm still not able to ssh to the host on port 200. The issue I'm assuming is now with my ACL:


object network SSH-SERVER 
 host 192.168.7.200

object network SSH-SERVER
 nat (inside,outside) static interface service tcp ssh 200 

access-list outside-access-in extended permit tcp any object SSH-SERVER eq 200 log

access-group outside-access-in in interface outside

Yes, try using the real port number in your ACL and retest.

Jon

I did try all these iterations before posting to no avail. I appreciate the guidance.

I've corrected the ACL, saved and reloaded the ASA:

access-list outside-access-in extended permit tcp any object SSH-SERVER eq ssh log


Still no access. I've verified that the internal server is available on 192.168.7.200, and is accepting ssh on TCP 22.

It could be the order of your NAT.

Can you run this command -

"packet-tracer input outside tcp 8.8.8.8 12345 <outside interface IP> 200"

and post results together with the NAT configuration on your ASA.

Jon

# packet-tracer input outside tcp 8.8.8.8 12345 209.x.x.x 200   

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SSH-SERVER
 nat (inside,outside) static interface service tcp ssh 200 
Additional Information:
NAT divert to egress interface inside
Untranslate 209.x.x.x/200 to 192.168.7.200/22

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:       
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

-----------------------------------------------------------------------

nat (inside,outside) dynamic interface
 nat (inside,outside) static interface service tcp ssh 200 

# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static SSH-SERVER interface service tcp ssh 200 
    translate_hits = 0, untranslate_hits = 7
2 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 2658, untranslate_hits = 508


Can you post the full configuration of your ASA, or at least the ACLs?

Jon

Thanks for the help Jon. I didn't notice that the access-group fell out when I tore out the access-list to correct the port number. All is well.

# sh run
: Saved
:
ASA Version 8.3(2) 
!
hostname xxxxxxx
domain-name xxxxxxxxxx
enable password xxxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group acs
 ip address pppoe setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!             
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxxxxx
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network INSIDE-SUBNET 
 subnet 192.168.7.0 255.255.255.0
object network SSH-SERVER 
 host 192.168.7.200
access-list outside_access_in extended permit icmp any any 
access-list outside-access-in extended permit tcp any object SSH-SERVER eq ssh log 
pager lines 24
logging enable
logging monitor warnings
logging buffered errors
logging asdm informational
logging class auth monitor warnings 
mtu inside 1460
mtu outside 1460
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network SSH-SERVER
 nat (inside,outside) static interface service tcp ssh 200 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 192.168.7.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.7.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group acs request dialout pppoe
vpdn group acs localname xxxxxxxxxxx
vpdn group acs ppp authentication pap
vpdn username xxxxxxxxx password ***** store-local
dhcpd address 192.168.7.100-192.168.7.120 inside
dhcpd dns xxxxxxxxxx interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username xxxx password xxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxxxxxxxxx
: end

You haven't applied the ACL to the outside interface, i.e.:

"access-group outside-access-in in interface outside"

Note you have two different ACLs; make sure you use the right one.

Jon
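The three fixes this thread arrives at, restated as a config audit (an added example; not code from the thread, the poster, or Cisco): on ASA 8.3+ the object NAT syntax is `service <proto> <real port> <mapped port>`, ACLs match the real (untranslated) address and port, so the ACE must say `eq ssh` rather than `eq 200`, and an `access-list` does nothing until `access-group` binds it to an interface. The script parses a minimal ASA config, flags an ACE that matches the mapped port, flags ACLs never bound with `access-group` (including the `outside_access_in` / `outside-access-in` near miss in the posted config), prints the resulting outside-to-inside mapping, and emits the `packet-tracer` command Jon used to check the UN-NAT phase. The two embedded configs are constructed from the poster's own lines; the `PORT_NAMES` table, the `8.8.8.8`/`12345` test source, and the `<outside-interface-ip>` placeholder are assumptions.

```python
"""Audit an ASA 8.3+ config for the three mistakes worked through in this
thread: object-NAT service port order (real first, mapped second), ACLs that
match the mapped port instead of the real one, and ACLs that are defined but
never bound with access-group. Added example, not from the thread; the
sample configs below are constructed from the poster's own lines."""
import re
from collections import defaultdict

# Constructed: the poster's intermediate attempt (ACE on the mapped port,
# access-group line lost when the ACL was re-entered).
BROKEN_CONFIG = """\
object network SSH-SERVER
 host 192.168.7.200
object network SSH-SERVER
 nat (inside,outside) static interface service tcp ssh 200
access-list outside-access-in extended permit tcp any object SSH-SERVER eq 200 log
"""

# Constructed: the poster's final working config, condensed.
WORKING_CONFIG = """\
object network SSH-SERVER
 host 192.168.7.200
access-list outside_access_in extended permit icmp any any
access-list outside-access-in extended permit tcp any object SSH-SERVER eq ssh log
object network obj_any
 nat (inside,outside) dynamic interface
object network SSH-SERVER
 nat (inside,outside) static interface service tcp ssh 200
access-group outside-access-in in interface outside
"""

# ASA prints well-known ports by name; this subset is an assumption sufficient here.
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "smtp": 25, "ftp": 21, "domain": 53}

def port_num(token):
    return int(token) if token.isdigit() else PORT_NAMES.get(token)

def take_addr(tokens):
    """Consume one ACE address spec (any | host X | object X | net mask)."""
    if tokens[0] in ("any", "any4", "any6"):
        return tokens[0], tokens[1:]
    if tokens[0] in ("host", "object", "object-group"):
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse_config(text):
    """Return (hosts, static object NATs, ACLs, access-groups) from config text."""
    hosts, object_nat, acls, groups = {}, {}, defaultdict(list), {}
    current = None
    for line in text.splitlines():
        if m := re.match(r"object network (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"\s+host (\S+)", line):
            hosts[current] = m.group(1)
        elif m := re.match(r"\s*nat \(\S+,\S+\) static \S+ service (tcp|udp) (\S+) (\S+)", line):
            # Syntax is "service <proto> <real port> <mapped port>".
            object_nat[current] = {"proto": m.group(1),
                                   "real_port": port_num(m.group(2)),
                                   "mapped_port": port_num(m.group(3))}
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src, tokens = take_addr(tokens)
            dst, tokens = take_addr(tokens)
            port = port_num(tokens[1]) if len(tokens) > 1 and tokens[0] == "eq" else None
            acls[name].append({"action": action, "proto": proto, "src": src, "dst": dst, "port": port})
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            groups[m.group(1)] = (m.group(2), m.group(3))
    return hosts, object_nat, acls, groups

def audit(text):
    """Return findings as strings; an empty list means the config passes."""
    _, object_nat, acls, groups = parse_config(text)
    findings = []
    for obj, nat in object_nat.items():
        for acl, aces in acls.items():
            for ace in aces:
                # 8.3+ evaluates the ACL after UN-NAT, so the ACE must use the real port.
                if ace["dst"] == obj and ace["port"] == nat["mapped_port"] != nat["real_port"]:
                    findings.append(f"acl {acl}: ACE for {obj} matches mapped port "
                                    f"{ace['port']}; 8.3+ ACLs match the real port "
                                    f"{nat['real_port']}")
    for acl in acls:
        if acl not in groups:
            near = [g for g in groups if g.replace("_", "-") == acl.replace("_", "-")]
            hint = f" (access-group binds {near[0]} instead)" if near else ""
            findings.append(f"acl {acl} is never applied with access-group{hint}")
    return findings

def mappings(text):
    """Outside port -> inside host:port, one entry per static object NAT."""
    hosts, object_nat, _, _ = parse_config(text)
    return {obj: f"outside {n['proto']}/{n['mapped_port']} -> {hosts.get(obj, '?')} "
                 f"{n['proto']}/{n['real_port']}" for obj, n in object_nat.items()}

def packet_tracer_commands(text, outside_ip):
    """packet-tracer lines that hit each mapping from the outside; the UN-NAT
    phase should report the untranslate to the real host and port."""
    _, object_nat, _, _ = parse_config(text)
    return [f"packet-tracer input outside {n['proto']} 8.8.8.8 12345 {outside_ip} {n['mapped_port']}"
            for n in object_nat.values()]

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("working", WORKING_CONFIG)):
        print(f"== {label}:", mappings(cfg))
        for f in audit(cfg) or ["no findings"]:
            print("  ", f)
    print(*packet_tracer_commands(WORKING_CONFIG, "<outside-interface-ip>"), sep="\n")
```

Run against the working config it still reports the stray `outside_access_in` ICMP ACL as unbound, which is the "two different acls" Jon points out; against the intermediate config it reports both the `eq 200` ACE and the missing `access-group`, matching the packet-tracer `acl-drop` in the thread.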
