ASA 5505 Multiple Port Forwarding

QUINN MATTHEWS
Level 1

I am working with a customer that already has an ASA 5505 V 7.2 installed with port forwarding configured for database updates to their app server. This port forwarding is working fine. Trying to set up a second port forwarding for remote IP phones to connect to a VOIP server. I have read several articles on port forwarding and believe my config is good. Created the TCP and UDP service object groups, access list and static inside/outside, but we are unable to connect the remote phones. Unfortunately this customer only has one (1) usable external IP to work with. Is this possible to do? And if so, where is my mistake? Below is an edited copy of the current config I am running on. Any help is greatly appreciated, this is driving me batty!

names
name 192.168.1.8 Toshiba
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 66.X.X.X 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
object-group service ToshibaUDP udp
port-object range 21000 27999
port-object range 30000 33279
port-object eq 1718
port-object eq 1719
port-object eq sip
object-group service ToshibaTCP tcp
port-object eq 2944
port-object eq 8080
port-object eq 10000
port-object eq 8768
port-object eq 8769
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.224
access-list acl_out extended permit tcp host 67.211.161.74 host 66.X.X.X eq 1706
access-list acl_out extended permit tcp host 64.254.142.196 host 66.X.X.X eq 1706
access-list acl_out extended permit udp any host 66.X.X.X object-group ToshibaUDP
access-list acl_out extended permit tcp any host 66.X.X.X object-group ToshibaTCP
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 1706 192.168.1.5 1706 netmask 255.255.255.255
static (inside,outside) 66.X.X.X Toshiba netmask 255.255.255.255
access-group acl_out in interface outside
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route outside 0.0.0.0 0.0.0.0 66.X.X.X 1


Jouni Forss
VIP Alumni

Hi,

From what I see the configuration contains the following NAT configurations:

  • Dynamic PAT (nat/global commands)
  • Static PAT (static with the port specified)
  • Static NAT

Especially the Static NAT makes me wonder.

You said there is only one public IP address, but there is a Static NAT IP address that binds the whole public IP address to a single internal host? Is the public IP address used in the command the interface IP address? I can't exactly remember this older NAT configuration format, but to my understanding the device would not even accept entering the interface IP address into a NAT configuration; instead you would have to use the parameter "interface".

Considering the above I am wondering where you have forwarded the multiple ports as there is only a Static PAT configuration for one port and the above Static NAT.

To test the ASA configurations you can always use "packet-tracer".

For example:

packet-tracer input outside tcp 1.1.1.1 12345 66.x.x.x

The output would tell if the ASA configurations allow the packet or drop it at some stage.

- Jouni

JouniForss,

Thanks for the response! I will try the packet tracer on the unit when I am back on site with the customer. Should be tomorrow. Is there any documentation or sample configs that show how to go about port forwarding to two different internal IPs? I can make any changes needed to the ASA to get this working. Most everything I read only shows port forwarding to one internal IP. I am sure this is where I'm getting lost. Again thanks for helping!!

Hi,

In the software level you are using, the basic configuration format for a Static PAT (Port Forward) is this:

static (source,destination) tcp interface netmask 255.255.255.255

static (source,destination) udp interface netmask 255.255.255.255

The "source" and "destination" above simply refer to the source interface of the internal host and the destination interface towards which the NAT is supposed to be performed. In most typical cases they would simply be "inside" and "outside".

You would simply add these commands to the ASA with the correct public/internal ports and internal IPs as you have the need for and naturally allow the connections to those public ports on the ACL attached to the external interface of the ASA.

As I said, I am not sure about the Static NAT configuration above. If there truly is one public IP address in use and that Static NAT is actually present in the configuration, then if you entered these Static PAT configurations without removing the Static NAT, the Static PAT simply would not get matched by the ASA and would not work (the Static NAT configured before them in the configuration would override on all ports, as it forwards all TCP/UDP ports to the single internal host).

- Jouni

If I am understanding you correctly, this is not the best way to accomplish what I am trying to do. The config example is the config on the unit. The only thing I did when posting was "X" out the last three octets of the public IP and route outside statement; the subnet is correct on the outside interface, 255.255.255.252, which leaves me with one usable IP. The port forwarding for TCP port 1706 to 192.168.1.5 is working and has been as part of the original setup of the 5505. If there is a better way to configure the ASA to port forward to two internal IPs I can write erase the unit and start over. I just need an understanding of how to configure this.

static (source,destination) tcp interface netmask 255.255.255.255

static (source,destination) udp interface netmask 255.255.255.255

I found config examples/documentation that showed the above lines, but they only allow for a single port, where I have big ranges that need to be forwarded. I have to admit, I am really confused. I have never had to set up an ASA in this manner. Thanks for all the help, just bear with me!!

Hi,

Sadly the software level you are using doesn't enable forwarding multiple ports in a single configuration command.

This means that every port you would need to be forwarded would need to have its own statement, which could possibly result in a very large NAT configuration.

On the newer software levels, where the NAT configuration format has changed completely, you are able to forward a range of ports. Though there is no way to group a lot of ports in a single command. I mean you can use a single command to forward a single range of ports, whatever the range might be, but for single ports you will still be adding one NAT configuration per port, so it might still be a bit messy configuration.

Naturally, when you need to host services to the public network, the ideal situation is to have a public IP address dedicated to each internal host. In many cases this seems to be too costly an option for the user, when reading the posts here, or the ISP in question has some other limitations preventing this.

So to my understanding your option is to either:

  • Configure multiple "static" configurations for each of the ports needed to be forwarded (the configuration can naturally be easily generated, for example by using some copy/paste and Excel to generate the command for each port in a big range of ports)
  • Update the firewall to 8.3+ software level. In your case there might be multiple problems.
    • Judging by the current software level, your ASA is probably several years old and doesn't have enough RAM to support the new software. The newer manufactured models come with more memory. I think this was from 2010 Feb onwards.
    • Also the problem is naturally the completely new NAT format, but as your configuration currently is pretty simple it wouldn't be that hard to convert.
  • Request additional public IP addresses from the local ISP

- Jouni
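As an added example that is not part of the thread, the following Python script does the "generate one static statement per port" job from the first option above for the object-groups posted in the question. It assumes the Toshiba host 192.168.1.8 from the config and refuses to emit a port that is already mapped to another internal host (TCP/1706 to 192.168.1.5), since a single public IP can map each port to only one host.

```python
# Added example (not Cisco tooling): emit the per-port ASA 7.2 Static PAT lines
# that Jouni's option 1 requires, built from the object-groups in the question.
from typing import Iterator, List, Tuple

# Constructed from the posted object-groups: (protocol, low, high), inclusive.
TOSHIBA_PORTS: List[Tuple[str, int, int]] = [
    ("udp", 21000, 27999),
    ("udp", 30000, 33279),
    ("udp", 1718, 1718),
    ("udp", 1719, 1719),
    ("udp", 5060, 5060),    # the 'sip' keyword in the object-group is UDP 5060
    ("tcp", 2944, 2944),
    ("tcp", 8080, 8080),
    ("tcp", 10000, 10000),
    ("tcp", 8768, 8768),
    ("tcp", 8769, 8769),
]

# Ports already forwarded to a different host on the same public IP (from the
# question: TCP 1706 -> 192.168.1.5). A port can only map to one internal host.
ALREADY_USED = {("tcp", 1706)}


def static_pat_lines(host: str, ranges, used=frozenset()) -> Iterator[str]:
    """Yield one 'static (inside,outside) <proto> interface ...' line per port.

    Raises ValueError if a port is already forwarded to another host or is
    listed twice, instead of silently producing a conflicting statement.
    """
    seen = set(used)
    for proto, low, high in ranges:
        for port in range(low, high + 1):
            if (proto, port) in seen:
                raise ValueError(f"{proto}/{port} is already forwarded elsewhere")
            seen.add((proto, port))
            yield (f"static (inside,outside) {proto} interface {port} "
                   f"{host} {port} netmask 255.255.255.255")


def count_lines(ranges) -> int:
    """Number of static statements the given ranges expand to."""
    return sum(high - low + 1 for _, low, high in ranges)


if __name__ == "__main__":
    print(f"! {count_lines(TOSHIBA_PORTS)} static PAT statements follow")
    for line in static_pat_lines("192.168.1.8", TOSHIBA_PORTS, ALREADY_USED):
        print(line)
```

The acl_out entries already in the posted config permit these ports, but as noted above the full-IP "static (inside,outside) 66.X.X.X Toshiba" line has to be removed first or the generated Static PAT entries will never be matched.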
