I am working with a customer that already has an ASA 5505 V 7.2 installed with port forwarding configured for database updates to their app server. This port forwarding is working fine. Trying to setup a second port forwarding for remote IP phones to connect to a VOIP server. I have read several articles on port forwarding and believe my config is good. Created the TCP and UDP service object groups, access list and static inside/outside, but we are unable to connect the remote phones. Unfortunately this customer only has one (1) usable external IP to work with. Is this possible to do? And if so, where is my mistake? Below is an edited copy of the current config I am running on. Any help is greatly appreciated, this is driving me batty!
name 192.168.1.8 Toshiba
ip address 192.168.1.2 255.255.255.0
ip address 66.X.X.X 255.255.255.252
switchport access vlan 2
object-group service ToshibaUDP udp
port-object range 21000 27999
port-object range 30000 33279
port-object eq 1718
port-object eq 1719
port-object eq sip
object-group service ToshibaTCP tcp
port-object eq 2944
port-object eq 8080
port-object eq 10000
port-object eq 8768
port-object eq 8769
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.224
access-list acl_out extended permit tcp host 18.104.22.168 host 66.X.X.X eq 1706
access-list acl_out extended permit tcp host 22.214.171.124 host 66.X.X.X eq 1706
access-list acl_out extended permit udp any host 66.X.X.X object-group ToshibaUDP
access-list acl_out extended permit tcp any host 66.X.X.X object-group ToshibaTCP
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 1706 192.168.1.5 1706 netmask 255.255.255.255
static (inside,outside) 66.X.X.X Toshiba netmask 255.255.255.255
access-group acl_out in interface outside
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route outside 0.0.0.0 0.0.0.0 66.X.X.X 1
From what I see, the configuration contains the following NAT configurations.
Especially the Static NAT makes me wonder.
You said there is only one public IP address, but there is a Static NAT that binds the whole public IP address to a single internal host? Is the public IP address used in the command the interface IP address? I can't exactly remember this older NAT configuration format, but to my understanding the device would not even accept entering the interface IP address into a NAT configuration; instead you would have to use the parameter "interface".
Considering the above I am wondering where you have forwarded the multiple ports as there is only a Static PAT configuration for one port and the above Static NAT.
To test the ASA configurations you can always use "packet-tracer".
packet-tracer input outside tcp 126.96.36.199 12345 66.x.x.x
The output would tell if the ASA configurations allow the packet or drop it at some stage.
Thanks for the response! I will try the packet tracer on the unit when I am back on site with the customer. Should be tomorrow. Is there any documentation or sample configs that show how to go about port forwarding to two different internal IPs? I can make any changes needed to the ASA to get this working. Most everything I read only shows port forwarding to one internal IP. I am sure this is where I'm getting lost. Again, thanks for helping!!
In the software level you are using, the basic configuration format for a Static PAT (Port Forward) is this:
static (source,destination) tcp interface <public port> <internal IP> <internal port> netmask 255.255.255.255
static (source,destination) udp interface <public port> <internal IP> <internal port> netmask 255.255.255.255
The "source" and "destination" above simply refer to the source interface of the internal host and the destination interface towards which the NAT is supposed to be performed. In most typical cases they would simply be "inside" and "outside".
You would simply add these commands to the ASA with the correct public/internal ports and internal IPs as you have the need for and naturally allow the connections to those public ports on the ACL attached to the external interface of the ASA.
As I said, I am not sure about the Static NAT configuration above. If there truly is one public IP address in use and that Static NAT is actually present in the configuration, then if you entered these Static PAT configurations without removing the Static NAT, the Static PAT simply would not get matched by the ASA and would not work (the Static NAT configured before them in the configuration would override on all ports, as it forwards all TCP/UDP ports to the single internal host).
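To show what "one static statement per port" means for the ranges in this thread's object-groups, here is an added helper (not from the thread or from Cisco) that parses the posted object-group lines, expands the ranges, and emits the pre-8.3 static PAT lines against the interface IP. It assumes the named port "sip" maps to 5060 and uses the Toshiba host's address from the posted config as the internal host.

```python
import re

# Constructed sample input: the two service object-groups from the config posted above.
SAMPLE_CONFIG = """\
object-group service ToshibaUDP udp
 port-object range 21000 27999
 port-object range 30000 33279
 port-object eq 1718
 port-object eq 1719
 port-object eq sip
object-group service ToshibaTCP tcp
 port-object eq 2944
 port-object eq 8080
 port-object eq 10000
 port-object eq 8768
 port-object eq 8769
"""

# Port names the ASA accepts in port-object lines; only the one this config uses is mapped (assumed).
NAMED_PORTS = {"sip": 5060}

def to_port(token: str) -> int:
    """Turn a numeric or named port token into an integer."""
    return int(token) if token.isdigit() else NAMED_PORTS[token]

def parse_service_groups(config: str) -> dict:
    """Return {group_name: (protocol, sorted unique ports)} with every range expanded."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group service (\S+) (tcp|udp)$", line)
        if m:
            current = m.group(1)
            groups[current] = (m.group(2), [])
            continue
        m = re.match(r"port-object (eq|range) (\S+)(?: (\S+))?$", line)
        if m and current:
            proto, ports = groups[current]
            if m.group(1) == "eq":
                ports.append(to_port(m.group(2)))
            else:  # "range lo hi" is inclusive on the ASA
                ports.extend(range(to_port(m.group(2)), to_port(m.group(3)) + 1))
    return {n: (p, sorted(set(ports))) for n, (p, ports) in groups.items()}

def static_pat_lines(groups: dict, internal_host: str) -> list:
    """Pre-8.3 static PAT takes one port per statement: emit one line per expanded port."""
    fmt = "static (inside,outside) {p} interface {port} {host} {port} netmask 255.255.255.255"
    return [fmt.format(p=proto, port=port, host=internal_host)
            for proto, ports in groups.values() for port in ports]
```

Running it over the posted groups yields more than ten thousand static lines, which is the size problem the per-port format creates for large UDP ranges.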
If I am understanding you correctly, this is not the best way to accomplish what I am trying to do. The config example is the config on the unit. The only thing I did when posting was "X" out the last three octets of the public IP and the route outside statement; the subnet is correct on the outside interface, 255.255.255.252, which leaves me with one usable IP. The port forwarding for TCP port 1706 to 192.168.1.5 is working and has been as part of the original setup of the 5505. If there is a better way to configure the ASA to port forward to two internal IPs, I can write erase the unit and start over. I just need an understanding of how to configure this.
I found config examples/documentation that showed the above lines, but they only allow for a single port, where I have big ranges that need to be forwarded. I have to admit, I am really confused. I have never had to set up an ASA in this manner. Thanks for all the help, just bear with me!!
Sadly, the software level you are using doesn't enable forwarding multiple ports in a single configuration command.
This means that every port you would need to be forwarded would need to have its own statement which could possibly result in a very large NAT configuration.
On the newer software levels, where the NAT configuration format has changed completely, you are able to forward a range of ports. Though there is no way to group a lot of ports in a single command. I mean you can use a single command to forward a single range of ports, whatever the range might be, but for single ports you will still be adding one NAT configuration per port, so it might still be a bit of a messy configuration.
Naturally, when you need to host services to the public network, the ideal situation is to have a public IP address dedicated to each internal host. In many cases this seems to be too costly an option for the user, when reading the posts here, or the ISP in question has some other limitations preventing this.
So to my understanding your option is to either