ASA 5505 Port forwarding Question

Andy Golden
Level 1

Hello there! I'm stuck on something that should be painfully obvious to me, but I can't seem to identify it in my config. I am somewhat of a router CLI novice, and haven't mastered ASDM. Note: I've changed around some names and public IPs for security.

My current issue is that I need a few ports (35101-35105) assigned to a local server IP 192.168.12.20 on VLAN 120 using the public IP address 69.67.62.68 (harborstatic3). I'll probably continue to use that IP address to forward to other ports in the future for other servers (assuming I can do that across different VLANs, i.e. use RDP on some future server on VLAN 130 using the same public static). That last detail isn't as important right now though.

I know I can connect externally to those ports if I add the following line, but I know that it's not secure:

access-list outside_access_in2 extended permit ip any host 192.168.12.20

Any idea what commands I need to put in to fix this? I have the tcp service objects added, but I'm missing something that's keeping them from being applied.


interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport trunk allowed vlan 1-2,110,120,130
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.67.62.66 255.255.255.248
!
interface Vlan110
 description careco
 nameif sub110
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Vlan120
 nameif sub120
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface Vlan130
 nameif sub130
 security-level 100
 ip address 192.168.13.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name sdbllp.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network harborstatic2
 host 69.67.62.67
object network harborstatic3
 host 69.67.62.68
object network harborstatic4
 host 69.67.62.69
object network harborstatic5
 host 69.67.62.70
object network sub110route
 subnet 192.168.11.0 255.255.255.0
object network h_192.168.11.25
 host 192.168.11.25
object service tcp_3389
 service tcp source eq 3389
object service tcp_3389_0ut
 service tcp destination eq 3389
object service vpn_1701_udp
 service udp source eq 1701
object service vpn_1701_udp_0ut
 service udp destination eq 1701
object service vpn_4500_udp
 service udp source eq 4500
object service vpn_4500_udp_0ut
 service udp destination eq 4500
object service vpn_500_udp
 service udp source eq isakmp
object service vpn_500_udp_0ut
 service udp destination eq isakmp
object network h_192.168.12.20
 host 192.168.12.20
object service tcp_35101
 service tcp source eq 35101
object service tcp_35102
 service tcp source eq 35102
object service tcp_35103
 service tcp source eq 35103
object service tcp_35104
 service tcp source eq 35104
object service tcp_35105
 service tcp source eq 35105
access-list sub110_out extended permit ip 192.168.11.0 255.255.255.0 any
access-list in_internet extended permit udp any host 192.168.11.25 eq 1701
access-list in_internet extended permit udp any host 192.168.11.25 eq isakmp
access-list in_internet extended permit udp any host 192.168.11.25 eq 4500
access-list in_internet extended permit tcp any host 192.168.11.25 eq 3389
access-list in_internet remark CARE VPN
access-list outside_access_in extended permit ip any host 192.168.11.25
access-list in_internet2 extended permit tcp any host 192.168.12.20 eq 35101
access-list in_internet2 extended permit tcp any host 192.168.12.20 eq 35102
access-list in_internet2 extended permit tcp any host 192.168.12.20 eq 35103
access-list in_internet2 extended permit tcp any host 192.168.12.20 eq 35104
access-list in_internet2 extended permit tcp any host 192.168.12.20 eq 35105
access-list in_internet2 remark BACKUPSERVER

pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu management 1500
mtu outside 1500
mtu sub110 1500
mtu sub120 1500
mtu sub130 1500

no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (sub110,outside) source static h_192.168.11.25 harborstatic2
nat (sub120,outside) source static h_192.168.12.20 harborstatic3
!
object network obj_any
 nat (management,outside) dynamic interface
object network sub110route
 nat (sub110,outside) dynamic harborstatic2
access-group outside_access_in2 in interface outside
access-group sub110_out in interface sub110
route outside 0.0.0.0 0.0.0.0 69.67.62.65 1
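As an added example (not part of the original post, and not a Cisco tool), here is a small Python lint pass over the posted running-config that flags the checks worth making on this thread: an access-group that points at an ACL with no entries, ACLs that are defined but never applied to an interface, and "permit ip any host" entries that open every port. The config excerpt and the regexes are constructed from the thread.

```python
# Added example, not from the original post: lint an ASA running-config for
# access-group/ACL mismatches and over-broad "permit ip any host" entries.
import re

# Constructed excerpt of the poster's config (names and IPs as in the thread).
CONFIG = """\
access-list outside_access_in extended permit ip any host 192.168.11.25
access-list in_internet2 extended permit tcp any host 192.168.12.20 eq 35101
access-list in_internet2 extended permit tcp any host 192.168.12.20 eq 35105
access-list in_internet2 remark BACKUPSERVER
access-list sub110_out extended permit ip 192.168.11.0 255.255.255.0 any
access-group outside_access_in2 in interface outside
access-group sub110_out in interface sub110
"""

ACE = re.compile(r"^access-list (\S+) (extended|remark) (.*)$")
GROUP = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
ANY_PORT = re.compile(r"^permit ip any host \S+$")


def lint(config: str) -> list[str]:
    """Return human-readable findings for the given config text."""
    acls: dict[str, list[str]] = {}   # ACL name -> list of ACE bodies
    applied: dict[str, str] = {}      # ACL name -> interface it is bound to
    for line in config.splitlines():
        line = line.strip()
        if m := ACE.match(line):
            name, kind, body = m.groups()
            acls.setdefault(name, [])
            if kind == "extended":      # remarks carry no policy
                acls[name].append(body)
        elif m := GROUP.match(line):
            name, _direction, iface = m.groups()
            applied[name] = iface

    findings: list[str] = []
    # An access-group bound to an ACL with no entries drops everything inbound.
    for name, iface in applied.items():
        if not acls.get(name):
            findings.append(f"{iface}: access-group references empty/undefined ACL {name}")
    for name, entries in acls.items():
        if entries and name not in applied:
            findings.append(f"ACL {name} is defined but not applied to any interface")
        for ace in entries:
            if ANY_PORT.match(ace):
                findings.append(f"ACL {name}: '{ace}' opens every port")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(CONFIG)))
```

Run against the excerpt it reports that the outside interface's access-group names an ACL with no entries while in_internet2 is never bound, which is why the five port-specific entries never take effect.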

2 Replies

Murali
Level 1

Hi,

Change your NAT statements as below and try, thanks!

no nat (sub120,outside) source static h_192.168.12.20 harborstatic3
object network h_192.168.12.20
 nat (sub120,outside) static 69.67.62.68

HTH

Murali

"I know I can connect externally to those ports if I add the following line, but I know that it's not secure:
access-list outside_access_in2 extended permit ip any host 192.168.12.20"

To allow access to the 192.168.12.20 server you need to apply an ACL entry on the outside interface to allow this traffic in addition to the NAT.

Currently you are NATing all ports that are going to the 69.67.62.68 public IP, and this is OK if you do not intend to forward other ports to other servers.

To make your ACL a little more secure than just permitting all traffic to all ports you could add a more specific ACL entry that restricts access to the range of ports you want to allow access to.

access-list outside_access_in2 extended permit tcp any host 192.168.12.20 range 35101 35105

--
Please remember to select a correct answer and rate helpful posts