ASA 5506 port forwarding from INSIDE to OUTSIDE

yuri.suslov
Level 1

Hi Experts,

 

For the moment we have a PC-based firewall (Debian + iptables) to segregate 2 private networks, but there is a demand from management to use Cisco instead.

Unfortunately our configuration is a bit unusual, so for the moment I'm stuck with moving the port translation to an ASA 5506 (v9.8, ASDM v7.8).

The existing firewall has INSIDE address 172.16.8.201/21 and OUTSIDE address 10.3.117.1/24.

All hosts from the INTERNAL network connect to different ports of the single INSIDE address above and the firewall diverts them to a dedicated host/port on the EXTERNAL network, for example:

# RDP to external Windows PC
iptables -t nat -A PREROUTING -p TCP -d 172.16.8.201 --dport 12119 -j DNAT --to-destination 10.3.117.211:3389
# Return all outgoing packets back to requester
iptables -t nat -A POSTROUTING -o eth1 -p TCP -j SNAT --to-source 10.3.117.201

Which means when an internal user creates an RDP session to 172.16.8.201:12119 he's connected to external host 10.3.117.211.

Could you please help me implement the same forwarding in Cisco?

 

Thanks,

Yuri


Bogdan Nita
VIP Alumni

Hi Yuri,

 

There are multiple ways of configuring a destination PAT; for instance, a config similar to the iptables one would be:

object network obj_172.16.8.201
 host 172.16.8.201
object network obj_10.3.117.211
 host 10.3.117.211
object service tcp_12119
 service tcp destination eq 12119
object service tcp_3389
 service tcp destination eq 3389
!
nat (outside,inside) source static any any destination static obj_172.16.8.201 obj_10.3.117.211 service tcp_12119 tcp_3389 no-proxy-arp

but a simpler config could be:

object network obj_10.3.117.211
 host 10.3.117.211
 nat (inside,outside) static 172.16.8.201 service tcp 3389 12119

 

HTH

Bogdan

Hi Bogdan,

 

The simple config does not work. Do I need to define a route from INSIDE to OUTSIDE?

I deleted all changes and now have the default config, see below. Maybe something else is wrong?

 

ASA Version 9.8(1)
!
hostname TA-FWL-ASA1
domain-name KHALDA-DCS.local
enable password xxx
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.3.117.1 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 description WiMax subnet
 nameif inside
 security-level 100
 ip address 172.16.8.201 255.255.248.0
!
banner login ###########################################################################
banner login #
banner login # UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
banner login #
banner login # You must have explicit permission to access this device in any way as
banner login # it is restricted to authorized users for business purposes only.
banner login #
banner login # Unauthorized attempts and actions to access or use this device
banner login # is a violation of company policy.
banner login #
banner login # This system may be monitored for administrative and security reasons.
banner login #
banner login # By proceeding you acknowledge that you've read and understand this notice
banner login # otherwise press Ctrl-C now to quit.
banner login #
banner login ###########################################################################
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Fri Apr 0:00 last Fri Sep 0:00
dns server-group DefaultDNS
 domain-name KHALDA-DCS.local
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 172.16.8.0 255.255.248.0 inside_1
http 172.16.8.0 255.255.248.0 inside_2
snmp-server location xxx
snmp-server contact xxx
snmp-server community *****
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.8.0 255.255.248.0 inside_1
ssh 172.16.8.0 255.255.248.0 inside_2
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cd47b8417b442f88e7099164c896fbd6
: end
TA-FWL-ASA1#

Hi Yuri,

In my first reply I thought that the inside and outside interfaces were the other way around. Taking that into consideration, the simpler NAT gets a bit more complicated; just use whichever makes more sense to you.

Also, because you are using the 172.16.8.201 configured on the interface, you would need to use the interface keyword.

!FIRST EXAMPLE:
!
nat (INSIDE,OUTSIDE) source static any any destination static interface obj_10.3.117.211 service tcp_12119 tcp_3389 no-proxy-arp
!
!SECOND EXAMPLE:
!
object network obj_10.3.117.211
 host 10.3.117.211
 nat (OUTSIDE,INSIDE) static interface service tcp 3389 12119

Also, I noticed you are using bridge groups, which tend to complicate the NAT config. For overload NATs you would simply have a NAT rule for every bridge interface or use the all keyword, but for static NAT it seems you have to configure only the interface to which the host is connected. So for instance in your case, if 10.3.117.211 is connected to inside_1, you should have a static NAT rule only for that interface, or the rule should be before similar rules for different interfaces.

Here is a thread where the issue is explained in more detail:

https://supportforums.cisco.com/t5/firewalling/asa-5506-in-routed-mode-with-bvi-nat-statements/m-p/3353802#M167572
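The mapping from the iptables DNAT rules in the question to the object NAT form in this answer, as an added example that is not part of the thread: a small Python translator that parses PREROUTING DNAT rules, emits one ASA network object with its own nat line per forwarded port, and writes the interface keyword when the mapped address is the ASA's own inside interface IP. The sample rules, the obj_ naming scheme and the helper names are assumptions.

```python
import ipaddress
import re
# Constructed sample in the style of the question: one DNAT per forwarded port plus the
# POSTROUTING SNAT. ASA static NAT is bidirectional, so the SNAT has no ASA equivalent.
IPTABLES_RULES = """
# RDP to external Windows PC
iptables -t nat -A PREROUTING -p TCP -d 172.16.8.201 --dport 12119 -j DNAT --to-destination 10.3.117.211:3389
iptables -t nat -A PREROUTING -p tcp -d 172.16.8.201 --dport 8888 -j DNAT --to-destination 10.3.117.6:80
iptables -t nat -A PREROUTING -p tcp -d 172.16.8.201 --dport 502 -j DNAT --to-destination 10.3.117.6:502
iptables -t nat -A POSTROUTING -o eth1 -p TCP -j SNAT --to-source 10.3.117.201
"""

DNAT_RE = re.compile(
    r"-p\s+(?P<proto>tcp|udp)\s+-d\s+(?P<mapped_ip>[\d.]+)\s+--dport\s+(?P<mapped_port>\d+)"
    r"\s+-j\s+DNAT\s+--to-destination\s+(?P<real_ip>[\d.]+):(?P<real_port>\d+)",
    re.IGNORECASE,
)

def parse_dnat_rules(text):
    """Return (proto, mapped_ip, mapped_port, real_ip, real_port) per PREROUTING DNAT rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "PREROUTING" not in line:
            continue  # comments and the POSTROUTING/SNAT rule are skipped
        m = DNAT_RE.search(line)
        if not m:
            raise ValueError(f"unsupported rule: {line}")
        d = m.groupdict()
        for key in ("mapped_ip", "real_ip"):
            ipaddress.ip_address(d[key])  # reject malformed addresses early
        rules.append((d["proto"].lower(), d["mapped_ip"], int(d["mapped_port"]),
                      d["real_ip"], int(d["real_port"])))
    return rules

def to_asa_object_nat(rules, inside_ip, real_ifc="outside", mapped_ifc="inside"):
    """Emit one network object plus its object NAT line per forwarded port."""
    # ASA takes one nat line per object: a host forwarded on two ports needs two objects
    seen, out = set(), []
    for proto, mapped_ip, mapped_port, real_ip, real_port in rules:
        name = f"obj_{real_ip}_{proto}_{real_port}"  # hypothetical naming scheme
        if name in seen:
            raise ValueError(f"duplicate forward for {real_ip}:{real_port}/{proto}")
        seen.add(name)
        # A mapped address equal to the ASA's own inside IP must be written as 'interface'
        mapped = "interface" if mapped_ip == inside_ip else mapped_ip
        out += [f"object network {name}", f" host {real_ip}",
                f" nat ({real_ifc},{mapped_ifc}) static {mapped} service {proto} {real_port} {mapped_port}"]
    return "\n".join(out)
```

Running `to_asa_object_nat(parse_dnat_rules(IPTABLES_RULES), "172.16.8.201")` yields the same three-object shape as the final config later in the thread, with 10.3.117.6 split into one object per port.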

 

Hi Bogdan,

 

For sure I do not need bridge groups, because I will be using only 2 ports (Gigabit 1/1 for outside & Gigabit 1/2 for inside) between 2 networks. However, if I delete the BVI interface from the CLI and assign 172.16.8.201 to Gigabit 1/2, then I can no longer connect via ASDM.

Do you know if a reset to the factory default configuration will clear the BVI settings so I could start from scratch?

 

Thanks,

Yuri

The ASA 5506 comes with the bridge group config by default, so I do not think a reset would help.

You should be able to connect with ASDM to the interface after removing it from the bridge group and assigning the IP to the interface; just make sure you have:

http 172.16.8.0 255.255.248.0 <new-interface-name>

 

Yes, it did help. I did a "write erase", reloaded the ASA and declined the proposal to restore the factory defaults.

Once the ASA looked clean I put in your configuration and it works perfectly!

Thanks a lot for your help on this matter. Please have a look at the final configuration below; maybe you could advise what else I should configure.

 

ASA Version 9.8(1)
!
hostname TA-FWL-ASA1
domain-name KHALDA-DCS.local
enable password xxx
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names

!
interface GigabitEthernet1/1
 description WiMax
 nameif outside
 security-level 0
 ip address 10.3.117.1 255.255.255.0
!
interface GigabitEthernet1/2
 description PCN
 nameif inside
 security-level 100
 ip address 172.16.8.201 255.255.248.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone EEST 2
dns server-group DefaultDNS
 domain-name KHALDA-DCS.local
object network RTU-06-80
 host 10.3.117.6
object network RTU-06-502
 host 10.3.117.6
object network PC-211-3389
 host 10.3.117.211
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network RTU-06-80
 nat (outside,inside) static interface service tcp www 8888
object network RTU-06-502
 nat (outside,inside) static interface service tcp 502 502
object network PC-211-3389
 nat (outside,inside) static interface service tcp 3389 12119
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 172.16.8.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
no service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxx
: end
TA-FWL-ASA1#
