Solved: ASA 8.4.2 Port forwarding outside interface to DMZ server

bennethos1982 · ‎03-18-2015

Hello,

I'm a student and could use some guidance.

I have a test lab setup to test WAN - DMZ capabilities

My setup is very simple :

* WAN internet if 1.1.1.50

* DMZ Server 10.0.50.10 real ip that needs to be icmp reachable when I ping on the outside interface of the ASA 1.1.1.50

* DMZ Server needs to be reachable on udp 53 on 1.1.1.50 outside address ( In the future I would like to add a rule like TCP 22, 21, 80,443)

I'm struggling a lot to get this working and would like some assistance from the experts :)

* Right now I can ping from DMZ to outside but my source address doesn't get translated from 10.0.50.10 to 1.1.1.50

* I can not reach udp 53 from an external server, an nmap shows me port 53 is filteren, a packet tracer shows me the ACL is blocking it but I configured any any so I don't see the problem.

Here is my config :

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
mac-address a4b5.a5b5.a5b5
nameif WAN
security-level 0
ip address 1.1.1.50 255.255.255.0
ipv6 address 2001:6a8:2940:101::50/64
!
interface GigabitEthernet1
nameif DMZ
security-level 50
ip address 10.0.50.1 255.255.255.0
ipv6 address 2001:6a8:2940:1b5::1/64
ipv6 address 2001:6a8:2940:1b5::50/64
ipv6 enable
!
interface GigabitEthernet2
nameif LAN
security-level 100
ip address 192.168.50.1 255.255.255.0
ipv6 address 2001:6a8:2940:1a5::1/64
ipv6 enable
!
interface GigabitEthernet3
nameif management
security-level 0
ip address 172.16.0.2 255.255.255.0
!
ftp mode passive
object network DMZ_Host_IPV6
host 2001:6a8:2940:1b5::51
object network DMZ_int
host 2001:6a8:2940:1b5::50
object network DMZ-Host
host 10.0.50.10
object service ssh
service tcp source eq ssh
object service dns_udp
service udp source eq domain
object network DMZ-network
object network dmzdnsserver
host 10.0.50.10
access-list global_access extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list LAN_access_in extended permit ip any any
pager lines 24
mtu WAN 1500
mtu DMZ 1500
mtu LAN 1500
mtu management 1500
ipv6 icmp permit any DMZ
ipv6 route WAN ::/0 2001:6a8:2940:101::1
ipv6 access-list global_access_ipv6 permit ip any any
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
icmp permit any DMZ
icmp permit any LAN
icmp permit any management
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (LAN,WAN) source dynamic any interface
!
object network dmzdnsserver
nat (DMZ,WAN) static interface service udp domain domain
access-group DMZ_access_in in interface DMZ
access-group LAN_access_in in interface LAN
access-group global_access global
access-group global_access_ipv6 global
route WAN 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.16.0.1 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.50.2-192.168.50.10 LAN
dhcpd dns 10.0.50.10 interface LAN
dhcpd option 3 ip 192.168.50.1 interface LAN
dhcpd enable LAN
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:1d2732a8216a162ebeee6727703e40ed
: end

thanks a bunch for your guidance

Adeolu Owokade · ‎03-19-2015

Hi,

What you need is a static NAT configuration and the ACL applied on the outside interface should permit access to the ports you want.

If you were using another IP address apart from the ASA's WAN IP, then a simple configuration like this will work:

object network DMZ-SERVER-MAPPED

host 1.1.1.51

object network DMZ-SERVER-REAL

host 10.0.50.10

nat (LAN,WAN) static DMZ-SERVER-MAPPED

access-list WAN-IN permit udp any host 10.0.50.10 eq 53

access-list WAN-IN permit icmp any host 10.0.50.10

access-group WAN-IN in interface WAN

Note: Post ASA version 8.3, you need to use the real IP address in your access-list, not the mapped one.

If you are bent of using the ASA's IP address for the NAT, then you will have to use Twice-NAT, else the ASA will not be accessible (for other services) on that WAN interface.

object network DMZ-SERVER-REAL

host 10.0.50.10

object service DNS

service udp source eq 53

object service FTP

service tcp source eq 21

nat (LAN,WAN) source static DMZ-SERVER-REAL interface service DNS DNS

nat (LAN,WAN) source static DMZ-SERVER-REAL interface service FTP FTP

access-list WAN-IN permit udp any host 10.0.50.10 eq 53

access-list WAN-IN permit tcp any host 10.0.50.10 eq 21

access-group WAN-IN in interface WAN

This one will not allow ICMP though as you can only do static-NAT-port-translation for TCP or UDP ports.

More information available here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html

View solution in original post

Adeolu Owokade · ‎03-19-2015

Hi,

What you need is a static NAT configuration and the ACL applied on the outside interface should permit access to the ports you want.

If you were using another IP address apart from the ASA's WAN IP, then a simple configuration like this will work:

object network DMZ-SERVER-MAPPED

host 1.1.1.51

object network DMZ-SERVER-REAL

host 10.0.50.10

nat (LAN,WAN) static DMZ-SERVER-MAPPED

access-list WAN-IN permit udp any host 10.0.50.10 eq 53

access-list WAN-IN permit icmp any host 10.0.50.10

access-group WAN-IN in interface WAN

Note: Post ASA version 8.3, you need to use the real IP address in your access-list, not the mapped one.

If you are bent of using the ASA's IP address for the NAT, then you will have to use Twice-NAT, else the ASA will not be accessible (for other services) on that WAN interface.

object network DMZ-SERVER-REAL

host 10.0.50.10

object service DNS

service udp source eq 53

object service FTP

service tcp source eq 21

nat (LAN,WAN) source static DMZ-SERVER-REAL interface service DNS DNS

nat (LAN,WAN) source static DMZ-SERVER-REAL interface service FTP FTP

access-list WAN-IN permit udp any host 10.0.50.10 eq 53

access-list WAN-IN permit tcp any host 10.0.50.10 eq 21

access-group WAN-IN in interface WAN

This one will not allow ICMP though as you can only do static-NAT-port-translation for TCP or UDP ports.

More information available here: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html

bennethos1982 · ‎03-20-2015

Thank you kind sir, it's working and I can continue my studies & homework.

I will have to read up on the difference between ICMP & TCP , I had questions about natting & icmp but you made that clear now, ICMP is not nattable with static nat.

I will read up on the link you provided me.

have a nice day

Adeolu Owokade · ‎03-20-2015

You are welcome.

ICMP and Port Translation is not possible on the Cisco ASA. If you do a normal static NAT like the first one I sent to you, then ICMP will work.