ASA cluster port address translation (Port forwarding)

Hello.

I have the below problem that I am trying to solve. In an ASA cluster of two 5545-X I am trying to publish an internal server on the Internet by using a different port from the one that the service is listening on. In detail, I want external users to connect via RDP on port 65000, while the port on the internal server will be 3389. Although I've created static port address translation on the object and tried to do the same thing with an ordinary NAT statement, the connection cannot be established. If I change the respective access list and port address translation to use the same port (3389), it works fine. Is there something missing, or is the functionality not supported on an ASA cluster? Below are the commands that were used (public IPs are fake):

Commands not working

Static port address translation

access-list out-in line 1 extended permit object 65001 any object 172.31.255.4

nat (OUTSIDE,INSIDE) source static any any destination static 1.1.1.1 172.31.255.4 service 65001 3389

Object NAT port address translation

access-list out-in line 1 extended permit object 65001 any object 172.31.255.4

object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 65001 3389

Commands working

Static port address translation

access-list out-in line 1 extended permit object 3389 any object 172.31.255.4

nat (OUTSIDE,INSIDE) source static any any destination static 1.1.1.1 172.31.255.4 service 3389 3389

Object NAT port address translation

access-list out-in line 1 extended permit object 3389 any object 172.31.255.4

object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 3389

Your help is much appreciated.

Thank you.


12 Replies

Ajay Saini
Level 7

Hello,

The NAT syntax is incorrect, please modify as below:

object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 65001

HTH

-

AJ

Hello AJ

Thanks for your reply.

I've tested the configuration that you've posted but with no success.

Could you please attach a packet-tracer output for traffic being initiated from the WAN hitting the public IP address 1.1.1.1 on port 65001. Let's see where it drops.

-

AJ

Please find below the output. IPs are for reference.

packet-tracer input OUTSIDE tcp 2.2.2.2 1025 194.177.215.12$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network ektathdc01.ektdom.local
nat (INSIDE,OUTSIDE) static EKT_ATHDCs_PAT service tcp 3389 65001
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 194.177.215.124/65001 to 172.16.0.100/3389

Phase: 2
Type: CLUSTER-EVENT
Subtype:
Result: ALLOW
Config:
Additional Information:
Input interface: 'OUTSIDE'
Flow type: NO FLOW
I (0) got initial, attempting ownership.

Phase: 3
Type: CLUSTER-EVENT
Subtype:
Result: ALLOW
Config:
Additional Information:
Input interface: 'OUTSIDE'
Flow type: NO FLOW
I (0) am becoming owner

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group out-in in interface OUTSIDE
access-list out-in extended deny ip any any log disable
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Although it states that it is being denied by the out-in access list, there is a corresponding ACE on this ACL.

Thank you.

The good part is that NAT is happening the way we need it. Can you please make sure that we have the correct NAT statement or, if already present, make sure it's preferred over the . or add below NAT and test:

access-list out-in line 1 extended permit tcp any host 172.31.255.4 eq 3389

-

AJ

I've tested the access list with 3389 as the destination port and left the object NAT statement with same number for real and mapped port (3389) and works. When I change the access list and the object NAT to support 65001 there is no connection.

Yes, that's expected. For inbound access, we need to open the access-list for the real IP (172.31.255.4) and real port 3389. It will not work for port 65001, which is the mapped port.

HTH

-

AJ

Still doesn't work. The config is currently the below:

object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 65001

access-list out-in line 1 extended permit tcp any host 172.31.255.4 eq 3389

It works only when I have the below:

object network 172.31.255.4
nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 3389

access-list out-in line 1 extended permit tcp any host 172.31.255.4 eq 3389

Which is not what I want to achieve.

Thank you.

NAT is not a problem which is clear from packet-tracer output. The issue is access-list.

Could you please attach output of show run access-group and show run access-list out-in

HTH

-

AJ

Here is the abbreviated output of the show access-group

access-group out-in in interface OUTSIDE

and below is the abbreviated output of the show access-list out-in

access-list out-in extended permit tcp any host 172.31.255.4 eq 3389

Thank you.

It worked as you've suggested. It was a misconfiguration on my side.

From what I understand, the ASA (for inbound packets) first checks if there is any NAT statement that matches and then checks if there is an ACE.

While for outbound it is the reverse.

Thank you very much for your help and Merry Christmas!!!

Hello,

For both inbound and outbound connections, the destination NAT happens first and then the ACL is checked. Source NAT is performed after the ACL check.

Merry Christmas!!

-

AJ
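A small Python model of the inbound order of operations AJ describes (UN-NAT of the destination first, then the inbound ACL evaluated against the real IP and port), fed the object NAT and ACE lines from this thread. This is an added example, not ASA code and not anything posted in the thread; the two regex parsers only cover the `static ... service tcp` object NAT and `permit tcp any host X eq N` ACE shapes used here.

```python
import re

# Constructed model of the ASA inbound packet path discussed in the thread:
# Phase UN-NAT rewrites the destination to the real tuple, then Phase ACCESS-LIST
# is evaluated on that real tuple. Object NAT syntax: 'service tcp <real> <mapped>'.
NAT_RE = re.compile(
    r"nat \(\w+,\w+\) static (?P<mapped_ip>\S+) service tcp (?P<real_port>\d+) (?P<mapped_port>\d+)"
)
ACE_RE = re.compile(
    r"access-list \S+ extended permit tcp any host (?P<ip>\S+) eq (?P<port>\d+)"
)


def parse_object_nat(real_ip, nat_line):
    """Return the real->mapped binding of one object NAT line (real port listed first)."""
    m = NAT_RE.search(nat_line)
    if m is None:
        raise ValueError(f"unrecognised NAT line: {nat_line!r}")
    return {"real": (real_ip, int(m["real_port"])),
            "mapped": (m["mapped_ip"], int(m["mapped_port"]))}


def parse_ace(ace_line):
    """Return the (host, port) that a single inbound permit ACE allows."""
    m = ACE_RE.search(ace_line)
    if m is None:
        raise ValueError(f"unrecognised ACE: {ace_line!r}")
    return m["ip"], int(m["port"])


def inbound_lookup(real_ip, nat_line, ace_line, dst_ip, dst_port):
    """Simulate packet-tracer phases UN-NAT then ACCESS-LIST for an inbound TCP SYN."""
    nat = parse_object_nat(real_ip, nat_line)
    dst = (dst_ip, dst_port)
    if dst == nat["mapped"]:          # UN-NAT happens before the ACL is consulted
        dst = nat["real"]
    if dst == parse_ace(ace_line):    # the ACL therefore sees the real IP and real port
        return f"ALLOW -> {dst[0]}:{dst[1]}"
    return f"DROP (acl-drop) for {dst[0]}:{dst[1]}"


# Lines taken from the thread (public IP 1.1.1.1 is the thread's fake address).
REAL = "172.31.255.4"
ACE_3389 = "access-list out-in extended permit tcp any host 172.31.255.4 eq 3389"
ACE_65001 = "access-list out-in extended permit tcp any host 172.31.255.4 eq 65001"
NAT_OK = "nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 3389 65001"       # real 3389, mapped 65001
NAT_SWAPPED = "nat (INSIDE,OUTSIDE) static 1.1.1.1 service tcp 65001 3389"  # ports reversed

if __name__ == "__main__":
    print(inbound_lookup(REAL, NAT_SWAPPED, ACE_65001, "1.1.1.1", 65001))  # no UN-NAT match -> drop
    print(inbound_lookup(REAL, NAT_OK, ACE_65001, "1.1.1.1", 65001))       # ACE on mapped port -> drop
    print(inbound_lookup(REAL, NAT_OK, ACE_3389, "1.1.1.1", 65001))        # ACE on real port -> allow
```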
