ASA5505 - Help Needed with inbound Port Forwarding please

Cormac Champion
Level 1

Hi all,

I need help with Port Forwarding. It's working, but only when I also include the original port in the outside access list. I have a server inside listening on port 443. I want outside clients to connect using port 50443. I can connect on port 50443 only when I ALSO have port 443 included in my Outside Interface ACL. How can I block port 443 access from the outside and allow 443 access to my server only via outside port 50443?

[code]

object service LOCAL-HTTPS
service tcp source eq https
object service REMOTE-50443
service tcp source eq 50443
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https      **** Once Disabled, Inbound on 50443 does NOT work ****
nat (INSIDE,ISP) source static any any destination static obj-MY_Server obj-MY_Server
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
access-group INSIDE_access_in_1 in interface INSIDE control-plane
access-group INSIDE_access_in in interface INSIDE
access-group ISP_access_in_1 in interface ISP control-plane
access-group ISP_access_in in interface ISP
[/code]

I think that includes all relevant code. The first NAT statement fixed my first problem, which was RPF errors.

Thanks in advance

15 Replies

bhargavdesai
Spotlight
The rule mentioned below is mandatory. When you apply an ACL, you always use the real (private) IP and real port in the ACL. I am hoping obj-CCTV_Server is your real (private) IP.

access-list ISP_access_in extended permit tcp any object obj-CCTV_Server eq https

However, I don't think you need the entry below in the ACL.

access-list ISP_access_in extended permit tcp any object obj-CCTV_Server eq 50443

For more details, I would suggest you go through the links below.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html
https://www.petenetlive.com/KB/Article/0001087
https://www.petenetlive.com/KB/Article/0000691

HTH
### RATE ALL HELPFUL RESPONSES ###

As I said, once I put the (mandatory) rule

access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https

in place, I can indeed access the server via port 443.

Yes, obj-MY_Server has a private 10.x.x.x address.

But this is NOT what I want. I want to hide the server from the Internet. I want the external user to connect with

https://MY_Server:50443

Without the following

access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443

I could not connect with port 50443 at all. And with this ACL ONLY, I could also not connect.

So I want to allow only incoming connections on port 50443 and BLOCK 443.

Provide the output of show nat (to check NAT sequencing); moreover, provide the necessary show object details as well.

I suspect that you have a NAT sequencing issue.

Also post the output for the packet-tracer commands below:

packet-tracer input Primary tcp 1.1.1.1 1234 "PUBLIC IP OF SERVER" 50443

packet-tracer input Primary tcp 1.1.1.1 1234 "PUBLIC IP OF SERVER" 443

HTH
### RATE ALL HELPFUL RESPONSES ###

[code]

ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP

Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

[/code]

[code]

ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.yy/50443 to 10.10.xx.xx/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ISP_access_in in interface ISP control-plane
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
access-list ISP_access_in remark Remote Server Access
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
Additional Information:

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map INSIDE-class
match access-list INSIDE_mpc
policy-map INSIDE-policy
class INSIDE-class
police input 5000000 2500 conform-action transmit exceed-action transmit
police output 5000000 2500 conform-action transmit exceed-action transmit
service-policy INSIDE-policy interface INSIDE
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3238152, packet dispatched to next module

Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

[/code]

HOWEVER

If I disable the rule - access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https inactive

[code]

ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xx/50443 to 10.10.xx.xx/443

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

[/code]

One thing that is clear from your output is that no one from outside can access the server on the public IP on port 443.

Next, your server is accessible on the public IP on port 50443 while both ACLs are applied.

With the 443 ACL inactive, you are not able to access it, which is the way it should be as per my earlier post.

Now, what happens when the 50443 ACL is inactive? Can you post the packet tracer for that?

I hope all these exercises make sense, clear your mind, and help you solve your problem.

HTH
### RATE ALL HELPFUL RESPONSES ###

Unfortunately that's not entirely true.

Both Rules active = Access to Server on BOTH ports

443 Only inactive = NO Access to Server on BOTH ports

50443 Only inactive = Access to Server on BOTH ports

[code]

ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xx/52443 to 10.10.xx.xx/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ISP_access_in in interface ISP-NEXT control-plane
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
access-list ISP_access_in remark Remote Server Access
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
Additional Information:

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map INSIDE-class
match access-list INSIDE_mpc
policy-map INSIDE-policy
class INSIDE-class
police input 5000000 2500 conform-action transmit exceed-action transmit
police output 5000000 2500 conform-action transmit exceed-action transmit
service-policy INSIDE-policy interface INSIDE
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3260732, packet dispatched to next module

Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

[/code]

Make 50443 inactive, and then can you post the packet tracer for 443?
Moreover, from which host are you accessing the server?

HTH
### RATE ALL HELPFUL RESPONSES ###

[code]

ASA5505# packet-tracer input ISP-NEXT tcp 1.1.1.1 1234 88.148.xx.xx 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP

Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

[/code]

[code]

ASA5505# sh runn | incl inactive
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https inactive

[/code]

I test access from Chrome from my office and from my house.

I want you to test with only the ACL below inactive and all other ACLs and NAT in place.

access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443 inactive

Now run the same packet tracer for both ports 443 and 50443 and post the output. It should succeed with 50443 and fail with 443. If it does, then the configuration seems OK to allow access to the server on port 50443 only.

If you test from an INSIDE host or over the VPN, then the whole scenario is different. Make sure you are testing this over the INTERNET. All this is to restrict access to only port 50443 via the Internet.

HTH
### RATE ALL HELPFUL RESPONSES ###

Thanks again for all your efforts to get this working. Your assistance is greatly appreciated.

I can confirm that I do NOT use a VPN.

So with the 443 rule inactive, here are the results:

[code]

ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP

Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

[/code]

[code]

ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xxx 50443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xx/50443 to 10.10.xx.xx/443

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

[/code]

You need to disable the 50443 rule, not the 443 one.

HTH
### RATE ALL HELPFUL RESPONSES ###

Sorry

[code]

ASA5505# sh runn | incl inactive
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq 50443 inactive

[/code]

[code]

ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.168.1.1, ISP

Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: ISP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

[/code]

[code]

ASA5505# packet-tracer input ISP tcp 1.1.1.1 1234 88.148.xx.xx 50443

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 88.148.xx.xxx/52443 to 10.10.xx.xx/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ISP_access_in in interface ISP control-plane
access-list ISP_access_in extended permit tcp any object obj-MY_Server eq https
access-list ISP_access_in remark Remote Server Access
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,ISP) after-auto source static obj-MY_Server obj-ISP service LOCAL-HTTPS REMOTE-50443
Additional Information:
Static translate 1.1.1.1/1234 to 1.1.1.1/1234

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,ISP) source static obj-MY_Server interface service LOCAL-HTTPS REMOTE-50443
Additional Information:

Phase: 9
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map INSIDE-class
match access-list INSIDE_mpc
policy-map INSIDE-policy
class INSIDE-class
police input 5000000 2500 conform-action transmit exceed-action transmit
police output 5000000 2500 conform-action transmit exceed-action transmit
service-policy INSIDE-policy interface INSIDE
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3476816, packet dispatched to next module

Result:
input-interface: ISP
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

[/code]

The output shows that the server, via public IP 88.148.X.X from outside, is not accessible on port 443 and is accessible on 50443. I think this is what you want to achieve, as per my understanding.

If you are still having problems, please elaborate on what you want to achieve, how you test, and what the issue is.

HTH
### RATE ALL HELPFUL RESPONSES ###
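Added illustration, not code from this thread or from Cisco: a small Python model of the post-8.3 order the packet-tracer outputs above show (UN-NAT first, then the interface ACL matched against the real IP and port), run over the three experiments summarised in the reply above, which makes the first reply's point concrete that the 50443 ACE can never match a packet while the https ACE is what admits the forwarded traffic. The addresses and class names are constructed placeholders, not values from the thread.

```python
from dataclasses import dataclass

# Constructed placeholder addresses standing in for 88.148.xx.xx / 10.10.xx.xx.
PUBLIC_IP, REAL_IP = "203.0.113.10", "10.10.0.5"

@dataclass(frozen=True)
class NatRule:
    # mapped (public) ip/port -> real (private) ip/port, as in the thread's nat rule
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int

@dataclass(frozen=True)
class AclEntry:
    dst_ip: str            # post-8.3: ACLs are written against the REAL IP
    dst_port: int          # and the REAL port, not the translated ones
    active: bool = True    # "inactive" keyword on the ACE

def process_inbound(dst_ip, dst_port, nat_rules, acl_entries):
    """Return (action, reason) in the shape of packet-tracer's Result block."""
    # Phase 1: UN-NAT. Find a static xlate whose mapped tuple matches the packet.
    hit = next((r for r in nat_rules
                if (r.mapped_ip, r.mapped_port) == (dst_ip, dst_port)), None)
    if hit is None:
        # No translation for this port on the interface (PAT) address: dropped
        # before the ACL is ever consulted. This is the public:443 case above.
        return ("drop", "nat-no-xlate-to-pat-pool")
    # Phase 2: ACCESS-LIST, matched against the untranslated destination.
    for ace in acl_entries:
        if ace.active and (ace.dst_ip, ace.dst_port) == (hit.real_ip, hit.real_port):
            return ("allow", f"{dst_ip}:{dst_port} -> {hit.real_ip}:{hit.real_port}")
    return ("drop", "acl-drop")   # implicit deny at the end of the ACL

NAT = [NatRule(PUBLIC_IP, 50443, REAL_IP, 443)]

def build_acl(https_active=True, p50443_active=True):
    # The two ACEs from the thread. The second names port 50443 on the real IP,
    # a tuple the server never receives, so it can never match.
    return [AclEntry(REAL_IP, 443, https_active),
            AclEntry(REAL_IP, 50443, p50443_active)]

if __name__ == "__main__":
    cases = [("both active", build_acl()),
             ("443 inactive", build_acl(https_active=False)),
             ("50443 inactive", build_acl(p50443_active=False))]
    for label, acl in cases:
        for port in (443, 50443):
            print(f"{label:15} {PUBLIC_IP}:{port} -> {process_inbound(PUBLIC_IP, port, NAT, acl)}")
```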

It appears, therefore, that what is happening from the packet-tracer perspective is different to reality.

Maybe I could PM you with the public IP address to try it yourself?

Once the rule for port 443 was disabled, the server wasn't accessible on port 50443.
