ASA5506 - port redirection is not working as expected

swscco001
Level 3

Hello everybody,

today I need your advice regarding a port redirection on an ASA5506 running 9.12(4)2.

The customer wants to give access to an internal server 192.168.100.33 on the inside interface on ports 443 and 3478 to outside users, who reach it through a second public IP address x.y.z.91 using the same port numbers.

Relevant configuration lines:

interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.100.3 255.255.255.0 
!
interface GigabitEthernet1/8
 nameif connectip
 security-level 0
 ip address x.y.z.90 255.255.255.248 
!
...
object network connectip-x.y.z.91
 host x.y.z.91
...
object network obj-host-nat-192.168.100.33-443
 host 192.168.100.33
...
object network obj-host-nat-192.168.100.33-3478
 host 192.168.100.33
...
object network obj-host-nat-192.168.100.33-443
 nat (inside,connectip) static connectip-x.y.z.91 service tcp https https 
...
object network obj-host-nat-192.168.100.33-3478
 nat (inside,connectip) static connectip-x.y.z.91 service tcp 3478 3478 
...
access-list connectip_access_in extended permit ip any any 
...
access-group connectip_access_in in interface connectip

The second public IP address is in the range given by the ISP x.y.z.90 255.255.255.248.
My questions:

1. Is this possible at all?

2. Is it not necessary to have a separate public IP address for each port he wants to redirect?

3. Can you see a configuration mistake?

I have attached the whole configuration in the hope you can give advice.

Thanks a lot for every hint!!!



Bye
T.


3 Replies

Hi @swscco001 

The configuration you provided looks ok and should work. Are you experiencing an issue? If you are, run packet-tracer from the CLI and provide the output for review.

You do not need a separate public IP address for each port to be redirected.

HTH

Hi Rob,

thanks for the hints!

When I trace on the outside interface "connectip" I see that when the remote public IP a.b.c.138 sends a TCP SYN, the second public IP address x.y.z.91 of the ASA answers with TCP RST,ACK immediately! (see attached screen dump)

If the access is coming from the public IP address outside to the second public IP address x.y.z.91, is the nat command not wrong in this case?

Should it not be:

object network connectip-x.y.z.91
nat (connectip,inside) static obj-host-nat-192.168.100.33-443 service tcp https https
...
object network connectip-x.y.z.91
nat (connectip,inside) static obj-host-nat-192.168.100.33-3478 service tcp 3478 3478


I'd like to hear your opinion!

Thanks a lot!



Bye

T.

I would be very worried if I had this rule in my firewall.

interface GigabitEthernet1/8
 nameif connectip
 security-level 0
 ip address x.y.z.90 255.255.255.248 
!
access-list connectip_access_in extended permit ip any any 
access-list connectip_access_in extended permit object-group DM_INLINE_SERVICE_2 any any 
access-list connectip_access_in extended deny tcp any any object-group Netbios-TCP 
access-list connectip_access_in extended deny udp any any object-group Netbios-UDP  
!
access-group connectip_access_in in interface connectip

Have you tested this with packet-tracer?

packet-tracer input connectip tcp 8.8.8.8 12345 a.b.c.138 443 transmit

Looking into your capture, you are receiving RST. It could be the server at your end resetting the connection.

Please do not forget to rate.
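To make the two points in this thread concrete (the direction of the object-NAT statements and the wide-open ACL on the outside interface), here is an added Python check that is not part of the thread or of any Cisco tool. It parses the object-NAT and access-list lines as posted, resolves each static service NAT into a real-to-mapped socket pair, emits the packet-tracer line that exercises that mapping from the outside, and flags `permit ip any any` entries. The config excerpt is reconstructed from the posted lines and the source address 198.51.100.10 is a constructed test value. Object NAT is written from the real host's side, `(real_ifc,mapped_ifc)`, which is why the posted `(inside,connectip)` order is the usual form for an inbound forward.

```python
import re

# Constructed excerpt of the object-NAT and ACL lines posted in the thread (not the full config).
ASA_CONFIG = """\
object network connectip-x.y.z.91
 host x.y.z.91
object network obj-host-nat-192.168.100.33-443
 host 192.168.100.33
 nat (inside,connectip) static connectip-x.y.z.91 service tcp https https
object network obj-host-nat-192.168.100.33-3478
 host 192.168.100.33
 nat (inside,connectip) static connectip-x.y.z.91 service tcp 3478 3478
access-list connectip_access_in extended permit ip any any
access-list connectip_access_in extended deny tcp any any object-group Netbios-TCP
"""

PORT_NAMES = {"https": 443, "http": 80, "ssh": 22}  # ASA port keywords used here

def to_port(p):
    """Accept either a numeric port or one of the ASA port keywords above."""
    return int(p) if p.isdigit() else PORT_NAMES[p]

def parse_static_pat(config):
    """Resolve each 'nat (real,mapped) static <obj> service ...' line to concrete sockets."""
    hosts, rules, obj = {}, [], None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            obj = m.group(1)                      # following indented lines belong to obj
        elif m := re.match(r"\s+host (\S+)", line):
            hosts[obj] = m.group(1)
        elif m := re.match(r"\s+nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\S+) (\S+)", line):
            rules.append((obj,) + m.groups())
    # Object NAT is written from the real host's side: an inbound connection arriving on
    # mapped_ifc for mapped_ip:mapped_port is untranslated to real_ip:real_port on real_ifc.
    return [{"real_ifc": r, "mapped_ifc": mi, "proto": proto,
             "real": (hosts[o], to_port(rp)), "mapped": (hosts[mo], to_port(mp))}
            for o, r, mi, mo, proto, rp, mp in rules]

def packet_tracer_cmd(rule, src_ip="198.51.100.10", src_port=12345):
    """Build the packet-tracer line that tests one mapping from the outside interface."""
    ip, prt = rule["mapped"]
    return f"packet-tracer input {rule['mapped_ifc']} {rule['proto']} {src_ip} {src_port} {ip} {prt} detailed"

def wide_open_acl_entries(config):
    """Flag ACL entries that permit every protocol from any source to any destination."""
    return [l for l in config.splitlines()
            if re.match(r"access-list \S+ extended permit ip any any\s*$", l)]

if __name__ == "__main__":
    for rule in parse_static_pat(ASA_CONFIG):
        print(f"{rule['mapped']} on {rule['mapped_ifc']} -> {rule['real']} on {rule['real_ifc']}")
        print("  test:", packet_tracer_cmd(rule))
    for entry in wide_open_acl_entries(ASA_CONFIG):
        print("WIDE OPEN:", entry)
```

The packet-tracer destination must be the mapped address x.y.z.91, since that is the socket the ASA untranslates; if the trace passes but the capture still shows an immediate RST,ACK, the reset is coming from behind the ASA rather than from the NAT or ACL phases.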