ASA5515X NAT/PORT Forwarding failing for ports 8088, 8090 and 61616
05-25-2016 01:44 AM - edited 03-12-2019 12:48 AM
Hi
I am not sure what is happening here.
OK, first my setup: I have a Cisco ASA 5515X, ASA software version 9.5(1), ASDM software version 7.5(1)90.
I have 2 new webservers on a DMZ and I wish to forward incoming connections to them.
The internal servers listen on ports: the first on 8088 and 8090, and the other on port 61616.
When I create NAT rules to permit traffic through from my public address to them, it does not work.
But when I change the ports to 80, 443, or 8443, it works and I can make an incoming connection.
I have used the packet-tracer command, and it shows traffic is permitted through using any of the ports.
The only thing that might confuse the matter is I have 2 external ports, outside1 and outside2, with 2 different public addresses.
Outside1 is my default gateway.
I am using outside2 for these connections. I have created a static route to address the incoming connections, i.e. added a static route pointing to outside2 for the public address of the device making incoming connections.
In production this connection will be made from a static public address, so this should work for me.
To rule this out, I moved the devices to another firewall (same model and software version) where I could use the default gateway and not add static routes; no success there either.
There is no IPS on this firewall, the firewalls on the Windows 2012 R2 servers are disabled for the domains, and there is no other firewall in between them.
Anybody any thoughts, ideas? Is there some policy that will only allow certain ports for HTTP traffic?
Any help would be much appreciated.
Labels: NGFW Firewalls
05-25-2016 04:40 AM
Hi Chris,
Could you share the NAT that you have created in both cases? Also make sure you have allowed the port in the access list created for allowing the traffic.
Thanks,
Ankita
05-25-2016 01:01 PM
Hi Ankita,
Thanks for the quick reply.
These are the current NAT rules in place, which work to allow ports 80, 443 and 8443 through the firewall:
nat (outside2,dmz1) source static any any destination static public_address webserver service http_1 http_1 unidirectional
nat (outside2,dmz1) source static any any destination static public_address webserver service http_2 http_2 unidirectional
nat (outside2,dmz1) source static any any destination static public_address webserver service http_3 http_3 unidirectional
Note:
public_address is in the same subnet as outside2
webserver resides in dmz1
http_1 is port 80
http_2 is port 443
http_3 is port 8443
In my attempts to get NAT working for ports 8088, 8090 and 61616, first I tried 1 port at a time from within the object, like this:
object network webserver
nat (outside2,dmz1) static public_address service tcp 8088 8088
Then I did it like the current NAT rules, where http_1, http_2 and http_3 are ports 8088, 8090 and 61616, as below:
nat (outside2,dmz1) source static any any destination static public_address webserver service http_1 http_1 unidirectional
nat (outside2,dmz1) source static any any destination static public_address webserver service http_2 http_2 unidirectional
nat (outside2,dmz1) source static any any destination static public_address webserver service http_3 http_3 unidirectional
The outside2 and dmz1 interfaces have the access lists to permit access, i.e. specific IP addresses allowed to connect to each other with ip as the service.
I configured these rules initially using the ASDM, and after the issues occurred I used the CLI to confirm the rules were being applied correctly.
For example, when I had the above current (first) set of NAT rules in place for ports 80, 443 and 8443, I was connecting to the webserver. Then I just changed the ports in the NAT rules to the other ports 8088, 8090 and 61616 and was then not able to make connections; xlate was carried out when the ports were changed.
Thanks
Chris
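An added ASA 9.x configuration example (not from Chris's post or from Cisco's documentation) that writes out the service objects and twice NAT rules the thread describes together with the commands used to check that the port is actually being matched. The host addresses, the remote client and the access-list name are constructed/assumed values; the object-NAT form at the end is shown as an alternative, not something to run alongside the twice NAT rules.

```cisco
! Constructed addresses: replace with the real public_address and webserver hosts
object network public_address
 host 198.51.100.10
object network webserver
 host 10.10.10.10
object network remote_client
 host 203.0.113.25

! Identity port translation: the same service object is used as real and mapped port
object service http_1
 service tcp destination eq 8088
object service http_2
 service tcp destination eq 8090
object service http_3
 service tcp destination eq 61616

! Twice NAT: the interface pair is (source_ifc,destination_ifc) for packets entering outside2
nat (outside2,dmz1) source static any any destination static public_address webserver service http_1 http_1 unidirectional
nat (outside2,dmz1) source static any any destination static public_address webserver service http_2 http_2 unidirectional
nat (outside2,dmz1) source static any any destination static public_address webserver service http_3 http_3 unidirectional

! Interface ACLs on ASA 8.3+ match the real (untranslated) address, i.e. the webserver,
! so the permit must name the DMZ host and the listening port (assumed ACL name)
access-list outside2_access_in extended permit tcp object remote_client object webserver eq 8088
access-group outside2_access_in in interface outside2

! Verification: confirm the rule is installed and hit, then trace a synthetic SYN
! from the remote client to the mapped public address on the forwarded port
show nat detail
show xlate
packet-tracer input outside2 tcp 203.0.113.25 40000 198.51.100.10 8088 detailed
show conn | include 8088

! Object NAT alternative (use instead of the twice NAT rules, not in addition):
! here the interface pair is (real_ifc,mapped_ifc), so the DMZ interface comes first
object network webserver
 nat (dmz1,outside2) static public_address service tcp 8088 8088
```

If packet-tracer reports ALLOW but no connection builds, compare `show conn` against a live attempt and check `show logging` for the SYN on 8088 to see whether the traffic reaches the ASA at all.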
