08-22-2016 05:11 AM - edited 03-12-2019 01:09 AM
Hello House,
Please, I need help with port-to-port forwarding on an ASA 5512-X. Below is the config; the port redirection is working, but the range of ports and the other ports permitted in the access-list are not opening. Kindly HELP, please....
object network TEST_PUBLIC_IP
host 10.10.10.10
object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200
object network TEST_PRIVATE_IP
host 1.1.1.1
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www
access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101
access-group Outside_IN in interface outside
08-26-2016 07:05 AM
@Cristian, thanks for your effort. But the existing NAT is doing both NAT and port redirection very well with the config below.
object network TEST_PRIVATE_IP
host 1.1.1.1
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www
However, the below config is not allowing access to the server:
object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200
access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101
Please, are you saying I should also use NAT to allow access to the server through all the port-objects declared? Because access to the server via all the ports is the challenge now.
08-26-2016 07:49 AM
Hello,
Unfortunately I don't think that service groups can be used in NAT statements.
- Not stating facts here, but I find it hard for the ASA to figure out if it's the source or destination port, as it is not an option to specify.
It should work in an ACL though.
//Cristian
08-26-2016 08:58 AM
See... let me explain this fully. With the below config, I can access abc.com.ng:8085 for example, because 8085 has been bound to the local IP of the server. Thus, it is not ideal to be giving to clients because of the port number. Also, I can SSH in to the server, and all the ports used internally for the application on the server are opened (port-object range 8000 8200).
object network TEST_PUBLIC_IP
host 10.10.10.10
object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200
object network TEST_PRIVATE_IP
host 1.1.1.1
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP
access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101
access-group Outside_IN in interface outside
However, with the below config, when I added service tcp 8085 www to the NAT for the redirection, I can access abc.com.ng without adding port 8085, which is ideal and shows that port redirection is working. But the challenge now is that with the below config, I cannot SSH in to the server, and all the ports used internally for the application on the server are not opening.
object network TEST_PUBLIC_IP
host 10.10.10.10
object-group service PROD_101 tcp
port-object eq 8443
port-object eq 922
port-object eq ssh
port-object eq https
port-object range 8000 8200
object network TEST_PRIVATE_IP
host 1.1.1.1
nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www
access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101
access-group Outside_IN in interface outside
KINDLY HELP, PLEASE.
08-26-2016 09:09 AM
Hello,
If you want to use twice NAT you cannot use a service group, as it wouldn't understand what port to map to which.
This should be what you are looking for:
object network TEST_PUBLIC_IP
host 10.10.10.10
object network TEST_PRIVATE_IP
host 1.1.1.1
object-group service PROD_101 tcp
port-object eq ssh
port-object eq https
port-object range 8000 8200
object service TCP-SOURCE-8443
service tcp source eq 8443
object service TCP-SOURCE-443
service tcp source eq 443
object service TCP-SOURCE-922
service tcp source eq 922
object service TCP-SOURCE-22
service tcp source eq 22
object service TCP-SOURCE-8000_8200
service tcp source range 8000 8200
nat (PRODUCTION,OUTSIDE) <seq no> static TEST_PRIVATE_IP TEST_PUBLIC_IP destination any any service TCP-SOURCE-8443 TCP-SOURCE-443
nat (PRODUCTION,OUTSIDE) <seq no> static TEST_PRIVATE_IP TEST_PUBLIC_IP destination any any service TCP-SOURCE-922 TCP-SOURCE-22
nat (PRODUCTION,OUTSIDE) <seq no> static TEST_PRIVATE_IP TEST_PUBLIC_IP destination any any service TCP-SOURCE-8000_8200 TCP-SOURCE-8000_8200
access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101
access-group Outside_IN in interface outside
//Cristian
08-26-2016 10:09 AM
I really appreciate your effort... I will check it out and get back to you next week... Thanks a lot...
09-01-2016 09:05 AM
@Cristian, thanks a million for your great support. The clue you gave me really worked for the SSH and the port range declared. I just added the below config to the one that is doing the port redirection:
object service TCP-SOURCE-22
service tcp source eq 22
nat (PRODUCTION,OUTSIDE) source static TEST_PRIVATE_IP TEST_PUBLIC_IP service TCP-SOURCE-22 TCP-SOURCE-22
object service TCP-SOURCE-8000_8200
service tcp source range 8000 8200
nat (PRODUCTION,OUTSIDE) source static TEST_PRIVATE_IP TEST_PUBLIC_IP service TCP-SOURCE-8000_8200 TCP-SOURCE-8000_8200
Next is to implement an SSL certificate and change the config so that the domain name opens on https://...
I have not done the implementation before, but I believe with someone like you it shall be successful... If you don't mind, you can add me on Skype; my ID is isiaka.bashiru. Once again, thanks a million....