Challenge on port to port forwarding on ASA 5512-X

bashiru.bayonle
Level 1

Hello House,

Please I need help on port-to-port forwarding on an ASA 5512-X. Below is the config; the port redirection is working, but the range of ports and the other ports permitted in the access-list are not opening. Kindly help, please.

object network TEST_PUBLIC_IP
 host 10.10.10.10

object-group service PROD_101 tcp
 port-object eq 8443
 port-object eq 922
 port-object eq ssh
 port-object eq https
 port-object range 8000 8200

object network TEST_PRIVATE_IP
 host 1.1.1.1
 nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside

20 Replies

@Cristian, thanks for your effort. But the existing NAT is doing both NAT and port redirection very well with the config below.

object network TEST_PRIVATE_IP
 host 1.1.1.1
 nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

However, the below config is not allowing access to the server

object-group service PROD_101 tcp
 port-object eq 8443
 port-object eq 922
 port-object eq ssh
 port-object eq https
 port-object range 8000 8200

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

Please, are you saying I should also use NAT to allow access to the server through all the port-objects declared? Because access to the server via all the ports is the challenge now.

Hello,

Unfortunately I don't think that service groups can be used in NAT statements.

- Not static facts here, but I find it hard for the ASA to figure out whether it's the source or destination port, as it is not an option to specify.

It should work in the ACL though.

//Cristian

See, let me explain this fully. With the below config, I can access abc.com.ng:8085 for example, because 8085 has been bound to the local IP of the server. Thus, it is not ideal to be giving to the client because of the port number. Also, I can SSH in to the server, and as well all the ports used internally for the application on the server are opened (port-object range 8000 8200).

object network TEST_PUBLIC_IP
 host 10.10.10.10

object-group service PROD_101 tcp
 port-object eq 8443
 port-object eq 922
 port-object eq ssh
 port-object eq https
 port-object range 8000 8200

object network TEST_PRIVATE_IP
 host 1.1.1.1
 nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside

However, with the below config, when I added service tcp 8085 www to the NAT for the redirection, I can access abc.com.ng without port 8085 added, which is ideal and shows that port redirection is working. But the challenge now is that with the below config, I cannot SSH in to the server, and as well all the ports used internally for the application on the server are not opening.

object network TEST_PUBLIC_IP
 host 10.10.10.10

object-group service PROD_101 tcp
 port-object eq 8443
 port-object eq 922
 port-object eq ssh
 port-object eq https
 port-object range 8000 8200

object network TEST_PRIVATE_IP
 host 1.1.1.1
 nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www

access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101

access-group Outside_IN in interface outside

KINDLY HELP PLS.

Hello,

If you want to use twice-NAT you cannot use a service group, as it wouldn't understand what port to map to which.

This should be what you are looking for:

object network TEST_PUBLIC_IP
 host 10.10.10.10
object network TEST_PRIVATE_IP
 host 1.1.1.1
object-group service PROD_101 tcp
 port-object eq ssh
 port-object eq https
 port-object range 8000 8200
object service TCP-SOURCE-8443
 service tcp source eq 8443
object service TCP-SOURCE-443
 service tcp source eq 443
object service TCP-SOURCE-922
 service tcp source eq 922
object service TCP-SOURCE-22
 service tcp source eq 22
object service TCP-SOURCE-8000_8200
 service tcp source range 8000 8200
nat (PRODUCTION,OUTSIDE) <seq no> static TEST_PRIVATE_IP TEST_PUBLIC_IP destination any any service TCP-SOURCE-8443 TCP-SOURCE-443
nat (PRODUCTION,OUTSIDE) <seq no> static TEST_PRIVATE_IP TEST_PUBLIC_IP destination any any service TCP-SOURCE-922 TCP-SOURCE-22
nat (PRODUCTION,OUTSIDE) <seq no> static TEST_PRIVATE_IP TEST_PUBLIC_IP destination any any service TCP-SOURCE-8000_8200 TCP-SOURCE-8000_8200
access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101
access-group Outside_IN in interface outside

//Cristian

I really appreciate your effort... I will check it out and get back to you next week... Thanks a lot...

@Cristian, thanks a million for your great support. The clue you gave me really worked for the SSH and the port range declared. I just added the below config to the one that is doing the port redirection.

object service TCP-SOURCE-22
 service tcp source eq 22
nat (PRODUCTION,OUTSIDE) source static TEST_PRIVATE_IP TEST_PUBLIC_IP service TCP-SOURCE-22 TCP-SOURCE-22

object service TCP-SOURCE-8000_8200
 service tcp source range 8000 8200
nat (PRODUCTION,OUTSIDE) source static TEST_PRIVATE_IP TEST_PUBLIC_IP service TCP-SOURCE-8000_8200 TCP-SOURCE-8000_8200

Next is to implement an SSL certificate and change the config so that the domain name opens on https://...

I have not done the implementation before, but I believe with someone like you it shall be successful... If you don't mind you can add me on Skype; my ID is isiaka.bashiru. Once again, thanks a million....
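An added example, not from the thread or from Cisco, modelling why the ports listed in the access-list stayed closed until a NAT rule covered them: on ASA 8.3+ an inbound packet is first untranslated by NAT and the ACL is then evaluated against the real (inside) address, so a port that no static NAT rule maps never reaches the server even though the ACL permits it. Addresses and ports are the ones posted in the thread; NAT section ordering is ignored because none of the mapped ports overlap.

```python
# Added example (not the thread's own config): a minimal model of ASA inbound
# NAT matching followed by the ACL check on the real address (ASA 8.3+ order).

TEST_PUBLIC_IP = "10.10.10.10"   # mapped address, object network TEST_PUBLIC_IP
TEST_PRIVATE_IP = "1.1.1.1"      # real address,   object network TEST_PRIVATE_IP

# object-group service PROD_101 tcp, as (low, high) port ranges
PROD_101 = [(8443, 8443), (922, 922), (22, 22), (443, 443), (8000, 8200)]

def port_in(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)

# Each static rule maps the (mapped_lo, mapped_hi) range one-to-one onto (real_lo, real_hi).
# nat (PRODUCTION,OUTSIDE) static TEST_PUBLIC_IP service tcp 8085 www -> real 8085, mapped 80
ORIGINAL_NAT = [{"real": (8085, 8085), "mapped": (80, 80)}]

# The two twice-NAT rules the poster added ('service tcp source ...' objects,
# same port on both sides), on top of the port-redirection rule.
FIXED_NAT = ORIGINAL_NAT + [
    {"real": (22, 22), "mapped": (22, 22)},          # TCP-SOURCE-22
    {"real": (8000, 8200), "mapped": (8000, 8200)},  # TCP-SOURCE-8000_8200
]

def untranslate(dst_ip, dst_port, nat_rules):
    """Inbound untranslation: return (real_ip, real_port) or None if no rule matches."""
    if dst_ip != TEST_PUBLIC_IP:
        return None
    for rule in nat_rules:
        m_lo, m_hi = rule["mapped"]
        if m_lo <= dst_port <= m_hi:
            r_lo, _ = rule["real"]
            return TEST_PRIVATE_IP, r_lo + (dst_port - m_lo)  # ranges map 1:1
    return None

def inbound_allowed(dst_port, nat_rules, acl_ports=PROD_101):
    """Outside->inside decision: NAT untranslate first, then ACL on the real address."""
    real = untranslate(TEST_PUBLIC_IP, dst_port, nat_rules)
    if real is None:
        return False  # nothing to untranslate to: the packet never reaches the server
    real_ip, real_port = real
    # access-list Outside_IN extended permit tcp any object TEST_PRIVATE_IP object-group PROD_101
    return real_ip == TEST_PRIVATE_IP and port_in(real_port, acl_ports)

if __name__ == "__main__":
    for port in (80, 22, 443, 8100):
        print(port, "original:", inbound_allowed(port, ORIGINAL_NAT),
              "fixed:", inbound_allowed(port, FIXED_NAT))
```

Port 80 works in both cases because it untranslates to 8085, which falls inside the 8000-8200 range the ACL already permits; 443 stays closed in the poster's final config because no NAT rule was added for it.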
