cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2599
Views
5
Helpful
10
Replies

Cisco ASA 5505 - Port forwarding - NAT

CSCO12801420
Level 1
Level 1

Hi All, 

 

I'm currently trying to setup static NAT's in my home-lab to do port-forwarding using my public IP. I've done this previously with the my router without any issues, but I'm currently unable to get this running on my ASA5505. Currently my PAT(Hide NAT) is working perfectly, just not my port-forwarding. 

 

Any help will be greatly appreciated !!!

 

I've attached the running-config for the ASA

 

NAT's configured previously on my 897-Router (I'm trying to replicate on ASA)
ip nat inside source static tcp 10.10.10.10 22 <Public IP> 22 extendable
ip nat inside source static tcp 192.168.0.10 80 <Public IP> 80 extendable
ip nat inside source static 10.10.10.11 <Public IP> extendable

 

Thanks All

 

Pierre

 

1 Accepted Solution

Accepted Solutions

Even once you have corrected the interface name issue your port forwarding will still not work due to misconfigured NAT rules and the following command:

nat (any,INTERNET) source dynamic LAN-Subnets interface

 

You need to move this to "after-auto" and the commands that are in "after-auto" into section 1 (manual).

 

no nat (any,INTERNET) source dynamic LAN-Subnets interface
!
nat (LAN,INTERNET) source static LAN-MikroTik interface service SSH SSH
nat (DMZ,INTERNET) source static Raspberry interface service HTTP-80 HTTP-80
nat (LAN,INTERNET) source static EVE-SERVER interface  <--- This will mess up your internet traffic. make sure to specify ports or remove this.

 

nat (any,INTERNET) after-auto dynamic LAN-Subnets interface

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

10 Replies 10

Ajay Saini
Level 7
Level 7

Hello,

 

The NAT statements are incorrect, the source and destination interfaces needs to be different. There is an example of the static pat which you are trying to create:

 

https://community.cisco.com/t5/security-documents/asa-pre-8-3-to-8-3-nat-configuration-examples/ta-p/3116375

 

Look for regular static pat example:

object network obj-10.1.1.16
   host 10.1.1.16
   nat (inside,outside) static 192.168.100.100 service tcp 8080 www


 

HTH
AJ

 

Even once you have corrected the interface name issue your port forwarding will still not work due to misconfigured NAT rules and the following command:

nat (any,INTERNET) source dynamic LAN-Subnets interface

 

You need to move this to "after-auto" and the commands that are in "after-auto" into section 1 (manual).

 

no nat (any,INTERNET) source dynamic LAN-Subnets interface
!
nat (LAN,INTERNET) source static LAN-MikroTik interface service SSH SSH
nat (DMZ,INTERNET) source static Raspberry interface service HTTP-80 HTTP-80
nat (LAN,INTERNET) source static EVE-SERVER interface  <--- This will mess up your internet traffic. make sure to specify ports or remove this.

 

nat (any,INTERNET) after-auto dynamic LAN-Subnets interface

--
Please remember to select a correct answer and rate helpful posts

Hi All, 

 

Thanks for the assistance and help, unfortunately I'm still not having any luck. I've implemented your NAT statements and understand where I went wrong, (run config attached) but still unable to browse to internal device on the respective ports. 

 

Further testing: 

1) ACL's allow ip any any 

2) Disabled all internal host firewalls/ports

3) Run packet-tracer which indicates the NAT is working as expected

4) Tested the host on the respective ports from the firewall. 

 

Packet-Tracer

ASA# packet-tracer input interNET tcp 8.8.8.8 https <Public IP> https

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,INTERNET) source static EVE-SERVER interface
Additional Information:
NAT divert to egress interface LAN
Untranslate 196.45.18.108/443 to 10.10.10.11/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group global_access global
access-list global_access extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,INTERNET) source static EVE-SERVER interface
Additional Information:
Static translate 8.8.8.8/443 to 8.8.8.8/443

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,INTERNET) source static EVE-SERVER interface
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 164241, packet dispatched to next module

Result:
input-interface: INTERNET
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

 

Checking the host and port is reachable: 

ASA# ping tcp 10.10.10.11 443
Type escape sequence to abort.
No source specified. Pinging from identity interface.
Sending 5 TCP SYN requests to 10.10.10.11 port 443
from 10.10.10.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

 

Thanks for all the help so far !!

 

P

you have no default route on your ASA pointing to your ISP.

** edit ** nevermind I see you have the setroute command on the interface.

--
Please remember to select a correct answer and rate helpful posts

Do you have the security plus license installed on the ASA5505?  

How are you testing? Packet tracer indicates that this traffic is allowed.  Does this work when on the LAN network?  Are you using a URL when testing? Is the DNS record correctly updated if you are using a URL?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, 

 

If I'm connected on the LAN, I can browse to the respective servers. If I replace the firewall with my router with source NAT's (provided in original post) I can browse to servers without any issues from the Internet.

 

I'm using a IP when going all testing (even though the my Domain A-record is setup correctly)

 

In regards to the license, the device is running ASA 5505 Security Plus license with a permanent activation key. 

 

Would it be worth downgrading to a previous version ?

Again any help will be greatly appreciated !

P

You config looks fine (other than I am not a big fan of using the global ACL).  And packet-tracer states that the traffic is allowed.

Could you issue the command show nat 10.10.10.11 or show nat object EVE-SERVER

 

Also you could do a packet capture on the LAN interface to see if the traffic is actually exiting the LAN interface and to see if you are getting any return traffic

capture capLAN interface LAN match IP host 10.10.10.11 host <external IP you are testing from>

show cap capLAN

Then run a test from an external IP and see if you see the traffic exiting and entering the LAN interface.  If you see the traffic exiting but you see no return traffic then the problem is either on the server itself, or perhaps a routing issue on the server or between the server and the ASA.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, 

 

I've created an inbound and outbound capture on the firewall. I can see translations happening but the capture do not show any inbound traffic or outbound traffic. 

 

ASA# sh cap
capture INCOMING type raw-data interface INTERNET [Capturing - 0 bytes]
match tcp any host <public IP> eq https
match tcp any host 10.10.10.11 eq https
capture OUTBOUND type raw-data interface LAN [Capturing - 0 bytes]
match tcp host 10.10.10.11 any eq https
match tcp any host 10.10.10.11 eq https

 

ASA# show nat 10.10.10.11
Manual NAT Policies (Section 1)
3 (LAN) to (INTERNET) source static EVE-SERVER interface
translate_hits = 363, untranslate_hits = 15073

 

The Next step would be to connect a laptop the the DMZ and see if I can see any captured packets.

 

Any suggestions will be a great help :) 

Well we are seeing that the NAT rule is being hit.  How are you testing this connection?  I find it odd that we are seeing NAT translate / un-translate hits but nothing in the capture.  Try capturing against IP and not a specific port, perhaps traffic is being sent on a port other than TCP/443.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius, 

 

After hours of troubleshooting I finally got in touch with my ISP, which confirmed the rolled out new Firewall rules in their infrastructure. I requested my Public IP be white-listed and I can successfully browse to my servers via domain or Public IP. 

 

I suspect the translated packets seen in the NAT was outgoing and not incoming packets.

 

Thanks for all the help guys !! 

 

P

Review Cisco Networking for a $25 gift card