Cisco ASA 5506 Basic Port Forwarding Help

fretcat_56
Level 1

Hello, I'm new to Cisco ASA and trying to replace an older Netgear firewall. This is my initial attempt to configure some very basic port forwarding on a newly purchased 5506 running ASA v9.8. It has the factory BVI configuration modified for the inside address (192.168.16.0). The outside interface is a single IP (DHCP) assigned by the ISP. Currently a simple network; everything on the private net is connected to inside_1. I had previously configured port forwarding on the existing older Netgear firewall for a DVR on the private net at 192.168.16.32 with ports 8000, 9000, and 9090. Users from outside can target the outside IP address and are able to use the DVR viewing and control application remotely. Initially, I had started to configure the 5506 for outside access to the DVR IP address port 8000 and test using Portcheckers without positive results. 

 

I've now pulled the 5506 and I'm testing it at home with an outside host running PuTTY telnet to port 8000, targeting the outside interface, and a host configured with the DVR IP address and a TCP listener running, connected to inside_1. Although it appears I can get a successful packet trace in ASDM targeting the outside IP and port 8000 in both directions, I can't get through the outside interface and hit the listener on port 8000. I'm currently in the process of trying to configure syslog and res-test to bring forth any clues as to why the current ACL and NAT config is not working.

 

I keep thinking that the ACL is not working and that I've missed something fundamental. This continues to be a learning curve for me, and it seems some basics with the 5506 have been problematic for many out there as well. Any help and pointers on this from the Cisco Community would be greatly appreciated!

 

The current inside address is 192.168.16.1 and the outside interface address for testing is 192.168.10.10. Here is the output from a show running-config, show nat, and show translate:

 


Iselinfire# show running-config
: Saved

:
: Serial Number: JAD231919ZG
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname Iselinfire
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.16.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network DVR_Host
host 192.168.16.32
object service DVR8000
service tcp source eq 8000 destination eq 8000
access-list outside_access_in extended permit object DVR8000 any object DVR_Host
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
object network DVR_Host
nat (inside_1,outside) static interface net-to-net service tcp 8000 8000
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.16.0 255.255.255.0 inside_1
http 192.168.16.0 255.255.255.0 inside_2
http 192.168.16.0 255.255.255.0 inside_3
http 192.168.16.0 255.255.255.0 inside_4
http 192.168.16.0 255.255.255.0 inside_5
http 192.168.16.0 255.255.255.0 inside_6
http 192.168.16.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
no service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 192.168.16.0 255.255.255.0 inside_1
telnet 192.168.16.0 255.255.255.0 inside_7
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map icmp-class
match default-inspection-traffic
!
!
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
!
service-policy icmp_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9bf4d390a79c9a97b093ce28fca7461e
: end
Iselinfire# show nat detail

Auto NAT Policies (Section 2)
1 (inside_1) to (outside) source static DVR_Host interface service tcp 8000 8000 net-to-net
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.16.32/32, Translated: 192.168.10.10/24
Service - Protocol: tcp Real: 8000 Mapped: 8000
2 (inside_1) to (outside) source dynamic obj_any1 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.10.10/24
3 (inside_2) to (outside) source dynamic obj_any2 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.10.10/24
4 (inside_3) to (outside) source dynamic obj_any3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.10.10/24
5 (inside_4) to (outside) source dynamic obj_any4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.10.10/24
6 (inside_5) to (outside) source dynamic obj_any5 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.10.10/24
7 (inside_6) to (outside) source dynamic obj_any6 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.10.10/24
8 (inside_7) to (outside) source dynamic obj_any7 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 192.168.10.10/24
Iselinfire#
Iselinfire# show xlate detail
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside_1:192.168.16.32 8000-8000 to outside:192.168.10.10 8000-8000
flags srN idle 0:24:03 timeout 0:00:00 refcnt 0 xlate id 0x7f0566d73140

Iselinfire#

ASA Novice
3 Replies

Francesco Molino
VIP Alumni
Hi

First of all, to test whether your config allows your port forwarding, you can use a command called packet-tracer. If the traffic will not go through, it'll tell you which rule denies the traffic.

The port object on your outside acl should be destination and not source. The source port can be anything but the destination must be port 8000.

For the NAT, it should look like:
object network DVR_Host
nat (inside_1,outside) static interface service tcp 8000 8000

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Using the destination port only in the outside ACL entry did the trick. I understand now, thank you Francesco. I've made a service group for the ACL with services for 8000, 9000, and 9090 as destination ports only. I now need to redo the NAT configuration so all 3 ports are translated to DVR_Host. I appreciate your help, thanks again.

ASA Novice
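As an added example that is not part of the original thread, the fragment below pulls together the two fixes from the accepted answer (destination-port-only ACL, static PAT to the outside interface without the net-to-net keyword) and extends them to the three DVR ports the follow-up mentions. It keeps the names from the posted running-config (outside, inside_1, outside_access_in, DVR_Host, 192.168.16.32, test outside address 192.168.10.10); the names DVR_Ports, DVR_Host_9000 and DVR_Host_9090 and the source address 203.0.113.5 in the packet-tracer line are assumptions chosen for the example.

```cisco
! Added example for ASA 9.8; object names other than DVR_Host and the
! 203.0.113.5 test source are assumptions, not from the original post.

! ACL: match the DESTINATION port only. A client's source port is ephemeral,
! so a service object that also says "source eq 8000" will never match.
object-group service DVR_Ports tcp
 port-object eq 8000
 port-object eq 9000
 port-object eq 9090
!
! Since ASA 8.3 interface ACLs are evaluated on the real (untranslated)
! address, so the destination is DVR_Host, not the outside IP.
no access-list outside_access_in extended permit object DVR8000 any object DVR_Host
access-list outside_access_in extended permit tcp any object DVR_Host object-group DVR_Ports
access-group outside_access_in in interface outside
!
! NAT: auto (object) NAT carries one service per object, so one object per port.
! "static interface" is static PAT to whatever address DHCP gives the outside
! interface. net-to-net is a NAT46 option and is dropped here.
object network DVR_Host
 nat (inside_1,outside) static interface service tcp 8000 8000
object network DVR_Host_9000
 host 192.168.16.32
 nat (inside_1,outside) static interface service tcp 9000 9000
object network DVR_Host_9090
 host 192.168.16.32
 nat (inside_1,outside) static interface service tcp 9090 9090
!
! Verify from the CLI before testing from the Internet. Any source IP/port
! will do; the destination is the outside interface address and the DVR port.
packet-tracer input outside tcp 203.0.113.5 40000 192.168.10.10 8000 detailed
packet-tracer input outside tcp 203.0.113.5 40000 192.168.10.10 9090 detailed
```

The packet-tracer output should end with "Action: allow" and show the UN-NAT phase translating 192.168.10.10:8000 to 192.168.16.32:8000, followed by the ACCESS-LIST phase matching outside_access_in; if it reports a drop, the phase named in the result is the rule to look at, which is the check the accepted answer recommends. Two hardening points are visible in the posted running-config and worth fixing while the box is being rebuilt: telnet to the ASA is enabled on inside_1 and inside_7, and SSH is pinned to the weak dh-group1-sha1 key exchange (9.8 supports ssh key-exchange group dh-group14-sha1). Exposing a DVR directly to the Internet is also a risk in its own right; if the viewing application permits it, restricting the "any" source in the ACL to the remote users' addresses limits who can reach it.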

You're welcome

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question