Cisco ASA 9.4 Port-forwarding issue using multiple ports to same inside host

trylvis123 (Level 1)

Greetings everyone,

I'm trying to set up a port-forward through Cisco ASA running version 9.4.3.8.

I want to use one public IP, and forward different ports coming to this IP, into one or more internal servers on the same port.

I also want the clients on this subnet to be PAT'ed outwards on the same IP.

We do have multiple public IPs in this subnet on the Outside interface, used for different purposes.

Example scenario, public IP address 9.9.9.9 - internal address 10.0.0.20 for server A and 10.0.0.30 for server B.

Internet -> Outside interface IP 9.9.9.9:tcp/6881 -> NAT -> Inside server 10.0.0.20:tcp/6881

Internet -> Outside interface IP 9.9.9.9:udp/6882 -> NAT -> Inside server 10.0.0.20:udp/6882

Internet -> Outside interface IP 9.9.9.9:tcp/7881 -> NAT -> Inside server 10.0.0.30:tcp/7881

Internet -> Outside interface IP 9.9.9.9:udp/7882 -> NAT -> Inside server 10.0.0.30:udp/7882

I'm currently working on getting host A (10.0.0.20) to work, and I've used the following commands:

access-list Outside_access_in extended permit udp any4 object 10.0.0.20 eq 6881
access-list Outside_access_in extended permit tcp any4 object 10.0.0.20 eq 6881

object service TCP_6881
service tcp source eq 6881
object service UDP_6881
service udp source eq 6881

nat (InternalNetworkX,Outside) source static 10.0.0.20 Outside_9.9.9.9 destination static Outside_9.9.9.9 Outside_9.9.9.9 service TCP_6881 TCP_6881
nat (InternalNetworkX,Outside) source static 10.0.0.20 Outside_9.9.9.9 destination static Outside_9.9.9.9 Outside_9.9.9.9 service UDP_6881 UDP_6881

object network InternalNetworkX
nat (InternalNetworkX,Outside) dynamic 9.9.9.9

Now we get incoming UDP traffic (the hit counters on the access rules get updated), but no TCP traffic.

However, if I run a packet tracer, it says that both UDP and TCP should be dropped:

UDP packet-tracer:

packet-tracer input Outside udp 8.8.8.8 6881 10.0.0.20 6881

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.20 using egress ifc InternalNetworkX

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit udp any4 object hostA eq 6881
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network InternalNetworkX
nat (InternalNetworkX,Outside) dynamic 9.9.9.9
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: InternalNetworkX
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

TCP packet-trace:

packet-tracer input Outside tcp 8.8.8.8 6881 10.0.0.20 6881

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.20 using egress ifc InternalNetworkX

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any4 object hostA eq 6881

Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network InternalNetworkX
nat (InternalNetworkX,Outside) dynamic 9.9.9.9
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: InternalNetworkX
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Any ideas on this?

Accepted Solution

You are configuring it in too complicated a way ...

object network SRV-10.0.0.20-6881
host 10.0.0.20
nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 6881 6881
!
object network SRV-10.0.0.20-6882
host 10.0.0.20
nat (InternalNetworkX,Outside) static 9.9.9.9 service udp 6882 6882
!
object network SRV-10.0.0.30-7881
host 10.0.0.30
nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 7881 7881
!
object network SRV-10.0.0.30-7882
host 10.0.0.30
nat (InternalNetworkX,Outside) static 9.9.9.9 service udp 7882 7882
!
object network InternalNetworkX
nat (InternalNetworkX,Outside) dynamic 9.9.9.9

And you need to allow the traffic in your outside ACL:

access-list OUTSIDE-IN permit tcp any host 10.0.0.20 eq 6881
access-list OUTSIDE-IN permit udp any host 10.0.0.20 eq 6882
access-list OUTSIDE-IN permit tcp any host 10.0.0.30 eq 7881
access-list OUTSIDE-IN permit udp any host 10.0.0.30 eq 7882


6 Replies

Thanks for your reply!

That seems a lot easier, but how will that work if we use port 6881 for both TCP and UDP? Can I create two objects with the same IP but different ports?

Like:

object network SRV-10.0.0.20-TCP6881
host 10.0.0.20
nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 6881 6881
!
object network SRV-10.0.0.20-UDP6881
host 10.0.0.20
nat (InternalNetworkX,Outside) static 9.9.9.9 service udp 6881 6881
!

Yes, exactly like that.

This looks very promising; judging by the hits in the Access Rule list, it seems to translate correctly. So far I've only configured one host, "10.0.0.20".

I'm a bit curious about my packet-tracer though. It still drops the packet; have I entered the wrong information here?

I've run the following in packet-tracer (I do use 8.8.8.8 in the actual packet-tracer):

packet-tracer input Outside tcp 8.8.8.8 6881 10.0.0.20 6881

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.0.20 using egress ifc InternalNetworkX

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any4 object SRV-10.0.0.20 eq 6881

Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network SRV-10.0.0.20-TCP6881
nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 6881 6881
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: InternalNetworkX
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The same goes for UDP.

The packet-tracer has to be used with the packet information as it enters the ASA, i.e. with the public (pre-NAT) destination address:

packet-tracer input Outside tcp 8.8.8.8 6881 9.9.9.9 6881
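As an added illustration (not part of this thread and not Cisco code), the following Python models why the trace above works while the earlier ones dropped: it parses the object-NAT and ACL lines from the accepted solution, un-NATs an inbound packet before evaluating the Outside ACL against the real address (the post-8.3 ASA order), and reports an rpf-check style drop when the trace is fed the inside address instead of 9.9.9.9. The config string is a constructed sample; the dynamic PAT line is omitted because this model only handles static port translations.

```python
import re

# Constructed sample config in the style of the accepted solution (object NAT,
# one static port translation per object); the dynamic PAT rule is omitted.
ASA_CONFIG = """
object network SRV-10.0.0.20-TCP6881
 host 10.0.0.20
 nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 6881 6881
object network SRV-10.0.0.20-UDP6881
 host 10.0.0.20
 nat (InternalNetworkX,Outside) static 9.9.9.9 service udp 6881 6881
object network SRV-10.0.0.30-7881
 host 10.0.0.30
 nat (InternalNetworkX,Outside) static 9.9.9.9 service tcp 7881 7881
access-list OUTSIDE-IN permit tcp any host 10.0.0.20 eq 6881
access-list OUTSIDE-IN permit udp any host 10.0.0.20 eq 6881
"""
NAT_RE = re.compile(r"nat \(\S+,\S+\) static (\S+) service (tcp|udp) (\d+) (\d+)")
ACL_RE = re.compile(r"access-list \S+ permit (tcp|udp) any host (\S+) eq (\d+)")

def parse(cfg):
    """Static rules keyed as the packet arrives on Outside: (proto, mapped_ip, mapped_port) -> (real_ip, real_port)."""
    rules, acl, host = {}, set(), None
    for line in (l.strip() for l in cfg.strip().splitlines()):
        if line.startswith("object network"):
            host = None                       # new object, no host seen yet
        elif line.startswith("host "):
            host = line.split()[1]
        elif (m := NAT_RE.match(line)) and host:
            mapped_ip, proto, real_port, mapped_port = m.groups()
            rules[(proto, mapped_ip, int(mapped_port))] = (host, int(real_port))
        elif m := ACL_RE.match(line):
            acl.add((m.group(1), m.group(2), int(m.group(3))))
    return rules, acl

def trace_inbound(cfg, proto, dst_ip, dst_port):
    """Simplified packet-tracer model for a packet entering Outside: un-NAT first,
    then the inbound ACL is matched on the real address (post-8.3 behaviour)."""
    rules, acl = parse(cfg)
    real = rules.get((proto, dst_ip, dst_port))
    if real is None:
        if dst_ip in {r[0] for r in rules.values()}:
            # Tracing with the inside address reproduces the thread's rpf-check drop.
            return "DROP", f"rpf-check: {dst_ip} is a real address, trace with the mapped IP"
        return "DROP", f"no static NAT for {proto} {dst_ip}:{dst_port}"
    real_ip, real_port = real
    if (proto, real_ip, real_port) not in acl:
        return "DROP", f"acl: add 'permit {proto} any host {real_ip} eq {real_port}'"
    return "ALLOW", f"{real_ip}:{real_port}"
```

Running trace_inbound(ASA_CONFIG, "tcp", "9.9.9.9", 7881) shows the other half of the accepted answer: the translation exists, but the packet is still dropped until the Outside ACL permits the real address 10.0.0.30.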

Exactly, that seems to work perfectly.

Thanks!
