Forwarding a single port

greggeesaman
Level 1

Is there a way to forward a single port, while leaving the others alone? For instance, I want to forward all https traffic on a public IP to an internal server on port 4443. At the same time, traffic on all other ports for this IP needs to be forwarded on the original port. It looks like creating a Network Object will allow a single port to be forwarded, but what happens to the remaining traffic? I attempted to create Service Objects that I then assigned to NAT statements. For example:

object service HTTPS_Translation
 service tcp source eq https destination eq 4443
nat (any,any) source static [External IP] [Internal IP] service HTTPS_Translation HTTPS_Translation

Basically I just want to do this:

443->firewall->4443
80->firewall->80
25->firewall->25
etc.

Is it possible to do what I'm attempting and if so how?

I have an ASA 5510 with version 8.4(1) software.


5 Replies

ajay chauhan
Level 7

object network INSIDE_HOST
 host 10.100.130.5
 nat (INSIDE,OUTSIDE) static <mapped-ip | interface> service tcp 26883 26883

You need to do it this way. Use the IP if you have a static IP; otherwise go for interface, which will use your outside interface IP for port forwarding.

For multiple ports, repeat the same process, or configure another object group for the next real IP address.

Do not forget to configure the outside ACL for the real IP address.

Thanks

Ajay

Thanks for the reply.

This is what I'm entering:

object network NAT_TEST
 host 192.168.1.101
 nat (inside,outside) static 204.x.x.185 service tcp 443 4443
 nat (inside,outside) static 204.x.x.185 service

The second NAT statement overwrites the first.  I think I'm missing something.  I have a service group with multiple service object that relate to all the ports I need to forward.  Should I be relying on that?

Hello Greg,

I would do it like this:

object service HTTPS_real
 service tcp source eq https
object service HTTPS_fake
 service tcp source eq 4443
object network inside_host
 host 10.1.1.1
object network outside_host
 host 4.2.2.2
nat (inside,outside) source static inside_host outside_host service HTTPS_real HTTPS_fake

You will need the ACL pointing to 10.1.1.1 on port 443

That is all you need!

Hope this helps

Julio

Rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Greg,

Please follow what Julio said-

This should be your configuration, assuming your real server is part of Inside.

object network obj-204.x.x.185
 host 204.x.x.185
object network NAT_TEST
 host 192.168.1.101
object service tcp-443
 service tcp source eq 443
object service tcp-80
 service tcp source eq 80
object service tcp-25
 service tcp source eq 25
object service tcp-4443
 service tcp source eq 4443

nat (inside,outside) source static NAT_TEST obj-204.x.x.185 service tcp-4443 tcp-443
nat (inside,outside) source static NAT_TEST obj-204.x.x.185 service tcp-80 tcp-80
nat (inside,outside) source static NAT_TEST obj-204.x.x.185 service tcp-25 tcp-25


Of course, ACL as well.

Thanks
Ajay
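Added example, not from any post in this thread: a complete version of the configuration Ajay describes, extended with the catch-all rule Greg originally asked about (every remaining port forwarded on its original port) and the outside ACL the answers mention but do not show. It is written for ASA 8.4 twice NAT. The inside server address 192.168.1.101 is taken from the thread; 203.0.113.185 (a documentation-range address) is an assumed placeholder for the public IP, which the thread does not give in full; the interface names inside/outside and the ACL name OUTSIDE_IN are assumptions. Two checks worth making before pasting this in: in "service REAL MAPPED" the first service object is the port on the inside server, so public 443 reaching the server on 4443 is "service tcp-4443 tcp-443", the order Ajay's rules use (the same keyword order applies to object NAT, "service tcp real_port mapped_port"); and section 1 twice NAT rules are matched top-down, first match wins, so the port-specific rule must sit above the catch-all or it is never hit, which is also why it is given an explicit line number here.

```text
! --- Objects (inside server and its public address) ---
object network SRV_REAL
 host 192.168.1.101
object network SRV_MAPPED
 host 203.0.113.185          ! assumed placeholder for the public IP
!
object service tcp-443
 service tcp source eq 443
object service tcp-4443
 service tcp source eq 4443
!
! --- Twice NAT, section 1, evaluated in order ---
! Line 1: public 443 -> server 4443. First service object = REAL (server) port,
!         second = MAPPED (public) port.
nat (inside,outside) 1 source static SRV_REAL SRV_MAPPED service tcp-4443 tcp-443
! Line 2: catch-all for every other port, same public IP, port unchanged.
!         Must come AFTER the port-specific line.
nat (inside,outside) 2 source static SRV_REAL SRV_MAPPED
!
! --- Outside ACL ---
! From 8.3 onward the ACL matches the REAL address and REAL port, so the
! https entry permits 4443, not 443. Because the catch-all forwards every
! port, this ACL is what actually limits exposure: permit only what is meant
! to be reachable.
access-list OUTSIDE_IN extended permit tcp any object SRV_REAL eq 4443
access-list OUTSIDE_IN extended permit tcp any object SRV_REAL eq 80
access-list OUTSIDE_IN extended permit tcp any object SRV_REAL eq 25
access-group OUTSIDE_IN in interface outside
!
! --- Verification (exec mode, not config) ---
! show nat detail
!   expect line 1 (tcp-4443 -> tcp-443) listed above line 2 (no service)
! packet-tracer input outside tcp 198.51.100.7 33333 203.0.113.185 443
!   expect the NAT phase to show 192.168.1.101/4443 and the ACL phase to ALLOW
! packet-tracer input outside tcp 198.51.100.7 33333 203.0.113.185 80
!   expect the catch-all (line 2) to match and the ACL entry for 80 to ALLOW
! packet-tracer input outside tcp 198.51.100.7 33333 203.0.113.185 3389
!   expect the catch-all to match and the ACL phase to DROP, since 3389 is not permitted
```

The packet-tracer source address 198.51.100.7 is a constructed documentation-range value; any outside address works. If the port-specific rule is placed after the catch-all, the third trace for port 443 will show the NAT phase translating to 192.168.1.101/443 instead of 4443, which is the symptom to look for.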

Thank you both for the help; it is working great.
