Help with static NAT statements that use multiple port ranges

Good Morning,

I am pretty early in my career, and the Cisco ASA CLI is still a bit difficult for me, so I am posting my questions here at your mercy. Please forgive me if I use the wrong terminology here. I have a Cisco ASA 5505 and I am trying to map connections originating from outside of my network to a single server inside of my network on several different ranges of ports. What I mean by range of ports is, say, TCP 4500-4502 and 7500-7505, and then UDP 69, 200001, and then blocks such as 40001 to 40504. These aren't the actual ports, but they give you the idea. I need to open several different blocks of ports, for TCP and UDP, that aren't in a single range, and I can't figure out what I need to create to make this happen. I have poured countless hours into researching and reading the ASA manuals, but most of what I have seen only talks about a single range of ports going to an address, not multiple blocks of ports. The steps I have tried so far are these:

1. I created a network object using Object Network obj-x.x.x.10, host x.x.x.10

2. I created network service objects using Object-Group Service Service-Name, port-object range <ports>.

3. I created a large container using object-group service Service-Name, and then used service-objects tcp source range <ports> <ports> destination range <ports> <ports>

4. I attempted to attach the ports within the object network obj-x.x.x.10 using the nat statements in there which works, but I can't seem to figure out how to attach a range of ports inside of these statements and the object service objects don't seem to be able to be used in here. Maybe it is because I am using the ASA 9.1 software version. 

5. I used just about every type of NAT statement inside the network objects that I can think of, I tried to make XLate statements for each port range, and I tried several different variations of the NAT statements outside of network objects just using regular nat statements. 

This is where my knowledge of Cisco falls off pretty hard so any help and/or explanations would be awesome. I love to learn the why's behind this so I understand for next time why I need to do something a certain way so any explanations, and especially corrections on anything I worded or explained incorrectly would be great!

I know my ACLs are working correctly because I did get this service to work once by using the commands

object network obj-x.x.x.10
 host x.x.x.10
 nat (inside,outside) static interface

However when I used that command it routed all outside traffic to my host and our anyconnect and a couple other services stopped working so I had to take that command out of course.

Thanks!

Travis Ayers



Ben Walters
Level 3

Alright let's go through your scenario and see if we can get something that might work for you, or at least give you something to go off to get it working. 

 

Lets break this down, all hypothetically.

 

- Your server address is 192.168.1.10 you created a network object called SERVER

- Your external address is 4.8.16.32 you created a network object called WAN 

- You have 2 interfaces inside (192.168.1.x network) and outside (internet)

- The service is TCP 4500-4502 and you created a service object for that called SVC-OBJ

 

Now you want external clients to be able to reach the server (192.168.1.10) on ports 4500-4502 (SVC-OBJ)

 

A static NAT rule to accomplish this would look like this:

 

nat (Outside,Inside) 1 source static any any destination static WAN SERVER service SVC-OBJ SVC-OBJ

Here is how the rule breaks down.

 

Traffic coming in on the outside interface destined for the inside network from any IP address trying to reach 4.8.16.32 on ports 4500-4502  - translates to 192.168.1.10 keeping the original source IP and ports.

 

With this rule in place you would still need an ACL to allow the traffic coming in on the outside interface on the specified ports.

 

Then you just do the same thing for each other service object group that you require.

 

Hopefully this is at least helpful in trying to get a working config going for you. 

 

I had tried something similar to this statement before but I hadn't tried doing outside,inside because I had read somewhere that the traffic goes both ways and that if it translates from the inside to the outside it will translate from the outside to the inside as well. Anyway I tried putting in exactly what you said and I got this error:

ERROR: Address 4.8.16.32 overlaps with outside interface address.

ERROR: Nat Policy is not downloaded.

 

Our outside interface is set up on a VLAN that has our public IP set on it with a /24 mask.

 

The nat statement I used was

nat (outside,inside) 1 source static any any destination WAN SERVER service SVC-OBJ SVC-OBJ

 

Thanks!

 

After doing some research I was again pointed to doing the NAT statements inside of the object network. So, doing this:

object network obj-x.x.x.75
 host x.x.x.75
 nat (inside,outside) static interface service tcp 80 80

as an example, which would be fine except for the fact that I have about 600 ports that need to be opened. Is there a way to include an object service in these nat statements? That would be the preferred and easiest method, since from what I have read you cannot NAT to the outside interface's IP address and we only have one public.
Thanks!

Travis Ayers

There is a pretty good explanation here of (outside,inside) (inside,outside) NAT. 
If you're still struggling please post a full running configuration if possible.


That is a pretty good explanation, but it doesn't solve my issue unfortunately. I will include a modified version of my entire config at the end of this post. To restate the issue: I am trying to expose a server to the public address on a certain range of ports. It is different blocks for TCP and UDP, i.e. 6800-6802 and then 4800-4802 on TCP; UDP would be 69, 20001, 50001 to 50508. If it was one range, or just a handful of ports, this wouldn't be giving me issues, but I am trying to figure out how to accomplish this without putting over 500 lines of config into our ASA :P I have tried making network objects and placing the nat statements inside of the individual objects, but I cannot figure out how to make service objects work inside of network objects, and network objects seem to only be able to NAT one port at a time, so that won't work without 500 lines of config. I tried the NAT statement listed above, but I cannot do this because it tells me that the WAN IP address overlaps with the outside interface IP address (which it does... it is the same address), but we only have that one public address, so that is where I am stuck. I got the service working once by making an object network and listing my server's inside host address, and then I did a NAT statement inside that object like this - nat (inside,outside) static interface - but that routed all outside traffic straight to my server and cut off our VPN and other services, so that was not an acceptable method; however, it showed me that the service does work.

Do I just need to get another IP address to make this work?

Thanks for the help guys!

Travis Ayers

I think there was some confusion originally, it isn't possible to reference service-object groups in NAT rules. You are only able to reference service objects, but they can at least be a range of ports. 

 

So you would need several NAT rules for the services you require.

 

That said, to avoid the overlap, you should be able to reference the actual interface being used for the external source instead of the interface's address when creating the NAT rules. I should have also mentioned the numbers after the (outside,inside) are sequence numbers, much like firewall rules.

 

nat (outside,inside) 1 source static any any destination static interface SERVER service Mitel-Ports-tcp Mitel-Ports-tcp
nat (outside,inside) 2 source static any any destination static interface SERVER service Mitel-Ports-udp Mitel-Ports-udp
 
That said you could NAT everything to the internal server requiring several ports and create NAT rules above for the VPN/Other services. Getting another IP would reduce the configuration burden, just NAT everything and let ACLs handle the services allowed. 

Looks like this is for Mitel kit? I work with Mitel day-in, day-out; looks like you're allowing ports for Teleworker or MiCollab. Best practice is a dedicated IP address, especially if you start to use SIP endpoints on the same IP, because it uses a tonne of ports.

 

I am just in the middle of swapping an old Sonicwall Firewall for an ASA and having to rewrite all of our rules, I'll share the config with you once I've done. Should be complete tomorrow afternoon. 

I marked your solution as correct; however, most of the posters in here were correct. I can honestly say that from this experience I have gained a VERY VERY deep understanding of NAT rules and ACLs rofl. It turns out that the ports that were supplied to me by my Mitel technician were outdated, and once I got ahold of the correct ports I was able to get the config working as intended. Thank you all so very much for your time and knowledge.

Regards,

Travis Ayers

But if you don't want to wait for my full config and want to try with a single IP see below. Unfortunately you do need to have different NAT rules for each service you want to use but you can use ranges within each object service.

object network HOST_MITELMBG_INSIDE_IP
host 192.168.XXX.XXX
object network HOST_MITELMBG_OUTSIDE_IP
host 193.117.XXX.XXX

object service SVC_RTP
service udp destination range 20000 31000

object service SVC_SIPSIGNALLING_UDP
service udp destination range sip 5061

object service SVC_SIPSIGNALLING_TCP
service tcp destination range sip 5061

nat (inside,outside) source static HOST_MITELMBG_INSIDE_IP HOST_MITELMBG_OUTSIDE_IP service SVC_RTP SVC_RTP

nat (inside,outside) source static HOST_MITELMBG_INSIDE_IP HOST_MITELMBG_OUTSIDE_IP service SVC_SIPSIGNALLING_TCP SVC_SIPSIGNALLING_TCP

nat (inside,outside) source static HOST_MITELMBG_INSIDE_IP HOST_MITELMBG_OUTSIDE_IP service SVC_SIPSIGNALLING_UDP SVC_SIPSIGNALLING_UDP
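The practical takeaway of the thread (one service object per port range, one NAT rule per service object, plus a matching ACL entry, since NAT rules cannot reference service-object groups) is tedious to type by hand when there are many ranges. The following generator is an added example, not code from the thread or from Cisco: it takes a compact port spec, refuses overlapping ranges (an overlapping range would be shadowed by the lower-numbered nat rule), and emits the ASA 9.x lines in the twice-NAT `(outside,inside) ... destination static interface <server>` form used in the replies above. The object names, the `outside_access_in` ACL name, and the server address are assumptions; review the output before pasting it into a real ASA.

```python
"""Generate ASA twice-NAT port-forward config from a port-range spec.

Hypothetical helper (not from the thread). Assumes the ASA 9.x syntax used in
the replies: one `object service` per range and one `nat (outside,inside)`
rule per service object, mapped to the outside interface address.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PortRange:
    proto: str   # "tcp" or "udp"
    low: int
    high: int

    def __post_init__(self):
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.proto!r}")
        if not 1 <= self.low <= self.high <= 65535:
            raise ValueError(f"bad port range {self.low}-{self.high}")

    @property
    def name(self) -> str:
        return f"SVC_{self.proto.upper()}_{self.low}_{self.high}"

    def port_clause(self) -> str:
        """ASA uses `eq N` for a single port and `range A B` otherwise."""
        return f"eq {self.low}" if self.low == self.high else f"range {self.low} {self.high}"


def parse_spec(spec: str) -> List[PortRange]:
    """Parse 'tcp:4500-4502,7500-7505;udp:69,20001,40001-40504' into ranges."""
    ranges: List[PortRange] = []
    for part in spec.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, _, ports = part.partition(":")
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            ranges.append(PortRange(proto.strip().lower(), int(low), int(high or low)))
    return ranges


def check_overlaps(ranges: List[PortRange]) -> List[Tuple[PortRange, PortRange]]:
    """Return pairs of same-protocol ranges that overlap (empty list means OK)."""
    by_proto: Dict[str, List[PortRange]] = {}
    for r in ranges:
        by_proto.setdefault(r.proto, []).append(r)
    clashes = []
    for rs in by_proto.values():
        rs = sorted(rs, key=lambda r: r.low)
        for a, b in zip(rs, rs[1:]):
            if b.low <= a.high:
                clashes.append((a, b))
    return clashes


def build_config(server_obj: str, server_ip: str, spec: str,
                 outside: str = "outside", inside: str = "inside",
                 acl: str = "outside_access_in", seq_start: int = 1) -> List[str]:
    """Emit network object, service objects, NAT rules and ACL lines (assumed names)."""
    ranges = parse_spec(spec)
    clashes = check_overlaps(ranges)
    if clashes:
        raise ValueError(f"overlapping ranges: {clashes}")
    lines = [f"object network {server_obj}", f" host {server_ip}"]
    for r in ranges:
        lines += [f"object service {r.name}",
                  f" service {r.proto} destination {r.port_clause()}"]
    for seq, r in enumerate(ranges, seq_start):
        # Sequence number orders the rule, as noted in the thread.
        lines.append(f"nat ({outside},{inside}) {seq} source static any any "
                     f"destination static interface {server_obj} service {r.name} {r.name}")
        # NAT alone does not permit the traffic; the inbound ACL still has to.
        lines.append(f"access-list {acl} extended permit {r.proto} any "
                     f"object {server_obj} {r.port_clause()}")
    lines.append(f"access-group {acl} in interface {outside}")
    return lines


if __name__ == "__main__":
    # Constructed sample spec modelled on the ranges in the original question.
    sample = "tcp:4500-4502,7500-7505;udp:69,20001,40001-40504"
    print("\n".join(build_config("SERVER", "192.168.1.10", sample)))
```

Five ranges produce 23 lines of config instead of hundreds, and the overlap check is what keeps a later, shadowed nat rule from silently never matching.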