11-22-2012 11:13 AM - edited 03-11-2019 05:26 PM
Hi,
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
Single static public IP: 16.2.3.4
Need to PAT several ports to three separate servers behind firewall
One server houses email, pptp server, ftp server and web services: 10.1.20.91
One server houses drac management (port 445): 10.1.20.92
One server is the IP phone server using a range of ports: 10.1.20.156
Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505.
Here is what I have. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
ASA Version 8.4(4)1
!
hostname kaa-pix
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 16.2.3.4 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network server_smtp
host 10.1.20.91
object service Port_25
service tcp source eq smtp
object service Port_3389
service tcp source eq 3389
object service Port_1723
service tcp source eq pptp
object service Port_21
service tcp source eq ftp
object service Port_443
service tcp source eq https
object service Port_444
service tcp source eq 444
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit icmp any any echo-reply
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any interface outside eq pptp
access-list acl-out extended permit tcp any object server_smtp eq smtp
access-list acl-out extended permit tcp any object server_smtp eq pptp
access-list acl-out extended permit tcp any object server_smtp eq 3389
access-list acl-out extended permit tcp any object server_smtp eq ftp
access-list acl-out extended permit tcp any object server_smtp eq https
access-list acl-out extended permit tcp any object server_smtp eq 444
access-list acl-out extended permit tcp any object drac eq 445
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static server_smtp interface service Port_25 Port_25
nat (inside,outside) source static server_smtp interface service Port_3389 Port_3389
nat (inside,outside) source static server_smtp interface service Port_1723 Port_1723
nat (inside,outside) source static server_smtp interface service Port_21 Port_21
nat (inside,outside) source static server_smtp interface service Port_443 Port_443
nat (inside,outside) source static server_smtp interface service Port_444 Port_444
nat (inside,outside) source static drac interface service Port_445 Port_445
!
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
11-22-2012 11:40 AM
Hello,
The configuration looks good for SMTP.
PPTP also uses GRE which cannot be configured with port forward since it doesn't use a specific port or range of ports.
Which ones are not working?
Have you tried packet tracer for the nonworking ones?
packet-tracer input outside tcp 8.8.8.8 1025 16.2.3.4 25
Regards,
Felipe
Security Team
12-13-2012 11:48 PM
Thanks Lcambron...I got PPTP to work. Everything else works fine. I can access email, access my web server, FTP server, and PPTP server. However, from the above configuration, I cannot access my DRAC over the internet. The DRAC runs on a different internal server, and over port 445. So I have the following lines:
object network drac
host 10.1.20.92
object service Port_445
service tcp source eq 445
access-list acl-out extended permit tcp any object drac eq 445
nat (inside,outside) source static drac interface service Port_445 Port_445
Am I missing something here? Internally, I can telnet to port 445 on 10.1.20.92, so I know it is listening. However, externally, I cannot telnet to my external IP address of the ASA through port 445.
Thanks
12-14-2012 07:33 AM
Hi,
I personally configure the Port Forward NATs with a different way.
For example the above mentioned case i would configure in the following way (while removing the old one)
object network DRAC
host 10.1.20.92
nat (inside,outside) static interface service tcp 445 445
access-list OUTSIDE-IN permit tcp any object DRAC eq 445
Same type of format could be applied to any Port Forward configured (if needed)
- Jouni
12-15-2012 10:32 AM
Thanks JouniForss.
I implemented your commands and removed the ones from my configuration, and yet I still cannot reach the DRAC interface over port 445. I know the DRAC is listening on port 445, as I can access the DRAC interface internally at https://10.1.20.92:445. However, when trying to telnet to port 445 on the external IP address, I get connection failed.
Any other ideas?
Thanks
12-15-2012 01:29 PM
Hi,
Even though you stated that everything else works, I just have to ask, have you attached the ACL to the outside interface? I can't see the "access-group" command in the above configuration which would attach the ACL in question to the interface. (Then again I guess there's some other configuration that hasn't been attached there?)
Since looking at the configurations it seems that all the other Port Forwards are done to another server, is this server configured with a correct default gateway so the return traffic for the test from Internet would find a route back? It wouldn't need this default route for the connections to work inside the same subnet/LAN.
Can you connect to the firewall with ASDM and use the Monitor/Logging on it and at the same time test the connection from Internet? See what the logs say and copy/paste them here. Make sure the ASDM logging is set to "informational" at least.
This can be done with "logging asdm informational" from CLI or from the ASDM settings themselves.
- Jouni
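The two checks asked about above (does an outside ACL permit each forwarded port, and is that ACL bound with access-group) can be run mechanically over a saved config. The following Python script is an added example, not code from the thread or from Cisco; it parses only the 8.4 twice-NAT and ACL line shapes used in this thread and runs on a constructed sample config that deliberately omits the drac ACL entry and the access-group line.

```python
import re

# Constructed sample in the style of the thread's config (not the poster's full config):
# NAT forwards exist for both servers, but acl-out lacks a drac line and no access-group is applied.
SAMPLE_CONFIG = """
object network server_smtp
 host 10.1.20.91
object network drac
 host 10.1.20.92
object service Port_25
 service tcp source eq smtp
object service Port_445
 service tcp source eq 445
access-list acl-out extended permit tcp any object server_smtp eq smtp
nat (inside,outside) source static server_smtp interface service Port_25 Port_25
nat (inside,outside) source static drac interface service Port_445 Port_445
"""

# Service names the ASA prints in place of well-known numbers in this thread's objects and ACLs
PORT_NAMES = {"smtp": 25, "ftp": 21, "https": 443, "pptp": 1723}

def port_number(token):
    """Resolve an ASA port token ('smtp', '445') to an integer, or None if unknown."""
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)

def audit_port_forwards(config_text):
    """List each twice-NAT port-forward with no outside ACL permit, or whose ACL is never applied."""
    svc_ports, permits, nat_rules, bound_acls = {}, {}, [], set()
    current_service = None  # name of the 'object service' block being read
    for line in (l.strip() for l in config_text.splitlines() if l.strip()):
        if m := re.match(r"object service (\S+)$", line):
            current_service = m.group(1)
        elif line.startswith("object network"):
            current_service = None
        elif (m := re.match(r"service tcp source eq (\S+)$", line)) and current_service:
            svc_ports[current_service] = port_number(m.group(1))  # real port of the server
        elif m := re.match(r"access-list (\S+) extended permit tcp any object (\S+) eq (\S+)$", line):
            permits[(m.group(2), port_number(m.group(3)))] = m.group(1)  # (object, port) -> ACL name
        elif m := re.match(r"nat \(inside,outside\) source static (\S+) interface service (\S+) (\S+)$", line):
            nat_rules.append((m.group(1), svc_ports.get(m.group(2))))  # object forwarded, real port
        elif m := re.match(r"access-group (\S+) in interface outside$", line):
            bound_acls.add(m.group(1))
    findings = []
    for obj, port in nat_rules:
        acl = permits.get((obj, port))
        if acl is None:
            findings.append(f"{obj} tcp/{port}: forwarded by NAT but no outside ACL permits it")
        elif acl not in bound_acls:
            findings.append(f"{obj} tcp/{port}: permitted in {acl}, but {acl} is not applied with access-group")
    return findings
```

Run `audit_port_forwards` over the full running-config text; an empty list means every forwarded port has a permit in an ACL that is actually bound to outside, which leaves upstream filtering (as later found in this thread) as the remaining suspect.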
12-17-2012 12:22 AM
Yes, I have the following command:
access-group acl-out in interface outside
When viewing ASDM and logging, when I try to access https://16.2.3.4:445 from the internet, it doesn't even show an entry in the log coming from the machine on the internet.
I know port 445 is on, because internally, I can go to https://10.1.20.92:445 and access the DRAC interface. The gateway is correct at 10.1.20.1.
Thanks,
12-15-2012 01:42 PM
watch
show conn detail long | i 10.1.20.92
output while connecting
Are you sure it is 445 and not 443?
12-17-2012 12:24 AM
Peter,
Yes, it is on port 445, rather than 443, because another internal server is listening on 443 (10.1.20.91) so this server (10.1.20.92) had to be changed to use port 445. I know it is correct, because internally, I can access https://10.1.20.92:445 just fine.
Thanks,
12-17-2012 12:55 AM
Hi,
Usually port TCP/445 is used for something totally different than you are using.
Is the possibility that your ISP is blocking the said port on their side as you said you never even see the connection attempt?
Could you try Port Forward some other random port and try again with the new port?
- Jouni
12-17-2012 09:53 PM
Thanks Jouni...You were right. The ISP was blocking port 445, thus it did not work. Thanks for the pointer...I was puzzled as to why the config was not working when everything looked correct. Changing the port on the DRAC side did the trick. Thanks again!
Mooge
12-17-2012 11:02 PM
Hi,
Glad it worked out.
I have recently run into this issue a couple of times when old devices previously (or even currently) used for "gathering" DSLAMs have had filter configurations in them to limit the ports used by Windows machines for file sharing etc. This has caused some problems with customers' connections between branches. What's made the situation even weirder has been that usually they've been L2 directly connected to the firewall and yet the firewall sees no connection attempts at all.
Had to scratch my head a bit when this first happened.
- Jouni