08-20-2013 08:33 AM - edited 03-11-2019 07:28 PM
Hello,
I am trying to set up a simple port forwarding rule and cannot get it to work. We basically have a setup with 2 one-to-one nat rules:
10.40.140.164 <-> 1.1.1.1
10.40.140.165 <-> 2.2.2.2
I need to set up a rule so that anything going to 1.1.1.1 over port 8080 gets redirected to 10.40.140.165. Here is the nat rule I put in for this:
nat (outside,inside) source static any any destination static 1.1.1.1 10.40.140.165 service 8080 8080
I am watching the logs and this NAT rule isn't getting used; it just gets skipped over and the one-to-one static nat rule is used instead. This was very simple on code version 8.2, but I cannot figure it out on 8.4(5). Any help would be appreciated.
Thanks!
08-20-2013 08:45 AM
Hi,
Are you saying that you are going to use Static NAT for both hosts and you also want to use Static PAT for certain ports?
I at least notice that you use a different local IP address for the NAT IP 1.1.1.1 in the Static PAT. Is this a typo or on purpose?
Also I don't see all the needed configurations. The "nat" configuration always contains objects, so I would need to see their exact configurations also.
I WOULDN'T personally configure the Static NAT and Static PAT in the mentioned way.
- Jouni
EDIT: Major typo
08-20-2013 08:45 AM
Make your life easier and use object-NAT:
object network PUB-1.1.1.1
host 1.1.1.1
object network HOST-10.40.140.164
host 10.40.140.164
nat (inside,outside) static PUB-1.1.1.1 service tcp 8080 8080
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-20-2013 09:05 AM
Thanks for the quick responses!
That wasn't a typo. The nat rules are set up as it states in my original post, but the customer wants anything with a destination of 1.1.1.1 over port 8080 to get redirected to 10.40.140.65. I am not sure why they don't just have all traffic go straight to 2.2.2.2, but that's what they want. As I said, this was a very simple set up on version 8.2 but this is proving to be very difficult on version 8.4.
Karsten, that rule isn't what I am looking for. I tried to put this in:
object network PUB-1.1.1.1
host 1.1.1.1
object network HOST-10.40.140.165
host 10.40.140.165
nat (inside,outside) static PUB-1.1.1.1 service tcp 8080 8080
This overlaps with the one-to-one nat, and the NAT rule gets placed below the one-to-one nat (1.1.1.1 <-> 10.40.140.164) and the rule never gets hit.
08-20-2013 09:14 AM
Hi,
Well, this might be a bit of a messy setup.
I would probably try to use one Manual NAT configuration and 2 Auto NAT configurations, OR alternatively 3 Manual NAT configurations.
Here are the examples:
object network HOST-165
host 10.40.140.165
object network PUBLIC-1.1.1.1
host 1.1.1.1
object service TCP8080
service tcp source eq 8080
nat (inside,outside) source static HOST-165 PUBLIC-1.1.1.1 service TCP8080
object network STATIC-1
host 10.40.140.164
nat (inside,outside) static 1.1.1.1
object network STATIC-2
host 10.40.140.165
nat (inside,outside) static 2.2.2.2
To my understanding, in the above case the Manual NAT Static PAT configuration should be matched first, and otherwise the Auto NAT Static NAT configurations would apply for all other ports on these public destination IP addresses.
The other alternative would be to use Manual NAT only:
object network HOST-165
host 10.40.140.165
object network HOST-164
host 10.40.140.164
object network PUBLIC-1.1.1.1
host 1.1.1.1
object network PUBLIC-2.2.2.2
host 2.2.2.2
object service TCP8080
service tcp source eq 8080
nat (inside,outside) source static HOST-165 PUBLIC-1.1.1.1 service TCP8080
nat (inside,outside) source static HOST-164 PUBLIC-1.1.1.1
nat (inside,outside) source static HOST-165 PUBLIC-2.2.2.2
The above configurations should accomplish the same as the first example, but the ordering of all the NAT configurations would be higher as all are configured as Section 1 Manual NAT.
But to be honest, the 3x Manual NAT might end you up in a situation where you would have to keep an eye on the order of the NAT configurations you insert a lot more closely, so as not to override any other desired behaviour.
Hope this helps.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni
08-20-2013 09:48 AM
Hi Jouni,
I just don't understand why this isn't working. I put in the rules like you said, but it just skips over the manual nat rule and uses the static nat rule instead. I just can't figure out what I am doing incorrectly. Here is how I have it set up:
object network 10.40.140.164
host 10.40.140.164
object network 10.40.140.165
host 10.40.140.165
object service 8080
service tcp source eq 8080 destination eq 8080
object network 1.1.1.1
host 1.1.1.1
object network 2.2.2.2
host 2.2.2.2
nat (inside,outside) source static 10.40.140.165 1.1.1.1 service 8080 8080
!
object network 10.40.140.164
nat (inside,outside) static 1.1.1.1
object network 10.40.140.165
nat (inside,outside) static 2.2.2.2
It looks like it should be working, but I can't figure out why the first nat rule isn't getting used. Any help is greatly appreciated!
08-20-2013 09:55 AM
Hi,
The problem is that you define the "destination eq 8080".
Remove that and leave only the "source eq 8080" under the "object service 8080":
object service 8080
service tcp source eq 8080
Then it should match.
- Jouni
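To make the two points in this thread concrete (Jouni's 09:14 reply on Section 1 manual NAT being evaluated before Section 2 auto NAT, and the 09:55 fix of dropping "destination eq 8080" from the service object), here is a small Python model of the NAT lookup. It is an added illustration written for this page, not ASA code and not anything the posters supplied. It assumes the documented twice-NAT semantics: in "nat (inside,outside) source static ... service X", the service object's source port is the inside server's port, and its destination port would have to match the outside client's port. Section 2 ordering is simplified to configured order, and the outside client address 203.0.113.5 and its ephemeral port are constructed values.

```python
"""Toy model of ASA 8.3+ NAT matching for inbound (outside -> inside) connections.

Constructed illustration: Section 1 (manual / twice NAT) is walked first in
configured order, then Section 2 (auto / object NAT). Real ASA ordering inside
Section 2 is more involved; here it is simply configured order.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServiceObject:
    """'object service' with optional 'source eq N' / 'destination eq N'."""
    proto: str = "tcp"
    src_port: Optional[int] = None   # service tcp source eq N
    dst_port: Optional[int] = None   # ... destination eq N


@dataclass
class NatRule:
    section: int                      # 1 = manual (twice) NAT, 2 = auto (object) NAT
    real_ip: str                      # inside host
    mapped_ip: str                    # public address it is translated to
    service: Optional[ServiceObject] = None   # None = all ports (one-to-one static)
    name: str = ""


@dataclass
class Packet:
    """Inbound flow from an outside client to a mapped (public) address."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """Inbound direction of nat (inside,outside): the rule's 'source' is the inside
    server, so a service object's source port is the server/mapped port and its
    destination port applies to the outside client's (ephemeral) port."""
    if pkt.dst_ip != rule.mapped_ip:
        return False
    if rule.service is None:
        return True
    svc = rule.service
    if pkt.proto != svc.proto:
        return False
    if svc.src_port is not None and pkt.dst_port != svc.src_port:
        return False
    if svc.dst_port is not None and pkt.src_port != svc.dst_port:
        return False
    return True


def lookup(table: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """Section 1 first, in configured order, then Section 2."""
    for section in (1, 2):
        for rule in table:
            if rule.section == section and rule_matches(rule, pkt):
                return rule
    return None


def build_table(destination_eq_8080: bool) -> List[NatRule]:
    """The thread's configuration: one manual PAT rule plus two one-to-one statics.
    destination_eq_8080=True reproduces the broken 'object service 8080'."""
    svc = ServiceObject("tcp", src_port=8080,
                        dst_port=8080 if destination_eq_8080 else None)
    return [
        NatRule(1, "10.40.140.165", "1.1.1.1", svc, "manual PAT 1.1.1.1:8080 -> .165"),
        NatRule(2, "10.40.140.164", "1.1.1.1", None, "static 1.1.1.1 <-> .164"),
        NatRule(2, "10.40.140.165", "2.2.2.2", None, "static 2.2.2.2 <-> .165"),
    ]


def translate(table: List[NatRule], pkt: Packet) -> Optional[str]:
    """Return the inside (real) address the packet is delivered to, or None."""
    rule = lookup(table, pkt)
    return rule.real_ip if rule else None


if __name__ == "__main__":
    # Constructed outside client with an ephemeral source port.
    web = Packet("tcp", "203.0.113.5", 51515, "1.1.1.1", 8080)
    https = Packet("tcp", "203.0.113.5", 51516, "1.1.1.1", 443)
    for broken in (True, False):
        table = build_table(destination_eq_8080=broken)
        print("destination eq 8080" if broken else "source eq 8080 only",
              "->", translate(table, web), "/ port 443 ->", translate(table, https))
```

With "destination eq 8080" present, the client's source port 51515 never equals 8080, so the Section 1 rule is skipped and the packet falls through to the one-to-one static for 10.40.140.164, which is exactly what the original poster saw in the logs. With the source-only service object the 8080 flow lands on 10.40.140.165 while every other port still follows the one-to-one static.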
08-20-2013 10:10 AM
Thanks so much Jouni, I was just starting to mess around with the object service group when you replied. That did it. I had everything set up correctly from the beginning except that. Thanks again.