Port Forward 46611 on ASA 5515

chris.hall6777
Level 1

I work mainly with Barracuda firewalls and my Cisco command line is bad bad.


I have a cisco 5515 at 216.x.x.39 and I need to forward port 46611 to an internal ip address 10.10.3.7 port 9000

my inside interface is nas-main

outside interface is twtc


I tried using ASDM and it didn't work and currently I am trying command line, but I keep getting error messages with my nat command.

Also, please detailed help would be appreciated, as I said my cisco command line experience is lacking.

Thanks in advance.

Accepted Solution

You are not open at all because you have no acl on your TWTC interface so nothing can come in except return traffic to clients.

Basically all traffic is allowed from a higher interface to a lower interface by default so NAS-Main should be allowed out.

You can configure interface acls or global acls which apply to all interfaces and interface acls take precedence.

By the looks of it the global_access acl was created for the server access that you mentioned was working.

What you should have done was to create the acl and apply it to the TWTC interface inbound just allowing that port.

But you created a global acl and applied it inbound only allowing that port to your server.

But a global acl applies inbound to all interfaces including the NAS-Main interface so you effectively blocked all traffic.

When you rebooted the device any new connections were then blocked.

By taking it off traffic is now allowed by default from the NAS-Main interface to the TWTC interface.

So don't worry about any access from outside because like I say you would need an acl on the TWTC interface applied inbound for traffic to be initiated from outside.

If you want access back to your server then just create a new acl copying the global_access acl but probably with a better name eg.

TWTC_access_in

and apply it to your TWTC interface -

"access-group TWTC_access_in in interface TWTC"

make sure you only allow the ports you need so basically a copy of the global_access acl.

Does all that make sense ?

Any queries, clarifications please ask.

Jon

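As an added example that is not from the thread: the full configuration Jon's answer describes, combining the port-forward from Henrik's reply with an ACL bound inbound on the TWTC interface instead of a global one, and the packet-tracer checks to confirm it. Interface names follow the NAT output posted later (NAS-Main, TWTC), the ACL name is Jon's TWTC_access_in, 216.x.x.39 is the poster's redacted outside address, and 203.0.113.10 is a constructed test source.

```cisco
! Added example, not configuration from the thread.
! Real host 10.10.3.7 listens on tcp/9000; it should be reachable from the
! internet as tcp/46611 on the outside interface address.
object network obj-10.10.3.7
 host 10.10.3.7
 ! Object (auto) NAT. Port order is: real port first, then mapped port.
 nat (NAS-Main,TWTC) static interface service tcp 9000 46611

! WRONG (the situation Jon describes): a global ACL is evaluated inbound on
! every interface, including NAS-Main, so with only this permit line every new
! user connection to the internet is dropped by the implicit deny at its end.
!   access-list global_access extended permit tcp any object obj-10.10.3.7 eq 9000
!   access-group global_access global

! RIGHT: bind the ACL inbound on TWTC only. Traffic from NAS-Main (higher
! security) to TWTC (lower security) stays allowed by default. On ASA 8.3+ the
! ACL matches the real (untranslated) address and port, so permit 9000, not 46611.
access-list TWTC_access_in extended permit tcp any object obj-10.10.3.7 eq 9000
access-group TWTC_access_in in interface TWTC

! Verification from the CLI (constructed test addresses):
! 1) Outside client to the mapped port. Expect "Action: allow" and the NAT phase
!    showing the packet untranslated to 10.10.3.7/9000.
!   packet-tracer input TWTC tcp 203.0.113.10 40000 216.x.x.39 46611
! 2) Inside user to the internet. Expect "Action: allow"; an "(acl-drop)" here
!    means an ACL is still applied inbound on NAS-Main or globally.
!   packet-tracer input NAS-Main tcp 10.10.0.2 12345 8.8.8.8 80
! 3) Confirm the ACL is bound only where intended.
!   show running-config access-group
```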

27 Replies

Hi

The configuration could be quite tricky, but this would work:

object network obj-10.10.3.7
 host 10.10.3.7

object service tcp-eq-9000
 service tcp source eq 9000

object service tcp-eq-46611
 service tcp source eq 46611

! service <real_port> <mapped_port>: real tcp/9000 on 10.10.3.7 is presented as tcp/46611 on the twtc interface address
nat (nas-main,twtc) source static obj-10.10.3.7 interface service tcp-eq-9000 tcp-eq-46611

Henrik

Thank you, but when I typed that in I got an overlay message for that ip on port 9000

So what would it take to move the configuration to ip 216.x.x.42 (which is an ip address in my external pool)? Still the same internal ip address and ports. Just need it to use a different external ip address.

Sorry, but the guys needing this are not that forthcoming on info and they don't know what is setup already on the cisco. I have verified there is nothing programmed for 216.x.x.42.

Thanks again for the help

Hi,

Use the same config as Henrik has suggested with one small change.

! service <real_port> <mapped_port>: real tcp/9000 on 10.10.3.7 is presented as tcp/46611 on 216.x.x.42
nat (nas-main,twtc) source static obj-10.10.3.7 216.x.x.42 service tcp-eq-9000 tcp-eq-46611

Hope it answers your query

Thanks,

R.Seth

Rate if it helps!!!

Thank you for the help but I am still unable to get through. A thought occurred while doing this. Could it be https causing the problem?

This is how I am accessing the internal server: https://216.x.x.39

I was able to setup a 1 to 1 nat on https and get to the internal server.  But, I am still unable to get the port 46611 part of this to work.

Chris

What was the NAT command you used for https and was this the only static NAT command relating to the server ?

Jon

Yes, it was only related to the server.

If you look at the link in the first reply with the full config, the commands are there.

It was a PAT with an acl for tcp/http/https,

but I have since deleted that command.

OK... well, I thought I was smart, but now no one can get to the internet out our outside interface twtc.

I rebooted the router and got an error message about a nat command. I have attached the jpg for it.

Also here is the listing of nat commands in config

Help??!!!

Manual NAT Policies (Section 1)
1 (NAS-Main) to (TWTC) source static any interface   unidirectional
    translate_hits = 0, untranslate_hits = 0
2 (NAS-QA1) to (TWTC) source static any interface   unidirectional
    translate_hits = 0, untranslate_hits = 0
3 (NAS-QA2) to (TWTC) source static any interface   unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (BTC) to (TWTC) source static BTC-ClearOS BTC-Email   inactive
    translate_hits = 0, untranslate_hits = 0
5 (BTC) to (TWTC) source static BTC-Metric-Private BTC-Metric-Public   service E
ncryptedMail EncryptedMail
    translate_hits = 0, untranslate_hits = 0
6 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public   service BTC
-EmailPort25 BTC-EmailPort25
    translate_hits = 0, untranslate_hits = 0
7 (BTC) to (TWTC) source static BTC-Email-Private BTC-Email-Public   service BTC
-ICMP BTC-ICMP
    translate_hits = 0, untranslate_hits = 0
8 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public   service ENGR-
VPN-UDP-1194 ENGR-VPN-UDP-1194
    translate_hits = 0, untranslate_hits = 0
9 (NAS-Main) to (TWTC) source static ENGR-OpenVPN DM_INLINE_NETWORK_1   service
ENGR-VPN-1194 ENGR-VPN-1194
    translate_hits = 0, untranslate_hits = 0
10 (NAS-Main) to (TWTC) source static GIt-SERVER NASMAIN-Public   service SSH SS
H
    translate_hits = 0, untranslate_hits = 0
11 (NAS-Main) to (TWTC) source static Terastation BTC-Email   service SSH SSH
    translate_hits = 0, untranslate_hits = 0
12 (NAS-Main) to (TWTC) source static ENGR-OpenVPN NASMAIN-Public   service ENGR
-VPN-443 ENGR-VPN-443
    translate_hits = 0, untranslate_hits = 0
13 (NAS-Main) to (TWTC) source static TS3000-Build NASMAIN-Public   service TSbu
ild-4343-2 TSbuild-4343-2
    translate_hits = 0, untranslate_hits = 0
14 (NAS-Main) to (TWTC) source static WEBAccess-FW interface   service WEBAccess
-FW-Port-2 WEBAccess-FW-Port-2
    translate_hits = 0, untranslate_hits = 0
15 (NAS-Main) to (TWTC) source static TestRail-private NASMAIN-Public   service
TestRAil-80-2 TestRAil-80-2
    translate_hits = 0, untranslate_hits = 0
16 (NAS-Main) to (TWTC) source static TS-WEbAccess-Test-private interface   serv
ice Web-Access-Test-2 Web-Access-Test-2
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (BTC) to (TWTC) source static BTC-ClearOS BTC-Public
    translate_hits = 0, untranslate_hits = 1
2 (VideoConference) to (TWTC) source static VC VideoConferencePublic
    translate_hits = 0, untranslate_hits = 2

Manual NAT Policies (Section 3)
1 (BTC) to (TWTC) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
BAEng#

So from what I can see from the full config I have removed all my nat and acl commands, so I am wondering if I by chance deleted something extra while doing it.

Chris

Is the most important thing at the moment to get the users up and running rather than the server ?

If so, what interface does the internal traffic from the users come in on ?

Looking at your NAT statements did you add the first 3 lines ?

Do you know what they are for ?

It would help if you could post the full configuration and tell us what is the most important thing to get working.

Jon

Here is the full config

nas-main is the main group to get fixed

twtc is the outside interface

Commands for https:

I used the ASDM commands from this link

and added the https protocol

http://www.petenetlive.com/KB/Article/0000691.htm

Chris

Is general internet access for internal users on the NAS-Main interface the most important thing because I think we need a list of priorities.

If so then can you run from the CLI -

"packet-tracer input inside tcp 10.10.0.2 12345 8.8.8.8 80"

and post the results.

Or do you just want to try and fix the server in your initial request ?

Jon

The general internet access for internal users is my main concern; the other I will deal with next week.

Okay, can you run that command and post the results here.

Jon

BAEng# packet-tracer input nas-main tcp 10.10.0.2 12345 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         TWTC

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: NAS-Main
input-status: up
input-line-status: up
output-interface: TWTC
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

BAEng#
