Port Forward

erikgrissom · ‎11-07-2011

Hi. im having problem to portforward a RANGE of ports to 1 single internal server.

i can portforward single ports but i guess for range forward its different.

this is the working config today exept no portforward working on the range.

Saved

:

ASA Version 8.0(4)

!

hostname ASA-******

domain-name *******.local

enable password alpAW2tEmckQnbKO encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 80.83.208.0 telavox

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.60.253 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address *.*.*.* 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

boot system disk0:/asa804-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name ******.local

object-group service AllowSip_TCP tcp

port-object range 16000 16100

port-object eq sip

object-group service AllowSip_UDP udp

port-object range 16000 16100

port-object eq sip

access-list Outside_access_in extended permit icmp any any echo-reply

access-list Outside_access_in extended permit icmp any any source-quench

access-list Outside_access_in extended permit icmp any any unreachable

access-list Outside_access_in extended permit icmp any any time-exceeded

access-list Outside_access_in extended permit tcp any host *.*.*.* eq smtp

access-list Outside_access_in extended permit tcp any host *.*.*.* eq https

access-list Outside_access_in extended permit tcp any host *.*.*.* eq 35300

access-list Outside_access_in extended permit tcp telavox 255.255.255.0 host *.*.*.* object-group AllowSip_TCP

access-list Outside_access_in extended permit udp telavox 255.255.255.0 host *.*.*.* object-group AllowSip_UDP

access-list Split_Tunnel_List_ACL remark ****** NAT Access List ******

access-list Split_Tunnel_List_ACL remark ****** Split Tunnel Encrypted Traffic ******

access-list Split_Tunnel_List_ACL standard permit 192.168.60.0 255.255.255.0

access-list inside_nat0_outside extended permit ip any 10.0.0.0 255.255.255.0

access-list inside_out extended permit tcp host 192.168.60.1 any eq smtp

access-list inside_out extended deny tcp any any eq smtp

access-list inside_out extended permit ip any any

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

mtu outside 1500

ip local pool mypool 10.0.0.100-10.0.0.150 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outside

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp 192.168.60.1 smtp netmask 255.255.255.255 dns

static (inside,outside) tcp interface https 192.168.60.1 https netmask 255.255.255.255

access-group inside_out in interface inside

access-group Outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 *.*.*.* 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable 8443

http 0.0.0.0 0.0.0.0 outside

http 192.168.60.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec df-bit clear-df outside

crypto dynamic-map dynmap 10 set pfs

crypto dynamic-map dynmap 10 set transform-set myset

crypto dynamic-map dynmap 10 set security-association lifetime seconds 86400

crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000

crypto map mymap 65535 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet 192.168.60.0 255.255.255.0 inside

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.60.254-192.168.60.254 inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

port 444

group-policy vpnclientgroup internal

group-policy vpnclientgroup attributes

dns-server value 192.168.60.1

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_Tunnel_List_ACL

default-domain value *****.local

username nordiclo password L.JhbZhL/SmPj96Q encrypted

username nordiclo attributes

service-type remote-access

username admhenko password cdQRwUUCVQrNcELX encrypted privilege 15

username admerik password RtGfXNzv09UdQwvP encrypted privilege 15

tunnel-group vpnclientgroup type remote-access

tunnel-group vpnclientgroup general-attributes

address-pool mypool

default-group-policy vpnclientgroup

tunnel-group vpnclientgroup ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:e48ca6d944943dd8582f37eddc916c26

: end

asdm image disk0:/asdm-615.bin

asdm location telavox 255.255.255.0 inside

no asdm history enable

//:Erik

Julio Carvajal · ‎11-07-2011

Hello Erick,

In the version you are currenty running, you will need to create one port forwarding nat for each port.

The other think you can do is just to do a nat one to one so it can cover all the ports.

This is a limitation of the version ( you can use the range command only on acls) but if you go to 8.3 you can use range on the nat statements as well.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

erikgrissom · ‎11-07-2011

Hi.

and thanks for the quick reply. will try this and see what happens.

//:Erik

Julio Carvajal · ‎11-07-2011

Hello Erick,

I have updated the first reply I sent you, please checked it because the information I gave you at the beginning was not the right one for your scenario.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

erikgrissom · ‎11-07-2011

OK, but just to be sure i have to update to 8.3 version and after i do that what does the acl and static nat look like

for my scenario?

//:Erik

Julio Carvajal · ‎11-07-2011

Hello Erik,

Correct, as I told you you can do a one to one translation on the version you are currently on and is going to work.

For example:

static(inside,outside) 63.63.63.63 192.168.60.3

access-list Outside_access_in permit tcp any host 63.63.63.63 range 2000 2001

I do not know if you have any Public IP address available that you can use for this but it definetly work.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

erikgrissom · ‎11-07-2011

OK, i have a static public ip address do i replace the 63.63.63.63 in your example?

and does this work with the newer version.

access-list port_forwarding_range permit tcp host 192.168.50.3 any range 2000 2100

static (inside,outside) 63.63.63.63 access-list port_forwarding_range

access-list Outside_access_in permit tcp any host 63.63.63.63 range 2000 2100

Julio Carvajal · ‎11-07-2011

Hello Erick,

Yes, it will work with the newer version but the configuration its completely different.

This configuration its incorrect :

access-list port_forwarding_range permit tcp host 192.168.50.3 any range 2000 2100

static (inside,outside) 63.63.63.63 access-list port_forwarding_range

access-list Outside_access_in permit tcp any host 63.63.63.63 range 2000 2100

So please do not consider to configure that.

If you want to set this up in 8.2 or older versions you need to do the following:

static(inside,outside) 63.63.63.63 192.168.60.3

access-list Outside_access_in permit tcp any host 63.63.63.63 range 2000 2001

Now if you want to use 8.3 let me know and I will show you how to do it.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

erikgrissom · ‎11-08-2011

hi and thanks for all the info. i would be greatful if you could provide me with the correct access-list and static for the 8.3 version beacuse the range i need to port-forward is 16000-16100 and i dont think adding 100 access list is fun.

//:Erik

Julio Carvajal · ‎11-08-2011

Hello Erik,

Lets say you are on 8.3 so the configuration would be the following:

object network 192.168.50.3-host

host 192.168.50.3

object network 63.63.63.63-host

host 63.63.63.63

object service ports-16000_16100

service tcp source range 16000 16100

nat (inside,outside) source static 192.168.50.3-host 63.63.63.63-host ports-16000_16100 ports-16000_16100

Now the access-list

access-list outside_in permit tcp any host 192.168.50.3 range 16000 16100

As you can see there are major changes from one version to the other one, the Nat statement changes and also the syntax of the Access-list

Hope this helps.

Please rate helpful comments.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC