Port forwarding ASA5505 need help with ACL/NAT rules

Lucas Kane
Level 1

I have a block of 5 IPs from my ISP. I have given one to the outside interface of my firewall and need to forward ports from the other IPs through the firewall to internal IPs.

I have created ACL and NAT rules for this but am unable to get it to work correctly.

The strange thing is, I currently have 3 separate physical networks with Cisco 800 routers, each with a connection to the internet on the same ISP subnet (the ASA will eventually be used to replace this setup). I am able to access the servers on the ports I forward through the firewall from each of these other networks, but not from anywhere else on the internet.

I must be missing something here.

Here are the relevant pieces of my config:

interface Vlan1
nameif inside
security-level 100
ip address 10.86.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.85 255.255.255.0
!
access-list outside_access extended permit tcp any host x.x.x.83 eq 15000
access-list outside_access extended permit tcp any host x.x.x.83 eq 15001
access-list outside_access extended permit tcp any host x.x.x.83 eq 10000
access-list outside_access extended permit tcp any host x.x.x.83 eq https
access-list outside_access extended permit tcp any host x.x.x.83 eq www
access-list outside_access extended permit tcp any host x.x.x.83 eq ssh
access-list outside_access extended permit tcp any host x.x.x.83 eq ftp
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.83 10000 10.86.20.20 10000 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.83 ssh 10.86.20.20 ssh netmask 255.255.255.255
static (inside,outside) tcp x.x.x.83 https 10.86.20.20 https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.83 www 10.86.20.20 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.83 ftp 10.86.20.50 ftp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.83 15001 10.86.20.50 15001 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.83 15000 10.86.20.50 15000 netmask 255.255.255.255
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
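As an added example (not from the thread or from Cisco), a small Python check that parses pre-8.3 style `static` and `access-list` lines like the ones above and reports statics with no matching inbound permit, permits with no matching static, and the set of public IPs the statics rely on, which is the list worth confirming with the ISP. The regexes only cover the line shapes used in this post; the sample config is a constructed subset with one permit removed and one added so both mismatch classes show up.

```python
import re

# Service keywords the ASA accepts in place of port numbers (those used in the thread).
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}

STATIC_RE = re.compile(r"^static \(\w+,\w+\) tcp (\S+) (\S+) (\S+) (\S+) netmask \S+$")
ACL_RE = re.compile(r"^access-list \S+ extended permit tcp any host (\S+) eq (\S+)$")

def port_number(token):
    """Resolve a numeric port or an ASA service keyword to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def parse_config(text):
    """Return (statics, permits): port-forward statics and inbound permits from 'any'."""
    statics, permits = [], set()
    for line in text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            pub, pub_port, priv, priv_port = m.groups()
            statics.append((pub, port_number(pub_port), priv, port_number(priv_port)))
            continue
        m = ACL_RE.match(line)
        if m:
            host, port = m.groups()
            permits.add((host, port_number(port)))
    return statics, permits

def audit(text):
    """Cross-check statics against ACL permits; also list every public IP the statics use."""
    statics, permits = parse_config(text)
    translated = {(pub, pport) for pub, pport, _, _ in statics}
    return {
        # translated on the outside, but the interface ACL would drop the SYN
        "unreachable": sorted(t for t in translated if t not in permits),
        # permitted by the ACL, but no translation exists behind it
        "dangling": sorted(p for p in permits if p not in translated),
        # public addresses that must be routed to this connection by the ISP
        "public_ips": sorted({pub for pub, _, _, _ in statics}),
    }

# Constructed sample: three of the thread's statics, ssh permit omitted, https permit kept.
SAMPLE = """
access-list outside_access extended permit tcp any host x.x.x.83 eq 10000
access-list outside_access extended permit tcp any host x.x.x.83 eq https
access-list outside_access extended permit tcp any host x.x.x.83 eq www
static (inside,outside) tcp x.x.x.83 10000 10.86.20.20 10000 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.83 ssh 10.86.20.20 ssh netmask 255.255.255.255
static (inside,outside) tcp x.x.x.83 www 10.86.20.20 www netmask 255.255.255.255
"""
```

Running `audit(SAMPLE)` flags the ssh static as unreachable and the https permit as dangling; on the full config from the post both lists come back empty, which points the investigation at the ISP side rather than at the ASA rules.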

6 Replies

julomban
Level 3

Lucas,

At this point we need to confirm if the packet is getting to the outside interface of your ASA from any source on the Internet.

If the packet is not arriving, the ISP is the problem. But first you can play with captures.

Please set a capture on the outside interface:

access-list cap1 permit tcp any host x.x.x.83 eq www
access-list cap1 permit tcp host x.x.x.83 eq www any
cap cap1 access-list cap1 interface outside

Once the above commands are added, please try a connection from the outside on port 80 and check the capture. Please issue "show cap cap1".

Let's see if, after trying the connection, you see packets on the outside interface.

Regards,

Juan Lombana

Please rate helpful posts.

Jouni Forss
VIP Alumni

Hi,

I only see 2 different LAN hosts that are used in the port forward configurations. Wouldn't it be better at this point to simply assign both of the LAN hosts their own public IP address? Or are there some other uses that are taking all 5 public IPs already?

Regarding the actual connection problem from Internet...

It seems your "outside" network to the ISP has network mask /24. If the whole /24 isn't assigned to you, I would think the IP addresses are routed towards your connection separately with static routes, and the ISP hasn't done that routing.

If you say that you have the routers and the ASA all connected by their WAN interfaces on that same /24 subnet, then naturally the ISP's missing routes wouldn't matter, as they can see each other in the directly connected network without any additional routing.

So it seems to me that there is a chance that the ISP hasn't configured routing for the new IPs. Then again, you could try attaching some device with one of those new IPs in front of the ASA, if possible, and test the connection that way.

Have you confirmed that the ASA doesn't see any TCP SYN when someone's attempting a connection from the Internet?

- Jouni

I've tried giving a couple of the new addresses to the outside interface of the ASA. I can ping each one.

The trouble arises when I try to forward any of the other IPs in my block through the firewall. I watch the logs when trying to connect from across the internet. There are no hits on the firewall.

I've gone as far as opening all IP and a static IP NAT (not ports) to just a single host, with no success.

I have been thinking there could be some issue with the ISP gateway router only seeing the IP of the firewall and not any of the translations.

Hi,

I work at my local ISP though I mostly configure firewall and VPN services. This does require me to configure additional IP addresses to customer firewalls and sometimes on some DSL lines without an actual firewall service.

We have a setup where we have several /24 networks, but each host address requires a separate static route for it to actually start routing from the ISP network to the Internet. Otherwise it leads nowhere.

If you have configured a static NAT for a new public IP address that's part of the /24 network to which your ASA's outside interface belongs, have made ACL rules, and have confirmed that the ASA doesn't see any connections from the Internet, I would contact the ISP to confirm that everything is configured on their part.

An access-list on the outside interface should be getting hit counts if the ASA sees any TCP SYNs (or any other protocol connections). Another way to confirm this is to configure a packet capture on the ASA itself, like Juan suggested above.

- Jouni

I think I solved this, although it does not explain the problem.

I changed all my NAT/ACL entries to the .86 address instead of the .83 and all seems to work. Now I will just have to change some DNS records.

I'm a little confused as to why .86 works and not .83. I know my address block is .82-.86 and I have had devices working on the .83 in the past. I am also 100% sure there is no IP conflict.

When was the .83 IP address last in use with no problems connecting to it from the Internet?

To me it seems that you have not been assigned your own small network (which we, for example, register with RIPE), or that's just different from us. It's just that you have a /24 mask on the outside network, which led me to believe that you have been assigned some public IPs from their range that form a continuous "block".

ARP sometimes causes problems in these cases, but I can't really be sure...

Have you tried using a computer outside your own network (I mean even outside this public IP address range) to traceroute to all the IPs that are assigned to you? Are there any differences in the traceroutes?

- Jouni
