Port forwarding for a single IP address

patrick.hurley
Level 3

I need the following ports forwarded for a single IP address:

  • Port 88 (UDP)
  • Port 3074 (UDP and TCP)
  • Port 53 (UDP and TCP)
  • Port 80 (TCP)

Is there an easy way to do it with service objects/groups?


Jouni Forss
VIP Alumni

Hi,

You didn't mention your firewall software level (the NAT format has changed in the newer ones).

I am afraid you are bound to configure multiple Static PAT configurations whatever your software might be.

All the below configurations presume we are using the "outside" interface IP address as the public IP address. If a separate IP address is used, you need to replace "interface" with the public IP address. I am also using an example local IP address and interface names.

For ASA software level 8.3+

object network STATIC-UDP88
 host 10.10.10.10
 nat (inside,outside) static interface service udp 88 88
object network STATIC-UDP3074
 host 10.10.10.10
 nat (inside,outside) static interface service udp 3074 3074
object network STATIC-TCP3074
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 3074 3074
object network STATIC-UDP53
 host 10.10.10.10
 nat (inside,outside) static interface service udp 53 53
object network STATIC-TCP53
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 53 53
object network STATIC-TCP80
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 80 80

The below "object network" is just created to give a simple object to be used in the ACL:

object network SERVER
 host 10.10.10.10
object-group service SERVER-SERVICES
 service-object udp destination eq 88
 service-object udp destination eq 3074
 service-object tcp destination eq 3074
 service-object udp destination eq 53
 service-object tcp destination eq 53
 service-object tcp destination eq 80
access-list OUTSIDE-IN permit object-group SERVER-SERVICES any object SERVER

For ASA software level 8.2 and earlier

static (inside,outside) udp interface 88 10.10.10.10 88 netmask 255.255.255.255
static (inside,outside) udp interface 3074 10.10.10.10 3074 netmask 255.255.255.255
static (inside,outside) tcp interface 3074 10.10.10.10 3074 netmask 255.255.255.255
static (inside,outside) udp interface 53 10.10.10.10 53 netmask 255.255.255.255
static (inside,outside) tcp interface 53 10.10.10.10 53 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.10.10.10 80 netmask 255.255.255.255
object-group service SERVER-SERVICES
 service-object udp destination eq 88
 service-object udp destination eq 3074
 service-object tcp destination eq 3074
 service-object udp destination eq 53
 service-object tcp destination eq 53
 service-object tcp destination eq 80
access-list OUTSIDE-IN permit object-group SERVER-SERVICES any interface outside

Hope this helps.

Please remember to mark the reply as the correct answer if it answered your question.

Or ask more if needed.

- Jouni


I have 8.4, so isn't there a way to just apply the object-group service SERVER-SERVICES to a single nat statement instead of listing them out separately? Weren't they trying to make it easier? That seems like more to do than the earlier version.

Yeah,

It does indeed seem that you end up "cluttering" the CLI configuration even more than in the older format.

But sadly, you CAN'T use an "object-group service" in the NAT configurations.

For example, if I created an "object-group service SERVICES" which contained ports TCP/80 and UDP/53 and attempted to use it in a NAT configuration command, I get the following error:

ERROR: SERVICES is not a valid service object name

- Jouni

How do I check that it's working? How can I see if it's applied correctly to an interface? I used the example for 8.3+ and above.

I don't see this command applied to an interface like the one you have for earlier versions of software:

access-list OUTSIDE-IN permit object-group SERVER-SERVICES any object SERVER

When I look in the GUI, it doesn't show up anywhere under access rules.

Do I really need all the nat statements you listed? Why can't I open the services to the IP address and apply it inbound on the outside interface as you showed in the 2nd part?

object network STATIC-UDP88
 host 10.10.10.10
 nat (inside,outside) static interface service udp 88 88
object network STATIC-UDP3074
 host 10.10.10.10
 nat (inside,outside) static interface service udp 3074 3074
object network STATIC-TCP3074
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 3074 3074
object network STATIC-UDP53
 host 10.10.10.10
 nat (inside,outside) static interface service udp 53 53
object network STATIC-TCP53
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 53 53
object network STATIC-TCP80
 host 10.10.10.10
 nat (inside,outside) static interface service tcp 80 80

Hi,

The "access-list" configuration I included was just an example.

If you DON'T have an existing ACL on the "outside" interface, then you would need to use the command:

access-group OUTSIDE-IN in interface outside

If you have a spare public IP address you could naturally configure Static NAT instead of all these Static PAT (Port Forward) configurations.

It would simply be:

object network SERVER
 host 10.10.10.10
 nat (inside,outside) static x.x.x.x
object-group service SERVER-SERVICES
 service-object udp destination eq 88
 service-object udp destination eq 3074
 service-object tcp destination eq 3074
 service-object udp destination eq 53
 service-object tcp destination eq 53
 service-object tcp destination eq 80
access-list OUTSIDE-IN permit object-group SERVER-SERVICES any object SERVER
access-group OUTSIDE-IN in interface outside

- Jouni

Also,

If you wanted to test that the ports are open, you could use the "packet-tracer" command.

For example

packet-tracer input outside tcp 1.2.3.4 12345 80

Where:

  • outside = the input interface of the packet, as we are testing traffic coming from the Internet
  • 1.2.3.4 = just a random IP address
  • 12345 = just a random source port
  • = the public IP address you are using for the NAT
  • 80 = the destination port TCP/80

Changing the above "tcp" to "udp" and the destination port to something else will naturally let you test the other opened services against the ASA's configuration and see if they are configured correctly.

- Jouni
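Because an "object-group service" is rejected inside a nat statement, the 8.3+ configuration grows by one object per protocol/port pair, and the packet-tracer check above has to be repeated per service. The following Python script, added here as an example and not part of the thread, generates the static PAT objects, the SERVER-SERVICES group with its ACL and access-group, and one packet-tracer line per forwarded service; it also rejects duplicate or out-of-range entries before emitting anything. The 203.0.113.10 outside address is a constructed placeholder; all other values follow the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int

# Constructed sample input: the port list from the original question.
SERVICES = [Service("udp", 88), Service("udp", 3074), Service("tcp", 3074),
            Service("udp", 53), Service("tcp", 53), Service("tcp", 80)]

def validate(services):
    """Reject bad protocols, out-of-range ports and duplicate proto/port pairs
    before anything is generated (a duplicate would mean two PATs on one port)."""
    seen = set()
    for s in services:
        if s.proto not in ("tcp", "udp") or not 1 <= s.port <= 65535:
            raise ValueError(f"invalid service {s}")
        if s in seen:
            raise ValueError(f"duplicate service {s.proto}/{s.port}")
        seen.add(s)
    return list(services)

def static_pat_objects(host, services, ifaces=("inside", "outside")):
    """One 'object network' with its own 'nat ... service' line per proto/port:
    an object-group service is not accepted inside a nat statement."""
    lines = []
    for s in validate(services):
        lines += [f"object network STATIC-{s.proto.upper()}{s.port}",
                  f" host {host}",
                  f" nat ({ifaces[0]},{ifaces[1]}) static interface service "
                  f"{s.proto} {s.port} {s.port}"]
    return lines

def inbound_acl(host, services, acl="OUTSIDE-IN", obj="SERVER", grp="SERVER-SERVICES"):
    """Server object, service group, ACL and the access-group that applies it."""
    lines = [f"object network {obj}", f" host {host}", f"object-group service {grp}"]
    lines += [f" service-object {s.proto} destination eq {s.port}" for s in validate(services)]
    return lines + [f"access-list {acl} permit object-group {grp} any object {obj}",
                    f"access-group {acl} in interface outside"]

def packet_tracer_checks(public_ip, services, src="1.2.3.4", sport=12345):
    """One packet-tracer per forwarded service, simulating an Internet client."""
    return [f"packet-tracer input outside {s.proto} {src} {sport} {public_ip} {s.port}"
            for s in validate(services)]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed placeholder for the ASA's outside IP.
    print("\n".join(static_pat_objects("10.10.10.10", SERVICES)
                    + inbound_acl("10.10.10.10", SERVICES)
                    + ["!"] + packet_tracer_checks("203.0.113.10", SERVICES)))
```

Paste the first part into the ASA configuration and run the generated packet-tracer lines afterwards; every one should end in an ALLOW result if the NAT and ACL match.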
