06-02-2011 11:51 AM - edited 03-11-2019 01:42 PM
I have an ASA 5505 on a job. It is a smaller business that would have done better with an RV082, but they have what they have. It is running firmware 8.4. The client needed ports forwarded for their FTP server. The port range in this config is tcp 43333-43339. The FTP server ip is 192.168.1.2. The topology is:
Modem >> ASA >> Switch (unmanaged) >> FTP_Server
I need a more concise way of port forwarding a range if that exists.
---- Redacted
object network obj-nat_any
subnet 0.0.0.0 0.0.0.0
object network obj-FTP43333
host 192.168.1.2
object network obj-FTP43334
host 192.168.1.2
object network obj-FTP43335
host 192.168.1.2
object network obj-FTP43336
host 192.168.1.2
object network obj-FTP43337
host 192.168.1.2
object network obj-FTP43338
host 192.168.1.2
object network obj-FTP43339
host 192.168.1.2
object network obj-192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object-group service PassiveFTP tcp
port-object range 43333 43339
access-list outside_access_in extended permit tcp any host 192.168.1.2 object-group PassiveFTP
---- Redacted
object network obj-nat_any
nat (inside,outside) dynamic interface
object network obj-FTP43333
nat (inside,outside) static interface service tcp 43333 43333
object network obj-FTP43334
nat (inside,outside) static interface service tcp 43334 43334
object network obj-FTP43335
nat (inside,outside) static interface service tcp 43335 43335
object network obj-FTP43336
nat (inside,outside) static interface service tcp 43336 43336
object network obj-FTP43337
nat (inside,outside) static interface service tcp 43337 43337
object network obj-FTP43338
nat (inside,outside) static interface service tcp 43338 43338
object network obj-FTP43339
nat (inside,outside) static interface service tcp 43339 43339
object network obj-192.168.1.0_24
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
06-02-2011 12:05 PM
Hi Sam,
Instead of creating multiple objects for your FTP server, you would just need one object group.
object network obj-FTP
host 192.168.1.2
object service PassiveFTP tcp
service tcp destination range 43333 43339
nat (outside,inside) source static any any destination static interface obj-FTP services PassiveFTP tcp PassiveFTP tcp
access-list outside_access_in extended permit tcp any host 192.168.1.2 range 43333 43339
access-list outside_access_in in interface outside.
and this should work for you.
Hope this helps.
Thanks,
Varun
06-02-2011 01:30 PM
Thank you for the response!
Removing the prior config I had, and using the following did not work.
object network obj-FTP
host 192.168.1.2
object service PassiveFTP
service tcp destination range 43333 43339
nat (outside,inside) source static any any destination static interface obj-FTP services PassiveFTP tcp
access-list outside_access_in extended permit tcp any host 192.168.1.2 range 43333 43339
access-group outside_access_in in interface outside
When typing in the nat command I received a syntax error at the bold errors in the following commands:
object service PassiveFTP tcp
nat (outside,inside) source static any any destination static interface obj-FTP services PassiveFTP tcp PassiveFTP tcp
access-list outside_access_in in interface outside
I changed them to the following:
object service PassiveFTP
nat (outside,inside) source static any any destination static interface obj-FTP services PassiveFTP tcp
access-group outside_access_in in interface outside
However this did not allow me to connect to the FTP. Restoring my startup-config brought everything back online.
One thing I would like to note is shouldn't the nat command actually be:
nat (inside,outside) source static any any destination static interface obj-FTP services PassiveFTP tcp
Trying this did not work either. But I believe it is correct as (inside,outside), am I wrong?
06-02-2011 11:08 PM
Hi Sam,
The complete and correct commands to be entered are:
object network obj-FTP
host 192.168.1.2
object service Passive_FTP
service tcp destination range 43333 43339
nat (outside,inside) source static any any destination static interface obj-FTP services Passive_FTP Passive_FTP
access-list outside_access_in extended permit tcp any host 192.168.1.2 range 43333 43339
access-list outside_access_in in interface outside
and the above nat command is the same as:
nat (inside,outside) source static obj-FTP interface services Passive_FTP Passive_FTP
ASA 8.3 natting is flow based, so both commands hold true.
Both nat statements are the same; if you are still getting a syntax error, kindly copy and paste the command you are typing along with the error message.
Thanks,
Varun
06-03-2011 08:22 AM
No, that's it. That worked great. I saw the error in the commands as well.
I was able to adapt it with the desired results in a few areas, so I believe I understand the commands now.
Guess I should have looked into 8.3 nat commands a little more rather than focusing on IPv6, like any business will ever switch to that!
Thanks
12-25-2011 02:10 PM
Hi Varun
I am trying to set up port forwarding for my ASA 5505 running ASDM 8.4 for our Asterisk server. I tried to follow your configurations and it looks like the settings don't work well for me. I entered the following commands.
object network obj-RTP
host 10.10.0.3
object service Passive_RTP
service udp destination range 10000 20000
nat (outside,inside) source static any any destination static interface obj-RTP service Passive_RTP Passive_RTP
nat (inside,outside) source static obj-RTP interface service Passive_RTP Passive_RTP
I had to change services to service for the command to work; with services I was getting the following error:
nat (outside,inside) source static any any destination static interface obj-FTP
services Passive_RTP Passive_RTP
^
ERROR: % Invalid input detected at '^' marker.
My expertise with CLI is minimal to nothing; can you help me with how to configure it using ASDM? Creating NAT objects using ASDM works great, as I am able to create entries for SIP and HTTP. But creating individual entries for 10000 ports is not practical.
Thanks in advance
Savi
11-14-2014 03:20 PM
Hi folks
I simply just cannot get this to work and I need some help to figure out what I am missing:
ASA 5505 - v9.2(2)8
My config:
object network PC
host 10.45.132.2
object service NAT-Range_TCP
service tcp destination range 25600 25616
nat (outside,inside) source static any any destination static interface PC service NAT-Range_TCP NAT-Range_TCP
access-list outside-in extended permit tcp any host 10.45.132.2 range 25600 25616
Packet-tracer output:
ASA5505#packet-tracer input outside tcp 212.242.48.3 1088 10.45.132.2 25600

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 10.45.132.0 255.255.255.240 via 10.45.128.2, inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 212.x.x.1, outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit tcp any host 10.45.132.2 range 25600 25616
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside,inside) source static any any destination static interface PC service NAT-Range_TCP NAT-Range_TCP
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
04-06-2016 01:53 PM
Jason,
Did you ever get this going? I have the same code version and I want to make sure this is working on 9.2(2)8. Below are my configs; all objects have been created on the firewall.
object-group service 172.20.5.5_PORTS
service-object tcp destination range 42990 42999
service-object tcp destination range 43000 43518
service-object tcp destination range 43519 43520
service-object tcp destination eq 40022
service-object tcp destination range 940 990
service-object tcp destination eq 14970
service-object tcp destination range 20000 20050
12-16-2012 11:35 PM
I've been struggling with the same issue here. I'm running the 9.0.x version on my ASA5505. The given solutions don't work. I've tried the following to set up secure FTP (tried non-secure FTP as well, with the same negative result):
object network obj-FTP
host 192.168.1.2
object service PassiveFTP tcp
service tcp destination range 43333 43339
nat (outside,inside) source static any any destination static interface obj-FTP service PassiveFTP tcp PassiveFTP tcp
access-list outside_access_in extended permit tcp any host 192.168.1.2 range 43333 43339
access-list outside_access_in in interface outside
I have tried several options in one NAT rule with a port range without success. The only way I could get this to work is to make separate NAT rules for each passive port. Since I only need 10 passive ports to be opened, it is not really a problem, but it doesn't seem like a desirable solution. Imagine when you have to open 500 ports. I'm curious what the cause is that it won't work with a port range, and whether someone ever found a proper solution for this (to compare, on a Linksys E4200 I got this to work without any problem: I specified a port range for passive FTP and it worked like a charm. I know this is a completely different device, but it's hard to believe it won't work on an ASA).
12-17-2012 07:03 AM
Remco, this is due to a new bug we've found with the 9.0 and 9.1 versions of software.
CSCud70110 Manual NAT rule with service port range not matched correctly
The workarounds are:
1) Create an individual port map NAT statement for each port in the range (you've already discovered this)
-or-
2) Downgrade to version 8.4 until we have the bug fixed
Here are the full details of the bug:
Symptom
Traffic that should match a configured manual NAT rule that uses a range of service ports will fail to match correctly. This results in connections not completing.
Conditions
This problem is seen if a manual NAT configuration includes a service object with a range of ports. Below is an example:
!
object network test_local
host 192.168.1.4
object network test_global
host 10.0.0.5
object service test_service_range
service tcp source range 5000 5005
!
nat (inside,outside) source static test_local test_global service test_service_single test_service_single
!
Traffic arriving on the outside interface destined to the IP 10.0.0.5 and with destination TCP ports between 5000 and 5005 will not match this translation.
Workaround
Downgrade to version 8.4
-or-
Change the NAT rule so that it uses a single port, instead of a range of ports. This might require adding multiple service objects, as well as more NAT rules. Example:
!
object network test_local
host 192.168.1.4
object network test_global
host 10.0.0.5
object service test_service_5000
service tcp source range 5000
object service test_service_5001
service tcp source range 5001
object service test_service_5002
service tcp source range 5002
object service test_service_5003
service tcp source range 5003
object service test_service_5004
service tcp source range 5004
object service test_service_5005
service tcp source range 5005
!
nat (inside,outside) source static test_local test_global service test_service_5000 test_service_5000
nat (inside,outside) source static test_local test_global service test_service_5001 test_service_5001
nat (inside,outside) source static test_local test_global service test_service_5002 test_service_5002
nat (inside,outside) source static test_local test_global service test_service_5003 test_service_5003
nat (inside,outside) source static test_local test_global service test_service_5004 test_service_5004
nat (inside,outside) source static test_local test_global service test_service_5005 test_service_5005
!
The bug is being worked on now. Once we get it fixed, the range of ports in the NAT configuration should work.
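As an added example (not from this thread or from Cisco), a small Python generator for the two configuration shapes discussed above: the single range rule in the (outside,inside) destination form the thread uses, or the per-port expansion that is the documented workaround, so that a range of several hundred ports need not be typed by hand. The function names, the object naming scheme and the version check are my own assumptions; the version check encodes only the trains this thread reports as affected (9.0.x and 9.1.x), not an authoritative release list.

```python
import re
from typing import List

# Trains this thread reports as hit by CSCud70110 (9.0.x, 9.1.x); 8.4 and
# 9.2(4) are reported working. Assumption drawn from the thread, not an
# authoritative release list.
RANGE_BUG_TRAINS = {(9, 0), (9, 1)}


def affected_by_range_bug(version: str) -> bool:
    """Parse '9.1(2)', '9.2(2)8' or '8.4' and check the major.minor train."""
    m = re.match(r"^\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {version!r}")
    return (int(m.group(1)), int(m.group(2))) in RANGE_BUG_TRAINS


def port_range_nat(version: str, obj: str, real_ip: str, proto: str,
                   first: int, last: int, outside: str = "outside",
                   inside: str = "inside") -> List[str]:
    """Emit twice-NAT config mapping ports first..last on the outside
    interface address to real_ip, using the (outside,inside) destination
    form from the thread: one range rule, or one rule per port on 9.0/9.1.
    """
    if not 1 <= first <= last <= 65535:
        raise ValueError("port range must be ordered and within 1..65535")
    lines = [f"object network {obj}", f" host {real_ip}"]
    if affected_by_range_bug(version):
        # Workaround: one service object and one NAT rule per single port.
        specs = [(f"{obj}_{proto}_{p}", f"eq {p}") for p in range(first, last + 1)]
    else:
        specs = [(f"{obj}_{proto}_{first}-{last}", f"range {first} {last}")]
    for svc, match in specs:
        lines += [f"object service {svc}",
                  f" service {proto} destination {match}",
                  f"nat ({outside},{inside}) source static any any "
                  f"destination static interface {obj} service {svc} {svc}"]
    # On 8.3+ the interface ACL is checked against the real (untranslated)
    # address and port, so it names the real host and the real port range.
    lines += [f"access-list {outside}_access_in extended permit {proto} any "
              f"host {real_ip} range {first} {last}",
              f"access-group {outside}_access_in in interface {outside}"]
    return lines


if __name__ == "__main__":
    print("\n".join(port_range_nat("9.2(4)", "FTP-Passive", "192.168.1.50",
                                   "tcp", 43333, 43339)))
```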
12-17-2012 01:10 PM
Thank you kindly. It makes it clearer why it isn't working at the moment. I've been looking for this specific problem with the 9.0 version but obviously in the wrong places.
For me it works at the moment with separate NAT rules; I can live with it till it's fixed.
02-23-2017 05:52 AM
I finally managed to get a port range to work with the ASA 5505. It took me 7 hours, but mainly because of a known bug in ASA 9.0 and 9.1 that prevents port ranges from working properly! After I upgraded to 9.2(4) it started to work.
I used ASDM but here are the ASA commands:
object network FTP-Passive
host 192.168.1.50
object service Passive_FTP
service tcp destination range 32900 33000
nat (outside,inside) source static any any destination static interface FTP-Passive service Passive_FTP Passive_FTP
access-list inbound extended permit tcp any host 192.168.1.50 range 32900 33000
access-group inbound in interface outside