Port translation issues

ACStech
Level 1

I have a very simple port translation setup problem that I'm dealing with on an ASA 5510 using the ASDM. I just want to set up a translation for a port on a public IP address to translate to a private IP and port. The one wrinkle is that I want only traffic on this particular port to translate to this particular private IP/port. All other traffic to that public IP address, I want to translate to a different IP address. So

Traffic pointed to: [Public IP Address] (no port) -> go to Private IP address "A"

Traffic pointed to [Public IP Address] (port 3001) -> go to Private IP address "B" (port 3001)

I used to do this all the time on a Watchguard Firewall with no issues. I'm sure it's possible on the ASA but it is completely confusing me. I already followed the Port Redirection (Forwarding) with Static directions in this link:

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

To create a new rule. When I run the CLI Analyzer, I get this error:

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xacf76530, priority=11, domain=permit, deny=true
hits=5036767, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

But I can't find any rules that would deny this packet access. I think I'm just missing some step so I was hoping someone might know how to set something like this up from step one.
I called Cisco for setup assistance (I have a SmartNet agreement) but the tech was completely lost on how to do this. He was no help at all. Just out of curiosity, what action do I take in the future if I speak to a technician and they clearly do not know how to accomplish what I need help with?
4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

You need to allow an access-list on the outside interface for the ports and the private IP.

You need to configure the following NAT on the ASA:

object service obj-tcp-eq-3001
service tcp destination eq 3001

object service obj-tcp-3001
service tcp source eq 3001

object network obj_privateaddA
host x.x.x.x
nat (inside,outside) static PUBLIC IP

object network obj-privaddB
host x.x.x.x
nat (inside,outside) static <public ip service> tcp obj-tcp-3001 obj-tcp-eq-3001

You would find this link useful: (Check Regular Static PAT section)

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Let me know if it works.

Regards,

Aditya

Please rate helpful posts.

I wonder if it's the order of my rules on the access list? The rule to allow any traffic on the public IP address comes first. It looks like, on my trace, traffic pointed to port 3001 is all going to the Private IP address A rather than B.

Also, when you wrote <public ip service> is that something I am supposed to enter verbatim or is that a place-holder for something? I am getting an error on that command.

Hi,

My bad.

The correct syntax is:

object network obj-privaddB
host x.x.x.x
nat (inside,outside) static <public ip > service tcp obj-tcp-3001 obj-tcp-eq-3001

Did you try creating the service objects before creating this NAT?

object service obj-tcp-eq-3001
service tcp destination eq 3001

object service obj-tcp-3001
service tcp source eq 3001

Since you are using a different private IP it should go to the correct NAT statement.

Let me know if it helps.

Regards,

Aditya

Just FYI, I am getting an invalid input detected on this line:

nat (inside,outside) static <public ip> tcp obj-tcp-3001 obj-tcp-eq-3001

When it gets to "tcp"

I tried changing it to

nat (inside,outside) static <public ip> service tcp obj-tcp-3001 obj-tcp-eq-3001

but now I get an error when it gets to "obj-tcp-3001"
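As an added example (my own configuration, not code from any post in this thread or from the linked Cisco document), here is the setup the original poster describes, written for ASA 8.3+ object NAT: every packet to the public IP goes to private host A, except TCP/3001, which goes to private host B. The addresses 203.0.113.10 (public), 10.0.0.10 (host A) and 10.0.0.20 (host B), the ACL name OUTSIDE_IN and the port 443 permitted to host A are all placeholders I chose for the example.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   203.0.113.10 = public IP, 10.0.0.10 = host A, 10.0.0.20 = host B
!
! Host B: static PAT, only TCP/3001 on the public IP is mapped to B.
! In object NAT the "service" keyword takes a protocol and two port
! numbers (real port, then mapped port), not service objects.
object network obj-privaddB
 host 10.0.0.20
 nat (inside,outside) static 203.0.113.10 service tcp 3001 3001
!
! Host A: plain static NAT, everything else on the public IP maps to A.
object network obj_privateaddA
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
! Since 8.3 the ACL on the outside interface matches the real
! (untranslated) addresses, so it must permit the private hosts.
! Permit only the ports each host actually serves; anything not
! permitted here hits the implicit deny seen in the packet-tracer output.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.20 eq 3001
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Verify which NAT rule and which ACE a packet to the public IP on 3001
! hits (198.51.100.5 is a placeholder external source address).
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.10 3001
show nat detail
```

Two points follow from this. First, the "invalid input" at obj-tcp-3001 is expected: service objects are used by the twice-NAT form (nat (inside,outside) source static ...), while object NAT under object network takes port numbers or names after service tcp. Second, which rule a port-3001 packet actually matches is not something to assume; run the packet-tracer line and compare the translate-count columns of show nat detail. If the full static for host A is absorbing port 3001, move the port-specific rule into a twice-NAT (section 1) entry, which the ASA evaluates before the object NAT rules in section 2.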
