Reverse Port Redirection with ASA5505

Patrick Werner
Level 1

Hello Community.

We have a single IP address on the Internet and want to forward SMTP traffic that hits our ASA outside interface to the internal mail server.

And we would like to forward HTTP traffic to our web server.

Example:

212.23.23.23 Port 25 -> 192.168.1.100 Port 25

212.23.23.23 Port 80 -> 192.168.1.200 Port 80

How do I accomplish that? Which NAT rules do I need?

Thanks Patrick


12 Replies

julomban
Level 3

Patrick,

Depends on the IOS version you are running, examples below:

Prior 8.3:

static (inside,outside) tcp 212.23.23.23 25 192.168.1.100 25 netmask 255.255.255.255

static (inside,outside) tcp 212.23.23.23 80 192.168.1.200 80 netmask 255.255.255.255

Starting in 8.3:

object network obj_192.168.1.100

host 192.168.1.100

nat (inside,outside) static 212.23.23.23 service tcp 25 25

!

object network obj_192.168.1.200

host 192.168.1.200

nat (inside,outside) static 212.23.23.23 service tcp 80 80

Regards,

Juan Lombana

Please rate helpful posts.

Hi Julomban.

Thanks for the answer. But I have only one external IP address, that's why I get the error:

ERROR: Address 212.23.23.23 overlaps with outside interface address

Outside Interface:

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group pppoex

ip address 212.23.23.23 255.255.255.255 pppoe setroute

Hi,

You can use the parameter "interface" instead of the IP address "212.23.23.23" in the NAT configurations and it should be fine.

- Jouni

Hello Patrick,

Thank you for your response. If you are using your outside interface on the NAT rule then use the keyword "interface":

Prior 8.3:

static (inside,outside) tcp interface 25 192.168.1.100 25 netmask 255.255.255.255

static (inside,outside) tcp interface 80 192.168.1.200 80 netmask 255.255.255.255

Starting in 8.3:

object network obj_192.168.1.100

host 192.168.1.100

nat (inside,outside) static interface service tcp 25 25

!

object network obj_192.168.1.200

host 192.168.1.200

nat (inside,outside) static interface service tcp 80 80

Hope it helps,

Juan Lombana

Please rate helpful posts.

Hi Juan.

Thanks for the answer, but somehow it doesn't work. I'm using IOS 9.01. Could be a problem with the rest of the NAT rules:

object network 10.193.168.12

host 10.193.168.12

nat (inside,outside) source static 10.193.168.0 10.193.168.0 destination static 10.193.169.0 10.193.169.0

nat (inside,outside) source static 10.193.168.0 10.193.168.0 destination static 10.3.0.0 10.3.0.0

nat (inside,outside) source dynamic 10.193.168.0 interface

nat (inside,outside) source static 10.193.168.0 10.193.168.0 destination static 172.16.1.1 172.16.1.1

!

object network 10.193.168.12

nat (inside,outside) static interface service tcp smtp smtp

sh nat translated interface outside
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static 10.193.168.0 10.193.168.0   destination static 10.193.169.0 10.193.169.0
    translate_hits = 205234, untranslate_hits = 206407
2 (inside) to (outside) source static 10.193.168.0 10.193.168.0   destination static 10.3.0.0 10.3.0.0
    translate_hits = 86, untranslate_hits = 86
3 (inside) to (outside) source dynamic 10.193.168.0 interface
    translate_hits = 275255, untranslate_hits = 45715
4 (inside) to (outside) source static 10.193.168.0 10.193.168.0   destination static 172.16.1.1 172.16.1.1
    translate_hits = 399, untranslate_hits = 409

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static 10.193.168.12 interface   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 0

Hi,

I think the Dynamic PAT is breaking the Port Forward / Static PAT

So do this

no nat (inside,outside) source dynamic 10.193.168.0 interface

nat (inside,outside) after-auto source dynamic 10.193.168.0 interface

Do notice that this will cause a minor outage in hosts connections to "outside" which use the Dynamic PAT. But this has to be changed for the Static PAT / Port Forward to work.

Adding the "after-auto" will move this Dynamic PAT configuration to the very end of the of the NAT rules called Section 3. The Network Object NAT for the Port Forward / Static PAT is Section 2. And the original Dynamic PAT rule and the others along with it are Section 1 NAT rules.

The order they are gone through is naturally from Section 1 to Section 2 to Section 3.

Hope this helps

Remember to mark the reply as the correct answer if it answered your question.

- Jouni

That was it, thanks for your help. Just one more little question:

I need to forward more than one port, so I've created a service-group:

object-group service ExchangePorts

description Exchange Ports

service-object object IMAP

service-object object POP3Secure

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq smtp

But I can't add this group to the NAT rule:

object network 10.193.168.12

nat (inside,outside) static interface service tcp ExchangePorts ExchangePorts

And if I add more than one NAT rule under the object network 10.193.168.12, the last one will overwrite it. I can add only one rule under object network 10.193.168.12.

Patrick

Hi Patrick,

Sadly, at least at the moment, you are not able to use "object-group service" in a NAT configuration command of any type.

Also, any "object network" can ONLY hold ONE "nat" configuration line or host/subnet/range configuration and any "object service" can ONLY hold one configuration line also for the service in question.

So for multiple ports I am afraid you have to use multiple "object network" with their own "nat" configuration lines. The only situation where you could manage with fewer configuration would be if you needed to forward a continuous range of ports.

But in your situation it would seem that you will have to use this format for each service/port that you need to forward

object network

host 10.193.168.12

nat (inside,outside) static interface service

Naturally if there are several local IP address involved in the port forwards then you use those IP address instead of the above mentioned one.

So you could for example create

object network HTTPS

host 10.193.168.12

nat (inside,outside) static interface service 443 443

And so on for each service.

I know it's messy but sadly it's the only option at the moment.

Hope this helps

- Jouni

Also,

I wrote a NAT 8.3+ document on these forums. It goes over some basic information about the new NAT format, if you want to have a look:

https://supportforums.cisco.com/docs/DOC-31116

Naturally when in doubt, don't hesitate to start a discussion here on the Firewall section of CSC and ask more.

- Jouni

Thanks guys, it works now. Great support, I'm so happy :-)

Little side question. Is it right that if you use remote VPN or site-to-site VPN you have to NAT both networks? That means the remote VPN network and the local LAN network, or the site A network and the site B network?

Example:
nat (inside,outside) source static 'Site A' 'Site A' destination static 'Site B' 'Site B'
nat (inside,outside) source static 'Local LAN' 'Local LAN' destination static 'Remote VPN network' 'Remote VPN network'




Sent from Cisco Technical Support iPhone App

Hi,

Glad to help

We do need a NAT configuration usually for both VPN Client and Site to Site VPN to function correctly. I guess the only exception is when a single ASA is ONLY used for VPN. Then you can actually have the ASA without ANY NAT configurations at all. But this doesn't apply to your situation.

You basically already listed the type of NAT configurations you need already.

Let's say we have a site with an ASA firewall and that ASA has one Site to Site VPN and one VPN client connection configured.

  • The local site is 10.10.10.0/24
  • The remote site is 10.10.20.0/24
  • The VPN Pool is 10.10.100.0/24

With the above information if we wanted to make it so that both the local site and remote site and the local site and vpn pool could communicate using their original IP address, then we would configure the NAT in the following way

object network LAN

subnet 10.10.10.0 255.255.255.0

object network REMOTE-LAN

subnet 10.10.20.0 255.255.255.0

object network VPN-POOL

subnet 10.10.100.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static REMOTE-LAN REMOTE-LAN

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

The same logic would apply if you were to configure more Site to Site VPNs or VPN Client connections on the local firewall.

Hope this helps

Remember to mark correct replies as the correct answer or rate helpful answers.

Ask more if needed.

- Jouni

Patrick Werner
Level 1

Thanks. I hereby ask you if you can help me out in another thread.

https://supportforums.cisco.com/message/3947029#3947029

The Cisco 1941 was installed with the Cisco professional tool. But the NAT rule was missing. The remote VPN works and is up. But we can't reach the local LAN. The VPN pool has just one address. That's why I try to NAT this only address to one address in the local LAN. But if I set this NAT rule the VPN doesn't work because the pool can't hand out this address anymore. If you like, check the thread.

Many thanks, Patrick
Sent from Cisco Technical Support iPhone App
