Solved: Unable to Port Forward on ASA 5512-X ver. 9.1

Eyasu · ‎10-20-2017

Hey, guys.

i am kind of new to this forums. And, now, i need your expertise about PORT FORWARDING ASA 5512-X ver.9.1 based on the topology and my detail ASA configuration. All port forwarded worked on Router 2600 series. now, we just remove the Router and replace it with ASA .

My detail topology is below. Further clarification, there is an EPON bridge in between ASA and ISP-Router

DETAIL OF ASA CONFIGURATION:

===============================================================================

ASA Version 9.1(2)
!
hostname CORE-FW
domain-name
enable password encrypted
names
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 10.130.80.2 255.255.255.252
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 172.24.10.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 80
ip address 172.24.16.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif Management
security-level 90
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name
object network PUBLIC_IPS
range 196.188.28.217 196.188.28.218
object network PUBLIC_IP1
host 196.188.28.217
object network PUBLIC_IP2
host 196.188.28.218
object network INSIDE_NET
subnet 172.24.10.0 255.255.255.0
object network DMZ_NET
subnet 172.24.16.0 255.255.255.0
object network SERVER_IP
host 172.24.16.8
access-list ALLOW-SERVER extended permit icmp any any echo log
access-list ALLOW-SERVER extended permit icmp any any echo-reply
access-list ALLOW-SERVER extended permit tcp any object SERVER_IP eq 3306
access-list ALLOW-SERVER extended permit tcp any object SERVER_IP range 2004 2005
access-list ALLOW-SERVER extended permit tcp any object SERVER_IP range 8020 8030
access-list ALLOW-SERVER extended permit tcp any object SERVER_IP range 52460 52470
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu Management 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network INSIDE_NET
nat (INSIDE,OUTSIDE) dynamic pat-pool PUBLIC_IPS
object network DMZ_NET
nat (DMZ,OUTSIDE) dynamic pat-pool PUBLIC_IPS
object network SERVER_IP
nat (DMZ,OUTSIDE) static PUBLIC_IP1
access-group ALLOW-SERVER in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 10.130.80.1 1
route INSIDE 172.24.0.0 255.255.240.0 172.24.10.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 172.24.10.0 255.255.255.0 INSIDE
telnet 192.168.1.0 255.255.255.0 Management
telnet timeout 5
ssh 172.24.10.0 255.255.255.0 INSIDE
ssh 192.168.1.0 255.255.255.0 Management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username password encrypted
!
class-map inspection_default
match default-inspection-traffic
class-map inspection_defualt
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
dns-guard
protocol-enforcement
nat-rewrite
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
policy-map global-policy
!
service-policy global_policy global

andre.ortega · ‎10-23-2017

Flow export is not related with port-forwarding.

View solution in original post

mikael.lahtela · ‎10-20-2017

Hi,

I think the best way to solve this is to do packet capture on the outside and dmz interfaces.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

br, Micke

andre.ortega · ‎10-20-2017

Here it is an example:

object network obj-10.1.1.16

host 10.1.1.16

nat (inside,outside) static 192.168.100.100 service tcp www www

You will also need to allow the access on acl.

access-list ALLOW-SERVER extended permit tcp any obj-10.1.1.16 eq www

Eyasu · ‎10-23-2017

hello andre,

thanks for your support.

the solution you gave me is simply perfect. but, i didn't work for me.

i just cleared out and just only add the way you showed me.

Should I use flow-export command??? and, how can i accomplish that too???

andre.ortega · ‎10-23-2017

Flow export is not related with port-forwarding.

Eyasu · ‎10-23-2017

Thanks for support guys. But, i still wounder, why CISCO will not allow us to natting and port-forwarding a RANGE of ports for simplicity.

i use this CLI:

network service ALLO_PORT

service tcp source range 2010 2015

and, add that service to the end of access-list

but, doesn't respond. why is that?