Port forwarding: external requests on port 445 to an internal IP on port 22

mritter9139
Level 1

We are trying to set up a simple Port-Forwarding rule on our Cisco ASA 5512. Our goal is to forward requests on port 445 that arrive on our external IP xxx.xxx.129.237 to our internal IP xx.xx.77.237.

We have tried a lot and used Google and the Cisco forums for troubleshooting. Unfortunately, we could not find a solution that works. I have tried both methods of creating the rule (CLI/ASDM).

CLI Perspective

The values provided here should give you an overview of our current configuration.

ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.6(1)2
!
hostname ciscoasa
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 nameif internal
 security-level 90
 ip address xx.xx.77.1 255.255.255.0
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 security-level 50
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 security-level 25
 no ip address
!
interface GigabitEthernet0/3
 description External Interface
 nameif external
 security-level 0
 ip address xxx.xxx.129.237 255.255.255.0
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET_INSIDE_NETWORK
 subnet xx.xx.77.0 255.255.255.0
 description Internet Access from Internal Network
object network NET_VPN
 subnet xx.xx.82.0 255.255.255.0
object network HOST_VROUTER
 host xx.xx.77.99
object network NET_VIRTUAL_10
 subnet xx.xx.10.0 255.255.255.0
 description openNebulaNetwork10
object network NET_VIRTUAL_20
 subnet xx.xx.20.0 255.255.255.0
 description openNebulaNetwork20
object network NET_VIRTUAL_30
 subnet xx.xx.30.0 255.255.255.0
 description virtualLAN_30
object network NET_VIRTUAL_40
 subnet xx.xx.40.0 255.255.255.0
 description virtualLAN_40
object network NET_VIRTUAL_50
 subnet xx.xx.50.0 255.255.255.0
 description virtualLAN_50
object network HOST_DEBIAN_ACCESS_SRV
 host xx.xx.77.237
 description Debian Access Server
object network HOST_ASA_IP_INTERNAL
 host xx.xx.77.1
 description Internal IP Address of ASA
object network HOST_LOGSERVER
 host xx.xx.10.14
 description Alienvault Logserver (SIEM)
object service SSH_Nat_to_445
 service tcp destination eq 445
 description SSHEXT
object network HOST_EXTERNAL_IP
 host xx.xx.129.237
 description IP Address of the external interface
object service SSH_Ext
 service tcp destination eq ssh
object network STATIC-PAT
 host xx.xx.77.237
 description DEBIAN ACCESS
object-group network NET-VPNPOOL
object-group network DM_INLINE_NETWORK_1
 network-object object NET_INSIDE_NETWORK
 network-object object NET_VIRTUAL_10
 network-object object NET_VIRTUAL_20
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp

access-list external_access_in extended permit icmp any any
access-list external_access_in extended permit tcp any object HOST_DEBIAN_ACCESS_SRV eq 445
access-list external_access_in extended permit ip any object HOST_DEBIAN_ACCESS_SRV
access-list internal_access_in extended permit ip any any

pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host internal xx.xx.10.14 format emblem
logging permit-hostdown
mtu internal 1500
mtu external 1500

ip local pool VPN_POOL_SUBNET xx.xx.82.100-xx.xx.82.200 mask xx.xx.82.0
icmp unreachable rate-limit 1 burst-size 1

icmp deny any external

nat (external,external) source dynamic NET_VPN interface description Internet for VPN

nat (internal,external) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NET_VPN NET_VPN no-proxy-arp route-lookup
!

object network NET_INSIDE_NETWORK
 nat (internal,external) dynamic interface

object network HOST_DEBIAN_ACCESS_SRV
 nat (internal,external) static interface service tcp ssh 445

access-group internal_access_in in interface internal
access-group outside_access_in in interface external

route external 0.0.0.0 0.0.0.0 87.193.129.233 2
route internal xx.xx.10.0 255.255.255.0 xx.xx.77.99 1
route internal xx.xx.20.0 255.255.255.0 xx.xx.77.99 1
route internal xx.xx.30.0 255.255.255.0 xx.xx.77.99 1
route internal xx.xx.40.0 255.255.255.0 xx.xx.77.99 1
route internal xx.xx.50.0 255.255.255.0 xx.xx.77.99 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http xx.xx.77.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5
ssh xx.xx.77.0 255.255.255.0 internal
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns xxxx.xxx.129.10 xxxx.xxx.130.10
!
dhcpd address xx.xx.77.100-xx.xx.77.200 internal
dhcpd enable internal
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1 aes256-sha1
webvpn
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 1
 anyconnect profiles client disk0:/client.xml
 anyconnect enable
group-policy LaborVPNGroup internal
group-policy LaborVPNGroup attributes
 dns-server value xxxxx.xxxx.129.10 xxxx.xxxx.130.10
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 default-domain none
 webvpn
  anyconnect profiles value client type user
  always-on-vpn profile-setting

Cisco ASDM GUI Perspective

Screenshot 1.1 shows the access rules (background) and the NAT Objects settings for our Access Server.

[Screenshot 1.1]

In Screenshot 1.2 you can see the error we get.

[Screenshot 1.2]
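As an added illustration (not part of the original post, and not taken from Cisco documentation), here is the minimal shape of a working static PAT plus inbound access rule for this goal on ASA 8.3 and later. The object NET_ADMIN_SOURCE and the 198.51.100.0/24 source network are assumptions for the example; the point it shows is that the ASA un-NATs the packet before evaluating the interface ACL, so the ACL must match the real host on the real port (tcp/22), not the mapped port 445, and that the source should be narrower than "any" for a management protocol exposed to the internet.

```cisco
! Real host and the static PAT: mapped external tcp/445 -> real tcp/22 (ssh)
object network HOST_DEBIAN_ACCESS_SRV
 host xx.xx.77.237
 nat (internal,external) static interface service tcp ssh 445
!
! Assumed for this example: the networks that legitimately need SSH access
object network NET_ADMIN_SOURCE
 subnet 198.51.100.0 255.255.255.0
!
! ASA 8.3+ evaluates the inbound ACL against the REAL destination address and
! REAL port (after un-NAT), so the entry matches tcp/22 on the real host, not 445
access-list external_access_in extended permit tcp object NET_ADMIN_SOURCE object HOST_DEBIAN_ACCESS_SRV eq ssh
!
! The access-group must reference the ACL name that actually exists
access-group external_access_in in interface external
!
! Verify: simulate an inbound SYN to the mapped port and expect UN-NAT, then ACCESS-LIST ALLOW
packet-tracer input external tcp 198.51.100.10 12345 xxx.xxx.129.237 445
```

Run the packet-tracer from a source address that is inside the permitted object; a source outside it should be dropped in the ACCESS-LIST phase, which is the behaviour you want to confirm before exposing SSH on a port that internet scanners probe constantly because it is normally SMB.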

4 Replies

Jon Marshall
Hall of Fame

Can you run "packet-tracer input outside tcp 8.8.8.8 12345 x.x.129.237 445"

and post the results.

Also, can you post the output of "sh nat" from the ASA.

Jon

Thank you already for your help; I found an error in the config I posted in my previous post.

The error was

access-group outside_access_in in interface external
corrected to
access-group external_access_in in interface external

However, even with this corrected, I still get the following output from the commands you advised.

ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (external) to (external) source dynamic NET_VPN interface   description Internet for VPN
    translate_hits = 346145, untranslate_hits = 6985
2 (internal) to (external) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1   destination static NET_VPN NET_VPN no-proxy-arp route-lookup
    translate_hits = 198, untranslate_hits = 5359115

Auto NAT Policies (Section 2)
1 (internal) to (external) source static HOST_DEBIAN_ACCESS_SRV interface   service tcp ssh 445
    translate_hits = 0, untranslate_hits = 0
2 (any) to (external) source dynamic HOST_VROUTER interface
    translate_hits = 1756, untranslate_hits = 1
3 (internal) to (external) source dynamic NET_VIRTUAL_10 interface
    translate_hits = 616810, untranslate_hits = 8155
4 (internal) to (external) source dynamic NET_VIRTUAL_20 interface
    translate_hits = 0, untranslate_hits = 0
5 (internal) to (external) source dynamic NET_VIRTUAL_30 interface
    translate_hits = 0, untranslate_hits = 0
6 (internal) to (external) source dynamic NET_VIRTUAL_40 interface
    translate_hits = 0, untranslate_hits = 0
7 (internal) to (external) source dynamic NET_VIRTUAL_50 interface
    translate_hits = 0, untranslate_hits = 0
8 (internal) to (external) source dynamic NET_INSIDE_NETWORK interface
    translate_hits = 273078, untranslate_hits = 71123

ciscoasa(config)# packet-tracer input external tcp 8.8.8.8 12345 xx.xx.129.23$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   xx.xx.129.237  255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: external
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The packet-tracer output suggests that it is not finding a NAT rule.

Both your dynamic NAT and static PAT translations are in section 2 of the "sh nat" output, and according to that output the static PAT is used first, so it should work as far as I can see.

What you can try doing is moving your general dynamic NAT for the internal users to section 3 which would mean your static PAT would definitely take precedence.

Like I say, you shouldn't have to do this, but it's the only thing I can think of at the moment.

So you would remove this -

object network NET_INSIDE_NETWORK
 nat (internal,external) dynamic interface

and replace it with this -

nat (internal,external) after-auto source dynamic NET_INSIDE_NETWORK interface

Jon
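The two mistakes that surface in this thread (an access-group bound to an ACL name that does not exist, and an inbound ACL entry written against the mapped PAT port instead of the real port) are easy to catch mechanically before running packet-tracer. The following is an added example, not code from the original post or from Cisco: a small lint over the text of a running-config. The config it parses is a constructed sample that mirrors the structure of the poster's config, with RFC 5737 documentation addresses in place of the real ones; the service-name table covers only a handful of names.

```python
"""Lint an ASA running-config for the mistakes discussed in this thread.

Added example, not code from the original post.  SAMPLE_CONFIG below is a
constructed sample that mirrors the poster's config structure, with RFC 5737
documentation addresses standing in for the real ones.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif internal
interface GigabitEthernet0/3
 nameif external
object network HOST_DEBIAN_ACCESS_SRV
 host 192.0.2.237
 nat (internal,external) static interface service tcp ssh 445
object network NET_INSIDE_NETWORK
 subnet 192.0.2.0 255.255.255.0
 nat (internal,external) dynamic interface
access-list external_access_in extended permit icmp any any
access-list external_access_in extended permit tcp any object HOST_DEBIAN_ACCESS_SRV eq 445
access-list external_access_in extended permit ip any object HOST_DEBIAN_ACCESS_SRV
access-list internal_access_in extended permit ip any any
access-group internal_access_in in interface internal
access-group outside_access_in in interface external
"""

# The ASA accepts well-known service names in place of numbers; a small subset suffices here.
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "smtp": 25, "domain": 53}


def port_num(token):
    """Map 'ssh' or '445' to an integer port; None if the name is not in the table."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def parse_config(text):
    """Extract ACL entries, access-group bindings and object-NAT static PATs."""
    cfg = {"acls": defaultdict(list), "groups": {}, "static_pat": []}
    current_obj = None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("object network "):
            current_obj = parts[2]
        elif line.startswith(" nat ") and current_obj:
            m = re.search(r"static \S+ service tcp (\S+) (\S+)", line)
            if m:  # (object, real port, mapped port)
                cfg["static_pat"].append((current_obj, port_num(m.group(1)), port_num(m.group(2))))
        elif line.startswith("access-list "):
            cfg["acls"][parts[1]].append(parts[2:])
        elif line.startswith("access-group "):
            # access-group <acl> in interface <ifc>
            cfg["groups"][parts[4]] = parts[1]
    return cfg


def dangling_access_groups(cfg):
    """access-group bindings whose ACL has no entries at all (the bug the poster found)."""
    return [(acl, ifc) for ifc, acl in cfg["groups"].items() if acl not in cfg["acls"]]


def mapped_port_in_acl(cfg):
    """ACL entries that match a static PAT object's mapped port instead of its real port.

    On ASA 8.3+ the interface ACL sees the un-NATed (real) destination, so an
    entry on the mapped port never matches inbound traffic to the PAT.
    """
    findings = []
    for obj, real, mapped in cfg["static_pat"]:
        for name, rules in cfg["acls"].items():
            for r in rules:
                if "object" in r and r[r.index("object") + 1] == obj and "eq" in r:
                    port = port_num(r[r.index("eq") + 1])
                    if port == mapped and port != real:
                        findings.append((name, obj, mapped, real))
    return findings


def any_ip_to_object(cfg):
    """'permit ip any object X' entries: far broader than the one PAT'd port the host needs."""
    return [(name, r[5]) for name, rules in cfg["acls"].items() for r in rules
            if r[:5] == ["extended", "permit", "ip", "any", "object"]]


def report(text):
    """Return one human-readable finding per problem in the config text."""
    cfg = parse_config(text)
    lines = [f"access-group {acl} bound to {ifc}, but no such access-list exists"
             for acl, ifc in dangling_access_groups(cfg)]
    lines += [f"{name}: entry matches mapped port {m} on {obj}; the real port is {r}"
              for name, obj, m, r in mapped_port_in_acl(cfg)]
    lines += [f"{name}: 'permit ip any' to {obj} allows every port from any source"
              for name, obj in any_ip_to_object(cfg)]
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
```

Against the sample the lint reports the unbound outside_access_in, the 445-versus-22 mismatch, and the overly broad permit ip any entry; on a real box, paste the output of "show running-config" in place of SAMPLE_CONFIG and confirm with packet-tracer once the findings are cleared.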
