Cisco ASA 5505 Port forwarding

JB-TX (Level 1)

Hello Everyone,

 

I am having some trouble getting port forwarding to work. ASA 5505, CLI, version 8.2(5).

I've tried a few different configs, but I can't seem to get it to work. I am trying to configure RDP access for one specific public IP only.

Using 50.1.1.1 as the external IP that is trying to gain RDP access, 105.1.1.1 as the office network public IP, and 192.0.0.1 as the private RDP IP.

 

Config 1.

access-group INBOUND in interface outside

access-list INBOUND extended permit tcp host 50.1.1.1 eq 3389 host 105.1.1.1 eq 3389

static (inside,outside) tcp interface 3389 192.0.0.1 3389 netmask 255.255.255.255

 

Config 2

access-group INBOUND in interface outside 

object-group network RDP
 network-object 50.1.1.1 255.255.255.255

access-list inbound extended permit tcp object-group RDP eq 3389 host 105.1.1.1 eq 3389

static (inside,outside) tcp interface 3389 192.0.0.1 3389 netmask 255.255.255.255

 

 

Thanks for any assistance on this.


5 Replies

Hi @JB-TX

If you specify the source port, the ACL will match only if the connection is started from that port. However, source ports are usually random ports above 1024.

You can create an object with the port range 1024 to 65535 and then use this object as the source port.

 

-If I helped you somehow, please, rate it as useful.-

Thanks for the information. I understand what you are saying.

 

I would like to clarify my question to make sure I was clear and didn't confuse anyone.

But I am trying to have port 3389 open only to the external public IP 50.1.1.1.

A port passthrough with restrictions to just certain external IPs, which can only access the internal IP on the designated port.

Does your reference still apply?

Thanks again!

Yes.

I'm considering that the source IP is 50.1.1.1; let's say it is your home PC. Then you want only your home PC to access the 105.1.1.1 IP address on the RDP port, and this connection should be forwarded to 192.0.0.1 on the RDP port internally.

What I am trying to say is that when you open Remote Desktop on your home PC and type the 105.1.1.1 IP address and port 3389, the Remote Desktop client will create a packet where the source IP address will be its own IP address, 50.1.1.1, and the source port will be a random port between 1024 and 65535. The destination IP address will be 105.1.1.1 and the destination port will be 3389.

Then this packet is sent. When it gets to the firewall, if your ACL has the source port as 3389 but your client used, let's say, 1025, the firewall will block the packet.

The thing is, you cannot control the client's source port; by default it is a random port. So you need to keep it as any or specify a range.

Does that make sense?

 

-If I helped you somehow, please, rate it as useful.-
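To make the point in the reply above concrete, here is an added example (not from the thread or from Cisco) that models how an ASA evaluates an inbound extended ACL. It parses the exact ACE from Config 1 and the one that finally worked, then runs a constructed RDP client packet, whose source port is ephemeral rather than 3389, through both. Only the subset of ACE syntax used in this thread is modelled (host, any, address/mask, eq, range, first match, implicit deny); object-groups are not, and the sample packet and port range are constructed for the demonstration.

```python
"""Tiny model of ASA inbound ACL evaluation (added example, not vendor code).

Shows why 'permit tcp host 50.1.1.1 eq 3389 host 105.1.1.1 eq 3389' never
matches a real RDP client: the client's SOURCE port is ephemeral, so the
'eq 3389' on the source side fails and the implicit deny drops the packet.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Tuple

ANY_PORT = (0, 65535)  # inclusive range meaning "no port operator"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp" or "udp"
    src: ipaddress.IPv4Network
    src_ports: Tuple[int, int]   # inclusive range
    dst: ipaddress.IPv4Network
    dst_ports: Tuple[int, int]


def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A MASK' (8.2 mask syntax). Returns (net, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_ports(tokens, i):
    """Consume an optional 'eq N' or 'range A B'; absent means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return ANY_PORT, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny tcp|udp SRC [ports] DST [ports]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    if action not in ("permit", "deny") or proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _parse_addr(t, 5)
    src_ports, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dst_ports, i = _parse_ports(t, i)
    if i != len(t):  # refuse rather than silently ignore keywords we don't model
        raise ValueError(f"trailing tokens in ACE: {' '.join(t[i:])}")
    return Ace(action, proto, src, src_ports, dst, dst_ports)


def _in(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First-match evaluation with the ASA's implicit deny at the end."""
    for ace in acl:
        if (ace.proto == pkt.proto
                and ipaddress.ip_address(pkt.src_ip) in ace.src
                and _in(pkt.src_port, ace.src_ports)
                and ipaddress.ip_address(pkt.dst_ip) in ace.dst
                and _in(pkt.dst_port, ace.dst_ports)):
            return ace.action
    return "deny"


# The ACE from Config 1 in the original post, and the one that finally worked.
ORIGINAL_ACE = "access-list INBOUND extended permit tcp host 50.1.1.1 eq 3389 host 105.1.1.1 eq 3389"
FIXED_ACE = "access-list INBOUND extended permit tcp host 50.1.1.1 host 105.1.1.1 eq 3389"


def rdp_client_packet(src_ip: str = "50.1.1.1", seed: int = 0) -> Packet:
    """Constructed packet: the client picks an ephemeral source port, never 3389."""
    return Packet(src_ip, random.Random(seed).randint(49152, 65535), "105.1.1.1", 3389)


def compare() -> dict:
    """Run the same client packet through both ACEs, plus a non-allowed source."""
    pkt = rdp_client_packet()
    other = Packet("60.1.1.1", pkt.src_port, "105.1.1.1", 3389)
    return {
        "original": evaluate([parse_ace(ORIGINAL_ACE)], pkt),
        "fixed": evaluate([parse_ace(FIXED_ACE)], pkt),
        "fixed_other_source": evaluate([parse_ace(FIXED_ACE)], other),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:20s} -> {verdict}")
```

The original ACE only matches if the client happens to bind source port 3389, which RDP clients do not do; the fixed ACE leaves the source port unconstrained and still restricts by source address, which is the control that actually matters here.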

 

 

 

I believe I understand.

I just attempted to change things up and I still didn't get anywhere.

 

So what if this is not RDP but, say, a random application port like 5555 that is communicating with an internal application? Would the same principle apply? So how do you make the ASA accept an incoming request from a specific port and from a specific external IP? Or can't you?

 

EDIT: I got it to work properly. CLI below. I am still curious about my question above though. Thanks so much for the help and explanation!

access-list inbound extended permit tcp host 50.1.1.1 host 105.1.1.1 eq 3389

static (inside,outside) tcp interface 3389 192.0.0.1 3389 netmask 255.255.255.255

Hi @JB-TX. I'm glad it works and thanks for rating.

 

About your question, yes, it is possible to open a flow just like you tried. However, applications usually do not allow us to determine which source port they will use. Sometimes they don't even allow choosing the destination port, like the Windows Remote Desktop application. That's why we have the concept of well-known ports, dynamic, private or ephemeral ports, etc.

If the application allows you to determine which source port it will use, then the rule can follow the syntax you created.

However, keep in mind that this is not a security flaw. The source port is on the host of origin, and it doesn't matter which port it will be. What is important is the destination port.

When the application allows you to change the destination port, you can also use a different port on your outside mapping to a well-known port on your inside network. Let's say you use port 9999 outside, mapping to 3389 inside. This way someone using nmap-like software wouldn't be able to figure out which service you are running inside, as port 9999 is a random port. But, as I said, this is only possible when you are able to change the destination port on the application.

For example, the PuTTY SSH client allows you to point to any port and not only 22 for SSH connections. So you can map port XXXX outside to 22 inside, and in PuTTY send the request to IP Y.Y.Y.Y on port XXXX, and it will get to port 22 on the inside server.

Hope that helps.

 

-If I helped you somehow, please, rate it as useful.-
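The non-standard outside port described in the reply above, written out as an added example configuration (not posted by anyone in the thread) for the 8.2(5) code the question is about. It reuses the thread's placeholder addresses and assumes the outside interface address is 105.1.1.1. Two details matter on this code version: the inbound ACL on the outside interface matches the mapped (translated) address and port, so it must permit 9999, not 3389; and the ACL name is case-sensitive, so the access-group must reference exactly the name used in the access-list lines.

```cisco
! Added example for ASA 8.2: static PAT on a non-standard outside port,
! restricted to a single source address. Addresses are the thread's placeholders.
!
! Inbound ACL: no source-port operator (client source ports are ephemeral);
! destination is the mapped address and mapped port as seen on the outside.
access-list INBOUND extended permit tcp host 50.1.1.1 host 105.1.1.1 eq 9999
access-group INBOUND in interface outside
!
! Static PAT: outside interface port 9999 -> inside host 192.0.0.1 port 3389.
static (inside,outside) tcp interface 9999 192.0.0.1 3389 netmask 255.255.255.255
!
! Checks: confirm the translation exists, watch the ACE hit count climb,
! and trace a constructed client packet (ephemeral source port 49152).
show xlate
show access-list INBOUND
packet-tracer input outside tcp 50.1.1.1 49152 105.1.1.1 9999
```

Treat the port change as a convenience, not a control: a service-detection scan (for example nmap -sV) against port 9999 still fingerprints RDP. The source-address restriction in the ACE is what limits exposure. On 8.3 and later, NAT moved to object NAT and the inbound ACL references the real inside address and real port (192.0.0.1 eq 3389), so this fragment is specific to 8.2 and earlier.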
