Port Forwarding Configuration

Unanswered Question
Dec 1st, 2010

Hi,

I have a Cisco ASA 5520. I need to configure port forwarding on the vpn tunnel. Eg. i have almost 100 L2L vpn tunnels. Any clients hitting my LAN ip 192.168.1.1 on port 21, my ASA should forward that port 21 traffic to 192.168.2.1. Is it possible on the VPN? Please let me the configuration. If that doesn't work, lemme know any you suggestions on this. Please note that, any other traffic if client is hitting 192.168.1.1:80 it should not forward.

Requirement

172.16.1.1 (client) -----> 192.168.1.1:21 -----> 192.168.2.1:21

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
coto.fusionet Wed, 12/01/2010 - 10:30

Hi,

Port forwarding will work over VPN if you're NATing through the tunnel (VPN traffic not included in NAT exemption)

static (in,out) tcp 192.168.1.1 21 192.168.2.1 21

The above will redirect all TCP 21 coming to 192.168.1.1 to 192.168.2.1

If the VPN client uses 192.168.1.1 to reach 192.168.2.1, it should work.

Federico.

anandanarayana Wed, 12/01/2010 - 18:52

Thanks for the response. Let me try this in my lab in a day or two before configuring them on LIVE. But as mentioned, any other traffic if client is hitting

192.168.1.1:80, it should be forwarding to a different server say 192.168.3.1:80 or may be i can use it on some other server to re-direct. That should also work.

Let me know if that too is possible

If port port 21 port forwarding rule is applied, there will be no change in the existing access-list on the vpn tunnel (which  is already in place) as this rule will forward only when it receives port  21 traffic from the client isn't?

or

any change required in the access-list?

ie.

while my existing configuration (which you have suggested) is in place, Client ----> 192.168.1.1:21 ----> 192.168.2.1:21

when i do port forwarding on the same server using different port say port 80 (as mentioned below) should also work

Client -----> 192.168.1.1:80 (this will open the web page on this server itself without re-directing to any other)

or

Client -----> 192.168.1.1:80 -----> 192.168.3.1:80 (which has to re-direct to any other server)

coto.fusionet Thu, 12/02/2010 - 05:51

Yes.

You can use port forwarding to define other ports using the same IP as you mentioned.

For this to work is because you are doing NAT through the tunnel... meaning the access-list for VPN is directed to the NAT IP.

Federico.

anandanarayana Thu, 12/02/2010 - 06:11

Thanks. Could you just provide me a sample configuration of the access-list which i need to use on the vpn tunnel or any other configuration required for port forwarding?

Below is my vpn configuration in addition to your suggested port forwarding configuration (PAT) for your understand of my current configuration.

interface GigabitEthernet0/0
description OUTSIDE INTERFACE
speed 100
duplex full
nameif outside
security-level 0
ip address 124.123.122.254 255.255.255.0

interface GigabitEthernet0/1
description INSIDE INTERFACE
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0

access-list VPN-CLIENT extended permit ip host 192.168.1.1 host 172.16.1.1

access-list NONAT extended permit ip host 192.168.1.1 host 172.16.1.1

access-list in2out extended permit ip any any


static (inside,outside) tcp 192.168.1.1 21 192.168.2.1 21

global (outside) 1 124.123.122.1 netmask 255.255.255.255

nat (inside) 0 access-list NONAT

nat (inside) 1 192.168.1.0 255.255.255.0

access-group out2in in interface outside

access-group in2out in interface inside

Client IP - 172.16.1.1

My Server - 192.168.1.1

My FTP Server ip - 192.168.2.1

coto.fusionet Thu, 12/02/2010 - 10:40

The problem that I see is the following:

Client IP - 172.16.1.1

My Server - 192.168.1.1

My FTP Server ip - 192.168.2.1

The ASA will receive the VPN traffic from 172.16.1.1

The ASA have a NAT exemption rule to forward the traffic to 192.168.1.1

After the ASA forwards the packets to 192.168.1.1, the ASA is not going to manipulate the packets again to be able to redirect the packets to 192.168.2.1

ie.

If the ASA receives a packet on its outside interface, it can redirect those packets to an internal IP using port forwarding.

The difference here is that you're telling the ASA to send the packets to a host already on the inside 192.168.1.1 and the redirect those packets again.

Federico.

anandanarayana Thu, 12/02/2010 - 19:16

Does it mean that it will work only when i have 192.168.2.1 server on the DMZ port on the same ASA?

Actions

Login or Register to take actions

This Discussion

Posted December 1, 2010 at 10:24 AM
Stats:
Replies:6 Avg. Rating:
Views:1327 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard