I am working with a customer that already has an ASA 5505 V 7.2 installed with port forwarding configured for database updates to their app server. This port forwarding is working fine. Trying to set up a second port forwarding for remote IP phones to connect to a VOIP server. I have read several articles on port forwarding and believe my config is good. Created the TCP and UDP service object groups, access list and static inside/outside, but we are unable to connect the remote phones. Unfortunately this customer only has one (1) usable external IP to work with. Is this possible to do? And if so, where is my mistake? Below is an edited copy of the current config I am running on. Any help is greatly appreciated, this is driving me batty!
name 192.168.1.8 Toshiba
ip address 192.168.1.2 255.255.255.0
ip address 66.X.X.X 255.255.255.252
switchport access vlan 2
object-group service ToshibaUDP udp
port-object range 21000 27999
port-object range 30000 33279
port-object eq 1718
port-object eq 1719
port-object eq sip
object-group service ToshibaTCP tcp
port-object eq 2944
port-object eq 8080
port-object eq 10000
port-object eq 8768
port-object eq 8769
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.224
From what I see the configuration contains the following NAT configurations
Dynamic PAT (nat/global commands)
Static PAT (static with the port specified)
Especially the Static NAT makes me wonder.
You said there is only one public IP address but there is a Static NAT IP address that binds the whole public IP address to a single internal host? Is the public IP address used in the command the interface IP address? I can't exactly remember this older NAT configuration format but to my understanding the device would not even accept entering the interface IP address into a NAT configuration but instead you would have to use the parameter "interface".
Considering the above I am wondering where you have forwarded the multiple ports as there is only a Static PAT configuration for one port and the above Static NAT.
To test the ASA configurations you can always use "packet-tracer".
Thanks for the response! I will try the packet tracer on the unit when I am back on site with the customer. Should be tomorrow. Is there any documentation or sample configs that show how to go about port forwarding to two different internal IPs? I can make any changes needed to the ASA to get this working. Most everything I read only show port forwarding to one internal IP. I am sure this is where I'm getting lost. Again thanks for helping!!
The "source" and "destination" above simply refer to the source interface of the internal host and the destination interface towards which the NAT is supposed to be performed. In most typical cases they would simply be "inside" and "outside".
You would simply add these commands to the ASA with the correct public/internal ports and internal IPs as you have the need for and naturally allow the connections to those public ports on the ACL attached to the external interface of the ASA.
As I said I am not sure about the Static NAT configuration above. If there truly is one public IP address in use and that Static NAT is actually present in the configuration, then if you entered these Static PAT configurations without removing the Static NAT, the Static PAT simply would not get matched by the ASA and would not work (Static NAT configured before them in the configuration would override on all ports as it forwards all TCP/UDP ports to the single internal host).
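The shadowing described above (a whole-IP static NAT listed before the static PAT entries) can be spotted mechanically. The following is an added example, not code from the thread: it parses the pre-8.3 `static` command shapes and flags any port forward whose mapped address is already claimed by an earlier 1:1 static pointing at a different internal host. SAMPLE_CONFIG is constructed to mirror the situation in the thread (a forward to the app server that works, a forward to the phone system that does not); the real configuration was not posted in full.

```python
"""Find pre-8.3 ASA static PAT entries shadowed by an earlier whole-IP static NAT.

Added example for the thread above; not the poster's configuration.
"""

# Constructed sample: one 1:1 static binds the outside interface address to
# 192.168.1.5, then two port forwards follow. The TCP/1706 forward targets the
# same host, so it still appears to work; the UDP/5060 forward to a different
# host is never matched because the 1:1 entry above it takes every port.
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) interface 192.168.1.5 netmask 255.255.255.255
static (inside,outside) tcp interface 1706 192.168.1.5 1706 netmask 255.255.255.255
static (inside,outside) udp interface 5060 192.168.1.8 5060 netmask 255.255.255.255
"""


def parse_static(line):
    """Return a dict describing a 'static (real,mapped) ...' line, else None.

    Two pre-8.3 shapes are recognised:
      static (in,out) <mapped> <real> netmask <mask>                       (static NAT)
      static (in,out) tcp|udp <mapped> <mport> <real> <rport> netmask <mask> (static PAT)
    """
    toks = line.split()
    if len(toks) < 5 or toks[0] != "static" or "," not in toks[1]:
        return None
    real_if, mapped_if = toks[1].strip("()").split(",", 1)
    if toks[2] in ("tcp", "udp"):
        if len(toks) < 9:
            return None
        proto, mapped, mapped_port, real, real_port = toks[2], toks[3], toks[4], toks[5], toks[6]
    else:
        proto, mapped, mapped_port, real, real_port = None, toks[2], None, toks[3], None
    return {
        "real_if": real_if, "mapped_if": mapped_if, "proto": proto,
        "mapped": mapped, "mapped_port": mapped_port,
        "real": real, "real_port": real_port,
    }


def find_shadowed(config_text):
    """Return (line_no, shadowed_pat_line, shadowing_nat_line) for each
    static PAT whose mapped address was already consumed by an earlier
    whole-IP static NAT that points at a different internal host."""
    whole_ip = {}  # (mapped_if, mapped_addr) -> (line_no, line, real_host)
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        s = parse_static(line)
        if s is None:
            continue
        key = (s["mapped_if"], s["mapped"])
        if s["proto"] is None:
            # First whole-IP static on this mapped address wins; remember it.
            whole_ip.setdefault(key, (n, line, s["real"]))
        elif key in whole_ip and whole_ip[key][2] != s["real"]:
            findings.append((n, line, whole_ip[key][1]))
    return findings


if __name__ == "__main__":
    for line_no, pat, nat in find_shadowed(SAMPLE_CONFIG):
        print(f"line {line_no}: '{pat}' is shadowed by '{nat}'")
```

The check only reports the ordering problem the reply describes; it does not tell you whether the 1:1 static is wanted. If it is, the port forwards to any other host cannot coexist with it on the same single public address, which is exactly the question the thread is circling.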
If I am understanding you correctly this is not the best way to accomplish what I am trying to do. The config example is the config on the unit. The only thing I did when posting was "X" out the last three octets of the public IP and route outside statement; the subnet is correct on the outside interface, 255.255.255.252, which leaves me with one usable IP. The port forwarding for TCP port 1706 to 192.168.1.5 is working and has been as part of the original setup of the 5505. If there is a better way to configure the ASA to port forward to two internal IPs I can write erase the unit and start over. I just need an understanding of how to configure this.
I found config examples/documentation that showed the above lines, but they only allow for a single port, where I have big ranges that need forwarded. I have to admit, I am really confused. I have never had to setup an ASA in this manner. Thanks for all the help, just bear with me!!
Sadly the software level you are using doesn't enable forwarding multiple ports in a single configuration command.
This means that every port you would need to be forwarded would need to have its own statement, which could possibly result in a very large NAT configuration.
On the newer software levels where the NAT configuration format has changed completely you are able to forward a range of ports. Though there is no way to group a lot of ports in a single command. I mean you can use a single command to forward a single range of ports, whatever the range might be, but for single ports you will still be adding one NAT configuration per port, so it might still be a bit messy configuration.
Naturally when you need to host services to the public network the ideal situation is to have a public IP address dedicated to each internal host. In many cases this seems to be too costly an option for the user when reading the posts here, or the ISP in question has some other limitations preventing this.
So to my understanding your options are to either
Configure multiple "static" configurations for each of the ports that need to be forwarded (the configuration can naturally be easily generated, for example by using some copy/paste and Excel to generate the command for each port in a big range of ports)
Update the firewall to 8.3+ software level. In your case there might be multiple problems.
Judging by the current software level your ASA is probably several years old and doesn't have enough RAM to support the new software. The newer manufactured models come with more memory. I think this was from 2010 Feb onwards.
Also the problem is naturally the completely new NAT format, but as your configuration currently is pretty simple it wouldn't be that hard to convert.
Request additional public IP addresses from the local ISP
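The first option above (one `static` per port, generated rather than typed) can be scripted directly from the object-groups the original poster already has. This is an added example, not code from the thread or from Cisco: it reads the two `object-group service` blocks as posted, expands the `range` and `eq` entries, and emits one pre-8.3 static PAT line per port on the outside interface address, plus one ACL line per group. Assumptions: the phone system host is 192.168.1.8 (the `name ... Toshiba` line in the posted config), the outside ACL is called `outside_access_in` (not shown in the thread), and the small service-name table below is only used to turn names such as `sip` into numbers.

```python
"""Generate per-port pre-8.3 ASA static PAT commands from service object-groups.

Added example for the reply above; not the poster's configuration and not a
Cisco tool. Assumed names: host 192.168.1.8, ACL 'outside_access_in'.
"""

# Service names the ASA accepts in port-object lines; only the ones needed for
# the posted groups are listed (assumption: values follow IANA assignments).
PORT_NAMES = {"sip": 5060, "www": 80, "https": 443, "ftp": 21, "ssh": 22}

# The two object-groups exactly as they appear in the thread.
OBJECT_GROUPS = """\
object-group service ToshibaUDP udp
 port-object range 21000 27999
 port-object range 30000 33279
 port-object eq 1718
 port-object eq 1719
 port-object eq sip
object-group service ToshibaTCP tcp
 port-object eq 2944
 port-object eq 8080
 port-object eq 10000
 port-object eq 8768
 port-object eq 8769
"""


def port_number(token):
    """Turn a port token ('8080' or 'sip') into an int, rejecting unknown names."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown service name in port-object: {token}")


def parse_service_groups(text):
    """Parse 'object-group service <name> <proto>' blocks into
    {name: {'proto': str, 'ports': [int, ...]}} with ranges expanded."""
    groups = {}
    current = None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:2] == ["object-group", "service"] and len(toks) >= 4:
            current = groups.setdefault(toks[2], {"proto": toks[3], "ports": []})
        elif toks[0] == "port-object" and current is not None:
            if toks[1] == "eq":
                current["ports"].append(port_number(toks[2]))
            elif toks[1] == "range":
                lo, hi = port_number(toks[2]), port_number(toks[3])
                current["ports"].extend(range(lo, hi + 1))
    return groups


def static_pat_lines(groups, host, real_if="inside", mapped_if="outside"):
    """One 'static (inside,outside) <proto> interface <p> <host> <p>' per port."""
    return [
        f"static ({real_if},{mapped_if}) {g['proto']} interface {p} {host} {p} "
        f"netmask 255.255.255.255"
        for g in groups.values()
        for p in g["ports"]
    ]


def acl_lines(groups, acl="outside_access_in", mapped_if="outside"):
    """Permit the forwarded ports on the outside ACL, one line per group."""
    return [
        f"access-list {acl} extended permit {g['proto']} any interface {mapped_if} "
        f"object-group {name}"
        for name, g in groups.items()
    ]


def build_config(text=OBJECT_GROUPS, host="192.168.1.8"):
    """Return the full generated snippet as one string (statics, then ACL)."""
    groups = parse_service_groups(text)
    return "\n".join(static_pat_lines(groups, host) + acl_lines(groups))


if __name__ == "__main__":
    cfg = build_config()
    print(cfg)
    print(f"! {cfg.count(chr(10)) + 1} lines generated", file=__import__("sys").stderr)
```

Running it on the posted groups yields 10283 UDP statics and 5 TCP statics, which is the "very large NAT configuration" the reply warns about; the number is worth knowing before deciding between this route, an 8.3+ upgrade with a single range command, or a second public address.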