Cisco Support Community

ASA 5505 port forwarding

Hi,

I would like to migrate the port forwarding configuration of an ADSL modem to an ASA 5505. Attached is the diagram. Is it configurable?

My concern is the port range.

Is ASDM able to do such config?

port_fowarding.jpg

15 REPLIES
Super Bronze

ASA 5505 port forwarding

Hi,

This depends a lot on the software level of your ASA5505.

Though by now, if you aren't buying an old ASA5505, I would imagine that it comes with newer software already (software 8.3+).

The reason is that there is a big change in the NAT configuration format and operation when going from 8.2 to 8.3 (or anything above). Also, forwarding a range of ports is only possible in the newer software; in the old one you have to do them separately for each port.

In software level 8.2 and below, the NAT configuration format for Port Forward / Static PAT is:

  • Below presumes the interfaces are named "outside" and "inside", that there is no ACL attached to "outside", and that we create a new ACL called "OUTSIDE-IN" for it.

static (inside,outside) tcp interface netmask 255.255.255.255

static (inside,outside) udp interface netmask 255.255.255.255

access-list OUTSIDE-IN remark Allow traffic

access-list OUTSIDE-IN permit tcp any host eq

access-list OUTSIDE-IN permit udp any host eq

access-group OUTSIDE-IN in interface outside

Sadly there is no way to configure a range of ports (at least to my understanding), so you would have to make a separate statement for each port, which naturally will get messy but should work.

In software level 8.3 and after, the NAT configuration format for Port Forward / Static PAT is:

  • Below presumes the interfaces are named "outside" and "inside", that there is no ACL attached to "outside", and that we create a new ACL called "OUTSIDE-IN" for it.

Option 1

object network STATIC-PAT-TCP

host

nat (inside,outside) static interface service tcp

object network STATIC-PAT-UDP

host

nat (inside,outside) static interface service udp

access-list OUTSIDE-IN remark Allow traffic

access-list OUTSIDE-IN permit tcp any host object STATIC-PAT-TCP eq

access-list OUTSIDE-IN permit udp any host object STATIC-PAT-UDP eq

access-group OUTSIDE-IN in interface outside

Option 2

object service TCP-XX

service tcp source eq xx

object service UDP-XX

service udp source eq xx

object network SERVER

host

nat (inside,outside) source static SERVER interface service TCP-XX TCP-XX

nat (inside,outside) source static SERVER interface service UDP-XX UDP-XX

access-list OUTSIDE-IN remark Allow traffic

access-list OUTSIDE-IN permit tcp any host object SERVER eq

access-list OUTSIDE-IN permit udp any host object SERVER eq

access-group OUTSIDE-IN in interface outside

In the above you have to notice that there is a major change in the NAT and ACL. In the older software we open traffic in the ACL towards the NAT IP address (public) and the public port. In the newer software, however, we open the traffic towards the local IP address and the local port. This change is caused by the change in NAT configuration and operation in the new software.

If you wanted to forward a range of ports in the new software, you could use this kind of configuration:

object service RANGE

service tcp source range 1000 2000

object network SERVER

host

nat (inside,outside) source static SERVER interface service RANGE RANGE

access-list OUTSIDE-IN remark Allow traffic

access-list OUTSIDE-IN permit tcp any host object SERVER range 1000 2000

access-group OUTSIDE-IN in interface outside

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

ASA 5505 port forwarding

Hi,

Thanks a lot

Below is my software version:

I will try to configure it first and see the result.

---------------------------------------------

Cisco Adaptive Security Appliance Software Version 8.4(5)

Device Manager Version 7.1(1)52

Compiled on Mon 29-Oct-12 10:13 by builders

System image file is "disk0:/asa845-k8.bin"

Config file at boot was "startup-config"

----------------------------------------------

Re: ASA 5505 port forwarding

Hi,

I could not get RDP from outside with this config. Why is that?

----

ASA Version 8.4(5)

!

hostname ciscoasa

enable password xabmwV2RnXLd5nLW encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 175.142.54.174 255.255.255.252

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network gst_sap

host 192.168.1.200

object-group service rdp tcp

port-object eq 3389

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any interface outside object-group rdp

access-list outside_access_in extended permit ip any any

access-list rdp-in extended permit tcp any host 192.168.1.200 eq 3389

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj_any

nat (inside,outside) dynamic interface dns

object network gst_sap

nat (inside,outside) static interface service tcp 3389 3389

access-group inside_access_in in interface inside

access-group rdp-in in interface outside

route outside 0.0.0.0 0.0.0.0 175.142.54.173 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.151-192.168.1.170 inside

dhcpd dns 202.188.0.133 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home reporting anonymous prompt 1

Cryptochecksum:3f04b7466717e034e987754625a3c63b

: end

Super Bronze

ASA 5505 port forwarding

Hi,

I don't see a problem with the configuration, at least.

Could you issue this command to test the configuration:

packet-tracer input outside tcp 8.8.8.8 12345 3389

At the moment it would seem to me that the problem is probably somewhere behind the ASA. Maybe on the actual server/host. Though I imagine this worked before the ASA already.

Have you monitored logs while attempting the connections? They should tell the reason why the connection is failing.

Does your Internet connection work after you've installed the ASA in place of the old device?

You should also mask your public IP address in the posts since this is a public forum, or use some IP address as an example that isn't your actual public IP address.

- Jouni

Re: ASA 5505 port forwarding

Hi,

The result:

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   175.142.x.x  255.255.255.252 outside

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA 5505 port forwarding

This is the ACL

Super Bronze

ASA 5505 port forwarding

Hi,

It would seem to me that the wrong public IP address must have been used as the destination IP address of the "packet-tracer" command, as the "input" and "output" interface SHOULDN'T be the same in the above output.

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Are you sure you used the IP address that is configured on your ASA's "outside" interface?

The first thing you should see in the "packet-tracer" is:

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network gst_sap

nat (inside,outside) static interface service tcp 3389 3389

Additional Information:

NAT divert to egress interface inside

Untranslate /3389 to 192.168.1.200/3389

The Dynamic PAT rule you have shouldn't cause problems since both of your NAT rules are Network Object NAT. The ASA should handle their ordering and priority automatically.

But you could always try to change these:

nat (inside,outside) after-auto source dynamic any interface

no object network obj_any

- Jouni
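The two things Jouni tells the poster to look for in the trace, an UN-NAT phase as the first phase and an output interface that differs from the input interface, can be checked mechanically. The following parser is an added example, not code from the thread or from Cisco: it assumes the ASA 8.4 packet-tracer layout quoted in this thread, and the two traces embedded in it are constructed to mirror the poster's outputs, with 203.0.113.0/24 standing in for the real public addresses.

```python
"""Parse ASA packet-tracer output and flag the symptoms discussed above. Added
example, not code from the thread or from Cisco; the traces are constructed."""
import re
from typing import Any, Dict, List, Optional, Tuple


def parse_packet_tracer(text: str) -> Tuple[List[Dict[str, Any]], Dict[str, str]]:
    """Return the phases (number/type/result/config/info) and the final summary."""
    phases: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    section: Optional[str] = None  # "config" or "info" within the current phase
    summary: Dict[str, str] = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = {"number": int(m.group(1)), "type": "", "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            current, section = None, None
        elif current is None:  # summary lines such as "Action: drop"
            if ":" in line:
                key, value = line.split(":", 1)
                summary[key.strip().lower()] = value.strip()
        elif line.startswith(("Type:", "Result:")):
            key, value = line.split(":", 1)
            current[key.lower()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section is not None:  # "Subtype:" comes before any section and is ignored
            current[section].append(line)
    return phases, summary

def untranslated_destination(phases: List[Dict[str, Any]]) -> Optional[str]:
    """Real host/port that the UN-NAT phase maps the packet to, if any."""
    for phase in phases:
        if phase["type"] == "UN-NAT":
            m = re.search(r"Untranslate \S+ to (\S+)", "\n".join(phase["info"]))
            return m.group(1) if m else None
    return None

def diagnose(text: str) -> List[str]:
    """Findings as 'CODE: explanation', in the order a reader should act on them."""
    phases, summary = parse_packet_tracer(text)
    findings = []
    if not phases or phases[0]["type"] != "UN-NAT":
        findings.append("NO-UNNAT-FIRST: no static NAT matched the destination; an inbound "
                        "static PAT trace should start with an UN-NAT phase")
    if summary.get("action") == "drop" and \
            summary.get("input-interface") == summary.get("output-interface"):
        findings.append("HAIRPIN: input and output interface are the same, so the destination "
                        "is not an address the ASA translates (check the outside interface IP)")
    dest = untranslated_destination(phases)
    for phase in phases:
        if phase["type"] == "ACCESS-LIST" and phase["result"] == "DROP":
            rule = "the implicit deny" if "Implicit Rule" in phase["config"] else " / ".join(phase["config"])
            findings.append(f"ACL-DROP: phase {phase['number']} hit {rule}; on 8.3+ the ACE must permit "
                            "the real (untranslated) host/port" + (f", here {dest}" if dest else ""))
    return findings

# Constructed trace: wrong destination address, as in the poster's first attempt.
TRACE_WRONG_DEST = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: outside
output-interface: outside
Action: drop
"""
# Constructed trace: right destination, but the outside ACL has no permit for the real host.
TRACE_ACL_DENY = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network gst_sap
nat (inside,outside) static interface service tcp 3389 3389
Additional Information:
Untranslate 203.0.113.10/3389 to 192.168.1.200/3389
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

On the first constructed trace diagnose reports NO-UNNAT-FIRST, HAIRPIN and ACL-DROP, which is the "wrong destination IP" case; on the second it reports only ACL-DROP and names 192.168.1.200/3389 as the host the ACE has to permit, which is the case the rest of this thread resolves.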

ASA 5505 port forwarding

Hi,

Tried changing the public IP (used the outside IP address).

Can you help?

ciscoasa# packet-tracer input outside tcp 8.8.8.8 12313 175.142.54.174 3389

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network gst_sap

nat (inside,outside) static interface service tcp 3389 3389

Additional Information:

NAT divert to egress interface inside

Untranslate 175.142.54.174/3389 to 192.168.1.200/3389

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Super Bronze

ASA 5505 port forwarding

Hi,

Can you post the output of:

show run access-list

show run access-group

- Jouni

ASA 5505 port forwarding

Hi,

Thanks,

Here it is:

ciscoasa# sh run access-list

access-list inside_access_in extended permit ip any any

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any interface outside object-group rdp

access-list rdp-in extended permit tcp any interface outside eq 3389

ciscoasa# sh run access-group

access-group inside_access_in in interface inside

access-group rdp-in in interface outside

Super Bronze

ASA 5505 port forwarding

Hi,

Make these changes and try again:

access-list rdp-in extended permit tcp any object gst_sap eq 3389

no access-list rdp-in extended permit tcp any interface outside eq 3389

- Jouni
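The corrected ACE above is the point Jouni makes in his first reply: on 8.3+ the outside ACL is evaluated after un-NAT, so it must permit the real host and the real port, not `interface outside` and the mapped port. The following linter is an added example, not the poster's configuration or Cisco code, that checks a running-config for exactly that mismatch. It assumes the 8.3+ network-object NAT syntax used in this thread (twice NAT and object-group ACEs are out of scope), sub-commands indented one space as `show running-config` prints them, and a constructed config with 203.0.113.0/24 in place of the poster's public address.

```python
"""Lint an ASA 8.3+ config for the static PAT / outside ACL mismatch fixed above.
Added example, not the poster's or Cisco's code; the configs are constructed
(203.0.113.0/24 as the public range) and only network-object NAT is covered."""
import re
from typing import List, NamedTuple, Optional


class StaticPat(NamedTuple):
    obj: str        # network object carrying the NAT statement
    real_ip: str    # its "host" address
    proto: str
    mapped_port: str
    real_port: str


NAT_RE = re.compile(r"nat \(\S+,\S+\) static interface service (tcp|udp) (\S+) (\S+)$")
ACE_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp|ip) any "
                    r"(host \S+|object \S+|interface \S+|any)(?: eq (\S+))?$")


def parse_static_pats(config: str) -> List[StaticPat]:
    """Collect network objects that carry a static interface PAT, with their host."""
    hosts, pats, obj = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            obj = m.group(1)
        elif not raw.startswith(" "):  # an unindented line ends the object block
            obj = None
        elif obj and line.startswith("host "):
            hosts[obj] = line.split()[1]
        elif obj and (m := NAT_RE.match(line)):
            pats.append(StaticPat(obj, hosts.get(obj, "?"), *m.groups()))
    return pats


def inbound_acl(config: str, iface: str) -> Optional[str]:
    """Name of the ACL applied inbound on `iface`, or None if nothing is bound."""
    m = re.search(rf"^access-group (\S+) in interface {re.escape(iface)}$", config, re.M)
    return m.group(1) if m else None


def lint(config: str, outside: str = "outside") -> List[str]:
    """Findings as 'CODE: explanation' for traffic arriving on `outside`."""
    acl = inbound_acl(config, outside)
    if acl is None:
        return [f"NO-ACL: nothing is bound inbound on {outside}, so the implicit deny drops every inbound flow"]
    rules = []  # (proto, dest kind, dest name, port) for each permit ACE in that ACL
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if m and m.group(1) == acl:
            kind, _, name = m.group(3).partition(" ")
            rules.append((m.group(2), kind, name, m.group(4)))
    findings = []
    if any(proto == "ip" and kind == "any" for proto, kind, _, _ in rules):
        findings.append(f"ANY-ANY: {acl} permits ip any any, exposing every translated host, not just the PAT ports")
    for pat in parse_static_pats(config):
        real = {("object", pat.obj), ("host", pat.real_ip)}
        if any(p == pat.proto and port == pat.real_port and (k, n) in real for p, k, n, port in rules):
            continue  # correct 8.3+ ACE: real host, real port
        if any(p == pat.proto and (k, n) == ("interface", outside) and port == pat.mapped_port
               for p, k, n, port in rules):
            findings.append(f"MAPPED-DEST: {acl} permits {pat.proto}/{pat.mapped_port} to 'interface {outside}' "
                            f"(pre-8.3 style); on 8.3+ the ACL sees the untranslated packet, so use "
                            f"'permit {pat.proto} any object {pat.obj} eq {pat.real_port}'")
        else:
            findings.append(f"NO-PERMIT: {acl} has no permit for {pat.proto}/{pat.real_port} to {pat.obj} ({pat.real_ip})")
    return findings


# Constructed config mirroring the thread's before the fix (public IP replaced).
CONFIG_BROKEN = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.252
object network gst_sap
 host 192.168.1.200
access-list rdp-in extended permit tcp any interface outside eq 3389
object network gst_sap
 nat (inside,outside) static interface service tcp 3389 3389
access-group rdp-in in interface outside
"""
# The same config with the ACE Jouni gives above.
CONFIG_FIXED = CONFIG_BROKEN.replace("permit tcp any interface outside eq 3389",
                                     "permit tcp any object gst_sap eq 3389")
```

On the constructed copy of the original config it reports MAPPED-DEST for gst_sap; with the corrected ACE it reports nothing, with no access-group bound on outside it reports NO-ACL, and a `permit ip any any` in the bound ACL is flagged as ANY-ANY because it opens every translated host rather than the single PAT port.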

ASA 5505 port forwarding

Hi,

Same. Couldn't RDP from outside.

Please help because now I'm stuck.

Super Bronze

ASA 5505 port forwarding

Hi,

Well, the ACL rule before was wrong, at least.

Can you post the same "packet-tracer" command's output again?

- Jouni

ASA 5505 port forwarding

Hi,

I input "packet-tracer input outside tcp 8.8.8.8 12313 175.142.54.174 3389"

The RDP is OK, but why do I need to use x.x.x.174 (the outside interface)?

My public IP is x.x.x.173.

------

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

object network gst_sap

nat (inside,outside) static interface service tcp 3389 3389

Additional Information:

NAT divert to egress interface inside

Untranslate 175.142.54.174/3389 to 192.168.1.200/3389

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group rdp-in in interface outside

access-list rdp-in extended permit tcp any object gst_sap eq 3389

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) after-auto source dynamic any interface

Additional Information:

Phase: 5

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

object network gst_sap

nat (inside,outside) static interface service tcp 3389 3389

Additional Information:

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 2144, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

Super Bronze

ASA 5505 port forwarding

Hi,

Everything seems to be fine with regards to the ASA configuration, as the connection goes through just fine.

Are you sure that the default gateway of the server you are trying to reach is set to use the ASA "inside" interface as its gateway?

I am not sure whether you have completely replaced the old device with the ASA, and whether the old device had the same gateway IP address on its "inside" interface.

You should go to the Monitor -> Logging section of the ASDM and attempt the connection from the Internet to the server and see what the logs say.

- Jouni
