03-24-2012 10:16 AM - edited 03-11-2019 03:46 PM
I've migrated from my lab PIX to a lab ASA and am trying to open certain ports to my internal network.
In my config on my PIX I had ACLs to open port 51413 to an inside host, along with the static NAT rule.
What I am trying to accomplish is the same on my ASA; however, the NAT rules seem to be slightly different, and I'm not completely sure how to do it.
My ACL and NAT rule are below. I'm pretty certain my ACL is correct, but I am not sure what to do with my NAT rules to allow a translation for the TCP service. Any help would be appreciated.
access-list outside-in extended permit object tcp51413 any object outside
nat (inside,outside) source dynamic all-inside-nat interface
03-25-2012 07:38 AM
Assuming single WANIP 24.333.23.77 (outside interface)
ISP gateway IP 24.333.23.48
LAN 192.168.1.1 (inside interface)
single server RDP 3389 for example
server host PC 192.168.1.44
a. NEED two ACL rules
b. NEED one static NAT rule (port forwarding)
c. NEED one dynamic NAT rule (allows users behind the router to get to the net, i.e. inbound to outbound)
d. NEED one routing rule.
Notes for the ASDM GUI:
(1) Ensure you use ACCESS RULES in the GUI for the ACL rules in order to associate them with the OUTSIDE interface. This is done by putting your rule under the OUTSIDE submenu selection in the popup. By doing so it creates the two rules one would manually insert via the CLI. The running config looks the same for both. ACL Manager is only for post editing and review (not initial config).
(2) For NAT rules, use network objects and the NAT menu selection at the bottom of the popup. The NAT Rules main menu selection is more for post editing and review (NOT initial config). Be advised that in the GUI, when you make the NAT rule it creates an object rule as well.
You will note in my NAT rules for port forwarding you do specify the LAN IP of the server, but avoid using the same name for this embedded NAT rule as you do for the server itself. (Two reasons: you may have more than one server on that PC, and second you need the server PC by itself as an object for ACL rules.)
Excerpts from the running config to get an idea of placement.
(Dynamic PAT rule to allow outbound initiated connections from the LAN; applies SNAT. The default setup of an ASA 5505 includes this automagically.)
object network obj_any_inside
subnet 0.0.0.0 0.0.0.0
(Allowed external users: object rules)
object network TrustedInternetUsers
subnet 24.333.23.0 255.255.255.0
object network Corporate-user
host 171.26.424.24
object-group network AuthUsers-Group
network-object object TrustedInternetUsers
network-object object Corporate-user
(Network object rule identifying the server PC, aka the host)
object network server-pcIP
host 192.168.1.44
(Service object rule for RDP)
object service RDP
service tcp destination eq 3389
(1st output of the NAT rule creates an object)
object network NAT4RDP
host 192.168.1.44
(ACL rule: the first output is for access to the server, allowing the group of permitted users for that service. ACL rules come before NAT rules in sequence.)
access-list outside_access_in extended permit object RDP object-group AuthUsers-Group object server-pcIP
(Second output of the NAT rule is the NAT rule itself)
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
(The second ACL output is automatically created (access-group rule) and appears after the NAT rules and before the next-hop outbound route rule for any outgoing traffic from the inside interface.)
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.333.23.48 1
timeout xlate 3:00:00
03-26-2012 10:27 PM
Thanks Alex. I feel like I have it set up right, but for whatever reason my client on the inside still thinks the port is not open. Here are my packet traces and config snippets. Note I don't actually expect to connect to 8.8.8.8 on port 51413; it's really just meant to serve as a real-world outside address that I know exists. In all reality I could be connecting to anything. Yes, I am trying to open up ports for torrents on my lab. But really this would provide me a template for other things in the future. Feedback would be appreciated.
Config snippet
description Inside User Subnets
object network vlan201
subnet 10.10.201.0 255.255.255.0
object network vlan203
subnet 10.10.203.0 255.255.255.0
object-group network all-inside-nat
network-object object vlan201
network-object object vlan203
object service torrent
service tcp source eq 51413
access-list outside-in extended permit object torrent any object-group all-inside-nat
access-list outside-in extended permit icmp any any
access-list outside-in extended deny ip any any log
access-list inside-in extended permit ip any any
nat (inside,outside) source static all-inside-nat all-inside-nat service torrent torrent
nat (inside,outside) source dynamic all-inside-nat interface
access-group outside-in in interface outside
access-group inside-in in interface inside
ciscoasa# packet-tracer input inside tcp 10.10.201.4 51413 8.8.8.8 51413
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside-in in interface inside
access-list inside-in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static all-inside-nat all-inside-nat service torrent torrent
Additional Information:
Static translate 10.10.201.4/51413 to 10.10.201.4/51413
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 969599, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ciscoasa# packet-tracer input outside tcp 8.8.8.8 51413 10.10.201.4 51413
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static all-inside-nat all-inside-nat service torrent torrent
Additional Information:
NAT divert to egress interface inside
Untranslate 10.10.201.4/51413 to 10.10.201.4/51413
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside-in in interface outside
access-list outside-in extended permit object torrent any object-group all-inside-nat
object-group network all-inside-nat
network-object object vlan201
network-object object vlan203
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static all-inside-nat all-inside-nat service torrent torrent
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 969732, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
03-27-2012 08:52 PM
Let me caveat that what I thought you were doing was allowing external users to access servers behind the ASA.
I may be very wrong in this assumption, and if so you can disregard the rest of this post LOL. In fact, the more I read, it's like you want users behind the ASA but on a separate LAN to access a server on a different LAN??
(1) Not sure why you have this rule? I don't have it and my setup works.
access-group inside-in in interface inside
(2) Not keen on your ACL rule structure.
access-list outside-in extended permit object torrent any object-group all-inside-nat
I would likely try to put in:
access-list outside-in extended permit object torrent object-group all-inside-nat object server-pcIP
Assuming these definitions exist:
object network server-pcIP
host 8.8.8.8
object service torrent
service tcp destination eq 51413
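A small Python model, added here and not code from the thread or from Cisco, of the inbound path the packet-tracer output above shows: UN-NAT first, then the outside-in ACL matched against the real inside address (ASA 8.3+ behaviour). It replays the thread's trace packet (source port 51413 on both ends) and a peer connecting from an ephemeral port against both service-object definitions, the poster's "source eq 51413" and Alex's "destination eq 51413". The outside interface IP 203.0.113.10 and the port-forward to the interface IP (the pattern in Alex's RDP excerpt) are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_service(line: str) -> tuple:
    """Parse an ASA 'service tcp source|destination eq PORT' line into (proto, direction, port)."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "service" or parts[3] != "eq" \
            or parts[2] not in ("source", "destination"):
        raise ValueError(f"unsupported service line: {line!r}")
    return parts[1], parts[2], int(parts[4])


def service_matches(svc: tuple, pkt: Packet) -> bool:
    """'permit object <svc>' compares the object's port against the packet's SOURCE or
    DESTINATION port, depending on how the service object was written."""
    proto, direction, port = svc
    port_in_packet = pkt.src_port if direction == "source" else pkt.dst_port
    return proto == pkt.proto and port_in_packet == port


def un_nat(pkt: Packet, mapped_ip: str, real_ip: str, port: int) -> Packet:
    """Static port forward ('static interface service tcp P P'): an inbound packet to the
    outside interface IP on P is rewritten to the real host; anything else is untouched."""
    if pkt.dst_ip == mapped_ip and pkt.dst_port == port:
        return replace(pkt, dst_ip=real_ip)
    return pkt


def inbound_allowed(pkt: Packet, svc_line: str, mapped_ip: str, real_ip: str,
                    port: int, acl_dst_ip: str) -> bool:
    """Phase order from the trace: UN-NAT, then the outside-in ACL on the REAL address."""
    real = un_nat(pkt, mapped_ip, real_ip, port)
    return real.dst_ip == acl_dst_ip and service_matches(parse_service(svc_line), real)


# Constructed sample values: 203.0.113.10 stands in for the outside interface IP.
OUTSIDE_IP, TORRENT_HOST, PORT = "203.0.113.10", "10.10.201.4", 51413
POSTER_SVC = "service tcp source eq 51413"          # as in the thread's config
SUGGESTED_SVC = "service tcp destination eq 51413"  # as in the reply above

if __name__ == "__main__":
    tracer = Packet("tcp", "8.8.8.8", 51413, TORRENT_HOST, 51413)  # the packet-tracer test
    peer = Packet("tcp", "8.8.8.8", 40000, OUTSIDE_IP, 51413)      # a real peer, ephemeral source port
    for name, pkt in (("packet-tracer", tracer), ("real peer", peer)):
        for svc in (POSTER_SVC, SUGGESTED_SVC):
            ok = inbound_allowed(pkt, svc, OUTSIDE_IP, TORRENT_HOST, PORT, TORRENT_HOST)
            print(f"{name:13s} {svc:35s} -> {'allow' if ok else 'deny'}")
```

The trace packet is allowed under both definitions because its source port happens to be 51413, which is why the packet-tracer run looks fine while a peer using a random source port is only allowed under the destination-port definition.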