07-10-2014 12:36 PM - edited 03-11-2019 09:27 PM
I'm trying to optimize my nat rules for port forwarding on my ASA 5505 but it's not coming along.
I have a server which runs imap and a website - port 25 and 80.
I would like to create a service for each port, join them in a service group, and let outside traffic flow in.
So what I have is as follow:
!My server
object network testServer
host 192.168.1.110
!My ports
object service myImap
service tcp source eq 25 destination eq 25
object service http
service tcp source eq 80 destination eq 80
!A service group
object-group service testServerPorts
service-object object myImap
service-object object http
!NAT'ing
nat (inside,outside) source static testServer interface service myImap myImap
nat (inside,outside) source static testServer interface service http http
!Access-list
access-list outside_access_in permit object-group testServerPorts object testServer any
access-group outside_access_in in interface outside
However there's no love from the unit.
Anyone care to take a shot at it?
07-10-2014 11:53 PM
Hi,
You cannot use the same "object" in both the ACL and the NAT configuration, as in the NAT configuration you would only need the "source" parameter while in the ACL you would need the "destination" parameter.
To clarify, in the NAT configuration you are using we need to configure only the "source" section's port, which might naturally sound a bit weird depending on how you think of the NAT configuration.
Essentially the NAT commands format is
nat (sourceint,destint) source <static/dynamic> <real source> <mapped source> destination static <mapped destination> <real destination> service <real service> <mapped service>
So if you again look at your "object service" configurations you will notice that you have mentioned both "source" and "destination" parameters. This would essentially mean that only traffic sourced and destined for those ports will match this NAT rule. To my understanding these connections don't use identical ports as their source and destination.
In the above configuration format you will notice that the first 2 sections where you configure either an "object" or "object-group" relate to the real source address and the mapped source address. When you think about it from that perspective you will notice that you would only want to modify/match the real port on the server and the mapped port on the firewall. Hope I made any sense :)
For the NAT configuration you have the following options in format
object service HTTP
service tcp source eq 80
object service SMTP
service tcp source eq 25
object network SERVER
host 192.168.1.110
nat (inside,outside) source static SERVER interface service HTTP HTTP
nat (inside,outside) source static SERVER interface service SMTP SMTP
Or you could do
object network SERVER-HTTP
host 192.168.1.110
nat (inside,outside) static interface service tcp 80 80
object network SERVER-SMTP
host 192.168.1.110
nat (inside,outside) static interface service tcp 25 25
In the above configuration we use Auto NAT / Network Object NAT where you configure the local IP address and the "nat" command under an "object network". I will leave it to you to decide which format you use. Your original NAT configuration is a Manual NAT / Twice NAT format which uses different objects but is not configured UNDER any object.
For the ACL you could do for example
object-group service SERVER-PORTS
service-object tcp destination eq www
service-object tcp destination eq smtp
object network SERVER
host 192.168.1.110
access-list outside_access_in permit object-group SERVER-PORTS any object SERVER
Hope this helps :)
Let me know how it goes
- Jouni
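The mistake the reply describes (one "object service" carrying both a source and a destination port, then being shared between a twice NAT rule and the ACL) is easy to catch mechanically before a config is pushed. The following is an added example written for this thread, not code from the original post or from Cisco: a small Python linter that parses just the handful of ASA statements used above and reports the three problems Jouni points out. Both configurations it checks are constructed samples: the poster's original and the corrected shape from the reply. It only understands manual (twice) NAT lines, "object service", "object-group service" and "access-list permit object-group ..." entries; everything else is ignored.

```python
import re

# Constructed sample: the configuration from the original post in this thread.
POSTED_CONFIG = """
object network testServer
 host 192.168.1.110
object service myImap
 service tcp source eq 25 destination eq 25
object service http
 service tcp source eq 80 destination eq 80
object-group service testServerPorts
 service-object object myImap
 service-object object http
nat (inside,outside) source static testServer interface service myImap myImap
nat (inside,outside) source static testServer interface service http http
access-list outside_access_in permit object-group testServerPorts object testServer any
"""

# Constructed sample: the corrected shape suggested in the reply.
FIXED_CONFIG = """
object service HTTP
 service tcp source eq 80
object service SMTP
 service tcp source eq 25
object network SERVER
 host 192.168.1.110
nat (inside,outside) source static SERVER interface service HTTP HTTP
nat (inside,outside) source static SERVER interface service SMTP SMTP
object-group service SERVER-PORTS
 service-object tcp destination eq www
 service-object tcp destination eq smtp
access-list outside_access_in permit object-group SERVER-PORTS any object SERVER
"""


def _parse_ports(line):
    """Pull protocol, source port and destination port out of a
    'service tcp source eq X destination eq Y' style line (either may be absent)."""
    tokens = line.split()
    src = re.search(r"source eq (\S+)", line)
    dst = re.search(r"destination eq (\S+)", line)
    return {"proto": tokens[1],
            "src": src.group(1) if src else None,
            "dst": dst.group(1) if dst else None}


def parse_asa(text):
    """Minimal parser for the statements used in this thread; not a full ASA grammar.
    Returns (service objects, service groups, manual NAT lines, access-list lines)."""
    services, groups, nats, acls = {}, {}, [], []
    current = None  # (kind, name) of the object block whose indented lines we are in
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if not raw.startswith(" "):          # top-level statement
            current = None
            if tokens[:2] == ["object", "service"]:
                current = ("service", tokens[2])
            elif tokens[:2] == ["object-group", "service"]:
                current = ("group", tokens[2])
                groups[tokens[2]] = []
            elif tokens[0] == "nat":         # manual/twice NAT only (not nested under an object)
                nats.append(line)
            elif tokens[0] == "access-list":
                acls.append(line)
            continue
        if current and current[0] == "service" and tokens[0] == "service":
            services[current[1]] = _parse_ports(line)
        elif current and current[0] == "group" and tokens[0] == "service-object":
            if tokens[1] == "object":        # reference to a named object service
                groups[current[1]].append(tokens[2])
            else:                            # inline "service-object tcp destination eq www"
                groups[current[1]].append(_parse_ports(line))
    return services, groups, nats, acls


def lint(services, groups, nats, acls):
    """Report the port-semantics mistakes discussed in the thread."""
    findings = []
    nat_names, acl_names = set(), set()
    for nat in nats:
        m = re.search(r"\bservice (\S+) (\S+)$", nat)   # "service <real> <mapped>"
        if not m:
            continue
        for name in sorted(set(m.groups())):
            nat_names.add(name)
            svc = services.get(name)
            if svc is None:
                findings.append(f"NAT references undefined service object '{name}'")
            elif svc["dst"] is not None:
                findings.append(f"NAT service object '{name}' also sets destination eq {svc['dst']}; "
                                "twice NAT service objects should carry only the source port")
    for acl in acls:
        m = re.search(r"permit object-group (\S+)", acl)
        if not m:
            continue
        for member in groups.get(m.group(1), []):
            if isinstance(member, str):
                acl_names.add(member)
                svc, label = services.get(member), member
            else:
                svc, label = member, "inline service-object"
            if svc is not None and svc["dst"] is None:
                findings.append(f"ACL member '{label}' has no destination port; "
                                "ACL entries match on the destination port")
    for name in sorted(nat_names & acl_names):
        findings.append(f"service object '{name}' is shared by NAT and the ACL, "
                        "but the two need different port semantics")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in lint(*parse_asa(cfg)) or ["no findings"]:
            print(" -", f)
```

Run against the posted configuration it reports four findings (both service objects set a destination port, and both are shared between NAT and the ACL); against the corrected configuration it reports none. The same checks can be run over a config exported with "show running-config" before it is applied, which is where a mistake like this is cheapest to catch.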