Policy based nat help needed

Robert Mogan
Level 1

Hi there

I'm struggling to configure an ASA firewall - vers 8.31

Dmz contains a group of servers.  A new application has been put onto one of the servers and assigned a port number, it is to be accessible from the internet.

I have been asked to open a port on the firewall and to configure nat for the specific port.

I have a book which seems to refer to the old way of doing things (as the commands don't work) and I've been looking at the following document:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp112714

But I'm stuck - I spent all day yesterday trying to sort this and I'm no further forward so any help is appreciated.

Thanks


Robert Mogan
Level 1

Probably should mention that all the other configurations are policy based and I inherited this firewall from an engineer who left in a hurry so the configs not documented.

Are you talking about a port forwarding configuration for a new server with a specific port? Better to post your configuration here, mentioning the new IP of the server and what exactly you are looking for.

Thanks

Ajay

Hi Ajay

Yes, I think it's port forwarding. Machines on the internet (there's only one at the moment but expected to grow to maybe as many as 50 within a few years) will connect to a database on the server using port 44500.  TCP and UDP connections.

So I think I want to translate global addresses with port number 44500 in the header that enter from "outside" interface.  When they come into the internal network through to the "dmz" interface then they should have a new source address but keep the same port number. (not sure?)

Port: 44500 tcp-udp

The server address is 192.168.182.80 (it's not new)

Internet is on interface name "Outside"

DMZ is on interface name "DMZ"

so far I've got:

object-group network EXT-FAR-ASL
 network-object host 192.168.184.80
object-group service PAT-192.168.184.80-pt44500
 service-object tcp-udp destination eq 44500

I think the syntax for the translation is:

nat (outside,dmz) static source any any destination static EXT-FAR-ASL EXT-FAR-ASL service PAT-192.168.184.80-pt44500 PAT-192.168.184.80-pt44500

but I'm not sure

Thanks again

Hi Robert,

Can you please post full config ?

Thanks

Ajay

Hi Ajay

Thanks for bearing with me - I had to trim it down a bit but here you are:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.12.21 13:02:01 =~=~=~=~=~=~=~=~=~=~=~=
FIREWALL#
FIREWALL# sho run
: Saved
:
ASA Version 8.3(1)
!
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.186.252 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif dmz
 security-level 80
 ip address 192.168.184.253 255.255.255.0
!
interface Ethernet0/3
 nameif pcndmz
 security-level 70
 ip address 192.168.187.252 255.255.255.0
!
interface Management0/0
 nameif outside
 security-level 0
 ip address 80.x.x.x 255.255.255.192
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ourco.biz
object network 192.168.184.0-LOCAL-NONAT
 subnet 192.168.184.0 255.255.255.0
object network 192.168.184.0-LOCAL-NAT
 subnet 192.168.184.0 255.255.255.0
object network PAT-192.168.184.37-WWW
 host 192.168.184.37
object network PAT-192.168.184.37-HTTPS
 host 192.168.184.37
object network PAT-192.168.184.43-WWW:82
 host 192.168.184.43
object network PAT-192.168.184.43-FTP
 host 192.168.184.43
object network PAT-192.168.184.35-WWW
 host 192.168.184.35
object network PAT-192.168.187.44-WWW
 host 192.168.187.44
object network PAT-192.168.187.44-HTTPS
 host 192.168.187.44
object network PAT-192.168.184.80-WWW:8799
 host 192.168.184.80
object network PAT-192.168.184.80-port44580
object network ASL
 host 192.168.184.80
object service PAT-ASL-445800
 service tcp destination eq 44580
object-group network DMZ
 network-object 192.168.184.0 255.255.255.0
object-group network EXT-FAR-ASL
 network-object host 192.168.184.80
object-group service EXT-FAR-ASL-TCP-IN tcp
 port-object eq www
 port-object eq 8799
 port-object eq 44500
object-group network NAT
 network-object host 80.x.x.x
object-group network FHAM-NET
 network-object 192.168.184.0 255.255.255.0
 network-object 192.168.185.0 255.255.255.0
 network-object 192.168.186.0 255.255.255.0
 network-object 192.168.187.0 255.255.255.0
object-group network WEBSERVERS
 network-object host 192.168.184.43
 network-object host 192.168.184.34
 network-object host 192.168.184.37
 network-object host 192.168.184.80
 network-object host 192.168.184.60
 network-object host 192.168.184.110
object-group service DMZ-TCP-SERVICES-OUT tcp
 port-object eq domain
 port-object eq netbios-ssn
 port-object eq ftp-data
 port-object eq 10000
 port-object eq 42
 port-object eq 135
 port-object eq ldap
 port-object eq ldaps
 port-object eq 88
 port-object eq 445
 port-object eq 1025
 port-object eq www
 port-object eq smtp
 port-object eq ftp
 port-object eq https
 port-object eq 8080
object-group service DMZ-UDP-SERVICES-OUT udp
 port-object eq domain
 port-object eq ntp
 port-object eq netbios-dgm
 port-object eq netbios-ns
 port-object eq 389
 port-object eq 88
object-group service PAT-192.168.184.80-44500
 service-object tcp-udp destination eq 44580
object-group service PAT-192.168.184.80-pt44500
object-group service asl44580 tcp-udp
 port-object eq 44580
object-group network outsideint
 network-object host 80.x.x.x
access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended permit tcp any object-group EXT-FAR-ASL object-group EXT-FAR-ASL-TCP-IN
access-list DMZ extended permit icmp object-group DMZ any
access-list DMZ extended permit tcp object-group WEBSERVERS object-group DBSERVERS object-group MSSQL
access-list DMZ extended permit tcp object-group DMZ any object-group DMZ-TCP-SERVICES-OUT
access-list DMZ extended permit udp object-group DMZ any object-group DMZ-UDP-SERVICES-OUT
access-list DMZ extended deny ip any any
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.176.0-DEST-NONAT 192.168.176.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.177.0-DEST-NONAT 192.168.177.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.178.0-DEST-NONAT 192.168.178.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.181.0-DEST-NONAT 192.168.181.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.183.0-DEST-NONAT 192.168.183.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.190.0-DEST-NONAT 192.168.190.0-DEST-NONAT
object network 192.168.184.0-LOCAL-NAT
 nat (dmz,outside) dynamic 80.x.x.x
object network PAT-192.168.184.50-SMTP
 nat (dmz,outside) static 80.x.x.x service tcp smtp smtp
 nat (dmz,outside) static 80.x.x.x service tcp www www
object network PAT-192.168.184.37-HTTPS
 nat (dmz,outside) static 80.x.x.x service tcp https https
object network PAT-192.168.184.43-WWW:82
 nat (dmz,outside) static 80.x.x.x service tcp 82 www
object network PAT-192.168.184.43-FTP
 nat (dmz,outside) static 80.x.x.x service tcp ftp ftp
object network PAT-192.168.184.35-WWW
 nat (dmz,outside) static 80.x.x.x service tcp www www
object network PAT-192.168.184.80-WWW:8799
 nat (dmz,outside) static 80.x.x.x service tcp www 8799
object network ASL
 nat (outside,dmz) static interface service udp 44500 44500
access-group INSIDE in interface inside
access-group DMZ in interface dmz
access-group PCNDMZ in interface pcndmz
access-group OUTSIDE in interface outside

Thanks again

Looking at your ACL-

access-list OUTSIDE extended permit tcp any object-group EXT-FAR-ASLAN object-group EXT-FAR-ASLAN-TCP-IN

object-group network EXT-FAR-ASLAN
 network-object host 192.168.184.80

Seems to be only one server on which port forwarding is working, using these ports:

object-group service EXT-FAR-ASLAN-TCP-IN tcp
 port-object eq www
 port-object eq 8799
 port-object eq 44580

Not sure how many things are working as of now in your config, but here it should be like this:

object network dmz-webserver1
 host 192.168.184.80
 nat (dmz,outside) static interface service tcp 8000 www
object network dmz-webserver2
 host 192.168.184.81
 nat (dmz,outside) static interface service tcp 8080 www

In the DMZ there are two servers, .80 and .81. Once you hit the outside interface IP on 8000 it will redirect to the .80 server on www. Once you hit the external IP on 8080 it redirects to server .81 on port www.

According to this you can modify whatever you are looking for next.

Thanks

Ajay

Hi Ajay

The bit I'm trying to get working is the port forwarding for port 44580.  There is a similar application on the same server that uses port 8799 and from the config above I've extracted the following:

+++++++++++++++++++++++++++++++++++++++++
object network PAT-192.168.184.80-WWW:8799
 host 192.168.184.80
object-group network EXT-FAR-ASLAN
 network-object host 192.168.184.80
object-group service EXT-FAR-ASLAN-TCP-IN tcp
 port-object eq www
 port-object eq 8799
 port-object eq 44580
access-list OUTSIDE extended permit tcp any object-group EXT-FAR-ASLAN object-group EXT-FAR-ASLAN-TCP-IN
object network PAT-192.168.184.80-WWW:8799
 nat (dmz,outside) static 80.x.x.x service tcp www 8799
+++++++++++++++++++++++++++++++++++++++++

So what I want to do is to have the same config except for a different port number - 44580. 

Sorry if I'm not explaining myself very well.

Cheers

Robert

These are basically two different things -

one is using PAT and the other one we are talking about is port translation.

Confirm to me what public IP you would be using to hit this box with the new app.

This is the PAT config. As you said it's a new app on the same server, I would add one more entry under the object group, that's all.

nat (dmz,outside) static 80.x.x.x service tcp 44580 44580

Now if you hit this IP 80.x.x.x on 44580 it will get redirected to .80 on the same port.

Thanks

Ajay

Hi Ajay

I've got this working now.  I think stripping it down to present to you has made it a bit clearer in my head. I was a bit out on the syntax and the order of things - I'm still not overly sure but I added

object network PAT-192.168.184.80-44580:44580-tcp
 nat (dmz,outside) static 80.x.x.x service tcp 44580 44580

I haven't done anything for udp but it works so I'm ok.

Thank you for taking the time to help me, it gets very lonely when you're stuck!

Robert

Good to hear that.
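Both the two-server redirection Ajay describes and the port-44580 rule Robert ended up with can be checked offline with a small model, which is what the following Python script does. It is an added example, not code from this thread or from Cisco: it parses a constructed, abbreviated ASA 8.3-style configuration (203.0.113.10 stands in for the redacted 80.x.x.x outside address; the object names follow the thread), resolves which real host and port a public ip:port pair is translated to, and then checks whether the inbound ACL would let that flow through. It assumes the documented object-NAT argument order, `service {tcp|udp} real_port mapped_port`, and the 8.3 behaviour that the interface ACL is matched against the real (untranslated) address and port; only the ACL form used in the thread (`permit <proto> any object-group NG object-group SG`) is modelled.

```python
import re
from collections import defaultdict

NAMED_PORTS = {"www": 80, "https": 443, "ftp": 21, "smtp": 25}  # keywords the sample uses

# Object NAT with port translation: the argument order is real_port, then mapped_port.
# Twice-NAT lines ("nat (a,b) source static ...") intentionally do not match this pattern.
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+) service (tcp|udp) (\S+) (\S+)$")

# Constructed sample modelled on the thread (not the poster's running config);
# 203.0.113.10 stands in for the redacted 80.x.x.x outside address.
SAMPLE_CONFIG = """
interface Management0/0
 nameif outside
 ip address 203.0.113.10 255.255.255.192
object network dmz-webserver2
 host 192.168.184.81
object network PAT-192.168.184.80-WWW:8799
 host 192.168.184.80
object network PAT-192.168.184.80-44580:44580-tcp
 host 192.168.184.80
object-group network EXT-FAR-ASL
 network-object host 192.168.184.80
object-group service EXT-FAR-ASL-TCP-IN tcp
 port-object eq www
 port-object eq 8799
 port-object eq 44580
access-list OUTSIDE extended permit tcp any object-group EXT-FAR-ASL object-group EXT-FAR-ASL-TCP-IN
object network dmz-webserver2
 nat (dmz,outside) static interface service tcp www 8080
object network PAT-192.168.184.80-WWW:8799
 nat (dmz,outside) static 203.0.113.10 service tcp www 8799
object network PAT-192.168.184.80-44580:44580-tcp
 nat (dmz,outside) static 203.0.113.10 service tcp 44580 44580
"""

def port_num(token):
    return NAMED_PORTS.get(token) or int(token)

def parse_config(text):
    """Collect interface IPs, object hosts, object NAT rules, object-groups and ACLs."""
    cfg = {"if_ip": {}, "host": {}, "nat": [], "net_grp": defaultdict(set),
           "svc_grp": defaultdict(set), "acl": defaultdict(list)}
    cur_if = cur_obj = cur_grp = None
    for t in (line.split() for line in text.splitlines()):
        if not t:
            continue
        if t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"] and cur_if:
            cfg["if_ip"][cur_if] = t[2]
        elif t[:2] == ["object", "network"]:
            cur_obj = t[2]
        elif t[0] == "host" and cur_obj:
            cfg["host"][cur_obj] = t[1]
        elif t[0] == "nat" and cur_obj and (m := NAT_RE.match(" ".join(t))):
            real_if, mapped_if, mapped_ip, proto, real_p, mapped_p = m.groups()
            cfg["nat"].append((cur_obj, real_if, mapped_if, mapped_ip, proto,
                               port_num(real_p), port_num(mapped_p)))
        elif t[0] == "object-group":
            cur_grp, cur_obj = t[2], None
        elif t[:2] == ["network-object", "host"] and cur_grp:
            cfg["net_grp"][cur_grp].add(t[2])
        elif t[:2] == ["port-object", "eq"] and cur_grp:
            cfg["svc_grp"][cur_grp].add(port_num(t[2]))
        elif t[0] == "access-list":
            cfg["acl"][t[1]].append(t[2:])
    return cfg

def resolve_inbound(cfg, mapped_if, proto, dst_ip, dst_port):
    """Real host:port a packet arriving on mapped_if for dst_ip:dst_port is sent to, or None."""
    for obj, _real_if, m_if, m_ip, p, real_p, mapped_p in cfg["nat"]:
        if (m_if, p, mapped_p) != (mapped_if, proto, dst_port):
            continue
        ip = cfg["if_ip"].get(m_if) if m_ip == "interface" else m_ip  # 'interface' keyword
        if ip == dst_ip and obj in cfg["host"]:
            return cfg["host"][obj], real_p
    return None

def acl_permits(cfg, acl_name, proto, real_host, real_port):
    """From 8.3 the interface ACL sees the REAL address and port, so those are what we check."""
    for ace in cfg["acl"][acl_name]:
        if ace[:4] != ["extended", "permit", proto, "any"] or len(ace) < 8:
            continue
        if (ace[4] == ace[6] == "object-group" and real_host in cfg["net_grp"][ace[5]]
                and real_port in cfg["svc_grp"][ace[7]]):
            return True
    return False

def check_published_port(cfg, acl_name, mapped_if, proto, dst_ip, dst_port):
    """Verdict for a public ip:port: it reaches a DMZ host only if NAT and the inbound ACL both match."""
    target = resolve_inbound(cfg, mapped_if, proto, dst_ip, dst_port)
    if target is None:
        return "no NAT"
    host, port = target
    ok = acl_permits(cfg, acl_name, proto, host, port)
    return f"reaches {host}:{port}" if ok else f"NAT ok, ACL blocks {host}:{port}"

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print([check_published_port(cfg, "OUTSIDE", "outside", "tcp", "203.0.113.10", p) for p in (8080, 8799, 44580)])
```

Running it shows three things worth knowing before declaring a port "open": TCP 8080 is translated to .81:80 but then dropped by the OUTSIDE access-list, because .81 is not in EXT-FAR-ASL; TCP 8799 is permitted because the ACL is evaluated on the real port 80 (www), not on 8799; and UDP 44580 has no translation at all, which is the UDP gap Robert mentions in his last post.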
