12-21-2011 02:10 AM - edited 03-11-2019 03:04 PM
Hi there
I'm struggling to configure an ASA firewall, version 8.3(1).
The DMZ contains a group of servers. A new application has been put onto one of the servers and assigned a port number; it is to be accessible from the internet.
I have been asked to open a port on the firewall and to configure NAT for the specific port.
I have a book which seems to refer to the old way of doing things (as the commands don't work), and I've been looking at the following document:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp112714
But I'm stuck: I spent all day yesterday trying to sort this and I'm no further forward, so any help is appreciated.
Thanks
12-21-2011 02:23 AM
I should probably mention that all the other configurations are policy based, and I inherited this firewall from an engineer who left in a hurry, so the config is not documented.
12-21-2011 03:07 AM
Are you talking about a port forwarding configuration for the new server with a specific port? It would be better to post your configuration here, mentioning the new IP of the server and what exactly you are looking for.
Thanks
Ajay
12-21-2011 04:13 AM
Hi Ajay
Yes, I think it's port forwarding. Machines on the internet (there's only one at the moment, but this is expected to grow to maybe as many as 50 within a few years) will connect to a database on the server using port 44500. TCP and UDP connections.
So I think I want to translate global addresses with port number 44500 in the header that enter from the "outside" interface. When they come into the internal network through the "dmz" interface they should have a new source address but keep the same port number (not sure?).
Port: 44500 tcp-udp
The server address is 192.168.182.80 (it's not new)
Internet is on interface name "Outside"
DMZ is on interface name "DMZ"
so far I've got:
object-group network EXT-FAR-ASL
network-object host 192.168.184.80
object-group service PAT-192.168.184.80-pt44500
service-object tcp-udp destination eq 44500
I think the syntax for the translation is:
nat (outside,dmz) static source any any destination static EXT-FAR-ASL EXT-FAR-ASL service PAT-192.168.184.80-pt44500 PAT-192.168.184.80-pt44500
but I'm not sure
Thanks again
12-21-2011 04:44 AM
Hi Robert,
Can you please post the full config?
Thanks
Ajay
12-21-2011 05:46 AM
Hi Ajay
Thanks for bearing with me. I had to trim it down a bit, but here you are:
FIREWALL# sho run
: Saved
:
ASA Version 8.3(1)
!
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.186.252 255.255.255.0
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 nameif dmz
 security-level 80
 ip address 192.168.184.253 255.255.255.0
!
interface Ethernet0/3
 nameif pcndmz
 security-level 70
 ip address 192.168.187.252 255.255.255.0
!
interface Management0/0
 nameif outside
 security-level 0
 ip address 80.x.x.x 255.255.255.192
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ourco.biz
object network 192.168.184.0-LOCAL-NONAT
 subnet 192.168.184.0 255.255.255.0
object network 192.168.184.0-LOCAL-NAT
 subnet 192.168.184.0 255.255.255.0
object network PAT-192.168.184.37-WWW
 host 192.168.184.37
object network PAT-192.168.184.37-HTTPS
 host 192.168.184.37
object network PAT-192.168.184.43-WWW:82
 host 192.168.184.43
object network PAT-192.168.184.43-FTP
 host 192.168.184.43
object network PAT-192.168.184.35-WWW
 host 192.168.184.35
object network PAT-192.168.187.44-WWW
 host 192.168.187.44
object network PAT-192.168.187.44-HTTPS
 host 192.168.187.44
object network PAT-192.168.184.80-WWW:8799
 host 192.168.184.80
object network PAT-192.168.184.80-port44580
object network ASL
 host 192.168.184.80
object service PAT-ASL-445800
 service tcp destination eq 44580
object-group network DMZ
 network-object 192.168.184.0 255.255.255.0
object-group network EXT-FAR-ASL
 network-object host 192.168.184.80
object-group service EXT-FAR-ASL-TCP-IN tcp
 port-object eq www
 port-object eq 8799
 port-object eq 44500
object-group network NAT
 network-object host 80.x.x.x
object-group network FHAM-NET
 network-object 192.168.184.0 255.255.255.0
 network-object 192.168.185.0 255.255.255.0
 network-object 192.168.186.0 255.255.255.0
 network-object 192.168.187.0 255.255.255.0
object-group network WEBSERVERS
 network-object host 192.168.184.43
 network-object host 192.168.184.34
 network-object host 192.168.184.37
 network-object host 192.168.184.80
 network-object host 192.168.184.60
 network-object host 192.168.184.110
object-group service DMZ-TCP-SERVICES-OUT tcp
 port-object eq domain
 port-object eq netbios-ssn
 port-object eq ftp-data
 port-object eq 10000
 port-object eq 42
 port-object eq 135
 port-object eq ldap
 port-object eq ldaps
 port-object eq 88
 port-object eq 445
 port-object eq 1025
 port-object eq www
 port-object eq smtp
 port-object eq ftp
 port-object eq https
 port-object eq 8080
object-group service DMZ-UDP-SERVICES-OUT udp
 port-object eq domain
 port-object eq ntp
 port-object eq netbios-dgm
 port-object eq netbios-ns
 port-object eq 389
 port-object eq 88
object-group service PAT-192.168.184.80-44500
 service-object tcp-udp destination eq 44580
object-group service PAT-192.168.184.80-pt44500
object-group service asl44580 tcp-udp
 port-object eq 44580
object-group network outsideint
 network-object host 80.x.x.x
access-list OUTSIDE extended permit icmp any any
access-list OUTSIDE extended permit tcp any object-group EXT-FAR-ASL object-group EXT-FAR-ASL-TCP-IN
access-list DMZ extended permit icmp object-group DMZ any
access-list DMZ extended permit tcp object-group WEBSERVERS object-group DBSERVERS object-group MSSQL
access-list DMZ extended permit tcp object-group DMZ any object-group DMZ-TCP-SERVICES-OUT
access-list DMZ extended permit udp object-group DMZ any object-group DMZ-UDP-SERVICES-OUT
access-list DMZ extended deny ip any any
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.176.0-DEST-NONAT 192.168.176.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.177.0-DEST-NONAT 192.168.177.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.178.0-DEST-NONAT 192.168.178.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.181.0-DEST-NONAT 192.168.181.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.183.0-DEST-NONAT 192.168.183.0-DEST-NONAT
nat (dmz,outside) source static 192.168.184.0-LOCAL-NONAT 192.168.184.0-LOCAL-NONAT destination static 192.168.190.0-DEST-NONAT 192.168.190.0-DEST-NONAT
object network 192.168.184.0-LOCAL-NAT
 nat (dmz,outside) dynamic 80.x.x.x
object network PAT-192.168.184.50-SMTP
 nat (dmz,outside) static 80.x.x.x service tcp smtp smtp
 nat (dmz,outside) static 80.x.x.x service tcp www www
object network PAT-192.168.184.37-HTTPS
 nat (dmz,outside) static 80.x.x.x service tcp https https
object network PAT-192.168.184.43-WWW:82
 nat (dmz,outside) static 80.x.x.x service tcp 82 www
object network PAT-192.168.184.43-FTP
 nat (dmz,outside) static 80.x.x.x service tcp ftp ftp
object network PAT-192.168.184.35-WWW
 nat (dmz,outside) static 80.x.x.x service tcp www www
object network PAT-192.168.184.80-WWW:8799
 nat (dmz,outside) static 80.x.x.x service tcp www 8799
object network ASL
 nat (outside,dmz) static interface service udp 44500 44500
access-group INSIDE in interface inside
access-group DMZ in interface dmz
access-group PCNDMZ in interface pcndmz
access-group OUTSIDE in interface outside
Thanks again
12-21-2011 06:15 AM
Looking at your ACL:
access-list OUTSIDE extended permit tcp any object-group EXT-FAR-ASLAN object-group EXT-FAR-ASLAN-TCP-IN
object-group network EXT-FAR-ASLAN
 network-object host 192.168.184.80
It seems there is only one server on which port forwarding is working, using these ports:
object-group service EXT-FAR-ASLAN-TCP-IN tcp
 port-object eq www
 port-object eq 8799
 port-object eq 44580
Not sure how many things are working as of now in your config, but here it should be like this:
object network dmz-webserver1
 host 192.168.184.80
 nat (dmz,outside) static interface service tcp 8000 www
object network dmz-webserver2
 host 192.168.184.81
 nat (dmz,outside) static interface service tcp 8080 www
In the DMZ there are two servers, .80 and .81. Once you hit the outside interface IP on 8000 it will redirect to the .80 server on www; once you hit the external IP on 8080 it redirects to server .81 on port www.
Based on this you can modify it for whatever you are looking for next.
Thanks
Ajay
12-21-2011 06:51 AM
Hi Ajay
The bit I'm trying to get working is the port forwarding for port 44580. There is a similar application on the same server that uses port 8799, and from the config above I've extracted the following:
+++++++++++++++++++++++++++++++++++++++++
object network PAT-192.168.184.80-WWW:8799
 host 192.168.184.80
object-group network EXT-FAR-ASLAN
 network-object host 192.168.184.80
object-group service EXT-FAR-ASLAN-TCP-IN tcp
 port-object eq www
 port-object eq 8799
 port-object eq 44580
access-list OUTSIDE extended permit tcp any object-group EXT-FAR-ASLAN object-group EXT-FAR-ASLAN-TCP-IN
object network PAT-192.168.184.80-WWW:8799
 nat (dmz,outside) static 80.x.x.x service tcp www 8799
+++++++++++++++++++++++++++++++++++++++++
So what I want to do is to have the same config except for a different port number - 44580.
Sorry if I'm not explaining myself very well.
Cheers
Robert
12-21-2011 07:06 AM
These are basically two different things:
one is using PAT, and the other one we are talking about is port translation.
Confirm for me which public IP you would be using to hit this box with the new app.
This is a PAT config. As you said, it's a new app on the same server, so I would add one more entry under the object group, that's all.
nat (dmz,outside) static 80.x.x.x service tcp 44580 44580
Now if you hit this IP, 80.x.x.x, on 44580 it will get redirected to .80 on the same port.
Thanks
Ajay
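Two ASA 8.3 rules decide whether a port-forward like the ones in Ajay's 06:15 AM example and in the accepted answer above actually passes traffic: in object NAT the interface pair is written (real,mapped), so a DMZ host gets nat (dmz,outside) and nat (outside,dmz) is backwards; and since 8.3 the access-list applied inbound on outside is evaluated against the real (untranslated) address and the real port, so it must permit the DMZ host on the port the server listens on, not the mapped port. The script below is an added example, not code from this thread or from Cisco: it parses a hand-built config fragment modelled on the posted one (the object names, the RFC 5737 public address 203.0.113.10 and the interface subnets in INTERFACE_NETS are constructed) and reports every object NAT port-forward whose direction, protocol or real port is not backed by the inbound ACL. It generalises past the single server in the thread to any number of object NAT entries.

```python
"""Cross-check ASA 8.3+ object NAT port-forwards against the inbound ACL.
Added example, not from the thread or from Cisco. SAMPLE_CONFIG is hand-built, modelled on
the posted fragment (RFC 5737 address for the public IP); INTERFACE_NETS mirrors its stanzas."""
import ipaddress
import re

INTERFACE_NETS = {"dmz": ipaddress.ip_network("192.168.184.0/24"),
                  "outside": ipaddress.ip_network("203.0.113.0/26")}
# Constructed: one correct forward (real www exposed as 8799), one whose real port is
# missing from the ACL (44580), one with the pair reversed and a protocol the ACL lacks.
SAMPLE_CONFIG = """\
object network ASL-WWW
 host 192.168.184.80
 nat (dmz,outside) static 203.0.113.10 service tcp www 8799
object network ASL-44580-TCP
 host 192.168.184.80
 nat (dmz,outside) static 203.0.113.10 service tcp 44580 44580
object network ASL-44580-UDP
 host 192.168.184.80
 nat (outside,dmz) static interface service udp 44500 44500
object-group network EXT-FAR-ASL
 network-object host 192.168.184.80
object-group service EXT-FAR-ASL-TCP-IN tcp
 port-object eq www
 port-object eq 8799
 port-object eq 44500
access-list OUTSIDE extended permit tcp any object-group EXT-FAR-ASL object-group EXT-FAR-ASL-TCP-IN
access-group OUTSIDE in interface outside
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "smtp": 25, "domain": 53}
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+) service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp|ip) any (host \S+|object-group \S+)"
                    r"(?: (eq \S+|object-group \S+))?$")

def port(tok):
    """Resolve an ASA port token ('www', '44580') to an integer."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse(text):
    """Minimal parser for just the statements the check needs (8.3+ syntax only)."""
    cfg = {"objects": {}, "net_groups": {}, "svc_groups": {}, "acls": [], "applied": {}}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):                  # top-level command
            cur = None
            if m := re.match(r"object network (\S+)", line):
                cur = cfg["objects"].setdefault(m[1], {"host": None, "nat": []})
            elif m := re.match(r"object-group network (\S+)", line):
                cur = cfg["net_groups"].setdefault(m[1], [])
            elif m := re.match(r"object-group service (\S+) (tcp|udp|tcp-udp)", line):
                cur = cfg["svc_groups"].setdefault(m[1], [])
            elif m := ACL_RE.match(line):
                cfg["acls"].append(m.groups())       # (name, proto, dst, svc-or-None)
            elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
                cfg["applied"].setdefault(m[2], []).append(m[1])
        elif isinstance(cur, dict):                  # sub-command of an object network
            if m := re.match(r"host (\S+)", line):
                cur["host"] = m[1]
            elif m := NAT_RE.match(line):            # nat (real,mapped) ... real-port mapped-port
                cur["nat"].append({"pair": (m[1], m[2]), "proto": m[4], "real_port": port(m[5])})
        elif isinstance(cur, list):                  # member of an object-group
            if m := re.match(r"(network-object host|port-object eq) (\S+)", line):
                cur.append(m[2] if m[1].startswith("network") else port(m[2]))
    return cfg

def permitted(cfg, iface, host, proto, real_port):
    """True if an ACL applied inbound on iface permits proto/real_port to host.
    Since 8.3 the ACL is evaluated on the real (untranslated) address and port."""
    for name, acl_proto, dst, svc in cfg["acls"]:
        if name not in cfg["applied"].get(iface, []) or acl_proto not in ("ip", proto):
            continue
        kw, val = dst.split()
        if host not in ([val] if kw == "host" else cfg["net_groups"].get(val, [])):
            continue
        if svc is None:
            return True
        kw, val = svc.split()
        if real_port in ([port(val)] if kw == "eq" else cfg["svc_groups"].get(val, [])):
            return True
    return False

def check(text):
    """Return one finding per port-forward that cannot work as written."""
    cfg, findings = parse(text), []
    for name, obj in cfg["objects"].items():
        host = obj["host"]
        real_if = next((n for n, net in INTERFACE_NETS.items() if host and ipaddress.ip_address(host) in net), None)
        for nat in obj["nat"]:
            a, b = nat["pair"]
            if a != real_if:                         # object NAT names the real interface first
                findings.append(f"{name}: nat ({a},{b}) is reversed; {host} sits behind {real_if}")
            mapped_if = b if a == real_if else a
            if not permitted(cfg, mapped_if, host, nat["proto"], nat["real_port"]):
                findings.append(f"{name}: no ACL inbound on {mapped_if} permits {nat['proto']}/{nat['real_port']} to real address {host}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_CONFIG)))
```

Run as-is it prints three findings for the constructed fragment: the 44580 TCP forward has no matching ACL entry (the service group still says 44500), and the UDP line is written (outside,dmz) and uses a protocol that the TCP-only access-list never permits; the www-to-8799 forward passes because the ACL permits real port 80. The parser deliberately covers only the statement forms used here (object NAT with service, host objects, network and service object-groups, any-source access-list lines); it is a consistency check on the posted syntax, not a substitute for running packet-tracer input outside tcp <src-ip> 12345 <mapped-ip> 44580 on the box.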
12-21-2011 07:19 AM
Hi Ajay
I've got this working now. I think stripping it down to present to you has made it a bit clearer in my head. I was a bit out on the syntax and the order of things; I'm still not overly sure, but I added:
object network PAT-192.168.184.80-44580:44580-tcp
 nat (dmz,outside) static 80.x.x.x service tcp 44580 44580
I haven't done anything for UDP, but it works, so I'm OK.
Thank you for taking the time to help me; it gets very lonely when you're stuck!
Robert
12-21-2011 07:23 AM
Good to hear that.