Port forwarding with ASDM 6.4 for ASA

asdmquest (Level 1)

Hi, I'm stuck!

I can't seem to get port forwarding to work. I want a server in the internal network (192.168.2.39) to be accessible from the outside.

I've added a static NAT rule

Interface: inside

Source: 192.168.2.39

Translated

Interface: Outside

Used Interface IP Address

Port Address Translation (PAT)

Protocol: TCP

Original Port: 22

Translated Port: 22

And an Access rule

Interface: outside

Action: Permit

Source: any

Destination: My WAN ip address

Service: ssh/22

Enable Logging: Checked

But I get no hits when I try to connect to my server in the internal network from outside. What am I doing wrong?

Obviously I'm totally new to this!

While I'm at it, I would like to make the IP address of the server (192.168.2.39) static. Is it possible to make the DHCP lease infinite for 192.168.2.39, or is there a better way to do it?

Appreciate any help

Thanks in advance

Best regards

L


9 Replies

jumora (Level 7)

More information is needed; please post the configuration.

Value our effort and rate the assistance!


I get your point on the documentation; what I need is the NAT rule configuration. Without it I don't know how you are configuring it, or if there are other NAT rules affecting it, or... you get my point, we need the config.

If you cannot post any further detail, please open a TAC case.

Value our effort and rate the assistance!


Sorry, how do I get my configuration?

I'm a total noob when it comes to this device.

Hi,

If you want the CLI format configuration from the ASDM, you should be able to get it like this:

Tools menu (at the top) -> Command Line Interface -> type "show run" in the command field -> press the Send button -> copy/paste the output here.

Remember to remove/mask any sensitive information.

- Jouni

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XXX.XXX.154 255.255.255.248
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XXX.XXX.153 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http XXX.XXX.XXX.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.10-192.168.2.250 inside
dhcpd dns XX.XXX.XX.10 XX.XXX.XX.20 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum: ---
: end

Hi,

First of all, one thing to consider here is the fact that the ASA also allows management connections through SSH, though you don't seem to be using it. What I mean is that if you have any plans to manage the ASA through SSH from the external network, then you would be better off changing this Static PAT (Port Forward) configuration's public port to something other than the default TCP/22. This would leave you room to start using SSH at some point from the external network.

The Static PAT (Port Forward) configuration and the ACL that will allow the traffic could be accomplished in the following way:

static (inside,outside) tcp interface 222 192.168.2.39 22 netmask 255.255.255.255
access-list OUTSIDE-IN remark Allow SSH
access-list OUTSIDE-IN permit tcp any interface outside eq 222
access-group OUTSIDE-IN in interface outside

Notice that the above example uses a non-default port of TCP/222 towards the external/public network. You can naturally change it to the default TCP/22 or even something else. If you change the port from the above, then also remember to change the port in the "access-list" configuration above.

You can insert this configuration from the same place as I mentioned above.

The only change is that when you first go to Tools -> Command Line Interface, you will then need to check the Multiple Line option, which will let you attach multiple lines of configuration (the configuration above), and then press the Send button.

This should send the above configurations to the device and you should be able to access the internal device through the external/public network.

You can naturally change the ACL above if you want to allow traffic only from certain IP addresses and not from "any" source IP address.

- Jouni

Thank you, I will test this as soon as possible.

Is it possible to change the SSH port on the ASA to something other than 22?

I want to do this because I would like to have the default SSH port on my server in the internal network.

We use SSH on the ASA; it's an outside firm that handles some configuration of it, so it's just their IP range that is allowed to log in to the ASA from the outside.

EDIT: Sorry, you've already pointed that out.

Thanks for the help

Much appreciated!

Best regards

Hi,

To my understanding there is no way to change the SSH port on the ASA. The ASDM port is the only management connection whose port can be changed freely.

Another option is, naturally, that you configure a VPN Client connection to the ASA and connect to the "inside" interface IP address through the VPN with SSH or Telnet. Naturally this involves more configuration (to implement), but it would let you use the default SSH port for the Static PAT (Port Forward) configuration.

Otherwise it seems you would be stuck using ASDM only from the external network. At least to my understanding, the SSH port forward will affect the SSH management connectivity of the ASA itself, since you only have the one public IP address available.

Or do you actually have extra public IP addresses? I was looking at your external interface's network mask, which is /29, which would mean that you have a few public IP addresses free if you have the whole subnet for your own use. In that case you could configure Static NAT with another public IP address for this internal server and not affect the ASA SSH management at all.

- Jouni
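The two points Jouni makes above (the ACL port must match the Static PAT's public port and be bound inbound on the outside interface, and a public port of TCP/22 on the interface IP collides with the ASA's own SSH management) can be checked mechanically. This is an added example, not code from the thread or from Cisco: a small Python checker over ASA 8.2-style `static`/`access-list`/`access-group` lines, run on a constructed config that contains Jouni's forward plus a second, deliberately broken one.

```python
import re

# Constructed sample: Jouni's TCP/222 forward, plus a second forward on the
# interface IP's TCP/22 that has no matching ACL permit (to show what is flagged).
SAMPLE_CONFIG = """\
static (inside,outside) tcp interface 222 192.168.2.39 22 netmask 255.255.255.255
static (inside,outside) tcp interface 22 192.168.2.40 22 netmask 255.255.255.255
access-list OUTSIDE-IN remark Allow SSH
access-list OUTSIDE-IN permit tcp any interface outside eq 222
access-group OUTSIDE-IN in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) \S+ interface (\w+) eq (\d+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

# Assumption: ASA management listeners on the mapped interface IP use TCP/22 (SSH,
# not changeable per the thread) and TCP/443 (ASDM/HTTPS at its default port).
ASA_MGMT_PORTS = {"tcp": {22, 443}}

def check_port_forwards(config):
    """Return (forward_label, finding) tuples for every Static PAT in the config."""
    statics, acl_permits, bound = [], set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            real_if, mapped_if, proto, pub_port, host, real_port = m.groups()
            statics.append((mapped_if, proto, int(pub_port), host, int(real_port)))
        elif m := ACL_RE.match(line):
            acl, proto, iface, port = m.groups()
            acl_permits.add((acl, proto, iface, int(port)))
        elif m := GROUP_RE.match(line):
            acl, iface = m.groups()
            bound[iface] = acl  # ACL applied inbound on this interface
    findings = []
    for mapped_if, proto, pub_port, host, real_port in statics:
        label = f"{proto}/{pub_port} -> {host}:{real_port}"
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append((label, f"no access-group bound inbound on {mapped_if}"))
        elif (acl, proto, mapped_if, pub_port) not in acl_permits:
            findings.append((label, f"ACL {acl} has no permit for {proto}/{pub_port}"))
        else:
            findings.append((label, "ok"))
        if pub_port in ASA_MGMT_PORTS.get(proto, set()):
            findings.append((label, f"public port {pub_port} collides with ASA management on the interface IP"))
    return findings

if __name__ == "__main__":
    for label, finding in check_port_forwards(SAMPLE_CONFIG):
        print(f"{label}: {finding}")
```

Running it against the OP's posted show run would report nothing at all, since that config contains no `static` line, which is consistent with the ACL never getting hits.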

I think we only have one IP address actually.

But I'll have to use a non standard port for my server then.

Thanks
