04-09-2012 07:45 PM - edited 03-04-2019 03:58 PM
Hello all,
I need to NAT one of my global IPs to an internal IP, and I also need to forward ports 1720 and 60000-60001 for TCP, and ports 60000-60007 for UDP.
(119.x.x.26 address to 192.168.1.100)
Can you please tell me if the config below is correct?
!
ASA Version 8.2(1)
!
hostname Firewall
enable password xxxxxx encrypted
passwd xxxxxx encrypted
names
name 192.168.6.0 GuestVLAN description GuestVLAN
name 192.168.1.0 OfficeLAN
name 192.168.4.0 ServerLAN description ServerGroup
name 192.168.0.0 Internal_LAN
name 192.168.4.16 Exchange
name 192.168.4.10 PrimaryDC
name 192.168.4.12 backupDC
name 192.168.1.40 PBX
name 192.168.1.100 VC
name 192.168.2.0 Internal_switch2
name 192.168.3.0 Internal_switch3
!
interface Ethernet0/0
description HGC_Primary
nameif Outside_0
security-level 0
ip address 119.x.x.x 255.255.255.240 standby 119.x.x.x
!
interface Ethernet0/1
description PCCW_Backup
nameif Outside_1
security-level 0
ip address 204.x.x.x 255.255.255.248 standby 204.x.x.x
!
interface Ethernet0/2
description Internal
nameif Inside
security-level 100
ip address 192.x.x.x 255.255.255.0 standby 192.x.x.x
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 10.x.x.x 255.255.255.0 standby 10.x.x.x
management-only
!
ftp mode passive
clock timezone HKST 8
dns domain-lookup Outside_0
dns server-group DefaultDNS
name-server 212.x.x.x
name-server 204.x.x.x
object-group network WEB
object-group service ExchangeGroup
description For Exchange
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
service-object icmp echo-reply
service-object icmp echo
service-object icmp6 echo
service-object icmp6 echo-reply
object-group network DM_INLINE_NETWORK_1
network-object host 119.x.x.x
network-object host 119.x.x.x
object-group network DM_INLINE_NETWORK_2
network-object host 204.x.x.x
network-object host 204.x.x.x
object-group service PBX-TCP-8000 tcp
port-object eq 8000
object-group service VC_System_tcp tcp
port-object eq 1720
port-object range 60000 60001
object-group service VC_System_udp udp
port-object range 60000 60007
access-list Inside_access_in extended permit icmp any any echo
access-list Inside_access_in extended permit ip Internal_LAN 255.255.0.0 any
access-list Outside_0_access_in extended permit icmp any any echo-reply log
access-list Outside_0_access_in extended permit object-group ExchangeGroup any host 119.x.x.x log
access-list Outside_0_access_in extended permit udp any object-group DM_INLINE_NETWORK_1 eq ntp log inactive
access-list Outside_0_access_in remark Remote access to PBX
access-list Outside_0_access_in extended permit tcp any host 119.x.x.x object-group PBX-TCP-8000
access-list Outside_0_access_in remark Port Forwarding for VC
access-list Outside_0_access_in extended permit tcp any host 119.x.x.26 object-group VC_System_tcp
access-list Outside_0_access_in extended permit udp any host 119.x.x.26 object-group VC_System_udp
access-list Outside_1_access_in extended permit icmp any any echo-reply log
access-list Outside_1_access_in extended permit object-group ExchangeGroup any host 204.x.x.x log
access-list Outside_1_access_in extended permit udp any object-group DM_INLINE_NETWORK_2 eq ntp log inactive
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit udp any any eq domain
access-list IPSECVPN_splitTunnelAcl standard permit Internal_LAN 255.255.0.0
access-list IPSECVPN_splitTunnelAcl standard permit 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Internal_LAN 255.255.0.0 192.168.168.0 255.255.255.224
pager lines 40
logging enable
logging asdm informational
mtu Outside_0 1500
mtu Outside_1 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN-DHCP 192.168.168.10-192.168.168.20 mask 255.255.255.0
failover
failover lan unit secondary
failover lan interface ASAFW Ethernet0/3
failover key xxxxx
failover link ASAFW Ethernet0/3
failover interface ip ASAFW 10.10.10.1 255.255.255.252 standby 10.10.10.2
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside_0
icmp permit any Outside_1
icmp permit any Inside
no asdm history enable
arp timeout 14400
global (Outside_0) 1 interface
global (Outside_1) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside_0) 119.x.x.x Exchange netmask 255.255.255.255
static (Inside,Outside_1) 204.x.x.x Exchange netmask 255.255.255.255
static (Inside,Outside_0) 119.x.x.x PrimaryDC netmask 255.255.255.255
static (Inside,Outside_1) 204.x.x.x PrimaryDC netmask 255.255.255.255
static (Inside,Outside_0) 119.x.x.x backupDC netmask 255.255.255.255
static (Inside,Inside) 204.x.x.x backupDC netmask 255.255.255.255
static (Inside,Outside_0) 119.x.x.x PBX netmask 255.255.255.255
static (Inside,Outside_0) 119.x.x.26 VC netmask 255.255.255.255
access-group Outside_0_access_in in interface Outside_0
access-group Outside_1_access_in in interface Outside_1
access-group Inside_access_in in interface Inside
route Outside_0 0.0.0.0 0.0.0.0 119.x.x.x 1 track 1
route Outside_1 0.0.0.0 0.0.0.0 204.x.x.x
route Inside OfficeLAN 255.255.255.0 192.168.5.3 1
route Inside Internal_switch2 255.255.255.0 192.168.5.3 1
route Inside Internal_switch3 255.255.255.0 192.168.5.3 1
route Inside ServerLAN 255.255.255.0 192.168.5.3 1
route Inside GuestVLAN 255.255.255.0 192.168.5.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AAAGROUP protocol radius
aaa-server AAAGROUP (Inside) host PrimaryDC
timeout 3
key xxxxxx
aaa-server AAAGROUP (Inside) host backupDC
timeout 5
key xxxxx
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http ServerLAN 255.255.255.0 Inside
http OfficeLAN 255.255.255.0 Inside
http 10.0.0.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Outside_1
http 0.0.0.0 0.0.0.0 Outside_0
http Internal_LAN 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 212.x.x.x interface Outside_0
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_0_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_0_map interface Outside_0
crypto map Outside_1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_1_map interface Outside_1
crypto isakmp enable Outside_0
crypto isakmp enable Outside_1
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
track 1 rtr 123 reachability
telnet Internal_LAN 255.255.0.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy IPSECVPN internal
group-policy IPSECVPN attributes
dns-server value 192.168.4.10 192.168.4.12
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSECVPN_splitTunnelAcl
..................................................................................
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
04-10-2012 09:58 AM
Kevin-
The static looks fine for regular NAT, and you have allowed the correct UDP and TCP ports through the Outside_0 interface with your Outside_0_access_in ACL. However this is not true port-forwarding/port-redirection. What are your requirements for access to this node?
For true port-redirection you can take a look at the static PAT example in this doc:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html
Paul
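For readers who do want the static PAT (port-redirection) form Paul mentions, here is what it looks like in ASA 8.2 syntax, using the names already defined in Kevin's config. This is an added example, not code from the thread or from the Cisco document Paul links; it assumes the thread's placeholder mapped address 119.x.x.26 and the existing host name VC (192.168.1.100). The difference from the 1-to-1 static is scope: with static PAT only the listed ports are ever translated to the host, so exposure does not depend solely on the interface ACL staying tight.

```cisco
! Added example (not from the thread): static PAT for the VC ports on ASA 8.2.
! 119.x.x.26 is the thread's placeholder public address; VC is the name object
! for 192.168.1.100 from the posted config.
!
! Remove the 1-to-1 static first so the mapped address is not claimed twice.
no static (Inside,Outside_0) 119.x.x.26 VC netmask 255.255.255.255
!
! TCP: H.323 call setup (1720) and the two TCP data ports.
! 8.2 static PAT takes a single port per command, so ranges are one line per port.
static (Inside,Outside_0) tcp 119.x.x.26 1720 VC 1720 netmask 255.255.255.255
static (Inside,Outside_0) tcp 119.x.x.26 60000 VC 60000 netmask 255.255.255.255
static (Inside,Outside_0) tcp 119.x.x.26 60001 VC 60001 netmask 255.255.255.255
!
! UDP: media ports 60000-60007.
static (Inside,Outside_0) udp 119.x.x.26 60000 VC 60000 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60001 VC 60001 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60002 VC 60002 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60003 VC 60003 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60004 VC 60004 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60005 VC 60005 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60006 VC 60006 netmask 255.255.255.255
static (Inside,Outside_0) udp 119.x.x.26 60007 VC 60007 netmask 255.255.255.255
!
! The existing Outside_0_access_in entries for VC_System_tcp and VC_System_udp
! stay as they are: on 8.2 the interface ACL matches on the mapped (public)
! address, which is unchanged here.
```

Either form satisfies the vendor's "forward these ports" instruction; the 1-to-1 static Kevin already has works as long as the Outside_0_access_in ACL remains the only thing that opens the host, which is what the thread concludes.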
04-10-2012 02:56 PM
Hello Paul,
Thank you for your reply.
We are putting in a new Video Conferencing system and the instructions specify that if we put the system on the internal LAN, we should forward those particular ports for tcp and udp.
So I thought that since we had available/free Public IP addresses, I would try a 1-to-1 NAT and just make sure those ports were open via ACL.
Is this wrong? Should I switch to a static PAT?
04-10-2012 08:08 PM
Kevin-
I don't think that you need to change anything. Have you had a chance to try out the new system yet?
Paul
04-10-2012 09:16 PM
Paul-
Not yet. The new system comes in next Monday.
I was just wondering because whenever I try packet tracer from the CLI it shows that the packet is dropped.
(It may be a case of me incorrectly using the packet-tracer command)
Anyway, we'll know if it works or not on Monday. I may need to ask you again if it fails.
Again, Thanks for the help.
04-11-2012 05:45 AM
Kevin-
Are you tracing from the outside in? Let me know how you set the packet tracer and what exact message it is giving you - the tracer will tell you that the packet was dropped due to an ACL or due to a NAT rule, etc.
Paul
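As an added illustration of the outside-in trace Paul is asking for (not a command from the thread), the invocation below tests the VC call-setup flow against the posted config. The source address 203.0.113.10 and source port 40000 are constructed values; 119.x.x.26 is the thread's placeholder public address. On ASA 8.2 the destination in an outside-in trace is the mapped (public) address, not the inside host 192.168.1.100; tracing to the real address from Outside_0 is a common reason the tracer reports a drop even when the config is correct.

```cisco
! Added example (not from the thread): packet-tracer for the VC ports, outside in.
! 203.0.113.10 / 40000 are constructed; 119.x.x.26 is the thread's placeholder.
! Destination is the mapped public address because this is pre-8.3 NAT.
packet-tracer input Outside_0 tcp 203.0.113.10 40000 119.x.x.26 1720 detailed
!
! One of the UDP media ports, same direction.
packet-tracer input Outside_0 udp 203.0.113.10 40000 119.x.x.26 60000 detailed
```

Read the trace from the bottom: the final block gives the overall Action (allow or drop) and, for a drop, a Drop-reason; the phase above it whose Result is DROP (for example the ACCESS-LIST or NAT phase) tells you which part of the config rejected the packet, which is exactly the detail Paul is asking Kevin to report.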
04-16-2012 05:18 AM
Thanks Paul,
Config was correct.
I still couldn't get packet-tracer to work properly, but it's ok.
Thanks again