Port forwarding at router

teymur azimov
Level 1

Hi Dears.

We have a problem. We have a router which performs NAT, and behind the router we have an ASA. On the inside we have a server (a webmail server). We need requests that come to our outside interface with port number 9000 to be converted to the server IP with port number 443.

I copied my router and ASA configuration here. On my router two ISPs are configured. All of them are working.

How do I make requests that come to our outside interface with port number 9000 convert to the server IP (192.168.10.7) with port number 443? My webmail server IP address is 192.168.10.7. I did a static NAT but it is not working. How do I do it?

ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1
!
redundancy
!
!
track timer interface 5
!
track 1 interface GigabitEthernet0/0 line-protocol
!
track 2 ip sla 1 reachability
 delay down 15 up 10
!
track 3 ip sla 2 reachability
 delay down 15 up 10
!
!
!
!
crypto dynamic-map dynmap 10
 reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/0.116
 description connected to ISP1
 encapsulation dot1Q 116
 ip address x.x.x.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.859
 description connected to ISP2
 encapsulation dot1Q 859
 ip address x.x.x.114 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 172.25.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map Classify
 duplex auto
 speed auto
 standby 1 ip 172.25.10.3
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
!
ip forward-protocol nd
ip forward-protocol udp isakmp
ip forward-protocol udp non500-isakmp
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 30
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload
ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 0.0.0.0 y.y.y.y
ip route 192.168.10.0 255.255.255.0 172.25.10.4
ip route 192.168.16.0 255.255.240.0 172.25.10.4
!
ip sla 1
 icmp-echo x1.x.x.9 source-interface GigabitEthernet0/0.116
 timeout 1000
 threshold 1000
 frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 8x.x.x.113 source-interface GigabitEthernet0/0.859
 timeout 1000
 threshold 1000
 frequency 2
ip sla schedule 2 life forever start-time now
access-list 101 deny   ip host 192.168.10.7 any
access-list 101 permit ip 192.168.10.0 0.0.0.127 any
access-list 101 permit ip 192.168.10.128 0.0.0.63 any
access-list 101 permit ip 192.168.10.192 0.0.0.31 any
access-list 101 permit ip 192.168.10.224 0.0.0.15 any
access-list 101 permit ip 192.168.10.240 0.0.0.7 any
access-list 102 deny   ip host 192.168.10.253 any
access-list 102 permit ip 192.168.10.248 0.0.0.7 any
access-list 103 permit ip 192.168.10.0 0.0.0.127 any
access-list 103 permit ip 192.168.10.128 0.0.0.63 any
access-list 103 permit ip 192.168.10.192 0.0.0.31 any
access-list 103 permit ip 192.168.10.224 0.0.0.15 any
access-list 103 permit ip 192.168.10.240 0.0.0.7 any
access-list 104 permit ip 192.168.10.248 0.0.0.7 any
access-list 105 permit ip host 192.168.10.7 any
!
!
!
!
route-map MAIL-Server permit 10
 match ip address 105
 match interface GigabitEthernet0/0.116
!
route-map MAIL-Server1 permit 10
 match ip address 105
 match interface GigabitEthernet0/0.859
!
route-map Classify permit 10
 match ip address 103
 set ip next-hop verify-availability xxxx1 track 2
 set ip next-hop verify-availability xxxx 2 track 3
!
route-map Classify permit 20
 match ip address 104
 set ip next-hop verify-availability xxxx 1 track 3
 set ip next-hop verify-availability xxxx 2 track 2
!
route-map Classify permit 30
 match ip address 105
 set ip next-hop verify-availability xxxx1 track 2
 set ip next-hop verify-availability xxxx 2 track 3
!
route-map ISP2 permit 20
 match ip address 102 101
 match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
 match ip address 101 102
 match interface GigabitEthernet0/0.116
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
event manager applet Track2down
 event track 2 state down
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translation *"
event manager applet track2UP
 event track 2 state up
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translation *"
event manager applet Track3Down
 event track 3 state down
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translation *"
event manager applet Track3Up
 event track 3 state up
 action 1 cli command "enable"
 action 2 cli command "clear ip nat translation *"
!
end

ASA configuration:

ASA Version 8.2(1)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.25.10.4 255.255.255.0 standby 172.25.10.5
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0 standby 10.20.0.2
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list inbound extended permit tcp any host 192.168.10.7 eq https
access-list inbound extended permit tcp any host 192.168.10.7 eq smtp
access-list inbound extended permit udp any host 192.168.10.7 eq domain
access-list inbound extended permit tcp any host 192.168.10.7 eq 465
access-list inbound extended permit tcp any host 192.168.10.7 eq www
access-list inbound extended permit tcp any host 192.168.10.7 eq domain
access-list inbound extended permit tcp any host 192.168.10.7 eq 9000
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool VPNPOOL 172.30.50.1-172.30.50.254
failover
failover lan unit primary
failover lan interface failover Ethernet0/3
failover link failover Ethernet0/3
failover interface ip failover 172.30.30.1 255.255.255.0 standby 172.30.30.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 172.25.10.3 1
route inside 192.168.10.0 255.255.255.0 10.20.0.3 1
route inside 192.168.16.0 255.255.240.0 10.20.0.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
service resetoutside
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 30
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy risk internal
group-policy risk attributes
 vpn-idle-timeout 30
username teymur password rPv8yXoba0NS97Kb encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool VPNPOOL
 default-group-policy risk
tunnel-group vpnclient ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f493b68e4266780b78498eae53c46b68
: end

13 Replies

cadet alain
VIP Alumni

Hi,

Could you change these 2 static entries:

ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1

with these 2:

ip nat inside source static tcp 192.168.10.7 443 x.x.x.12 9000 extendable
ip nat inside source static tcp 192.168.10.7 443 85.x.x.116 9000 extendable

Regards.

Alain

Don't forget to rate helpful posts.

Neeraj Arora
Level 3

Hi Azimov,

As Alain correctly mentioned, you'd have to change the static NAT commands to port translation, changing port 443 to 9000.

With this solution, you would be facing issues with other services hosted on 192.168.10.7. I am assuming that there are other services hosted on this web server, because you have allowed other ports apart from 443 on your ASA for this IP.

So in my view, your configuration would look something like this:

------------------------------------------------------------------------------------------
route-map Internet1 permit 10
 match interface GigabitEthernet0/0.116
route-map Internet2 permit 10
 match interface GigabitEthernet0/0.859
ip nat inside source static tcp 192.168.10.7 443 x.x.x.12 9000 extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 443 85.x.x.116 9000 extendable route-map Internet2
access-list 105 deny tcp host 192.168.10.7 eq 443 any
access-list 105 permit ip host 192.168.10.7 any
route-map MAIL-Server permit 10
 match ip address 105
 match interface GigabitEthernet0/0.116
route-map MAIL-Server1 permit 10
 match ip address 105
 match interface GigabitEthernet0/0.859
ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1
------------------------------------------------------------------------------------------

The ACL entry "access-list 105 deny tcp host 192.168.10.7 eq 443 any" will prevent the NAT translation from happening via the one-to-one mapping, as we want the HTTPS return traffic to be NATed using the port translation entry.

Hope it helps. Do let us know if you got this issue resolved.

Neeraj

Thank you very much for helping me.

Yes Neeraj, I also have port 25 (SMTP) and IMAPS requests from outside, and on the inside port 25 and DNS (53) are going outside.

As I understand it, my config would be like this, yes?

ip nat inside source static tcp 192.168.10.7 443 x.x.x.12 9000 extendable route-map MAIL-Server
ip nat inside source static tcp 192.168.10.7 443 85.x.x.116 9000 extendable route-map MAIL-Server1

As you see, for port 25 and IMAP the destination and source ports are the same.

ip nat inside source static tcp 192.168.10.7 25 x.x.x.12 25 extendable route-map MAIL-Server
ip nat inside source static tcp 192.168.10.7 imap x.x.x.12 imap extendable route-map MAIL-Server
access-list 105 deny tcp host 192.168.10.7 eq 443 any
access-list 105 deny tcp host 192.168.10.7 eq 25 any
access-list 105 deny tcp host 192.168.10.7 eq imap any
access-list 105 permit ip host 192.168.10.7 any
route-map MAIL-Server permit 10
 match ip address 105
 match interface GigabitEthernet0/0.116
route-map MAIL-Server1 permit 10
 match ip address 105
 match interface GigabitEthernet0/0.859

Is this configuration right?

On the server, port 25 and 53 are going outside. Do I need additional configuration for this?

Thank you very much.

If you are doing port translation using the static command, then you really do not need to have an ACL in the route-map.

The NAT command will only be invoked if the source of the packet is 192.168.10.7. So if you want to use port translation for all the ports being hosted, then the following config would be good for you:

route-map Internet1 permit 10
 match interface GigabitEthernet0/0.116
route-map Internet2 permit 10
 match interface GigabitEthernet0/0.859
ip nat inside source static tcp 192.168.10.7 443 x.x.x.12 9000 extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 443 85.x.x.116 9000 extendable route-map Internet2
ip nat inside source static tcp 192.168.10.7 25 x.x.x.12 25 extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 25 85.x.x.116 25 extendable route-map Internet2
ip nat inside source static tcp 192.168.10.7 imap x.x.x.12 imap extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 imap 85.x.x.116 imap extendable route-map Internet2

** The rest of the traffic going out to the Internet will be taken care of by the overload commands.

How will our traffic (192.168.10.7) from inside with port 25 and 53 exit to the Internet?

Well, if you are talking about the DNS (53) and SMTP (25) queries to outside Internet servers, then, as I mentioned in my previous post, anything initiated from inside going towards the Internet will be taken care of by the NAT overload commands that you already have in your config, NATing the traffic either to the GigabitEthernet0/0.116 or the GigabitEthernet0/0.859 interface.

This holds true even for the 192.168.10.7 server. Any Internet-related activity initiated from this server will be served using the NAT overload commands (PAT).

Only when a packet coming from this server has the source port 443, 25 or imap (which will only happen in the case of return traffic/responses from this server) will the port translation static TCP entries be executed.

Hi again.

As you see in my access-list, I deny 192.168.10.7 traffic, and therefore traffic going to the outside from this server will not participate in NAT overload. It only participates in static NAT:

ip nat inside source static 192.168.10.7 x.x.x.12 route-map MAIL-Server
ip nat inside source static 192.168.10.7 85.x.x.116 route-map MAIL-Server1

In this situation, how will our traffic (192.168.10.7) from inside with port 25 and 53 exit to the Internet?

access-list 101 deny   ip host 192.168.10.7 any
access-list 101 permit ip 192.168.10.0 0.0.0.127 any
access-list 101 permit ip 192.168.10.128 0.0.0.63 any
access-list 101 permit ip 192.168.10.192 0.0.0.31 any
access-list 101 permit ip 192.168.10.224 0.0.0.15 any
access-list 101 permit ip 192.168.10.240 0.0.0.7 any
access-list 102 deny   ip host 192.168.10.253 any
access-list 102 permit ip 192.168.10.248 0.0.0.7 any
access-list 103 permit ip 192.168.10.0 0.0.0.127 any
access-list 103 permit ip 192.168.10.128 0.0.0.63 any
access-list 103 permit ip 192.168.10.192 0.0.0.31 any
access-list 103 permit ip 192.168.10.224 0.0.0.15 any
access-list 103 permit ip 192.168.10.240 0.0.0.7 any
access-list 104 permit ip 192.168.10.248 0.0.0.7 any
access-list 105 permit ip host 192.168.10.7 any
!
route-map ISP2 permit 20
 match ip address 102 101
 match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
 match ip address 101 102
 match interface GigabitEthernet0/0.116
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload

Oops... my bad... I didn't look at the overload ACL earlier.

See, the default behaviour of NAT is: it will prefer static NAT first, then go for dynamic NAT, and then check the PAT/overload statements.

So when you already have port translation entries for the 192.168.10.7 server, you don't need to deny it in the 101 ACL. We use this deny technique if NAT is not behaving properly and not giving static NAT preference.

So I would personally suggest that you remove this line from the 101 ACL:

no access-list 101 deny ip host 192.168.10.7 any

This should enable outgoing traffic to be NATed using the overload statements without adding any more config.
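To make the two points above concrete (Alain's port-translation entry that turns outside port 9000 into the server's port 443, and the static-before-overload ordering Neeraj describes), here is a small Python model of the router's NAT decision, added as an illustration and not part of any post in this thread. It assumes the rules as Neeraj states them (static entries are consulted before overload/PAT; an entry applies only when its route-map's interface and, for overload, one of its ACLs match), ignores translation state and port allocation, and uses constructed documentation addresses in place of the obfuscated x.x.x.12, 85.x.x.116, x.x.x.10 and x.x.x.114.

```python
# Added illustration, not from any post in this thread: a toy model of how the
# router chooses a NAT entry, replaying the cases discussed above. Assumed rules
# (as Neeraj states them): static entries are consulted before overload (PAT);
# an entry applies only when its route-map matches, i.e. the egress interface
# matches and, for overload, one of the ACLs permits the source. Real IOS NAT
# keeps translation state and allocates ports; this model does not. The public
# addresses are constructed stand-ins for the obfuscated x.x.x.12, 85.x.x.116,
# x.x.x.10 and x.x.x.114 in the posted config.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ISP1_IF, ISP2_IF = "GigabitEthernet0/0.116", "GigabitEthernet0/0.859"
ISP1_STATIC, ISP2_STATIC = "192.0.2.12", "198.51.100.116"   # x.x.x.12 / 85.x.x.116
ISP1_IF_IP, ISP2_IF_IP = "192.0.2.10", "198.51.100.114"     # x.x.x.10 / x.x.x.114
MAIL = "192.168.10.7"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class StaticNat:
    """ip nat inside source static [tcp] <local> [<lport>] <global> [<gport>] route-map <rm>,
    with <rm> matching only the egress interface; local_port=None models a 1:1 entry."""
    local_ip: str
    global_ip: str
    egress: str
    local_port: Optional[int] = None
    global_port: Optional[int] = None

@dataclass(frozen=True)
class Overload:
    """ip nat inside source route-map <rm> interface <if> overload,
    with <rm> = 'match ip address <acl> ...' plus 'match interface <if>'."""
    acls: tuple
    global_ip: str
    egress: str

def wc(net: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'network wildcard' pair into a network (ipaddress accepts hostmasks)."""
    return ipaddress.ip_network(f"{net}/{wildcard}")

def host(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/32")

def acl_permits(acl, ip: str) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    addr = ipaddress.ip_address(ip)
    for action, net in acl:
        if addr in net:
            return action == "permit"
    return False

def nat_outbound(pkt: Packet, egress: str, statics, overloads):
    """Inside -> outside. Returns the translated (src_ip, src_port), or None if untranslated."""
    for s in statics:                                   # static entries win
        if (egress == s.egress and pkt.src_ip == s.local_ip
                and (s.local_port is None or pkt.src_port == s.local_port)):
            return (s.global_ip, pkt.src_port if s.global_port is None else s.global_port)
    for o in overloads:                                 # then PAT, if an ACL permits
        if egress == o.egress and any(acl_permits(a, pkt.src_ip) for a in o.acls):
            return (o.global_ip, pkt.src_port)          # real PAT may rewrite the port too
    return None

def nat_inbound(pkt: Packet, ingress: str, statics):
    """Outside -> inside. Returns the translated (dst_ip, dst_port), or None if nothing matches."""
    for s in statics:
        if (ingress == s.egress and pkt.dst_ip == s.global_ip
                and (s.global_port is None or pkt.dst_port == s.global_port)):
            return (s.local_ip, pkt.dst_port if s.local_port is None else s.local_port)
    return None

# ACL 101 and 102 as posted; the 'deny' is the line Neeraj suggests removing.
ACL101_PERMITS = tuple(("permit", wc(n, w)) for n, w in [
    ("192.168.10.0", "0.0.0.127"), ("192.168.10.128", "0.0.0.63"),
    ("192.168.10.192", "0.0.0.31"), ("192.168.10.224", "0.0.0.15"),
    ("192.168.10.240", "0.0.0.7")])
ACL101_WITH_DENY = (("deny", host(MAIL)),) + ACL101_PERMITS
ACL102 = (("deny", host("192.168.10.253")), ("permit", wc("192.168.10.248", "0.0.0.7")))

# The two static variants compared in the thread: the original 1:1 entries and
# the per-port entries (443->9000, 25, imap=143) from Neeraj's second config.
ORIGINAL_STATICS = [StaticNat(MAIL, ISP1_STATIC, ISP1_IF), StaticNat(MAIL, ISP2_STATIC, ISP2_IF)]
PORT_STATICS = [StaticNat(MAIL, g, i, lp, gp)
                for g, i in [(ISP1_STATIC, ISP1_IF), (ISP2_STATIC, ISP2_IF)]
                for lp, gp in [(443, 9000), (25, 25), (143, 143)]]

def overloads_with(acl101):
    """The two 'overload' entries, route-maps ISP1/ISP2 matching ACLs 101 and 102."""
    return [Overload((acl101, ACL102), ISP1_IF_IP, ISP1_IF),
            Overload((acl101, ACL102), ISP2_IF_IP, ISP2_IF)]

def replay() -> dict:
    """Replay the thread's cases via ISP1; keys name the case, values the NAT result."""
    to_9000 = Packet("203.0.113.50", 51000, ISP1_STATIC, 9000)   # constructed outside client
    https_reply = Packet(MAIL, 443, "203.0.113.50", 51000)
    outgoing_smtp = Packet(MAIL, 40000, "203.0.113.25", 25)      # server's own outbound mail
    keep, drop = overloads_with(ACL101_WITH_DENY), overloads_with(ACL101_PERMITS)
    return {
        "inbound 9000, 1:1 static": nat_inbound(to_9000, ISP1_IF, ORIGINAL_STATICS),
        "inbound 9000, port static": nat_inbound(to_9000, ISP1_IF, PORT_STATICS),
        "https reply, port static": nat_outbound(https_reply, ISP1_IF, PORT_STATICS, keep),
        "outgoing smtp, deny kept": nat_outbound(outgoing_smtp, ISP1_IF, PORT_STATICS, keep),
        "outgoing smtp, deny removed": nat_outbound(outgoing_smtp, ISP1_IF, PORT_STATICS, drop),
    }

if __name__ == "__main__":
    for case, result in replay().items():
        print(f"{case:30s} -> {result}")
```

Running it shows why the thread moves the way it does: with the original 1:1 static, an outside connection to port 9000 reaches the server on port 9000 rather than 443, whereas the per-port static delivers it to 443 and translates the server's reply from 443 back to port 9000. Once the 1:1 entries are replaced by per-port entries, the server's own outgoing SMTP (ephemeral source port) matches no static entry, and with the deny still in ACL 101 it matches no overload entry either, so it leaves untranslated; removing the deny lets it be PAT'd to the ISP1 interface address, which is the change Neeraj recommends.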

OK, I understand that I should remove the deny in access-list 101. Then you said it will work normally.

If you look at my configuration, I configured dual ISP in an active/active state. If I change it as you wrote, will all of them still work normally?

Thanks again.

Hi

We couldn't use overload, because we need a static NAT to an IP address which on the ISP side is written in the MX records.

You already have the static NAT statements for x.x.x.12 & 85.x.x.116 for the following ports: 443, 25 & imap, which you can use in MX records, but if you want to host more services then yes, you would prefer having a one-to-one static NAT entry instead of using overload.

Another point I would like to make, although it's quite late in our conversation, is: you are trying to load balance traffic through the two ISP links. This is generally not recommended, as you would not know which interface/link the router will send its response from, so the TCP sessions might not always work as intended. So try and use the two links as backups of each other, both in the default routes as well as in the policy-based routing route-map Classify.

Check this thread for detailed reference:

https://supportforums.cisco.com/message/3542809#3542809

Dear Neeraj Arora, I did the configuration as you wrote, but static NAT did not work. Only dynamic NAT is working.

What is the problem? Can you help me?

Dynamic means that 192.168.10.7 is translated by dynamic NAT.
