ASA 5510 7.0 Port Forwarding problem

mbeckerman44 asked (Medium Priority, 440 Views, Last Modified: 2012-05-07):
I am killing myself here. Cannot port forward for my life...
I need 4 protocols using TCP to come into one server. I placed a sniffer on to make sure.
Please help me get TCP 443, 7001, 2513 and 2515 inside my network to 192.168.111.36 (Inside) from 2xxx.xxx.xxx.xx8 (Outside).
My router is 2xx.xxx.xxx.xx6
Regards,
Mark
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 2xx.xxx.xxx.xx6 255.255.255.0 
!
interface Ethernet0/1
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.100.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
access-list MetRemote_splitTunnelAcl standard permit any 
access-list outside-entry extended permit tcp any host 2xx.xxx.xxx.96 eq 1433 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 7001 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq https 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2513 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2515 
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 2xx.xxx.xxx.98 
 
nat-control
global (Outside) 1 interface
global (Inside) 200 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.111.0 255.255.255.0
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255 
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255 
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.1 1


CERTIFIED EXPERT

Commented:
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2515

It should be:

access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 2515



Author

Commented:
I tried this and still I cannot see any traffic using Wireshark on the 192.168.111.36 interface from either 2xx.xxx.xxx.x98 (webserver) or 2xx.xxx.xxx.xx6 (router).

Author

Commented:
Here is what I have now.


interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 2xx.xxx.xxx.x96 255.255.255.0 
!
interface Ethernet0/1
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.100.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
access-list MetRemote_splitTunnelAcl standard permit any 
access-list outside-entry extended permit tcp any host 2xx.xxx.xxx.x96 eq 1433 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 7001 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq https 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2513 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2515 
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 2xx.xxx.xxx.x98 
 
nat-control
global (Outside) 1 interface
global (Inside) 200 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.111.0 255.255.255.0
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255 
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255 
route Outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.xx1 1


CERTIFIED EXPERT

Commented:
Remove this:  nat (Inside) 0 access-list Inside_nat0_outbound

What do you see when you run "show access-list Outside_access_in"?  Does it show a hitcount?

Author

Commented:
Removed nat (Inside) 0 access-list Inside_nat0_outbound

Ran clear xlate. Checked website. Still not getting in.

Ran "show access-list Outside_access_in"

HITCOUNT = 0 on all ACLs

access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2515

Author

Commented:
On the webserver .98 I can see the packets with DST port 7001 going to .96 ( Router). But that is it.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
no access-list Outside_access_in
access-list Outside_access_in permit tcp any interface outside eq 7001
access-list Outside_access_in permit tcp any interface outside eq https
access-list Outside_access_in permit tcp any interface outside eq 2513
access-list Outside_access_in permit tcp any interface outside eq 2515

access-group Outside_access_in in interface Outside

Author

Commented:
lrmoore,
Doesn't this allow any computer on the internet to send me these protocols and forward them to my inside server? I would like to limit this if possible. I know what computer needs to get to the inside computer and the protocols needed. Maybe I do not know enough about this.
CERTIFIED EXPERT

Commented:
Is the Webserver Windows-based?

If so, try the connection, then start a command line and run "arp -a".  Does the ASA's IP address and MAC address appear?
CERTIFIED EXPERT

Commented:
lrmoore's suggestion is temporary, I think, to avoid the possibility of typos.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Yes, make sure you can pass the protocols using "any" then lock it down to sources:

access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 7001
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq https
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 2513
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 2515
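
The two corrections in this thread are both checkable mechanically: on pre-8.3 ASA code the inbound ACL on the outside interface must match the mapped address (the interface address, or `interface outside`), not the real inside address; and the source should be pinned to the one peer rather than `any`. The following is an added example, not code from the thread, from Cisco or from either expert: a small Python lint that parses old-style `static`, `access-list`, `access-group` and `nat ... 0 access-list` lines and reports those conditions, plus the `nat 0` exemption that the first expert asked to be removed (NAT exemption outranks static in the pre-8.3 NAT order, so it can shadow the PAT). The sample config is constructed from the first posting with RFC 5737 placeholder public addresses; `lint`, `PORT_NAMES`, `SAMPLE` and `FIXED` are names chosen here, and the checker assumes TCP statics and destination `eq` port matches only.

```python
"""Lint a pre-8.3 Cisco ASA/PIX config for the static-PAT mistakes discussed above.

Added example, not code from the thread or from Cisco. Assumptions: TCP statics only,
destination `eq` port matches only (no source-port or range matches), interface names
compared case-insensitively; public addresses in the sample are RFC 5737 placeholders.
"""
import re

PORT_NAMES = {"https": 443, "www": 80, "http": 80, "ssh": 22, "smtp": 25, "ftp": 21}
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\w+) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
NAT0_RE = re.compile(r"^nat \(\w+\) 0 access-list (\S+)")

def port_num(tok):  # ASA port keyword or number -> int
    return PORT_NAMES[tok.lower()] if tok.lower() in PORT_NAMES else int(tok)

def parse_addr(toks):  # consume one address spec -> ((kind, value), remaining tokens)
    if toks[0] == "any":
        return ("any", None), toks[1:]
    if toks[0] == "host":
        return ("host", toks[1]), toks[2:]
    if toks[0] == "interface":
        return ("interface", toks[1].lower()), toks[2:]
    return ("subnet", (toks[0], toks[1])), toks[2:]

def parse_ace(rest):  # text after the protocol -> (src, dst, dst_port or None)
    src, toks = parse_addr(rest.split())
    dst, toks = parse_addr(toks)
    port = port_num(toks[1]) if len(toks) >= 2 and toks[0] == "eq" else None
    return src, dst, port

def lint(config):
    """Return (level, message) findings: ERROR for a forward that cannot work, WARN for exposure."""
    ifaces, statics, acls, groups, nat0, cur = {}, [], {}, {}, set(), None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            cur = line.split()[1].lower()
        elif line.startswith("ip address ") and cur:
            ifaces[cur] = line.split()[2]
        elif m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped, mport, real, rport = m.groups()
            mapped_ip = ifaces.get(mapped_if.lower()) if mapped == "interface" else mapped
            statics.append((mapped_if.lower(), mapped_ip, port_num(mport), real, port_num(rport)))
        elif m := ACL_RE.match(line):
            name, proto, rest = m.groups()
            acls.setdefault(name, []).append((proto,) + parse_ace(rest))
        elif m := GROUP_RE.match(line):
            groups[m.group(2).lower()] = m.group(1)
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))

    findings = []
    for mapped_if, mapped_ip, mport, real, rport in statics:
        acl = groups.get(mapped_if, "")      # "" -> no inbound ACL bound on the mapped interface
        permitted = False
        for proto, src, dst, port in acls.get(acl, []):
            if proto not in ("tcp", "ip") or port not in (None, mport):
                continue
            if dst == ("host", real):        # the thread's original mistake
                findings.append(("ERROR", f"{acl}: ACE for port {mport} matches the real address {real}; pre-8.3 it must match the mapped address ({mapped_ip} / interface {mapped_if})"))
            elif dst in (("host", mapped_ip), ("interface", mapped_if), ("any", None)):
                permitted = True
                if src == ("any", None):
                    findings.append(("WARN", f"{acl}: port {mport} to {real} is open from any source"))
        if not permitted:
            findings.append(("ERROR", f"{acl or 'no inbound ACL'}: nothing permits {mapped_ip}:{mport}; {real}:{rport} is dropped"))
    for real in sorted({s[3] for s in statics}):
        if any(ace[1] == ("host", real) for n in nat0 for ace in acls.get(n, [])):
            findings.append(("WARN", f"nat 0 exemption covers {real}; exemption outranks static and can shadow the PAT"))
    return findings

# Constructed sample modelled on the thread's first posting (addresses are placeholders).
SAMPLE = """\
interface Ethernet0/0
 nameif Outside
 ip address 203.0.113.6 255.255.255.0
access-list Outside_access_in extended permit tcp host 203.0.113.8 host 192.168.111.36 eq https
access-list Outside_access_in extended permit tcp any interface Outside eq 2513
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 203.0.113.8
nat (Inside) 0 access-list Inside_nat0_outbound
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""

# The same config with the thread's visible advice applied: ACEs match the mapped
# (interface) address, sources are pinned to the one peer, 2515 gets an ACE, nat 0 goes.
FIXED = (SAMPLE.replace("host 192.168.111.36 eq", "interface Outside eq")
         .replace("any interface Outside eq 2513", "host 203.0.113.8 interface Outside eq 2513\n"
                  "access-list Outside_access_in extended permit tcp host 203.0.113.8 interface Outside eq 2515")
         .replace("nat (Inside) 0 access-list Inside_nat0_outbound\n", ""))
```

Running `lint(SAMPLE)` reproduces the thread's symptoms (zero hit counts, no traffic reaching the inside host): the https ACE is flagged for matching 192.168.111.36, 2515 has no ACE at all, 2513 is open to the world, and the exemption entry is warned about; `lint(FIXED)` returns nothing. The checker only understands the pre-8.3 syntax on this page; 8.3 and later use object NAT and ACLs written against real addresses, so it is not applicable there.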

Author

Commented:
Web server and Inside Server are Windows.

The outside server shows the router in the arp table.
The inside server does not show the router in the arp table.

lrmoore - thanks, no disrespect, just trying to be careful of how much I open to the public.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
No problem..
The inside server will never show the router in the ARP table because the router is "past" the default gateway, which is the ASA. An ARP entry is a MAC-address-to-IP mapping, and your server will never ever see the MAC address of any foreign endpoint. If there is a default gateway assigned to a NIC, ARP does not play, because it just automagically sends the traffic to the gateway, and the gateway "is" in the ARP cache.
CERTIFIED EXPERT

Commented:
The inside server should have an ARP entry for 192.168.111.1.

The outside server should have an ARP entry for 2xx.xxx.xxx.x96.



If the inside has received no traffic, then it won't have an ARP entry; if you try to ping 192.168.111.1 from the inside server then an ARP entry should appear.  (Please verify this.)

You can also look at the ARP table on the ASA ("show arp") to make sure it can see both of the servers.

Author

Commented:
Ok Network Diagram time...

(WebServer)2xxx.xxx.xxx.x98 connected to (ASA/Outside Interface)2xx.xxx.xxx.x96 connected to (ASA/Inside Interface)192.168.111.1 connected to (Application/Inside Server)192.168.111.36.

Author

Commented:
ARP.

ASA shows both
Webserver shows ASA
Inside Server shows ASA after ping only

Author

Commented:
By the way if I remove the ASA and replace with old Firewall everything works fine.
[Two further expert comments, including the accepted solution, are locked behind the site's free-trial preview and are not shown.]

Author

Commented:
lrmoore,
You are a genius.. LOL
Yes this worked. Oh my GOD I get to sleep tonight.

asavener.
Thank you so much for your help also.

Author

Commented:
Thanks so much for the help. Now I get to remove my straitjacket.