ASA 5510 7.0 Port Forwarding problem

Status: Solved

I am killing myself here. Cannot port forward for my life...
I need 4 protocols using TCP to come into one server. I placed a sniffer on to make sure.
Please help me get TCP 443, 7001, 2513 and 2515 inside my network to 192.168.111.36 (Inside) from 2xxx.xxx.xxx.xx8 (Outside).
My router is 2xx.xxx.xxx.xx6
Regards,
Mark
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 2xx.xxx.xxx.xx6 255.255.255.0 
!
interface Ethernet0/1
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.100.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
access-list MetRemote_splitTunnelAcl standard permit any 
access-list outside-entry extended permit tcp any host 2xx.xxx.xxx.96 eq 1433 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 7001 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq https 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2513 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2515 
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 2xx.xxx.xxx.98 
 
nat-control
global (Outside) 1 interface
global (Inside) 200 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.111.0 255.255.255.0
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255 
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255 
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.1 1

Asked by mbeckerman44

2 Solutions

asavener commented:
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 192.168.111.36 eq 2515

It should be:

access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.98 host 2xx.xxx.xxx.xx6 eq 2515


mbeckerman44 (Author) commented:
I tried this and still I cannot see any traffic using Wireshark on the 192.168.111.36 interface from either 2xx.xxx.xxx.x98 (webserver) or 2xx.xxx.xxx.xx6 (Router).

mbeckerman44 (Author) commented:
Here is what I have now.


interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 2xx.xxx.xxx.x96 255.255.255.0 
!
interface Ethernet0/1
 shutdown
 nameif DMZ
 security-level 50
 ip address 10.10.100.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
access-list MetRemote_splitTunnelAcl standard permit any 
access-list outside-entry extended permit tcp any host 2xx.xxx.xxx.x96 eq 1433 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 7001 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq https 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2513 
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2515 
access-list Inside_nat0_outbound extended permit ip host 192.168.111.36 host 2xx.xxx.xxx.x98 
 
nat-control
global (Outside) 1 interface
global (Inside) 200 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 192.168.111.0 255.255.255.0
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255 
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 2515 192.168.111.36 2515 netmask 255.255.255.255 
route Outside 0.0.0.0 0.0.0.0 2xx.xxx.xxx.xx1 1

asavener commented:
Remove this:  nat (Inside) 0 access-list Inside_nat0_outbound

What do you see when you run "show access-list Outside_access_in"?  Does it show a hitcount?

mbeckerman44 (Author) commented:
Removed nat (Inside) 0 access-list Inside_nat0_outbound

Ran clear xlate. Checked website. Still not getting in.

Ran "show access-list Outside_access_in".

HITCOUNT = 0 on all ACLs

access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 7001
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq https
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2513
access-list Outside_access_in extended permit tcp host 2xx.xxx.xxx.x98 host 2xx.xxx.xxx.x96 eq 2515

mbeckerman44 (Author) commented:
On the webserver .98 I can see the packets with DST port 7001 going to .96 (Router). But that is it.

lrmoore commented:
no access-list Outside_access_in
access-list Outside_access_in permit tcp any interface outside eq 7001
access-list Outside_access_in permit tcp any interface outside eq https
access-list Outside_access_in permit tcp any interface outside eq 2513
access-list Outside_access_in permit tcp any interface outside eq 2515

access-group Outside_access_in in interface Outside

mbeckerman44 (Author) commented:
lrmoore,
Doesn't this allow any computer on the internet to send me these protocols and forward them to my inside server? I would like to limit this if possible. I know what computer needs to get to the inside computer and the protocols needed. Maybe I do not know enough about this.

asavener commented:
Is the Webserver Windows-based?

If so, try the connection, then start a command line and run "arp -a".  Does the ASA's IP address and MAC address appear?

asavener commented:
lrmoore's suggestion is temporary, I think, to avoid the possibility of typos.

lrmoore commented:
Yes, make sure you can pass the protocols using "any" then lock it down to sources:

access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 7001
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq https
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 2513
access-list Outside_access_in permit tcp host x.x.x.8 interface outside eq 2515

mbeckerman44 (Author) commented:
Web server and Inside Server are Windows.

The outside server shows the router in the arp table.
The inside server does not show the router in the arp table.

lrmoore - thanks, no disrespect, just trying to be careful of how much I open to the public.

lrmoore commented:
No problem.
The inside server will never show the router in the ARP table because the router is "past" the default gateway, which is the ASA. An ARP entry is a MAC-address-to-IP mapping and your server will never ever see the MAC address of any foreign endpoint. If there is a default gateway assigned to a NIC, ARP does not play because it just automagically sends the traffic to the gateway, and the gateway "is" in the ARP cache.

asavener commented:
The inside server should have an ARP entry for 192.168.111.1.

The outside server should have an ARP entry for 2xx.xxx.xxx.x96.

If the inside has received no traffic, then it won't have an ARP entry; if you try to ping 192.168.111.1 from the inside server then an ARP entry should appear.  (Please verify this.)

You can also look at the ARP table on the ASA ("show arp") to make sure it can see both of the servers.

mbeckerman44 (Author) commented:
Ok Network Diagram time...

(WebServer) 2xxx.xxx.xxx.x98 connected to (ASA/Outside Interface) 2xx.xxx.xxx.x96 connected to (ASA/Inside Interface) 192.168.111.1 connected to (Application/Inside Server) 192.168.111.36.

mbeckerman44 (Author) commented:
ARP.

ASA shows both
Webserver shows ASA
Inside Server shows ASA after ping only

mbeckerman44 (Author) commented:
By the way, if I remove the ASA and replace it with the old firewall, everything works fine.

lrmoore commented:
Have you tried the access-list exactly as I demonstrated?
It will work.

access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq 7001
access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq https
access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq 2513
access-list Outside_access_in permit tcp host 2x.x.x.98 interface outside eq 2515
access-group Outside_access_in in interface Outside
 
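The check below is an added illustration, not code from this thread or from Cisco: a small Python lint for a pre-8.3 ASA port-forward config that flags the failure modes the thread walked through, an inbound ACE aimed at the real inside address instead of the mapped outside address (the hitcount-0 symptom), a static with no ACE on its mapped port, an ACL that was never bound with access-group, and a source of any left in place after testing. The sample config, the PORT_NAMES table and the parsing helpers are constructed here, with RFC 5737 addresses standing in for the masked public ones.

```python
# Added checker, not from the thread: lint pre-8.3 ASA port-forward config for the failure
# modes above. Constructed sample; 203.0.113.0/24 (RFC 5737) stands in for the masked public IPs.
SAMPLE_CONFIG = """\
 nameif Outside
 ip address 203.0.113.96 255.255.255.0
access-list Outside_access_in extended permit tcp host 203.0.113.98 host 192.168.111.36 eq 7001
access-list Outside_access_in extended permit tcp host 203.0.113.98 host 203.0.113.96 eq https
access-list Outside_access_in extended permit tcp any interface Outside eq 2513
static (Inside,Outside) tcp interface https 192.168.111.36 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 7001 192.168.111.36 7001 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2513 192.168.111.36 2513 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""
PORT_NAMES = {"https": "443", "www": "80"}  # ASA port keywords -> numbers

def spec(t, i):  # one ACE address spec at t[i] -> (kind, value, next index)
    if t[i] == "any":
        return "any", None, i + 1
    return t[i], t[i + 1], i + 2  # host <ip> | interface <nameif> | <addr> <mask>

def lint(config):  # returns a list of finding strings; empty means nothing flagged
    cur, outside_ip, bound, aces, statics, out = "", None, set(), [], [], []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["nameif"]:
            cur = t[1].lower()
        elif t[:2] == ["ip", "address"] and cur == "outside":
            outside_ip = t[2]
        elif t[:1] == ["static"]:  # static (real,mapped) tcp <mapped> <mport> <real> <rport>
            statics.append((t[3], PORT_NAMES.get(t[4], t[4]), t[5]))
        elif t[:1] == ["access-list"] and "permit" in t and "tcp" in t:  # assumes "eq <port>" ACEs
            i = t.index("tcp") + 1
            src, _, i = spec(t, i)
            dkind, dval, i = spec(t, i)
            aces.append((t[1], src, dkind, dval, PORT_NAMES.get(t[i + 1], t[i + 1])))
        elif t[:1] == ["access-group"]:
            bound.add(t[1])
    for acl in {a[0] for a in aces} - bound:
        out.append(f"{acl}: defined but never applied with access-group")
    for acl, src, dkind, dval, prt in aces:
        if dkind == "host" and dval in {s[2] for s in statics}:
            out.append(f"{acl} eq {prt}: dst {dval} is the real inside address; pre-8.3 ACLs "
                       "match the mapped (outside) address, so this ACE never hits")
        if src == "any":
            out.append(f"{acl} eq {prt}: source 'any' is wide open; restrict once it works")
    for mapped, mport, real in statics:
        if not any(dv and dv.lower() in ("outside", outside_ip) and p == mport
                   for _, _, _, dv, p in aces):
            out.append(f"static {mapped} {mport} -> {real}: no ACE permits the mapped port")
    return out
```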
 
asavener commented:
Swapping out devices like that can confuse the ARP entries.  Can you verify that the ARP entry on the outside server matches the MAC address of the ASA?

mbeckerman44 (Author) commented:
lrmoore,
You are a genius... LOL
Yes, this worked. Oh my God, I get to sleep tonight.

asavener,
Thank you so much for your help also.

mbeckerman44 (Author) commented:
Thanks so much for the help. Now I get to remove my straitjacket.