  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 856

ASA Port Forwarding a Range

Why does it seem that Cisco makes it so difficult to forward a range of ports?  Or why can't I make a static NAT translation where the incoming port is dynamic, but the destination port is fixed?  Then again, maybe it can be done, but I haven't found a way.  Other firewall vendors make port forwarding a range a piece of cake.  Why not for Cisco?  I'm using an ASA5505.

Regards,
Scott
0
Asked by: namelkcip
1 Solution
 
Pete Long (Consultant) commented:
Cisco don't make it difficult - it simply cannot be done at all.
The whole stateful algorithm that the ASA is built on revolves around Port Address Translation - port forwarding requires a single PAT entry, and one needs doing for each port.
0
 
stsonline commented:
>> where the incoming port is dynamic, but the destination port is fixed

Cisco firewall OSes don't care what the source port is, all the PAT is concerned about is the destination port. For example, your server may generate a web request on a source port of 38299, but as long as the destination port is 80 you can write a PAT for it.

If you explain what you're trying to do I'm pretty sure someone can help you.
0
 
namelkcip (Author) commented:
I am trying to expose the necessary voice ports for my phone system [Allworx] to a static outside public IP.  I tried performing a static one-to-one NAT with ACLs to permit traffic, but that didn't forward ports.  This is how it worked with my Netscreen firewall, and I thought a similar concept would apply to the ASA.  For example, my phone system needs ports 15000-15511 open in order to register to the SIP proxy.  I could not get it to register using the static one-to-one NAT with ACLs, but once I performed static NAT statements for each port individually, it worked.  Following that, I was not able to get a dial tone, and I may need to troubleshoot further with my VoIP proxy, but I figured with those ports open, as well as 5060 for call setup/tear down, I expected to at least get a dial tone.  Again, there is a list of ports that need to be open for this to work:

Outside - 66.162.x.x
Inside - 192.168.x.x

Forward ports:
UDP 5060
UDP 2088
UDP 15000-15511
UDP 16384-32767
TCP 8081

If anyone wants config posted, just let me know.

Regards,
Scott
0
 
Pete Long (Consultant) commented:
Hi Scott
>>to a static outside public IP
You need a DIFFERENT outside IP address to the one on the outside interface, then you assign a STATIC translation from that external IP address to the internal IP of your phone system - then you can allow a range.
e.g. I'll assume your outside IP address is 123.123.123.123 - you need another public IP (speak to your ISP if you haven't got a spare one); let's say you have 123.123.123.124.
Add the following to your config:
names
name 123.123.123.124 Phone-External
name 192.168.1.100 Phone-Internal
!
! one-to-one static NAT (pre-8.3 syntax): spare public IP <-> phone system
static (inside,outside) Phone-External Phone-Internal netmask 255.255.255.255
!
! one service group per protocol, so the UDP ranges are not also opened on TCP
object-group service Phone-UDP udp
 port-object eq 5060
 port-object eq 2088
 port-object range 15000 15511
 port-object range 16384 32767
object-group service Phone-TCP tcp
 port-object eq 8081
!
! pre-8.3 ACLs match the mapped (public) address; 'host' is required before a single IP
access-list inbound extended permit udp any host Phone-External object-group Phone-UDP
access-list inbound extended permit tcp any host Phone-External object-group Phone-TCP
access-group inbound in interface outside

If you can't get another public IP then you have to port forward, and that means a static for EVERY port.
You only have two options - what's above, or writing hundreds of static commands.
 
Pete
0
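The two options Pete describes (a spare public IP with one static NAT and an ACL carrying the ranges, or one static per port when no spare IP exists) differ mainly in how much config you have to type and, later, audit. The following is an added example, not code from the thread or from Cisco: a small Python generator that renders both variants from one port list. Assumptions: the port list is the one from the question, the addresses are the thread's placeholders (123.123.123.124 public, 192.168.1.100 inside), the interfaces are named inside/outside, option 1 is emitted in ASA 8.3+ object-NAT syntax (where ACLs match the real inside address) and option 2 in pre-8.3 `static` syntax (where ACLs match the mapped address, here the outside interface itself). The object name "Phone" is arbitrary.

```python
"""Render Cisco ASA configuration for exposing a port list to one inside host.

Option 1 (spare public IP): one static NAT plus an inbound ACL that carries
the port ranges, in ASA 8.3+ object-NAT syntax.
Option 2 (no spare IP): one static PAT line per port on the outside interface,
in pre-8.3 syntax, plus the same ACL written against the interface address.
Added example; addresses are the thread's placeholders, not real hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class PortRule:
    proto: str   # "tcp" or "udp"
    first: int
    last: int    # equal to first for a single port

    def __post_init__(self):
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.proto!r}")
        if not 1 <= self.first <= self.last <= 65535:
            raise ValueError(f"bad port range {self.first}-{self.last}")

    @property
    def count(self) -> int:
        return self.last - self.first + 1


# Port list as given in the question.
ALLWORX_RULES = [
    PortRule("udp", 5060, 5060),
    PortRule("udp", 2088, 2088),
    PortRule("udp", 15000, 15511),
    PortRule("udp", 16384, 32767),
    PortRule("tcp", 8081, 8081),
]


def total_ports(rules) -> int:
    """Individual ports covered, i.e. how many 'static' lines option 2 needs."""
    return sum(r.count for r in rules)


def service_groups(name, rules):
    """One object-group per protocol so UDP ranges are never opened on TCP too."""
    by_proto = {}
    for r in rules:
        by_proto.setdefault(r.proto, []).append(r)
    lines = []
    for proto in sorted(by_proto):
        lines.append(f"object-group service {name}-{proto.upper()} {proto}")
        for r in by_proto[proto]:
            if r.first == r.last:
                lines.append(f" port-object eq {r.first}")
            else:
                lines.append(f" port-object range {r.first} {r.last}")
    return lines, sorted(by_proto)


def range_forward_config(public_ip, inside_ip, rules, name="Phone"):
    """Option 1 (8.3+). The ACL references the network object (real address),
    because post-8.3 ACLs are evaluated before NAT."""
    ip_address(public_ip)   # fail early on a typo in either address
    ip_address(inside_ip)
    lines = [
        f"object network {name}-Internal",
        f" host {inside_ip}",
        f" nat (inside,outside) static {public_ip}",
    ]
    groups, protos = service_groups(name, rules)
    lines += groups
    for proto in protos:
        lines.append(f"access-list inbound extended permit {proto} any "
                     f"object {name}-Internal object-group {name}-{proto.upper()}")
    lines.append("access-group inbound in interface outside")
    return lines


def per_port_forward_config(inside_ip, rules, name="Phone"):
    """Option 2 (pre-8.3). Port static PAT on the outside interface address, one
    line per port; pre-8.3 ACLs match the mapped address, i.e. the interface."""
    ip_address(inside_ip)
    lines = []
    for r in rules:
        for port in range(r.first, r.last + 1):
            lines.append(f"static (inside,outside) {r.proto} interface {port} "
                         f"{inside_ip} {port} netmask 255.255.255.255")
    groups, protos = service_groups(name, rules)
    lines += groups
    for proto in protos:
        lines.append(f"access-list inbound extended permit {proto} any "
                     f"interface outside object-group {name}-{proto.upper()}")
    lines.append("access-group inbound in interface outside")
    return lines


if __name__ == "__main__":
    print("\n".join(range_forward_config("123.123.123.124", "192.168.1.100", ALLWORX_RULES)))
    print(f"! option 2 would need {total_ports(ALLWORX_RULES)} static lines")
```

For the list in the question, option 2 comes to 16,899 `static` lines, which is the practical reason to get the spare address. After pasting either variant, check the translation and the ACL hit in one go with `packet-tracer input outside udp <some-source-ip> 40000 123.123.123.124 5060` and confirm the entry with `show xlate`; a drop at the ACL phase almost always means the ACL was written against the wrong (real vs. mapped) address for the ASA version in use.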
 
namelkcip (Author) commented:
Pete -

I have a public Class C, so no problems with enough addresses.  However, in order to get this to work, would I then have to put a router in front of my ASA and use private addressing on my outside and inside interfaces and then route my Class C addresses through the firewall to their private internal destinations?  If that will work, I believe I'm all set.
0
 
Pete Long (Consultant) commented:
No - I'm assuming you have one of those IP addresses on the outside of the ASA already? In that case, the code I posted above will work fine :)
0
 
namelkcip (Author) commented:
Pete -

The outside interface is the .1 address of that public Class C, and the public address being used for the Allworx box is the first available (.2) on that same subnet.  If I am understanding that this is ok, I had already tried the static NAT with ACL and it didn't work.  I think I need to try again.  I have to wait until downtime tomorrow.  Can't futz with it during the week.
0
 
Pete Long (Consultant) commented:
>> If I am understanding that this is ok,
Yes :)
0
 
namelkcip (Author) commented:
Still working at it ...
0
 
namelkcip (Author) commented:
Commands didn't translate 100% to the ASA, but that's what IOS help is for.  Thanks Pete.
0
 
Pete Long (Consultant) commented:
ThanQ
0
