jerryhatt asked:
Cisco ASA5505 port forwarding

Hi,
I am trying to open port 44111 and have a Cisco ASA5505 which sits behind a BT ADSL router.

On the Cisco I have an inside address of 10.1.1.1 and an outside address of 192.168.10.253

I am configuring through ASDM 6.3 and cannot work out how to set up the correct forwarding/translation rule.

I have set up the forwarding on the ADSL router (192.168.10.252) to allow 44111 traffic to the Cisco (192.168.10.253) but with no success.

Any help would be appreciated. Thanks
guitar7man:
Are you seeing the port 44111 traffic on the outside interface of your ASA?

If you do not know, this would be handy information to find out first. If you setup the firewall to syslog to somewhere, you could look at the logs. Or you could just setup a packet capture on the outside interface and see if you're getting that traffic.

Example for packet capture:
access-list cap permit ip any any eq 44111
capture out access-list cap buffer 1000000 interface outside pac 1500

Then if you want to view the packet capture, you would run a "show cap out" on the CLI. I'm sure there is a way to do it within the ASDM, but I use that thing as little as possible so I couldn't tell you where to look in that thing.

If you're getting the packets at the ASA, then the problem is with the ASA config. If not, the problem is with the router's port forwarding.

If problem with the ASA, can you post the config?
There is an answered question how to port forward traffic using ASDM

https://www.experts-exchange.com/questions/23088606/Port-Forwarding-using-ASDM.html

It is much faster and simpler to do it via console. Here is an example (also from experts exchange)

https://www.experts-exchange.com/questions/22565747/Port-forwarding-with-Cisco-ASA-5505-NAT-PAT.html

HTH

Chris
jerryhatt (ASKER):
Thanks for the responses although I am having trouble configuring perhaps because the ASA is behind an ADSL router with a 192 address.

I cannot run the packet capture command as it errors:
Result of the command: "access-list cap permit ip any any eq 44111"
access-list cap permit ip any any eq 44111
                                  ^
ERROR: % Invalid input detected at '^' marker.

I have set up 44111 forwarding from the ADSL router (192.168.1.253) to the external interface IP address of the Cisco box - 192.168.1.253

When I look at the pasted examples above they relate to an older version of ASDM which has different syntax.

I will attach an image of the Add NAT Rule screen as this is puzzling me.


[attachment: cisco.jpg]
Sorry - typo. Try access-list cap permit tcp any any eq 44111

Note you also have to be in config terminal mode.

Yeah I'm not familiar with the ASDM. But the packet capture will tell you if the packets are making it to the firewall. This tells you where you need to focus your attention on - being the router or the firewall. If you see the packets in the capture, the router is good and you can focus on the firewall. If it's not getting to the firewall, then we have to look at the router first.

If the cap shows it's the firewall, a config post would help tremendously.
Thanks guitar7man, I have captured the packets that are arriving at the Cisco, so ADSL forwarding is correct.

All I need to do now is to add the correct NAT rule and forward it. I will attempt this now and report back.

How do I stop it capturing the port data btw?
To stop:
no cap out
clear conf access-l cap

To create the NAT, you could do it a couple ways, but on the CLI you could try:

static (inside,outside) tcp 1.2.3.4 44111 a.b.c.d X netmask 255.255.255.255

Where 1.2.3.4 equals the destination IP (assuming 192.168.10.253?) and a.b.c.d is the NAT'd destination IP, and X is the intended port. If you don't need to PAT (port translation), you could skip that part and just do something like:

static (inside,outside) 1.2.3.4 a.b.c.d netmask 255.255.255.255
Thanks, tried this:
static (inside,outside) 192.168.10.253 10.1.1.50 netmask 255.255.255.255

192.168.10.253 is the IP of the Cisco and 10.1.1.50 is the PC behind the Cisco

It says syntax is deprecated however. I had a look at help nat and got this:

USAGE:
      
  [no] nat [(real_ifc,mapped_ifc)]
         [<line>| {after-auto [<line>]}]
         source {static|dynamic} {<src-obj-or-grp>| any} {{any| <m-src-or-grp>} [interface]}| interface
         [destination static {<m-dst-obj-or-grp> [interface]}| interface {<dst-obj-or-grp>| any}
         [service {<src-dst-svc-obj>| any>} <m-src-dst-svc-obj>]
         [dns] [unidirectional] [inactive] [description <desc>]

  show nat [interface <real_ifc>] [<real_ip> <real_mask>|
           object <real-obj-name>| object-group <real-obj-grp-name>]
           [translated [interface <mapped_ifc>]
           [<mapped_ip> <mapped_mask>| object <mapped-obj-name>|
           object-group <mapped-obj-grp-name>]]
           [detail]
           [pool]

  clear nat counters [interface <real_ifc>] [<real_ip> <real_mask>|
            object <real-obj-name>| object-group <real-obj-grp-name>]
            [translated [interface <mapped_ifc>]
            [<mapped_ip> <mapped_mask>| object <mapped-obj-name>|
            object-group <mapped-obj-grp-name>]]

DESCRIPTION:

nat      Configure, display or clear NAT policy counters

SYNTAX:

<line>                       Position of the rule to be added within section-1
after-auto <line>            Position of the rule to be added within section-3
source                       Beginning of source specific parameters
static | dynamic             Source NAT translation mode
service                      Beginning of service parameters
destination                  Beginning of destination specific parameters
static                       Destination NAT translation mode
<src-obj-or-grp>             Real source network object or object-group name
<msrc-obj-or-grp>            Mapped source network object or object-group name
<dst-src-or-grp>             Real destination network object or object-group name
<mdst-src-or-grp>            Mapped destination network object or object-group name
any                          Keyword to match any, wildcard 0.0.0.0
<src-dst-svc-obj>            Real singleton service object names,
                             includes both source & destination ports
<m-src-dst-svc-obj>          Mapped singleton service object names,
                             includes both source & destination ports
dns                          Overwrite embedded addresses in DNS reply
unidirectional               Configure per-session static NAT
inactive                     Disable a rule
description <desc>           Short comment to describe the rule
interface                    Keyword to specify interface
object                       Keyword to specify a network/service object
object-group                 Keyword to specify a network object-group
translated                   Keyword to specify mapped parameters
pool                         Keyword to display NAT/ PAT pool usage
real_ifc                   Specify real interface to filter
real_ip                         Specify real IP address to filter
real_mask                   Specify mask for real IP address
real-obj-name                Specifiy the real object name to filter
real-obj-grp-name            Specify the real object-group name to filter
mapped_ifc                   Specify destination interface to filter
mapped_ip                   Specify destination IP address to filter
mapped_mask                   Specify mask for destination IP address
mapped-obj-name              Specifiy the mapped object name to filter
mapped-obj-grp-name          Specify the mapped object-group name to filter

Note:
1. Old NAT commands - static, global, alias, nat-control have been deprecated
   and the functionality may be achieved by using the new 'nat' command.
   Please refer to documentation for more details.
2. The interface fallback is supported only for dynamic NAT.
3. The unidirectional option is supported only for static NAT.
4. Service objects having protocols other than TCP or UDP are not supported.

see also:   object, object-group
It says it's deprecated on the ASA? Maybe that's just for the lower-end models? I use that command all the time on my company's ASAs without a problem. Weird. Did it still take the command though if you do a "show run static"?

Here's a Cisco ASDM walkthrough I found for NAT - http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/dmz.html. You'll need to adjust for what you're trying to do obviously.

Also, you'll want to make sure your rules allow for port 44111 inbound.
Thanks,

This is one of the captured packets if that helps:

24: 09:22:55.098414 802.1Q vlan#2 P0 204.152.200.186.20424 > 192.168.10.253.44111: S 1151194551:1151194551(0) win 5840 <mss 1460,sackOK,timestamp 262096470 0,nop,wscale 7>

My (incorrect) NAT configuration is:

nat (outside,inside) source static any any service 44111 44111

44111 is what I called the service I added in the services section. I am not sure where to put the IPs which I probably need instead of any any
My confusion is regarding the description of where things are going.

By 'destination' I am assuming the inside network address of the PC?

I do not know where the 'source' is. Is this the outside interface of the Cisco or the ADSL router?

Apologies for all the questions.
I'm not sure man... can you post the config? "Show run"

I still don't get why you can't run that static command.
This is a brand new ASA and apparently the syntax has changed and you have to enter something like: nat (inside,outside) source static etc.

Perhaps you could answer a couple of questions that might help me understand how to format the command.

From your previous post:
static (inside,outside) tcp 1.2.3.4 44111 a.b.c.d X netmask 255.255.255.255
Where 1.2.3.4 equals the destination IP (assuming 192.168.10.253?) and a.b.c.d is the NAT'd destination IP, and X is the intended port. If you don't need to PAT (port translation), you could skip that part and just do something like:

What is meant by DESTINATION IP? Is this the final destination, i.e. my PC's IP address on the network, or the outside interface of the Cisco that is receiving the packet?

What is the NAT'd destination IP? I thought this would be my computer's IP address?

Where X is the intended port - I need to have port 44111 open and forwarded to my PC so could X be anything other than 44111?

Thanks again. I will post config but have removed the nat entries I have tried as they were complete rubbish.
Here's the config. I have opened the firewall to everything for troubleshooting and the NAT rule works for browsing.

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.10.253 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network PC
 host 10.1.1.50
object service 44111TCP
 service tcp source eq 44111 destination eq 44111
object service 44111UDP
 service udp source eq 44111 destination eq 44111
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Port44111 tcp-udp
 port-object eq 44111
access-list global_access extended permit ip any any
access-list cap extended permit tcp any any eq 44111
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group global_access global
route outside 0.0.0.0 0.0.0.0 192.168.10.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.1.50-10.1.1.81 inside
dhcpd dns 192.168.10.252 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:c62ee30cc17f2be2143345ad3bd4a7cd
: end
ASKER CERTIFIED SOLUTION
guitar7man
Thanks for the excellent explanation.

Unfortunately none of the commands work. I have done lots more reading about the new format commands and it seems everything is moving to object/group based commands. I have found lots of forums with people having the same issues but no real resolutions.

If I create a network object called outside, with 192.168.10.253 as the member, an object called MyPC with 10.1.1.50 as the member and a TCP group called 44111TCP, the command as I understand it should go:

nat (inside,outside) source static outside outside destination MyPC MyPC service 4411TCP 4411TCP

This does not work and believe me I have tried every permutation and swap around I can muster.
The double entry for each object is apparently pre and post nat.

When testing I can see the request coming in on the correct port and ASA translates it to a random port, telling me it is not picking up the rule. gah. At least I'm not the only one. About to start on process to downgrade the asa.
Downgraded to 8.22, ran:

static (inside,outside) tcp interface 44111 10.1.1.50 44111 netmask 255.255.255.255

command and port open. 2 mins flat. thanks for all your help!
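For readers who stay on ASA 8.3 or later rather than downgrading, the object-NAT equivalent of the 8.2 `static` command that finally worked, with an inbound rule narrower than the posted `permit ip any any` and a packet-tracer check to confirm the rule matches. This is an added example, not part of the thread: the interface names, the host 10.1.1.50 and port 44111 come from the posted config; the object name PC_44111, the ACL name outside_access_in and the client address 203.0.113.10 are assumed or constructed.

```text
! Object NAT (ASA 8.3+): forward TCP 44111 arriving on the outside interface
! address (192.168.10.253 here) to 10.1.1.50:44111.
! Syntax is "service tcp <real_port> <mapped_port>": real (inside) port first.
object network PC_44111
 host 10.1.1.50
 nat (inside,outside) static interface service tcp 44111 44111
!
! Permit only the forwarded port inbound. In 8.3+ the ACL names the real
! (untranslated) address, so it references the object, not the outside IP.
access-list outside_access_in extended permit tcp any object PC_44111 eq 44111
access-group outside_access_in in interface outside
!
! Once troubleshooting is over, drop the posted global "permit ip any any"
! so the interface ACL above is what actually gates inbound traffic.
no access-group global_access global
!
! Check: simulate a SYN like the captured one (client port 20424, constructed
! client IP) and confirm the NAT and ACCESS-LIST phases report ALLOW with a
! translation to 10.1.1.50 before testing from the internet.
packet-tracer input outside tcp 203.0.113.10 20424 192.168.10.253 44111
```

Note that the posted service objects bind both the source and destination port to 44111 (`service tcp source eq 44111 destination eq 44111`), while the captured SYN arrives from client port 20424; object NAT's `service tcp 44111 44111` only constrains the real host's port, which is all port forwarding needs.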