Solved

Cisco ASA5505 port forwarding

Posted on 2010-09-22
16
1,284 Views
Last Modified: 2012-05-10
Hi,
I am trying to open port 44111 and have a Cisco ASA5505 which sits behind a BT ADSL router.

On the Cisco I have an inside address of 10.1.1.1 and an outside address of 192.168.10.253

I am configuring through ASDM 6.3 and cannot work out how to set up the correct forwarding/translation rule.

I have set up the forwarding on the ADSL router (192.168.10.252) to allow 44111 traffic to the Cisco (192.168.10.253) but with no success.

Any help would be appreciated. Thanks
Question by:jerryhatt
16 Comments
 
LVL 3

Expert Comment

by:guitar7man
ID: 33733953
Are you seeing the port 44111 traffic on the outside interface of your ASA?

If you do not know, this would be handy information to find out first. If you setup the firewall to syslog to somewhere, you could look at the logs. Or you could just setup a packet capture on the outside interface and see if you're getting that traffic.

Example for packet capture:
access-list cap permit ip any any eq 44111
capture out access-list cap buffer 1000000 interface outside pac 1500

Then if you want to view the packet capture, you would run a "show cap out" on the CLI. I'm sure there is a way to do it within the ASDM, but I use that thing as little as possible so I couldn't tell you where to look in that thing.

If you're getting the packets at the ASA, then the problem is with the ASA config. If not, the problem is with the router's port forwarding.

If problem with the ASA, can you post the config?
LVL 5

Expert Comment

by:piwowarc
ID: 33741476
There is an answered question how to port forward traffic using ASDM

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23088606.html

It is much faster and simpler to do it via console. Here is an example (also from experts exchange)

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_22565747.html

HTH

Chris

Author Comment

by:jerryhatt
ID: 33742740
Thanks for the responses although I am having trouble configuring perhaps because the ASA is behind an ADSL router with a 192 address.

I cannot run the packet capture command as it errors:
Result of the command: "access-list cap permit ip any any eq 44111"
access-list cap permit ip any any eq 44111
                                  ^
ERROR: % Invalid input detected at '^' marker.

I have set up 44111 forwarding from the ADSL router (192.168.1.253) to the external interface IP address of the Cisco box - 192.168.1.253

When I look at the pasted examples above they relate to an older version of ASDM which has different syntax.

I will attach an image of the Add NAT Rule screen as this is puzzling me.


cisco.jpg
LVL 3

Expert Comment

by:guitar7man
ID: 33744164
Sorry - typo. Try access-list cap permit tcp any any eq 44111

Note you also have to be in config terminal mode.

Yeah, I'm not familiar with the ASDM. But the packet capture will tell you if the packets are making it to the firewall. This tells you where you need to focus your attention: the router or the firewall. If you see the packets in the capture, the router is good and you can focus on the firewall. If it's not getting to the firewall, then we have to look at the router first.

If the cap shows it's the firewall, a config post would help tremendously.

Author Comment

by:jerryhatt
ID: 33745426
Thanks guitar7man, I have captured the packets that are arriving at the Cisco, so ADSL forwarding is correct.

All I need to do now is to add the correct NAT rule and forward it. I will attempt this now and report back.

How do I stop it capturing the port data btw?
LVL 3

Expert Comment

by:guitar7man
ID: 33745466
To stop:
no cap out
clear conf access-l cap

To create the NAT, you could do it a couple ways, but on the CLI you could try:

static (inside,outside) tcp 1.2.3.4 44111 a.b.c.d X netmask 255.255.255.255

Where 1.2.3.4 equals the destination IP (assuming 192.168.10.253?) and a.b.c.d is the NAT'd destination IP, and X is the intended port. If you don't need to PAT (port translation), you could skip that part and just do something like:

static (inside,outside) 1.2.3.4 a.b.c.d netmask 255.255.255.255

Author Comment

by:jerryhatt
ID: 33745688
Thanks, tried this:
static (inside,outside) 192.168.10.253 10.1.1.50 netmask 255.255.255.255

192.168.10.253 is the IP of the Cisco and 10.1.1.50 is the PC behind the Cisco.

It says syntax is deprecated however. I had a look at help nat and got this:

USAGE:
      
  [no] nat [(real_ifc,mapped_ifc)]
         [<line>| {after-auto [<line>]}]
         source {static|dynamic} {<src-obj-or-grp>| any} {{any| <m-src-or-grp>} [interface]}| interface
         [destination static {<m-dst-obj-or-grp> [interface]}| interface {<dst-obj-or-grp>| any}
         [service {<src-dst-svc-obj>| any>} <m-src-dst-svc-obj>]
         [dns] [unidirectional] [inactive] [description <desc>]

  show nat [interface <real_ifc>] [<real_ip> <real_mask>|
           object <real-obj-name>| object-group <real-obj-grp-name>]
           [translated [interface <mapped_ifc>]
           [<mapped_ip> <mapped_mask>| object <mapped-obj-name>|
           object-group <mapped-obj-grp-name>]]
           [detail]
           [pool]

  clear nat counters [interface <real_ifc>] [<real_ip> <real_mask>|
            object <real-obj-name>| object-group <real-obj-grp-name>]
            [translated [interface <mapped_ifc>]
            [<mapped_ip> <mapped_mask>| object <mapped-obj-name>|
            object-group <mapped-obj-grp-name>]]

DESCRIPTION:

nat      Configure, display or clear NAT policy counters

SYNTAX:

<line>                       Position of the rule to be added within section-1
after-auto <line>            Position of the rule to be added within section-3
source                       Beginning of source specific parameters
static | dynamic             Source NAT translation mode
service                      Beginning of service parameters
destination                  Beginning of destination specific parameters
static                       Destination NAT translation mode
<src-obj-or-grp>             Real source network object or object-group name
<msrc-obj-or-grp>            Mapped source network object or object-group name
<dst-src-or-grp>             Real destination network object or object-group name
<mdst-src-or-grp>            Mapped destination network object or object-group name
any                          Keyword to match any, wildcard 0.0.0.0
<src-dst-svc-obj>            Real singleton service object names,
                             includes both source & destination ports
<m-src-dst-svc-obj>          Mapped singleton service object names,
                             includes both source & destination ports
dns                          Overwrite embedded addresses in DNS reply
unidirectional               Configure per-session static NAT
inactive                     Disable a rule
description <desc>           Short comment to describe the rule
interface                    Keyword to specify interface
object                       Keyword to specify a network/service object
object-group                 Keyword to specify a network object-group
translated                   Keyword to specify mapped parameters
pool                         Keyword to display NAT/ PAT pool usage
real_ifc                   Specify real interface to filter
real_ip                         Specify real IP address to filter
real_mask                   Specify mask for real IP address
real-obj-name                Specifiy the real object name to filter
real-obj-grp-name            Specify the real object-group name to filter
mapped_ifc                   Specify destination interface to filter
mapped_ip                   Specify destination IP address to filter
mapped_mask                   Specify mask for destination IP address
mapped-obj-name              Specifiy the mapped object name to filter
mapped-obj-grp-name          Specify the mapped object-group name to filter

Note:
1. Old NAT commands - static, global, alias, nat-control have been deprecated
   and the functionality may be achieved by using the new 'nat' command.
   Please refer to documentation for more details.
2. The interface fallback is supported only for dynamic NAT.
3. The unidirectional option is supported only for static NAT.
4. Service objects having protocols other than TCP or UDP are not supported.

see also:   object, object-group
LVL 3

Expert Comment

by:guitar7man
ID: 33745898
It says it's deprecated on the ASA? Maybe that's just for the lower-end models? I use that command all the time on my company's ASAs without a problem. Weird. Did it still take the command though if you do a "show run static"?

Here's a Cisco ASDM walkthrough I found for NAT - http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/dmz.html. You'll need to adjust for what you're trying to do obviously.

Also, you'll want to make sure your rules allow for port 44111 inbound.
Author Comment

by:jerryhatt
ID: 33746050
Thanks,

This is one of the captured packets if that helps:

24: 09:22:55.098414 802.1Q vlan#2 P0 204.152.200.186.20424 > 192.168.10.253.44111: S 1151194551:1151194551(0) win 5840 <mss 1460,sackOK,timestamp 262096470 0,nop,wscale 7>

My (incorrect) NAT configuration is:

nat (outside,inside) source static any any service 44111 44111

44111 is what I called the service I added in the services section. I am not sure where to put the IPs which I probably need instead of any any

Author Comment

by:jerryhatt
ID: 33746079
My confusion is regarding the description of where things are going.

By 'destination' I am assuming the inside network address of the PC?

I do not know where the 'source' is. Is this the outside interface of the Cisco or the ADSL router?

Apologies for all the questions.
LVL 3

Expert Comment

by:guitar7man
ID: 33747114
I'm not sure man... can you post the config? "Show run"

I still don't get why you can't run that static command.

Author Comment

by:jerryhatt
ID: 33748365
This is a brand new asa and apparently the syntax has changed and you have to enter something like: nat (inside,outside) source static etc.

Perhaps you could answer a couple of questions that might help me understand how to format the command.

From your previous post:
static (inside,outside) tcp 1.2.3.4 44111 a.b.c.d X netmask 255.255.255.255
Where 1.2.3.4 equals the destination IP (assuming 192.168.10.253?) and a.b.c.d is the NAT'd destination IP, and X is the intended port. If you don't need to PAT (port translation), you could skip that part and just do something like:

What is meant by DESTINATION IP? Is this the final destination, i.e. my PC's IP address on the network, or the outside interface of the Cisco that is receiving the packet?

What is the NAT'd destination IP? I thought this would be my computer's IP address?

Where X is the intended port - I need to have port 44111 open and forwarded to my PC so could X be anything other than 44111?

Thanks again. I will post the config but have removed the NAT entries I have tried as they were complete rubbish.

Author Comment

by:jerryhatt
ID: 33748524
Here's the config. I have opened the firewall to everything for troubleshooting and the NAT rule works for browsing.

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.10.253 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network PC
 host 10.1.1.50
object service 44111TCP
 service tcp source eq 44111 destination eq 44111
object service 44111UDP
 service udp source eq 44111 destination eq 44111
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service Port44111 tcp-udp
 port-object eq 44111
access-list global_access extended permit ip any any
access-list cap extended permit tcp any any eq 44111
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group global_access global
route outside 0.0.0.0 0.0.0.0 192.168.10.252 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.1.50-10.1.1.81 inside
dhcpd dns 192.168.10.252 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:c62ee30cc17f2be2143345ad3bd4a7cd
: end
no asdm history enable
LVL 3

Accepted Solution

by:guitar7man (earned 500 total points)
ID: 33753681
Traffic starts from the Internet, sourced from an unknown address, destined for your public address. The router then has to NAT that destination to 192.168.10.253 so it knows to get to the firewall. That is happening according to your packet capture.

24: 09:22:55.098414 802.1Q vlan#2 P0 204.152.200.186.20424 > 192.168.10.253.44111: S 1151194551:1151194551(0) win 5840 <mss 1460,sackOK,timestamp 262096470 0,nop,wscale 7>

So then the firewall has to take that 192.168.10.253:44111 and NAT it to 10.1.1.50:44111, which you know. The flow would look something like this:

Public IP
--------------------
|      Router      |
--------------------
192.168.10.252

|
|

192.168.10.253
--------------------
|     Firewall     |
--------------------
10.1.1.1

|
|

10.1.1.50
--------------------
|    Host          |
--------------------

Typically, on ASAs you do that with a static command. That command would look like this:

static (inside,outside) tcp 192.168.10.253 44111 10.1.1.50 44111 netmask 255.255.255.255

But your device is saying that the command is deprecated. I don't get it! I use it all the time. Must be something with version 8.3 code? But if we go by your output above that you pasted in for nat syntax, then that would mean it might take something like this:

nat (inside,outside) source static 10.1.1.50 192.168.10.253 service 44111 44111

https://supportforums.cisco.com/message/3105789

Does that get you there? If not, the above link shows something like this too:

object network obj-44111
   host 10.1.1.50
   nat (inside,outside) static 192.168.10.253 service tcp 44111 44111

Author Comment

by:jerryhatt
ID: 33765820
Thanks for the excellent explanation.

Unfortunately none of the commands work. I have done lots more reading about the new format commands and it seems everything is moving to object/group based commands. I have found lots of forums with people having the same issues but no real resolutions.

If I create a network object called outside, with 192.168.10.253 as the member, an object called MyPC with 10.1.1.50 as the member and a TCP group called 44111TCP, the command as I understand it should go:

nat (inside,outside) source static outside outside destination MyPC MyPC service 4411TCP 4411TCP

This does not work and believe me I have tried every permutation and swap around I can muster.
The double entry for each object is apparently pre and post nat.

When testing I can see the request coming in on the correct port and ASA translates it to a random port, telling me it is not picking up the rule. gah. At least I'm not the only one. About to start on process to downgrade the asa.

Author Comment

by:jerryhatt
ID: 33766039
Downgraded to 8.22, ran:

static (inside,outside) tcp interface 44111 10.1.1.50 44111 netmask 255.255.255.255

command and port open. 2 mins flat. thanks for all your help!
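For readers who cannot downgrade: the ASA 8.3+ object-NAT equivalent of the 8.2 `static ... interface` command that finally worked, together with the inbound access rule guitar7man said to check. This is an added example, not a command from the thread; the object and access-list names are chosen here, while the addresses and port are the thread's.

```cisco
! Added example (not from the thread): ASA 8.3+ object NAT for the
! 192.168.10.253:44111 -> 10.1.1.50:44111 port forward.
object network PC
 host 10.1.1.50
 ! The mapped address is the outside interface's own IP (192.168.10.253),
 ! so the "interface" keyword is used instead of the literal address, the
 ! same way the working 8.2 command did.
 nat (inside,outside) static interface service tcp 44111 44111
!
! In 8.3+ access lists match the real (untranslated) destination, so the
! rule names the inside host object, not the outside address. This replaces
! the "permit ip any any" global rule used for troubleshooting in the
! posted config with one that admits only the forwarded port.
access-list outside_access_in extended permit tcp any object PC eq 44111
access-group outside_access_in in interface outside
```

With this in place, "show xlate" and "show nat" should show the static translation and a hit count that increments when the capture shows a SYN to 192.168.10.253:44111.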
