ASA 5505 port forwarding not working

Hi,

I have the following config:

Internet <> Router of provider <> ASA 5505 <> LAN
In IP terms:
Pub IP <> 192.168.254.1 (ip of provider router) <> 192.168.254.2 (outside ip of asa) <> 192.168.1.1 (inside ASA ip)

I'm new to these devices. It was auto-set up via DHCP (the outside), and after making some changes to the firewall all my inside clients can connect to the internet.

I have 3 services that need to be available from the outside to an internal IP. So I went to Public Server and set it up as follows:

Private interface = inside
Private ip = internal ip of my server
Private services = rdp, smtp, https
Pub interface = outside
Pub ip = my public ip

I saved this config and saw it made some NAT rules and extra firewall rules. It is not working, though. What am I doing wrong?
Asked by PlusIT.

Ernie Beek (Expert) commented:
Ok,

For now let's not use the inside access list:

no access-group inside_access_in in interface inside

and see what happens then.
Ernie Beek (Expert) commented:
Looks like the router is also doing NAT. If possible, you might set that router to bridged mode so the ASA gets the public IP on its outside interface. That should make things much easier.
PlusIT (Author) commented:
That is not possible, I'm afraid. The router in front does NAT indeed; is there any other way I can do it?
I also see that my SBS 2008 server has had no internet connectivity since I plugged in the ASA. All other clients do work.
CWCertus1 commented:
Create a static route on the outside pointing to 192.168.254.1 (that should sort the internet issue).

As for the port forward, you would have to ensure the ISP router is configured to port forward all services to the 192.168.254.2 address of your firewall; otherwise you can do whatever config you like on the ASA but nothing will ever reach it!
PlusIT (Author) commented:
The static route to 192.168.254.1: I put it from inside with mask 255.255.255.255. What should I use as gateway?

Also, I have allowed all IP traffic, but still cannot ping to the outside. What is with that?

So if the ISP router is set to DMZ everything to my ASA IP, it should work with the settings I have now?
CWCertus1 commented:
The static route should be to 0.0.0.0 with mask 0.0.0.0 and gateway 192.168.254.1.

This in plain English means: any request to an unknown (i.e. not local) network, send to 192.168.254.1.
PlusIT (Author) commented:
And why is that? My routing to the outside is working except for the SBS 2008; I think it does some sort of connectivity detection. I plugged in the old firewall and the SBS 2008 suddenly has internet again.
Ernie Beek (Expert) commented:
Could you post a sanitized copy of your configuration? That will stop us from making (wrong) assumptions and might speed up the process.
CWCertus1 commented:
The static route I suggested states that for any network outside of the known networks (known to this router), the next hop is the ISP router.

If you do not state this for all networks (not just the 192.168.254.0), it will not know what to do with requests for networks outside of that.
PlusIT (Author) commented:
Here you go. Problems at the moment:

- no port forwarding possible (I'm trying to contact the provider to see how the router in front is set up, but it seems to be a full DMZ to the ASA)
- no ping possible from the Apple devices (although I'm allowing everything for them to the outside)
- no internet connection detected by the SBS 2008, no ping possible, no DNS resolving possible


: Saved
:
ASA Version 8.3(1) 
!
hostname ciscoasa
enable password <SECRET> encrypted
passwd <SECRET> encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.254.2 255.255.255.240 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network iMac-Marc 
 host 192.168.1.152
object network macbook-marc 
 host 192.168.1.151
object network srvbetcasbs 
 host 192.168.1.10
object network A_ 
object network PublicServer_NAT1 
 host 192.168.1.10
object network A_<PUB IP> 
 host <PUB IP>
object network PublicServer_NAT2 
 host 192.168.1.10
object network A_192.168.254.1 
 host 192.168.254.1
object-group service RDP tcp
 port-object eq 3389
object-group service SSH-2323 tcp
 port-object eq 2323
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq pptp
 port-object eq smtp
 port-object eq ssh
 group-object SSH-2323
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object iMac-Marc
 network-object object macbook-marc
object-group service DM_INLINE_TCP_0 tcp
 group-object RDP
 port-object eq https
 port-object eq smtp
object-group icmp-type ping
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1 
access-list inside_access_in extended permit object-group TCPUDP any any eq domain 
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any 
access-list inside_access_in extended permit ip object srvbetcasbs any 
access-list outside_access extended permit tcp any host 192.168.1.10 object-group DM_INLINE_TCP_0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network PublicServer_NAT2
 nat (inside,outside) static A_<PUB IP>
access-group inside_access_in in interface inside
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 193.190.198.10 source outside prefer
ntp server 195.160.166.150 source outside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:e6544f0fd9fa44ef5faab65e824f9d2c
: end
no asdm history enable

PlusIT (Author) commented:
Hi, I'm thankful for your help, but could you explain how to run that command and save it, as I've only been using the graphical interface.
Ernie Beek (Expert) commented:
ASDM -> Tools -> Command Line Interface -> paste the line.
PlusIT (Author) commented:
Result of the command: "no access-group inside_access_in in interface inside"

The command has been sent to the device

Then ASDM asked to refresh the config.
Nothing changed; all stays the same.
PlusIT (Author) commented:
When I show the running config again I do not see the command "no access-group inside_access_in in interface inside" mentioned. Is this correct?
Ernie Beek (Expert) commented:
That is correct, with the 'no' you removed the line: access-group inside_access_in in interface inside

For the ping, add: access-list outside_access extended permit icmp any any

After that, when trying to ping/connect, look at the logging in ASDM to see if anything shows up there.
PlusIT (Author) commented:
Great, clients can ping now; the SBS 2008 server still has no connection. No ping to 8.8.8.8, and the connection still does not show an active internet connection in the control panel of the server.
Ernie Beek (Expert) commented:
Is the SBS by any chance:
object network PublicServer_NAT2
 host 192.168.1.10
?
PlusIT (Author) commented:
Yes, that's him. I've rerun the Connect to the Internet wizard in SBS but that did not help.
Ernie Beek (Expert) commented:
Try to remove that NAT statement; then you should be able to connect to the outside.
PlusIT (Author) commented:
Correct, it connects now. How do I make NATting work? According to the provider there's a full NAT to the outside IP of the ASA.
Ernie Beek (Expert) commented:
Yup, but you have only 1 outside IP. So let's try PAT:

object network obj-192.168.1.10_1
host 192.168.1.10
nat (inside,outside) static interface service tcp 25

object network obj-192.168.1.10_2
host 192.168.1.10
nat (inside,outside) static interface service tcp 443

object network obj-192.168.1.10_3
host 192.168.1.10
nat (inside,outside) static interface service tcp 3389

access-list outside_in extended permit tcp any host 192.168.1.10 eq 25
access-list outside_in extended permit tcp any host 192.168.1.10 eq 443
access-list outside_in extended permit tcp any host 192.168.1.10 eq 3389
Ernie Beek (Expert) commented:
Oops, forgot something, should be:

host 192.168.1.10
nat (inside,outside) static interface service tcp 25 25

object network obj-192.168.1.10_2
host 192.168.1.10
nat (inside,outside) static interface service tcp 443 443

object network obj-192.168.1.10_3
host 192.168.1.10
nat (inside,outside) static interface service tcp 3389 3389

access-list outside_in extended permit tcp any host 192.168.1.10 eq 25
access-list outside_in extended permit tcp any host 192.168.1.10 eq 443
access-list outside_in extended permit tcp any host 192.168.1.10 eq 3389
PlusIT (Author) commented:
Result of the command: "object network obj-192.168.1.10_1"

The command has been sent to the device


Result of the command: "host 192.168.1.10"

The command has been sent to the device


Result of the command: "nat (inside,outside) static interface service tcp 25"

nat (inside,outside) static interface service tcp 25
ERROR: % Incomplete command


Result of the command: "object network obj-192.168.1.10_2"

The command has been sent to the device


Result of the command: "host 192.168.1.10"

The command has been sent to the device


Result of the command: "nat (inside,outside) static interface service tcp 443"

nat (inside,outside) static interface service tcp 443
ERROR: % Incomplete command


Result of the command: "object network obj-192.168.1.10_3"

The command has been sent to the device


Result of the command: "host 192.168.1.10"

The command has been sent to the device


Result of the command: "nat (inside,outside) static interface service tcp 3389"

nat (inside,outside) static interface service tcp 3389
ERROR: % Incomplete command


Result of the command: "access-list outside_in extended permit tcp any host 192.168.1.10 eq 25"

The command has been sent to the device


Result of the command: "access-list outside_in extended permit tcp any host 192.168.1.10 eq 443"

The command has been sent to the device


Result of the command: "access-list outside_in extended permit tcp any host 192.168.1.10 eq 3389"

The command has been sent to the device



Tested, but it is not working.
Ernie Beek (Expert) commented:
I think you might want to do this through a telnet/ssh session.

Oh, and look at the correction I made above first.
PlusIT (Author) commented:
I think I'm making it worse now when doing the correction:

Result of the command: "host 192.168.1.10"

host 192.168.1.10
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "nat (inside,outside) static interface service tcp 25 25"

nat (inside,outside) static interface service tcp 25 25
                      ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "object network obj-192.168.1.10_2"

The command has been sent to the device


Result of the command: "host 192.168.1.10"

The command has been sent to the device


Result of the command: "nat (inside,outside) static interface service tcp 443 443"

The command has been sent to the device


Result of the command: "object network obj-192.168.1.10_3"

The command has been sent to the device


Result of the command: "host 192.168.1.10"

The command has been sent to the device


Result of the command: "nat (inside,outside) static interface service tcp 3389 3389"

The command has been sent to the device


Result of the command: "access-list outside_in extended permit tcp any host 192.168.1.10 eq 25"

WARNING: <outside_in> found duplicate element


Result of the command: "access-list outside_in extended permit tcp any host 192.168.1.10 eq 443"

WARNING: <outside_in> found duplicate element


Result of the command: "access-list outside_in extended permit tcp any host 192.168.1.10 eq 3389"

WARNING: <outside_in> found duplicate element
PlusIT (Author) commented:
Tested the three; no ports are open yet.
Ernie Beek (Expert) commented:
It looks worse than it is.

Could you post the config again so we can see what's still missing?
PlusIT (Author) commented:
: Saved
:
ASA Version 8.3(1)
!
hostname ciscoasa
enable password <SECRET> encrypted
passwd <SECRET> encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.254.2 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network iMac-Marc
 host 192.168.1.152
object network macbook-marc
 host 192.168.1.151
object network srvbetcasbs
 host 192.168.1.10
object network A_
object network PublicServer_NAT1
 host 192.168.1.10
object network A_<PUB IP>
 host <PUB IP>
object network A_192.168.254.1
 host 192.168.254.1
object network obj-192.168.1.10_1
 host 192.168.1.10
object network obj-192.168.1.10_2
 host 192.168.1.10
object network obj-192.168.1.10_3
 host 192.168.1.10
object-group service RDP tcp
 port-object eq 3389
object-group service SSH-2323 tcp
 port-object eq 2323
object-group service DM_INLINE_TCP_1 tcp
 group-object RDP
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq pop3
 port-object eq pptp
 port-object eq smtp
 port-object eq ssh
 group-object SSH-2323
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object object iMac-Marc
 network-object object macbook-marc
object-group icmp-type ping
 icmp-object echo
 icmp-object echo-reply
 icmp-object traceroute
access-list inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list inside_access_in extended permit ip object srvbetcasbs any
access-list inside_access_in extended permit object-group TCPUDP object srvbetcasbs any eq domain
access-list outside_access extended permit icmp any any
access-list outside_in extended permit tcp any host 192.168.1.10 eq smtp
access-list outside_in extended permit tcp any host 192.168.1.10 eq https
access-list outside_in extended permit tcp any host 192.168.1.10 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network obj-192.168.1.10_2
 nat (inside,outside) static interface service tcp https https
object network obj-192.168.1.10_3
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 193.190.198.10 source outside prefer
ntp server 195.160.166.150 source outside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

: end
no asdm history enable
Ernie Beek (Expert) commented:
Ah, forgot a part in my second paste. So add this:

object network obj-192.168.1.10_1
host 192.168.1.10
nat (inside,outside) static interface service tcp 25 25

access-list outside_access extended permit tcp any host 192.168.1.10 eq smtp
access-list outside_access extended permit tcp any host 192.168.1.10 eq https
access-list outside_access extended permit tcp any host 192.168.1.10 eq 3389

no access-list outside_in


Should work better then :)
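Pulling the pieces of the accepted answer together: the following is an added, consolidated ASA 8.3 configuration for the three static PAT rules and the outside ACL, not a fragment posted in the thread. It reuses the thread's addresses and interface names (server 192.168.1.10, nameif inside/outside, ACL outside_access); the object names ending in _smtp/_https/_rdp and the Internet source address 203.0.113.5 in the packet-tracer checks are placeholders. Enter it in configuration mode over an SSH or console session as a block, because the `host` and `nat` lines are sub-commands of the `object network` line above them and are rejected at the global prompt, which is exactly what the "Invalid input" error earlier in the thread shows once the `object network obj-192.168.1.10_1` line had been left out.

```cisco
! Remove the one-to-one static NAT to a public IP the ASA does not own.
! In the thread it broke the server's outbound traffic, since the ASA's
! outside address is the private 192.168.254.2, not <PUB IP>.
object network PublicServer_NAT2
 no nat (inside,outside) static A_<PUB IP>
!
! Static PAT: one object per forwarded port, each mapping the server to
! the outside INTERFACE address. Auto (object) NAT orders static rules
! before dynamic ones, so the obj_any rule below does not shadow these.
object network obj-192.168.1.10_smtp
 host 192.168.1.10
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-192.168.1.10_https
 host 192.168.1.10
 nat (inside,outside) static interface service tcp https https
object network obj-192.168.1.10_rdp
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 3389 3389
!
! Dynamic PAT for all other inside hosts (already present in the thread).
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! Outside ACL. From 8.3 onward the ACL is evaluated against the REAL
! (untranslated) destination, hence host 192.168.1.10 rather than the
! outside address. Consider narrowing 'any' for 3389 to a known admin
! range; RDP open to the whole Internet is a common attack surface.
access-list outside_access extended permit tcp any host 192.168.1.10 eq smtp
access-list outside_access extended permit tcp any host 192.168.1.10 eq https
access-list outside_access extended permit tcp any host 192.168.1.10 eq 3389
access-list outside_access extended permit icmp any any
!
! An ACL only filters once bound to an interface. The thread's outside_in
! list was never bound, which is why the ports stayed closed; remove it.
access-group outside_access in interface outside
no access-list outside_in
!
! Default route towards the ISP router in front of the ASA.
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
!
! Verification on the ASA itself. Every phase should report ALLOW and the
! final Action should be 'allow'; the NAT phase should show the
! un-translation of 192.168.254.2/443 to 192.168.1.10/443.
packet-tracer input outside tcp 203.0.113.5 40000 192.168.254.2 443 detailed
packet-tracer input outside tcp 203.0.113.5 40001 192.168.254.2 3389 detailed
show nat detail
show xlate
show access-list outside_access
```

packet-tracer proves only the ASA side. Because the ISP router still does NAT, the Internet-facing traffic reaches the ASA with its destination already rewritten to 192.168.254.2, which is why the static PAT maps to `interface`; the ISP router must forward (or "DMZ") those ports to 192.168.254.2 first, as CWCertus1 points out above. If packet-tracer allows the flow but an external test still fails, the drop is in front of the ASA, not on it.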
PlusIT (Author) commented:
You, sir, have saved my life today :) I had so much else to do at this site that I could not find the time to jump into the docs. Thank you very much, sir, I owe you more than a beer :)
PlusIT (Author) commented:
Thank you very much !
Ernie Beek (Expert) commented:
Just a beer would suffice (or two ;)
Ernie Beek (Expert) commented:
And thank you for the points :)
Question has a verified solution.