  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1076

ASA 5510 NAT issue with port forwarding

I have an ASA 5510 and have a small issue seeing two game servers on the DMZ.

Server 1 is port 25565
Server 2 is port 25566

I am using one external IP and doing a port map. Now the "internet" can see the servers without any issue and it appears to be working. When I try to login to the server via the game, Minecraft, it cannot join the server. If I remove the outside port mapping then it's able to connect to the server, but only one and not both.

Looking through the log file I am not able to narrow down what's causing this. Searching the forums for the server, it only shows the single port being available.

Any assistance would be much appreciated.

Thanks
Tom
0
Asked by TechFlyer
1 Solution
 
☠ MASQ ☠Commented:
Minecraft clients connecting to your server will default to 25565 unless the user specifies the port they want to use.  yourserver.com:25566 should allow them to connect to the alternate server.  Why are you using the DMZ instead of NAT? It may be easier to portforward the separate server ports.
0
 
TechFlyerAuthor Commented:
The reason I have it in the DMZ is just so I don't have it in the same security zone as my inside network.

So when I have:
object network Minecraft_1
 nat (outside,dmz) static X.X.X.X service tcp 25565 25565

No one can connect to the server. When I remove that rule then people can connect to the server. Reading online I do not see any other ports that have to be open for this so I am at a loss as to why people can connect with a one to one port mapping.
0
 
☠ MASQ ☠Commented:
You've configured the two server.properties files separately with the correct server-port value for each?

If you're using DMZ you shouldn't need that rule.

Can players use the main (25565) server OK once it's visible externally?
0

 
TechFlyerAuthor Commented:
If I have  nat (outside,dmz) static X.X.X.X service tcp 25565 25565  then the server is visible but you cannot connect to it. So I look at the logs when I try to connect with that then look at the logs when I delete the rule and watch a person connect, and I cannot tell any port or something else that is blocking the connection.

The DMZ is just another interface, just like "inside," correct? Where you still have to have NATs and ACLs set up for proper flow.
0
 
Ernie BeekCommented:
So from where are they trying to connect, outside?
You say, when you remove the static you can connect...... From the in- or the outside?

Could you post the rest of your config (sanitized)?
0
 
TechFlyerAuthor Commented:
I will post the areas that pertain to these game servers and the DMZ.

interface Ethernet0/3
 nameif d_DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0

object network Minecraft_1
 host 192.168.2.3

object-group service Minecraft_1 tcp-udp
 port-object eq 25565

1: -
object network Minecraft_1
 nat (d_DMZ,Outside) static XXX.XXX.XXX.XXX service tcp 25565 25565

object network Minecraft_2
 host 192.168.2.5

object-group service Minecraft_2 tcp-udp
 port-object eq 25566

2: -
object network Minecraft_2
 nat (d_DMZ,Outside) static XXX.XXXX.XXX.XXX service tcp 25566 25566


3: -
object network Minecraft_1
 nat (d_DMZ,Outside) static XXX.XXXX.XXX.XXX

So here are the two scenarios. When I only have NAT 3 listed here in my config, I can connect to the server fine. But with that I can only have one server per IP address.

So then I did NAT 1 & 2, which is a static 1 to 1 NAT with port mapping. Now the port mapping works because I can query the servers, but with having that port mapping I can't actually connect to the server. Only query it.

So I am fairly confident my NAT is working properly, I just need to figure out why when I set it up with port mapping it no longer works.

I cannot find another port being used that I would also have to map. It should only be the port that I designated.
0
 
Ernie BeekCommented:
How about UDP (25565 and 25566)?
0
 
TechFlyerAuthor Commented:
Finally resolved!

After watching the logs I kept seeing it trying to make a connection back outbound. I guess it has to make a connection to the user auth Minecraft server, which I wasn't allowing, which caused it not to be able to then connect to my server.

Thanks for all the suggestions and help!
0
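The behaviour TechFlyer describes (inbound port map works, but the server's own outbound session has no translation) can be shown with a small model of the two NAT forms from the post. This is an added example, not configuration or code from the thread; it assumes the constructed outside address 203.0.113.10 in place of X.X.X.X, the DMZ host 192.168.2.3 from the post, and a simplified first-match lookup that ignores the ASA's real NAT table ordering.

```python
# Added example (not from the thread): a minimal model of ASA object static
# NAT, contrasting the port-restricted form ("service tcp 25565 25565") with
# the plain 1:1 form, to show which flows each one translates.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class StaticNat:
    real_ip: str                       # host behind the DMZ interface
    mapped_ip: str                     # outside address
    proto: Optional[str] = None        # "tcp"/"udp", or None for plain 1:1
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

def translate_outbound(rule: StaticNat, src_ip: str, src_port: int, proto: str):
    """Translation for a DMZ-originated flow, or None if the rule does not
    apply (no translation: the packet would leave with its private source)."""
    if rule.real_ip != src_ip:
        return None
    if rule.proto is None:                       # plain 1:1: every port
        return (rule.mapped_ip, src_port)
    if rule.proto == proto and rule.real_port == src_port:
        return (rule.mapped_ip, rule.mapped_port)
    return None                                   # other ports not covered

def translate_inbound(rule: StaticNat, dst_ip: str, dst_port: int, proto: str):
    """Translation for an Internet-originated flow, or None."""
    if rule.mapped_ip != dst_ip:
        return None
    if rule.proto is None:
        return (rule.real_ip, dst_port)
    if rule.proto == proto and rule.mapped_port == dst_port:
        return (rule.real_ip, rule.real_port)
    return None

# NAT 1 (port-restricted) and NAT 3 (plain 1:1) from the post, constructed IPs
NAT1 = StaticNat("192.168.2.3", "203.0.113.10", "tcp", 25565, 25565)
NAT3 = StaticNat("192.168.2.3", "203.0.113.10")

def demo() -> Tuple[object, object, object]:
    # Inbound game traffic on tcp/25565 is translated by the port map...
    inbound = translate_inbound(NAT1, "203.0.113.10", 25565, "tcp")
    # ...but the server's own outbound session (ephemeral source port,
    # e.g. to an authentication service) only matches the 1:1 rule.
    out_nat1 = translate_outbound(NAT1, "192.168.2.3", 51234, "tcp")
    out_nat3 = translate_outbound(NAT3, "192.168.2.3", 51234, "tcp")
    return inbound, out_nat1, out_nat3
```

With only NAT 1 in place the outbound session gets no translation, which is the symptom seen in the logs; a dynamic PAT for the DMZ hosts (or the 1:1 static) is what covers those sessions.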
