• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 646
  • Last Modified:

How to ASA 9.1 Port Forward

Hello,

I want to use a public IP I have that is not the outside interface but in the same subnet range to forward to a internal server that has a private IP and I need 3 service ports ie: udp6001 tcp/udp53 and tcp443.  So in short a outside vendor wants to be able to access this server using a public IP of mine and be able to utilize the above services unidirectional.  I see some examples but not sure if they really fit my issue.  Any help would be very appreciated.

Thanks
0
TonyLc
Asked:
TonyLc
  • 10
  • 8
  • 2
1 Solution
 
max_the_kingCommented:
Hi,

suppose you want to nat your server (i.e.: 192.168.1.10) to public IP 1.2.3.4, and give anyone access to the ports you indicated above:
here is the code:


object-group service WEBPORTSTCP tcp
 port-object eq 53
 port-object eq 443
 
object-group service WEBPORTSUDP udp
 port-object eq 53
 port-object eq 6001
 
object network obj_Webserver
 host 192.168.1.10

object network obj_Webserver
 nat (inside,outside) static 1.2.3.4
 
access-list external_access extended permit tcp any host 192.168.1.10 object-group WEBPORTSTCP
access-list external_access extended permit udp any host 192.168.1.10 object-group WEBPORTSUDP

access-group external_access in interface outside

should you want to give only your vendor that access (i.e.: vendor public IP 5.6.7.8), than you should replace the above access-lists with the following:

access-list external_access extended permit tcp host 5.6.7.8 host 192.168.1.10 object-group WEBPORTSTCP
access-list external_access extended permit udp host 5.6.7.8 host 192.168.1.10 object-group WEBPORTSUDP

hope this helps
max
0
 
ffleismaSenior Network EngineerCommented:
It would look something like this
object service PORTFORWARD_UDP6001
 service udp destination eq 6001
!
object service PORTFORWARD_UDP53
 service udp destination eq 53
!
object service PORTFORWARD_TCP53
 service tcp destination eq 53
!
object service PORTFORWARD_TCP443
 service tcp destination eq 443

!
object network OBJECT_EXTERNAL_IP
 host 1.1.1.3
!
object network OBJECT_INTERNAL_IP
 host 192.168.1.100
!
!
nat (outside,inside) 1 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_UDP6001 PORTFORWARD_UDP6001 unidirectional
nat (outside,inside) 2 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_UDP53 PORTFORWARD_UDP53 unidirectional
nat (outside,inside) 3 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP53 PORTFORWARD_TCP53 unidirectional
nat (outside,inside) 4 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP443 PORTFORWARD_TCP443 unidirectional
!
!
access-list outside_access_in line 1 extended permit udp any object OBJECT_INTERNAL_IP eq 6001 
access-list outside_access_in line 2 extended permit udp any object OBJECT_INTERNAL_IP eq 53 
access-list outside_access_in line 3 extended permit tcp any object OBJECT_INTERNAL_IP eq 53
access-list outside_access_in line 4 extended permit tcp any object OBJECT_INTERNAL_IP eq 443
!
access-group outside_access_in in interface outside

Open in new window

For ASA software 8.3 or higher, the NAT is done first in the order of operation. Hence you'll notice that the ACL pertains to the instenal IP and not the external IP.
0
 
TonyLcAuthor Commented:
Thanks Max,  I will give that config a try.  I had a feeling I was looking at multiple nat's and access but wanted some confirmation.  Anyway, thanks and I will get back with you.  Appreciate it.
0
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

 
ffleismaSenior Network EngineerCommented:
Forgot to add:, if you will dedicate the public IP to this particular server, the NAT statement would look like this instead.
object network OBJECT_EXTERNAL_IP
 host 1.1.1.3

!
object network OBJECT_INTERNAL_IP
 host 192.168.1.100
!
nat (outside,inside) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP unidirectional

Open in new window

But if not, in case you just want to accomplish port forwarding, the above configuration I gave should do the trick.
NAT diagramLastly, the "nat (outside,inside)" might need to change to "nat (outside,dmz)" if the server is located on your dmz interface, or whatever your interface nameif is.

The NAT configuration I've given is for 8.3 above.
0
 
TonyLcAuthor Commented:
Ok, I modified the nat to match the dedicated since that is my intention.  Still gets dropped by nat on the packet trace but have not tested with the real device yet.  Will try again as soon as I can.

Thanks,
Tony
0
 
ffleismaSenior Network EngineerCommented:
I've tested this on GNS3 running 8.4 software (should be applicable for 9.1 as well)
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object service PORTFORWARD_UDP6001
 service udp destination eq 6001
!
object service PORTFORWARD_UDP53
 service udp destination eq domain
!
object service PORTFORWARD_TCP53
 service tcp destination eq domain
!
object service PORTFORWARD_TCP443
 service tcp destination eq https
!
object network OBJECT_EXTERNAL_IP
 host 1.1.1.3
!
object network OBJECT_INTERNAL_IP
 host 192.168.1.100
!
!
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_UDP6001 PORTFORWARD_UDP6001 unidirectional
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_UDP53 PORTFORWARD_UDP53 unidirectional
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP53 PORTFORWARD_TCP53 unidirectional
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP443 PORTFORWARD_TCP443 unidirectional
!
!
access-list outside_access_in extended permit udp any object OBJECT_INTERNAL_IP eq 6001
access-list outside_access_in extended permit udp any object OBJECT_INTERNAL_IP eq domain
access-list outside_access_in extended permit tcp any object OBJECT_INTERNAL_IP eq domain
access-list outside_access_in extended permit tcp any object OBJECT_INTERNAL_IP eq https
!
access-group outside_access_in in interface outside
!

Open in new window

Sample packet-tracer shown:
ciscoasa# packet-tracer input outside tcp 8.8.8.8 53 1.1.1.3 53

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP53 PORTFORWARD_TCP53 unidirectional
Additional Information:
NAT divert to egress interface dmz
Untranslate 1.1.1.3/53 to 192.168.1.100/53

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object OBJECT_INTERNAL_IP eq domain
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP53 PORTFORWARD_TCP53 unidirectional
Additional Information:
Static translate 8.8.8.8/53 to 8.8.8.8/53

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP53 PORTFORWARD_TCP53 unidirectional
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

ciscoasa#

Open in new window

If static NAT will be done instead of port-forwarding, same configuration but change on NAT configuration.
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP unidirectional

Open in new window

ciscoasa# packet-tracer input outside udp 8.8.8.8 6001 1.1.1.3 6001

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP unidirectional
Additional Information:
NAT divert to egress interface dmz
Untranslate 1.1.1.3/6001 to 192.168.1.100/6001

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit udp any object OBJECT_INTERNAL_IP eq 6001
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP unidirectional
Additional Information:
Static translate 8.8.8.8/6001 to 8.8.8.8/6001

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,dmz) source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP unidirectional
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

ciscoasa#

Open in new window


So two things:
NAT configuration, Static NAT or port forwarding configuration both tested.
ACL configuration on outside interface, should use the INTERNAL IP as destination.

If you packet-tracer doesn't show PHASE1 as UN-NAT, then it might be a problem with your NAT configuration. Can you share your pack-tracer output? Another thing you can check is the NAT sequence number. A preceding NAT statement might be causing the problem. Ensure that the new NAT statement are placed in front of existing NAT configuration by specifying the number "nat (outside,dmz) 1".
nat (outside,dmz) 1 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_UDP6001 PORTFORWARD_UDP6001 unidirectional
nat (outside,dmz) 2 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_UDP53 PORTFORWARD_UDP53 unidirectional
nat (outside,dmz) 3 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP53 PORTFORWARD_TCP53 unidirectional
nat (outside,dmz) 4 source static any any destination static OBJECT_EXTERNAL_IP OBJECT_INTERNAL_IP service PORTFORWARD_TCP443 PORTFORWARD_TCP443 unidirectional

Open in new window

0
 
TonyLcAuthor Commented:
Ok thank you. I have made sure the nat config goes above the others.  I am working with outside and inside interfaces so I will change to (outside,inside) then utilize the rest and give that a try.  If not successful this time - I will gladly share my results.

Thanks everybody.!
0
 
TonyLcAuthor Commented:
Still dropped for me.  So, since I am dedicating a Public for this at this time I have one nat stament and 4 acl's and then of course the defined ports and hosts.

DC-ASA5555-1# packet-tracer input outside udp 70.186.9.126 6001 172.16.15.156 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.248.0.0     inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit udp any object DEJERO-INSIDE eq 6001
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN    
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (outside,inside) source static any any destination static DEJERO-PUBLIC DEJERO-INSIDE unidirectional
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks,
Tony
0
 
TonyLcAuthor Commented:
Sorry, will attach that next time.  New to EE.
0
 
ffleismaSenior Network EngineerCommented:
A few things to clarify.
Is "172.16.15.156" the internal IP of the server? If yes, then you should run the packet-tracer with external IP as the destination IP and not the internal IP.
packet-tracer input outside udp x.x.x.x 6001 EXTERNAL_IP 6001

Open in new window

where x.x.x.x represents any outside (internet) IP.
0
 
TonyLcAuthor Commented:
Attached is the current config for this issue.

Thanks,
Tony
nat-config-dejero.txt
0
 
TonyLcAuthor Commented:
OK, re-did the packet trace - new to that also - took a couple years off of asa and was working on srx's and now the asa is like a new ball-game - sort of.

So I will attach the results but it passes almost all the way through this time.

except this:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed


Thanks,
Tony
packettrace-2.txt
0
 
ffleismaSenior Network EngineerCommented:
packet-tracer input outside udp 172.16.15.156 6001 70.186.9.126

You probably sourced it from the FW interface

try:
packet-tracer input outside udp 8.8.8.8 6001 70.186.9.126 6001
0
 
TonyLcAuthor Commented:
Yep, that did it.  I thank you all very much.  I hope you all have a wonderful day.

Thanks again,
Tony
0
 
TonyLcAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for TonyLc's comment #a40671801
Assisted answer: 167 points for max_the_king's comment #a40670818
Assisted answer: 167 points for ffleisma's comment #a40671397
Assisted answer: 166 points for ffleisma's comment #a40671634

for the following reason:

New at this - if I accidentally hit a wrong box sorry-  Both Max and  ffleisma were very helpful and  ffleisma had the final.  Thank you.
0
 
ffleismaSenior Network EngineerCommented:
I believe the user is new to EE.

I was able to provide the correct answe. This was mentioned in the remarks by the user when question was closed but solution was not credited to me.
0
 
TonyLcAuthor Commented:
Yes, while both was helpful ffleisma provided the final correct solution.  I am new to this and if I assigned it wrong I did not mean too.

Thanks,
Tony
0
 
ffleismaSenior Network EngineerCommented:
No worries, thanks Tony!
0
 
max_the_kingCommented:
Hi,
I should object to this odd behaviour but I have already wasted enough time on it and I really do not care.
cheers
max
0
 
ffleismaSenior Network EngineerCommented:
My apologies to max and tony. Both solution provided can result to a working configuration and given max gave a working solution first, he must be credited with the correct answer.

I initially objected on closing the question due to no answer was accepted as correct.

I'm sorry for offending anyone, please credit max the correct solution and points as he was the first to give reply. My mistake here guys, my apologies for my behavior.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 10
  • 8
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now