Cisco ASA version 9.1 NAT/FIREWALL help
Asked by BluJ
I want to forward ports 22609 and 8080 to my internal DVR. I have a single static public IP address. I can't seem to get anything to hit my ACL rules, and NAT doesn't appear to be working. I want any request coming into 1.1.1.1:8080 to go to 192.168.0.100:8080, and likewise for the other port: anything from the internet to 1.1.1.1:22609 should go to 192.168.0.100:22609.
ASA Version 9.1(5)
!
hostname FW1
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny udp any4 any4 eq domain
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.15.1.254 255.255.0.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 10.5.1.1 255.255.255.0
!
interface Ethernet0/3
nameif Security
security-level 75
ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
no nameif
no security-level
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa915-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
object service exacq-tcp
service tcp destination eq 22609
object network Security-Internal
subnet 192.168.0.0 255.255.255.0
object service alternate-web-port
service tcp destination eq 8080
object network Public-IP
host 1.1.1.1
object network DVR-Private
host 192.168.0.100
object network STATIC-PAT-INTERFACE-TCP22609
host 192.168.0.100
object network HOST-192.168.0.100-22609
host 192.168.0.100
object-group network DEFAULT-PAT-SOURCE
network-object 192.168.0.0 255.255.255.0
network-object 10.15.0.0 255.255.0.0
network-object 10.5.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside eq 22609
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu Security 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network STATIC-PAT-INTERFACE-TCP22609
nat (Security,outside) static interface service tcp 22609 22609
!
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.15.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.15.0.0 255.255.0.0 Inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd dns 8.8.8.8 8.8.4.4 interface Inside
dhcpd lease 86400 interface Inside
!
dhcpd address 10.5.1.5-10.5.1.254 DMZ
dhcpd dns 8.8.8.8 8.8.4.4 interface DMZ
dhcpd lease 86400 interface DMZ
dhcpd enable DMZ
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.05178-k9.pkg 1
anyconnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
:end
ASKER CERTIFIED SOLUTION
ASKER
I am also not seeing any hits on the ACLs at all, other than on the permit ip any any.
>>access-list outside_access_in extended permit ip any any
Remove that, why disable your firewall for inbound traffic?
Step 1: make sure the server is listening on those ports internally (you would be surprised).
Step 2: scan your firewall to check if the port is up.
Make sure you can 'ping' your ASA public IP (in case there's a device in front of it blocking these ports).
The syntax I posted above has worked for me on hundreds of clients for the past few years.
Pete
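As an added reference configuration (written for this page, not posted by anyone in the thread): the two static PATs the question asks for, with the blanket permit Pete quoted removed and the inbound ACL restricted to the one host and two ports. The object STATIC-PAT-INTERFACE-TCP22609, DVR-Private, the Security interface and 192.168.0.100 come from the posted config; the name DVR-TCP8080 and the source address 203.0.113.5 are made up here. On ASA 8.3 and later the inbound ACL is evaluated against the real (untranslated) destination, so an entry written as `permit tcp any interface outside eq 22609` never matches even when the static PAT is right, which is consistent with the hit counters described in the question.

```cisco
! Drop the rule that lets everything in, and the ACE that can never match on 8.3+
no access-list outside_access_in extended permit ip any any
no access-list outside_access_in extended permit tcp any interface outside eq 22609
!
! Static PAT for 22609 already exists on STATIC-PAT-INTERFACE-TCP22609 in the posted
! config. An object can carry only one NAT rule, so 8080 needs its own object
! (DVR-TCP8080 is a hypothetical name). Both map the outside interface address
! (1.1.1.1) to 192.168.0.100 behind the Security interface, same port in and out.
object network DVR-TCP8080
 host 192.168.0.100
 nat (Security,outside) static interface service tcp 8080 8080
!
! Inbound ACL written against the real address: one ACE per port, nothing else
access-list outside_access_in extended permit tcp any object DVR-Private eq 22609
access-list outside_access_in extended permit tcp any object DVR-Private eq 8080
access-group outside_access_in in interface outside
!
! Verification from the ASA itself: look for stale or inactive rules that still
! claim the same interface port, trace a constructed inbound packet from a
! documentation address (203.0.113.5), then confirm the ACL hit counters move.
show nat detail
packet-tracer input outside tcp 203.0.113.5 40000 1.1.1.1 8080
packet-tracer input outside tcp 203.0.113.5 40000 1.1.1.1 22609
show access-list outside_access_in
```

If packet-tracer shows the flow allowed but external scans still fail, the remaining suspects are the device in front of the ASA and the DVR not listening, which are Pete's steps 1 and 2.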
ASKER
This worked. I had not disabled one of the original NAT rules that I had marked as inactive after I made the change! Thanks.