Cisco ASA 5505 Post 8.3 Port Forwarding

TechGuy_007
Prior to 8.3 I would set up my port forwards as shown below.

static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 2222 192.168.1.253 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 4443 192.168.1.253 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.29 3389 netmask 255.255.255.255

access-list outsideINGRESS extended permit tcp host PUBLICIP interface outside eq smtp
access-list outsideINGRESS extended permit tcp any interface outside eq https
access-list outsideINGRESS extended permit icmp any any echo-reply
access-list outsideINGRESS extended permit tcp any interface outside eq pptp
access-list outsideINGRESS extended permit tcp any interface outside eq 4443
access-list outsideINGRESS extended permit tcp any interface outside eq 2222
access-list outsideINGRESS extended permit tcp any interface outside eq 3389

-----------------

I cannot figure out the correct configuration for port forwarding in post-8.3. Below is what my new configuration looks like. What am I doing wrong?

object network server
 nat (inside,outside) static 10.0.0.250 service tcp smtp smtp
object network servervpn
 nat (inside,outside) static 10.0.0.250 service tcp pptp pptp
object network serverhttps
 nat (inside,outside) static 10.0.0.250 service tcp https https
object network serverrww
 nat (inside,outside) static 10.0.0.250 service tcp 4125 4125
object network pca
 nat (inside,outside) static 10.0.0.99 service tcp pcanywhere-data pcanywhere-data

access-list outsideINGRESS extended permit icmp any any echo-reply
access-list outsideINGRESS extended permit tcp any interface outside eq smtp
access-list outsideINGRESS extended permit tcp any interface outside eq 4125
access-list outsideINGRESS extended permit tcp any interface outside eq https
access-list outsideINGRESS extended permit tcp any interface outside eq 5632
access-list outsideINGRESS extended permit tcp any interface outside eq pptp
Network Consultant
Commented:
Okay, a few things here. I'm not sure which are your real IP addresses and which are your NATted outside addresses, so for my example 192.168.1.2 is the real IP address and 10.0.0.250 is the public IP address.

In your object..

object network server
 host 192.168.1.2
 nat (inside,outside) static 10.0.0.250 service tcp smtp smtp

Then the ACL:

So the deal is that in 8.3+ you reference the real IP address in the ACLs. Therefore, in your outsideINGRESS ACL, instead of using interface outside, use permit tcp any host 192.168.1.2 eq smtp.

You will need to change all the entries in your ACL to reflect the real IP address instead of the natted address.

Hope that helps.

Author

Commented:
Thanks for the help. I believe I am still doing something incorrectly. Could you please look at my example below and let me know what information I am mixing up?

Email Server IP: 192.168.1.1
ASA IP: 192.168.1.250
Public IP: 70.70.70.70


object network server
 host 192.168.1.1
 nat (inside,outside) static 192.168.1.250 service tcp smtp smtp

access-list outside_access_in extended permit tcp any host 192.168.1.1 eq smtp
Ken Boone, Network Consultant
Commented:
So if the public IP for the SMTP server should be NATted to 70.70.70.70, it should look like this:


object network server
 host 192.168.1.1
 nat (inside,outside) static 70.70.70.70 service tcp smtp smtp

ACL looks correct.

Author

Commented:
I tried that but I get the following error

"ERROR: Address 70.70.70.70 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded"
Ken Boone, Network Consultant
Commented:
Sorry about that - in the object nat statement replace the 70.70.70.70 with the word interface.

Author

Commented:
Now my configuration looks as follows but the port is still not working.

Email Server IP: 192.168.1.1
ASA IP: 192.168.1.250
Public IP: 70.70.70.70


object network server
 host 192.168.1.1
 nat (inside,outside) static interface service tcp smtp smtp

access-list outside_access_in extended permit tcp any host 192.168.1.1 eq smtp
Ken Boone, Network Consultant
Commented:
Have you applied the access-list?

access-group outside_access_in in interface outside

?

Also after these changes issue this command:

clear xlate

Author

Commented:
I just did with no luck. Do you need to see anything else with the configuration?
Ken Boone, Network Consultant

Commented:
Yeah, maybe you can post the whole config; just sanitize it first.

Author

Commented:
I have attached the config with the same example IP's we were using before.
I appreciate the help.

Email Server IP: 192.168.1.1
ASA IP: 192.168.1.250
Public IP: 70.70.70.70
Config.txt
Ken Boone, Network Consultant
Commented:
So I would recommend doing the following to see if this fixes things:

Remove this line:

nat (inside,outside) source dynamic any interface

Then issue a clear xlate command

Then add this:

object network obj_any
  subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

See if that works.  If not what shows up in the logs when you try to connect to that device?

Author

Commented:
Did this, still have nothing. I'm not sure how to check to see what happens when I attempt to telnet to the ports.

Author

Commented:
Never mind, I was wrong. For some reason the "nat (inside,outside) source dynamic any interface" line didn't remove itself. It looks like it's working now! Thank you!
Ken Boone, Network Consultant

Commented:
Great! Glad it's working.
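Pulling the pieces of this thread together, the following is an added example (not posted by either participant) that rewrites all six of the pre-8.3 static port forwards from the question in post-8.3 object NAT form, using the sample addresses the thread settled on (inside hosts on 192.168.1.0/24, public IP 70.70.70.70 assigned to the outside interface). Object names, the constructed source address 203.0.113.10 used in packet-tracer, and the PUBLICIP placeholder carried over from the original ACL are assumptions. It also shows the two details the thread tripped over: the static must say `interface` rather than the outside address, and the outbound PAT must live in object NAT (section 2, evaluated after the static object rules) instead of as a section-1 manual rule, which is what was shadowing the forwards.

```cisco
! Added example, not from the original thread: post-8.3 equivalent of the six
! pre-8.3 "static (inside,outside) tcp interface ..." lines in the question.
! ASA allows exactly one nat statement per network object, so each forwarded
! real-host/real-port pair gets its own object even when the host repeats.

! --- Section 2 (object NAT). Syntax: static interface service tcp <real> <mapped>.
! "interface" is required here; naming 70.70.70.70 outright produces
! "ERROR: Address 70.70.70.70 overlaps with outside interface address".
object network srv-smtp
 host 192.168.1.2
 nat (inside,outside) static interface service tcp smtp smtp
object network srv-https
 host 192.168.1.2
 nat (inside,outside) static interface service tcp https https
object network srv-pptp
 host 192.168.1.2
 nat (inside,outside) static interface service tcp pptp pptp
! Port-remapped forwards: real port first, mapped (public) port second.
object network mgmt-ssh
 host 192.168.1.253
 nat (inside,outside) static interface service tcp ssh 2222
object network mgmt-https
 host 192.168.1.253
 nat (inside,outside) static interface service tcp https 4443
object network pc-rdp
 host 192.168.1.29
 nat (inside,outside) static interface service tcp 3389 3389

! Outbound PAT as object NAT, not "nat (inside,outside) source dynamic any
! interface" in section 1. Within section 2 the static rules above are
! evaluated before this dynamic one, so inbound connections untranslate to
! the right host. (The manual-NAT alternative is the after-auto keyword.)
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! --- Ingress ACL: post-8.3 rules match the REAL (untranslated) address and
! port, so the 2222 and 4443 forwards appear here as ssh and https on the
! real host. The SMTP rule keeps the source restriction the pre-8.3 ACL had
! (PUBLICIP is the placeholder from the question); the rest are open to any,
! as in the question.
access-list outsideINGRESS extended permit icmp any any echo-reply
access-list outsideINGRESS extended permit tcp host PUBLICIP host 192.168.1.2 eq smtp
access-list outsideINGRESS extended permit tcp any host 192.168.1.2 eq https
access-list outsideINGRESS extended permit tcp any host 192.168.1.2 eq pptp
access-list outsideINGRESS extended permit tcp any host 192.168.1.253 eq ssh
access-list outsideINGRESS extended permit tcp any host 192.168.1.253 eq https
access-list outsideINGRESS extended permit tcp any host 192.168.1.29 eq 3389
! The ACL does nothing until it is bound to the interface.
access-group outsideINGRESS in interface outside

! --- Apply and verify.
clear xlate
show nat detail
! Simulate an inbound SMTP connection from the constructed source
! 203.0.113.10; the UN-NAT phase should show 70.70.70.70/25 translating to
! 192.168.1.2/25 and the ACCESS-LIST phase should report ALLOW.
packet-tracer input outside tcp 203.0.113.10 40000 70.70.70.70 25
! The remapped SSH forward: mapped port 2222 should untranslate to
! 192.168.1.253/22.
packet-tracer input outside tcp 203.0.113.10 40001 70.70.70.70 2222
```

If packet-tracer shows the packet dropped in the ACCESS-LIST phase, the ACL is still written against the mapped address or mapped port; if it is dropped in the NAT phase or translates to the wrong host, `show nat detail` will show which rule matched first. PPTP and 3389 are left open to any source here only to mirror the question; restrict the source where the peer is known, as the SMTP rule does.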
