
Cisco ASA 5506 - port forwarding not working

We've successfully established port forwarding on this firewall using the method below. Other services are reachable and working fine.

However, when we moved the service "MYSVC" behind the firewall, the remote company could not access their equipment. Also, our logs showed that outbound communication attempts from their internal equipment to their network were failing.

Step 1:
object network obj_inside_MYSVC-tcp9000
 host 10.0.0.240
object network obj_inside_MYSVC-tcp9001
 host 10.0.0.240

Step 2:
object network obj_inside_MYSVC-tcp9000
 nat (inside,outside) static interface service tcp 9000 9000
object network obj_inside_MYSVC-tcp9001
 nat (inside,outside) static interface service tcp 9001 9001

Step 3:
object-group service obj_svc_MYSVC tcp
 port-object eq 9000
 port-object eq 9001

Step 4:
object-group protocol MYSVC
 protocol-object tcp

Step 5:
access-list outside_access_in extended permit object-group MYSVC any object obj_inside_MYSVC-tcp9000 object-group obj_svc_MYSVC

Is there something incorrect about our method? Is there any reason the above port forwarding config would work for some services, but not others?
Asked by: d4nnyo
2 Solutions
 
CompProbSolv commented:
Does the service only use TCP? That appears to be how the forwarding is defined.
 
d4nnyo (author) commented:
Yes, vendor advised TCP only.
 
max_the_king commented:
Hi,
host 10.0.0.240 should be allowed to go out to the internet; otherwise external requests won't find their way back to the source IP address.
So you first need to check that it can reach the internet: it should have a NAT/PAT rule, and an access-list on the inside interface if an access-group is present there.

Once this first step is confirmed to work, you can easily check whether your rule is OK by trying a telnet to those ports from outside: telnet <public_IP_address> 9000.
If you get a response, then your firewall is OK and the problem is elsewhere.

hope this helps
max
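The outbound path max describes, as an added example that is not configuration from the original post. It assumes the inside LAN is 10.0.0.0/24 and that the ASA's outside interface address is the public IP the vendor connects to; the object and ACL names (obj_inside_lan, inside_access_in) and the destination 203.0.113.10 are placeholders. Lines beginning with "!" are annotations, not commands to paste.

```text
! Return/outbound path: everything on the inside LAN that is not matched by a
! more specific static rule is PATed to the outside interface address.
! The per-port statics from the question (static interface service tcp 9000 9000)
! translate only traffic whose real source is 10.0.0.240 port 9000/9001, so
! connections the host itself *initiates* (ephemeral source ports) fall through
! to this dynamic rule. Without it, the host's replies and its own outbound
! traffic have no translation and never leave the outside interface.
object network obj_inside_lan
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Only needed if an access-group is already applied inbound on the inside
! interface; with no ACL there the ASA lets inside initiate to outside by default.
! Check what is applied with: show running-config access-group
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-group inside_access_in in interface inside

! Simulate a connection initiated by the vendor's host to exercise route lookup,
! ACL and NAT in the outbound direction. The output should end with
! "Action: allow"; a drop names the failing phase and a Drop-reason.
packet-tracer input inside tcp 10.0.0.240 51000 203.0.113.10 443
```

The packet-tracer result only proves the ASA would pass the packet; it says nothing about whether the host actually sends its traffic to the ASA, which is the default-gateway point raised later in the thread.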
 
CompProbSolv commented:
I frequently use port forwarding to allow remote access with VNC. It is very easy to change the port number on the VNC server, so I will also use it to test whether I have port forwarding working correctly. For example, in your case I'd set up a computer with VNC configured for port 9000 and change the IP address in your 5506 to point to the IP address of that computer. I'd test connectivity with the VNC client from another computer on the same network to confirm that I have the computer configured correctly. Then I'd test from a computer outside of the network to confirm that I have port forwarding configured correctly. Lastly, I'd change the port (in VNC and in the 5506) to 9001 and test again.

If all work, you've confirmed that your port forwarding is working correctly for TCP ports 9000 and 9001. If it doesn't work for MYSVC to 10.0.0.240 as originally configured, then the issue is not with port forwarding but with the computer at 10.0.0.240 or with the specs on what needs to be forwarded.
 
CompProbSolv commented:
@max:
I like your telnet suggestion but haven't tried it so universally.

Is it safe to assume that any device that has a TCP service will respond to a telnet connection? I've used this before with email servers (and telnet servers, of course) but never considered that I could use it with anything that has a TCP service.
 
max_the_king commented:
It does respond. 100%. It might respond with a blank window should the application under that service give no answer for security reasons.
max
 
d4nnyo (author) commented:
Hi Max,

Sorry, forgot to mention that when the vendor's host was at 10.0.0.240, we could successfully telnet to 10.0.0.240 on 9000 and 9001.

Is that the absolute limit of our responsibility?
 
max_the_king commented:
Hi,
when you do a telnet session from outside, you do it to the NATted public IP (in your case, the public IP of the firewall).
If you can do that, that is the limit of your firewall's responsibility.

max
 
d4nnyo (author) commented:
Max, yes, I worded it incorrectly. Using a public admin website, we can telnet successfully to the public IP on those ports.

Vendor pushed back, but we advised them there was nothing else we could do. I appreciate the confirmation.
 
max_the_king commented:
Yep, you did it all.
Just check with the vendor that they set the right default gateway on their machine, which must of course be your ASA.
max
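Verifying the forward from the ASA itself, as an added example that is not from any of the posts above. It reproduces max's telnet test as a packet-tracer run and then shows how to tell an ASA-side problem from a problem on the vendor's host (for example the wrong default gateway mentioned in the last comment). 198.51.100.2 stands in for the ASA's outside interface address and 203.0.113.10 for the vendor's source address; both are placeholders. Lines beginning with "!" are annotations, not commands to paste.

```text
! 1. Simulate the vendor's inbound connection to each forwarded port.
!    The output walks the packet through the route, ACL and NAT phases and
!    should end with "Action: allow", the NAT phase showing the untranslation
!    to 10.0.0.240. "Action: drop" names the failing phase and a Drop-reason
!    (acl-drop, for instance, when outside_access_in does not match).
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.2 9000
packet-tracer input outside tcp 203.0.113.10 40000 198.51.100.2 9001

! 2. Confirm both static rules are installed and watch their hit counters;
!    the untranslate_hits of the tcp9000/tcp9001 rules should rise while the
!    vendor attempts to connect.
show nat detail

! 3. While the vendor tries to connect, look for the flow. A connection that
!    appears but whose flags never reach "U" (up) means the SYN was forwarded
!    to 10.0.0.240 and no SYN/ACK came back: the host is not listening, blocks
!    the port locally, or sends its reply to a gateway other than the ASA.
show conn address 10.0.0.240
show xlate

! 4. The syslog tells the same story: 302013 "Built inbound TCP connection"
!    followed by 302014 "Teardown TCP connection ... SYN Timeout" points at the
!    host, while 106023 means the outside_access_in ACL denied the packet.
show logging | include 10.0.0.240

! 5. Make sure the host is actually reachable on the inside segment.
show arp | include 10.0.0.240
```

Once step 1 allows the packet and step 3 shows the SYN being handed to 10.0.0.240 without a reply, everything the firewall can do has been done; what remains is the host's listener, its local firewall and its default gateway.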
