Solved

Cisco ASA 5506 - port forwarding not working

Posted on 2016-10-13
Last Modified: 2016-10-16
We've established port forwarding successfully using the following method below on this firewall. Other services are reachable and working fine.

However, when we moved the service "MYSVC" behind the firewall, the remote company could not access their equipment. Also, our log showed outbound communication attempts from their internal equipment to their network were failing.

Step 1:
object network obj_inside_MYSVC-tcp9000
 host 10.0.0.240
object network obj_inside_MYSVC-tcp9001
 host 10.0.0.240

Step 2:
object network obj_inside_MYSVC-tcp9000
 nat (inside,outside) static interface service tcp 9000 9000
object network obj_inside_MYSVC-tcp9001
 nat (inside,outside) static interface service tcp 9001 9001

Step 3:
object-group service obj_svc_MYSVC tcp
 port-object eq 9000
 port-object eq 9001

Step 4:
object-group protocol MYSVC
 protocol-object tcp

Step 5:
access-list outside_access_in extended permit object-group MYSVC any object obj_inside_MYSVC-tcp9000 object-group obj_svc_MYSVC

Is there something incorrect about our method? Is there any reason the above port forwarding config would work for some services, but not others?
Question by:d4nnyo
10 Comments
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 41842783
Does the service only use TCP?  That appears to be how the forwarding is defined.
 
LVL 1

Author Comment

by:d4nnyo
ID: 41843036
Yes, vendor advised TCP only.
 
LVL 16

Expert Comment

by:max_the_king
ID: 41843353
Hi,
host 10.0.0.240 should be allowed to go on the internet, otherwise external requests wouldn't find the way back to source ip address.
So you need first to check that it can go on the internet: it should have a nat/pat rule and an access-list on the inside interface if an access-group is present.

If this 1st step is confirmed that works, you can easily try if your rule is ok by trying a telnet on those ports from outside: telnet <public_IP_address> 9000.
If you have a response, then your firewall is ok and the problem is elsewhere.

hope this helps
max
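The five configuration steps in the question together with the two checks Max describes above (outbound NAT/ACL for the host, then a test of the forwarded ports), written out as an added example that is not from the original post or from any of the commenters. It assumes ASA 8.3+ NAT syntax (which the question already uses), interfaces named inside and outside, an outside interface address of 203.0.113.10, an inside subnet of 10.0.0.0/24 and a vendor network of 198.51.100.0/24; those addresses and the object names obj_inside_net and obj_vendor_net are placeholders chosen for the example, not values from the page.

```cisco
! Added example, not from the original post. Placeholders: outside interface
! 203.0.113.10, inside subnet 10.0.0.0/24, vendor network 198.51.100.0/24.
! Interface names "inside"/"outside" and ASA 8.3+ NAT syntax are assumed.

! --- 1. Outbound path for the forwarded host (Max's first check) ---
! The static "interface service tcp 9000 9000" rules in the question create a
! bidirectional xlate, so replies to inbound sessions on 9000/9001 already
! work. New connections the host opens itself from any other source port
! match no NAT rule, leave with their private source address and never get
! an answer. A dynamic PAT for the inside subnet fixes that.
object network obj_inside_net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Only needed if an access-group is already applied to the inside interface
! (with no inside access-group the ASA permits inside->outside by default).
! Scoped to the vendor network rather than "any".
object network obj_vendor_net
 subnet 198.51.100.0 255.255.255.0
access-list inside_access_in extended permit ip host 10.0.0.240 object obj_vendor_net

! --- 2. Verify the rules on the ASA before asking the vendor to retest ---
! Static rules plus the dynamic PAT, each with translate hit counts.
show nat detail
! The hitcnt on the permit line should increase with every inbound test.
show access-list outside_access_in

! Simulated inbound connection from a vendor host to each forwarded port.
! Expect an UN-NAT phase translating 203.0.113.10/9000 to 10.0.0.240/9000,
! an ACCESS-LIST phase matching outside_access_in, and "Action: allow".
! "Action: drop" with a Drop-reason means the ASA is the problem.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 9000
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 9001

! Simulated outbound connection from the forwarded host back to the vendor.
! Expect a NAT phase showing the dynamic PAT to 203.0.113.10 and "Action: allow".
packet-tracer input inside tcp 10.0.0.240 40000 198.51.100.7 443

! --- 3. Watch live sessions while the vendor connects ---
show conn address 10.0.0.240
show xlate
```

On ASA 8.3 and later the outside ACL is written against the real (inside) address, so using `object obj_inside_MYSVC-tcp9000` as the destination in step 5 is correct, and because both objects resolve to 10.0.0.240 that single line covers 9000 and 9001. When the vendor repeats Max's telnet test against the public IP, the failure mode is informative: a connection that hangs and times out is being dropped before it reaches the host (NAT or ACL on the ASA, or a filter upstream), whereas an immediate "connection refused" means the ASA forwarded the SYN and the host itself reset it, so nothing is listening on that port. If `show conn` shows the inbound session stuck embryonic while the outside test times out, the SYN reached the host but its reply never came back through the ASA, which is the default-gateway problem Max raises later in the thread.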
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 41843357
I frequently use port forwarding to allow remote access with VNC.  It is very easy to change the port number on the VNC server so I will also use it to test if I have port forwarding working correctly.  For example, in your case I'd set up a computer with VNC configured for port 9000 and change the IP address in your 5506 to point to the IP address of that computer.  I'd test connectivity with the VNC client from another computer on the same network to confirm that I have the computer configured correctly.  Then I'd test from a computer outside of the network to confirm that I have port forwarding configured correctly.  Lastly, I'd change the port (in VNC and in the 5506) to 9001 and test again.

If all work, you've confirmed that your port forwarding is working correctly for TCP ports 9000 and 9001.  If it doesn't work for MYSVC to 10.0.0.240 as originally configured, then the issue is not with port forwarding but with the computer at 10.0.0.240 or with the specs on what needs to be forwarded.
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 41843366
@max:
I like your telnet suggestion but haven't tried it so universally.

Is it safe to assume that any device that has a TCP service will respond to a telnet connection?  I've used this before with email servers (and telnet servers, of course) but never considered that I could use it with anything that has a TCP service.
 
LVL 16

Expert Comment

by:max_the_king
ID: 41843382
It does respond. 100%. It might respond with a blank window should the application under that service give no answer for security reason.
max
 
LVL 1

Author Comment

by:d4nnyo
ID: 41843511
Hi Max,

Sorry, forgot to mention that when vendor's host was at 10.0.0.240, we could successfully telnet to 10.0.0.240 on 9000 and 9001.

Is that the absolute limit of our responsibility?
 
LVL 16

Accepted Solution

by:max_the_king (earned 500 total points)
ID: 41843543
Hi,
when you do a telnet session from outside you do it on the natted Public IP (in your case it is the public IP of the firewall).
If you can do that, that is the limit of your firewall's responsibility.

max
 
LVL 1

Author Comment

by:d4nnyo
ID: 41843587
Max, yes, I worded it incorrectly. Using a public admin website, we can telnet successfully to the public IP on those ports.

Vendor pushed back but we advised them there was nothing else we could do. I appreciate the confirmation.
 
LVL 16

Assisted Solution

by:max_the_king (earned 500 total points)
ID: 41843613
Yep, you did it all.
Just check with vendor that they set the right default gateway on their machine, which must be of course your ASA.
max