Solved

Cisco ASA 5506 - port forwarding not working

Posted on 2016-10-13
Last Modified: 2016-10-16
We've established port forwarding successfully using the following method below on this firewall. Other services are reachable and working fine.

However, when we moved the service "MYSVC" behind the firewall, the remote company could not access their equipment. Also, our log showed outbound communication attempts from their internal equipment to their network were failing.

Step 1:
object network obj_inside_MYSVC-tcp9000
 host 10.0.0.240
object network obj_inside_MYSVC-tcp9001
 host 10.0.0.240

Step 2:
object network obj_inside_MYSVC-tcp9000
 nat (inside,outside) static interface service tcp 9000 9000
object network obj_inside_MYSVC-tcp9001
 nat (inside,outside) static interface service tcp 9001 9001

Step 3:
object-group service obj_svc_MYSVC tcp
 port-object eq 9000
 port-object eq 9001

Step 4:
object-group protocol MYSVC
 protocol-object tcp

Step 5:
access-list outside_access_in extended permit object-group MYSVC any object obj_inside_MYSVC-tcp9000 object-group obj_svc_MYSVC

Is there something incorrect about our method? Is there any reason the above port forwarding config would work for some services, but not others?
Question by:d4nnyo
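One way to sanity-check a config like the one above, as an added example rather than anything from the thread: a small Python cross-check that reads the ASA object, static PAT, service-group and access-list lines and reports every forwarded port that lacks a matching permit on the outside ACL (the question's own snippet passes; a constructed extra object for tcp 9002 is included so the check has something to flag). The parser only understands the exact line shapes used in the question, which is an assumption of this example.

```python
import re
from collections import defaultdict
# Constructed sample: the asker's snippet, plus tcp 9002 to 10.0.0.241 that is NAT'd but never permitted.
ASA_CONFIG = """\
object network obj_inside_MYSVC-tcp9000
 host 10.0.0.240
object network obj_inside_MYSVC-tcp9001
 host 10.0.0.240
 nat (inside,outside) static interface service tcp 9001 9001
object network obj_inside_MYSVC-tcp9000
 nat (inside,outside) static interface service tcp 9000 9000
object network obj_inside_OTHER-tcp9002
 host 10.0.0.241
 nat (inside,outside) static interface service tcp 9002 9002
object-group service obj_svc_MYSVC tcp
 port-object eq 9000
 port-object eq 9001
object-group protocol MYSVC
 protocol-object tcp
access-list outside_access_in extended permit object-group MYSVC any object obj_inside_MYSVC-tcp9000 object-group obj_svc_MYSVC
"""

def parse_asa(text):
    # hosts: obj -> ip; nats: (obj, proto, real_port); svc/proto: group -> set; acls: tuples
    hosts, nats, svc, proto, acls, cur = {}, [], defaultdict(set), defaultdict(set), [], None
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] in ("object", "object-group"):
            cur = w[2]                                   # object now being defined
        elif w[0] == "host":
            hosts[cur] = w[1]
        elif w[0] == "nat" and "service" in w:           # ... service <proto> <real> <mapped>
            i = w.index("service")
            nats.append((cur, w[i + 1], int(w[i + 2])))
        elif w[0] == "port-object":
            svc[cur].add(int(w[2]))
        elif w[0] == "protocol-object":
            proto[cur].add(w[1])
        elif w[0] == "access-list" and "permit" in w:
            m = re.search(r"permit (?:object-group (\S+)|(\S+)) \S+ object (\S+) object-group (\S+)$", " ".join(w))
            if m:
                acls.append(m.groups())                  # (proto_group, proto, dest_obj, svc_group)
    return hosts, nats, svc, proto, acls

def unpermitted_forwards(text):
    # (real_ip, proto, real_port) triples that have a static PAT but no matching ACL permit
    hosts, nats, svc, proto, acls = parse_asa(text)
    allowed = set()
    for pgrp, pname, dobj, sgrp in acls:
        for p in (proto[pgrp] if pgrp else {pname}):
            allowed.update((hosts.get(dobj), p, port) for port in svc[sgrp])
    return sorted({(hosts.get(n), p, port) for n, p, port in nats} - allowed)
```

Run `unpermitted_forwards(ASA_CONFIG)` on a pasted `show running-config` excerpt; an empty list means every forwarded port is also permitted inbound, and the remaining suspects are the host's own listener and its return path.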
10 Comments
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 41842783
Does the service only use TCP?  That appears to be how the forwarding is defined.
 
LVL 1

Author Comment

by:d4nnyo
ID: 41843036
Yes, vendor advised TCP only.
 
LVL 16

Expert Comment

by:max_the_king
ID: 41843353
Hi,
host 10.0.0.240 should be allowed to go on the internet, otherwise external requests wouldn't find the way back to the source IP address.
So you need first to check that it can go on the internet: it should have a nat/pat rule and an access-list on the inside interface if an access-group is present.

If this 1st step is confirmed to work, you can easily check whether your rule is ok by trying a telnet on those ports from outside: telnet <public_IP_address> 9000.
If you have a response, then your firewall is ok and the problem is elsewhere.

hope this helps
max
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 41843357
I frequently use port forwarding to allow remote access with VNC.  It is very easy to change the port number on the VNC server so I will also use it to test if I have port forwarding working correctly.  For example, in your case I'd set up a computer with VNC configured for port 9000 and change the IP address in your 5506 to point to the IP address of that computer.  I'd test connectivity with the VNC client from another computer on the same network to confirm that I have the computer configured correctly.  Then I'd test from a computer outside of the network to confirm that I have port forwarding configured correctly.  Lastly, I'd change the port (in VNC and in the 5506) to 9001 and test again.

If all work, you've confirmed that your port forwarding is working correctly for TCP ports 9000 and 9001.  If it doesn't work for MYSVC to 10.0.0.240 as originally configured, then the issue is not with port forwarding but with the computer at 10.0.0.240 or with the specs on what needs to be forwarded.
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 41843366
@max:
I like your telnet suggestion but haven't tried it so universally.

Is it safe to assume that any device that has a TCP service will respond to a telnet connection?  I've used this before with email servers (and telnet servers, of course) but never considered that I could use it with anything that has a TCP service.
 
LVL 16

Expert Comment

by:max_the_king
ID: 41843382
It does respond. 100%. It might respond with a blank window should the application under that service give no answer for security reasons.
max
 
LVL 1

Author Comment

by:d4nnyo
ID: 41843511
Hi Max,

Sorry, forgot to mention that when vendor's host was at 10.0.0.240, we could successfully telnet to 10.0.0.240 on 9000 and 9001.

Is that the absolute limit of our responsibility?
 
LVL 16

Accepted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41843543
Hi,
when you do a telnet session from outside you do it on the natted Public IP (in your case it is the public IP of the firewall).
If you can do that, that is the limit of your firewall's responsibility.

max
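The external check max describes (telnet from outside to the natted public IP), as an added example that is not from the thread: a small Python probe that classifies the result the way a telnet window would show it, exercised against a constructed local listener so it runs offline. The state names, the local listener and the timeouts are this example's own choices.

```python
import socket
import threading

def probe(host, port, timeout=2.0):
    # Mirror what "telnet <public_IP> 9000" from outside shows, as a (state, banner) pair:
    #  "open"       handshake completed; banner may be empty (the "blank window" case)
    #  "refused"    an RST came back: the NAT target answered but nothing listens there
    #  "no-answer"  nothing came back in time: typically dropped by an ACL, or never routed
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        try:
            banner = s.recv(128)        # many services stay silent until the client speaks
        except socket.timeout:
            banner = b""
        return "open", banner
    except ConnectionRefusedError:
        return "refused", b""
    except (socket.timeout, OSError):
        return "no-answer", b""
    finally:
        s.close()

def demo():
    # Constructed stand-in for the forwarded service: a local listener that accepts a
    # connection and hangs up without sending anything. Probed while listening, then after closing.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True).start()
    while_listening = probe("127.0.0.1", port, timeout=1.0)[0]
    srv.close()
    after_close = probe("127.0.0.1", port, timeout=1.0)[0]
    return while_listening, after_close

if __name__ == "__main__":
    print(demo())   # ('open', 'refused')
```

Against the real firewall you would call probe() with the ASA's public IP and ports 9000 and 9001 from a host outside the network; "open" means the NAT and ACL are doing their job, and only "no-answer" points back at the firewall.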
 
LVL 1

Author Comment

by:d4nnyo
ID: 41843587
Max, yes, I worded it incorrectly. Using a public admin website, we can telnet successfully to the public IP on those ports.

Vendor pushed back but we advised them there was nothing else we could do. I appreciate the confirmation.
 
LVL 16

Assisted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41843613
Yep, you did it all.
Just check with vendor that they set the right default gateway on their machine, which must be of course your ASA.
max
