Solved

Cisco ASA 5506 - port forwarding not working

Posted on 2016-10-13
49 Views
Last Modified: 2016-10-16
We've established port forwarding successfully using the following method below on this firewall. Other services are reachable and working fine.

However, when we moved the service "MYSVC" behind the firewall, the remote company could not access their equipment. Also, our log showed outbound communication attempts from their internal equipment to their network were failing.

Step 1:
object network obj_inside_MYSVC-tcp9000
 host 10.0.0.240
object network obj_inside_MYSVC-tcp9001
 host 10.0.0.240

Step 2:
object network obj_inside_MYSVC-tcp9000
 nat (inside,outside) static interface service tcp 9000 9000
object network obj_inside_MYSVC-tcp9001
 nat (inside,outside) static interface service tcp 9001 9001

Step 3:
object-group service obj_svc_MYSVC tcp
 port-object eq 9000
 port-object eq 9001

Step 4:
object-group protocol MYSVC
 protocol-object tcp

Step 5:
access-list outside_access_in extended permit object-group MYSVC any object obj_inside_MYSVC-tcp9000 object-group obj_svc_MYSVC

Is there something incorrect about our method? Is there any reason the above port forwarding config would work for some services, but not others?
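As an added check (not part of the question or of the vendor's setup), here is a small Python parser that reads the five steps above and confirms that every real port forwarded by the object NAT is also permitted to the same host by the outside ACL. That kind of mismatch (a service group missing a port, or a NAT "real" port that differs from what the ACL permits) is exactly what lets this method work for some services but not others. The config copy inside the block is constructed from the posted steps.

```python
# Constructed copy of the question's fragment; assumes ASA 8.3+ semantics (ACL matches real, not mapped, ports).
ASA_CONFIG = """\
object network obj_inside_MYSVC-tcp9000
 host 10.0.0.240
object network obj_inside_MYSVC-tcp9001
 host 10.0.0.240
object network obj_inside_MYSVC-tcp9000
 nat (inside,outside) static interface service tcp 9000 9000
object network obj_inside_MYSVC-tcp9001
 nat (inside,outside) static interface service tcp 9001 9001
object-group service obj_svc_MYSVC tcp
 port-object eq 9000
 port-object eq 9001
object-group protocol MYSVC
 protocol-object tcp
access-list outside_access_in extended permit object-group MYSVC any object obj_inside_MYSVC-tcp9000 object-group obj_svc_MYSVC
"""

def parse_asa(config):
    # hosts: object -> IP, nat: object -> (proto, real port, mapped port), svc_groups: name -> ports
    hosts, nat, svc_groups, acl, cur = {}, {}, {}, [], None
    for line in filter(None, map(str.rstrip, config.splitlines())):
        tok = line.split()
        if line.startswith("object network "):
            cur = ("net", tok[2]); hosts.setdefault(tok[2], None)
        elif line.startswith("object-group service "):
            cur = ("svc", tok[2]); svc_groups.setdefault(tok[2], set())
        elif line.startswith("object-group "):
            cur = None                                  # protocol groups carry no ports
        elif line.startswith("access-list ") and "permit" in tok:
            acl.append(tok)
        elif cur and cur[0] == "net" and tok[0] == "host":
            hosts[cur[1]] = tok[1]
        elif cur and cur[0] == "net" and tok[0] == "nat" and "service" in tok:
            i = tok.index("service")                    # proto, real port, mapped port
            nat[cur[1]] = (tok[i + 1], tok[i + 2], tok[i + 3])
        elif cur and cur[0] == "svc" and tok[:2] == ["port-object", "eq"]:
            svc_groups[cur[1]].add(tok[2])
    return hosts, nat, svc_groups, acl

def check_forwarding(config):
    # Returns (ok, problems): each NATted real port must be permitted to its host by the ACL.
    hosts, nat, svc_groups, acl = parse_asa(config)
    permitted = set()                                   # (host, port) pairs the ACL allows
    for tok in acl:
        dst = next((hosts.get(tok[i + 1]) for i, t in enumerate(tok) if t == "object"), None)
        for name in (tok[i + 1] for i, t in enumerate(tok) if t == "object-group"):
            permitted |= {(dst, p) for p in svc_groups.get(name, ())}
    problems = [f"{obj}: {hosts[obj]} tcp/{real} is NATted but not permitted by the ACL"
                for obj, (_p, real, _m) in nat.items() if (hosts[obj], real) not in permitted]
    return (not problems, problems)
```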
Question by:d4nnyo
10 Comments
 
LVL 20

Expert Comment

by:CompProbSolv
ID: 41842783
Does the service only use TCP?  That appears to be how the forwarding is defined.
LVL 1

Author Comment

by:d4nnyo
ID: 41843036
Yes, vendor advised TCP only.
LVL 15

Expert Comment

by:max_the_king
ID: 41843353
Hi,
Host 10.0.0.240 should be allowed to go on the internet; otherwise external requests wouldn't find their way back to the source IP address.
So you first need to check that it can go on the internet: it should have a NAT/PAT rule and an access-list on the inside interface if an access-group is present.

If this first step is confirmed to work, you can easily test whether your rule is OK by trying a telnet on those ports from outside: telnet <public_IP_address> 9000.
If you have a response, then your firewall is ok and the problem is elsewhere.

hope this helps
max
LVL 20

Expert Comment

by:CompProbSolv
ID: 41843357
I frequently use port forwarding to allow remote access with VNC.  It is very easy to change the port number on the VNC server so I will also use it to test if I have port forwarding working correctly.  For example, in your case I'd set up a computer with VNC configured for port 9000 and change the IP address in your 5506 to point to the IP address of that computer.  I'd test connectivity with the VNC client from another computer on the same network to confirm that I have the computer configured correctly.  Then I'd test from a computer outside of the network to confirm that I have port forwarding configured correctly.  Lastly, I'd change the port (in VNC and in the 5506) to 9001 and test again.

If all work, you've confirmed that your port forwarding is working correctly for TCP ports 9000 and 9001.  If it doesn't work for MYSVC to 10.0.0.240 as originally configured, then the issue is not with port forwarding but with the computer at 10.0.0.240 or with the specs on what needs to be forwarded.
LVL 20

Expert Comment

by:CompProbSolv
ID: 41843366
@max:
I like your telnet suggestion but haven't tried it so universally.

Is it safe to assume that any device that has a TCP service will respond to a telnet connection?  I've used this before with email servers (and telnet servers, of course) but never considered that I could use it with anything that has a TCP service.
LVL 15

Expert Comment

by:max_the_king
ID: 41843382
It does respond. 100%. It might respond with a blank window should the application under that service give no answer for security reasons.
max
LVL 1

Author Comment

by:d4nnyo
ID: 41843511
Hi Max,

Sorry, I forgot to mention that when the vendor's host was at 10.0.0.240, we could successfully telnet to 10.0.0.240 on 9000 and 9001.

Is that the absolute limit of our responsibility?
LVL 15

Accepted Solution

by:max_the_king (earned 500 total points)
ID: 41843543
Hi,
when you do a telnet session from outside you do it on the natted Public IP (in your case it is the public IP of the firewall).
If you can do that, that is the limit of your firewall's responsibility.

max
LVL 1

Author Comment

by:d4nnyo
ID: 41843587
Max, yes, I worded it incorrectly. Using a public admin website, we can telnet successfully to the public IP on those ports.

Vendor pushed back but we advised them there was nothing else we could do. I appreciate the confirmation.
LVL 15

Assisted Solution

by:max_the_king
max_the_king earned 500 total points
ID: 41843613
Yep, you did it all.
Just check with the vendor that they set the right default gateway on their machine, which must of course be your ASA.
max
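Max's from-outside telnet test, together with his closing point about the vendor's default gateway, can be scripted. This is an added example, not code from the thread, and the public IP in it is a placeholder. It classifies the result the way the thread interprets it: a completed handshake means the ASA's NAT and ACL are fine, a refusal means the inside host was reached but nothing listens on that port, and a timeout points at an ACL drop, a wrong NAT, or replies that never come back through the ASA (the default-gateway problem).

```python
import socket

def probe_tcp(host, port, timeout=3.0):
    """Do what 'telnet <host> <port>' does and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: NAT, ACL and the return path all work
    except socket.timeout:
        return "timeout"       # SYN or SYN/ACK lost: ACL drop, wrong NAT, or no route back via the ASA
    except ConnectionRefusedError:
        return "refused"       # RST came back: the translation reached a host, but nothing listens there
    except OSError as exc:
        return f"error:{exc.errno}"

def probe_forwarded_ports(public_ip, ports=(9000, 9001), timeout=3.0):
    """Probe each forwarded port on the ASA's outside address; run this from outside the firewall."""
    return {port: probe_tcp(public_ip, port, timeout) for port in ports}

def open_loopback_listener():
    """Throwaway listener so the classifier can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv

if __name__ == "__main__":
    PUBLIC_IP = "203.0.113.10"   # placeholder for the firewall's outside (public) IP
    for port, state in probe_forwarded_ports(PUBLIC_IP).items():
        print(f"tcp/{port}: {state}")
```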