Cisco ASA NAT Port Forwarding

Thanks for your reply.

Everything works internally now, but when I tried to telnet from R3 to R1 using port 80 it says the port is open but the connection is never established.
When I tried to SSH into R2 from router R3 it won't work.
ASA configuration:

interface GigabitEthernet0/0
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0

object network web-server
 host 192.168.1.10
object network ssh-server
 host 192.168.1.20
access-list dmz-server extended permit tcp any host 192.168.1.10 eq www
access-list dmz-server extended permit tcp any host 192.168.1.20 eq ssh

object network web-server
 nat (dmz,outside) static interface service tcp www www
object network ssh-server
 nat (dmz,outside) static interface service tcp ssh ssh
access-group dmz-server in interface outside

hi,
I have 1 public IP that I need to PAT for 40 ports to the inside. Some are 1-to-1 port (public to private), some are multiple-to-1. Some need redirected ports. Do I have to create a network object for each translation of multiple public ports to 1 inside IP?

Example

Outside interface to the inside IP 10.10.10.50, which needs ports 554, 2000, 3000 and 2222 translated.

Do I do this:

object network obj-10.10.10.50-554
 host 10.10.10.50
 nat (inside,outside) static interface service tcp rtsp rtsp
object network obj-10.10.10.50-2000
 host 10.10.10.50
 nat (inside,outside) static interface service tcp 2000 2000

Or is there a way to do it under 1 network object or no network object?

Thanks for your insight

Hello Ankit

Once again, Telnet uses port 21 and all Telnet servers will listen in on port 21. You attempted to Telnet to port 80, but the server is not listening on port 80 for Telnet sessions. The port is indeed open, but the server is expecting web requests there. This is why the connection will never be established.

At first glance it doesn’t seem like your ASA is blocking the SSH connection. I suggest you try to connect from R1 to R2 using SSH to see if the SSH configuration is correct on R2. If that works correctly, you can begin troubleshooting other issues on the ASA that may not be in the config that you shared.

I hope this has been helpful!

Laz

Hello

I am having another issue now. I am trying to access mail.csm-compressor.com from my internal network, but for some reason I can't access it. Everything else works fine, and I can access it from outside of our network.
It's managed by Google or Gmail.

Please explain a bit about the BVI interface, for example the major difference between BVI and VLAN.

This is because we are using BVI interfaces for the inside and dmz networks.

If you have any idea about that please let me know.

Hello Ankit

In order for us to help you out with the accessibility of the external sites, you’ll have to give us a little more information about your topology and your setup.

As for the BVI interface, take a look at this post:

I hope this has been helpful!

Laz

We are configuring a new ASA 5506 and this is our topology.
We are having some serious issues accessing remote desktop from outside.

nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside

We use the above rule to allow internet access from inside to outside; it works and it is at number 1 in the NAT rules.

Now we have a few servers that we would like to access from outside, so we were trying to open ports.
We created network object NAT rules and access-lists for that; for some reason it didn't work, so we created a manual NAT rule before the network object NAT rules. It only works when it is at number 1. That's fine, but then our internet stops working.
So we don't have any idea what we are doing wrong.

If someone can help me ASAP, because we are planning to deploy ASAP.

Thanks, Ankit

Hi Ankit,

Do you still have issues with this? You don’t need more than this config:


ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic interface

ASA1(config)# object network SSH_SERVER
ASA1(config-network-object)# host 192.168.1.100
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) static interface service tcp 22 10022

ASA1(config)# access-list OUTBOUND_INBOUND extended permit tcp any object SSH_SERVER eq 22
ASA1(config)# access-group OUTBOUND_INBOUND in interface OUTSIDE

This translates all traffic on the INSIDE to the public IP address on your OUTSIDE interface. It also forwards TCP 10022 to an SSH server listening on TCP 22 on the INSIDE, and the access-list (applied inbound on OUTSIDE) permits that traffic to the server's real address.

Rene

Hello Rene,

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 3
 nameif vlan2_1
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 2
 nameif dmz_6
 security-level 50
!
interface GigabitEthernet1/8
 bridge-group 2
 nameif dmz_7
 security-level 50
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface BVI2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface BVI3
 nameif vlan2
 security-level 100
 ip address 10.2.0.1 255.255.255.0

For some reason we can't use our inside interface.
We have to use inside_1. If we try with inside, it deletes our rule or access list. Don't know why.
We were using ASA 9.8 before. I heard there was a bug for BVI, so I upgraded to 9.9.2, but still the same problem.

I tried with the above configuration too. It didn't help either.

Thanks

Hi Ankit,

The bridge group implementation on the ASA 5506 is a bit of a pain. Do you only use one INSIDE interface? If so, I would suggest getting rid of the bridge-group and cleaning it up. This is what I do on a new ASA 5506:

Remove all bridge group info from the interfaces:

interface GigabitEthernet1/2
no nameif
no bridge-group 1
interface GigabitEthernet1/3
no nameif
no bridge-group 1
interface GigabitEthernet1/4
no nameif
no bridge-group 1
interface GigabitEthernet1/5
no nameif
no bridge-group 1
interface GigabitEthernet1/6
no nameif
no bridge-group 1
interface GigabitEthernet1/7
no nameif
no bridge-group 1
interface GigabitEthernet1/8
no nameif
no bridge-group 1

Delete the BVI:

clear configure interface BVI1

Delete all junk network objects:

no object network obj_any1
no object network obj_any2
no object network obj_any3
no object network obj_any4
no object network obj_any5
no object network obj_any6
no object network obj_any7

You can then configure one of the interfaces as the INSIDE interface, no need to use the BVI.

Rene

Hello Rene,

I've been reading the ASA NAT port forwarding lesson and the corresponding comments, which have indeed helped me better understand how, for example, DMZ NAT port forwarding should be done. However, none of the provided examples have been working on my 5512-x box, until I came across this post from Cisco - https://community.cisco.com/t5/firewalls/asa-8-4-port-forward-problem/td-p/1780460 which basically adds additional parameters to the nat statement. Would you be able to explain the difference between the two approaches?

Bear in mind the version of the 5512 is 9.1(2). Simple setup with:

interface GigabitEthernet0/0.101
 description Outside VLAN101
 no shutdown
 vlan 101
 nameif outside
 security-level 0
 ip address dhcp setroute 

interface GigabitEthernet0/1
 description LAN
 no shutdown
 nameif inside
 security-level 100
 ip address 192.168.23.1 255.255.255.0 

interface GigabitEthernet0/5
 description DMZ Network
 nameif DMZ
 security-level 10
 ip address 10.0.0.1 255.255.255.0 

nat (inside,outside) after-auto source dynamic any interface description Inside -> Outside PAT
nat (DMZ,outside) after-auto source dynamic any interface description DMZ -> Outside PAT

Approach #1 (does work):

! Minecraft server object - real IP
object network Minecraft01
host 10.0.0.15

! PATting the host on port 25565
object service tcp_25565
service tcp destination eq 25565

object service udp_25565
service udp destination eq 25565

nat (outside,DMZ) source static any any destination static interface Minecraft01 service tcp_25565 tcp_25565
nat (outside,DMZ) source static any any destination static interface Minecraft01 service udp_25565 udp_25565

! Allowing the real IP on my outside interface via ACL
access-list outside_access_in extended permit tcp any host 10.0.0.15
access-list outside_access_in extended permit udp any host 10.0.0.15
access-group outside_access_in in interface outside

Approach #2 (Does not work):

object network Minecraf01
host 10.0.0.15
!
access-list outside_access_in extended permit tcp any host 10.0.0.15 eq 25565 
access-list outside_access_in extended permit udp any host 10.0.0.15 eq 25565 
!
 nat (DMZ,OUTSIDE) static interface service tcp 25565 25565 
 nat (DMZ,OUTSIDE) static interface service udp 25565 25565 
access-group outside_access_in in interface outside

Thank you in advance.
Filip

Hi Filip,

Late reply from my end, just in case I checked this. On ASA 9.X:

ASA1# show version 
Cisco Adaptive Security Appliance Software Version 9.8(2)

I have a simple setup with an INSIDE and OUTSIDE interface:

ASA INSIDE: 192.168.1.254
ASA OUTSIDE: 192.168.2.254

There is a host on 192.168.1.1 on the INSIDE, another host with 192.168.2.2 on the OUTSIDE.

This still works for me:

object network WEB_SERVER
host 192.168.1.1
nat (INSIDE,OUTSIDE) static interface service tcp 80 80

access-list WEB_SERVER extended permit tcp any host 192.168.1.1 eq 80
access-group WEB_SERVER in interface OUTSIDE

Quick test:

R2#telnet 192.168.2.254 80
Trying 192.168.2.254, 80 ... Open

What does packet-tracer tell you?

ASA1# packet-tracer input OUTSIDE tcp 192.168.2.2 12345 192.168.2.254 80

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network WEB_SERVER
 nat (INSIDE,OUTSIDE) static interface service tcp www www 
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 192.168.2.254/80 to 192.168.1.1/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WEB_SERVER in interface OUTSIDE
access-list WEB_SERVER extended permit tcp any host 192.168.1.1 eq www 
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW 
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network WEB_SERVER
 nat (INSIDE,OUTSIDE) static interface service tcp www www 
Additional Information:

Phase: 7
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 16, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

In your case, you could try:

ASA1(config)# packet-tracer input OUTSIDE tcp 1.2.3.4 12345 10.0.0.15 25565

About your other question:

This is a good question, let me explain. The ASA supports Auto NAT and Manual NAT.

Auto NAT

  • We configure this within a network object. That’s the only place where you can configure it.
  • It can only make NAT decisions based on source traffic.
  • It can only translate source traffic.

Manual NAT

  • We configure this globally.
  • It can make NAT decisions based on source and/or destination traffic.
  • It can translate source and/or destination traffic.

My example is Auto NAT. Your example is Manual NAT.

With a simple port forward, Auto NAT is quick and simple. For more complex translations, you need to use Manual NAT.

With Auto NAT, NAT statements order themselves. With Manual NAT, you have to do this yourself.

If you use both Auto NAT and Manual NAT, you also have to consider the ASA’s preference:

1: Manual NAT
2: Auto NAT

It is possible to change the order so that Manual NAT statements are processed after Auto NAT.

In your case where you probably have one server behind your ASA, it really doesn’t matter much whether you use Auto or Manual NAT.

Hope this helps!

Rene
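To make Rene's Auto vs Manual NAT ordering and the packet-tracer phases above (UN-NAT first, then the ACCESS-LIST checked against the real address) concrete, here is an added Python model; it is not ASA code and not part of the original thread. The NAT-table ordering it encodes is a simplified assumption, the outside address 203.0.113.1 is constructed, and the rules mirror Rene's SSH_SERVER example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplified model of the ASA 8.3+ NAT table (assumed; constructed for this example):
# section 1 = manual NAT, section 2 = auto (object) NAT with static rules ordered
# ahead of dynamic ones, section 3 = manual NAT entered with "after-auto".
@dataclass
class Rule:
    section: int
    kind: str                        # "static" or "dynamic"
    real_net: str                    # real (inside) host or subnet
    mapped_ip: str                   # mapped address, e.g. the outside interface IP
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None

def ordered(rules):
    # Sections 1 and 3 keep configured order; in section 2 static beats dynamic.
    # sorted() is stable, so equal keys keep their configured order.
    return sorted(rules, key=lambda r: (r.section, r.section == 2 and r.kind != "static"))

def untranslate(rules, dst_ip, dst_port):
    """Inbound (packet-tracer phase UN-NAT): map mapped ip:port back to the real ip:port."""
    for r in ordered(rules):
        if r.kind == "static" and (r.mapped_ip, r.mapped_port) == (dst_ip, dst_port):
            return r.real_net, r.real_port
    return None

def translate_source(rules, src_ip):
    """Outbound: first dynamic rule whose real network contains src_ip."""
    for r in ordered(rules):
        if r.kind == "dynamic" and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.real_net):
            return r.mapped_ip
    return None

def inbound_decision(rules, acl, dst_ip, dst_port):
    """UN-NAT first, then ACCESS-LIST: on 8.3+ the ACL is matched on the REAL address/port."""
    real = untranslate(rules, dst_ip, dst_port)
    if real is None:
        return "drop: no static NAT rule matches (no un-NAT)"
    return "allow" if real in acl else f"drop: ACL has no entry for real {real[0]}:{real[1]}"

OUTSIDE_IP = "203.0.113.1"  # constructed outside interface address
RULES = [  # the two object NAT statements from Rene's reply, in auto NAT section 2
    Rule(2, "dynamic", "192.168.1.0/24", OUTSIDE_IP),            # nat (INSIDE,OUTSIDE) dynamic interface
    Rule(2, "static", "192.168.1.100", OUTSIDE_IP, 22, 10022),   # static interface service tcp 22 10022
]
ACL_REAL = {("192.168.1.100", 22)}       # permit tcp any object SSH_SERVER eq 22 (real port)
ACL_MAPPED = {("192.168.1.100", 10022)}  # common mistake: ACL written with the mapped port
```

Running `inbound_decision(RULES, ACL_MAPPED, OUTSIDE_IP, 10022)` shows why an ACL written against the mapped port drops the flow even though the NAT rule is correct.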

I am confused about this line:
nat (DMZ,OUTSIDE) static interface service tcp 22 10022
Shouldn't it be nat (OUTSIDE,DMZ) static interface service tcp 22 10022, since we are translating traffic from OUTSIDE to the DMZ and not the other way around?

Normally when a firewall makes a PAT translation you specify that traffic going from the inside to the outside is translated to the outside interface, hence

object network host
 host 192.168.1.1
 nat (inside,outside) dynamic interface

Could you clarify this for me? Thanks

Hello Rodrigo

When you want to configure the ASA such that hosts on the Internet will be able to access the internal devices, you must translate the internal device IP to an external IP/Port combination using a static NAT translation. Even though the traffic direction is taking place from outside to the DMZ in the specific scenario, the translation must be implemented as a translation from the private IP address of the server in question to the public IP address/port combination.

This can be seen in the example shown in this Cisco documentation as well:


The example shows the configuration applied using ASDM, but also shows the equivalent CLI commands for this at the end of the section.

But remember, such a translation is not enough. You must also include an access list that will allow the traffic from the outside to the servers to traverse the ASA.

I hope this has been helpful!

Laz

Dear Rene,

Would you please write for us a dedicated page about using nat in global configuration mode?

For example, I couldn't understand this command:

nat (inside,outside) source static Object-group_Private Object_group_Public destination static Object-group_1 Object-group_1

They use destination static and then the same object twice!!

Thank you

Hello Aymen

When configuring static object NAT, you must define the translation for both the source and destination addresses. For example, take a look at the following diagram (ignore the fact that this is a router and not an ASA, the principle is the same):

When you configure object NAT, you configure the translation between the source addresses as well as the translation between the destination addresses. Notice in the diagram that it is the source address that changes, that is translated. The destination address (in this example) remains the same.

So when you configure object NAT, you are translating between Object-group_Private and Object_group_Public, which are different (hence the translation that occurs). But for the destination, you are translating between Object-group_1 and Object-group_1, which are the same. They are the same because you are stating that no translation should take place.

You can find out more information and more examples at the following Cisco ASA command reference:

I hope this has been helpful!

Laz


Thank you Rene, that makes perfect sense!

Hello,
If I use dynamic NAT on my LAN, can I use NAT forwarding or not?
Because in my opinion, if I use dynamic NAT I will have a range of public IPs, and NAT forwarding is only for ONE public IP. For me, if I use NAT forwarding, I only have the right to use PAT on my LAN.
Am I right?
Thanks

Hello Anas

It is possible to configure dynamic NAT and static NAT on the same outside IP address. The dynamic NAT will function as always, but the static translation you configure will use a single outside port to forward to a particular inside device. Both configurations can take place on the same IP address.

This can be achieved either using Object NAT, which is how it is done in this lesson, or Twice NAT, which will allow you to identify both the source and the destination address in a single rule. You can find out more information about this feature at the following lesson:

I hope this has been helpful!

Laz

Hello Rene,
In the above-mentioned topic, when checking the example configuration in the ASA1 tab, after the activation of the ACL there are lots of commands (to the end) that I do not understand the meaning of.
Could you check and advise back, please?
Thanks, and best,
Asen

Hello Asen

Most of the commands involve policy maps and class maps both of which are not actually part of this lesson. These are often configured in an ASA by default, but their presence there can be confusing. I will let Rene know to remove anything that is unnecessary. If you are interested in finding out more about these features, take a look at the following lesson:

I hope this has been helpful!

Laz