Cisco ASA port forwarding

In a previous article we saw how to do a static NAT on both ASA pre-8.3 and post-8.3 code. Now we will see how to do a port forward on ASA post-8.3 code. Let’s face it, it is time to slowly forget about the old code 🙂

This is our scenario: we want Internet users to connect to our ASA device on an IP address that belongs to us and is routable on the Internet. We also want users to connect to some non-standard port, such as TCP/2323, and our ASA will do a port forward to our internal server on the port that the service is usually running on, such as TCP/23 for telnet. This is our diagram:

[Diagram: port forward]

The TESTPC and SERVER from the diagram above are Cisco routers that act as devices for testing purposes. Configurations of these devices are very basic. SERVER:

!
interface FastEthernet0/0
ip address 10.100.1.2 255.255.255.252
speed auto
duplex auto
!

ip route 0.0.0.0 0.0.0.0 10.100.1.1

TESTPC:

!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
speed auto
duplex auto
!

ip route 0.0.0.0 0.0.0.0 1.1.1.1

!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1

Now let’s prepare our ASA. Let’s suppose that we already have basic setup and we have verified our connectivity. First, we need to create several objects. The object that represents our server’s real IP address:

object network REAL-IP-10.100.1.2
host 10.100.1.2

Similar to this, we also need an object that will represent our server’s mapped IP address. This is the address that is visible and routable on the Internet:

object network MAPPED-IP-1.1.1.23
host 1.1.1.23

Also we need our port objects. The real port on which our server is listening:

object service REAL-TCP-23
service tcp source eq telnet

And the mapped port to which our Internet users will connect:

object service MAPPED-TCP-2323
service tcp source eq 2323

Now that we have all objects defined, two things remain. One is the NAT statement that describes our mapping:

nat (inside,outside) source static
                               REAL-IP-10.100.1.2 MAPPED-IP-1.1.1.23 
                               service REAL-TCP-23 MAPPED-TCP-2323
                               description Port Mapping

This command needs to be in a single line, of course. This line says: when somebody connects to IP 1.1.1.23 on port 2323, please, dear Mr. Firewall, forward the request to the real IP address of 10.100.1.2 and the real port 23.

The other is the access list that will permit this type of traffic:

access-list OUTSIDE_IN extended permit tcp
                                    any object REAL-IP-10.100.1.2 eq telnet
access-group OUTSIDE_IN in interface outside

Note: We must use real IP address and port when writing our access lists.
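The object, NAT and access-list steps above, together with the note about real versus mapped addresses, can be checked mechanically. The following is an added example, not part of the original post: a small Python audit that parses the post's object, nat and access-list lines (embedded as a constructed sample, plus one deliberately wrong ACL), derives the effective port forward, and flags any ACE written against the mapped IP/port instead of the real ones. The helper names, the PORT_NAMES table and the WRONG_IN ACL are assumptions of this example.

```python
import re

# Constructed sample: the post's objects, NAT rule and ACL, plus one extra ACL
# (WRONG_IN) that mistakenly names the mapped address and port.
CONFIG = """\
object network REAL-IP-10.100.1.2
 host 10.100.1.2
object network MAPPED-IP-1.1.1.23
 host 1.1.1.23
object service REAL-TCP-23
 service tcp source eq telnet
object service MAPPED-TCP-2323
 service tcp source eq 2323
nat (inside,outside) source static REAL-IP-10.100.1.2 MAPPED-IP-1.1.1.23 service REAL-TCP-23 MAPPED-TCP-2323 description Port Mapping
access-list OUTSIDE_IN extended permit tcp any object REAL-IP-10.100.1.2 eq telnet
access-list WRONG_IN extended permit tcp any object MAPPED-IP-1.1.1.23 eq 2323
"""
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}  # subset of ASA keywords

def to_port(token):
    """Resolve an ASA port keyword or numeric port to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_objects(config):
    """Map object name -> host IP (network objects) or TCP port (service objects)."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^object (?:network|service) (\S+)", line):
            current = m[1]
        elif m := re.match(r"^\s+host (\S+)", line):
            objects[current] = m[1]
        elif m := re.match(r"^\s+service tcp source eq (\S+)", line):
            objects[current] = to_port(m[1])
    return objects

def port_forwards(config, objects):
    """Return {(mapped_ip, mapped_port): (real_ip, real_port)} from static twice-NAT rules."""
    rx = r"^nat \(\S+,\S+\) source static (\S+) (\S+) service (\S+) (\S+)"
    hits = (re.match(rx, line) for line in config.splitlines())
    return {(objects[m[2]], objects[m[4]]): (objects[m[1]], objects[m[3]]) for m in hits if m}

def check_acls(config, objects, forwards):
    """Flag ACEs whose destination is a mapped IP:port; on 8.3+ the ACL must name the real ones."""
    rx = r"^access-list (\S+) extended permit tcp \S+ object (\S+) eq (\S+)"
    findings = []
    for m in (re.match(rx, line) for line in config.splitlines()):
        if m and (dst := (objects[m[2]], to_port(m[3]))) in forwards:
            real = forwards[dst]
            findings.append(f"{m[1]}: uses mapped {dst[0]}:{dst[1]}, rewrite against real {real[0]}:{real[1]}")
    return findings
```

Running `check_acls(CONFIG, objs, port_forwards(CONFIG, objs))` after `objs = parse_objects(CONFIG)` reports only WRONG_IN; the post's OUTSIDE_IN entry passes because it names the real object and the real port.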

It’s time to verify our setup:

ASA#
ASA# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static REAL-IP-10.100.1.2 MAPPED-IP-1.1.1.23   service REAL-TCP-23 MAPPED-TCP-2323 description Port Mapping
    translate_hits = 0, untranslate_hits = 0
ASA#

ASA#
ASA# show conn
0 in use, 1 most used
ASA#

We can see that there are no translations or connections active at this time. Let’s connect from our test PC to the publicly available address and port:

TESTPC#                    
TESTPC#telnet 1.1.1.23 2323
Trying 1.1.1.23, 2323 … Open

SERVER#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:23:37   
*  2 vty 0                idle                 00:00:00 1.1.1.2

  Interface    User               Mode         Idle     Peer Address

SERVER#

As we can see, we have successfully connected to our public IP of 1.1.1.23 and port TCP/2323, and our ASA did the port forwarding to our server’s real address and port.

Now we have a translation and a connection on our ASA:

ASA#
ASA# show nat  
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static REAL-IP-10.100.1.2 MAPPED-IP-1.1.1.23   service REAL-TCP-23 MAPPED-TCP-2323 description Port Mapping
    translate_hits = 0, untranslate_hits = 1
ASA#

ASA#
ASA# show conn
1 in use, 1 most used
TCP outside 1.1.1.2:54788 inside 10.100.1.2:23, idle 0:00:02, bytes 45, flags UIOB
ASA#


So, this is how they do it 🙂

Finally, this is the ASA configuration:

!
hostname ASA
domain-name popravak.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.100.1.1 255.255.255.252
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name popravak.local
!
object service REAL-TCP-23
 service tcp source eq telnet
!
object service MAPPED-TCP-2323
 service tcp source eq 2323
!

object network REAL-IP-10.100.1.2
 host 10.100.1.2
!

object network MAPPED-IP-1.1.1.23
 host 1.1.1.23
!

access-list OUTSIDE_IN extended permit tcp any object REAL-IP-10.100.1.2 eq telnet
!

pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static REAL-IP-10.100.1.2 MAPPED-IP-1.1.1.23 service REAL-TCP-23 MAPPED-TCP-2323 description Port Mapping
!
access-group OUTSIDE_IN in interface outside
!
route outside 4.2.2.2 255.255.255.255 192.168.0.2 1
route inside 10.0.0.1 255.255.255.255 10.100.1.1 1
!

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable


Thanks for reading!

This entry was posted in ASA, Cisco, NAT, Security.
