ASA 5520 NAT & PORTFORWARDING Configuration
9 years 6 months ago #38639
by im_bajaj110
Dear All,
I want to configure a port forwarding for CCTV setup on my ASA firewall.
Following are the details of my setup:
ASA 5520: software version 8.4(5), ASDM 7.1
LAN IPs of DVR: 192.168.100.246-192.168.100.253 [Total 8 DVRs]
Real IP : 168.187.104.101
TCP port : 37777
UDP Port : 37778
HTTP: 80
Kindly provide me the exact configuration module for the above scenario.
9 years 5 months ago - 9 years 5 months ago #38648
by kev972
Replied by kev972 on topic ASA 5520 NAT & PORTFORWARDING Configuration
If I understand, you want to open TCP port 37777, UDP 37778 and TCP 80 on the outside interface of your firewall to give external users access to some internal services.
So, this is the first time I do it that way. It took me some time to understand, but I wanted it to be clean.
It is on IOS 8.4(2).
Just replace 192.168.1.x with 192.168.100.x; I forgot the right subnet when I ended up in the configuration.
For the NAT statement, I don't know if your global address is just the outside interface or some additional global address.
If it is an additional address, just replace the "interface" keyword with 168.187.104.101.
So you have to specify an object network where you put all of your servers for a specific port, and perform static NAT on them.
object network DVR-SERVERS-37778
 range 192.168.1.246 192.168.1.253
 nat (inside,outside) static interface service udp 37778 37778
object network DVR-SERVERS-37777
 range 192.168.1.246 192.168.1.253
 nat (inside,outside) static interface service tcp 37777 37777
object network DVR-SERVERS-80
 range 192.168.1.246 192.168.1.253
 nat (inside,outside) static interface service tcp www www
Here is an object group with all the servers, to avoid wasting time in the ACL.
object-group network DVR-HOSTS
 description DVR-HOSTS-ADDR
 network-object host 192.168.1.246
 network-object host 192.168.1.247
 network-object host 192.168.1.248
 network-object host 192.168.1.249
 network-object host 192.168.1.250
 network-object host 192.168.1.251
 network-object host 192.168.1.252
 network-object host 192.168.1.253
Now I create an object-group service, again to avoid wasting time in the ACL.
object-group service DVR-TCP
 service-object tcp destination eq www
 service-object tcp destination eq 37777
object-group service DVR-UDP
 service-object udp destination eq 37778
Now your 24-line ACL in two lines:
access-list outside extended permit object-group DVR-TCP any object-group DVR-HOSTS
access-list outside extended permit object-group DVR-UDP any object-group DVR-HOSTS
Verification:
packet-tracer input outside tcp 1.1.1.2 1234 1.1.1.1 80
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network DVR-SERVERS-80
nat (inside,outside) static interface service tcp www www
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/80 to 192.168.1.246/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit object-group DVR-TCP any object-group DVR-HOSTS
object-group service DVR-TCP
service-object tcp destination eq www
service-object tcp destination eq 37777
object-group network DVR-HOSTS
description: DVR-HOSTS-ADDR
network-object host 192.168.1.246
network-object host 192.168.1.247
network-object host 192.168.1.248
network-object host 192.168.1.249
network-object host 192.168.1.250
network-object host 192.168.1.251
network-object host 192.168.1.252
network-object host 192.168.1.253
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network DVR-SERVERS-80
nat (inside,outside) static interface service tcp www www
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Good exercise.
Last edit: 9 years 5 months ago by kev972.
The following user(s) said Thank You: im_bajaj110
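A small check for the verification step in kev972's post, added here as an example and not code from the post or from Cisco: it parses packet-tracer output (the sample below is trimmed from the trace above) and reports whether every phase allowed, which real address and port the mapped address was un-NATed to, and the final action, so one trace per DVR address and port can be checked the same way.

```python
import re

# Sample packet-tracer output, trimmed from the trace in kev972's post above
# (only the lines the check needs are kept).
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Additional Information:
Untranslate 1.1.1.1/80 to 192.168.1.246/80
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Phase: 6
Type: FLOW-CREATION
Result: ALLOW
Result:
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
UNTRANSLATE_RE = re.compile(r"Untranslate\s+(\S+)/(\d+)\s+to\s+(\S+)/(\d+)")

def parse_packet_tracer(text):
    """Return (phases, real_target, action) from packet-tracer output.
    phases: list of (number, type, result); real_target: (ip, port) the
    mapped address was un-NATed to, or None; action: final 'allow'/'drop'."""
    phases, target, action, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur = [int(m.group(1)), None, None]
            phases.append(cur)
        elif line.startswith("Type:") and cur:
            cur[1] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:") and cur and line != "Result:":
            cur[2] = line.split(":", 1)[1].strip()  # bare "Result:" is the summary header
        elif line.startswith("Action:"):
            action = line.split(":", 1)[1].strip().lower()
        u = UNTRANSLATE_RE.search(line)
        if u:
            target = (u.group(3), int(u.group(4)))
    return [tuple(p) for p in phases], target, action

def forwarding_ok(text, real_ip, real_port):
    """True only if every phase allowed, the flow was un-NATed to the
    expected DVR address/port, and the final action is allow."""
    phases, target, action = parse_packet_tracer(text)
    return (bool(phases) and all(r == "ALLOW" for _, _, r in phases)
            and target == (real_ip, real_port) and action == "allow")
```

The trace in the post only demonstrates 192.168.1.246 on port 80; running a trace for each DVR address and each of the three ports and feeding it to forwarding_ok shows whether the others are reached as intended.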
9 years 5 months ago #38656
by Chris
Replied by Chris on topic ASA 5520 NAT & PORTFORWARDING Configuration
Good one Kev!
Thanks for your valuable input.
Chris.
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
9 years 5 months ago #38661
by im_bajaj110
Replied by im_bajaj110 on topic ASA 5520 NAT & PORTFORWARDING Configuration
Thank you so much for the kind help... it's working now.
The following user(s) said Thank You: kev972
9 years 5 months ago #38662
by Chris
Replied by Chris on topic ASA 5520 NAT & PORTFORWARDING Configuration
Thumbs Up to kev972!
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
The following user(s) said Thank You: kev972