6. Cisco ASA NAT Port Forwarding



NAT Port Forwarding is useful when you have a single public IP address and multiple devices behind it that you want to reach from the outside world. Take a look at the example below:

[Figure: Cisco ASA PAT DMZ HTTP SSH]

In the topology above we have an ASA firewall with a DMZ and two servers: an HTTP server and an SSH server. Let's imagine that the IP address on the ASA's OUTSIDE interface (192.168.2.254) is a public IP address. Our goal is to make sure that we can reach these servers from the outside world. R2 is only there so we have a device on the "outside" that we can use to test whether NAT is working.

HTTP uses TCP port 80 and SSH uses TCP port 22, so we will forward these two ports. Whenever someone connects to 192.168.2.254 on TCP port 80, the ASA will forward the connection to 192.168.3.1 TCP port 80.

The outside port does not have to match the real port. To demonstrate this, we will configure the ASA so that whenever someone connects to 192.168.2.254 on TCP port 10022, the connection is forwarded to 192.168.3.3 TCP port 22.

Let me show you how to configure this. We start with the HTTP server:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.3.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 80 80

We create a network object that specifies the real IP address of the web server and then add the NAT rule to it. The keyword interface tells the ASA to use the IP address of the mapped (OUTSIDE) interface. In the service clause, the first port number is the real port the server is listening on and the second is the mapped port on the outside. Let's configure another PAT entry for the SSH server:

ASA1(config)# object network SSH_SERVER
ASA1(config-network-object)# host 192.168.3.3
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static interface service tcp 22 10022

This network object is similar to the first one, but here the outside port differs from the real port: whenever someone connects on TCP port 10022, the ASA forwards it to TCP port 22 on 192.168.3.3. That takes care of the NAT rules, but the OUTSIDE interface has security-level 0 and the DMZ security-level 50, so traffic from OUTSIDE to DMZ is still denied until we permit it with an access-list:

ASA1(config)# access-list DMZ_SERVERS extended permit tcp any host 192.168.3.1 eq 80
ASA1(config)# access-list DMZ_SERVERS extended permit tcp any host 192.168.3.3 eq 22

ASA1(config)# access-group DMZ_SERVERS in interface OUTSIDE

This access-list allows traffic from the outside to our two servers. Note that since ASA 8.3 the interface access-list is evaluated against the real (untranslated) address, which is why it permits 192.168.3.1 port 80 and 192.168.3.3 port 22 rather than the public address and port 10022. The source is any here; for an administrative service such as SSH you would normally restrict it to known management addresses. Let's verify our work.
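The configuration procedure above, as an added example that is not part of the original article: a small Python helper that emits the object NAT and access-list lines for a list of forwards. It goes a little beyond the article in that it handles any number of forwards, keeps the access-list on the real address and real port as ASA 8.3+ requires, and refuses two forwards that claim the same outside protocol/port (the second would never receive traffic). The PortForward type, the src field and the build_port_forwards function are assumptions for illustration; the two entries mirror the article's WEB_SERVER and SSH_SERVER.

```python
"""Generate Cisco ASA (8.3+) object-NAT port-forward configuration.

Added example, not code from the original article. Object names, the
PortForward type and the helper names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class PortForward:
    name: str          # network object name on the ASA
    real_ip: str       # server's real (DMZ) address
    real_port: int     # port the server listens on
    mapped_port: int   # port exposed on the OUTSIDE interface
    proto: str = "tcp"
    src: str = "any"   # ACL source; narrow this for admin ports, e.g. "object MGMT_NET"


def _check_port(port: int) -> None:
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")


def build_port_forwards(forwards: Iterable[PortForward], inside: str = "DMZ",
                        outside: str = "OUTSIDE", acl: str = "DMZ_SERVERS") -> List[str]:
    """Return ASA config lines for the given forwards.

    Rules encoded here:
      * nat (real_if,mapped_if) static interface service <proto> <real> <mapped>
        puts the real (listening) port first and the outside port second.
      * Since ASA 8.3 the interface ACL matches the real, untranslated
        address, so the access-list permits real_ip/real_port and never the
        public address or the mapped port.
      * Two forwards must not share the same outside proto/port; the second
        would be unreachable, so generation is refused instead.
    """
    forwards = list(forwards)
    lines: List[str] = []
    seen = {}
    for fw in forwards:
        _check_port(fw.real_port)
        _check_port(fw.mapped_port)
        key = (fw.proto, fw.mapped_port)
        if key in seen:
            raise ValueError(
                f"outside {fw.proto}/{fw.mapped_port} already used by {seen[key]}")
        seen[key] = fw.name
        lines += [
            f"object network {fw.name}",
            f" host {fw.real_ip}",
            f" nat ({inside},{outside}) static interface service "
            f"{fw.proto} {fw.real_port} {fw.mapped_port}",
        ]
    for fw in forwards:
        lines.append(
            f"access-list {acl} extended permit {fw.proto} {fw.src} "
            f"host {fw.real_ip} eq {fw.real_port}")
    lines.append(f"access-group {acl} in interface {outside}")
    return lines


# The two forwards from the article (constructed to match its topology).
ARTICLE_FORWARDS = [
    PortForward("WEB_SERVER", "192.168.3.1", 80, 80),
    PortForward("SSH_SERVER", "192.168.3.3", 22, 10022),
]

if __name__ == "__main__":
    print("\n".join(build_port_forwards(ARTICLE_FORWARDS)))
```

Running the block prints the same object, nat and access-list lines the article enters by hand; adding a third forward with mapped_port 80 raises a ValueError instead of silently producing a dead rule.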

1. Verification

First we’ll take a look at the ASA NAT table:

ASA1# show xlate
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
    flags sr idle 0:02:20 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022
    flags sr idle 0:00:29 timeout 0:00:00

This gives a nice overview of the forwarded ports we configured; the s and r flags mark each entry as a static portmap translation, as the legend shows. Now let's see if we can connect to our HTTP and SSH server from R2:

R2#telnet 192.168.2.254 80
Trying 192.168.2.254, 80 ... Open

Great, this is working. R2 is able to reach the HTTP server. Let’s also try SSH:

R2#ssh -l cisco -p 10022 192.168.2.254
Password: 

SSH_SERVER>

Excellent, SSH is also working! This is all you have to do to make NAT port forwarding work on your Cisco ASA firewall. If a connection does fail, packet-tracer input OUTSIDE tcp 192.168.2.2 12345 192.168.2.254 10022 shows which NAT rule and access-list entry the ASA matched and at which phase the packet was dropped.
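The checks from R2 above, as an added example that is not part of the original article: a Python probe run from an outside host that confirms each forwarded port answers with the expected banner and then sweeps a range of other ports on the public address to catch anything reachable that was not meant to be forwarded (for example, port 22 should be dropped because only 10022 is mapped to the SSH server). The public address and the two ports mirror the article; the banner prefixes, the sweep range and the function names are assumptions.

```python
"""Check a port-forwarding setup from the outside.

Added example, not from the original article. PUBLIC_IP and EXPECTED mirror
the article's topology; banner prefixes, sweep range and names are assumptions.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Optional, Tuple


def probe(host: str, port: int, timeout: float = 2.0) -> Optional[bytes]:
    """Connect and read whatever the service volunteers.

    Returns the first bytes sent, b"" for a service that accepts but stays
    quiet (HTTP waits for a request), or None when the connection fails,
    which behind an ASA usually means the packet was silently dropped.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(128)
            except socket.timeout:
                return b""
    except OSError:
        return None


def check_exposure(host: str, expected: Dict[int, bytes],
                   sweep: Iterable[int] = range(1, 1025),
                   timeout: float = 1.0
                   ) -> Tuple[Dict[int, Optional[bytes]], List[int]]:
    """Verify the forwards and look for ports that should not be reachable.

    expected maps a port to the banner prefix it must send (b"" if silent).
    Returns (failures, unexpected): failures holds each expected port whose
    probe was refused/dropped or answered with the wrong banner; unexpected
    lists swept ports that accepted a connection although not forwarded.
    """
    failures: Dict[int, Optional[bytes]] = {}
    for port, prefix in expected.items():
        data = probe(host, port, timeout)
        if data is None or not data.startswith(prefix):
            failures[port] = data

    def _one(p: int) -> Tuple[int, Optional[bytes]]:
        return p, probe(host, p, timeout)

    # Dropped packets time out rather than being refused, so sweep in parallel.
    targets = [p for p in sweep if p not in expected]
    with ThreadPoolExecutor(max_workers=64) as pool:
        results = list(pool.map(_one, targets))
    unexpected = [p for p, data in results if data is not None]
    return failures, unexpected


# Constructed values matching the article: the ASA's public address and the
# two forwarded ports. SSH announces itself with "SSH-2.0-"; HTTP is silent.
PUBLIC_IP = "192.168.2.254"
EXPECTED = {80: b"", 10022: b"SSH-2.0-"}

if __name__ == "__main__":
    failures, unexpected = check_exposure(PUBLIC_IP, EXPECTED)
    for port, data in failures.items():
        print(f"port {port}: {'closed/dropped' if data is None else data!r}")
    print("unexpected open ports:", unexpected or "none")
```

Run it from R2 or any host on the OUTSIDE side. A clean result is an empty failures map and an empty unexpected list; a hit on port 22 in the sweep would mean a second rule or ACL entry is exposing SSH on the standard port as well as on 10022.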

ASA1 configuration:

hostname ASA1
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.3.254 255.255.255.0 
!
object network WEB_SERVER
 host 192.168.3.1
object network SSH_SERVER
 host 192.168.3.3
!
access-list DMZ_SERVERS extended permit tcp any host 192.168.3.1 eq www
access-list DMZ_SERVERS extended permit tcp any host 192.168.3.3 eq ssh
!
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp www www
object network SSH_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh 10022
access-group DMZ_SERVERS in interface OUTSIDE
!
: end

HTTP server configuration:

hostname HTTP
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 192.168.3.254
!
ip http server
!
end

SSH server configuration:

hostname SSH
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.3.3 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 192.168.3.254
ip forward-protocol nd
!
line vty 0 4
 login
 transport input ssh
line vty 5 924
 login
 transport input ssh
!
end

R2 configuration:

hostname R2
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.2.2 255.255.255.0
 no ip route-cache
 duplex auto
 speed auto
 media-type rj45
!
ip default-gateway 192.168.2.254
!
end
