Cisco ASA5505 Port Forwarding

Greetings, I'm hoping there's a CCSP kicking around here. One of our customers has recently purchased a Cisco ASA5505; I've just sat down to get it up and running, except I'm having problems forwarding traffic from outside to inside, namely HTTP and SMTP.

The unit is configured with a valid static outside address with a /28 mask.

I have created the following access lists for HTTP traffic to an internal webserver, and also a static NAT statement with PAT for HTTP traffic on the same external address.

I have also configured HTTP and SMTP for inspection using the FIXUP command.

access-list outside_access_in extended permit tcp any eq www host 192.168.200.10 eq www

access-list outside_access_in extended permit tcp any eq https host 192.168.200.10 eq https

static (outside,inside) tcp 192.168.200.10 www **.**.**.** www netmask 255.255.255.255

When I try to gain access from an external IP, debugging tells me that traffic is being denied by the implicit ACL.

Am I missing something obvious? Any help would be appreciated.

Regards
 
Curiosityx said:
access-list outside_access_in extended permit tcp any eq www host 192.168.200.10 eq www

access-list outside_access_in extended permit tcp any eq https host 192.168.200.10 eq https

static (outside,inside) tcp 192.168.200.10 www **.**.**.** www netmask 255.255.255.255

Not played with an ASA yet, but for a PIX these are the errors I see (I'm 90% sure it would be the same)

1. In the access list, 192.168.200.10 should be the pre-NATed IP (i.e. the external IP address), because access-lists are processed before NAT
2. In both lines of the access list, the first www and https should not be there. The source port can be pretty much anything; you are saying that it should permit traffic coming from port 80 to port 80
3. Static (inside,outside)

Actually, looking at that... is 192.168.200.X the external subnet? If so then ignore point 1.
 
oddjob62 said:
Not played with an ASA yet, but for a PIX these are the errors I see (I'm 90% sure it would be the same)

1. In the access list, 192.168.200.10 should be the pre-NATed IP (i.e. the external IP address), because access-lists are processed before NAT
2. In both lines of the access list, the first www and https should not be there. The source port can be pretty much anything; you are saying that it should permit traffic coming from port 80 to port 80
3. Static (inside,outside)

Actually, looking at that... is 192.168.200.X the external subnet? If so then ignore point 1.

Thanks for that, the 192.168.200.x subnet is internal. I'll try those changes now.

:)
 
Edited Config:

static (inside,outside) tcp 192.168.200.10 www **.***.**.* www netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host **.***.**.* eq www

I made the changes and temporarily removed the HTTPS statement, but still no luck I'm afraid; it still appears to be blocked by the implicit deny.
 
Curiosityx said:
Edited Config:

static (inside,outside) tcp 192.168.200.10 www **.***.**.* www netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 80.169.171.8 eq www

I made the changes and temporarily removed the HTTPS statement, but still no luck I'm afraid; it still appears to be blocked by the implicit deny.

The static has the IPs the wrong way round. Oh, and why have you starred out your external IP on one line but left it showing on the other?? :p
 
oddjob62 said:
The static has the IPs the wrong way round. Oh, and why have you starred out your external IP on one line but left it showing on the other?? :p

Oi, I've had enough today haha :p

Cheers for the info guys much appreciated.
 
Hoorah! Well that's interesting: I've kept my outside address the same and changed the NAT/ACLs to use the next address in the range, and it's working.

Current Address

**.***.***.8

New Address

**.***.***.9

NAT and ACLs

global (outside) 1 **.***.***.9
static (inside,outside) **.***.***.9 192.168.200.246

access-list 101 permit tcp any host **.***.***.9 eq www
access-group 101 in interface outside

Now I'm very confused as to why this wouldn't work on the same IP address as the outside interface.

:confused:
 
Curiosityx said:
Now I'm very confused as to why this wouldn't work on the same IP address as the outside interface.

:confused:

When I use the interface IP, I always use "interface" instead of "host ipaddress". Don't know if that makes a difference.

It definitely should work that way, because I have some clients with just the single IP address and it works fine.
 
oddjob62 said:
When I use the interface IP, I always use "interface" instead of "host ipaddress". Don't know if that makes a difference.

It definitely should work that way, because I have some clients with just the single IP address and it works fine.

Indeed, that's what I had imagined. The only problem is that when I try to specify the outside address as the global PAT address, it gives me an error message stating that it overlaps with an existing address, being the outside address.
 
You don't need to specify the address, just the interface. Example:

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

Oddjob has got everything else covered off, the pix and ASA are fairly similar, more so if both are running v7+ (I have 8 running on my home 5505).

Job jobbed ;)
 
Rich said:
You don't need to specify the address, just the interface. Example:

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

Oddjob has got everything else covered off, the pix and ASA are fairly similar, more so if both are running v7+ (I have 8 running on my home 5505).

Job jobbed ;)

That's the issue I was having originally: when using the global (outside) 1 interface command, port forwarding doesn't work.
 
Should have no effect on port redirection, I do the same thing here with only 1 IP address.

Example Config:

This bit covers PAT for outbound web access for anyone on the 192.168.1.0/24 network.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

Here comes the Port Redirection/Forwarding. The "Interface" bit relates to the outside interface as stated in brackets, and is probably key in making this work:

static (inside,outside) udp interface 53 192.168.1.3 53 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.2 25 netmask 255.255.255.255

So in this example, I have forwarded both DNS and SMTP traffic to the hosts 192.168.1.3 and 1.2 respectively. I now need to allow the access through the outside ACL:
access-list outside_access_in line 1 remark Allow INBOUND SMTP
access-list outside_access_in line 2 extended permit tcp any interface outside eq smtp
access-list outside_access_in line 3 remark Allow INBOUND DNS
access-list outside_access_in line 4 extended permit udp any interface outside eq 53

Obviously this allows traffic from anyone, so lock down the source as necessary.

HTH.

EDIT: The above config assumes you are using the same address for PAT and "port forwarding". If you have a separate IP address for each server, the config is still relevant, but you obviously need to change the port redirection for a static translation and also amend the access list.
 
Might test it later... I guess if you are using the interface IP you MUST use "interface" instead of the IP. Never tried it using the IP so I don't know for sure.

Well at least my SNPA studying seems to have helped someone out :)
 
Yeah, I think the "interface" command makes a difference also. Either that, or some config is amiss elsewhere. It is also very worth clearing all translations when you have changed them around a lot. Should be "clear xlate" from a command prompt :)

The SNPA is a fairly interesting exam :) IDS not so much haha! SND is very easy though, I guess that is why they have recently rehashed it.
 
I'd very much like to hear how you guys get on with a similar config.

I do like the security side, but I'm focused on routing, switching and IPTX at the moment, mainly CME and CUE.

Hmm, I wonder how much of the training budget is left :D
 
Rich said:
Should have no effect on port redirection, I do the same thing here with only 1 IP address.

Example Config:

This bit covers PAT for outbound web access for anyone on the 192.168.1.0/24 network.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

Here comes the Port Redirection/Forwarding. The "Interface" bit relates to the outside interface as stated in brackets, and is probably key in making this work:

static (inside,outside) udp interface 53 192.168.1.3 53 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.2 25 netmask 255.255.255.255

So in this example, I have forwarded both DNS and SMTP traffic to the hosts 192.168.1.3 and 1.2 respectively. I now need to allow the access through the outside ACL:
access-list outside_access_in line 1 remark Allow INBOUND SMTP
access-list outside_access_in line 2 extended permit tcp any interface outside eq smtp
access-list outside_access_in line 3 remark Allow INBOUND DNS
access-list outside_access_in line 4 extended permit udp any interface outside eq 53

Obviously this allows traffic from anyone, so lock down the source as necessary.

HTH.

EDIT: The above config assumes you are using the same address for PAT and "port forwarding". If you have a separate IP address for each server, the config is still relevant, but you obviously need to change the port redirection for a static translation and also amend the access list.

I think you've hit the nail on the head my friend. The statements I was using are as follows; this is when I was using the "global (outside) 1 interface" command.

static (inside,outside) tcp **.**.**.** www 192.168.200.246 www netmask 255.255.255.255
static (inside,outside) tcp **.**.**.** https 192.168.200.246 https netmask 255.255.255.255
static (inside,outside) tcp **.**.**.** 3389 192.168.200.246 3389 netmask 255.255.255.255
static (inside,outside) tcp **.**.**.** smtp 192.168.200.246 smtp netmask 255.255.255.255

I see the issue now: instead of defining "interface" I'm using the IP address of the outside interface.

The above config would work if I selected the next external IP address in the range and pointed my statements at that.

I'll give it a go in the morning, very useful post indeed! Thank you

**Edit: Rich - don't ever come to Birmingham... I love you! ;)
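To make the lessons of this thread checkable, here is a small Python audit that flags the three mistakes the replies identified (a reversed static direction, a source-port match in the outside ACL, and naming the outside interface IP instead of using the "interface" keyword), plus the pre-NAT-address point from the first reply. This is an added example, not any poster's code; the outside address 203.0.113.8 and the sample lines are constructed placeholders, and the checks assume the pre-8.3 static/global syntax used in the thread.

```python
import ipaddress

# Assumed outside interface address (RFC 5737 range); the thread starred the real one out.
OUTSIDE_IF_IP = "203.0.113.8"

# Constructed sample: the thread's broken lines followed by Rich's working ones.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any eq www host 192.168.200.10 eq www
static (outside,inside) tcp 192.168.200.10 www 203.0.113.8 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.8 www 192.168.200.246 www netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.1.2 25 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq smtp
"""

def check_static(toks, outside_ip):
    # Pre-8.3 syntax: static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port
    msgs = []
    if toks[1] == "(outside,inside)":
        msgs.append("static is (outside,inside); inbound forwarding needs (inside,outside)")
    if outside_ip in toks:
        msgs.append("static names the outside interface IP; use the 'interface' keyword")
    return msgs

def check_acl(toks, outside_ip):
    msgs = []
    i = toks.index("permit")
    if toks[i + 2:i + 4] == ["any", "eq"]:  # 'any eq www' matches the SOURCE port
        msgs.append("'any eq <port>' restricts the source port; clients use ephemeral ports")
    if "host" in toks:  # 'host' is followed by an address in this sample
        dst = toks[toks.index("host") + 1]
        if dst == outside_ip:
            msgs.append("destination is the outside interface IP; use 'interface outside'")
        elif ipaddress.ip_address(dst).is_private:
            msgs.append("destination is an inside address; the outside ACL must use the mapped one")
    return msgs

def audit(config, outside_ip=OUTSIDE_IF_IP):
    """Return [(line_no, message)] for each problem found in pre-8.3 ASA/PIX lines."""
    found = []
    for n, line in enumerate(config.strip().splitlines(), 1):
        toks = line.split()
        if toks[:1] == ["static"]:
            found += [(n, m) for m in check_static(toks, outside_ip)]
        elif toks[:1] == ["access-list"] and "permit" in toks:
            found += [(n, m) for m in check_acl(toks, outside_ip)]
    return found

for n, msg in audit(SAMPLE_CONFIG):
    print(f"line {n}: {msg}")
```

Run against the sample, the original poster's two lines produce four findings and the interface-IP static one more, while Rich's "interface" forms pass clean.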
 
*hides* :p

CCME/CUE is pretty cool. I built our internal system here when we moved offices. Seems very solid, though we are going to upgrade to full Call Manager shortly.
 