Cisco ASA NAT Port Forwarding

This topic is to discuss the following lesson:

Rene,

Your scenario explains forwarding traffic to port 22 for SSH, but further down in your configuration example you are using port 25 for SMTP. Any reason for the change between the scenario and the example configuration?

Hi Ralph,

That was a typo, I just changed port 25 to 22. Thanks for letting me know!

Rene

Hi Rene,

Thank you for the explanation.

I have a question.

In this tutorial, you are using PAT for sending traffic from Outside to DMZ. However, if I want to use PAT for sending traffic from DMZ to Outside, how should I do the configuration?

Thank you

Taslim

Hi Taslim,

Hmm, why would you want to do this? :) We use PAT in this example so that someone on the Internet is able to connect to a public IP address on the outside so that we can reach our DMZ servers with private IP addresses.

Our DMZ servers can reach the Internet by using “regular” NAT.

Rene
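The "regular" NAT Rene refers to, written out as an added example for ASA 8.3 and later (this is not the lesson's configuration or Rene's code). It uses the DMZ and OUTSIDE interface names from this thread; the DMZ subnet 192.168.3.0/24 is an assumption based on the SSH server address 192.168.3.3 mentioned later in the thread, and the egress ports are an assumption for a typical server. The dynamic rule only covers connections initiated from the DMZ; inbound connections still need the static port-forward rule plus the inbound ACL from the lesson.

```cisco
! Added example, not the lesson's configuration.
! Dynamic PAT: connections from DMZ hosts towards OUTSIDE are translated
! to the OUTSIDE interface address (192.168.3.0/24 is an assumed DMZ subnet).
object network DMZ_SUBNET
 subnet 192.168.3.0 255.255.255.0
 nat (DMZ,OUTSIDE) dynamic interface
!
! Optional egress filter. Without an ACL on the DMZ interface, traffic from
! the higher security level (DMZ, 50) to the lower one (OUTSIDE, 0) is
! permitted by default, so a compromised server could reach anything.
! The permitted ports below are an assumption for a typical server.
access-list DMZ_OUT extended permit tcp 192.168.3.0 255.255.255.0 any eq 80
access-list DMZ_OUT extended permit tcp 192.168.3.0 255.255.255.0 any eq 443
access-list DMZ_OUT extended permit udp 192.168.3.0 255.255.255.0 any eq 53
access-list DMZ_OUT extended deny ip any any log
access-group DMZ_OUT in interface DMZ
```

In 8.3 and later the ACL is written with real (untranslated) addresses, which is why the source above is the DMZ subnet itself and not the OUTSIDE interface address.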

Hi Rene,

The diagram needs to be updated to 192.16.1.0/24 for the LAN subnet.

I mean 192.168.1.0/24

Hi Harmit,

Thanks, I just fixed the text so it matches the diagram.

Rene

Based on this configuration, it works with ASA 8.4 or later.

Can you show me how to configure ASA 8.2 or older?

It should be something like this:

static (DMZ,OUTSIDE) tcp <outside ip> <port> <inside ip> <port> netmask 255.255.255.255

Hi Rene,

Is there any reason given by Cisco as to why the order of operations was changed in the ASA 8.3 code?

The real IPs in the ACLs and the post-NAT port numbers, etc.

Thanks

Hi Paul,

Not that I know of, I tried looking it up but couldn’t find anything.

Rene
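The one-line pre-8.3 `static` form given a few posts up, and the order-of-operations change Paul asks about, written out side by side as an added example (not part of the lesson or of any reply above). It forwards TCP port 10022 on the OUTSIDE interface address to port 22 on the DMZ SSH server; 192.168.3.3, 192.168.2.254 and 10022 are the addresses and port used elsewhere in this thread, and OUTSIDE_IN is an assumed ACL name. The two sections are alternatives for different software versions, not meant to be applied together.

```cisco
! Added example, not the lesson's configuration.
!
! --- ASA 8.2 and earlier ---
! The inbound ACL is evaluated against the mapped (outside) address and port,
! so it matches the OUTSIDE interface address 192.168.2.254 and port 10022.
static (DMZ,OUTSIDE) tcp interface 10022 192.168.3.3 22 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 192.168.2.254 eq 10022
access-group OUTSIDE_IN in interface OUTSIDE
!
! --- ASA 8.3 and later ---
! Un-NAT is applied before the inbound ACL is checked, so the ACL names the
! real address and real port (192.168.3.3 / 22), not the mapped ones.
! In the object NAT rule the real port comes first, then the mapped port.
object network SSH_SERVER
 host 192.168.3.3
 nat (DMZ,OUTSIDE) static interface service tcp 22 10022
access-list OUTSIDE_IN extended permit tcp any object SSH_SERVER eq 22
access-group OUTSIDE_IN in interface OUTSIDE
```

A common mistake after upgrading is to keep `eq 10022` in the 8.3+ ACL; the rule then never matches and the forwarded connection is silently dropped at the ACCESS-LIST stage.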

Rene,

For some reason, when trying to telnet from my outside router to my HTTP server I keep getting the error message “Connection refused by remote host”. I was able to successfully SSH into my SSH server. I am also able to telnet from the SSH server to the HTTP server, so I know the configuration is correct. Any idea?

Thanks in advance.

interface GigabitEthernet0
 nameif DMZ
 security-level 50
 ip address 10.1.1.254 255.255.255.0
!
interface GigabitEthernet1
 nameif OUTSIDE
 security-level 0
 ip address 12.1.1.254 255.255.255.0
!
object network WEB_SERVER
 host 10.1.1.1
object network SSH_SERVER
 host 10.1.1.2
access-list DMZ_SERVERS extended permit tcp any host 10.1.1.1 eq www
access-list DMZ_SERVERS extended permit tcp any host 10.1.1.2 eq ssh
!
object network WEB_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp www www
object network SSH_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh ssh
access-group DMZ_SERVERS in interface OUTSIDE
!
class-map icmp
 match default-inspection-traffic
!
policy-map icmp_policy
 class icmp
  inspect icmp
  inspect http
!
service-policy icmp_policy global

Hi Juan,

Your configuration is looking good to me. SSH from OUTSIDE to DMZ is no problem?

Is it possible it’s something else? Perhaps there is no route or default gateway on the HTTP server pointing to your ASA?

Rene

Rene,

Correct, SSH from OUTSIDE to DMZ is working fine. I configured my HTTP server (Router 2) to allow SSH with the following command:

access-list DMZ_SERVERS extended permit tcp any host 10.1.1.1 eq ssh

Now I can remote in, but by using the router's IP, e.g. (ssh -l Cisco 10.1.1.1); for some reason my ASA is not NATing/port forwarding to my HTTP server.

ciscoasa# show xlate
2 in use, 2 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from DMZ:10.1.1.1 80-80 to OUTSIDE:12.1.1.254 80-80
    flags sr idle 0:05:12 timeout 0:00:00
TCP PAT from DMZ:10.1.1.2 22-22 to OUTSIDE:12.1.1.254 22-22
    flags sr idle 0:09:33 timeout 0:00:00
ciscoasa# show nat

Auto NAT Policies (Section 2)
1 (DMZ) to (OUTSIDE) source static WEB_SERVER interface   service tcp www www
    translate_hits = 0, untranslate_hits = 23
2 (DMZ) to (OUTSIDE) source static SSH_SERVER interface   service tcp ssh ssh
    translate_hits = 14, untranslate_hits = 6

Not sure why!

Hi Juan,

Your ASA configuration does look OK and seems to translate HTTP traffic. If you enable debug ip packet (with an access-list) or debug ip http, can you see anything?

Using packet tracer on the ASA also helps to check if you have any errors.

Rene

Hi Rene

I did the lab again and set the default route to the firewall.
I can check port 80 on the web server with your command in this example, “telnet 192.168.2.254 80”, but I can’t use “ssh -l cisco -p 10022 192.168.2.254” from R2 to the outside IP of the firewall.
I don't know why.

I think it should be a static NAT to the SSH server 192.168.3.3.

Please help me resolve this!

Thank you!

Just a couple of things to check…

  • Can you SSH from the webserver into the SSH server? That proves SSH is working.
  • Do you have a default route on the SSH server towards the ASA?
  • Do you see a matching entry in show xlate?
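The packet-tracer check Rene suggested to Juan earlier, and the "matching entry in show xlate" check above, as an added example (not part of any reply in this thread). It runs on the ASA and uses the addresses from the SSH question just above: 192.168.2.254 / 10022 on the outside mapped to 192.168.3.3 / 22 in the DMZ; 203.0.113.5 is an assumed outside client, and the capture names are made up. For Juan's scenario, substitute 12.1.1.254, 10.1.1.1 and port 80.

```cisco
! Added example, not from the lesson or the replies above.
!
! 1. Simulate the inbound SYN through the whole pipeline. On 8.3+ the UN-NAT
!    phase should show the destination rewritten to 192.168.3.3/22 and the
!    final result should be "allow" with output-interface DMZ. A "drop"
!    names the phase that failed (ACCESS-LIST: wrong real IP/port in the
!    ACL; NAT: no static rule matched the mapped address and port).
packet-tracer input OUTSIDE tcp 203.0.113.5 40000 192.168.2.254 10022
!
! 2. Capture on both sides while the client connects. A SYN seen on OUTSIDE
!    that never appears on DMZ points at the ASA (NAT or ACL). A SYN on DMZ
!    answered by a RST from the server means the ASA did its job and the
!    server itself refused the port. A SYN on DMZ with no answer at all
!    usually means the server has no route back (default gateway) to the ASA.
capture CAP_OUT interface OUTSIDE match tcp any host 192.168.2.254 eq 10022
capture CAP_DMZ interface DMZ match tcp any host 192.168.3.3 eq 22
show capture CAP_OUT
show capture CAP_DMZ
no capture CAP_OUT
no capture CAP_DMZ
!
! 3. Confirm the static xlate exists and whether the rule is being hit
!    (untranslate_hits counts inbound matches for a static rule).
show xlate
show nat detail
```

Note that the outside capture sees the mapped address and port, while the DMZ capture sees the real ones, which is the same real/mapped split that the 8.3+ ACL rules depend on.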

Not sure I am correct, but this should allow telnet from outside:
en
config t
telnet 0.0.0.0 0.0.0.0 outside
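An added note and example, not part of the post above or of the lesson: the `telnet` command configures management access to the ASA itself, not Telnet traffic through it. Reaching the forwarded port of a DMZ server from outside needs only the static NAT rule and the inbound ACL from the lesson, and the test client simply connects to the mapped address and port (for example `telnet 192.168.2.254 80`, as used earlier in this thread). If management access from the outside is really required, restrict it to SSH from a specific admin host: Telnet is cleartext, and the ASA does not accept Telnet to itself on its lowest-security interface unless the session arrives through a VPN tunnel. 203.0.113.10 is an assumed admin host and the username and password are placeholders.

```cisco
! Added example, not from the posts above.
! "telnet 0.0.0.0 0.0.0.0 OUTSIDE" would open cleartext management access to
! the ASA from any address, and is refused on the lowest-security interface
! anyway. Use SSH from a single admin host instead.
crypto key generate rsa modulus 2048
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
ssh 203.0.113.10 255.255.255.255 OUTSIDE
ssh timeout 10
```

The interface name in the `ssh` line must match the `nameif` exactly (OUTSIDE in Juan's configuration earlier in this thread).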
