
I have an ASA connected to the primary network and I'd like it to do an easy port forward so that when a PC tries to telnet the ASA on port 500, for example, the ASA forwards the request to a server. The topology would be like: 192.168.1.100 (PC) -> 192.168.1.200 (ASA) -> 192.168.1.300 (SERVER)

So from my PC if I do "telnet 192.168.1.200 500" the request would actually go to 192.168.1.300

I created a NAT rule and enabled the access list, but it's not working:

  • access-list eth0_access_in line 12 extended permit object-group DM_INLINE_SERVICE_3 object PC object SERVER
  • access-list eth0_access_in line 13 extended permit object-group DM_INLINE_SERVICE_4 object SERVER object PC
  • nat (eth0,eth0) 1 source static SERVER SERVER destination static PC PC service tcp-500 tcp-500

1 Answer


The Cisco ASA has a limitation with the traffic flow. The incoming and the outgoing interface must be different. I'm speaking of named interfaces. Two different VLANs on the same physical NIC are OK, but incoming and outgoing in the same VLAN, or untagged on a physical NIC, does not work.

Aside from this, your setup won't work at the TCP level. I will remove one 0 from the last octet to have real IP addresses.

Initial packet:
192.168.1.10:12345 -> 192.168.1.20:500 (SYN)
Rewrite on ASA:
192.168.1.10:12345 -> 192.168.1.30:500 (SYN)
Response from server:
192.168.1.30:500 -> 192.168.1.10:12345 (SYN,ACK)

The client receives this packet because it has no connection for 192.168.1.30:500 in its connection table.

You need either an additional source NAT on your firewall, or a host route on 192.168.1.300 to 192.168.1.100 via the firewall.

Just another side note: I hope this is a lab setup. The ASA is out of support since September 2018, and the 300 Mbps throughput is not state of the art nowadays.
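The packet flow the answer walks through, as an added simulation that is not part of the original answer or of any Cisco tooling: it models the client's connection table and the ASA's xlate table for the asker's destination-only rule and for the two fixes the answer names. The addresses and ports are the answer's examples; the mode names and the PAT port 40000 are assumptions made for the illustration.

```python
"""Constructed simulation of hairpin destination NAT on one subnet:
does the SYN-ACK the client finally receives match the SYN it sent?"""

CLIENT, ASA, SERVER = "192.168.1.10", "192.168.1.20", "192.168.1.30"


def reverse(flow):
    """Swap the endpoints of a (src_ip, src_port, dst_ip, dst_port) flow."""
    return (flow[2], flow[3], flow[0], flow[1])


def handshake(mode):
    """Simulate SYN / SYN-ACK for one setup and return (syn_ack_at_client, matched).

    mode: 'dnat_only'  - the asker's rule: only the destination is rewritten
          'source_nat' - the ASA also rewrites the source to its own address
          'host_route' - server routes traffic for the client via the ASA
    """
    syn = (CLIENT, 12345, ASA, 500)
    client_table = {syn}  # the client expects replies for exactly this 4-tuple

    # ASA rewrites the destination to the server; with source NAT it also
    # replaces the client's source so the reply is addressed back to the ASA.
    if mode == "source_nat":
        translated = (ASA, 40000, SERVER, 500)  # 40000: constructed PAT port
    else:
        translated = (CLIENT, 12345, SERVER, 500)
    xlate = {translated: syn}  # ASA xlate table: translated flow -> original flow

    # The server answers whatever source address it saw in the SYN.
    syn_ack = reverse(translated)

    # Client and server share a subnet, so the reply only passes through the ASA
    # if it is addressed to the ASA or the server has a host route via the ASA.
    via_asa = syn_ack[2] == ASA or mode == "host_route"
    if via_asa:
        original = xlate[reverse(syn_ack)]  # find the forward flow, untranslate
        syn_ack = reverse(original)

    matched = reverse(syn_ack) in client_table
    return syn_ack, matched


if __name__ == "__main__":
    for mode in ("dnat_only", "source_nat", "host_route"):
        pkt, ok = handshake(mode)
        print(f"{mode:<11} SYN-ACK {pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]} "
              f"matches client table: {ok}")
```

In `dnat_only` the SYN-ACK arrives from 192.168.1.30:500, which the client never connected to, so the handshake fails; both fixes deliver a SYN-ACK from 192.168.1.20:500.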