
I have a Cisco ASA-5505 firewall, which is currently configured to share our internet connection and do NAT for my LAN, as well as forward port 443 to an internal machine.

I need to forward port 2222 to a second internal machine, and I'm running into a bit of trouble. My understanding is that typically packets are forwarded to a machine with a rule like:

static (inside,outside) [Public IP] [Internal IP] netmask 255.255.255.255

However, when I try to add two of these rules, they conflict with each other.

I tried adding port-specific rules like this instead:

static (inside,outside) tcp interface 443 [internal IP 1] 443 netmask 255.255.255.255
static (inside,outside) tcp interface 2222 [internal IP 2] 2222 netmask 255.255.255.255

But then both ports were filtered (as per nmap from a remote machine).

My access-list rules currently look like this:

access-list outside-in line 1 extended permit tcp any host [public IP] eq 443
access-list outside-in line 2 extended permit tcp any host [public IP] eq 2222

Can anyone provide me a working set of static and access-list rules that will forward port 443 to one machine, and port 2222 to a different machine?

EDIT: I should mention that, unfortunately, the only access I have to this ASA is via telnet - I can't use ASDM.

CmdrMoozy

2 Answers


First, there can be some discrepancies based on what level of code you are running...

There's a difference between your old static NAT rule and the new rules that would be required to split up the ports from a single WAN IP to multiple internal IPs.

You can get the details from Cisco on how to do this here: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html

Youtube can also help visual learners..see here:

http://www.youtube.com/watch?v=ZvjrN9lYtsI

TheCleaner
  • My understanding is that since this is a pre-8.0 ASA, nat objects aren't available to me, and static is the correct command to use. Am I mistaken? – CmdrMoozy Jun 10 '13 at 18:48
  • Looking at your static rules then, they should be right...you would use "interface" if you are using the outside interface's IP and static PAT. What isn't working when you say "both ports are filtered"? – TheCleaner Jun 10 '13 at 19:05
  • If I do `nmap -sS -p 443 [Internal IP]` from inside my network it reports `443/tcp open`, whereas if I do `nmap -sS -p 443 [Public IP]` from outside my network it reports `443/tcp filtered`. I would expect it to be open if the port was really being forwarded correctly. – CmdrMoozy Jun 10 '13 at 19:07
  • 1
    "show running-config static" - can you post that as well as any global statements? Or follow this link http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_staticpat.html and see if that helps you out. – TheCleaner Jun 10 '13 at 19:35
  • `show running-config static` shows exactly the two lines I put in my OP. I tried enabling logging with `logging enable` and `logging buffered debug`, but none of my incoming packets seem to show up in the output of `show log`. Does this guarantee that my problem is really that no packets are getting there at all? – CmdrMoozy Jun 10 '13 at 20:10
  • 1
    http://www.t1shopper.com/tools/port-scan/ - try there to confirm. You will at a minimum get a connection request on the external interface in your debug logs and should be able to use that to help debug. Do you have globals setup? Did you check the URL guide link? – TheCleaner Jun 10 '13 at 20:16
  • I've been trying `nmap -sS -p 443 [public IP]` from a remote machine, and that remote machine's IP doesn't show up in `show log` at all. I have been looking at the Cisco documentation, but unfortunately I don't see where I'm going astray from their steps. Here's my full `show run` output: http://pastebin.com/V0JkEBj9 – CmdrMoozy Jun 10 '13 at 20:20
  • That config looks right. Are you sure that you aren't getting hit counters on the ACLs? I'm at a loss to be honest...looks right to me but maybe my own eyes are deceiving me... – TheCleaner Jun 10 '13 at 20:46
  • You were right - my configuration syntax was correct. The problem ended up being that my public IP in my ACL was wrong - I think, although my boss said we do, that we don't actually have a static IP address. Anyway, I'm accepting your answer, because if I wasn't terrible it would have solved my problem exactly. :) – CmdrMoozy Jun 10 '13 at 21:01
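The configuration this thread converges on, written out in full as an added example (it is not the poster's pastebin config and not taken from either answer). The internal addresses 192.168.1.10 and 192.168.1.11 and the ACL name outside-in are assumptions; the static PAT syntax is the pre-8.3 form used in the question. Because the real cause here was an ACL that hard-coded a public IP the site did not actually own statically, the ACL below matches on `interface outside` instead of a literal address, so it keeps working whether the outside address is static or DHCP-assigned.

```text
! Pre-8.3 ASA static PAT: one outside address, two inside hosts, one TCP port each.
! Added example, not the poster's running config. 192.168.1.10 / .11 and the ACL
! name are assumptions. "interface" means whatever address the outside interface
! currently holds, so a changing WAN address does not break the translation.
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp interface 2222 192.168.1.11 2222 netmask 255.255.255.255
!
! Permit only those two ports inbound. "interface outside" as the destination is
! the hardened form; "host [public IP]" is the weak form it replaces, which fails
! silently if the address is not really static (the cause in this thread).
access-list outside-in extended permit tcp any interface outside eq 443
access-list outside-in extended permit tcp any interface outside eq 2222
! The ACL has no effect until it is bound to the outside interface.
access-group outside-in in interface outside
!
! Verification from the telnet session: the hitcnt on each ACE should increment
! when a remote host connects, and the two static translations should be listed.
show access-list outside-in
show xlate
```

If `show access-list outside-in` shows hitcnt=0 on both entries while a remote host is connecting, the packets are not reaching the ACL at all, which points at the address being matched (or upstream filtering) rather than at the static or ACL syntax.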

In your static rules, don't use interface. Use your public IP instead.

longneck
  • 1
    `static (inside,outside) tcp [Public IP] 443 [Internal IP] 443 netmask 255.255.255.255` tells me that "Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address." – CmdrMoozy Jun 10 '13 at 18:50