Cisco Firewall Port Forwarding

KB ID 0000077

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Note2: If your firewall is running a version older than 8.3 you will need to scroll down the page.

Port forwarding on Cisco firewalls can be a little difficult to get your head around, to better understand what is going on remember in the “World of Cisco” you need to remember two things…..

1. NAT Means translate MANY addresses to FEW Addresses

2. PAT Means translate MANY addresses to ONE Address.

Why is that important you ask? Well most networking types assume NAT is translating one address to many, BUT on a Cisco device this is PAT, and it uses (as the name implies) port numbers to track everything. e.g. the first connection outbound might be seen on the firewall as 123.123.123.123:1026 and the second connection outbound might be seen as 123.123.123.123:2049 so when the traffic comes back the firewall knows where to send it.

Fair enough but what has that got to do with Port Forwarding? Well you can use the exact same system to lock a port to an IP address – so if only one port can go to one IP address then that’s going to give you port forwarding 🙂

To make matters more confusing (sorry) you configure PAT in the NAT settings, for this very reason it confuses the hell out of a lot of people, and the GUI is not intuitive for configuring port forwarding, (the ADSM is better than the old PIX PDM) but most people, (me included,) prefer to use command line to do port forwarding.

Below you will find;

Option 1 (Use ASDM)
Option 2 Use Command Line Interface
Option 3 Use PDM (PIX v6 Only)

Option 1: Port Forwarding Using ASDM

Note: This option uses ASDM Version 7.9(2) If yours is older see below;

Connect to the ASDM, Configuration > Firewall > NAT Rules > Right Click ‘Network Object Nat Rules’ > Add ‘Network Object’ Nat Rule.

Name = “Give the internal server/host a sensible name” > Type = Host > IP Address = The internal / private IP address > Type = Static > Translated address = Outside > Advanced > Source Interface = Inside > Destination Interface = Outside > Protocol = TCP  > Real port = http > Mapped Port = http > Ok > OK > Apply.

Note: This assumes your Outside interface is called outside, Inside interface is called inside and you want to port TCP port 80 (http).

Configuration > Firewall > Access Rules > Right Click ‘Outside Interface” > Add Access Rule.

Interface = Outside > Action = Permit > Source = Any > Destination {Browse}  > Locate the object you created earlier > Add to Destination > OK.

Service {Browse} > Select the Port you require (i.e. http) > OK.

OK > Apply > When you have tested it works, save the changes.

 

Using Older ASDM (PIX V7 and ASA5500) 1 Port to 1 IP Address

1. As above you will need to know the port and the IP to forward it to, Launch the ASDM, Select Configuration > Security Policy > Then either Rule Add, or right click the incoming rules and select “Add Access Rule.”

2. Interface = Outside > Direction = Incoming > Action = Permit > Source = Any > Destination, Type = Interface IP, Interface = Outside > Protocol = TCP > Destination Port Source = smtp (for example) > OK > Apply.

3. Back at the main screen select Configuration > NAT > Add, or Right Click an Existing mapping and click “Add Static NAT Rule.”

4. Real Address Interface = Inside > IP Address = 10.254.254.1 > Netmask = 255.255.255.255 > Static Translation Interface = outside > IP Address = (Interface IP) > Tick “Enable Port Translation (PAT) > Protocol = TCP > Original Port = smtp > Translated Port = smtp (for example) > OK > Apply.

5. File > “Save Running Configuration to Flash.”

Option 2 Use the Command Line to Port Forward (Post Version 8.3)

Note: Port forwarding changed on PIX/ASA devices running OS 8.3 and above, in regards to port forwarding. There is no longer a global command, for a full run-down of the changes click here.

If you issue a global command after version 8.3 you will see this error,

ERROR: This syntax of nat command has been deprecated.
Please refer to “help nat” command for more details.

1. First things first, you will need to know what port you want to forward, and where you want to forward it, for this example We will assume I’ve got a server at 10.254.254.5 and it’s a mail server so I want to Forward all TCP Port 80 traffic (HTTP) to it. Connect to the Firewall via Console/Telnet or SSH.

[box]

Warning Notice
User Access Verification#
Password:********
Type help or '?' for a list of available commands.
Petes-ASA>

[/box]

2. Enter enable mode, and enter the enable mode password.

[box]

Petes-ASA> enable
Password:********
Petes-ASA#

[/box]

3. Now we need to go to configuration mode.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

4. Create an object for the web server that the traffic is going to be forwarded to.

[box]

Petes-ASA(config)# object network Internal_Web_Server
Petes-ASA(config-network-object)# host 10.254.254.5

[/box]

5. Then create a NAT translation for the port to be forwarded. Then you can exit the network object prompt.

[box]

Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp http http
Petes-ASA(config-network-object)# exit

[/box]

6. Now you need to allow the http traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA# show run access-group
access-group inbound in interface outside
access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’). If yours has a different name (e.g. outside_access_in then use that instead of the ACL name I’m using here). If you DONT have an access-group entry for inbound traffic then we will do that at the end!

[box]

Petes-ASA(config)# access-list inbound permit tcp any object Internal_Web_Server eq http

[/box]

7. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#

[/box]

8. Don’t forget to save your hard work. (write memory).

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

All the commands to Copy & Paste (Post v 8.3);

[box]

object network Internal_Web_Server
 host 10.254.254.5
nat (inside,outside) static interface  service tcp http http
access-list inbound permit tcp any object Internal_Web_Server eq http
access-group inbound in interface outside 

[/box]

Use the Command Line to Port Forward (pre version 8.3) 1 Port to 1 IP Address

1. First things first, you will need to know what port you want to forward, and where you want to forward it, for this example we will assume I’ve got a server at 10.254.254.1 and it’s a mail server so I want to forward all TCP Port 25 traffic to it. Connect to the Firewall via Console/Telnet or SSH.

[box]

Warning Notice

User Access Verification
Password:*******

Type help or '?' for a list of available commands.
Petes-ASA>

[/box]

2. Enter enable mode, and enter the enable mode password.

[box]

Petes-ASA> enable
Password: ********
Petes-ASA#

[/box]

3. Now we need to go to configuration mode.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

4. Now you need to allow the http traffic in. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA#show run access-group
access-group inbound in interface outside
access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’). If yours has a different name (e.g. outside_access_in then use that instead of the ACL name I’m using here). If you DON’T have an access-group entry for inbound traffic then we will do that at the end!

5. Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)#

[/box]

6. Lastly the command that actually does the port forwarding, (static command). And allow the traffic in.

[box]

Petes-ASA(config)# static (inside,outside) tcp interface smtp 10.254.254.1 smtp netmask 255.255.255.255
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq smtp

[/box]

7. Don’t forget to save your hard work. (write memory).

[box]

Petes-ASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#

[/box]

Option 3 Use the PIX Device Manager (PIX Version 6 Only)1 Port to 1 IP Address

1. As above you will need to know the port and the IP to forward it to, Launch the PIX Device manager, Select Configuration > Access Rules > Then either click “Rule”s > Add or Right click an incoming rule and select > “Insert Before” or “Insert After”.

2. Under the “Action” select “Permit”, Under Source Host/Network Select “Outside”, and all the zeros, Under Destination Host/Network Select “Inside” and all the zeros then set the “Destination Port” to smtp > OK > Apply.

3, Now select the “Translation Rules” tab, Rules Add or Right click a rule and select “Insert before” or “Insert After”.

4. In this example I’ve set it to forward all TCP Port 25 traffic to 10.254.254.10 (NOTE: I’ve blurred out the public IP Address you will need to add this also) > OK > Apply.

5. Finally save your work > File > “Save Running Configuration to Flash.” > Exit.

Related Articles, References, Credits, or External Links

ASA 5500 – Port Forwarding To A Different Port

Cisco ASA – Port Forward a ‘Range of Ports’

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

ASA 5500 Adding a DMZ Step By Step

KB ID 0000316 

Problem

Assuming you have a working ASA 5500 and you want to add a DMZ to it, this is the process.

Assumptions

1. Networks,

a. Inside network is 10.1.0.0 255.255.0.0 b. Outside network is 123.123.123.120 255.255.255.248 c. DMZ network is 172.16.1.0 255.255.0.0

2. Interfaces,

a. Inside Interface is 10.1.0.254 b. Outside Interface is 172.16.1.254 c. DMZ Interface is 172.16.1.254

3. The Web server in the DMZ will have the following IP addresses,

a. DMZ IP address 172.16.1.1 b. Public IP address 123.123.123.124

4. From the Internet you want to allow web traffic and secure web traffic (http/www and https/ssl) to the DMZ Server.

5. The DMZ Server needs to speak to a database server on the inside LAN, on TCP port 1433.

 

Solution

Step 1: Setup the DMZ Interface

1. Firstly connect to the ASA log in and go to enable mode.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********

[/box]

2. Go to configure terminal mode and set up the DMZ interface (In this case Ethernet0/2).

[box]

PetesASA# configure terminal
PetesASA(config)# interface Ethernet0/2
PetesASA(config-if)# nameif DMZ
PetesASA(config-if)# security-level 50
PetesASA(config-if)# ip address 172.16.1.254 255.255.0.0
PetesASA(config-if)# no shutdown
PetesASA(config-if)# exit

[/box]

Step 2: Setup the DMZ NAT

Before we worry about the NAT, we need to find out what version of code the ASA is running, (configuration of NAT changes in version 8.3).

Find out your Cisco ASA version (Operating system and ASDM)

ASA Version 8.3 and Newer DMZ NAT

1. Allow the IP addresses in the DMZ to be NATTED to the outside IP address, (we will set up a static translation for the DMZ host in a minute).

[box]

PetesASA(config)# object network DMZ-subnet
PetesASA(config-network-object)# subnet 172.16.1.0 255.255.0.0
PetesASA(config-network-object)# nat (DMZ,outside) dynamic interface
PetesASA(config-network-object)# exit
PetesASA(config)#

[/box]

2. Specify the public IP of the DMZ host.

[box]

PetesASA(config)# object network DMZ-Host-EXT
PetesASA(config-network-object)# host 123.123.123.124
PetesASA(config-network-object)# exit
PetesASA(config)#

[/box]

3. Create a static NAT translation for the public ip of the DMZ host, to its private IP.

[box]

PetesASA(config)# object network DMZ-Host-INT
PetesASA(config-network-object)# host 172.16.1.1
PetesASA(config-network-object)# nat (DMZ,outside) static DMZ-Host-EXT
PetesASA(config-network-object)# exit
PetesASA(config)#

[/box]

ASA Version 8.2 and Older DMZ NAT

1. I like to name the DMZ entities IP addresses so things look neat.

[box]

PetesASA(config)# name 172.16.1.1 DMZ-Host-Private-IP
PetesASA(config)# name 123.123.123.124 DMZ-Host-Public-IP2. Set a some NAT statement to handle traffic flow. (assuming you have a matching global statement like global (outside) 1 xxx - "show run global" will tell you).

[/box] [box]

PetesASA(config)# nat (DMZ) 1 0.0.0.0 0.0.0.0

[/box]

Note We are only going to have one DMZ host, and it will have a static mapping – if you had many DMZ hosts then also add “global (DMZ) 1 interface”.

3. Now add some static mappings.

[box]

PetesASA(config)# static (DMZ,outside) DMZ-Host-Public-IP DMZ-Host-Private-IP netmask 255.255.255.255
PetesASA(config)# static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
PetesASA(config)# static (inside,DMZ) 172.16.1.0 172.16.1.0 netmask 255.255.255.0

[/box]

Step 4: Create ACL’s to Allow Traffic

Once again there’s a slight change in the syntax based on the ASA version, after version 8.3 you allow access to the ‘Pre-Natted’ address, but before version 8.3 you allowed access to the ‘Post-Natted’ address.

ASA Version 8.3 and Newer Access Lists

1. To let people from outside you need to either create an access-list or add some rules to any existing inbound access-list. (“show run access-group” will tell you, look for an ACL applies “in” to the outside interface e.g. “access-group outbound in interface inside”. We will assume I don’t have one so I’ll need the access-group at the end..

[box]

PetesASA(config)# access-list inbound extended permit tcp any object DMZ-Host-INT eq www
PetesASA(config)# access-list inbound extended permit tcp any object DMZ-Host-INT eq https
PetesASA(config)# access-group inbound in interface outside

[/box]

2. Now to allow the DMZ host to get to the database server I’m going to allow TCP 1433.

[box]PetesASA(config)# access-list DMZ-outbound permit tcp object DMZ-Host-INT host 10.1.0.100 eq 1433 PetesASA(config)# access-group DMZ-outbound in interface DMZ[/box]

ASA Version 8.2 and Older Access Lists

1. To let people in from the outside you need to either create an access-list or add some rules to any existing inbound access-list. (“show run access-group” will tell you, look for an ACL applies “in” to the outside interface e.g. “access-group outbound in interface inside”. We will assume I don’t have one so I’ll need the access-group at the end.

[box]PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq www PetesASA(config)# access-list inbound extended permit tcp any host DMZ-Host-Public-IP eq https PetesASA(config)# access-group inbound in interface outside 2. Now to allow the DMZ host to get to the database server I’m going to allow TCP 1433.

PetesASA(config)# access-list DMZ_outbound extended permit tcp host DMZ-Host-Private-IP host DMS-SQL eq 1433 PetesASA(config)# access-group DMZ_outbound in interface DMZ[/box]

Step 5: Save the changes

8. Finally save the configuration.

[box]

PetesASA(config)#
write mem
Building configuration...
Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f139379 bytes copied in 1.410 secs (9379 bytes/sec)
[OK]

[/box]

Related Articles, References, Credits, or External Links

Original Article Written 27/08/10

Configure Cisco EasyVPN With Cisco ASA 5500

KB ID 0000337

Problem

Site to site VPN’s are great for main office to branch office connections, but for remote workers in a SOHO environment obtaining a static IP address can be expensive and time consuming. Traditionally remote workers will use either AnyConnect or IPSEC Remote VPN’s.

However Cisco have a system which lets you have a main site (or sites), with a static IP, that acts as the EasyVPN server, then remote sites with dynamic DHCP IP addresses can authenticate and connect via a hardware device. That remote hardware device can be another ASA (Note: Only ASA5505 can be used as an EasyVPN client), or a Cisco IOS router. In addition if you have any old PIX 501 or 506E firewalls laying around they can also be used as EasyVPN clients.

Solution

Step 1 Setup the EasyVPN server at the main site. (Example on ASA5510)

Step 2 Setup the EasyVPN client at the remote site. (Example on ASA5505)

Before you start – No other VPN’s can be running from this remote device, i.e. ISAKMP cannot be enabled on its outside interface.

Related Articles, References, Credits, or External Links

NA