Cisco ASA – Port Forwarding To A Different Port

Port Translation

KB ID 0001087 

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

A very long time ago I wrote an article about how to port forward from a single public IP address to multiple servers for RDP. Basically you would connect to the firewall on various different ports, and the firewall would change the port to the correct one for RDP (TCP port 3389, unless you changed it on the machine) and then send the traffic to the correct server, so you could manage multiple servers from the same public IP.

That was so long ago that it predates the version 8.3 NAT changes. This week I was working on a problem where every change I made had to be tested, which meant swapping VPNs, reconnecting to servers and testing comms. This was getting a bit time consuming, so I needed a public server to jump on for testing. I didn’t want to expose RDP on my server on its standard port, so I planned to use a different public port and translate that port on the firewall. But how do you do that with modern ASA code?

Solution

1. Create the network objects and NAT rules:

[box]

Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# object network Internal_RDP_Server-1
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp 3389 3390
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# object network Internal_RDP_Server-2
Petes-ASA(config-network-object)# host 192.168.1.2
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp 3389 3391
Petes-ASA(config-network-object)# exit

[/box]

2. Allow the traffic (read this article before executing the access-group command, because an interface can only have one access list applied per direction and a new access-group replaces whatever is already bound). Note that on 8.3 and later code the access list refers to the server’s real address (the object) and its real port 3389, not the translated port.

[box]

Petes-ASA(config)# access-list inbound permit tcp any object Internal_RDP_Server-1 eq 3389
Petes-ASA(config)# access-list inbound permit tcp any object Internal_RDP_Server-2 eq 3389
Petes-ASA(config)# access-group inbound in interface outside

[/box]

Whole Code

[box]

object network Internal_RDP_Server-1
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 3389 3390
object network Internal_RDP_Server-2
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 3389 3391
!
access-list inbound permit tcp any object Internal_RDP_Server-1 eq 3389
access-list inbound permit tcp any object Internal_RDP_Server-2 eq 3389
!
access-group inbound in interface outside

[/box]

OLD (Pre Version 8.3) Port Forwarding to a Different Port

As above, I’ll connect to the first server on port 3390 and the second on port 3391. On pre-8.3 code the access list matches on the translated (outside interface) ports, so first allow those in:

[box]

Petes-ASA> enable
Password: *********
Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3391

[/box]

Then port forward AND TRANSLATE those ports to the correct internal servers with static PAT entries:

[box]

Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3391 192.168.1.2 3389 netmask 255.255.255.255

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA5500 Change the AnyConnect Port

KB ID 0000422 

Problem

AnyConnect runs over TCP port 443 (that’s HTTPS/SSL), but if you only have one public IP and need to forward that port to a web server or other internal host, then you are a bit snookered. You can of course change the port that AnyConnect runs over, so that it’s no longer on TCP port 443.

Why you would NOT want to do this.

Bear in mind that HTTPS (TCP 443) is a well-known port, and it’s open in most places for secure web traffic: you use it when you purchase things over the internet or do your banking. For that reason it’s allowed out of most networks and through most firewalls, which is what makes AnyConnect so handy. If you change the port, clients on restrictive networks may have connection problems.

Solution

Assuming you accept the potential problems and want to swap the port over, do the following.

Via Command Line

1. Connect to the ASA via Telnet, SSH or console cable.

2. Log in and go to “configure terminal” mode.

[box]

PetesASA> enable
Password: ***********
PetesASA# configure terminal
PetesASA(config)#

[/box]

3. You can’t change the port while AnyConnect is enabled, so you need to disable it, change the port, then re-enable it (in this example I’ve changed it to port 444).

[box]

PetesASA(config)# webvpn
PetesASA(config-webvpn)# no enable outside
WARNING: Disabling webvpn removes proxy-bypass settings.
Do not overwrite the configuration file if you want to keep existing proxy-bypass commands.
INFO: WebVPN and DTLS are disabled on 'outside'.
PetesASA(config-webvpn)# port 444
PetesASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
PetesASA(config-webvpn)#

[/box]

4. Save the changes with a write mem command.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948

9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
PetesASA(config)#

[/box]
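As an added example (not from the original article, and not a Cisco tool), the following Python check reads a running config and flags two things this article is about: the AnyConnect/WebVPN port colliding with a static port forward on the same outside interface (the reason you would move it off 443 in the first place), and a WebVPN port other than 443, which clients on locked-down networks may not be able to reach. The config strings are constructed for the example; the object name `Internal_Web_Server` and its address are hypothetical, and the `webvpn` block mirrors the commands shown above.

```python
"""
Added example: spot a clash between the ASA webvpn (AnyConnect) port and a
static port forward on the same interface. Config samples are constructed.
"""
import re

WEBVPN_PORT_RE = re.compile(r"^\s*port (?P<port>\d+)\s*$")
WEBVPN_ENABLE_RE = re.compile(r"^\s*enable (?P<iface>\w+)\s*$")
# nat (real_if,mapped_if) static interface service tcp <real> <mapped>
NAT_RE = re.compile(
    r"^\s*nat \(\w+,(?P<mapped_if>\w+)\) static interface service tcp \d+ (?P<mapped>\d+)\s*$")


def parse_webvpn(config: str) -> tuple[int, set[str]]:
    """Return (listen port, enabled interfaces) from the 'webvpn' block.
    The ASA default when no 'port' sub-command is present is 443."""
    port, ifaces, in_block = 443, set(), False
    for line in config.splitlines():
        if line.strip() == "webvpn":
            in_block = True
            continue
        if in_block and not line.startswith(" "):    # next top-level command ends the block
            in_block = False
        if in_block:
            if (m := WEBVPN_PORT_RE.match(line)):
                port = int(m["port"])
            elif (m := WEBVPN_ENABLE_RE.match(line)):
                ifaces.add(m["iface"])
    return port, ifaces


def forwarded_tcp_ports(config: str) -> dict[str, set[int]]:
    """Map interface -> set of public TCP ports already consumed by static port forwards."""
    ports: dict[str, set[int]] = {}
    for m in map(NAT_RE.match, config.splitlines()):
        if m:
            ports.setdefault(m["mapped_if"], set()).add(int(m["mapped"]))
    return ports


def check_webvpn_port(config: str) -> list[str]:
    """Findings: a port collision per enabled interface, plus a caveat if not on 443."""
    port, ifaces = parse_webvpn(config)
    forwards = forwarded_tcp_ports(config)
    findings = []
    for iface in sorted(ifaces):
        if port in forwards.get(iface, set()):
            findings.append(f"webvpn port {port} on {iface} collides with a static port forward")
    if port != 443 and ifaces:
        findings.append(f"webvpn listens on {port}, not 443; clients must use https://host:{port} "
                        "and some networks block outbound ports other than 443")
    return findings


# Constructed: one public IP, an internal web server forwarded on 443, AnyConnect still on 443.
CONFLICT_CONFIG = """\
object network Internal_Web_Server
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443
!
webvpn
 enable outside
"""

# Constructed: the same config after the article's fix (AnyConnect moved to port 444).
FIXED_CONFIG = CONFLICT_CONFIG.replace(" enable outside", " port 444\n enable outside")


if __name__ == "__main__":
    print(check_webvpn_port(CONFLICT_CONFIG))
    print(check_webvpn_port(FIXED_CONFIG))
```

Feed it the output of `show running-config`; an empty list means the WebVPN port is on 443 and nothing else on that interface is claiming it.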

Via ASDM

1. Connect to the ASDM.

2. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection profiles.

3. Un-tick the option that allows access on the outside interface, change the port, re-tick it to allow access again, then click Apply.

Update 01/10/12

4. When done, click File > Save Running configuration to flash, to save the changes.

BE AWARE

Your clients would now need to connect to the portal on:

https://{name or IP address}:444

Or if using the client software, they will need to tag the port number on the end like so,

Related Articles, References, Credits, or External Links

Changing the ASDM Port