GregLedet.net Adventures in networking, security, and other things

3 Aug 2010

Port Forwarding on the Cisco ASA in 8.3 from the CLI made easy

So it's been a month and a half since I posted an update, and it's 4:15 am right now.  I can't sleep and I found out there's another networking blog out there using the same WP theme as me, so I figured I better put something up here since it was fresh in my mind.  Well, now that the niceties are out of the way, let's get to work.

I recently added an ASA 5505 to my home network at the edge.  Obviously, when I did, all of my port forwards went to hell because the ASA is now blocking everything.  I run a web server on one of my servers here and I like to be able to access it because I keep a lot of tech manuals and other stuff on there.  Well, I went about trying to set up port forwarding the old way and learned real quick that this pops up when I do:

ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

Yeah, that sucks.  On the new version of the ASA OS, global has gone the way of the dodo.  I did a bunch of searches on Google to figure it out and everything I ran across was very hard to decipher.  That's why I'm writing this.  You can set up a port forward in 4 quick and easy steps.  Just change the object name, IP address, and port to fit your network and you'll be just fine.

In this example, we want to be able to access a web server behind the firewall.  We'll assume you are using the standard HTTP port, the web server's internal IP address is 10.9.8.7/24, and that you at least know what you're doing enough to be configuring an ASA in the first place.  I'll give you the steps, then I'll explain.

Step 1: Create a new object group for your web server.

asa5505(config)# object network Webserver

Step 2: Add the IP of the web server to the network group.

asa5505(config-network-object)# host 10.9.8.7

Step 3: Forward the port via the NAT command.

asa5505(config-network-object)# nat (inside,outside) static interface service tcp www www

Step 4: Exit back to the root and add the access list

asa5505(config)# access-list outside_access_in permit tcp any object Webserver eq www

That's it!  Now, let's explain what's going on here.  Cisco has started moving more and more towards use of object groups in their configs.  It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more in.  Rather than having to rewrite a whole bunch of ACLs, you just add the IP of the new web server into the object group and everything is done for you.  After you create the object group (in this instance a network object; you can also create service objects), you add the IP of the specific object (or objects) that you want to point to.  So here our web server is 10.9.8.7.  If you want to send port 80 to more than 1 IP on your internal network, just add more IPs to that object group.

Now is the fun part.  While we're in the object group, we need to NAT port 80 only to that specific object group, which is why you're still at the "asa5505(config-network-object)#" prompt.  Now type "end" to get back to the regular config terminal, because we need to open that port in the ACL.  Yes, www = 80.  You can type either one and you get the same result.  If I have to go through and explain NAT, how it works and why I enter in that specific command to forward the port, then there's a possibility that I'd need to send you an invoice for my time because we would be here for a while.

This works for ANY port forward.  If you want to RDP into a machine, simply replace port 80 (all those www's you see up there) with 3389.  There is one caveat.  You can only do one port forward per object group.  So let's say that our web server is also an FTP server and you want port 21 to forward as well as port 80.  You're going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host 10.9.8.7), do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in permit tcp any object FTPServer eq ftp).

This should get you up and running with your port forwards in no time flat.  It is a bit of a pain in the ass to have to create a new object group for every port you want to forward, and maybe there's someone out there that's reading this right now thinking "dude, you don't have to create more than one group!  You can just do...".  Well, you need to enlighten the world with this knowledge and post it in the comments section.  And if you're too scared to do so, shoot me an email to greg(at)gregledet(dot)net.
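Since every forwarded port needs its own network object (step 1 through step 4, repeated per port, plus the "one nat per object" caveat above), the bookkeeping is easy to get wrong by hand. The following is an added example, not code from the original post or from Cisco: a small Python generator that takes a list of forwards and emits the object network / host / nat lines, the matching access-list entries, and the access-group line that binds the ACL to the outside interface. It refuses to put a second nat statement under an object that already has one, because on the ASA the second one replaces the first. The object names, hosts and the RDP entry in the sample list are constructed for the example; the www and ftp keywords are the ones the post uses, and any other port is emitted numerically.

```python
"""Render the ASA 8.3+ port-forward configuration from the post's four steps.

Added example, not from the original post. Each forward becomes its own
object network with one nat statement; the ACL entries reference the object
(i.e. the real inside IP), and the ACL is bound to the outside interface.
"""
import ipaddress
from dataclasses import dataclass

# Keywords the post uses in place of numbers; any other port is emitted numerically.
SERVICE_NAMES = {80: "www", 21: "ftp"}


@dataclass(frozen=True)
class Forward:
    name: str   # object network name, e.g. "Webserver"
    host: str   # internal (real) IP of the server
    port: int   # TCP port, the same on the outside and the inside


def port_token(port: int) -> str:
    """Return the ASA keyword for a port (www, ftp) or its number as text."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return SERVICE_NAMES.get(port, str(port))


def render_port_forwards(forwards, acl="outside_access_in",
                         inside="inside", outside="outside"):
    """Return the CLI lines as one string; raise if an object name is reused."""
    used_names = set()
    lines = []
    for fw in forwards:
        ipaddress.ip_address(fw.host)      # reject a malformed address early
        if fw.name in used_names:
            raise ValueError(f"object network {fw.name} already carries a nat "
                             "statement; a second one would overwrite it, "
                             "so create a separate object for this port")
        used_names.add(fw.name)
        p = port_token(fw.port)
        # Steps 1-3: the object, its host, and the interface-PAT nat statement.
        lines += [f"object network {fw.name}",
                  f" host {fw.host}",
                  f" nat ({inside},{outside}) static interface service tcp {p} {p}"]
    # Step 4: one ACL entry per forward, matched on the object (inside IP).
    for fw in forwards:
        lines.append(f"access-list {acl} permit tcp any object {fw.name} "
                     f"eq {port_token(fw.port)}")
    # Bind the ACL to the outside interface, otherwise it is never evaluated.
    lines.append(f"access-group {acl} in interface {outside}")
    return "\n".join(lines)


# Constructed sample: the post's web server (also serving FTP) plus an RDP host.
SAMPLE = [Forward("Webserver", "10.9.8.7", 80),
          Forward("FTPServer", "10.9.8.7", 21),
          Forward("RDPHost", "10.9.8.20", 3389)]

if __name__ == "__main__":
    print(render_port_forwards(SAMPLE))
```

Running it prints the three objects with their nat statements, three access-list lines and the access-group line, ready to paste at the config prompt. The same host appearing under two objects is exactly the post's FTP-plus-web case; reusing one object for both ports is the mistake the generator blocks.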

I'd also like to thank Stefan Fouant for an excellent class today on JUNOS Switching.  I learned a lot in his class and you can learn a lot from his website.  Check it out and tell him Greg sent ya!

  • http://www.shortestpathfirst.net Sfouant

    Don't worry, we love your blog even though it has the same WordPress theme as that other networking guy :) Had fun teaching you and enjoyed all the interactive discussion. Keep learning Junos and you'll eventually forget about that other Cisco stuff :)

  • Pingback: Port Forwarding on the Cisco ASA in 8.3 from the ASDM made easy « GregLedet.net

  • http://www.gregoryledet.com Greg Ledet

    I've been going through the “Junos as a Switching Language” eLearning course today with the idea that I'll get my JNCIA-EX by the end of the month. Plus, seeing as I have a Cisco tattoo, I doubt seriously that I'll be forgetting it anytime soon.

  • Andrew

    Greg, great article. ASA version 8.3 is a puzzle to get your head around at first. One point I'd like to make is you mention you can only have 1 port forward per object group. There is a method to open a group of ports to a single or group of servers which you may or may not already know. Check this out:

    object-group network web_servers
    network-object object 192.168.1.1
    network-object object 192.168.1.2

    object-group network web_server_ports tcp
    port-object eq 80
    port-object eq 21
    port-object eq 3389
    !
    !
    !
    !Then your access list would look like:
    !
    !
    access-list outside_in permit tcp any object-group web_servers object-group web_server_ports

  • http://www.gregoryledet.com Greg Ledet

    That is exactly the kind of enlightenment I was looking for. I think you're a little off on the config though. I could be wrong, but shouldn't that config be:

    object-group network web_servers
    host 192.168.1.1
    host 192.168.1.2

    object-group service web_server_ports tcp
    service-object tcp destination eq 80
    service-object tcp destination eq 21
    service-object tcp destination eq 3389

    Like you said, 8.3 is a bit of a puzzle. If I'm off here, please let me know!

    I'm sure most people are aware that you can open up ports that way, but the problem addressed in the post was about the NAT. In your instance, there's no way of telling the packets that the web_servers object group is where the web traffic needs to go. If you were to open up your browser and go to the public IP the ASA wouldn't translate the public to the private without that NAT statement.

    If you were to add the NAT statement in the web_servers object group for www then try to add another one for ftp and rdp, they would simply over write each other and you would only end up opening one port.

    Plus, you shouldn't need to create the “object-group”, object network web_servers and object service web_server_ports is all you need to create.

  • Andrew

    Greg, you are correct, you can use "host 192.168.1.1" as well as
    "network-object object 192.168.1.1", but an object does have to be created for the latter method.

    For the port forward statements, if you specify “tcp” in the object-group service command, like this:

    object-group service web_server_ports tcp

    It is not necessary to specify tcp or udp in the individual port forwards since the object group statement already specifies tcp. The same can be done for UDP as well.

    As for the NAT, I omitted the statements in my post because they are different depending on whether you have just one public IP or a range of public IPs to use, where you could give each server an individual public IP. I was just trying to demonstrate the use of groups for port forwards.

    For example if you have a block of public IPs:

    192.168.1.0 (inside subnet)
    10.0.0.0 (outside subnet)

    The ASA config would look like this:

    object network webserver1
    host 192.168.1.1
    object network webserver2
    host 192.168.1.2
    !
    !
    object-group network web_servers
    network-object host 192.168.1.1
    network-object host 192.168.1.2
    !
    object-group network web_server_ports tcp
    port-object eq 80
    port-object eq 21
    port-object eq 3389
    !
    !
    access-list outside_in permit tcp any object-group web_servers object-group web_server_ports
    !
    object network webserver1
    nat (dmz,outside) static 10.0.0.1
    object network webserver2
    nat (dmz,outside) static 10.0.0.2

    One thing I don't like about ASA 8.3 in the CLI is how they split the NAT statements apart in the config, as shown above.
    The network object with the inside IP address appears near the top of the config above the access lists and object group statements. The other half, where I specified the outside IP, appears further down in the config.

    Also, when specifying IP addresses for port forwards in ACLs, you must specify the inside IP, not the NATted or outside IP address. This isn't so much of a problem but just an unexpected change from the way things have been done since the days of the PIX OS, or Finesse OS if you really want to get picky!
    You might already know this stuff but if someone else is having troubles it's just one more place to find an answer.
    Great site by the way, I'll be keeping an eye on it. Lots of good articles!
    You might like a magazine called 2600. I've been reading it for years and it's great. It's a hacker magazine that deals mainly with security issues and hacking hardware and software; there's a lot of cool stuff in it. I've even had an article published in it about disk encryption. http://www.2600.com.

  • http://www.iweb-ftp.co.uk Ants ftp services

    When I have lots of ports to forward or if I’m having trouble with a certain app then putting the router into DMZ mode makes things a lot easier!

  • http://www.gregoryledet.com Greg Ledet

    Well, the problem here is that on the Basic feature set, there is a DMZ limitation. You can create a 3rd VLAN, but that VLAN can only access one of the other 2 VLANs. So you can either have internet only access or intranet only access, but not both.

  • Sam_isp

    What about if you want to add this:
    asa5505(config-network-object)# nat (inside,outside) static interface service tcp 3005 3005

  • Michael

    Don’t forget to apply the ACL to an interface with
    access-group outside_access_in in interface outside
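Three pitfalls come up in the thread above: two nat statements under one object overwrite each other (Greg's reply to Andrew), an ACL that permits a host has no effect on translation unless some object carries a nat statement for that host, and, as Michael notes, the ACL does nothing until access-group binds it to an interface. The following is an added example, not code from the post or any commenter: a Python lint that parses a pasted ASA config in the shapes shown in this thread (object network with host and nat, object-group network with network-object host members, access-list entries referencing object or object-group, and access-group) and reports those three conditions. The sample config it checks is constructed for the example, with one deliberate instance of each pitfall.

```python
"""Lint a pasted ASA 8.3+ config for the three pitfalls raised in the comments.

Added example, not from the post or its commenters. Reports:
  1. an object with more than one nat statement (each replaces the last),
  2. a host an ACL permits that no object nats (so nothing is translated),
  3. an access-list that is never bound to an interface with access-group.
"""
import re


def parse_config(text):
    """Collect objects, groups, ACL references and ACL bindings from config text."""
    objects, groups, acls, bound = {}, {}, {}, set()
    current = None                      # ("object"|"group", name) block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                    # blank lines and ! comments
        if line.startswith(("object ", "object-group ", "access-list ", "access-group ")):
            current = None              # any top-level command closes the open block
        if m := re.match(r"object network (\S+)$", line):
            current = ("object", m.group(1))
            objects.setdefault(m.group(1), {"host": None, "nat": []})  # may be re-opened
        elif m := re.match(r"object-group network (\S+)$", line):
            current = ("group", m.group(1))
            groups.setdefault(m.group(1), [])
        elif m := re.match(r"access-list (\S+)(?: .*?\b(object|object-group) (\S+))?", line):
            acls.setdefault(m.group(1), [])
            if m.group(2):              # first object / object-group reference on the line
                acls[m.group(1)].append((m.group(2), m.group(3)))
        elif m := re.match(r"access-group (\S+) in interface \S+$", line):
            bound.add(m.group(1))
        elif current and current[0] == "object":
            if m := re.match(r"host (\S+)$", line):
                objects[current[1]]["host"] = m.group(1)
            elif line.startswith("nat "):
                objects[current[1]]["nat"].append(line)
        elif current and current[0] == "group":
            if m := re.match(r"network-object host (\S+)$", line):
                groups[current[1]].append(m.group(1))
    return objects, groups, acls, bound


def lint(text):
    """Return a list of findings; an empty list means none of the pitfalls is present."""
    objects, groups, acls, bound = parse_config(text)
    findings = []
    natted = {o["host"] for o in objects.values() if o["host"] and o["nat"]}
    for name, o in objects.items():
        if len(o["nat"]) > 1:
            findings.append(f"object {name}: {len(o['nat'])} nat statements, each "
                            "overwrites the previous one; use one object per port")
    for acl, refs in acls.items():
        for kind, ref in refs:
            if kind == "object" and ref in objects:
                hosts = [objects[ref]["host"]]
            elif kind == "object-group" and ref in groups:
                hosts = groups[ref]
            else:
                findings.append(f"acl {acl}: references undefined {kind} {ref}")
                continue
            for h in hosts:
                if h and h not in natted:
                    findings.append(f"acl {acl}: permits {h} (via {ref}) but no object "
                                    "nats that host, so the outside IP is never translated")
        if acl not in bound:
            findings.append(f"acl {acl}: never bound with access-group, so it is not enforced")
    return findings


# Constructed sample: one object with two nat statements, a group member
# without any nat, and an ACL that is never applied to an interface.
SAMPLE_CONFIG = """
object network Webserver
 host 10.9.8.7
 nat (inside,outside) static interface service tcp www www
 nat (inside,outside) static interface service tcp ftp ftp
object network RDPHost
 host 10.9.8.20
object-group network lan_servers
 network-object host 10.9.8.7
 network-object host 10.9.8.20
access-list outside_access_in permit tcp any object-group lan_servers eq 3389
access-list outside_access_in permit tcp any object Webserver eq www
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Paste the output of show running-config into the string and the three findings point at the exact object or ACL to fix. Because the parser re-opens an object each time its name appears, it also handles the split layout Andrew describes, where the host line and the nat line for the same object sit in different parts of the config.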

  • http://www.gregoryledet.com Greg Ledet

    What about it? Is it kicking back at you? Post the output

  • Mery jessy

    It’s a great and so nice comments…………Thank you for post. :)

  • Fahima D costa

    Interesting article comments. This article help to every one……. I wish you all the best……… Thanks. :)

  • Pingback: Xbox 360 Open NAT with Cisco ASA 8.3 or newer « GregLedet.net

  • Keith Howanitz

    So, if you have a service you wish to nat that is not predefined, it would seem to make sense to me to define it first, like say:

    # object service imaps
    # service tcp destination eq 993

    and then use “imaps” definition in the (following incorrect) nat statement:

    # nat (inside,outside) static interface service tcp imaps imaps

    instead of this working statement:

    # nat (inside,outside) static interface service tcp 993 993

    So, am I missing something? Is the best practice to use the port number to define nat statements, or is there some step or some other definition?

    What is the purpose of “object service”?

  • http://dissertationtoday.com/writing/dissertation/phd-dissertation phd dissertation

    very cool post! thanks a lot for sharing!

  • Steven Cottom

    excellent post, you missed adding the access list to the access group on the outside interface as someone mentioned but it’s still a great post for anyone getting to grips with ACL’s on 8.3

  • http://www.begun.ru/begun/collaboration/agents/detail.php?ID=3689 ????????

    Wow, great. I have read many articles about this topic and every time I learn something new; I don't think it will ever stop, always new info. Thanks for all of your hard work!

  • http://customresearchpaper.net/ research papers

    Thanks!!! It's really helped me

  • http://www.moncleroutletmall-it.com Moncler Outlet

    very cool post! thanks a lot for sharing

  • http://customresearchpaper.net/ custom research paper

    Nice effort, very informative!

  • http://web-promo.com.ua webpromo

    I will recommend my friends to read this.I will bookmark your blog and have my children check up here often.

  • http://maldives2you.com/ maldives vacation packages

    It is a nice post.thank you.

  • http://researchpapermonster.com/ research paper

    Great post, I enjoyed reading it.

  • http://www.christianlouboutinfantasy.com/ Christian Louboutin

    All amazing think again, frequently purchasing using a individual shopper has
    many rewards Christian
    Louboutin Miss Cristo 140mm Black. Your individual stylist should certainly
    be experienced at buying outfits that meet your appearance christian
    louboutin Black Suede Guerriere 120 wrapped boots. 

  • http://webpromoexpert.co.uk/ seo optimization

    This is a very significant blog.

  • Allen Hancock

    Any word on this?

  • http://whoisessay.com/writingbee-review.html writingbee

    agreed

  • http://writingbee.info/ writingbee.com

    That is really amazing dear buddy keep it up.

  • http://www.facebook.com/essaywriter.org essaywriter

    Great so nice great!!

  • http://twitter.com/#!/Essay___Writer essaywriter.org

    very interesting post!!
