Custom PRTG Sensor with Speedtest.Net CLI (Windows)

There’s a few different options out there offering insight into how to create a custom speed test sensor to PRTG, but today I’m going to use this one from Nicolai Pederson as my jumping off point. Nicolai was using an .exe file from Github that hadn’t been updated in sometime now, and when I started messing with it, I noticed that the speed test really didn’t run long enough to give a valid result. Also, Ookla’s Speedtest.net recently released their own CLI tool, so I wanted to take what Nicolai did and make it work with the new took from Ookla, which is actually pretty easy. So, we’re going to follow his instructions, with a few changes to his .bat file and I’m going to make one change to keep the results consistent.

    1. Download the Speedtest.net CLI app from Ookla.
    2. Copy those files to “C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML”. For sake of simplicity, that’s going to be our working directory.
    3. Open up a command prompt, cd to “C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML”, and run “speedtest.exe -L”. This is going to give you a list of servers close to you. I would recommend picking the server of your ISP if it’s on the list.
    4. Once you have your server picked, make note of server ID. We’re going to be using that in our .bat file shortly. In my case, I’m using the Spectrum server, ID 16969.
    5. Open up Notepad and copy the following. We’re going to create a .bat file with it.
      1. @ECHO off
        SETLOCAL EnableDelayedExpansion
        SET “Latency=”
        SET “Download=”
        SET “Upload=”
        FOR /F “tokens=4,7,8 delims=,” %%A IN (‘”C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML\speedtest.exe” –accept-license -s 16969 -f csv’) DO (
        SET Latency=%%~A
        SET Download=%%~B
        SET Upload=%%~C
        )
        ECHO ^<PRTG^>
        ECHO ^<result^>
        ECHO ^<Channel^>Ping Latency^</Channel^>
        ECHO ^<value^>%Latency%^</value^>
        ECHO ^<Mode^>Absolute^</Mode^>
        ECHO ^<Unit^>TimeResponse^</Unit^>
        ECHO ^<Float^>1^</Float^>
        ECHO ^<ShowChart^>1^</ShowChart^>
        ECHO ^<ShowTable^>1^</ShowTable^>
        ECHO ^</result^>
        ECHO ^<result^>
        ECHO ^<Channel^>Download^</Channel^>
        ECHO ^<value^>%Download%^</value^>
        ECHO ^<Mode^>Absolute^</Mode^>
        ECHO ^<volumeSize^>MegaBit^</volumeSize^>
        ECHO ^<float^>0^</float^>
        ECHO ^<unit^>SpeedNet^</unit^>
        ECHO ^<ShowChart^>1^</ShowChart^>
        ECHO ^<ShowTable^>1^</ShowTable^>
        ECHO ^</result^>
        ECHO ^<result^>
        ECHO ^<Channel^>Upload^</Channel^>
        ECHO ^<value^>%Upload%^</value^>
        ECHO ^<Mode^>Absolute^</Mode^>
        ECHO ^<volumeSize^>MegaBit^</volumeSize^>
        ECHO ^<float^>0^</float^>
        ECHO ^<unit^>SpeedNet^</unit^>
        ECHO ^<ShowChart^>1^</ShowChart^>
        ECHO ^<ShowTable^>1^</ShowTable^>
        ECHO ^</result^>
        ECHO ^</PRTG^>

    6. Replace the server 16969 with the server ID of your choice. The reason we’re going to use the same server, preferably from your ISP, is to have consistency with your speed test. If you’re using multiple servers, you could get varying results as you don’t know what kind of bandwidth each server has. And, if you’re using your own ISP, they’re a lot more likely to give you truly accurate results and less likely to block you if you run the test a lot.
    7. Save the file as something like speedtest.bat in the working directory, “C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXEXML”. Just make sure you remember what you saved it as.
    8. Go to PRTG and create a new sensor. The sensor type will be “EXE / Script Advanced”, then name it and select your “speedtest.bat” for EXE/Script under Sensor Settings.
    9. Once you have the sensor created and you gather some data, go in change the scanning interval. You obviously don’t want this thing scanning every 60 seconds or so. I set mine to scan every 6 hours, but you can set yours as you see fit.

So, why did I do this when Nicolai had already done the work? Well, the Github .exe that Nicolai uses only runs for a few seconds and doesn’t really run long enough to give an accurate reading, also it tried to use servers that didn’t exist anymore. If you check his website, you’ll see there’s some comments about people complaining that they were getting incorrect results. The “official” Speedtest CLI app solves that problem. Also, the official app can spit out JSON, but PRTG doesn’t like the format, and I’m not smart enough to know how to parse the data into a format that it does like, so I had to figure out a way to get the data I wanted into a format that PRTG wanted.

Now, for those of you like me that aren’t smart and want to figure out what that .bat file is doing, I’ll explain. The speedtest.exe file is spitting out the data in a CSV format (the “-f csv” behind the command is the formatting). The “FOR /F “tokens=4,7,8 delims=,”” in the .bat is a loop telling it that the output is comma delimited, and you want to look at the data that’s behind the 4th, 7th, and 8th comma. YOU MAY NEED TO CHANGE THIS! The reason It’s set to 4,7,8 on mine is because the output of the actual command comes back with the very first line being “Spectrum – Columbus, OH”, and it reads the comma before OH as, well, a comma. If the output of your command doesn’t have a comma there, you may have to change it. To find out for sure, you can run the following:

speedtest.exe –accept-license -s #YOURSERVERNUMBER# -f csv

The count commas. If you’re not sure what data is where, you can run the following and it will tell you.

speedtest.exe –accept-license -s #YOURSERVERNUMBER# -f csv –output-header

That will tell you what data is in which location. You’ll get something like this:

“server name”,”server id”,”latency”,”jitter”,”packet loss”,”download”,”upload”,”download bytes”,”upload bytes”,”share url”

“Spectrum – Columbus, OH”,”16969″,”7.495″,”0.786″,”N/A”,”110863914″,”4621941″,”1425470568″,”32103608″,”https://www.speedtest.net/result/c/73cf23fa-84cd-4473-a816-4154424fd027″

Of course, now that you know what’s being parsed and how, you can add more data to this if you want, like packet loss, jitter, download bytes, etc. You just need to follow the example set in the .bat file, make sure you test it out. You can run the .bat from the CLI and see the data or check for errors before creating the sensor. Since I first posted this, I’ve gone ahead and created an example that pulls all the information from the CLI output except packet loss into one place. You can download that here, and just rename it to .bat to run it. Don’t forget to change your server ID too! One more note of changes I made in the .bat file between his and mine; I removed his remarks, added a ~ between “%%~A”, etc to remove the quotes from the response in the CSV file, and cleaned up the formatting a bit, and removed the “00” from the upload and download values (they’re not needed). I should also note that I spent over 2 hours trying to figure out why I was seeing good, clean data at the CLI, but only zeros in PRTG. Let’s just say there’s very a reason the “–accept-license” option is set in the command now <grrr….>. Once you’re done, you’ll end up with a working sensor!

Update 3/11/20: As Roman in the comments found out, if your country or area requires that you accept other types of licenses or data protection regulations (like the GDPR in the EU), you may need to feed that into the command. It took me 2 hours to realize I needed to feed the “–accept-license” option, and it took Roman 3 days to figure out he needed to feed the “–accept-gdpr” option. Whenever you first run the command from the CLI, you will be asked to accept certain things, like the license and possibly the GDPR and anything else. REMEMBER WHAT IT IS YOU ACCEPT. PRTG is going to run this command as a different user, which is why you have to feed the “–accept-license” option to the command; just because you accepted the license doesn’t mean PRTG did. If you’re getting zero’s on your sensor, try to figure out what other options need to be accepted in your area when you issue the command. Then go into the comments below and thank Roman for chasing this down over 3 days so you didn’t have to.

IPv6, Time Warner / Spectrum, and the Juniper SRX.

I’ve had an IPv6 tunnel from HE.net for quite some time now. Back when I was running the ASA 5505 as my edge, I had to put a router behind it to create the tunnel. Then, when I replaced the ASA with an SRX 220 back in December 2015, I was able to build the tunnel natively on the SRX. Since that time, Time Warner has gotten around to providing IPv6 in my area and I’ve tried a couple different times to get it working with no luck. Now, I’ve finally decided that I wasn’t going to stop working on it until I got it working, and I’ve done just that, so it’s time to tell you guys how to do it yourself.

First a few caveats… Obviously, Time Warner (now Spectrum) needs to provide IPv6 in your area and that your modem supports it. I don’t remember how I found out that they finally had it here, but it was probably a fellow network engineer at TWC that told me. Second, realize that you’re going to have to reboot the SRX, so you’re going to lose connectivity for a bit. The reason you’ll need to reboot is that we need to enable IPv6 flow mode, otherwise the SRX will just drop IPv6 traffic. Let’s start with that…

Obviously, ssh into the SRX and enter config mode. Then enter the following command:

set security forwarding-options family inet6 mode flow-based

Then you’ll need to reboot with “request system reboot”. Once it comes back up, you’re ready to move on.

Your ge-0/0/0.0 interface probably looks something this at present:

greg@SRX220H# show interfaces ge-0/0/0.0

description “Uplink to Cable Modem”;

family inet {

    dhcp;

}

We’re going to need to change the dhcp daemon that you’re using on that interface because if we were to continue on with what’s coming, you’d get an error. Then we’re going to add the ipv6 dhcpv6-client config to the same interface. Here’s your commands:

delete interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set interfaces ge-0/0/0 unit 0 family inet6 dad-disable
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type statefull
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-na
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-pd
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface vlan.0

Now we need to set our firewall to allow some traffic:

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcpv6
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols router-discovery

That should be pretty self explanatory. You need to allow dhcpv6 through the firewall for all this to work, and we’re going to use router-discovery to figure things out. Once you commit that, the SRX should ask TWC for an IPv6 address. Let’s check to see if we got one…

greg@SRX220H# run show dhcpv6 client binding

IP/prefix                       Expires     State      ClientType    Interface       Client DUID

2607:fcc8:ffc0:5:14c9:b140:XXXX:XXXX/128 600553 BOUND  STATEFUL      ge-0/0/0.0      LL0x3-54:e0:32:ec:XX:XX

2605:a000:XXXX:XXXX::/64        600553      BOUND      STATEFUL      ge-0/0/0.0      LL0x3-54:e0:32:ec:XX:XX

It looks like we have an address! Now, we need to add a route… we’ll find our next hop by running the previous command and adding detail:

greg@SRX220H# run show dhcpv6 client binding detail

Client Interface: ge-0/0/0.0

     Hardware Address:             54:e0:32:ec:XX:XX

     State:                        BOUND(DHCPV6_CLIENT_STATE_BOUND)

     ClientType:                   STATEFUL

     Lease Expires:                2017-07-14 08:01:52 EDT

     Lease Expires in:             600551 seconds

     Lease Start:                  2017-07-07 08:01:52 EDT

     Bind Type:                    IA_NA IA_PD

     Client DUID:                  LL0x3-54:e0:32:ec:XX:XX

     Rapid Commit:                 Off

     Server Ip Address:            fe80::201:5cff:fe78:XXXX

     Client IP Address:            2607:fcc8:ffc0:5:14c9:b140:XXXX:XXXX/128

     Client IP Prefix:             2605:a000:XXXX:XXXX::/64

DHCP options:

    Name: server-identifier, Value: LL_TIME0x1-0x1d7c50b0-00:50:56:XX:XX:XX

Yes, the lease started about an hour before I posted this. I was so excited that I had to post immediately! Anyway, we’re looking for that Server IP Address. Once we have that, let’s add a static route to it.

set routing-options rib inet6.0 static route ::/0 qualified-next-hop fe80::201:5cff:fe78:XXXX interface ge-0/0/0.0

The qualified-next-hop is going to give you a lot more control over a standard next-hop. Commit the config. Once everything is committed, it’s time to test, so we’ll ping Google’s DNS server.

# run ping 2001:4860:4860::8888

You should get a response. IPv6 is now working! W00T! In order to get your network clients talking to the internet on IPv6, you’ll have to configure them to use IPv6. As you can see up above in the dhcpv6 client binding detail, there’s a “Client IP Prefix”. That’s the prefix assigned to you. If you do a “run show interfaces vlan.0 terse”, you’ll see that it now has an inet6 address that looks like 2605:a000:XXXX:XXXX:1::1/80. That’s going to be your IPv6 router / gateway address. You can statically assign IP’s by just counting up from that last ::1, so assign 2605:a000:XXXX:XXXX:1::2/80 to your workstation and try to ping 2001:4860:4860::8888. If you get a response, you’re good to go.

So, that’s the commands I had to enter to get IPv6 working on my SRX. YMMV depending on TWC’s configuration in your area, but this should get you pretty damn close.

Home NAS Refresh

I think that, in this day and age, everyone should have a NAS at their house. For those of you that don’t know what I’m talking about, NAS stands for ‘Network Attached Storage’. A NAS is handy for storing all sorts of things, primarily backups of your computers and your media. In my case, I have a lot of movies and TV shows for my various media players. I also have a ton of photos and videos from over the years, as well as from my drones. Having a large NAS means that I don’t have delete anything. My NAS also acts as a server for various other things that I’ll get into in another post.

For your NAS to be effective, it needs to have lots of space and have enough room to expand. You also need to have an effective operating system running the NAS. For this build, I’m going to use FreeNAS. I had been planning to build this thing for a while, but didn’t get around to finally getting everything setup and running until July 31, 2015. Since then it’s been running pretty stable, but I used an Intel G3220 and 8GB of RAM when I first put it together and I’ve outgrown that processor and RAM, so it’s time for an upgrade. Here’s the hardware list of everything that’s going into the machine:

  • Intel Core i7-4790K CPU
  • ASRock Z97 EXTREME6 ATX LGA1150 Motherboard
  • G.Skill Ripjaws X Series 32GB (4 x 8GB) DDR3-1600 Memory
  • 6x WD Red 3TB 3.5″ 5400RPM HDD
  • Rosewill R​SV-L4412 -​ 4U Rackmo​unt Server​ C​hassis, 12​ SATA / SA​S Hot-swap​ Drives
  • EVGA SuperNOVA 1000G2 1000W 80+ Gold Certified Fully-Modular ATX Power Supply

The only thing that’s carrying over from the previous build are the 6 WD Red 3TB hard drives and the actual FreeNAS install. I was going to just upgrade the CPU and the RAM, but some pins got bent on the ASUS Z87-A motherboard I had, so it needed to get upgraded too. I also figured that while I was at it, I’d put it in a nice rackmount chassis too.

The build went rather smooth. I pulled the hardware out of the old mid-tower case and moved it into the rackmount chassis. I had originally planned on using some M.2 SSDs for boot drives, but ran into some issues. First, the drives I bought weren’t compatible with the Ultra M.2 slot on the motherboard. Secondly, the other M.2 slot ate two of my SATA ports on the motherboard. Because I didn’t bother to read the manual, it took me quite a while to figure out why those two drives weren’t being seen by the BIOS. Ultimately, I got everything put together and all 6 drives were being recognized. FreeNAS booted right up without any issues. I’ll probably pick up an Ultra M.2 SSD in the future to use as L2ARC since it’s so freaking FAST.

More info will be posted soon on how I’m going to automate my media collection and sharing.

Windows IP conflict when there is no conflict

Just had an interesting problem with a customer that seems a bit obscure, so I figured I would write it down to help someone else. All of the other solutions to this issue focus solely on there being a problem on the Windows side, which may not necessarily be the case.

Situation: customer is setting up a Windows 2008 R2 server in a VMware cluster, on a VLAN that is sitting behind a firewall. The firewall is is the gateway for the VLAN (say 192.168.34.1). When configuring the network interface on the server, picking ANY IP address in the 192.168.34.0/24 network results in the error message “Windows had detected an IP address conflict”. This happens even if there are no other devices on the VLAN aside from the firewall.

The issue? There was a static (identity) NAT entry in the Cisco ASA firewall for 192.168.34.0/24. By default, Cisco firewalls will proxy ARP for NAT entries.

  • (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting.
  • (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired.

This is desirable behavior for a firewall on the edge of the network because the upstream router needs to know where to send traffic for NAT’ed hosts. For internal firewalls this can cause issues, especially with 8.4 code where you need to setup identity NAT to exempt devices from NAT.

The solution? Add “no-proxy-arp” to the end of your identity NAT statements:

nat (inside,outside) source static obj_Internal obj_Internal no-proxy-arp route-lookup

The other (less desirable) solution is to disable the ARP-checking functionality in Windows, but this means it won’t be able to detect a legitimate IP conflict. You can do this through a quick registry hack: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create a DWORD named “ArpRetryCount” with a value of “0?.

Configuring a port analyzer (port mirror) on the Juniper EX switch

Yes, it’s been a while since my last update, so I’m going to make this one short and sweet. Lately I started messing around with Plex Media Center/Server and sharing my server with a couple of my friends. While I do have a good bit of bandwidth here at the house, my friends sure know how to suck that bandwidth dry. So, it’s time to implement some traffic shaping here at the house.

In order to implement the traffic shaping, I need to know what the traffic looks like. For me to shape it, I need to know what it looks like, so I’m going to setup an analyzer. I have a specific media server that is separate from my lab rack. It’s plugged into a little Cisco gigabit switch that has an LACP Lag bundle going back to my core EX3200-48T. To setup an analyzer is very simple…in fact, it’s only 3 commands.

set ethernet-switching options analyzer plex–monitor input ingress interface ae0.0 set ethernet-switching options analyzer plex–monitor input egress interface ae0.0 set ethernet-switching options analyzer plex–monitor output interface xe-0/0/45.0

That’s it. Now, let me explain what I did there.

To configure an analyzer called “plex-monitor” and specify the input (source) interfaces and the output interface, I need to configure the interface connected to my media server as input interfaces for the port-mirror analyzer. I want to see both ingress and egress traffic, so I tell it to do both.

[edit ethernet-switching-options]
user@switch# set analyzer plex-monitor input ingress interface ae0.0
user@switch# set analyzer plex-monitor input egress interface ae0.0

Now, I configure the output analyzer interface for the analyzer. This will be the destination interface for the mirrored packets:

[edit ethernet-switching-options] user@switch# set analyzer plex-monitor output interface ge-0/0/45.0

That’s it. Now, all the traffic going to that lag bundle (the server is the only thing plugged into that switch) will be mirrored to port ge-0/0/45. I can plug my Wireshark box into that port, get a good capture of the traffic, and set my traffic shaping accordingly. Can you guess what my next post is going to be about? ;)

QoS issues on Cisco 2960s. (High CPU Utilization)

Recently I’ve run into two clients that were issues with the Cisco 2960G and 2960S switches. Both clients are using PoE versions of the switch for VoIP applications. They were noticing jitter, packet loss and poor call quality, even though QoS is configured on the switch. After a lot of troubleshooting on the voice side of the house, they came to me to see if I could find anything going on. In digging around in the first customer’s network, I noticed that the CLI was pretty slow and did a quick “show processes cpu” and saw that the cpu utilization was around 80%. By sorting the processes, I saw that the Hulc LED process was taking up about 15%. A quick search of the Cisco Bug Toolkit brought up Bug ID CSCtg86211 (you need a CCO account to view), even though that’s not 100% correct. It’s the only one that explained what’s going on.

I had the client open a TAC case and TAC wanted to fight with the client, telling them that the high CPU shouldn’t have any effect on the switch performance (really!). I suggested that the client upgrade the switches to the latest version of IOS and once that was done, all the voice quality issues disappeared. Total CPU utilization dropped to below 20%, calls cleared up, everything was beautiful.

Last week, I got an email from one of our project managers asking if I could look into an issue that another client was having. If I hadn’t known that this was a different client, I would have thought that she had cut and pasted the exact problems that the first client was having. When I found out that they were using 2960’s, I immediately thought of this and sent the client a copy of the bug report and told him to open a TAC case. This is the email I received from him:

I tested the CPU Utilization on all of our Cisco 2960Ss and they ranged between 68-99%. I have a test switch on the bench with nothing connected and it was running at 75%. I updated it with the new code and it dropped to the 20-35 % range. I am going to update some additional switches before I call Cisco. The first question they will probably ask is are you running the latest code.

He’s right… Cisco will be wanting to know that. I know that once the new IOS is on the switch, it’ll solve his problems. I just wanted to put this out there so you guys don’t have to do all the searching that I did when/if you run across the same issues on your end.

Port Forwarding on the Cisco ASA in 8.3 from the ASDM made easy

In my last post I taught you how to forward a port on the ASA 5505 running version 8.3 from the CLI. Some of you prefer to use the ASDM to do you changes, so I guess I’ll show you how to do it from there. The ASDM is a bit of a learning curve for someone that’s used to the CLI, and most CLI guys hate a GUI with a great passion. I can go either way. I use the ASDM to make some changes simply because I want to learn it and there’s some guys coming into the field today that were taught on the GUI rather than a command line.

In this lesson I’m using ASDM version 6.3(1) and ASA version 8.3(1). Since we added a web server in the last post, let’s make this one an FTP server. The FTP server’s IP is the same as the web server, 10.9.8.7/24 and we’re running over the standard FTP port, 21.

First off, we want to start up the ASDM and connect to the ASA. Once there, click on the button at the top of the screen, then the button near the bottom left, and finally select near the top left. You’ll now be at a screen that looks something like this:

Click for larger version

Now we need to create a new object, so click on “Add” under Addresses, then “Network Object”.
Now we need to fill out our new window. Once you fill out the name, IP address and description, you need to drop down the NAT box and fill it out. Click the “Add Automatic Address Translation Rules” box, leave the type as “static” and set the translated address as the outside interface.
We now need to go to the Advanced menu from the Add Network Object window and setup the port forwarding. The source will be inside, destination is outside. Protocol in this instance is TCP and our port is 21, both real and mapped.
Click “OK” twice and your object will be created as well as the port forward. Now we just need to add the access rule. On the left side of the screen, just above the NAT Rules is your Access Rules. From there we want to click “Add” and “Access Rule”.
We need to create the rule on the outside interface, coming from any IP to the FTPServer using FTP as the service.
Once you click OK, your rule is added. You don’t have to add a description like I did in the image above this one, I just did that for the hell of it. When you click “Apply” at the bottom of the screen, the ASDM will issue the commands to the ASA. I have preview turned on, so I can always see what commands are being sent to the device before they are actually sent. If you followed all the steps above and you have preview turned on, you’ll see the following:
And you’ll notice that those are the exact 4 commands that I gave in the last post about doing it from the CLI! Now you can forward any port you want from either the CLI or the ASDM!

On a side note, I know a lot of guys hate the ASDM. When I was writing this post and going through all of this I was kinda upset when I saw that I had 10 pictures for 4 lines of code. The good thing about the ASDM is that you have everything right there at your disposal and you really don’t need to know the vernacular of IOS. The drawback is that it will take you longer to get things done at first, but once you get used to it, it can be just as fast.

Port Forwarding on the Cisco ASA in 8.3 from the CLI made easy

So it’s been a month and a half since I posted an update, and it’s 4:15 am right now. I can’t sleep and I found out there’s another networking blog out there using the same WP theme as me, so I figured I better put something up here since it was fresh in my mind. Well, now that the niceties are out of the way, let’s get to work.

I recently added an ASA 5505 to my home network at the edge. Obviously, when I did, all of my port forwards went to hell because the ASA is now blocking everything. I run a web server on one of my servers here and I like to be able to access it because I keep a lot of tech manuals and other stuff on there. Well, I went about trying to set up port forwarding the old way and learned real quick that this pops up when I do:

ERROR: This syntax of nat command has been deprecated.
Please refer to “help nat” command for more details.

Yeah, that sucks. On the new version of the ASA OS, global has gone the way of the dodo. I did a bunch of searches on Google to figure it out and everything I ran across was very hard to decipher. That’s why I’m writing this. You can setup a port forward in 4 quick and easy steps. Just change the things that are underlined to fit your network and you’ll be just fine.

In this example, we want to be able to access a web server behind the firewall. We’ll assume you are using the standard HTTP port, the web server’s internal IP address is 10.9.8.7/24, and that you at least know what you’re doing enough to be configuring an ASA in the first place. I’ll give you the steps, then I’ll explain.

Step 1: Create a new object group for you web server.

asa5505(config)# object network Webserver

Step 2: Add the IP of the web server to the network group.

asa5505(config-network-object)# host 10.9.8.7

Step 3: Forward the port via the NAT command.

asa5505(config-network-object)# nat (inside,outside) static interface service tcp www www

Step 4: Exit back to the root and add the access list

 asa5505(config)# access-list outside_access_in permit tcp any object Webserver eq www

That’s it! Now, let’s explain what’s going on here. Cisco has started moving more and more towards use of object groups in their configs. It makes things easier, especially when you have a situation where you have 20 web servers behind the firewall and you want to add 1 more in. Rather than having to rewrite a whole bunch of ACL’s, you just add the IP of the new web server into the object group and everything is done for you. After you create the object group (in this instance a network object, you can also create service objects), you add the IP of the specific object (or objects) that you want to point to. So here our web server is 10.9.8.7. If you want to send port 80 to more than 1 IP on your internal network, just add more IP’s to that object group.

Now is the fun part. While we’re in the object group, we need to NAT port 80 only to that specific object group, hence you’re still at “asa5505(config-network-object)#” prompt. Now type “end” to get back to the regular config terminal and we need to open that port in the ACL. Yes, www = 80. You can type either one and you get the same result. If I have to go through and explain NAT, how it works and why I enter in that specific command to forward the port, then there’s a possibility that I’d need to send you an invoice for my time because we would be here for a while.

This works for ANY port forward. If you want to RDP into a machine, simply replace port 80 (all those www’s you see up there) with 3389. There is one caveat. You can only do one port forward per object group. So let’s say that our web server is also an FTP server and you want port 21 to forward as well as port 80. You’re going to have to create a whole new object group (object network FTPServer), put the same IP in the group (host 10.9.8.7), do the nat command again (nat (inside,outside) static interface service tcp ftp ftp), exit back to the root of config, and add the access list (access-list outside_access_in permit tcp any object FTPServer eq ftp).

This should get you up and running with you port forwards in no time flat. It is a bit of a pain in the ass to have to create a new object group for every port you want to forward, and maybe there’s someone out there that’s reading this right now thinking “dude, you don’t have to create more than one group! You can just do…”. Well, you need to enlighten the world with this knowledge and post it in the comments section. And if you’re too scared to do so, shoot me an email to greg(at)gregledet(dot)net.

I’d also like to thank Stefan Fouant for an excellent class today on JUNOS Switching. I learned a lot in his class and you can learn a lot from his website. Check it out and tell him Greg sent ya!