
Cisco ASA Port Forwarding


moria6 (MIS)
Jul 11, 2000
Trying to replace a Linksys router/firewall (BEFSR41) with a Cisco ASA5505 (ran out of ports and port-forwarding capability; I would also like to do more with network management and VPN, but that's for later).

Linksys device was set to forward ports from one public IP address to multiple private IP addresses as below:


forward ports 5635-5636 tcp to 192.168.1.223
forward ports 5637-5638 tcp to 192.168.1.224
forward ports 5639-5640 tcp to 192.168.1.225
forward port 7011 tcp to 192.168.1.223
forward port 7013 tcp to 192.168.1.224
forward port 7015 tcp to 192.168.1.225


The config I currently have is below (with public IPs x'd out) and is not working.

xxx.xxx.xxx.1 is gateway (cable modem)
xxx.xxx.xxx.2 is ASA public IP

I am not by any stretch a PIX/ASA expert. Any help is much appreciated!


moria6

##########################################################
ASA Version 7.2(3)
!
hostname asa1
domain-name default.domain.invalid
enable password
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.2 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5635
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5636
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5637
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5638
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5639
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5640
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5641
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 5642
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 7013
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 7015
access-list inbound extended permit tcp any host xxx.xxx.xxx.2 eq 7017
access-list inbound extended permit icmp any any
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any echo
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging console warnings
logging asdm informational
logging host inside 192.168.1.xxx
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp xxx.xxx.xxx.2 5635 192.168.1.223 5635 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5636 192.168.1.223 5636 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5637 192.168.1.224 5637 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5638 192.168.1.224 5638 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5639 192.168.1.225 5639 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5640 192.168.1.225 5640 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5641 192.168.1.226 5641 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 5642 192.168.1.226 5642 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7013 192.168.1.223 7011 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7013 192.168.1.224 7013 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7015 192.168.1.225 7015 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.2 7017 192.168.1.226 7017 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2
console timeout 0

!
!
prompt hostname context
##########################################################
 

Try this: change your ACL and static NAT to use "interface outside" instead of the IP address. Clear xlate after making the changes.


access-list inbound extended permit tcp any interface outside range 5635 5642
access-list inbound extended permit tcp any interface outside eq 7013
access-list inbound extended permit tcp any interface outside eq 7015
access-list inbound extended permit tcp any interface outside eq 7017
access-list inbound extended permit icmp any any
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any echo
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded

static (inside,outside) tcp interface outside 5635 192.168.1.223 5635 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5636 192.168.1.223 5636 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5637 192.168.1.224 5637 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5638 192.168.1.224 5638 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5639 192.168.1.225 5639 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5640 192.168.1.225 5640 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5641 192.168.1.226 5641 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5642 192.168.1.226 5642 netmask 255.255.255.255
static (inside,outside) tcp interface outside 7013 192.168.1.223 7011 netmask 255.255.255.255
static (inside,outside) tcp interface outside 7013 192.168.1.224 7013 netmask 255.255.255.255
static (inside,outside) tcp interface outside 7015 192.168.1.225 7015 netmask 255.255.255.255
static (inside,outside) tcp interface outside 7017 192.168.1.226 7017 netmask 255.255.255.255
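Before cutting over, it is worth checking a port-forwarding config like the one above mechanically rather than by eye: every static should have an ACL permit, every permit should have a static behind it, no two statics may claim the same outside port, and the result should match the forwarding table the Linksys had. The script below is an added example written for this thread (not the poster's or hepcatg's code, and not an ASA tool); it parses the "access-list ... extended permit tcp" and "static (inside,outside) tcp" lines from the suggested config and compares them against the original Linksys forwarding list from the first post.

```python
"""Consistency check for ASA 7.x port-forwarding config (added example).

Parses the ACL permit and static NAT lines quoted in this thread and
reports mismatches. Regexes cover only the two line forms seen here.
"""
import re
from collections import defaultdict

# "access-list NAME extended permit tcp any (host IP | interface IF) (eq P | range LO HI)"
ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+tcp\s+any\s+"
    r"(?:host\s+\S+|interface\s+\S+)\s+"
    r"(?:eq\s+(?P<eq>\d+)|range\s+(?P<lo>\d+)\s+(?P<hi>\d+))"
)
# "static (inside,outside) tcp (interface IF | OUTSIDE_IP) OPORT INSIDE_IP IPORT"
STATIC_RE = re.compile(
    r"static\s+\(inside,outside\)\s+tcp\s+"
    r"(?:interface\s+\S+|\S+)\s+(?P<oport>\d+)\s+"
    r"(?P<ihost>\S+)\s+(?P<iport>\d+)"
)

# The ACL and statics hepcatg suggested, copied from the thread.
SUGGESTED_CONFIG = """
access-list inbound extended permit tcp any interface outside range 5635 5642
access-list inbound extended permit tcp any interface outside eq 7013
access-list inbound extended permit tcp any interface outside eq 7015
access-list inbound extended permit tcp any interface outside eq 7017
access-list inbound extended permit icmp any any
static (inside,outside) tcp interface outside 5635 192.168.1.223 5635 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5636 192.168.1.223 5636 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5637 192.168.1.224 5637 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5638 192.168.1.224 5638 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5639 192.168.1.225 5639 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5640 192.168.1.225 5640 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5641 192.168.1.226 5641 netmask 255.255.255.255
static (inside,outside) tcp interface outside 5642 192.168.1.226 5642 netmask 255.255.255.255
static (inside,outside) tcp interface outside 7013 192.168.1.223 7011 netmask 255.255.255.255
static (inside,outside) tcp interface outside 7013 192.168.1.224 7013 netmask 255.255.255.255
static (inside,outside) tcp interface outside 7015 192.168.1.225 7015 netmask 255.255.255.255
static (inside,outside) tcp interface outside 7017 192.168.1.226 7017 netmask 255.255.255.255
"""

# The forwarding table the Linksys had, from the first post: outside port -> (inside host, inside port)
LINKSYS_FORWARDS = {
    5635: ("192.168.1.223", 5635), 5636: ("192.168.1.223", 5636),
    5637: ("192.168.1.224", 5637), 5638: ("192.168.1.224", 5638),
    5639: ("192.168.1.225", 5639), 5640: ("192.168.1.225", 5640),
    7011: ("192.168.1.223", 7011), 7013: ("192.168.1.224", 7013),
    7015: ("192.168.1.225", 7015),
}


def parse_config(text):
    """Return (set of permitted outside ports, list of (oport, inside_host, inside_port))."""
    permitted, statics = set(), []
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            if m.group("eq"):
                permitted.add(int(m.group("eq")))
            else:
                permitted.update(range(int(m.group("lo")), int(m.group("hi")) + 1))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((int(m.group("oport")), m.group("ihost"), int(m.group("iport"))))
    return permitted, statics


def check_forwarding(text, intended):
    """List the problems found: duplicate outside ports, ACL/static mismatches, missing intended forwards."""
    permitted, statics = parse_config(text)
    by_oport = defaultdict(list)
    for oport, ihost, iport in statics:
        by_oport[oport].append((ihost, iport))

    problems = []
    for oport, targets in sorted(by_oport.items()):
        if len(targets) > 1:  # ASA rejects a second static on the same outside port
            problems.append(f"duplicate static for outside port {oport}: {targets}")
        if oport not in permitted:
            problems.append(f"static for outside port {oport} has no ACL permit")
    for port in sorted(permitted - set(by_oport)):
        problems.append(f"ACL permits port {port} but no static maps it")
    for oport, (ihost, iport) in sorted(intended.items()):
        if (ihost, iport) not in by_oport.get(oport, []):
            problems.append(f"intended forward {oport} -> {ihost}:{iport} is missing")
    return problems


if __name__ == "__main__":
    for p in check_forwarding(SUGGESTED_CONFIG, LINKSYS_FORWARDS):
        print(p)
```

Run against the suggested config, the check reports two things: outside port 7013 is claimed by two statics (one to 192.168.1.223:7011 and one to 192.168.1.224:7013), and the original 7011 forward to 192.168.1.223 is not present at all. Running the same check on the first config in the thread gives the same two findings, which is a plausible reason for "still not getting the expected traffic" on that port even after the interface-based statics fixed the rest.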
 
Thanks for the reply and suggestion, hepcatg!

I've been asked to hold off until early Saturday morning before I try another cut-over. Will let you know how it goes.

Thanks again!!!


moria6
 
Hepcatg:

Your code fixed the problem but revealed another. ;)

Started seeing "MSS exceeded, MSS 0" errors. I played around with various settings for the sysopt connection tcpmss x command until issuing a sh asp drop command showed no more MSS drops. Still not getting the expected traffic through. I've asked the vendor to confirm the ports that I am opening for them. I will also try putting a packet sniffer on the line to see what else is going on.

Thanks again for your help!!!


moria6
 

You may have tried this already, but there is a workaround for that. You will just create a class map to allow exceeded MSSes. In the example below I used a permit-any ACL, but you will want to tailor that to the specific traffic that you're having an issue with to avoid unnecessary vulnerabilities. Hope that helps.

cheers




access-list mss-list permit ip any any

class-map mss-class
match access-list mss-list

tcp-map mss-map
exceed-mss allow

policy-map mss-class
class mss-class
set connection advanced-options mss-map

service-policy mss-class interface outside
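To see why the "MSS exceeded" drops appear and what the two knobs in this thread change, the simulation below models the ASA's behaviour in plain Python. It is an added example, not ASA code and not hepcatg's config: the firewall lowers the MSS option in each SYN/SYN-ACK to the value of "sysopt connection tcpmss" (default 1380, 0 disables the rewrite), remembers the clamped value per connection, and drops any later segment whose payload is larger than the MSS its peer was told, unless a tcp-map with "exceed-mss allow" applies. The host stacks and segment sizes are constructed sample values.

```python
"""Model of ASA TCP MSS clamping and 'MSS exceeded' drops (added example, not ASA code)."""
from dataclasses import dataclass

DEFAULT_TCPMSS = 1380  # ASA default for 'sysopt connection tcpmss'


@dataclass
class Conn:
    """Per-connection state the firewall keeps after the handshake."""
    mss_to_server: int  # largest payload the client may send (server's MSS as passed through)
    mss_to_client: int  # largest payload the server may send (client's MSS as passed through)


class AsaMssPolicy:
    def __init__(self, tcpmss=DEFAULT_TCPMSS, exceed_mss_allow=False):
        self.tcpmss = tcpmss            # 'sysopt connection tcpmss N'; 0 = do not rewrite
        self.allow = exceed_mss_allow   # tcp-map 'exceed-mss allow' applied by the service-policy
        self.drops = 0                  # what 'show asp drop' would count as MSS-exceeded

    def clamp(self, advertised):
        """Rewrite the MSS option in a SYN: only ever lowered, never raised."""
        if self.tcpmss == 0:
            return advertised
        return min(advertised, self.tcpmss)

    def handshake(self, client_mss, server_mss):
        """Client SYN and server SYN-ACK both pass through the ASA."""
        return Conn(mss_to_server=self.clamp(server_mss),
                    mss_to_client=self.clamp(client_mss))

    def inspect(self, conn, payload_len, to_server):
        """Check a data segment against the MSS its receiver was told."""
        limit = conn.mss_to_server if to_server else conn.mss_to_client
        if payload_len > limit and not self.allow:
            self.drops += 1
            return "drop: MSS exceeded"
        return "pass"


def scenario(tcpmss, exceed_mss_allow, server_payload=1460):
    """Both hosts advertise 1460; the server then sends a full 1460-byte segment
    (as a stack that ignores the clamped option would). Returns the verdict and drop count."""
    asa = AsaMssPolicy(tcpmss=tcpmss, exceed_mss_allow=exceed_mss_allow)
    conn = asa.handshake(client_mss=1460, server_mss=1460)
    verdict = asa.inspect(conn, server_payload, to_server=False)
    return verdict, asa.drops, conn.mss_to_client


if __name__ == "__main__":
    print("default tcpmss 1380:        ", scenario(1380, False))
    print("tcpmss 0 (no clamping):     ", scenario(0, False))
    print("tcpmss 1380 + exceed-mss allow:", scenario(1380, True))
```

The default clamp drops the oversized segment and the counter rises, which matches the poster seeing drops until the sysopt value was changed. Setting tcpmss to 0 stops the rewrite, so the peer is never told 1380 and nothing is exceeded; hepcatg's tcp-map instead keeps the clamp but lets the oversized segments through for the matched class. The second option is the narrower one only if the class-map ACL is restricted to the hosts and ports that actually need it, as hepcatg notes.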
 
hepcatg:

Your code is better than what I used and I will make the changes and test in the AM.

Thanks again!!!


moria6
 