Cisco ASA port forwarding explained
One of the most frequent questions about Cisco ASA configuration concerns so-called "port forwarding": the NAT configuration that lets users on the Internet reach servers inside the company network.
Basic NAT configuration for giving internal users access to the Internet is described in the article "Basic configuration of Cisco ASA", and the general principles of NAT for various cases in "Using NAT on Cisco router". This article covers only the configuration needed to publish internal resources on the Internet.
For a successful implementation, two steps are required:
- a static NAT configuration for the required addresses and ports;
- permit rules in the access list applied to the outside interface.
In modern versions of Cisco ASA software (8.3 and later) there are two ways to configure static NAT: 1) through network objects (object NAT) and 2) manual (twice) NAT. They differ in configuration logic and command syntax, but both produce the same result. In the first, the lines describing the address translation are bound to a specific object. In the second, the original and translated addresses of the packet are specified in a separate nat line that refers to the same kind of objects. Both variants are shown below; choose the one you find more convenient. If port forwarding does not work with one method, you can try the other, but remove the first rule before adding the second: manual NAT rules are evaluated before object NAT rules, and two rules for the same server and port make it hard to tell which one is actually in effect.
Important!
If you have older hardware running ASA software before version 8.3 (the NAT syntax changed in 8.3), an example of the old syntax is given at the end of the article.
Object NAT
Create an object for the external (mapped) address
object network OBJ_NAT_SERVER_XXX_EXT
host x.x.x.x
For each published port, create a separate object with the internal server address and attach the NAT rule to it
object network OBJ_NAT_SERVER_XXX_INT_1433
host 192.168.1.100
object network OBJ_NAT_SERVER_XXX_INT_1433
nat (inside,outside) static OBJ_NAT_SERVER_XXX_EXT service tcp 1433 1433
In the names used here and below, objects ending in _INT describe the internal (real) resources and objects ending in _EXT the external (mapped) addresses.
The second object is for the same server 192.168.1.100 but has a different name, because a network object can carry only one NAT rule
object network OBJ_NAT_SERVER_XXX_INT_8080
host 192.168.1.100
object network OBJ_NAT_SERVER_XXX_INT_8080
nat (inside,outside) static OBJ_NAT_SERVER_XXX_EXT service tcp 8080 8080
Important!
Adjust the command syntax depending on how many public addresses the ISP has provided.
If the ISP provides only one static address and it is assigned to the outside interface of the ASA, then the NAT command must use the keyword "interface" (meaning the outside interface) instead of an object.
If the ISP has provided several static addresses and you want to use one that is not assigned to the outside interface, then create a separate object with that address, as above.
With only one address available, the command from the example looks like this:
object network OBJ_NAT_SERVER_XXX_INT_1433
nat (inside,outside) static interface service tcp 1433 1433
Manual/Twice NAT
Create an object for the external (mapped) address
object network OBJ_NAT_SERVER_XXX_EXT
host x.x.x.x
Create an object for the internal server
object network OBJ_NAT_SERVER_XXX_INT
host 192.168.1.100
Now create service objects for the ports and protocols that should be reachable from the outside network. In twice NAT the port is written as the source port, because the rule describes the translation from the internal server's point of view:
object service SERVICE_TCP_1433
service tcp source eq 1433
object service SERVICE_TCP_8080
service tcp source eq 8080
A translation rule is written for each port/protocol on a separate line (each nat command is a single line):
nat (inside,outside) source static OBJ_NAT_SERVER_XXX_INT OBJ_NAT_SERVER_XXX_EXT service SERVICE_TCP_1433 SERVICE_TCP_1433
nat (inside,outside) source static OBJ_NAT_SERVER_XXX_INT OBJ_NAT_SERVER_XXX_EXT service SERVICE_TCP_8080 SERVICE_TCP_8080
As mentioned earlier, if only one public address is available and it is already assigned to the outside interface, use the keyword "interface" instead of the object with the external address.
nat (inside,outside) source static OBJ_NAT_SERVER_XXX_INT interface service SERVICE_TCP_1433 SERVICE_TCP_1433
Check the configuration
To check the current configuration, use the command show nat detail. It lists all current translation rules, showing both the external and the internal address for each line, together with hit counters. To test a specific port end to end, including the access list, the packet-tracer command simulates a TCP connection from an outside address to the public address and port and reports whether the packet is translated and allowed or at which phase it is dropped.
Command syntax for old hardware (ASA software before 8.3)
The NAT rules are written line by line, one line per port. Note that the interface pair in brackets at the beginning of the line is given in the order internal,external, while the addresses that follow are given in the reverse order: external (mapped) address and port first, then internal (real) address and port. The command looks like this:
If you need to use an address that is not assigned to the outside interface:
static (inside,outside) tcp x.x.x.x 1433 192.168.1.100 1433 netmask 255.255.255.255
If you need to use the address of the outside interface of the device, use the following command:
static (inside,outside) tcp interface 1433 192.168.1.100 1433 netmask 255.255.255.255
The access permission
In addition to the NAT configuration (object NAT or manual NAT), you must add rules to the access list in order to allow the traffic. Add the corresponding lines to the access list that is applied to the outside interface with the access-group command; without a permit rule there the ASA drops inbound connections arriving on the lower-security outside interface by default. Note that in modern versions of Cisco ASA software (8.3 and later) access is permitted from any address (any) to the internal (real) server address, because NAT is applied before the access list is evaluated. The object referenced in the rule must exist: with object NAT use one of the per-port objects (for example OBJ_NAT_SERVER_XXX_INT_1433), or write the server address with the host keyword. The keyword any opens the port to the whole Internet; where the clients are known, restrict the source to their addresses instead.
access-list ACL_OUTSIDE_IN line 1 extended permit tcp any object OBJ_NAT_SERVER_XXX_INT eq 1433
access-list ACL_OUTSIDE_IN line 2 extended permit tcp any object OBJ_NAT_SERVER_XXX_INT eq 8080
However, if you have older hardware with ASA software before 8.3, the access list must reference the external (mapped) address, and since network objects do not exist before 8.3 the address is written directly with the host keyword:
access-list ACL_OUTSIDE_IN line 1 extended permit tcp any host x.x.x.x eq 1433
access-list ACL_OUTSIDE_IN line 2 extended permit tcp any host x.x.x.x eq 8080
Important!
For more details about the principles and subtleties of the creation and filling the access lists, read the article: Basic Configuration of Cisco ASA.
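The pieces above, combined into one complete object NAT configuration for ASA 8.3 or later with a single public address on the outside interface. This is an added example written for this page, not configuration from the original article: the interface names, the server address 192.168.1.100 and the ports 1433 and 8080 come from the article, the access list name ACL_OUTSIDE_IN is reused from it, and the test source address 198.51.100.10 and source port 40000 used for packet-tracer are assumptions. For the manual/twice NAT variant, replace the nat lines inside the objects with the source static lines from the Manual/Twice NAT section; the access list and the access-group binding stay the same.

```cisco
! Added example (not from the original article): complete port forwarding
! for one internal server on ASA 8.3+, object NAT, public address = outside
! interface address. 192.168.1.100, ports 1433/8080 and interface names are
! from the article; ACL_OUTSIDE_IN is reused; 198.51.100.10:40000 is an
! assumed test client (documentation address range).
!
! 1. One network object per published port, NAT rule attached to the object
object network OBJ_NAT_SERVER_XXX_INT_1433
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 1433 1433
!
object network OBJ_NAT_SERVER_XXX_INT_8080
 host 192.168.1.100
 nat (inside,outside) static interface service tcp 8080 8080
!
! 2. Inbound access list. On 8.3+ the destination is the real (internal)
!    address, because NAT is applied before the ACL is evaluated.
!    "any" exposes the port to the whole Internet; narrow the source to the
!    client networks that really need the service where that is possible.
access-list ACL_OUTSIDE_IN extended permit tcp any object OBJ_NAT_SERVER_XXX_INT_1433 eq 1433
access-list ACL_OUTSIDE_IN extended permit tcp any object OBJ_NAT_SERVER_XXX_INT_8080 eq 8080
!
! 3. The access list has no effect until it is bound to the outside interface
access-group ACL_OUTSIDE_IN in interface outside
!
! 4. Verification: list the translation rules and their hit counters,
!    show the ACL with its hit counts, then simulate one inbound connection
!    from the assumed test client to the public address (x.x.x.x = outside
!    interface address as in the article) on port 1433.
show nat detail
show access-list ACL_OUTSIDE_IN
packet-tracer input outside tcp 198.51.100.10 40000 x.x.x.x 1433
```

In the packet-tracer output the UN-NAT phase should show the destination rewritten to 192.168.1.100 and the final result should be Action: allow. A drop in the ACCESS-LIST phase means the permit line or the access-group binding is missing; a drop reported by the NAT phase usually means the rule does not match the interface pair or the port that was actually requested.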
This article was written by Alexey Yurchenko