Saturday, November 17, 2018

Configure Port Forwarding on a Cisco ASA Firewall

If there's a Cisco router behind an ASA firewall that you need to remotely access over the Internet, you can configure port forwarding on the ASA firewall (using its public WAN/outside IP). This is very useful in scenarios when there's no remote tech to provide console access and you need to establish (and troubleshoot) a site-to-site IPSec VPN back to your HQ.



ASA# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0        200.1.1.50     YES CONFIG up                    up             // outside WAN
GigabitEthernet0/1         192.168.0.229    YES CONFIG up                    up      // inside LAN
GigabitEthernet0/2         unassigned      YES unset  administratively down down
GigabitEthernet0/3         unassigned      YES unset  administratively down down
Management0/0              192.168.128.3    YES CONFIG up                    up 
 

You'll need to configure a NAT statement that will map the WAN IP of the router to the outside IP of the ASA (if you're only given a single public IP). This is commonly called port forwarding. You can map the inside service of Telnet TCP port 23 to a static port 2323 when accessing it from the outside (Internet). Make sure Telnet is allowed on the firewall outside ACL.

object network OBJ-ROUTER
 host 192.168.0.230
 nat (inside,outside) static interface service tcp 23 2323


If you need dynamic NAT/PAT for the inside users, use the after-auto key word (to put it in Section 3).

object network OBJ-LAN
 subnet 192.168.0.0 255.255.0.0
 nat (inside,outside) static after-auto source dynamic any interface


You also need a NAT statement (Identity NAT) for the router's WAN IP to be exempted from being translated by the firewall and avoid the rpf-check error when you do a packet-tracer.

object network OBJ-192.168.0.230
 host 192.168.0.230
 nat (inside,outside) static 192.168.0.230


You could either Telnet (using port 2323) from the HQ router or use a terminal emulator program (over the Internet).

HQ-RTR# telnet 200.1.1.50 2323
Trying 200.1.1.50, 2323 ... Open


User Access Verification

Password:
BRANCH-RTR>



You can verify hits on the firewall NAT and ACL using ASA commands below.

ASA# show nat
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static OBJ-192.168.0.230 OBJ-192.168.0.230     // IDENTITY NAT
    translate_hits = 1042, untranslate_hits = 7
2 (inside) to (outside) source static OBJ-ROUTER interface  service tcp telnet 2323    // PORT FORWARDING
    translate_hits = 0, untranslate_hits = 33

Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface        // PAT
    translate_hits = 23877, untranslate_hits = 12204


ASA# show access-list                    
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list OUTSIDE; 5 elements; name hash: 0x6045359
access-list OUTSIDE line 1 extended permit icmp any any (hitcnt=0) 0xdfa29219
access-list OUTSIDE line 2 extended permit icmp any any time-exceeded (hitcnt=0) 0x8fa50f18
access-list OUTSIDE line 3 extended permit icmp any any unreachable (hitcnt=0) 0x23f941a7
access-list OUTSIDE line 4 extended permit tcp any any telnet (hitcnt=1) 0x2e855ed6


Once the remote access to the router and IPSec VPN tunnel to your HQ has been established, you'll need to lock down the firewall ACL.

ROUTER#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0         unassigned      YES TFTP   up                    up 
GigabitEthernet0/0     192.168.128.1    YES manual up                    up 
GigabitEthernet0/1         192.168.0.230    YES NVRAM  up                    up 
Tunnel123                 192.168.0.201    YES NVRAM  up                    up

ROUTER#show run interface tunnel123
Building configuration...

Current configuration : 208 bytes
!
interface Tunnel123
 ip address 192.168.0.201 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.0.230
 tunnel destination 192.168.0.158
end

ROUTER#ping 192.168.0.158 source 192.168.0.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.158, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.230
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/24 ms

ROUTER#ping 192.168.0.202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/24/28 ms

No comments:

Post a Comment