Static PAT a.k.a Port Forwarding (ASA 8.3/8.4)


Configuring Static PAT as a Network Object NAT/Auto NAT:

1. Create a Network Object
2. Define the Real IP/Private IP
3. Create a Static PAT/Port Forwarding rule inside the network object itself.

ASA(config)# object network websrv 
ASA(config-network-object)# host 10.1.1.3
ASA(config-network-object)# nat (dmz,outside) static 2.2.2.3 service tcp 8080 www

8080 is the real port (the port the server actually listens on) and www (80) is the mapped port (the port outside clients connect to on 2.2.2.3). In the service keyword the real port always comes first and the mapped port second.

Verification

ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static websrv 2.2.2.3 service tcp 8080 www
translate_hits = 0, untranslate_hits = 3

Configuring Static PAT as a Twice NAT/Manual NAT:

1. Create the required network objects that need to be referenced in the Twice NAT/Manual NAT syntax (real ip, mapped ip and services).
2. Create the Static PAT/Port Forwarding rule in the ‘global configuration’ mode

ASA(config)# object network private_ip
ASA(config-network-object)# host 10.1.1.3
ASA(config-network-object)# object network public_ip
ASA(config-network-object)# host 2.2.2.3
ASA(config-network-object)# object service www
ASA(config-service-object)# service tcp source eq www
ASA(config-service-object)# object service tcp_8080
ASA(config-service-object)# service tcp source eq 8080
ASA(config-service-object)# exit
ASA(config)# nat (dmz,outside) source static private_ip public_ip service tcp_8080 www

tcp_8080 is the real service object and www is the mapped service object; as with Auto NAT, the real one comes first.
— The service objects are defined with ‘source’ ports because the NAT is written in the DMZ > Outside direction. The private IP belongs to the web server, which is the source of the flow as the rule is written, so its source port is 8080 when it replies to an HTTP request from the outside.
— If the same NAT were written in the Outside > DMZ direction, the web server would be the destination of the flow, so the service objects would be defined with ‘destination’ ports: a client on the internet requests HTTP on the web server’s public IP on port 80, and in that direction the service is a ‘destination’ port.

I hope this makes the source/destination distinction clear; let me know in the comments if it doesn’t.

Verification

ciscoasa(config)# show nat
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static private_ip public_ip service tcp_8080 www
translate_hits = 0, untranslate_hits = 2

Corresponding Access-Control Lists

When you write the ACLs that go with these NATs, remember that from 8.3 onwards the interface ACL is evaluated after the packet has been untranslated, so the ACL must use the real/pre-translated/private IP and the real port. Before 8.3 the ACL applied to the outside interface saw the mapped IP and mapped port. In both cases the ACL is still applied to the outside interface with access-group; only what it has to match changes.

ACLs PRE 8.3 (mapped IP, mapped port):

access-list outside_access_in extended permit tcp any host 2.2.2.3 eq www log

ACLs POST 8.3 (real IP, real port):

access-list outside_access_in extended permit tcp any host 10.1.1.3 eq 8080 log
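The two NAT forms above and the ACL rule in this section can all be derived from one description of the port forward, which is the easiest way to stop the real/mapped mix-up from ever reaching the box. The script below is an added example and not configuration from the original post; the derived object names (websrv_real, websrv_mapped, websrv_real_svc, websrv_mapped_svc), the PortForward dataclass and the acl_matches_port_forward linter are my own, and the port-name table is only a small subset of the names the ASA accepts. It emits the Auto NAT form, the Twice NAT form and the post-8.3 ACL for the websrv example, and it flags a pre-8.3 style ACL line (mapped IP or mapped port) that would silently never match on 8.3+.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Subset of the well-known port names the ASA accepts in place of numbers (assumption: enough for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21, "smtp": 25, "domain": 53}


@dataclass(frozen=True)
class PortForward:
    """One static PAT rule. (real_if, mapped_if) is the direction the NAT is written in."""
    name: str
    real_ip: str
    mapped_ip: str
    real_port: int
    mapped_port: int
    real_if: str = "dmz"
    mapped_if: str = "outside"
    proto: str = "tcp"


def auto_nat(pf: PortForward) -> list[str]:
    """Network Object NAT: the rule lives inside the object of the real host.
    In 'service <proto> A B', A is the REAL port and B is the MAPPED port."""
    return [
        f"object network {pf.name}",
        f" host {pf.real_ip}",
        f" nat ({pf.real_if},{pf.mapped_if}) static {pf.mapped_ip} "
        f"service {pf.proto} {pf.real_port} {pf.mapped_port}",
    ]


def twice_nat(pf: PortForward) -> list[str]:
    """Manual (Twice) NAT: every operand is an object and the rule is global.
    The real host is the SOURCE in the (real_if,mapped_if) direction, so both
    service objects are written as 'source' ports (destination if written the other way)."""
    n = pf.name
    return [
        f"object network {n}_real", f" host {pf.real_ip}",
        f"object network {n}_mapped", f" host {pf.mapped_ip}",
        f"object service {n}_real_svc", f" service {pf.proto} source eq {pf.real_port}",
        f"object service {n}_mapped_svc", f" service {pf.proto} source eq {pf.mapped_port}",
        f"nat ({pf.real_if},{pf.mapped_if}) source static {n}_real {n}_mapped "
        f"service {n}_real_svc {n}_mapped_svc",
    ]


def inbound_acl(pf: PortForward, acl_name: str = "outside_access_in") -> str:
    """8.3+ interface ACLs are evaluated after untranslation: real IP, real port."""
    return (f"access-list {acl_name} extended permit {pf.proto} any "
            f"host {pf.real_ip} eq {pf.real_port} log")


ACL_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+(\S+)\s+any\s+host\s+(\S+)\s+eq\s+(\S+)")


def acl_matches_port_forward(acl_line: str, pf: PortForward) -> tuple[bool, str]:
    """Lint an inbound ACL line against a port forward the way an 8.3+ ASA sees it.
    Returns (ok, reason); catches the pre-8.3 habit of writing the mapped IP or port."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        return False, "unrecognised ACL form (expected: extended permit <proto> any host <ip> eq <port>)"
    proto, ip, port = m.groups()
    port_num = PORT_NAMES.get(port.lower(), int(port) if port.isdigit() else -1)
    if proto != pf.proto:
        return False, f"protocol {proto} does not match NAT protocol {pf.proto}"
    if ip == pf.mapped_ip and ip != pf.real_ip:
        return False, "uses the mapped (public) IP; 8.3+ ACLs must use the real IP"
    if ip != pf.real_ip:
        return False, f"host {ip} is neither the real nor the mapped IP of this rule"
    if port_num == pf.mapped_port and port_num != pf.real_port:
        return False, "uses the mapped port; 8.3+ ACLs must use the real port"
    if port_num != pf.real_port:
        return False, f"port {port} does not match real port {pf.real_port}"
    return True, "ok"


if __name__ == "__main__":
    pf = PortForward("websrv", "10.1.1.3", "2.2.2.3", 8080, 80)
    print("\n".join(auto_nat(pf)))
    print("\n".join(twice_nat(pf)))
    print(inbound_acl(pf))
    # The page's pre-8.3 style line is rejected on 8.3+ because it names the mapped IP.
    print(acl_matches_port_forward(
        "access-list outside_access_in extended permit tcp any host 2.2.2.3 eq www log", pf))
```

The linter is deliberately strict about the protocol: a line written as permit ip with a port keyword is not valid ASA syntax at all, and a permit ip without one opens every port on the real host, which is usually not what a port forward was meant to expose.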

Here’s more on NAT -> https://networkology.net/tag/nat/


8 thoughts on “Static PAT a.k.a Port Forwarding (ASA 8.3/8.4)”

  1. In your Static PAT – Twice NAT example I believe you meant to have “public-ip” and not “wan-ip”.

  2. No problem. Thank you for the article. It really helped out. Can you tell me what the benefit of object and twice NAT is over the old way of doing it? I don’t see the benefit.

  3. I’m glad you found it useful! :)

    There may be many reasons for the change in NAT and after digging deeper into it, I do feel the changes are for good.

    You don’t need to create ACLs and apply it to a NAT statement for policy based NAT. You can define your real/translated source/destination/service in a single statement making it easier to read and understand.

    It is more flexible now, you can change the order of the NAT statements in their respective sections.

    The ‘show nat’ output shows all the NAT statements in a single place in the order of their priority. The ‘show nat interface inside’ will show all the NAT statements where the source interface is inside. The point is that it is easier to find stuff and isolate problems.

    I like the way Destination NAT is done now.

    The new NAT syntax is more in line with the way Check Point does it, and Check Point has always used this form of NAT. Organizations who use Check Point and who are planning to migrate to another vendor (for whatever reason it may be) can now consider Cisco’s ASA as an alternative.

    I could only come up with these points for now. Hope that helps a little!

  4. Fortunately, I have to configure like yours for Microsoft OWA, but with different mapped ports, and it’s a failure. Could you give me a suggestion? I already configured like yours with a different mapped port (tcp_443 is the real port and tcp_44443 is the mapped port).
    Thanks in advance!!

  5. Thanks for reaching out to me. I’ll be glad to help you get it working.

    Are you not able to configure the NAT itself, or is it something to do with the ACLs?
    Are you using the real IP in the ACL?
    Did you try running a packet-tracer to see where it is failing?
    Make sure there are no NAT statements that would shadow the NAT that you are trying to configure.

    Or else you can provide me with the real IP, mapped IP, real port, mapped port, the two interfaces and the direction of the traffic flow. That will help me write a NAT that should work for you.

    Regards,
    Shoaib

  6. I’m using ASA with IOS version 9 and ASDM version 7.2. Configuring port forwarding on this ASA is not simple enough, so I tried port forwarding my OWA server with HTTPS, and it still failed. My configuration for NAT and access list is:

    object network owa
    host 172.28.16.5
    nat (inside,outside) static interface service tcp https https

    access-list outside_access_in extended permit ip any host 172.28.17.39 log
    access-list outside_access_in extended permit ip any host 1.2.3.4 log

    1.2.3.4 = public ip for outside interface,

    based on logging with this configuration :

    6 Mar 13 2013 03:31:02 106100 114.79.12.227 53584 172.28.16.5 443 access-list outside_access_in permitted tcp outside/114.79.12.227(53584) -> inside/172.28.16.5(443) hit-cnt 1 first hit [0x90c43aef, 0x0]

    6 Mar 13 2013 03:31:02 302013 114.79.12.227 53584 172.28.16.5 443 Built inbound TCP connection 1697 for outside:114.79.12.227/53584 (114.79.12.227/53584) to inside:172.28.16.5/443 (1.2.3.4/443)

    6 Mar 13 2013 03:31:13 302014 114.79.12.227 53109 172.28.16.5 443 Teardown TCP connection 1693 for outside:114.79.12.227/53109 to inside:172.28.16.5/443 duration 0:00:30 bytes 0 SYN Timeout

    6 Mar 13 2013 03:31:13 302014 114.79.12.227 53110 172.28.16.5 443 Teardown TCP connection 1694 for outside:114.79.12.227/53110 to inside:172.28.16.5/443 duration 0:00:30 bytes 0 SYN Timeout

    The IP is permitted to access the internal server, but then the TCP connection is torn down;
    I don’t know why.

    And for your questions below:
    Are you using the real IP in the ACL? Yes, I’m using the real IP for outside and inside, but for outside in version 9, when I input it in the NAT configuration it is always an error.

    Did you try running a packet-tracer to see where it is failing?
    When I try to run packet-tracer it fails in route lookup, testing a connection from a public IP (my notebook, 114.79.12.227) to my OWA public IP (1.2.3.4).

    Make sure there are no NAT statements that would shadow the NAT that you are trying to configure.

    Thanks for replying to my question; this is my first time with ASA.
    I appreciate your great help.

  7. Remove the following ACL:
    access-list outside_access_in extended permit ip any host 1.2.3.4 log

    And use this ACL at line 1 on the outside interface:
    access-list outside_access_in line 1 extended permit ip any host 172.28.16.5 log

    Run the following packet-tracer command and let me know what the results are:
    packet-tracer input outside tcp 114.79.12.227 5678 1.2.3.4 443 detailed

    Instead of using the outside ‘interface’ IP, can you try using another free IP? Something like this:
    object network owa
    host 172.28.16.5
    nat (inside,outside) static 1.2.3.6 service tcp https https
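The four syslog lines quoted in comment 6 already contain the answer the reply in comment 7 is fishing for with packet-tracer, and reading them is worth automating because the same three message IDs show up in every port-forward ticket. The script below is an added example, not code from the original post or its comments; the triage_port_forward function and its verdict labels are my own, and the sample input is those four lines copied verbatim. A 302013 ‘Built’ line prints the real address with the mapped address in parentheses, so seeing 1.2.3.4/443 beside 172.28.16.5/443 proves the ASA untranslated the packet and the 106100 line proves the ACL permitted it; a 302014 teardown with ‘bytes 0 SYN Timeout’ then means the SYN was forwarded and no SYN/ACK ever came back, which points at the server (listener, host firewall, default route/return path) rather than at the NAT or ACL.

```python
import re

# Sample input: the four syslog lines from comment 6 above (message IDs 106100, 302013, 302014).
SAMPLE_LOG = """\
6 Mar 13 2013 03:31:02 106100 114.79.12.227 53584 172.28.16.5 443 access-list outside_access_in permitted tcp outside/114.79.12.227(53584) -> inside/172.28.16.5(443) hit-cnt 1 first hit [0x90c43aef, 0x0]
6 Mar 13 2013 03:31:02 302013 114.79.12.227 53584 172.28.16.5 443 Built inbound TCP connection 1697 for outside:114.79.12.227/53584 (114.79.12.227/53584) to inside:172.28.16.5/443 (1.2.3.4/443)
6 Mar 13 2013 03:31:13 302014 114.79.12.227 53109 172.28.16.5 443 Teardown TCP connection 1693 for outside:114.79.12.227/53109 to inside:172.28.16.5/443 duration 0:00:30 bytes 0 SYN Timeout
6 Mar 13 2013 03:31:13 302014 114.79.12.227 53110 172.28.16.5 443 Teardown TCP connection 1694 for outside:114.79.12.227/53110 to inside:172.28.16.5/443 duration 0:00:30 bytes 0 SYN Timeout
"""

# %ASA-6-106100: ACL verdict, with the real (post-untranslation) destination on 8.3+.
ACL_RE = re.compile(
    r"106100 .*access-list (\S+) (permitted|denied) (\w+) "
    r"(\w+)/([\d.]+)\((\d+)\) -> (\w+)/([\d.]+)\((\d+)\)")
# %ASA-6-302013: connection built; each endpoint is shown as real/port (mapped/port).
BUILT_RE = re.compile(
    r"302013 .*Built (inbound|outbound) TCP connection (\d+) for "
    r"(\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\) to (\w+):([\d.]+)/(\d+) \(([\d.]+)/(\d+)\)")
# %ASA-6-302014: connection torn down, with byte count and reason.
TEARDOWN_RE = re.compile(
    r"302014 .*Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+) to "
    r"(\w+):([\d.]+)/(\d+) duration (\S+) bytes (\d+) (.*)$")


def triage_port_forward(log_text: str, real_ip: str, real_port: int) -> dict:
    """Count what the ASA did for flows to real_ip:real_port and return a verdict.

    Verdict labels (assumption, my own naming):
      acl_denied           - the interface ACL dropped it (check real IP/port in the ACL)
      no_connection        - nothing was ever built (NAT, ACL or route lookup failed)
      no_reply_from_server - built and untranslated, but the SYN went unanswered
      ok                   - connections built and none timed out on the SYN
    """
    r = {"acl_permitted": 0, "acl_denied": 0, "built": 0,
         "nat_untranslated": 0, "syn_timeouts": 0, "verdict": ""}
    for line in log_text.splitlines():
        m = ACL_RE.search(line)
        if m:
            if m.group(8) == real_ip and int(m.group(9)) == real_port:
                r["acl_permitted" if m.group(2) == "permitted" else "acl_denied"] += 1
            continue
        m = BUILT_RE.search(line)
        if m:
            real_dst, real_dport = m.group(9), int(m.group(10))
            mapped_dst, mapped_dport = m.group(11), int(m.group(12))
            if real_dst == real_ip and real_dport == real_port:
                r["built"] += 1
                # Mapped address differs from real: static PAT was applied to this flow.
                if (mapped_dst, mapped_dport) != (real_dst, real_dport):
                    r["nat_untranslated"] += 1
            continue
        m = TEARDOWN_RE.search(line)
        if m and m.group(6) == real_ip and int(m.group(7)) == real_port:
            if m.group(10).strip() == "SYN Timeout" and int(m.group(9)) == 0:
                r["syn_timeouts"] += 1
    if r["acl_denied"]:
        r["verdict"] = "acl_denied"
    elif r["built"] == 0:
        r["verdict"] = "no_connection"
    elif r["syn_timeouts"]:
        r["verdict"] = "no_reply_from_server"
    else:
        r["verdict"] = "ok"
    return r


if __name__ == "__main__":
    print(triage_port_forward(SAMPLE_LOG, "172.28.16.5", 443))
```

For the comment's log the verdict is no_reply_from_server: the firewall side of the port forward is working, so the next thing to check is the server itself, not the NAT statement.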
