OK ASA NAT experts

Started by icecream-guy, June 17, 2022, 03:11:52 PM


icecream-guy

My ASA is connected to a comcrap modem (Netgear CM1000). I want to port forward udp/6000 and udp/6001 to a host behind my firewall on my wireless network. (Not sure if I also need to do something on my WiFi router, but the ASA config appears like it doesn't work.)

It's an ASA. I really shouldn't have to port forward, just need an ACL to allow traffic.


object service port-6000
service udp source eq 6000
object service port-6001
service udp source eq 6001

object-group network outside_ip
network-object host <comcrap assigned DHCP Address>


object network source-connect-6000
network-object host <internal wireless assigned DHCP Address>

object network source-connect-6001
network-object host <internal wireless assigned DHCP Address>

nat (outside,wireless) 1 source static outside_ip source-connect-6000 service port-6000 port-6000
nat (outside,wireless) 1 source static outside_ip source-connect-6001 service port-6001 port-6001

access-list outside_access line 1 extended permit udp any object source-connect-6000 eq 6000
access-list outside_access line 2 extended permit udp any object source-connect-6001 eq 6001

a# show nat
Manual NAT Policies (Section 1)
1 (outside) to (wireless) source static outside_ip source-connect-6001   service port-6001 port-6001
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (wireless) source static outside_ip source-connect-6000   service port-6000 port-6000
    translate_hits = 0, untranslate_hits = 0

:professorcat:

My Moral Fibers have been cut.

deanwebb

Do you have the ACL to match on the traffic so it's marked as "interesting" and processed? I dimly remember that being needed to make things work.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

icecream-guy

Yes, there is:


access-list outside_access extended permit udp any host <internal> eq 6001 log notifications
access-list outside_access extended permit udp any host <internal> eq 6000 log notifications
:professorcat:

My Moral Fibers have been cut.

Otanx

The nat statement does not look right to me. Try:


object-group service nat_services
service-object udp destination range 6000 6001
!
object-group network internal_server
network-object host INTERNAL_SERVER_IP
!
nat (outside,wireless) source static any any destination static interface internal_server service nat_services nat_services


-Otanx

Dieselboy

The nat is from highest security to lowest. So, nat inside or wireless -> outside
That's if wireless has security level 100 and outside is default 0.

I also recall needing to use source port in the service port.

Let's say the internal IP is 192.168.1.10 and comcrap is 1.1.1.1, so it will be like:

nat udp 192.168.1.10:6000 -> 1.1.1.1:6000

The UDP port number is the source port because from the firewall's perspective we're NATting from inside to outside to allow traffic inbound, but this is only the destination port on the reverse, i.e. when something remote is targeting our comcrap IP. Same with IP: the source IP of 192.168.1.10 is translated to 1.1.1.1, which is our source when going outbound.
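A small checker for `show nat` output, added here as an example and not code from this thread or from Cisco. It parses the "Manual NAT Policies" block in the format the first post shows, reports policies whose translate_hits and untranslate_hits are both zero (the symptom in the original output: the rule has never matched a packet), and, following Dieselboy's point about direction, lists for manual review any policy whose real (first) interface has a lower security level than its mapped interface. The sample output and the interface security levels are constructed assumptions: outside 0 and inside 100 are ASA defaults, wireless at 100 is assumed, and policy 3 is an invented entry showing what a matching rule looks like.

```python
import re

# Constructed sample modelled on the thread's "show nat" output, plus one extra
# policy (3) written in the wireless -> outside direction with non-zero hits.
# This is not captured from a real device.
SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (outside) to (wireless) source static outside_ip source-connect-6001   service port-6001 port-6001
    translate_hits = 0, untranslate_hits = 0
2 (outside) to (wireless) source static outside_ip source-connect-6000   service port-6000 port-6000
    translate_hits = 0, untranslate_hits = 0
3 (wireless) to (outside) source static internal_server interface service nat_services nat_services
    translate_hits = 12, untranslate_hits = 40
"""

# Assumed interface security levels. ASA defaults are outside=0 and inside=100;
# "wireless" at 100 is an assumption for this example.
SECURITY_LEVELS = {"outside": 0, "inside": 100, "wireless": 100}

POLICY_RE = re.compile(r"^(\d+)\s+\((\S+)\)\s+to\s+\((\S+)\)\s+(.*)$")
HITS_RE = re.compile(r"translate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")


def parse_show_nat(text):
    """Return one dict per manual NAT policy: id, real/mapped interface, rule text, hit counters."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = {
                "id": int(m.group(1)),
                "real_if": m.group(2),
                "mapped_if": m.group(3),
                "rule": m.group(4).strip(),
                "translate_hits": None,
                "untranslate_hits": None,
            }
            policies.append(current)
            continue
        # The counter line belongs to the most recently seen policy.
        h = HITS_RE.search(line)
        if h and current is not None:
            current["translate_hits"] = int(h.group(1))
            current["untranslate_hits"] = int(h.group(2))
    return policies


def audit_policies(policies, levels=SECURITY_LEVELS):
    """Return (policy id, finding) pairs: 'no-hits' is a problem, 'direction' is for review."""
    findings = []
    for p in policies:
        real_lvl = levels.get(p["real_if"])
        mapped_lvl = levels.get(p["mapped_if"])
        # Direction review per Dieselboy's post: the real (first) interface is
        # normally the higher-security side, e.g. (wireless,outside).
        if real_lvl is not None and mapped_lvl is not None and real_lvl < mapped_lvl:
            findings.append((p["id"], "direction"))
        # Counters that never moved mean the policy has not matched any packet,
        # which is exactly what the thread's original rules show.
        if p["translate_hits"] == 0 and p["untranslate_hits"] == 0:
            findings.append((p["id"], "no-hits"))
    return findings


if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE_SHOW_NAT)
    for pid, kind in audit_policies(parsed):
        rule = next(p["rule"] for p in parsed if p["id"] == pid)
        print(f"policy {pid}: {kind}: {rule}")
```

Run it on pasted `show nat` output instead of the constructed sample to see which manual NAT policies have never matched; a policy that stays at zero hits while the expected traffic is arriving is the thing to fix before touching the ACL.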