Techi3Rebel

@charter.com

[HELP] ASA5505 & Cisco Router 3825 - Double NAT w/ Port Forward

Attachment: MK_Double_NAT.pdf (112,713 bytes)
I have been brainstorming over this for a few days and need help. This is my Cisco LAB environment used for study but also in production for daily use. I am trying to setup a double-NAT network with just one IP from my ISP through the ASA & 3825 going to (2) end nodes and multiple ports for port forwarding. It is currently working but only as simple PAT and I cannot initiate FTP from the outside. I know some may suggest removing the router, but this is my study LAB and it's a bit unconventional for learning purposes. I attached the diagram and would really appreciate it if you could provide some pointers, tips, parts of the config. I have done quite a bit of reading on different forums but cannot seem to grasp the concept. Thank you…


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

Re: [HELP] ASA5505 & Cisco Router 3825 - Double NAT w/ Port Forw

so -- just to be clear -- how do you know it's "working"? are you able to initiate a connection on some other service port from the outside and "make it work"(tm)?

fyi -- ftp is terrible to test with. while it's raw data streams -- you have to be cognizant of the two different ports (tcp/20, tcp/21) and that there are different modes of operation (active, passive).

set up a test with ssh, telnet, or rdp. run it through the double-nat. if it works -- then the issue is with your ftp server setup.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to Techi3Rebel
Current configs (minus IP addresses, passwords, and information of a sensitive nature) would help as well.

Regards


Techi3Rebel

@charter.com
Thank you for looking at this...

ASA Version 9.0(2)
!
hostname FF
domain-name ciscolab.local
enable password xxxxxxxxxxxxxxxx encrypted
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
passwd xxxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 5
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan5
mac-address 001c.70a5.fb51
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan10
nameif inside
security-level 100
ip address 10.1.1.30 255.255.255.224
!
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 198.153.192.40
name-server 198.153.194.40
domain-name ciscolab.local
object network DNAT_3825
object network INTERNAL-LAN
host 10.1.1.1
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service NAS-FTP tcp
description Synology FTP
port-object eq 2121
port-object eq 2222
port-object range 55536 55567
access-list ACL-OUTSIDE extended permit object-group TCPUDP any any eq domain log
access-list ACL-OUTSIDE extended permit icmp any any time-exceeded log
access-list ACL-OUTSIDE extended permit icmp any any echo-reply log
access-list ACL-OUTSIDE extended permit icmp any any echo log
access-list ACL-OUTSIDE extended permit tcp any object INTERNAL-LAN object-group NAS-FTP log
access-list ACL-OUTSIDE extended deny ip any any log
access-list ACL-INSIDE extended permit ip any any log
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
nat (inside,outside) after-auto source dynamic any interface dns
access-group ACL-OUTSIDE in interface outside
access-group ACL-INSIDE in interface inside
!
router ospf 1
network 10.1.1.0 255.255.255.224 area 0
network 192.168.1.0 255.255.255.192 area 0
log-adj-changes
default-information originate always metric 1
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http server idle-timeout 60
http server session-timeout 90
http 192.168.1.0 255.255.255.192 inside
http 10.1.1.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 inside
ssh timeout 60
ssh version 2
console timeout 0

dhcp-client client-id interface outside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.1.1 source inside
ntp server 129.6.15.29 source outside prefer
webvpn
anyconnect-essentials
username cisco password xxxxxxxxxxxxxxxx encrypted privilege 15
username lab password xxxxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

********************************************************

version 15.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RR
!
boot-start-marker
boot system flash:c3825-adventerprisek9_ivs-mz.151-4.M6.bin
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200
logging console critical
enable secret 4 xxxxxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
clock timezone CST -6 0
clock summer-time CDT recurring
!
dot11 syslog
no ip source-route
!
ip cef
!
ip dhcp excluded-address 192.168.1.1 192.168.1.4
ip dhcp excluded-address 192.168.1.51 192.168.1.62
ip dhcp excluded-address 172.16.1.1
ip dhcp excluded-address 172.16.1.14
!
ip dhcp pool DHCP_192.168.1.0/26
network 192.168.1.0 255.255.255.192
dns-server 192.168.1.1
default-router 192.168.1.1
domain-name ciscolab.local
!
ip dhcp pool VOICE_LAN
import all
network 172.16.1.0 255.255.255.240
default-router 172.16.1.1
dns-server 192.168.1.1
domain-name ciscolab.local
option 150 ip 172.16.1.1
!
no ip bootp server
ip domain name ciscolab.local
ip name-server 198.153.192.40
ip name-server 198.153.194.40
ip inspect log drop-pkt
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable

parameter-map type ooo global
tcp reassembly queue length 64
tcp reassembly memory limit 4096
tcp reassembly alarm off
!
voice-card 0
!
voice service voip
ip address trusted list
ipv4 64.xx.xx.xx
ipv4 64.xx.xx.xx
allow-connections sip to sip
no supplementary-service h450.2
no supplementary-service h450.3
no supplementary-service h450.7
no supplementary-service sip moved-temporarily
no supplementary-service sip refer
no supplementary-service sip handle-replaces
redirect ip2ip
sip
bind control source-interface GigabitEthernet0/1.20
bind media source-interface GigabitEthernet0/1.20
session transport tcp
registrar server
!
voice class codec 1
codec preference 1 g711ulaw
!
voice register global
mode cme
source-address 172.16.1.1 port 5060
max-dn 25
max-pool 25
load 7960-7940 P0S3-8-12-00
authenticate register
tftp-path flash:
create profile sync 0027104243302222
!
voice register dn 1
number 1001
name cisco
label cisco
!
voice register dn 2
number 1002
name lab
label lab
!
voice register pool 1
id mac 000D.BC80.EABD
type 7960
number 1 dn 1
username lab password xxxxxxxxxxxxxxxxxxxxxxxxx
!
voice register pool 2
id mac 000D.BC80.EB61
type 7960
number 1 dn 2
username lab password xxxxxxxxxxxxxxxxxxxxxxxxx
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-24697700023
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-24697700023
revocation-check none
rsakeypair TP-self-signed-24697700023
!
crypto pki certificate chain TP-self-signed-24697700023
certificate self-signed 01
!
license udi pid CISCO3825 sn xxxxxxxxxxxxxxxxxxxxxxxxx
archive
log config
hidekeys
username cisco privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
username lab privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
ip tcp synwait-time 10
!
interface Loopback0
description $FW_INSIDE$
ip address 99.99.99.99 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description OUTSIDE TO ASA$ETH-WAN$
ip address 10.1.1.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in max-reassemblies 64
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.10
description DATA_VLAN$ETH-LAN$
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1460
!
interface GigabitEthernet0/1.20
description VOICE_VLAN$ETH-LAN$
encapsulation dot1Q 20
ip address 172.16.1.1 255.255.255.240
ip nbar protocol-discovery
ip flow ingress
ip flow egress
!
router ospf 1
network 10.1.1.0 0.0.0.31 area 0
network 172.16.1.0 0.0.0.15 area 0
network 192.168.1.0 0.0.0.63 area 0
default-information originate
!
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat pool DHCP_192.168.1.0/26 192.168.1.1 192.168.1.62 netmask 255.255.255.192
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_OSPF
remark CCP_ACL Category=1
permit ospf any any
!
logging trap debugging
logging 192.168.1.60
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.63
!
tftp-server flash:/P0S3-8-12-00/P0S3-8-12-00.loads alias P0S3-8-12-00.loads
tftp-server flash:/P0S3-8-12-00/P0S3-8-12-00.sb2 alias P0S3-8-12-00.sb2
tftp-server flash:/P0S3-8-12-00/P003-8-12-00.bin alias P003-8-12-00.bin
tftp-server flash:/P0S3-8-12-00/P003-8-12-00.sbn alias P003-8-12-00.sbn
tftp-server flash:/SIP/SEP000DBC80EABD.cnf alias SEP000DBC80EABD.cnf
tftp-server flash:/SIP/SEP000DBC80EB61.cnf alias SEP000DBC80EB61.cnf
tftp-server flash:/SIP/XMLDefault.cnf alias XMLDefault.cnf
!
control-plane
!
mgcp fax t38 ecm
!
mgcp profile default
!
sip-ua
credentials number xxxxxxxxxxxxxx username xxxxxxxxxxxxx password xxxxxxxxxxxxxx realm GVGW
authentication username xxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxx
registrar dns:gvgw3.simonics.com:5070 expires 1800 tcp
sip-server dns:gvgw3.simonics.com:5070
!
gatekeeper
shutdown
!
telephony-service
no auto-reg-ephone
pin 0000 override
max-dn 25
ip source-address 172.16.1.1 port 2000
max-redirect 5
system message CISCO
cnf-file location flash:
max-conferences 12 gain -6
web admin system name lab secret xxxxxxxxxxxxxxxxx
transfer-system full-consult
create cnf-files version-stamp 7960 Apr 14 2013 02:39:02
!
banner login ^CPrivate Network - STAY OUT!!!^C
!
line con 0
exec-timeout 0 0
password xxxxxxxxxxxxxxxxxxxxxxxxx
logging synchronous
line aux 0
line vty 0 4
access-class 102 in
exec-timeout 0 0
privilege level 15
password xxxxxxxxxxxxxxxxxxxxxxxxx
login local
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server time.nist.gov prefer
end


Techi3Rebel

@charter.com
reply to tubbynet
Sorry, I should have been clearer. What I meant by 'it works' is that I am using the devices in production and have Internet but cannot establish an FTP session from the 'outside'. The FTP server is on a Synology NAS and when I only had the 3825, FTP worked perfectly. I added the ASA because the 3825 ZBF was awful and slowed down all HTTP traffic, so I reconfigured it and use it for DHCP and CME.


tubbynet
then have it on the lan -- on the same segment as your asa lan.
remove double nat.

problem solved.

q.


Techi3Rebel

@charter.com
Thanks for the idea, and I understand that would be the easy way out, but this is a learning environment for me and I wanted to see how this would work. I am stuck and wanted some guidance.

I know I will need different types of NAT but I'm uncertain on how to accomplish that. For instance, if I work with just port 2222 going to my NAS at 192.168.1.60, at the ASA, do I create a static NAT from 24.x.x.x to a (made up) IP of 10.1.1.60, and then at the Router, do I take that 10.1.1.60 and static NAT to 192.168.1.60?

Does that make sense? Do I have to perform the same type of static NAT for all destinations and ports and also have a dynamic NAT pool for the PAT?


tubbynet
said by Techi3Rebel :

Does that make sense? Do I have to perform the same type of static NAT for all destinations and ports and also have a dynamic NAT pool for the PAT?

yes. for all static mappings -- you will need a map for the port.
each nat has 'global outside', 'local outside', 'global inside', and 'local inside' -- though the global addresses are usually enough.

each nat will have an in/out pair mapping a port. this port will need continuity throughout the lan. for example -- 1.1.1.1/80 maps to 10.1.1.1/8080 which maps to 192.168.1.1/8080. for dynamic nat pools -- you will need them at both nat points.

q.
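A worked set of mappings for the chain tubbynet describes (public-ip/port to 10.1.1.x/port to 192.168.1.x/port, same port at every hop), written for this thread as an added example and not something either poster applied. It forwards tcp/2222 and tcp/2121 from the ASA's DHCP-assigned outside address to the router's Gi0/0 (10.1.1.1, the address ACL-OUTSIDE already permits via object INTERNAL-LAN) and from there to the NAS at 192.168.1.60. The object names NAS-2222 and NAS-2121 are assumptions of mine; the addresses, ports and interface names come from the two configs posted above. In ASA object NAT the service keyword takes one port, so each forwarded port needs its own statement on the ASA and its own line on the router; the passive range 55536-55567 is not expanded here for that reason.

```cisco
! ---- ASA 9.0(2), hostname FF ----
! Object NAT: one network object per forwarded port, because a network
! object carries a single nat statement. "interface" is required here
! since the outside address is a DHCP lease. Object names are assumed.
object network NAS-2222
 host 10.1.1.1
 nat (inside,outside) static interface service tcp 2222 2222
object network NAS-2121
 host 10.1.1.1
 nat (inside,outside) static interface service tcp 2121 2121
! The existing catch-all stays as the dynamic pool on this NAT point.
! Object NAT (section 2) is evaluated before after-auto rules (section 3),
! so no reordering is needed:
! nat (inside,outside) after-auto source dynamic any interface dns
! ACL-OUTSIDE already permits tcp any -> object INTERNAL-LAN (10.1.1.1) on
! object-group NAS-FTP; post-8.3 ACLs match the real (untranslated) address.
!
! ---- IOS 15.1, hostname RR ----
! Static PAT on the router. Gi0/0 is already "ip nat outside" and
! Gi0/1.10 is already "ip nat inside" in the posted config.
ip nat inside source static tcp 192.168.1.60 2222 interface GigabitEthernet0/0 2222
ip nat inside source static tcp 192.168.1.60 2121 interface GigabitEthernet0/0 2121
! The dynamic pool on this NAT point is the overload rule already present:
! ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! ---- Verification ----
! ASA: list the rules, then trace an inbound SYN. Substitute the current
! outside lease for <outside-ip>; 203.0.113.5 is a documentation address.
! show nat detail
! packet-tracer input outside tcp 203.0.113.5 40000 <outside-ip> 2222
! Router: after a test connection the static entry and its per-flow child appear in
! show ip nat translations
```

Two caveats worth checking before blaming the NAT. First, the ASA's inspect ftp sits under class inspection_default, whose match default-inspection-traffic only covers FTP on tcp/21, so FTP on 2121 is not inspected and the ASA will neither rewrite the address in the server's 227 PASV reply nor open the data port on the fly; the same holds for the router, whose NAT FTP ALG also keys on tcp/21 by default. That is why the NAS-FTP object group carries the 55536-55567 range: forward those ports explicitly on both devices, and configure the NAS to advertise the public address in its passive reply, or a client will be handed 192.168.1.60. Second, test tcp/2222 (SSH) through the chain first, as tubbynet suggests; if a plain TCP service works end to end, whatever is left is the FTP passive-mode setup, not the NAT.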