Port Forward on ASA

[cholzhauer]

Has anyone done port forwarding with an ASA?  I have a setup where I only have one public address, so I need to forward proto/41 to an inside host.  However, I'm only presented with TCP/UDP options.

I'm looking for the command to enter to accomplish the aforementioned.

Thanks

[cholzhauer]

Well, I guess it wouldn't be port forwarding if I'm trying to forward a protocol, but I think you get the idea

[jimb]

Yeah I posted about this before.  I don't think IOS allows you to do an arbitrary protocol forward.  It presumes UDP or TCP ports, or icmp, or a handful of other proto that it has built in.  Unless perhaps you can specify "41" instead of udp or tcp in an ACL.

[cholzhauer]

The bad thing is the ASA doesn't even run IOS   I think IOS would let me do this.  Someone mentioned using a class map..would that work?

[jimb]

OOPS yeh my bad.  It's not IOS, it's sort of a bastardization of PixOS and IOS.   

Yeh u may want to look into class maps and route maps to do your NAT.  Good luck. 

[cholzhauer]

Haha I've never used class maps...do you know of any place I should look to get myself up to speed?

[cholzhauer]

I took advantage of our contract with Cisco and asked them.  Below is the response

Carl,

On the ASA there would be no way to do this. The only thing we could do would be to use PAT but that's not going to work as there are no ports to send it back to.

You may be able to accomplish this with policy-based routing. On the router you could configure an ACL matching ip protocol 41 and route it inside to a specific address. The only thing is that you would still need to create some sort of static translation for that traffic.

-Pete

On 1/13/2010 2:02 PM, Carl wrote:
> Hm.
>
> It seems like there's a way to do this if I had a router...then I could use the ip-forward command?
>
> Someone had mentioned using a class map to achieve this...is that possible?
>
> Thanks
>
> -----Original Message-----
>
> Carl,
>
> There is currently no way to do a NAT policy based on IP protocol number. We can only do something like this is if we had TCP/UDP port numbers. You may be able to talk to your tunnel broker and see if they can do TSP or some other kind of UDP based encapsulation for the traffic so that we could create the desired NAT policy.
>
> -Pete
>
> On 1/13/2010 1:50 PM, Carl wrote:
>> I'll try and explain.
>>
>> I want to set up an IPv6 tunnel at my site, but I only have one external Public IP address.  So, I need to forward protocol 41 to an internal host to set up this tunnel.
>>
>> Say my Public IP address is 12.12.12.12.  I would set up the tunnel
>> at the tunnel broker site to send all tunnel traffic to 12.12.12.12.
>> However, there is a router at that address, not the computer that
>> needs to receive the traffic.  So, what I would need to do is create
>> something that says ok, any protocol 41 traffic sent to 12.12.12.12
>> needs to be forwarded to the internal address of 192.168.1.1
>>
>> Hope that helps.
>>
>>
>> -----Original Message-----
>>
>> Hello,
>>
>> My name is Pete, I'm with the TAC Firewall team here in RTP, North Carolina and I'll be the new engineer working on your case.
>>
>> To get started can you describe to me exactly what you are doing? Are
>> you trying to do dual-stack PAT where you take in an IPv6 packet on
>> port
>> 100 and translate to an IPv4 address on port 50 for example?
>>

[chrissw]

Interestingly - especially for those using an ASA without sufficient memory for later software versions - you can do this with ASA 8.0(3). It may have been an oversight or a "bug" with positive consequences in that version, because, it doesn't work in 8.0(5).

So I have a Cat4948 doing all the routing for my internal network. Now of course the 4948 doesn't support NAT, and since I'm on a domestic broadband service with only 1 public IPv4 address, I need something to do NAT, and that is an ASA, which of course is connected directly to my broadband.

The IPv6in4 tunnel remote endpoint (at the tunnel broker) is 216.66.80.26. The inside address of my end of the IPv6in4 tunnel is x.x.x.1/30.

The config is like this:

interface GigabitEthernet0/0
 description Broadband Service
 nameif outside
 security-level 0
 ip address dhcp setroute
!

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address x.x.x.2 255.255.255.252
 ipv6 address 2001:x:x:ff::2/64
 ipv6 enable
 ipv6 nd suppress-ra
!
object-group protocol IPV6inIP
 protocol-object 41
!
access-list OUTSIDE-IN extended permit object-group IPV6inIP host 216.66.80.26 interface outside
!
access-list STATIC-IPV6TUNNEL extended permit object-group IPV6inIP host x.x.x.1 host 216.66.80.26
!
static (inside,outside) interface  access-list STATIC-IPV6TUNNEL
!
access-group OUTSIDE-IN in interface outside

When I configure this, I get a warning about all traffic being translated to the interface address (IIRC) but it doesn't matter of course. I presume the warning applies only to protocol 41 traffic.