Port Forward on ASA

Started by cholzhauer, January 11, 2010, 07:47:49 AM


cholzhauer

Has anyone done port forwarding with an ASA?  I have a setup where I only have one public address, so I need to forward proto/41 to an inside host.  However, I'm only presented with TCP/UDP options.

I'm looking for the command to enter to accomplish the aforementioned.

Thanks

cholzhauer

Well, I guess it wouldn't be port forwarding if I'm trying to forward a protocol, but I think you get the idea

jimb

Yeah I posted about this before.  I don't think IOS allows you to do an arbitrary protocol forward.  It presumes UDP or TCP ports, or icmp, or a handful of other proto that it has built in.  Unless perhaps you can specify "41" instead of udp or tcp in an ACL.

cholzhauer

The bad thing is the ASA doesn't even run IOS :(  I think IOS would let me do this.  Someone mentioned using a class map..would that work?

jimb

Oops, yeah, my bad.  It's not IOS, it's sort of a bastardization of PixOS and IOS.   :P

Yeah, you may want to look into class maps and route maps to do your NAT.  Good luck.  :P

cholzhauer

Haha I've never used class maps...do you know of any place I should look to get myself up to speed?

cholzhauer

I took advantage of our contract with Cisco and asked them.  Below is the response:
Quote
Carl,

On the ASA there would be no way to do this. The only thing we could do would be to use PAT but that's not going to work as there are no ports to send it back to.

You may be able to accomplish this with policy-based routing. On the router you could configure an ACL matching ip protocol 41 and route it inside to a specific address. The only thing is that you would still need to create some sort of static translation for that traffic.

-Pete

On 1/13/2010 2:02 PM, Carl wrote:
> Hm.
>
> It seems like there's a way to do this if I had a router...then I could use the ip-forward command?
>
> Someone had mentioned using a class map to achieve this...is that possible?
>
> Thanks
>
> -----Original Message-----
>
> Carl,
>
> There is currently no way to do a NAT policy based on IP protocol number. We can only do something like this if we had TCP/UDP port numbers. You may be able to talk to your tunnel broker and see if they can do TSP or some other kind of UDP based encapsulation for the traffic so that we could create the desired NAT policy.
>
> -Pete
>
> On 1/13/2010 1:50 PM, Carl wrote:
>> I'll try and explain.
>>
>> I want to set up an IPv6 tunnel at my site, but I only have one external Public IP address.  So, I need to forward protocol 41 to an internal host to set up this tunnel.
>>
>> Say my Public IP address is 12.12.12.12.  I would set up the tunnel at the tunnel broker site to send all tunnel traffic to 12.12.12.12. However, there is a router at that address, not the computer that needs to receive the traffic.  So, what I would need to do is create something that says ok, any protocol 41 traffic sent to 12.12.12.12 needs to be forwarded to the internal address of 192.168.1.1
>>
>> Hope that helps.
>>
>>
>> -----Original Message-----
>>
>> Hello,
>>
>> My name is Pete, I'm with the TAC Firewall team here in RTP, North Carolina and I'll be the new engineer working on your case.
>>
>> To get started can you describe to me exactly what you are doing? Are you trying to do dual-stack PAT where you take in an IPv6 packet on port 100 and translate to an IPv4 address on port 50 for example?
>>


chrissw

Interestingly - especially for those using an ASA without sufficient memory for later software versions - you can do this with ASA 8.0(3). It may have been an oversight or a "bug" with positive consequences in that version, because it doesn't work in 8.0(5).

So I have a Cat4948 doing all the routing for my internal network. Now of course the 4948 doesn't support NAT, and since I'm on a domestic broadband service with only 1 public IPv4 address, I need something to do NAT, and that is an ASA, which of course is connected directly to my broadband.

The IPv6in4 tunnel remote endpoint (at the tunnel broker) is 216.66.80.26. The inside address of my end of the IPv6in4 tunnel is x.x.x.1/30.

The config is like this:

interface GigabitEthernet0/0
description Broadband Service
nameif outside
security-level 0
ip address dhcp setroute
!

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address x.x.x.2 255.255.255.252
ipv6 address 2001:x:x:ff::2/64
ipv6 enable
ipv6 nd suppress-ra
!
object-group protocol IPV6inIP
protocol-object 41
!
access-list OUTSIDE-IN extended permit object-group IPV6inIP host 216.66.80.26 interface outside
!
access-list STATIC-IPV6TUNNEL extended permit object-group IPV6inIP host x.x.x.1 host 216.66.80.26
!
static (inside,outside) interface access-list STATIC-IPV6TUNNEL
!
access-group OUTSIDE-IN in interface outside

When I configure this, I get a warning about all traffic being translated to the interface address (IIRC) but it doesn't matter of course. I presume the warning applies only to protocol 41 traffic.
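The following is an added illustration, not code from the thread, from Cisco or from Hurricane Electric. It models what the config above actually does on the wire: it builds a minimal 6in4 packet (an IPv4 header whose protocol field is 41, carrying an IPv6 header), applies the same decision as the OUTSIDE-IN access-list (permit protocol 41 only from the tunnel broker to the outside interface address, implicit deny for everything else), and then applies the policy static, which rewrites the destination to the inside tunnel host. The addresses are sample values taken from the thread (12.12.12.12 as the single public address and 192.168.1.1 as the inside host from Carl's e-mail, 216.66.80.26 as the broker endpoint from the post above); the function names are this example's own. Checksums are left at zero because the policy checks never consult them.

```python
import ipaddress
import struct

# Sample values from the thread (constructed for this example).
PUBLIC_IP = "12.12.12.12"            # the single public IPv4 address (outside interface)
INSIDE_TUNNEL_HOST = "192.168.1.1"   # the inside host that terminates the tunnel
TUNNEL_BROKER = "216.66.80.26"       # remote 6in4 endpoint at the tunnel broker
PROTO_IPV6_IN_IP = 41                # IANA protocol number: IPv6 encapsulated in IPv4


def build_6in4_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Build a minimal IPv4 packet whose payload is an IPv6 header (protocol 41)."""
    # Inner IPv6 header: version 6 in the top nibble, payload length,
    # next header 59 (no next header), hop limit 64, then source/destination.
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed + payload
    total_len = 20 + len(inner)
    # Outer IPv4 header: version 4 / IHL 5, DSCP 0, total length, id 0,
    # flags/fragment 0, TTL 64, protocol 41, checksum 0 (not computed here).
    outer = struct.pack("!BBHHHBBH", 0x45, 0, total_len, 0, 0, 64, PROTO_IPV6_IN_IP, 0)
    outer += ipaddress.IPv4Address(outer_src).packed
    outer += ipaddress.IPv4Address(outer_dst).packed
    return outer + inner


def parse_outer(packet):
    """Return (protocol, src, dst, inner_bytes) for an IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return proto, src, dst, packet[ihl:]


def inner_is_ipv6(inner):
    """True if the encapsulated bytes start with a complete IPv6 header."""
    return len(inner) >= 40 and inner[0] >> 4 == 6


def outside_in_permits(packet, tunnel_broker=TUNNEL_BROKER, outside_ip=PUBLIC_IP):
    """Mirror of the OUTSIDE-IN access-list.

    Permit only protocol 41 from the tunnel broker to the outside interface
    address; anything else falls to the implicit deny at the end of the list.
    The inner-IPv6 sanity check goes slightly beyond the ACL, which only looks
    at the outer header.
    """
    parsed = parse_outer(packet)
    if parsed is None:
        return False
    proto, src, dst, inner = parsed
    return (proto == PROTO_IPV6_IN_IP and src == tunnel_broker
            and dst == outside_ip and inner_is_ipv6(inner))


def static_translation(packet, tunnel_broker=TUNNEL_BROKER,
                       outside_ip=PUBLIC_IP, inside_host=INSIDE_TUNNEL_HOST):
    """Mirror of the policy static for the inbound direction.

    A permitted protocol-41 packet from the broker to the interface address is
    rewritten so its destination is the inside tunnel host. Returns the
    translated packet, or None when no translation applies.
    """
    if not outside_in_permits(packet, tunnel_broker, outside_ip):
        return None
    # Only the outer destination (bytes 16..19 of the IPv4 header) changes.
    return packet[:16] + ipaddress.IPv4Address(inside_host).packed + packet[20:]


if __name__ == "__main__":
    pkt = build_6in4_packet(TUNNEL_BROKER, PUBLIC_IP, "2001:db8::1", "2001:db8::2")
    print("permitted:", outside_in_permits(pkt))
    translated = static_translation(pkt)
    print("translated dst:", parse_outer(translated)[2])
    stray = build_6in4_packet("198.51.100.7", PUBLIC_IP, "2001:db8::1", "2001:db8::2")
    print("stray source permitted:", outside_in_permits(stray))
```

Running it shows the two halves of the config working together: the access-list admits the broker's protocol-41 traffic and nothing else, and the static then hands that traffic to 192.168.1.1 unchanged apart from the outer destination, which is exactly the "protocol forward" the original question asked for.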