My ASA is connected to a comcrap modem (Netgear CM1000). I want to port forward UDP/6000 and UDP/6001 to a host behind my firewall on my wireless network. (Not sure if I also need to do something on my WiFi router, but the ASA config appears not to work.)
It's an ASA. I really shouldn't have to port forward; I just need an ACL to allow the traffic.
object service port-6000
service udp source eq 6000
object service port-6001
service udp source eq 6001
object-group network outside_ip
network-object host <comcrap assigned DHCP Address>
object network source-connect-6000
 host <internal wireless assigned DHCP Address>
object network source-connect-6001
 host <internal wireless assigned DHCP Address>
nat (outside,wireless) 1 source static outside_ip source-connect-6000 service port-6000 port-6000
nat (outside,wireless) 1 source static outside_ip source-connect-6001 service port-6001 port-6001
access-list outside_access line 1 extended permit udp any object source-connect-6000 eq 6000
access-list outside_access line 2 extended permit udp any object source-connect-6001 eq 6001
a# show nat
Manual NAT Policies (Section 1)
1 (outside) to (wireless) source static outside_ip source-connect-6001 service port-6001 port-6001
translate_hits = 0, untranslate_hits = 0
2 (outside) to (wireless) source static outside_ip source-connect-6000 service port-6000 port-6000
translate_hits = 0, untranslate_hits = 0
Do you have the ACL to match the traffic so it's marked as "interesting" and processed? I dimly remember that being needed to make things work.
Yes, there is:
access-list outside_access extended permit udp any host <internal> eq 6001 log notifications
access-list outside_access extended permit udp any host <internal> eq 6000 log notifications
The NAT statement does not look right to me. Try:
! twice NAT takes a service object here, not an object-group
object service nat_services
 service udp destination range 6000 6001
!
object-group network internal_server
network-object host INTERNAL_SERVER_IP
!
nat (outside,wireless) source static any any destination static interface internal_server service nat_services nat_services
-Otanx
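As an added worked example (not Otanx's or the original poster's config), here is the complete set of commands for forwarding UDP 6000-6001 arriving on the outside interface to an internal host, followed by the two checks I would run before touching anything else. Assumed values: interface names outside and wireless as in the thread, internal host 192.168.1.10, an outside address of 198.51.100.10 handed out by DHCP, and a test client 203.0.113.5 (documentation addresses); the ASA runs 8.3+ syntax, where the ACL references the real (untranslated) address.

```cisco
! Added example, not the thread's config. Assumed: server 192.168.1.10 on "wireless",
! outside interface currently holds 198.51.100.10 (DHCP), test client 203.0.113.5.
object network udp_server
 host 192.168.1.10
!
! Twice NAT takes a service object (not an object-group). The ports go under
! "destination" because it is the destination address that is being translated.
object service udp_6000_6001
 service udp destination range 6000 6001
!
! Inbound to the outside interface address on 6000-6001 -> 192.168.1.10, same ports.
! "static" is bidirectional, so replies from 192.168.1.10 are translated back.
! "interface" is used instead of a literal address because the outside address is DHCP.
nat (outside,wireless) source static any any destination static interface udp_server service udp_6000_6001 udp_6000_6001
!
! 8.3+ ACLs match the real (post-untranslate) address, so permit to the internal
! host, not to the public address, and apply the ACL inbound on outside.
access-list outside_access extended permit udp any object udp_server range 6000 6001
access-group outside_access in interface outside
!
! Check 1: simulate a packet from the Internet to the public address.
! The UN-NAT, ACCESS-LIST and NAT phases should all show ALLOW and the
! summary should end with "output-interface: wireless" and "Action: allow".
packet-tracer input outside udp 203.0.113.5 40000 198.51.100.10 6000 detailed
!
! Check 2: after real traffic, untranslate_hits on this rule should be non-zero.
show nat detail
```

If the host sits on the LAN side of a WiFi router that does its own NAT between the ASA and the host, the ASA can only deliver the packets to that router's address on the wireless segment, and the router needs its own forward; if the router is in bridge/AP mode, the host has an address on the ASA's wireless segment and the ASA configuration alone is enough.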
The NAT is from highest security to lowest. So, nat inside or wireless -> outside.
That's if wireless has security level 100 and outside is the default 0.
I also recall needing to use the source port in the service port object.
Let's say the internal IP is 192.168.1.10 and comcrap is 1.1.1.1, so it will be like:
nat udp 192.168.1.10:6000 -> 1.1.1.1:6000
The UDP port number is the source port because from the firewall's perspective we're NATting from inside to outside to allow traffic inbound, but this is only the destination port on the reverse, i.e. when something remote is targeting our comcrap IP. Same with the IP: the source IP 192.168.1.10 is translated to 1.1.1.1, which is our source when going outbound.