ASA 5505 Port forwarding

Unanswered Question
Mar 29th, 2007

I cannot seem to get port forwarding working on my ASA 5505. I am running everything through one outside IP and do not have additional public IPs to use. I think I have the configuration right, but it is still not working. Through ASDM I do a packet trace and the flow stops at the NAT section with the following error: no translation group found for source outside....

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
vitripat Thu, 03/29/2007 - 16:33

Following are the commands required for port-forwarding. Assuming that you have a webserver with internal IP x.x.x.x and need to use the outside interface for access from outside, you would need following commands-

static (inside,outside) tcp interface 80 x.x.x.x 80

access-list outside_in permit tcp any interface eq 80

access-group outside_ in in interface outside

If you already have a access-group on the outside interface, please use the access-list in the same access-group.

Hope this clears your issue.

Regards,

Vibhor.

DJCanuck1_2 Thu, 03/29/2007 - 17:53

Still cannot get this working...

ASA Version 7.2(2)

!

hostname Cal12-ASA5505

domain-name carmanah.com

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address XXXXXXXXXXXX 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns server-group DefaultDNS

domain-name carmanah.com

object-group service Dameware tcp

port-object range 6129 6129

object-group service RDC tcp

description Remote Desktop Connections

port-object range 3389 3389

access-list inside_access_out extended permit tcp any eq www any

access-list inside_access_out extended permit tcp any eq smtp any

access-list inside_access_out extended permit tcp any eq ftp-data any

access-list inside_access_out extended permit tcp any eq ftp any

access-list inside_access_out extended permit tcp any eq sqlnet any

access-list inside_access_out extended permit tcp any eq nntp any

access-list inside_access_out extended permit tcp any eq 3389 any

access-list inside_access_out extended permit udp any eq ntp any

access-list inside_access_out extended permit esp any any

access-list inside_access_out extended permit tcp any eq https any

access-list inside_access_out extended permit tcp any eq domain host 207.54.98.193

access-list inside_access_out extended permit udp any eq domain host 207.54.98.193

access-list outside_access_in extended permit udp host 207.54.98.193 eq domain any

access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.5 eq 3389

pager lines 24

logging enable

logging timestamp

logging asdm-buffer-size 200

logging console errors

logging asdm warnings

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 207.54.100.105 3389 192.168.1.5 3389 netmask 255.255.255.255

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 207.54.100.110 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec

password-storage disable

group-lock none

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 10

ssh timeout 5

console timeout 10

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

ntp server 136.159.2.2 source outside prefer

prompt hostname context

Cryptochecksum:xxx

: end

acomiskey Thu, 03/29/2007 - 18:27

acl should be

access-list outside_access_in extended permit tcp any host 207.54.100.105 eq 3389

This will allow any to access 207.54.100.105 on tcp 3389. You do not reference the server with the inside address when the acl is applied on the outside interface. You also had "permit tcp any eq 3389" which means any source with a source port of 3389, you don't want to filter on source port, just destination. Now that I look again, all your acl's are written with a source port. So those should be like this...

access-list inside_access_out extended permit tcp any any eq www

access-list inside_access_out extended permit tcp any any eq smtp

access-list inside_access_out extended permit tcp any any eq ftp-data

access-list inside_access_out extended permit tcp any any eq ftp

access-list inside_access_out extended permit tcp any any eq sqlnet

access-list inside_access_out extended permit tcp any any eq nntp

access-list inside_access_out extended permit tcp any any eq 3389

access-list inside_access_out extended permit udp any any eq ntp

access-list inside_access_out extended permit esp any any

access-list inside_access_out extended permit tcp any any eq https

access-list inside_access_out extended permit tcp any host 207.54.98.193 eq domain

access-list inside_access_out extended permit udp any host 207.54.98.193 eq domain

David White Thu, 03/29/2007 - 19:30

One addendum to acomiskey's comments.

If you only have a single routable address (allocated by your ISP), then you need to use the keyword "interface" in both the static and ACL statements. Do not specify the outside IP address in the static command if you are overloading on the interface. That is not supported.

Sincerely,

David.

acomiskey Fri, 03/30/2007 - 12:00

Yes, thanks david, if your outside interface address is 207.54.100.105 then your acl's need to look like this

access-list outside_access_in extended permit tcp any interface outside eq 3389

and as vibhor wrote, your static's need to look like this

static (inside,outside) tcp interface 3389 192.158.1.5 3389

Actions

This Discussion