Help with port forwarding

kpoon
Level 1

I have recently installed an ASA5510. I need to forward certain incoming internet traffic to a few internal servers as below:

These 3 are already configured with NAT and security policy via ASDM.

tcp-smtp traffic from 66.66.66.66 goes to 192.168.1.16

tcp-http traffic from 66.66.66.66 goes to 192.168.1.16

tcp-https traffic from 66.66.66.66 goes to 192.168.1.16

However, I'm not quite sure how to accomplish the following since it doesn't allow me to overlap the 192.168.1.x subnet:

tcp-pptp traffic from 66.66.66.66 goes to 192.168.1.10

ip-gre47 from 66.66.66.66 goes to 192.168.1.10

where 66.66.66.66 is part of our external subnet.

11 Replies

acomiskey
Level 10

static (inside,outside) tcp 66.66.66.66 smtp 192.168.1.16 smtp netmask 255.255.255.255

static (inside,outside) tcp 66.66.66.66 www 192.168.1.16 www netmask 255.255.255.255

static (inside,outside) tcp 66.66.66.66 https 192.168.1.16 https netmask 255.255.255.255

static (inside,outside) tcp 66.66.66.66 pptp 192.168.1.10 pptp netmask 255.255.255.255

The last one won't work.

It's complaining about

ERROR: mapped-address conflict with existing static inside:192.168.1.16 to outside:66.66.66.66 netmask 255.255.255.255

when I do

static (inside,outside) tcp 66.66.66.66 pptp 192.168.1.10 pptp netmask 255.255.255.255

Post a "show run static" before you input that command that you got an error on.

ciscoasa(config)# show run static

static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255

static (inside,outside) 66.66.66.132 192.168.1.15 netmask 255.255.255.255

static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255

static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255 *this is only a temp solution for us*

ciscoasa(config)# static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10$

ERROR: mapped-address conflict with existing static inside:192.168.1.16 to outside:66.66.66.133 netmask 255.255.255.255

and this is from the config:

access-list dzm extended permit ip any any

access-list dzm extended permit icmp any any

access-list ouside extended permit ip any any

access-list cont_in extended permit ip host 66.66.66.135 any

access-list outside extended permit tcp any host 66.66.66.134

access-list outside extended permit tcp any host 66.66.66.132 eq 3103

access-list outside extended permit tcp any host 66.66.66.133 eq smtp

access-list outside extended permit tcp any host 66.66.66.133 eq www

access-list outside extended permit tcp any host 66.66.66.133 eq https

access-list outside extended permit udp any host 66.66.66.133 eq www

access-list outside extended permit gre any host 66.66.66.137

access-list outside extended permit tcp any host 66.66.66.137 eq pptp

access-list outside_cryptomap_20 extended permit ip 192.168.0.0 255.255.0.0 192.168.123.0 255.255.255.0

access-list Split_tunnel_ACL standard permit 192.168.0.0 255.255.0.0

access-list outside_cryptomap_80 extended permit ip 192.168.1.0 255.255.255.0 192.168.111.0 255.255.255.0

access-list outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.222.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool rock-pool 192.168.100.1-192.168.100.50 mask 255.255.255.0

icmp permit any outside

icmp permit any inside

asdm image disk0:/asdm512-k8.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

static (inside,outside) 66.66.66.134 172.30.1.50 netmask 255.255.255.255

static (inside,outside) 66.66.66.132 192.168.1.15 netmask 255.255.255.255

static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255

static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255

I don't think it likes that you already have a static for 1.10.

static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255

You would have to remove that, make it port forwarding for whichever ports you needed, then add the port forward for pptp.

no static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255

static (inside,outside) tcp 66.66.66.137 whatever 192.168.1.10 whatever netmask 255.255.255.255

static (inside,outside) tcp 66.66.66.66 pptp 192.168.1.10 pptp netmask 255.255.255.255

I tried

static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255

static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255

But emails are not coming in, nor can we connect to 66.66.66.133 pptp from the internet.

The only way I could make it work is

access-list outside extended permit tcp any host 66.66.66.133 eq smtp

access-list outside extended permit tcp any host 66.66.66.137 eq pptp

static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255

static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255

access-group outside in interface outside

I want to keep both services on the outside 66.66.66.133 but it wouldn't allow me to do so. I don't know how I can accomplish that.

static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255

static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255

access-list outside extended permit tcp any host 66.66.66.133 eq smtp

access-list outside extended permit tcp any host 66.66.66.133 eq pptp

access-group outside in interface outside

clear xlate

That should work how you had it.

It works great! Thank you very much!

You've mentioned that static wouldn't work with GRE. Is there any workaround if I want to do something like this?

static (inside,outside) tcp 66.66.66.133 smtp 192.168.1.16 smtp netmask 255.255.255.255

static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255

static (inside,outside) ip 66.66.66.133 47 192.168.1.10 47 netmask 255.255.255.255

access-list outside extended permit tcp any host 66.66.66.133 eq smtp

access-list outside extended permit tcp any host 66.66.66.133 eq pptp

access-list outside extended permit ip any host 66.66.66.133 eq 47

Do you think you can look at another issue I have when you get a chance?

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=Subscriptions&loc=.1ddefbb9/0&forum=Security&topic=General

Thanks again!

These commands will not work

static (inside,outside) ip 66.66.66.133 47 192.168.1.10 47 netmask 255.255.255.255

access-list outside extended permit ip any host 66.66.66.133 eq 47

Your option is to use another ip address (if you have one or you can use the ASA interface ip) for the gre like this...

static (inside,outside) 66.66.66.1xx 192.168.1.10 netmask 255.255.255.255

access-list outside extended permit gre any host 66.66.66.1xx

but you would have to get rid of your other static with 192.168.1.10

no static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255

Please rate helpful posts above.

Thanks, I will post about your other issue in a moment.
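The conflict the OP hit, the accepted fix, and the GRE limitation from the last reply, modelled together as an added example (this is not code from the thread or from Cisco): a small Python checker that applies pre-8.3 ASA `static` lines in order and reports the conflicts the replies describe. `parse_static`, `check_add`, `apply_config`, the `PORTLESS` set and the error strings are this example's own; the real-address rule is taken from the last reply's statement rather than verified against an ASA, and the sample configs are constructed to mirror the thread.

```python
"""Conflict checker for pre-8.3 ASA 'static' NAT lines.  Added example, not Cisco code;
function names and error strings are this example's own.  Rules, following the replies:
  1. A 1:1 static (no protocol/port) owns the whole mapped IP, so a port static on that
     IP for a DIFFERENT real host fails with "mapped-address conflict"; per-port statics
     are what let two inside hosts share one public address.
  2. GRE (IP protocol 47) has no port numbers, so it cannot be port-forwarded and needs
     a mapped IP dedicated to the real host.
  3. A real host cannot hold a 1:1 static and a port static on another mapped IP at once
     (taken from the last reply; an assumption to verify on your ASA version).
"""
from dataclasses import dataclass
from typing import List, Optional

PORTLESS = {"ip", "gre", "47", "esp", "50", "icmp"}   # protocols with no L4 port field


@dataclass(frozen=True)
class Static:
    proto: Optional[str]          # None -> one-to-one static
    mapped_ip: str
    mapped_port: Optional[str]
    real_ip: str
    real_port: Optional[str]

    @property
    def one_to_one(self) -> bool:
        return self.proto is None


def parse_static(line: str) -> Optional[Static]:
    """Parse 'static (inside,outside) [proto] mapped [mport] real [rport] netmask ...'."""
    tok = line.split()
    if tok[:2] != ["static", "(inside,outside)"] or "netmask" not in tok:
        return None                            # ACL, access-group, clear xlate, ...
    body = tok[2:tok.index("netmask")]
    if len(body) == 2:                         # 1:1 static
        return Static(None, body[0], None, body[1], None)
    if len(body) == 5:                         # port static
        proto, mip, mport, rip, rport = body
        return Static(proto.lower(), mip, mport, rip, rport)
    raise ValueError(f"unrecognised static syntax: {line}")


def check_add(existing: List[Static], new: Static) -> Optional[str]:
    """Return an ASA-style error if 'new' cannot coexist with 'existing', else None."""
    if new.proto in PORTLESS:                                          # rule 2
        return (f"ERROR: {new.proto} has no ports; use a one-to-one static on a "
                f"mapped address dedicated to {new.real_ip}")
    for s in existing:
        if not (s.one_to_one or new.one_to_one):
            continue           # two port statics on different ports coexist (same-port clash not modelled)
        if s.mapped_ip == new.mapped_ip and s.real_ip != new.real_ip:  # rule 1
            return ("ERROR: mapped-address conflict with existing static "
                    f"inside:{s.real_ip} to outside:{s.mapped_ip} netmask 255.255.255.255")
        if s.real_ip == new.real_ip and s.mapped_ip != new.mapped_ip:  # rule 3
            return ("ERROR: real-address conflict with existing static "
                    f"inside:{s.real_ip} to outside:{s.mapped_ip} netmask 255.255.255.255")
    return None


def apply_config(lines: List[str]) -> List[str]:
    """Apply 'static' / 'no static' lines in order; return the errors that would be raised."""
    table: List[Static] = []
    errors: List[str] = []
    for line in lines:
        line = line.strip()
        if line.startswith("no static "):
            target = parse_static(line[3:])
            table = [s for s in table if s != target]
            continue
        rule = parse_static(line)
        if rule is None:
            continue
        err = check_add(table, rule)
        if err:
            errors.append(err)
        else:
            table.append(rule)
    return errors


# Constructed sample configs mirroring the thread (not live ASA output).
EXISTING = [  # the OP's 'show run static', minus the unrelated hosts
    "static (inside,outside) 66.66.66.133 192.168.1.16 netmask 255.255.255.255",
    "static (inside,outside) 66.66.66.137 192.168.1.10 netmask 255.255.255.255",
]
PORT_STATICS = [
    f"static (inside,outside) tcp 66.66.66.133 {p} 192.168.1.16 {p} netmask 255.255.255.255"
    for p in ("smtp", "www", "https")
] + ["static (inside,outside) tcp 66.66.66.133 pptp 192.168.1.10 pptp netmask 255.255.255.255"]
SCENARIOS = {
    "original": EXISTING + PORT_STATICS[-1:],                  # the OP's failing command
    "fixed": EXISTING + ["no " + s for s in EXISTING] + PORT_STATICS,   # accepted answer
    "gre_port_static": PORT_STATICS + [                        # cannot work: GRE has no ports
        "static (inside,outside) ip 66.66.66.133 47 192.168.1.10 47 netmask 255.255.255.255"],
    "gre_dedicated_ip": PORT_STATICS + ["no " + PORT_STATICS[-1], EXISTING[1]],  # last reply
    "gre_without_cleanup": PORT_STATICS + [EXISTING[1]],       # same, but pptp static kept
}

if __name__ == "__main__":
    for name, cfg in SCENARIOS.items():
        print(f"{name:20s} {apply_config(cfg) or 'OK'}")
```

Running it prints one line per scenario: `original` reproduces the mapped-address error quoted above, `fixed` and `gre_dedicated_ip` come back clean, and `gre_without_cleanup` shows why the last reply says to remove the pptp port static first. Two things the thread leaves implicit: the ACL entry for GRE has to be `permit gre any host ...` (as in the OP's own line for 66.66.66.137), because `eq` is only valid for tcp and udp; and the `static` command was replaced by object NAT in ASA 8.3, so on a current release the same "one mapped IP, several real hosts" question is answered with per-host `nat (inside,outside) static ... service tcp ...` rules rather than this syntax. Separately, PPTP's MS-CHAPv2 handshake can be cracked offline by anyone who captures it, so exposing pptp/GRE to the Internet is a risk in its own right; an IPsec or TLS-based VPN avoids both that weakness and the GRE forwarding problem.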
