Inbound static Natting

Aug 13th, 2008

I have been trying to get an inbound static rule working - with no success.


What we want is to have any computer on the web access port 7080, which is forwarded and NATted to the inside. We have two ASA 5520s in place (one which we control and the other that company X controls), as per the diagram.


The rules that I have in place want the source port to be 7080, and not the destination port, on the external interface of the ASA.


Rules that I have now (I have been testing with 1 IP address):

access-list outside_nat_static_1 extended permit tcp host 2.1.20.26 eq 7080 any


static (outside,SMARTS_VPN) tcp interface 7080 access-list outside_nat_static_1


What am I missing - thanks in advance



Marwan ALshawi Wed, 08/13/2008 - 21:49

Can you just post the exact addressing of the firewalls and the NAT config you have?


Because it must be very precise, as you have two NAT stages, which is not recommended but possible.


Then I can give you a more precise answer.

thanks

alex.broad Thu, 08/14/2008 - 07:20

Hi,


The config that I have posted is the running conf. The IP addresses have just had a number removed, e.g. 2.x.x.x = 22.x.x.x, so the numbers should not be "that" important (all internal numbers are what is in place ;-)


When I test the rules with the ASDM, if the packet source port is 7080 then the rules work. And if I test this from my local machine and force my local machine to send the packet from 7080, then everything works - however this should not be.


The source/port of the packet should be any - it is only the dest port that I want to NAT/forward on.


Thanks in advance

Marwan ALshawi Thu, 08/14/2008 - 15:40

As far as I know,

you can only map port to port (PAT)

or any to any (normal NAT),

but any to a specific port I haven't seen.


Anyway, if you use a web browser

you can map http to 7080 and so on;

in this case it will be more reasonable.


And regarding your config with the ACL,

try to make it like this:


static (smart_vpn, outside) [internal ip] [ur ACL]


By the way, have you made a permit ACL on the outside interface?


alex.broad Thu, 08/14/2008 - 07:42

To add to this:


access-list outside_nat_static_1 extended permit tcp host 2.1.20.26 eq 7080 any


static (outside,inside) tcp interface 7080 access-list outside_nat_static_1
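
Added example, not part of any post in this thread: in an ASA extended ACE, an `eq <port>` that follows the source address constrains the source port, and only an `eq` after the destination address constrains the destination port. The Python sketch below parses the ACE posted above plus one constructed variant (the `example_acl` name and the 51515 client port are assumptions) and compares ports only; it handles numeric `eq` ports and is not a NAT configuration.

```python
# Added example: which port field an "eq" binds to in an ASA extended ACE.
# Subset handled: permit|deny tcp|udp <addr> [eq <n>] <addr> [eq <n>], where
# <addr> is "any", "host <ip>", "interface <name>" or "<network> <mask>".

def _take_addr(tok, i):
    """Consume one address spec at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2   # host/interface/network forms

def _take_port(tok, i):
    """Consume an optional 'eq <n>' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    tok = line.split()
    if tok[0] == "access-list":              # drop "access-list <name> [extended]"
        tok = tok[3:] if tok[2] == "extended" else tok[2:]
    src, i = _take_addr(tok, 2)
    src_port, i = _take_port(tok, i)          # operator right after the source
    dst, i = _take_addr(tok, i)
    dst_port, i = _take_port(tok, i)          # operator right after the destination
    return {"action": tok[0], "proto": tok[1], "src": src,
            "src_port": src_port, "dst": dst, "dst_port": dst_port}

def matches_ports(ace, src_port, dst_port):
    """Port-only comparison; None in the ACE means any port."""
    return (ace["src_port"] in (None, src_port)
            and ace["dst_port"] in (None, dst_port))

# The ACE as posted in the thread.
POSTED = "access-list outside_nat_static_1 extended permit tcp host 2.1.20.26 eq 7080 any"
# Constructed variant (not from the thread): same tokens, "eq" after the destination.
MOVED = "access-list example_acl extended permit tcp any host 2.1.20.26 eq 7080"

if __name__ == "__main__":
    for name, line in (("posted", POSTED), ("moved", MOVED)):
        ace = parse_ace(line)
        print(name, "src_port =", ace["src_port"], "dst_port =", ace["dst_port"])
        # Constructed packets: a client on ephemeral port 51515 targeting 7080,
        # and a packet forced to leave from source port 7080.
        print("  51515 -> 7080:", matches_ports(ace, 51515, 7080))
        print("  7080  -> 80  :", matches_ports(ace, 7080, 80))
```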


