Inbound static Natting

alex.broad
Level 1

I have been trying to get an inbound static rule working - with no success.

What we want is to have any computer on the web access port 7080, which is forwarded and NATted to the inside. We have two ASA 5520s in place (one which we control and the other that company X controls), as per the diagram.

The rules that I have in place want the source port to be 7080 and not the destination port on the external interface on the ASA.

Rules that I have now (I have been testing with 1 IP address):

access-list outside_nat_static_1 extended permit tcp host 2.1.20.26 eq 7080 any

static (outside,SMARTS_VPN) tcp interface 7080 access-list outside_nat_static_1

What am I missing? Thanks in advance.

4 Replies

Marwan ALshawi
VIP Alumni

Can you just post the exact addressing of the firewalls and the NATing config you have,

because it must be very precise, as you have two NATing stages, which is not recommended but possible.

Then I can give you a more precise answer.

Thanks

Hi,

The config that I have posted is the running conf. The IP addresses have just had a number removed, e.g. 2.x.x.x = 22.x.x.x, so the numbers should not be "that" important (all internal numbers are what is in place ;-).

When I test the rules with the ASDM, if the packet source port is 7080 then the rule works, and if I test this from my local machine and force my local machine to send the packet from 7080 then everything works - however, this should not be.

The source/port of the packet should be any - it is only the dest port that I want to NAT/forward on.

Thanks in advance

As I know,

you can only map port to port (PAT)

or any to any (normal NAT),

but any to a specific port I haven't seen.

Anyway, if you use a web browser

you can map http to 7080 and so on;

in this case it will be more reasonable.

And regarding your config with the ACL,

try to make it like this:

static (smart_vpn, outside) [internal ip] [ur ACL]

By the way, have you made a permit ACL on the outside interface?

alex.broad
Level 1

To add to this

access-list outside_nat_static_1 extended permit tcp host 2.1.20.26 eq 7080 any

static (outside,inside) tcp interface 7080 access-list outside_nat_static_1
