Simple asa 5505 firewall NAT question

Unanswered Question
Feb 25th, 2009

Hi,

I want to allow incoming traffic on port 444 to be NATed to an internal host. I also want to allow this traffic using ACL. Seems fairly simple but I can't figure it out.

The important part of my config:

xxx.xxx.xxx.xxx is my external IP address.

: Saved
:
ASA Version 7.2(3)
!
hostname x
domain-name x
enable password x
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.xxx 444 192.168.100.16 444 netmask 255.255.255.255
access-group outside_access_in in interface outside

Jon Marshall Wed, 02/25/2009 - 03:08

Traffic coming from outside will not have both the src and dst port set to 444 so your acl will not work -

access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444

assuming you are talking about traffic coming in with a destination port of 444 which you then want to send to your internal server 192.168.100.16 change the acl line to -

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

Jon
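Jon's point is that a client opening a connection to port 444 picks an ephemeral source port, so an ACE that also requires `eq 444` on the source side never matches a normal inbound SYN. The following matcher for the ASA extended-ACE syntax used in this thread makes that visible; it is an added example written for this page, not Cisco code or anything posted in the thread. It assumes 203.0.113.10 as a stand-in for the redacted xxx.xxx.xxx.xxx, a constructed client at 198.51.100.7:51234, and first-match evaluation with the implicit deny at the end of the ACL.

```python
"""Matcher for the Cisco ASA extended-ACE syntax used in the thread.

Added example, not Cisco code. It models first-match evaluation with the
ASA's implicit deny at the end of an ACL, for the address forms 'any',
'host A.B.C.D' and 'A.B.C.D MASK', each with an optional 'eq PORT'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder for the thread's redacted xxx.xxx.xxx.xxx (TEST-NET-3 range).
PUBLIC_IP = "203.0.113.10"

# The ACE as posted, and Jon's corrected version (PUBLIC_IP substituted).
ORIGINAL_ACE = (
    f"access-list outside_access_in extended permit tcp any eq 444 host {PUBLIC_IP} eq 444"
)
CORRECTED_ACE = f"access-list outside_access_in extended permit tcp any host {PUBLIC_IP} eq 444"
ICMP_ACE = "access-list outside_access_in extended permit icmp any any"


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D MASK' form, as in the thread's l2l_list entry
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' operator starting at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    action, proto = t[3], t[4]
    src, i = _parse_addr(t, 5)
    src_port, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dst_port, i = _parse_port(t, i)
    return Ace(action, proto, src, src_port, dst, dst_port)


def ace_matches(ace: Ace, proto, src_ip, src_port, dst_ip, dst_port) -> bool:
    """True if the packet's 5-tuple satisfies every field the ACE constrains."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ace.src:
        return False
    if ipaddress.ip_address(dst_ip) not in ace.dst:
        return False
    # A port operator on the source side constrains the client's port, which for
    # a normal TCP client is an ephemeral value, not the service port.
    if ace.src_port is not None and ace.src_port != src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != dst_port:
        return False
    return True


def acl_decision(lines, proto, src_ip, src_port, dst_ip, dst_port) -> str:
    """First matching ACE wins; an ACL with no match denies (ASA implicit deny)."""
    for ace in (parse_ace(line) for line in lines):
        if ace_matches(ace, proto, src_ip, src_port, dst_ip, dst_port):
            return ace.action
    return "deny"


def inbound_syn_decision(acl_lines) -> str:
    """Decision for a constructed client SYN 198.51.100.7:51234 -> PUBLIC_IP:444.

    On ASA 7.2 the outside ACL is written against the public (mapped) address,
    as the thread's lines are, so the check uses the destination as it arrives
    on the outside interface.
    """
    return acl_decision(acl_lines, "tcp", "198.51.100.7", 51234, PUBLIC_IP, 444)


if __name__ == "__main__":
    print("original ACE :", inbound_syn_decision([ICMP_ACE, ORIGINAL_ACE]))  # deny
    print("corrected ACE:", inbound_syn_decision([ICMP_ACE, CORRECTED_ACE]))  # permit
```

The original ACE only permits a client that happens to use 444 as its own source port, which is why the corrected line drops the source-side `eq 444` and constrains the destination only.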

robbhanMid Wed, 02/25/2009 - 07:06

I changed the ACL to:

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

But the problem still remains. Is there something wrong with my NAT rule perhaps?
