Simple asa 5505 firewall NAT question

Feb 25th, 2009

Hi,

I want to allow incoming traffic on port 444 to be NATed to an internal host. I also want to allow this traffic using ACL. Seems fairly simple but I can't figure it out.



The important part of my config:

xxx.xxx.xxx.xxx is my external IP address.

: Saved
:
ASA Version 7.2(3)
!
hostname x
domain-name x
enable password x
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!

access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.xxx 444 192.168.100.16 444 netmask 255.255.255.255
access-group outside_access_in in interface outside



Jon Marshall Wed, 02/25/2009 - 03:08

Traffic coming from outside will not have both the src and dst port set to 444 so your acl will not work -

access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444

assuming you are talking about traffic coming in with a destination port of 444 which you then want to send to your internal server 192.168.100.16 change the acl line to -

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

Jon

and I always find it useful when I am using the IP address of the outside interface to configure the acl & nat to use it, like:-

access-list outside_access_in extended permit tcp any interface outside eq telnet

static (inside,outside) tcp interface 23 192.168.100.16 23 netmask 255.255.255.255

HTH
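The two points made in the replies above (an inbound ACL entry must not constrain the client's source port, and every static port forward needs a matching permit in the outside ACL) can be checked mechanically before the config is pushed. The following is an added example, not code from this thread or from Cisco: a small Python parser for ASA 7.x-style `access-list ... extended` and `static` port-forward lines, which flags entries with a source-port operator and statics that no entry in the outside ACL permits. The sample config is constructed in the shape of the poster's, with 203.0.113.10 standing in for the masked outside address. One assumption is baked in: an ACL destination written as `interface outside` and a static written with a literal IP are treated as different references, which is the consistent `interface`/`interface` pairing the second reply recommends; the port-name table covers only a handful of the names the ASA accepts.

```python
# Added example (not from the thread, not Cisco code): audit ASA 7.x-style "access-list ... extended" and "static" lines.
from dataclasses import dataclass
from typing import Dict, List, Optional

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
PORT_NAMES = {"telnet": "23", "ssh": "22", "www": "80", "https": "443"}  # subset of ASA port names

@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    sport: Optional[str]  # e.g. "eq 444": a constraint on the client's *source* port
    dst: str
    dport: Optional[str]

@dataclass
class StaticPat:
    proto: str
    mapped_addr: str  # literal outside IP, or "interface" for the outside interface's own address
    mapped_port: str
    real_addr: str
    real_port: str

def _parse_addr(t: List[str], i: int):
    """Consume one address spec (any | host A | interface NAME | NET MASK) at t[i]."""
    return ("any", i + 1) if t[i] == "any" else (f"{t[i]} {t[i + 1]}", i + 2)

def _parse_port(t: List[str], i: int):
    """Consume an optional port operator at t[i]; (None, i) if there is none."""
    if i < len(t) and t[i] in PORT_OPS:
        n = 3 if t[i] == "range" else 2
        return " ".join(t[i:i + n]), i + n
    return None, i

def parse_acl(line: str) -> AclEntry:
    t = line.split()  # access-list NAME extended ACTION PROTO SRC [SPORT] DST [DPORT] ...
    src, i = _parse_addr(t, 5)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)  # trailing keywords such as "log" are ignored
    return AclEntry(t[1], t[3], t[4], src, sport, dst, dport)

def parse_static(line: str) -> Optional[StaticPat]:
    t = line.split()  # static (REAL,MAPPED) tcp|udp MAPPED_ADDR MPORT REAL_ADDR RPORT netmask ...
    if t[2] not in ("tcp", "udp"):  # one-to-one static with no ports: not a port forward
        return None
    return StaticPat(t[2], t[3], t[4], t[5], t[6])

def parse_config(text: str):
    acls, statics = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("access-list ") and " extended " in line:
            acls.append(parse_acl(line))
        elif line.startswith("static ") and (st := parse_static(line)) is not None:
            statics.append(st)
    return acls, statics

def _dst_key(dst: str) -> str:
    """Normalise an ACL destination so it compares with a static's mapped address."""
    kind, _, rest = dst.partition(" ")
    return rest if kind == "host" else ("interface" if kind == "interface" else dst)

def entry_permits(acl: AclEntry, st: StaticPat) -> bool:
    """True if this entry lets a real client reach the static's mapped socket."""
    if acl.action != "permit" or acl.proto not in ("ip", st.proto):
        return False
    if acl.sport is not None:  # clients use ephemeral source ports, so this never matches them
        return False
    if _dst_key(acl.dst) not in ("any", st.mapped_addr):  # "interface" and a literal IP stay distinct
        return False
    if acl.dport is None:
        return True
    op, _, port = acl.dport.partition(" ")
    return op == "eq" and PORT_NAMES.get(port, port) == PORT_NAMES.get(st.mapped_port, st.mapped_port)

def audit(text: str, acl_name: str = "outside_access_in") -> Dict[str, list]:
    acls, statics = parse_config(text)
    inbound = [a for a in acls if a.name == acl_name]
    return {
        "source_port_entries": [a for a in inbound if a.sport is not None],
        "unpermitted_statics": [s for s in statics if not any(entry_permits(a, s) for a in inbound)],
    }

# Constructed sample in the shape of the thread's config; 203.0.113.10 stands in for the masked outside IP.
BAD_ACL = "access-list outside_access_in extended permit tcp any eq 444 host 203.0.113.10 eq 444"
GOOD_ACL = "access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 444"
SAMPLE_CONFIG = f"""access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
{BAD_ACL}
access-list outside_access_in extended permit tcp any interface outside eq telnet
static (inside,outside) tcp 203.0.113.10 444 192.168.100.16 444 netmask 255.255.255.255
static (inside,outside) tcp interface 23 192.168.100.16 23 netmask 255.255.255.255
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace(BAD_ACL, GOOD_ACL)

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with the corrected ACL", FIXED_CONFIG)):
        r = audit(cfg)
        print(label, "| source-port entries:", len(r["source_port_entries"]),
              "| statics with no permit:", [f"{s.proto}/{s.mapped_port}" for s in r["unpermitted_statics"]])
```

Run against the sample as posted, the audit reports one source-port entry (the `any eq 444` line) and one static with no permit (tcp/444), while the telnet forward is covered because both its ACL entry and its static refer to `interface`. After the ACL line is replaced with the corrected form, both lists are empty. The parser only models the line shapes shown in this thread (extended ACLs and tcp/udp statics on ASA 7.2); object-groups, `range`-based statics and the 8.3+ NAT syntax are out of scope.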

robbhanMid Wed, 02/25/2009 - 07:06

I changed the ACL to:

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

But the problem still remains. Is there something wrong with my NAT rule perhaps?
