Opening A Port To Server On LAN & Allowing Port Forwarding

Feb 27th, 2009

Hello All,

I have been tasked with configuring some port access for a server on my internal LAN. The vendor provided me with 2 IPs on their end that I need to allow port 1081 access to my server on my LAN.

We use an ASA 5520 (Ver. 8.0) with ASDM 6.0(3). I was wondering, to accomplish this, do I need to create a 1-to-1 NAT translation so that this server on the inside can see traffic destined for it from the outside? Or can I simply forward any traffic from those two IPs to my server coming over port 1081?

Thank you,


eddie.mitchell@... Fri, 02/27/2009 - 13:52

1-You need a static statement to translate one of your public IP addresses to the inside IP address of your server.

2-You need a corresponding ACE on your outside interface ACL to permit traffic over port 1081 from the 2 vendor addresses to the public IP statically NATed to your server.

If the traffic over 1081 is unencrypted, I would recommend using an IPSec tunnel.

Hope this helps.

ljgarcia44 Fri, 02/27/2009 - 14:17

Andrew, I like the port-forwarding option as well. Would it be too much to ask for more specific information? Keep in mind I am only experienced in ASDM and I have never managed a firewall via command line. Or maybe if I explain your solution out, you can correct me where I'm wrong. I currently have 4 interfaces configured on my ASA. outside, inside, DMZ, and a dedicated interface for our police department. The server resides on a LAN segment on the "Inside" interface. The "Outside" interface is where the ISP is connected.

Step 1. Create an incoming Access Rule on my firewall's outside interface that allows TCP port 1081 traffic from "vendor's IP addresses".

Step 2. I imagine this is where I set up the port-forwarding to my internal server (If possible, I require assistance with this).

Thank you!



Not a fan of the ASDM, so I do everything via the CLI.

To have an ACL allow access, the below is what I would do:-

access-list outside_in extended permit tcp host <> interface outside eq 1081

access-list outside_in extended permit tcp host <> interface outside eq 1081

access-group outside_in in interface outside

The above config binds the ACL to the traffic from the ISP to your firewall interface and allows it through on the specific TCP destination port of 1081.

then the NAT:-

static (inside,outside) tcp interface 1081 <> 1081 netmask

The above instructs the firewall to forward any TCP 1081 connections for the outside interface IP onto the internal server IP and TCP port 1081.
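The two-step approach both replies describe (an ACE on the outside ACL plus a static PAT), written out as one complete ASA 8.0-era configuration with a verification step. This is an added example, not config posted in the thread; every address in it is an assumption: 203.0.113.10 and 203.0.113.11 for the vendor hosts, 192.0.2.1 for the outside interface, 192.168.10.25 for the inside server, and 198.51.100.7 as an arbitrary non-vendor source used only to confirm the deny.

```cisco
! Added example, not from the thread. Assumed addresses:
!   vendor hosts      203.0.113.10, 203.0.113.11
!   outside interface 192.0.2.1   (the public endpoint the vendor connects to)
!   inside server     192.168.10.25 (on the "inside" interface)
!
! Group the two vendor addresses so the ACL needs one line per port.
object-group network VENDOR_HOSTS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
!
! 1. Permit inbound TCP/1081 from the vendor hosts only. On 8.0/8.2 code the
!    outside ACL matches the translated (public) destination, so the
!    destination is the outside interface address, not 192.168.10.25.
!    "eq" is required in front of the port number. Everything else is
!    dropped by the ACL's implicit deny.
access-list outside_in extended permit tcp object-group VENDOR_HOSTS interface outside eq 1081
access-group outside_in in interface outside
!
! 2. Static PAT: 192.0.2.1:1081 (outside interface) -> 192.168.10.25:1081.
!    The netmask is 255.255.255.255 because a single host is translated.
static (inside,outside) tcp interface 1081 192.168.10.25 1081 netmask 255.255.255.255
!
! 3. Verify before telling the vendor the port is open. The first trace
!    should end "Action: allow" with the UN-NAT phase showing 192.168.10.25;
!    the second (non-vendor source, assumed address) should end
!    "Action: drop" in the ACCESS-LIST phase.
packet-tracer input outside tcp 203.0.113.10 40000 192.0.2.1 1081
packet-tracer input outside tcp 198.51.100.7 40000 192.0.2.1 1081
```

Two caveats for anyone copying this. If an ACL is already bound to the outside interface, add the ACE to that existing ACL instead of issuing a new access-group, since access-group replaces the binding and would cut off whatever the old ACL permitted. And this is 8.0/8.2 syntax only: from 8.3 onward the static command is replaced by object NAT and interface ACLs match the real (inside) address, so the destination in the ACE would become 192.168.10.25.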


ljgarcia44 Tue, 03/03/2009 - 14:57

This is great information, Thank you Andrew. Is there anyone out there that can assist me in setting this up through ASDM?

