Port forwarding using outside interface - ASA with 8.3.1

Answered Question

Hi,

I am struggling badly to figure out how to port forward the ftp service to one of my internal boxes when the outside interface is using DHCP. It was very easy with the earlier version of code, but the new syntax of 8.3.1 is throwing me off totally. There is neither a good example in the documentation for the command line, nor does the ASDM configuration push it off either.

Goal: Inbound ftp request to outside interface needs to be forwarded to 172.20.100.11 on inside host.

Can somebody help out with correct syntax? OR should I downgrade to previous version of code?

Thanks,

Sam Munzani

Correct Answer by Federico Coto F... about 6 years 6 months ago

Hi,

According to the migration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Old Configuration

static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255

Migrated Configuration

object network obj-10.1.1.16
host 10.1.1.16
nat (inside,outside) static 10.1.2.45 service tcp 8080 www


Hope it helps.

Federico.


John Blakley Tue, 05/25/2010 - 08:30

I don't have that version of the code, but unless things have changed drastically, you might be able to try something like:

static (inside,outside) tcp interface 21 172.20.100.11 21

Then in your ACL, you'd put:

access-list OUTSIDE permit tcp any interface outside eq 21

HTH,

John

*** You really use the word "interface" ***

That is the old syntax and does not work with 8.3.1 code at all. That's my frustration. The static command is removed from 8.3.1.

In the past, when Cisco deprecated some commands, the OS automatically converted the command syntax if the old commands were typed. In this case, it complains that the command has been deprecated but doesn't do the conversion or point out the right syntax.

See output below.

ASA(config)# static (inside,outside) tcp interface 21 172.20.100.11 21
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

Needless to say, the "help nat" command and the product documentation don't show a good example of how to achieve it. They show how to do port forwarding using a dedicated IP, but nothing shows how to do it with the outside interface itself.

Thanks,

Sam

John Blakley Tue, 05/25/2010 - 11:47

Okay,

I upgraded a 5505 here and I see what you mean.

From what I can guess, try this. You want your FTP traffic to be forwarded to 172.20.100.11. In the ASA type:

object network FTPSERVER
host 172.20.100.11
nat (inside,outside) dynamic interface

That's it....see if that works and PLEASE let me know because I have 2 firewalls in active/standby that have a TON of mappings in them. :-)

HTH,

John

Did not work. Here is my config.

object network obj-172.24.100.0
subnet 172.24.100.0 255.255.255.0

object network FTPSERVER
host 172.24.100.22

!

object-group service FTP-Service tcp
port-object eq ftp
port-object eq ftp-data

!

access-list outside-in extended permit tcp any host 172.24.100.22 object-group FTP-Service

!

object network obj-172.24.100.0
nat (inside,outside) dynamic interface
object network FTPSERVER
nat (inside,outside) dynamic interface

!

Are you sure it's supposed to be dynamic NAT?

Correct Answer
John Blakley Tue, 05/25/2010 - 12:39

Are you sure it's supposed to be dynamic NAT?

No. We're both learning this at the same time! LOL!

Try with:

nat (inside,outside) static interface service tcp ftp ftp
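The thread ends with the working static PAT line but never shows the surrounding configuration. As an added example (not posted by anyone in the thread and not taken from Cisco documentation), here is the complete 8.3 configuration for the goal stated in the original question: forward inbound FTP arriving on the DHCP-assigned outside address to 172.20.100.11, followed by the verification commands a practitioner would run before declaring it done. The object name FTPSERVER and the ACL name outside-in are reused from the thread; the server address is the one from the original question rather than the 172.24.100.22 in Sam's posted config. 203.0.113.5 and port 1025 in the packet-tracer line are a constructed client, and OUTSIDE_DHCP_IP is a placeholder for whatever address the outside interface currently holds. Two 8.3-specific caveats are built in: the access list must match the real (untranslated) server address, not the outside interface as the pre-8.3 ACL earlier in the thread did, and a network object carries only one nat statement, so the FTPSERVER object's "dynamic interface" line from Sam's config has to be replaced, not supplemented.

```cisco
! Real server, translated to the outside interface's address (whatever DHCP
! assigned) for TCP port 21 only. "static ... service" is a fixed port
! mapping in both directions; the "dynamic interface" form tried earlier in
! the thread only builds outbound PAT and never accepts inbound connections.
! Each network object holds one nat line, so this replaces the object's
! earlier "nat (inside,outside) dynamic interface". The subnet object's
! dynamic PAT stays and still covers outbound traffic from the rest of the LAN.
object network FTPSERVER
 host 172.20.100.11
 nat (inside,outside) static interface service tcp ftp ftp
!
! In 8.3 the ACL is evaluated against the real (untranslated) destination,
! so permit to the object itself, not to "interface outside".
access-list outside-in extended permit tcp any object FTPSERVER eq ftp
access-group outside-in in interface outside
!
! The default global_policy already carries "inspect ftp", which opens the
! data-channel pinholes for active and passive transfers, so no separate
! ftp-data permit or translation is needed. Confirm it is still there:
show running-config policy-map
!
! Verification: list the translation, find the current outside address, then
! trace a synthetic inbound SYN from a constructed client (203.0.113.5:1025)
! to OUTSIDE_DHCP_IP (placeholder for the address shown by the previous command).
show nat detail
show interface ip brief
packet-tracer input outside tcp 203.0.113.5 1025 OUTSIDE_DHCP_IP 21
```

If packet-tracer reports a drop at the ACCESS-LIST phase, the usual cause is an ACL still written against the outside interface address, which 8.3 no longer sees at that point; if it drops at NAT, the object still carries the dynamic line.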
