ASA 5510 port forwarding

Unanswered Question
Sep 8th, 2010

Has anyone successfully created a port-forward in ASA5510, ASA version 8.3(1) ASDM6.3(1)?

I have spent hours now trying, but I'm still unsuccessful.

What I want is simple: "if this particular ip-address hits the wan interface on this tcp-port, redirect to this inside ip-address on this tcp-port".

I have never had any trouble on any other firewall creating something like this, but the ASA is killing me. Please help.

Kind regards Anders

abinjola Wed, 09/08/2010 - 23:45

See if this helps,

Old Configuration

static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255


Migrated Configuration

object network obj-10.1.1.16
 host 10.1.1.16
 nat (inside,outside) static 10.1.2.45 service tcp 8080 www

I'll be more than happy to convert your entire configuration just in case you need it.

--regards

smakodako Thu, 09/09/2010 - 01:25

Hi abinjola

Thanks for the fast response.

It's not a migrated config, but a brand-new box configured from scratch in 8.3.

I have searched for help in the online help of the box, and tried different howtos, besides just "fooling" around to get it to work, but completely unsuccessfully.

I think I need the exact commands, in order to understand anything of what is going on.

Kind regards Anders

abinjola Thu, 09/09/2010 - 01:33

Did the above example of port forwarding commands work? What exact config/commands do you need?

I understand 8.3 is a total somersault in terms of NAT syntax and handling, but once you get accustomed to it you will find it as easy as a walk in the park.

Meanwhile I am sending you a link for 8.3 command structures and different examples:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

--regards

smakodako Fri, 09/10/2010 - 02:41

Hi

I tried but here's how it goes.

nat (mgmt,wan) static 193.xxx.xxx.34 service tcp 823 23

ERROR: Address 193.xxx.xxx.34 overlaps with wan interface address.

ERROR: NAT Policy is not downloaded

Nagaraja Thanthry Thu, 09/09/2010 - 05:36

Hello,

Please try the following:

Inside host 10.1.1.1
Outside address 100.1.1.1
Outside port HTTP
Inside port 8080

object network Inside_server
 host 10.1.1.1
object network Outside_server
 host 100.1.1.1
object service Inside_port
 service tcp source eq 8080
object service Outside_port
 service tcp source eq 80
nat (inside,outside) source static Inside_server Outside_server service Inside_port Outside_port

If you want to make it a policy NAT where this should be applicable only for a specific destination, then

object network Outside_dst
 host 24.1.1.1
nat (inside,outside) source static Inside_server Outside_server destination static Outside_dst Outside_dst service Inside_port Outside_port

On the outside interface access-list, you need to allow access to the actual IP of the inside device on the actual port.

access-list outside_access_in permit tcp any host 10.1.1.1 eq 8080
access-group outside_access_in in interface outside

Hope this helps.

Regards,

NT

Indrit_Qesja Mon, 04/09/2012 - 13:06

Hi! I am trying the same config but with no result.

Address xx.xx.xx.xx overlaps with Outside interface address.

Any help?

thanks

Jouni Forss Mon, 04/09/2012 - 13:18

Hi, Indrit Qesja

Can you please make a new discussion about your problem with some background information?

It will probably get more/better answers that way.

I can look through your issue when you've posted some background information about what kind of situation you have and what you are trying to accomplish.

- Jouni

Dennis Mink Mon, 04/09/2012 - 17:10

Indrit,

I am guessing you are using static nat against your outside interface's IP address (for example 203.100.100.100)

instead of using:

nat (inside,outside) static 203.100.100.100 service tcp 21 21

use:

nat (inside,outside) static interface service tcp 21 21
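
An added example, not part of any post in this thread and not a Cisco tool: a small Python helper that rewrites a pre-8.3 static PAT line in the 8.3 object NAT form shown in the "Migrated Configuration" post, substitutes the "interface" keyword when the mapped address is the interface's own address (the cause of the "overlaps with ... interface address" error), and emits the ACL against the real address. The function name, its parameters and the sample addresses are assumptions for illustration.

```python
import re

# Pre-8.3 host static PAT:
#   static (real_if,mapped_if) tcp|udp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT [netmask ...]
OLD_STATIC = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
    r"(?: netmask 255\.255\.255\.255)?$"
)

def convert_static_pat(line, interface_ips=None, acl="outside_access_in",
                       permit_src="any"):
    """Translate one pre-8.3 static PAT line into 8.3 object NAT plus ACL lines.

    interface_ips (assumed input) maps an interface name to its own address.
    permit_src is "any" or a single source host allowed to use the forward.
    """
    m = OLD_STATIC.match(" ".join(line.split()))
    if m is None:
        raise ValueError("not a host static PAT line: %r" % line)
    f = m.groupdict()
    mapped = f["mapped_ip"]
    # 8.3 rejects the interface's own address as the mapped address;
    # the keyword "interface" has to be used in its place.
    if mapped == (interface_ips or {}).get(f["mapped_if"]):
        mapped = "interface"
    src = permit_src if permit_src == "any" else "host " + permit_src
    return [
        "object network obj-%s" % f["real_ip"],
        " host %s" % f["real_ip"],
        # 8.3 order is real port first, then mapped port (reverse of the old line)
        " nat (%s,%s) static %s service %s %s %s" % (
            f["real_if"], f["mapped_if"], mapped,
            f["proto"], f["real_port"], f["mapped_port"]),
        # From 8.3 on, the interface ACL matches the real address and real port
        "access-list %s permit %s %s host %s eq %s" % (
            acl, f["proto"], src, f["real_ip"], f["real_port"]),
        "access-group %s in interface %s" % (acl, f["mapped_if"]),
    ]

if __name__ == "__main__":
    # Constructed sample: the old line from this thread, with 10.1.2.45
    # assumed to be the outside interface's own address.
    old = "static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255"
    print("\n".join(convert_static_pat(old, {"outside": "10.1.2.45"}, permit_src="24.1.1.1")))
```

Restricting permit_src to a single host covers the "only this particular IP address" requirement from the original question without needing twice NAT.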

Indrit_Qesja Tue, 04/10/2012 - 00:56

Hi Dennis!

I will test the nat in static interface and I will come back in the forum.

Thank you very much.
