09-08-2010 11:34 PM - edited 03-11-2019 11:37 AM
Has anyone successfully created a port-forward in ASA5510, ASA version 8.3(1) ASDM6.3(1)?
I have spent hours now trying, but I'm still unsuccessful.
What I want is a simple: "if this particular ip-address hits the wan interface on this tcp-port, redirect to this inside ip-address on this tcp-port."
I have never had any trouble on any other firewall creating something like this, but the ASA is killing me. Please help.
Kind regards Anders
09-08-2010 11:45 PM
See if this helps,
Old Configuration
static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255
Migrated Configuration
object network obj-10.1.1.16
 host 10.1.1.16
 nat (inside,outside) static 10.1.2.45 service tcp 8080 www
I'll be more than happy to convert your entire configuration just in case you need it
--regards
09-09-2010 01:25 AM
Hi abinjola
Thanks for the fast response.
It's not a migrated config, but a brand new box configured from scratch in 8.3
I have searched for help in the online help of the box, and tried different howto's, besides just "fooling" around to get it to work, but completely unsuccessful.
I think I need the exact commands, in order to understand anything of what is going on.
Kind regards Anders
09-09-2010 01:33 AM
Did the above example of port forwarding commands work? What exact config/commands do you need?
I understand 8.3 is a total somersault in terms of NAT syntax and handling, but once you get accustomed to it, it will be as easy as a walk in the park
Meanwhile I am sending you a link for 8.3 command structures and different examples:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html
--regards
09-10-2010 02:41 AM
Hi
I tried but here's how it goes.
nat (mgmt,wan) static 193.xxx.xxx.34 service tcp 823 23
ERROR: Address 193.xxx.xxx.34 overlaps with wan interface address.
ERROR: NAT Policy is not downloaded
09-09-2010 05:36 AM
Hello,
Please try the following:
Inside host 10.1.1.1
Outside address 100.1.1.1
Outside port HTTP
inside port 8080
object network Inside_server
 host 10.1.1.1
object network Outside_server
 host 100.1.1.1
object service Inside_port
 service tcp source eq 8080
object service Outside_port
 service tcp source eq 80
nat (inside,outside) source static Inside_server Outside_server service Inside_port Outside_port
If you want to make it a policy NAT where this should be applicable only for specific destination, then
object network Outside_dst
 host 24.1.1.1
nat (inside,outside) source static Inside_server Outside_server destination static Outside_dst Outside_dst service Inside_port Outside_port
On the outside interface access-list, you need to allow access to the actual IP of the inside device on the actual port.
access-list outside_access_in permit tcp any host 10.1.1.1 eq 8080
access-group outside_access_in in interface outside
Hope this helps.
Regards,
NT
09-10-2010 03:17 AM
I succeeded. Thank you so much :)
Best regards Anders
04-09-2012 01:06 PM
Hi! I'm trying the same config but with no result
Address xx.xx.xx.xx overlaps with Outside interface address.
Any help?
thanks
04-09-2012 01:18 PM
Hi, Indrit Qesja
Can you please make a new discussion about your problem with some background information.
It will probably get more/better answers that way.
I can look through your issue when you've posted some background information about what kind of situation you have and what you are trying to accomplish.
- Jouni
04-09-2012 05:10 PM
Indrit,
I am guessing you are using static nat against your outside interface's IP address (for example 203.100.100.100)
instead of using:
nat (inside,outside) static 203.100.100.100 service tcp 21 21
use:
nat (inside,outside) static interface service tcp 21 21
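Added example, not part of any post in this thread: a small Python check over a constructed ASA 8.3 configuration that flags the two mistakes discussed above, a static mapped address equal to the mapped interface's own IP (the "overlaps with ... interface address" error) and an access-list that does not permit the real inside IP and port. The function name lint_port_forwards, the sample configuration and the finding strings are assumptions made for this example; it only handles object NAT in the "static ... service tcp" form with numeric ports and "host" entries in the access-list.

```python
import re

# Constructed sample ASA 8.3 configuration (not taken from the thread).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.100.100.100 255.255.255.0
object network ftp_server
 host 10.1.1.5
 nat (inside,outside) static 203.100.100.100 service tcp 21 21
object network web_server
 host 10.1.1.1
 nat (inside,outside) static interface service tcp 8080 80
access-list outside_access_in permit tcp any host 203.100.100.100 eq 21
access-list outside_access_in permit tcp any host 10.1.1.1 eq 8080
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+) service tcp (\S+) (\S+)")
ACL_RE = re.compile(r"access-list \S+ (?:extended )?permit tcp any host (\S+) eq (\S+)")

def lint_port_forwards(config):
    """Return (object_name, problem) tuples for object-NAT port forwards."""
    if_addr, hosts, nats, permits = {}, {}, [], set()
    nameif = obj = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            nameif = obj = None  # a top-level line ends the previous block
        if line.startswith("object network "):
            obj = line.split()[2]
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            if_addr[nameif] = line.split()[2]
        elif line.startswith("host ") and obj:
            hosts[obj] = line.split()[1]
        elif obj and (m := NAT_RE.match(line)):
            nats.append((obj,) + m.groups())
        elif m := ACL_RE.match(line):
            permits.add(m.groups())
    findings = []
    for obj, _real_if, mapped_if, mapped_ip, real_port, _mapped_port in nats:
        # Mapped address equal to the interface's own IP gives the overlap error
        if mapped_ip == if_addr.get(mapped_if):
            findings.append((obj, "overlap: use 'static interface'"))
        # Per the thread, the 8.3 ACL must permit the real (inside) IP and port
        if (hosts.get(obj), real_port) not in permits:
            findings.append((obj, "acl: no permit for real IP and port"))
    return findings
```

Calling lint_port_forwards(SAMPLE_CONFIG) reports both problems for the ftp_server object and none for web_server.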
04-10-2012 12:56 AM
Hi dennis!
I will test the nat in static interface and I will come back in the forum
thank you very much