
ASA 5510 port forwarding

smakodako
Level 1

Has anyone successfully created a port-forward in ASA5510, ASA version 8.3(1) ASDM6.3(1)?

I have spent hours now trying, but I'm still unsuccessful.

What I want is a simple: "if this particular ip-address hits the wan interface on this tcp-port redirect to this inside ip-address on this tcp-port".

I have never had any trouble on any other firewall creating something like this, but the ASA is killing me. Please help.

Kind regards Anders

10 Replies

abinjola
Cisco Employee

See if this helps,

Old Configuration

static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255


Migrated Configuration

object network obj-10.1.1.16
 host 10.1.1.16
 nat (inside,outside) static 10.1.2.45 service tcp 8080 www

I'll be more than happy to convert your entire configuration just in case you need it.

--regards

Hi abinjola

Thanks for the fast response.

It's not a migrated config, but a brand-new box configured from scratch in 8.3.

I have searched for help in the online help of the box, and tried different howtos, besides just "fooling" around to get it to work, but was completely unsuccessful.

I think I need the exact commands, in order to understand anything of what is going on.

Kind regards Anders

Did the above example of port forwarding commands work? What exact config/commands do you need?

I understand 8.3 is a total somersault in terms of NAT syntax and handling, but once you get accustomed to it, it will be as easy as a walk in the park.

Meanwhile I am sending you a link for 8.3 command structures and different examples:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

--regards

Hi

I tried but here's how it goes.

nat (mgmt,wan) static 193.xxx.xxx.34 service tcp 823 23

ERROR: Address 193.xxx.xxx.34 overlaps with wan interface address.

ERROR: NAT Policy is not downloaded

Nagaraja Thanthry
Cisco Employee

Hello,

Please try the following:

Inside host 10.1.1.1
Outside address 100.1.1.1
Outside port HTTP
Inside port 8080

object network Inside_server
 host 10.1.1.1
object network Outside_server
 host 100.1.1.1
object service Inside_port
 service tcp source eq 8080
object service Outside_port
 service tcp source eq 80
nat (inside,outside) source static Inside_server Outside_server service Inside_port Outside_port

If you want to make it a policy NAT where this should be applicable only for a specific destination, then

object network Outside_dst
 host 24.1.1.1
nat (inside,outside) source static Inside_server Outside_server destination static Outside_dst Outside_dst service Inside_port Outside_port

On the outside interface access-list, you need to allow access to the actual IP of the inside device on the actual port.

access-list outside_access_in permit tcp any host 10.1.1.1 eq 8080
access-group outside_access_in in interface outside

Hope this helps.

Regards,

NT

I succeeded. Thank you so much :)

Best regards Anders

Hi! I am trying the same config but with no result.

Address xx.xx.xx.xx overlaps with Outside interface address.

Any help?

thanks

Hi, Indrit Qesja

Can you please make a new discussion about your problem with some background information.

It will probably get more/better answers that way.

I can look through your issue when you've posted some background information about what kind of situation you have and what you are trying to accomplish.

- Jouni

Indrit,

I am guessing you are using static nat against your outside interface's IP address (for example 203.100.100.100)

instead of using:

nat (inside,outside) static 203.100.100.100 service tcp 21 21

use:

nat (inside,outside) static interface service tcp 21 21

Please remember to rate useful posts, by clicking on the stars below.

Indrit_Qesja
Level 1

Hi dennis!

I will test the nat in static interface and I will come back in the forum.

thank you very much
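
The pieces from the replies above combined into one ASA 8.3 configuration, as an added example that is not part of any post in this thread: object NAT using the `interface` keyword, plus an outside ACL that names the real inside address and is limited to a single source host, which is what the original question asked for. The object name `obj-web-fwd` and the source address 198.51.100.7 are constructed; the inside host, ports, interface names and ACL name reuse the values from the replies.

```cisco
! Added example. obj-web-fwd and 198.51.100.7 are constructed sample values.
!
! Object NAT: TCP 80 arriving on the outside interface address is
! forwarded to 10.1.1.1 port 8080. The order after "service tcp" is
! real port first, mapped port second.
! "interface" stands in for the literal outside IP, which avoids the
! "overlaps with ... interface address" error quoted in the thread.
object network obj-web-fwd
 host 10.1.1.1
 nat (inside,outside) static interface service tcp 8080 80
!
! From 8.3 on, the interface ACL is written against the real (inside)
! address and real port, not the translated ones.
! Permitting one source host instead of "any" keeps the forwarded port
! closed to every other address on the outside.
access-list outside_access_in extended permit tcp host 198.51.100.7 host 10.1.1.1 eq 8080
access-group outside_access_in in interface outside
!
! Checks to run from the ASA CLI afterwards:
!   show nat detail
!   show access-list outside_access_in
!   packet-tracer input outside tcp 198.51.100.7 1025 <outside-interface-ip> 80
```

The hit counter in `show access-list` shows whether the permitted source is actually matching the entry; `packet-tracer` shows which NAT rule and ACL entry a simulated packet takes.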
