Port Forwarding Configuration

Unanswered Question
Dec 1st, 2010


I have a Cisco ASA 5520. I need to configure port forwarding on the VPN tunnel. E.g. I have almost 100 L2L VPN tunnels. For any clients hitting my LAN IP on port 21, my ASA should forward that port 21 traffic to . Is it possible on the VPN? Please let me know the configuration. If that doesn't work, let me know any suggestions you have on this. Please note that any other traffic the client is hitting should not be forwarded.

Requirement (client) -----> ----->

Federico Coto F... Wed, 12/01/2010 - 10:30


Port forwarding will work over VPN if you're NATing through the tunnel (VPN traffic not included in NAT exemption)

static (in,out) tcp 21 21

The above will redirect all TCP 21 coming to to

If the VPN client uses to reach, it should work.


Anand Narayana Wed, 12/01/2010 - 18:52

Thanks for the response. Let me try this in my lab in a day or two before configuring it on LIVE. But as mentioned, any other traffic, if the client is hitting it, should be forwarded to a different server, say or maybe I can use it on some other server to re-direct. That should also work.

Let me know if that too is possible

If the port 21 port forwarding rule is applied, there will be no change in the existing access-list on the VPN tunnel (which is already in place), as this rule will forward only when it receives port 21 traffic from the client, isn't it?


Is any change required in the access-list?


While my existing configuration (which you have suggested) is in place, Client ----> ---->

When I do port forwarding on the same server using a different port, say port 80 (as mentioned below), it should also work:

Client -----> (this will open the web page on this server itself without re-directing to any other)


Client -----> -----> (which has to re-direct to any other server)

Federico Coto F... Thu, 12/02/2010 - 05:51


You can use port forwarding to define other ports using the same IP as you mentioned.

The reason this works is that you are doing NAT through the tunnel... meaning the access-list for the VPN is directed to the NAT IP.


Anand Narayana Thu, 12/02/2010 - 06:11

Thanks. Could you just provide me a sample configuration of the access-list which I need to use on the VPN tunnel, or any other configuration required for port forwarding?

Below is my VPN configuration, in addition to your suggested port forwarding configuration (PAT), for your understanding of my current configuration.

interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address

interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address

access-list VPN-CLIENT extended permit ip host host

access-list NONAT extended permit ip host host

access-list in2out extended permit ip any any

static (inside,outside) tcp 21 21

global (outside) 1 netmask

nat (inside) 0 access-list NONAT

nat (inside) 1

access-group out2in in interface outside

access-group in2out in interface inside

Client IP -

My Server -

My FTP Server ip -

Federico Coto F... Thu, 12/02/2010 - 10:40

The problem that I see is the following:

Client IP -

My Server -

My FTP Server ip -

The ASA will receive the VPN traffic from

The ASA has a NAT exemption rule to forward the traffic to

After the ASA forwards the packets to, the ASA is not going to manipulate the packets again to be able to redirect the packets to


If the ASA receives a packet on its outside interface, it can redirect those packets to an internal IP using port forwarding.

The difference here is that you're telling the ASA to send the packets to a host already on the inside and then redirect those packets again.
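As an added example (not from the thread or from either poster), here is how the two replies above fit together in pre-8.3 ASA syntax, which is what the posted `static`/`global`/`nat` lines use. The point is that the crypto ACL and the static PAT entries both name a mapped address that is not a real inside host, so the decrypted tunnel traffic is never matched by the `nat 0` exemption and the ASA untranslates it per destination port. Every address below is a hypothetical placeholder chosen for the example (RFC 5737 ranges for the remote client and the mapped address, 10.1.1.0/24 for the inside servers); the remote peer's crypto ACL would have to mirror it with 203.0.113.10 as the remote network.

```cisco
! Hypothetical addresses for this example only (not from the thread):
!   remote VPN client            192.0.2.50
!   mapped (NAT) IP seen in tunnel 203.0.113.10   <- not a real inside host
!   inside web server            10.1.1.10
!   inside FTP server            10.1.1.20

! 1. Crypto ACL is written against the MAPPED address, not a real server.
!    The remote peer sends to 203.0.113.10 and that is what the ASA sees
!    after decryption on the outside interface.
access-list VPN-CLIENT extended permit ip host 203.0.113.10 host 192.0.2.50

! 2. No NAT exemption may match this flow. A line such as
!      access-list NONAT extended permit ip host 10.1.1.10 host 192.0.2.50
!    exempts client <-> real server from NAT, so the static below is never
!    consulted and the packets are simply delivered to 10.1.1.10.
!    Leave the client/mapped-address pair out of NONAT.

! 3. Static PAT: one mapped IP, a different real server per destination port.
static (inside,outside) tcp 203.0.113.10 21 10.1.1.20 21 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 80 10.1.1.10 80 netmask 255.255.255.255

! 4. Pre-8.3 interface ACLs match the mapped address for inbound traffic.
!    These lines only matter if "sysopt connection permit-vpn" (on by
!    default) has been disabled; otherwise decrypted VPN traffic bypasses
!    the outside ACL.
access-list out2in extended permit tcp host 192.0.2.50 host 203.0.113.10 eq 21
access-list out2in extended permit tcp host 192.0.2.50 host 203.0.113.10 eq 80
access-group out2in in interface outside

! Any other port sent to 203.0.113.10 has no static translation and the
! mapped address is not an inside host, so it is not delivered to any
! inside server, which is the "other traffic should not forward" requirement.
```

The configuration the original poster shows has the crypto ACL and NONAT both pointing at the real inside server, which is exactly the case the reply above describes: the ASA forwards the packet untouched to that host and does not re-evaluate it against the static. Verify on the box with `show xlate` (a static PAT entry for 203.0.113.10/21 should appear) and `show crypto ipsec sa`, where the local identity must be the mapped address.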


Anand Narayana Thu, 12/02/2010 - 19:16

Does it mean that it will work only when I have the server on a DMZ port on the same ASA?

