Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
452
Views
0
Helpful
4
Replies

Need Help With ASA Rule

townofnewmarket
Level 1
Level 1

‎04-24-2014 09:44 AM - edited ‎03-11-2019 09:07 PM

ASA running 8.3(2)

Want to be able to hit an internal IP addy from the outside.  ONly need access to port 5001.

Generally, I would do something like this (assume internal is 10.0.0.1, external is 74.75.76.77 and port is 5001)

access-list inbound permit tcp any host 74.75.76.77 eq 5001
static (inside,outside) tcp interface 5001 10.0.0.1 5001 netmask 255.255.255.255 0 0

With the second command I get an error about "This syntax of nat command has been deprecated".

So I have tried this:

object network remote-test

 host 10.0.0.1

 nat (inside,outside) static 74.75.76.77 service tcp 5001 5001

But I am not getting there.  Am I missing anything else I need to add (maybe an acl list)?

Appreciate any help!

Thanks

Labels:
0 Helpful
4 Replies 4

joseoroz
Cisco Employee
Cisco Employee

‎04-24-2014 10:19 AM

The configuration that you are using is for code <8.2 there was a major change on the syntax on code 8.3 and above:

https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Please have on mind that on the access-list we permit the traffic now to the private IP of the server instead of the public.

The configuration will look something like this

Object network Public server

host 74.75.76.77

Object network Private_server

host 10.0.0.1

Object service 5001

service tcp source 5001

Nat (nside,outside) source static Private_server Public server service 5001 5001

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_rules.html#wp1101985

Hope you find this information helpful.

0 Helpful

townofnewmarket
Level 1
Level 1
In response to joseoroz

‎04-24-2014 10:45 AM

Jose, that looks awesome.  Is there any command I can issue inside the ASA that would show me if this connection is in fact being "hit"?  I am wondering if I don't have something else in between me and the ASA. 

I say this because, from the top of "sho run":

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.20 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!

0 Helpful

joseoroz
Cisco Employee
Cisco Employee
In response to townofnewmarket

‎04-24-2014 02:49 PM

You may run the packet tracer command. This will tell you the traffic can be permitted. Other than that you can setup a packet capture on in and outbound interface to confirm the traffic is actually permitted.

packet-tracer input outside tcp (source ip from the internet) 1025 (Public destination)  5001

packet-tracer input outside tcp 4.2.2.2 1025 74.75.76.77  5001

This is the example of access list that I missed earlier.

access-list inbound permit tcp any host 10.0.0.1 eq 5001

This are the instructions for packet capturing:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

0 Helpful

Gene Kazimiarovich
Level 1
Level 1
In response to townofnewmarket

‎04-25-2014 05:03 AM

"show conn" and "show xlate" will let you verify if connection is in the table and if NAT is taking place. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card