Cisco Support Community
Community Member

Need help with port forwarding on ASA

 

Guys,

 

How do I achieve this port forwarding on an ASA 5505? Here is the situation:

I have one host on inside lan

Host IP: 10.0.0.9

Outside ip: 65.65.65.100 (just an example)

 

So if a user from outside ssh into port 65.65.65.100:557, I want that traffic to go to 10.0.0.9:22 

and if another user from outside ssh into port 65.65.65.100:7111, I want that traffic to go to 10.0.0.9:22 

 

So basically, when outside users connect to an IP on two different ports, I want that traffic to go to the same host on the same port number.

 

Here is what I tried. I get a "duplicate entry" error and it won't let me enter the second line:

 

static (inside,outside) tcp 65.65.65.100 557 10.0.0.9 22

static (inside,outside) tcp 65.65.65.100 7111 10.0.0.9 22 <---This line fails

 

Please help

3 REPLIES
Silver

Hi avashifa09, What comes to

Hi

What comes to my mind right now is: what if you upgrade to 8.3 or up and try port forwarding with objects (object network and object service)?

I haven't tried this yet in my lab, so it may or may not work...

Example of the config:

 

object service telnet

service tcp destination eq telnet

object service portx

service tcp destination eq 9999

nat (out,DMZ) source static any any destination static interface dmzserver service portx telnet

 

Hope this helps.

Community Member

8.3 or a higher version supports this. I was able to achieve it by upgrading to 8.3 or a higher version. Sorry about posting this late.
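
For reference, an object NAT configuration for ASA 8.3 or later that maps both outside ports from the original question to 10.0.0.9:22. This is an added example, not configuration posted by anyone in this thread; the object names and the ACL name outside_in are hypothetical, and the interface names are taken from the static commands in the question.

```cisco
! Added example for ASA 8.3+ (object names and ACL name are hypothetical).
! Object NAT allows one nat statement per network object, so the same
! inside host is defined twice, once for each forwarded outside port.
object network ssh-host-557
 host 10.0.0.9
 ! service tcp <real-port> <mapped-port>
 nat (inside,outside) static 65.65.65.100 service tcp 22 557
!
object network ssh-host-7111
 host 10.0.0.9
 nat (inside,outside) static 65.65.65.100 service tcp 22 7111
!
! If 65.65.65.100 is the outside interface's own address, use the
! keyword "interface" in place of the IP in both nat statements.
!
! From 8.3 onward the interface ACL matches the real (inside) address
! and port, not the translated ones, so one entry covers both mappings.
! "any" is used only because the thread names no source addresses;
! restrict it to the networks that actually need SSH access.
access-list outside_in extended permit tcp any host 10.0.0.9 eq 22
access-group outside_in in interface outside
```

After applying it, `show xlate` should list one static portmap entry per outside port, both pointing at 10.0.0.9/22.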

Silver

Here is the configuration that you need:

 

access-list ssh_557 permit tcp host 10.0.0.9 eq 22 any

access-list ssh_7111 permit tcp host 10.0.0.9 eq 22 any

 

static (inside,outside) tcp 65.65.65.100 557 access-list ssh_557

static (inside,outside) tcp 65.65.65.100 7111 access-list ssh_7111

 

ciscoasa(config)# show xlate detail

2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random,
       r - portmap, s - static

TCP PAT from inside:10.0.0.9/22 to outside(ssh_557):65.65.65.100/557 flags sr

TCP PAT from inside:10.0.0.9/22 to outside(ssh_7111):65.65.65.100/7111 flags sr

Value our effort and rate the assistance!