
Port Forwarding for portal Access

Jon Moots
Level 1

May be a simple question for someone, but I need to see if anyone can give me the syntax for a port forward.

I need to forward port 55443 to an internal address (let's call it 15.15.15.15) from two outside IPs (5.5.5.5 and 6.6.6.6).

These addresses need to see the server IP address (15.15.15.15) only and nothing else.

Can someone please give me the syntax or an example of the syntax to make the changes in my device? It is an ASA 5510.

Thanks for the help

-Jon


Julio Carvajal
VIP Alumni

Hello Jon

What version are you running? Let's say it is 8.2:

static (inside,outside) tcp 5.5.5.5 55443 15.15.15.15 55443
access-list test permit tcp host 15.15.15.15 eq 55443 any
static (inside,outside) tcp 6.6.6.6 55443 access-list test

Remember to create the ACLs on the outside.

Give it a try and let me know if you need more help.

Please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

The ASA version is 8.3(1).

Would this make a difference in the syntax that you listed above?

Thanks for the help.

-Jon

Hello Jon,

Yes, the syntax would be completely different:

Object network Primary_Public
 host 5.5.5.5
Object network Secondary_Public
 host 6.6.6.6
Object network Internal_host
 host 15.15.15.15
Object service port_55443
 service tcp source eq 55443

nat (inside,outside) source static Internal_host Primary_Public service port_55443 port_55443
nat (inside,outside) source static Internal_host Secondary_Public service port_55443 port_55443

Please rate helpful posts

Kind regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio

I tried entering the syntax you gave above, but it keeps hitting an error code at the "host" keyword of the line

     Object network Primary_Public host  5.5.5.5.

What access level do I need to be in to enter the syntax? I tried it in configuration term, do I need to be higher or in a different config mode?

Are the lines
"Object network Primary_Public
host 5.5.5.5"
two separate entry lines or should they be entered as one line?

Thanks

--Jon

Hello Jon,

They are two separate entries as I showed you on config terminal mode:

Object network Primary_Public

host  5.5.5.5

Let me know if you are still unable to do it like that.

Regards,

Do rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you, Julio

Now the only problem that I have is it is catching on the first port number for the following statement:

nat (inside,outside) source static Internal_host Primary_Public service port_55443 port_55443

Is this supposed to be a 2 line statement as well?

-Jon

Hello Jon,

No, the NAT statements on 8.3 and prior versions are made of just one line (great improvement).

Now that you have created the NAT statement, you just need the ACL pointing to the real IP address of the server; this is because NAT is checked before the ACL on 8.3 and prior versions.

Do please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
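
An ACL to go with the 8.3 NAT statements in this thread, as an added example that is not from any of the participants: it permits only named client addresses to reach the server's real IP on TCP 55443 and then checks the path with packet-tracer. The ACL name, the object-group name and the 198.51.100.x client addresses are placeholders; 5.5.5.5 is used as the mapped address, as in the NAT statement above.

```cisco
! Added example for ASA 8.3(1); names and client addresses are placeholders.

! Clients allowed to reach the portal (constructed documentation addresses).
object-group network Portal_Clients
 network-object host 198.51.100.10
 network-object host 198.51.100.20

! On 8.3 the ACL destination is the server's real address (15.15.15.15),
! not the mapped address 5.5.5.5 or 6.6.6.6. Only TCP 55443 is permitted;
! everything else inbound falls through to the implicit deny.
access-list outside_access_in extended permit tcp object-group Portal_Clients host 15.15.15.15 eq 55443

! Bind the ACL to inbound traffic on the outside interface.
access-group outside_access_in in interface outside

! Verification: simulate a permitted client connecting to the mapped address.
! The output should show the UN-NAT phase translating 5.5.5.5 to 15.15.15.15,
! followed by an ACCESS-LIST phase with result ALLOW.
packet-tracer input outside tcp 198.51.100.10 1025 5.5.5.5 55443

! Hit counters should increase on the ACL line and the NAT rule after real traffic.
show access-list outside_access_in
show nat detail
```

If an ACL is already bound to the outside interface, add the permit line to that ACL instead, because `access-group` allows only one ACL per interface and direction.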

Julio

I can't get the nat statement to enter. It errors out at the port number.

If I get the nat statement in, is there another statement for the ACL? What would the syntax for that be?

-Jon

Julio,

Here is the error that I get back:

nat(inside,outside) source static Internal_host Primary_Public service port_5544   ^3 port_55443

ERROR: % Invalid input detected at '^' marker.
