Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9630
Views
0
Helpful
7
Replies

Port forwarding using outside interface - ASA with 8.3.1

Go to solution
smunzani
Level 1
Level 1

‎05-25-2010 07:15 AM - edited ‎03-11-2019 10:50 AM

Hi,

I am struggling badly on figuring out how to port forward ftp service to one of my internal box when outside interface is using dhcp. It was very easy with earlier version of code but the new syntax of 8.3.1 is throwing me off totally. Neither there is a good example in documentation for command line and neither the ASDM configuration pushes off either.

Goal: Inbound ftp request to outside interface needs to be forwarded to 172.20.100.11 on inside host.

Can somebody help out with correct syntax? OR should I downgrade to previous version of code?

Thanks,

Sam Munzani

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to smunzani

‎05-25-2010 12:39 PM 

Are you sure its supposed to be dynamic NAT?

No We're both learning this at the same time! LOL!

Try with:

nat (inside,outside) static interface service tcp ftp ftp

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to John Blakley

‎05-25-2010 12:44 PM

Hi,

According to the migration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Old Configuration

static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255

Migrated Configuration

object network obj-10.1.1.16

host 10.1.1.16

nat (inside,outside) static 10.1.2.45 service tcp 8080 www


Hope it helps.

Federico.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
John Blakley
VIP Alumni
VIP Alumni

‎05-25-2010 08:30 AM

I don't have that version of the code, but unless things have changed drastically, you might be able to try something like:

static (inside,outside) tcp interface 21 172.20.100.11 21

Then in your ACL, you'd put:

access-list OUTSIDE permit tcp any interface outside eq 21

HTH,

John

*** You really use the word "interface" ****

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
smunzani
Level 1
Level 1
In response to John Blakley

‎05-25-2010 09:07 AM

That old syntax and does not work with 8.3.1 code at all. That's my frustration. Static command is removed from 8.3.1.

In past when cisco deprecated some commands, the OS automatically converted the command syntax if old commands were typed. In this case, it complains that command has been deprecated but doesn't do conversion or point out right syntax.

See output below.

ASA(config)# static (inside,outside) tcp interface 21 172.20.100.11 21
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

Needless to say that "help nat" command or the product documentation doesn't show a good example of how to achieve it. It shows how to do port forwarding using dedicated IP but nothing shows how to do with outside interface it self.

Thanks,

Sam

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to smunzani

‎05-25-2010 11:47 AM

Okay,

I upgraded a 5505 here and I see what you mean.

From what I can guess, try this. You want your FTP traffic to be forwarded to  172.20.100.11. In the ASA type:

object network FTPSERVER

host 172.20.100.11

nat (inside,outside) dynamic interface

That's it....see if that works and PLEASE let me know because I have 2 firewalls in active/standby that have a TON of mappings in them. :-)

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
smunzani
Level 1
Level 1
In response to John Blakley

‎05-25-2010 12:10 PM

Did not work. Here is my config.

object network obj-172.24.100.0
subnet 172.24.100.0 255.255.255.0

object network FTPSERVER
host 172.24.100.22

!

object-group service FTP-Service tcp
port-object eq ftp
port-object eq ftp-data

!

access-list outside-in extended permit tcp any host 172.24.100.22 object-group FTP-Service

!

object network obj-172.24.100.0
nat (inside,outside) dynamic interface
object network FTPSERVER
nat (inside,outside) dynamic interface

!

Are you sure its supposed to be dynamic NAT?

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to smunzani

‎05-25-2010 12:39 PM 

Are you sure its supposed to be dynamic NAT?

No We're both learning this at the same time! LOL!

Try with:

nat (inside,outside) static interface service tcp ftp ftp

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to John Blakley

‎05-25-2010 12:44 PM

Hi,

According to the migration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Old Configuration

static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255

Migrated Configuration

object network obj-10.1.1.16

host 10.1.1.16

nat (inside,outside) static 10.1.2.45 service tcp 8080 www


Hope it helps.

Federico.

0 Helpful

Go to solution
smunzani
Level 1
Level 1
In response to John Blakley

‎05-25-2010 12:58 PM

Works now.

I guess it will take a little time to get used to with new syntax. For some reason ASDM interface didn't let me save configuration with such NAT.

Thanks,

Sam

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card