Cisco Support Community

New Member

Port forwarding with ASA

I'm stuck with my Cisco ASA config.

What I'm trying to do is forward TCP port 8443 on my OUTSIDE interface (111.x.x.444) to the same port on an internal machine (INSIDE 192.168.0.230).

I've got a static NAT rule and applied an access-list to accept TCP traffic on port 8443 OUTSIDE.

After every change I do a "clear xlate" so that can not be the problem.

When I sniff packets on the INSIDE 192.168.0.230 machine I don't see any incoming packets on port 8443.

Also when I do a check with the packet-tracer the problem looks to be at the outside_access_in ACL, because the packet is blocked at the "deny any any" rule.

What am I doing wrong?

Accepted Solution
New Member

Re: Port forwarding with ASA

First, this is NOT the way the ASA is supposed to behave, in my opinion. There is a fast and easy workaround for it though.

When you port forward on the outside IP, the ASA should take the static command with the outside IP. The ASA does not. The ASA now requires you to use the keyword interface instead of the actual IP.

Your static command should look like this:

static (inside,outside) tcp interface 8443 192.168.0.230 8443 netmask 255.255.255.255

Please rate when this works for you :-)

Bryan

8 REPLIES
New Member

Re: Port forwarding with ASA

I've got the exact same problem so I'll be watching this.

I get the following error:

ASA-3-71003: TCP Access denied by ACL from xxx.xxx.xxx.xxx/xxxx to outside xxx.xxx.xxx.xxx/6574

Are you getting the same?

New Member

Re: Port forwarding with ASA

Well, the strange thing is that I'm not getting an error in my log buffer.

But with the packet-tracer I see that it's blocked by my rule that is enabled to log.

Gold

Re: Port forwarding with ASA

It looks like you have bad syntax in the STATIC command.

INSTEAD

static (outside,inside) tcp 192.168.0.230 8443 111.222.333.444 8443 netmask 255.255.255.255

USE

static (inside,outside) tcp 111.222.333.444 8443 192.168.0.230 8443 netmask 255.255.255.255

The ASA has a somewhat non-logical syntax for the static command; it's:

static ( real_interface, mapped_interface) mapped_IP port real_IP port netmask

Check this link for more info

http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f101.html#wp1182234

M.

Hope that helps; rate if it does.

New Member

Re: Port forwarding with ASA

Unfortunately that doesn't help.

First I had that syntax as m.sir said. I tried it again but without success.

I reconfigured my NAT rules:

1) no global (outside) 1 interface

2) no nat (inside) 0 access-list inside_nat0_outbound

3) no nat (inside) 1 192.168.0.0 255.255.255.0

4) no static (inside,outside) tcp 111.222.333.444 netmask 255.255.255.255

5) static (inside,outside) tcp 111.222.333.444 netmask 255.255.255.255

6) global (outside) 1 interface

7) nat (inside) 1 192.168.0.0 255.255.255.0

8) nat (inside) 0 access-list inside_nat0_outbound

9) clear xlate

Also without success

New Member

Re: Port forwarding with ASA

My ASA config


New Member

Re: Port forwarding with ASA

Great! It is working but strange that there is not much information about this.

I searched Google, this forum and the Cisco site.

One question... why the word "interface"?

How does the ASA know which interface you mean?

New Member

Re: Port forwarding with ASA

The ASA knows it's the outside interface because of the syntax of the static command.

static (inside,outside) OUTSIDE_IP INSIDE_IP netmask 255.255.255.255

Bryan
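An added example, not code from the thread or from Cisco: a small Python checker that parses a pre-8.3 style port static in the order M. describes (real_interface, mapped_interface, mapped IP/port, real IP/port) and flags the two mistakes discussed in this thread, interfaces in the wrong order and the outside interface IP written literally instead of the keyword interface. The interface names and the 111.222.333.444 placeholder are taken from the posts above; the check on the netmask is an assumption added here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the port static as explained in the thread:
#   static (real_if,mapped_if) tcp|udp mapped_ip|interface mapped_port real_ip real_port netmask MASK
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\d+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\d+)\s+netmask\s+(?P<mask>\S+)\s*$"
)


@dataclass
class StaticNat:
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str      # either an address or the literal keyword "interface"
    mapped_port: int
    real_ip: str
    real_port: int
    mask: str


def parse_static(line: str) -> StaticNat:
    """Parse one port static line; raise ValueError if it is not in the expected shape."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a recognised port static: {line!r}")
    d = m.groupdict()
    return StaticNat(d["real_if"], d["mapped_if"], d["proto"], d["mapped_ip"],
                     int(d["mapped_port"]), d["real_ip"], int(d["real_port"]), d["mask"])


def check_static(line: str, inside_if: str = "inside", outside_if: str = "outside",
                 outside_ip: Optional[str] = None) -> List[str]:
    """Return a list of problems found in a port-forward static (empty list means it looks right)."""
    s = parse_static(line)
    problems = []
    if s.real_if == outside_if and s.mapped_if == inside_if:
        problems.append("interfaces reversed: first name is the real (inside) interface, "
                        "second is the mapped (outside) interface")
    if outside_ip is not None and s.mapped_ip == outside_ip:
        problems.append("mapped address is the outside interface IP itself: "
                        "use the keyword 'interface' instead")
    if s.mask != "255.255.255.255":   # assumption: a single-host port static wants a host mask
        problems.append("port static should use host mask 255.255.255.255")
    return problems
```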
