Port to application mapping on ASA

alkabeer80 (Level 1)

Hi,

I have a Cisco ASA 8.4, and I am using a simple topology in GNS3:

R1  ----------------------------------(inisde) ASA (outside) ------------------------------ R2

192.168.1.1               192.168.1.2           192.168.2.2                           192.168.2.1 

I have enabled HTTP on R1; telnet from R2 to R1 (telnet 192.168.1.1 80) works.

Now I want to configure the ASA to map port 80 to 8080, so that telnet from R2 to R1 (telnet 192.168.1.1 8080) works. How can I do it?

Thanks


Jouni Forss (VIP Alumni)

Hi,

This depends on the software version you are using. The NAT configuration format is different for versions 8.2 (and below) compared to 8.3 (and above).

Here is an example of both.

Software 8.2 and below:

static (inside,outside) tcp 192.168.1.1 8080 192.168.1.1 80 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.1 eq 8080

Software 8.3 and above:

object network R1
 host 192.168.1.1
 nat (inside,outside) static 192.168.1.1 service tcp 80 8080
access-list OUTSIDE-IN extended permit tcp any object R1 eq 80

Hope this helps

Let me know if it works for you. If not then will have to look more into the configuration.

- Jouni

Hi,

It did not work. I tried to enter the same commands, but they were not accepted.

ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

object service 80
 service tcp destination eq www
object service 8080
 service tcp source eq 8080
object network R1
 host 192.168.2.1

ciscoasa(config)# nat (inside,ouside) source static ?

configure mode commands/options:
  WORD  Specify object or object-group name for real source
  any   Abbreviation for source address and mask of 0.0.0.0

ciscoasa(config)# nat (inside,ouside) source static R1 ?

configure mode commands/options:
  WORD       Specify object or object-group name for mapped source
  interface  Specify interface NAT

How do I write it?

Hi,

You did not enter the commands I suggested.

The NAT configuration should be:

object network R1
 host 192.168.1.1
 nat (inside,outside) static 192.168.1.1 service tcp 80 8080

You are trying to add the "nat" configuration in the global configuration space and not under the "object network R1".

So enter these in order without entering any other command in between:

object network R1
 host 192.168.1.1
 nat (inside,outside) static 192.168.1.1 service tcp 80 8080

The first one will create the "object" and move under its configuration space. The next one will add the "host" address under the "object". The last command will add the actual "nat" command under the "object" we created.

Then you need the ACL to allow the traffic as described in my first reply. Naturally you will have to use an ACL that is attached with the "access-group" to your "outside" interface.

- Jouni

Hi, I managed to enter the commands, but I am getting:

R1#telnet 192.168.1.1 8080
Trying 192.168.1.1, 8080 ...
% Connection refused by remote host

Hi,

Post your ACL configuration:

show run access-list
show run access-group

If you have no ACL configured you could add:

access-list OUTSIDE-IN permit tcp any object R1 eq 80
access-group OUTSIDE-IN in interface outside

But I presume you have an existing ACL attached to interface "outside" like in my above example so you could use that ACL to allow what I have allowed above.

Let me know if it works. Otherwise post the configurations so I can check what is needed.

- Jouni

Hi,

ciscoasa(config)#  sh run access-list
access-list l extended permit tcp any object R1 eq www
access-list l extended permit ip any any

ciscoasa# sh run access-group
access-group l in interface ouside

Thanks for all your help

%ASA-6-302013: Built outbound TCP connection 44 for ouside:192.168.2.1/8080 (192.168.2.1/8080) to inside:192.168.1.1/29489 (192.168.1.1/29489)
%ASA-6-302014: Teardown TCP connection 44 for ouside:192.168.2.1/8080 to inside:192.168.1.1/29489 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302013: Built inbound TCP connection 46 for ouside:192.168.2.1/42377 (192.168.2.1/42377) to inside:192.168.1.1/8080 (192.168.1.1/8080)
%ASA-6-302014: Teardown TCP connection 46 for ouside:192.168.2.1/42377 to inside:192.168.1.1/8080 duration 0:00:00 bytes 0 TCP Reset-I

Hi,

The connection should work if you are connecting from R2 to R1 with the destination IP 192.168.1.1 and port TCP/8080. Or that is how I understood the original request:

"Now I want to configure the ASA to map port 80 to 8080, so that telnet from R2 to R1 (telnet 192.168.1.1 8080) works. How can I do it?"

Your example above seems to show you connecting from R1 to itself:

R1#telnet 192.168.1.1 8080
Trying 192.168.1.1, 8080 ...
% Connection refused by remote host

So test this from R2.

- Jouni

Hi, I am getting the same thing:

R2#telnet 192.168.1.1 8080
Trying 192.168.1.1, 8080 ...
% Connection refused by remote host

%ASA-6-302013: Built outbound TCP connection 53 for ouside:192.168.1.1/8080 (192.168.1.1/8080) to inside:192.168.2.1/55789 (192.168.2.1/55789)
%ASA-6-302014: Teardown TCP connection 53 for ouside:192.168.1.1/8080 to inside:192.168.2.1/55789 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-7-609002: Teardown local-host inside:192.168.2.1 duration 0:00:00
%ASA-7-609002: Teardown local-host ouside:192.168.1.1 duration 0:00:00

Hi,

The logs don't match your original post's topology at all.

The log says R1 192.168.1.1 is located "outside" and R2 192.168.2.1 is located "inside"?

Can you share the complete firewall configuration?

Actually, it seems your other interface is called "ouside" and not "outside".

- Jouni

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network out
 host 192.168.2.1
object network in
 host 192.168.1.1
object service 80
 service tcp destination eq www
object service 8080
 service tcp source eq 8080
object network R1
 host 192.168.2.1
access-list l extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network R1
 nat (outside,inside) static 192.168.2.1 service tcp www 8080
access-group l in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

Hi,

There is a different IP address used in the NAT configuration: the IP address of R2, even though you wanted to do the NAT for the R1 IP address 192.168.1.1, to my understanding, so that R2 could connect to 192.168.1.1 port TCP/8080 to reach the actual port TCP/80 on R1 192.168.1.1?

If so then you would need to issue these commands which I suggested originally:

object network R1
 host 192.168.1.1
 nat (inside,outside) static 192.168.1.1 service tcp 80 8080

- Jouni
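The corrected ASA 8.4 configuration from the accepted solution, carried through with the interface ACL from Jouni's first reply and the on-box checks a practitioner would run before testing from R2. This is an added example and not part of the original thread. It uses the addresses from the original post; the ACL name OUTSIDE-IN is taken from Jouni's later reply, the packet-tracer source port 40000 is an arbitrary choice, and it assumes R2 already has a route to 192.168.1.0/24 via the ASA (which the working telnet to port 80 in the first post implies).

```cisco
! Intended topology (from the original post):
!   R1 192.168.1.1 (inside) -- ASA (inside 192.168.1.2 / outside 192.168.2.2) -- R2 192.168.2.1 (outside)
! Goal: R2 connects to 192.168.1.1:8080 and the ASA forwards it to the real R1 192.168.1.1:80.

! --- What the posted running configuration had (broken, shown for contrast) ---
! object network R1
!  host 192.168.2.1                                              <- R2's address, not R1's
!  nat (outside,inside) static 192.168.2.1 service tcp www 8080  <- real/mapped sides reversed
! The logs then show R1 as an "outside" host and the connection is reset.

! --- Corrected ASA 8.4 configuration ---
! The "nat" line must be entered under the network object (object NAT). Typing "nat"
! in global configuration mode is the twice-NAT form, which is why the CLI demanded
! "source static" earlier in the thread.
object network R1
 host 192.168.1.1
 nat (inside,outside) static 192.168.1.1 service tcp 80 8080
! syntax: nat (real_ifc,mapped_ifc) static <mapped_ip> service tcp <real_port> <mapped_port>

! Since 8.3 the interface ACL is evaluated against the REAL address and REAL port,
! so the rule permits port 80, not 8080. Allow only the one published service;
! the "permit ip any any" in the posted config exposes everything behind the ASA.
access-list OUTSIDE-IN extended permit tcp any object R1 eq 80
access-group OUTSIDE-IN in interface outside

! --- Verification on the ASA (before and after the telnet test from R2) ---
! 1. Confirm the translation is installed with the sides you expect:
show nat detail
! 2. Simulate R2 -> 192.168.1.1:8080 arriving on "outside". The NAT phase should show
!    the destination rewritten to 192.168.1.1/80 and the result should be "Action: allow".
!    A "drop" here tells you which phase (ACL, NAT, route) still blocks the flow.
packet-tracer input outside tcp 192.168.2.1 40000 192.168.1.1 8080
! 3. While "telnet 192.168.1.1 8080" runs on R2, the connection should appear as
!    inbound on outside towards inside:192.168.1.1/80 rather than being torn down
!    with "TCP Reset-O":
show conn
show xlate
```

If the NAT statement is edited after connections have been built, clear the existing translations (clear xlate) so the new rule is used for the next test.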

Thanks Jouni,

Can you share a good tutorial for such a config?

Thanks