Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Port to application mapping on asa

Hi,

i have cisco asa 8.4, i am using simple topology on gns3:

R1  ----------------------------------(inisde) ASA (outside) ------------------------------ R2

192.168.1.1               192.168.1.2           192.168.2.2                           192.168.2.1 

I have enabled http on R1, telnet from R2 to R1 (telnet 192.168.1.1 80) , it work.

Now i want to configure ASA to port map 80 to 8080,  telnet from R2 to R1 ( telnet 192.168.1.1 8080) , how can i do it ?

Thankssss

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Port to application mapping on asa

Hi,

There is different IP address used in the NAT configuration? The IP address of R2 even though you wanted to do the NAT for R1 IP address 192.168.1.1 to my understanding so that R2 could connec to 192.168.1.1 port TCP/8080 to reach the actual port TCP/80 on the R1 192.168.1.1?

If so then you would need to issue these commands which I suggested originally

object network R1

host 192.168.1.1

nat (inside,outside) static 192.168.1.1 service tcp 80 8080

- Jouni

15 REPLIES
Super Bronze

Port to application mapping on asa

Hi,

This depends on your software level used. The NAT configuration format is different for software levels 8.2 (and below) compared to levels 8.3 (and above)

Here is an example of both

Software 8.2 and below

static (inside,outside) tcp 192.168.1.1 8080 192.168.1.1 80 netmask 255.255.255.255

access-list permit tcp any host 192.168.1.1 8080

Software 8.3 and above

object network R1

host 192.168.1.1

nat (inside,outside) static 192.168.1.1 service tcp 80 8080

access-list permit tcp any object R1 eq 80

Hope this helps

Let me know if it works for you. If not then will have to look more into the configuration.

- Jouni

New Member

Port to application mapping on asa

Hi,

It did not work, i tried to write same command, it did not accept

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

object service 80

service tcp destination eq www

object service 8080

service tcp source eq 8080

object network R1

host 192.168.2.1

ciscoasa(config)# nat (inside,ouside) source static ?

configure mode commands/options:
  WORD  Specify object or object-group name for real source
  any   Abbreviation for source address and mask of 0.0.0.0

ciscoasa(config)# nat (inside,ouside) source static R1 ?

configure mode commands/options:
  WORD       Specify object or object-group name for mapped source
  interface  Specify interface NAT

how to write it ?

Super Bronze

Port to application mapping on asa

Hi,

You did not enter the commands I suggested.

The NAT configuration should be

object network R1

host 192.168.1.1

nat (inside,outside) static 192.168.1.1 service tcp 80 8080

You are trying to add the "nat" configuration in the global configuration space and not under the "object network R1"

So enter these in order wihtout entering any other command in between

object network R1

 

host 192.168.1.1

nat (inside,outside) static 192.168.1.1 service tcp 80 8080

The first one will create the "object" and move under its configuration space. The next one will add the "host" address under the "object". The last command will add the actual "nat" command under the "object" we created

Then you need the ACL to allow the traffic as described in my first reply. Naturally you will have to use an ACL that is attached with the "access-group" to your "outside" interface

- Jouni

New Member

Port to application mapping on asa

Hi, i manage to write command, but i am getting

R1#telnet 192.168.1.1 8080

Trying 192.168.1.1, 8080 ...

% Connection refused by remote host

Super Bronze

Port to application mapping on asa

Hi,

Post your ACL configuration

show run access-list

show run access-group

If you have no ACL configured you could add

access-list OUTSIDE-IN permit tcp any object R1 eq 80

access-group OUTSIDE-IN in interface outside

But I presume you have an existing ACL attached to interface "outside" like in my above example so you could use that ACL to allow what I have allowed above.

Let me know if it works. Otherwise post the configurations so I can check what is needed

- Jouni

New Member

Port to application mapping on asa

hi,

ciscoasa(config)#  sh run access-list
access-list l extended permit tcp any object R1 eq www
access-list l extended permit ip any any

ciscoasa# sh run access-group
access-group l in interface ouside

Thanks for all your help

New Member

Port to application mapping on asa

%ASA-6-302013: Built outbound TCP connection 44 for ouside:192.168.2.1/8080 (192.168.2.1/8080) to inside:192.168.1.1/29489 (192.168.1.1/29489)

%ASA-6-302014: Teardown TCP connection 44 for ouside:192.168.2.1/8080 to inside:192.168.1.1/29489 duration 0:00:00 bytes 0 TCP Reset-O

New Member

Port to application mapping on asa

%ASA-6-302013: Built inbound TCP connection 46 for ouside:192.168.2.1/42377 (192.168.2.1/42377) to inside:192.168.1.1/8080 (192.168.1.1/8080)

%ASA-6-302014: Teardown TCP connection 46 for ouside:192.168.2.1/42377 to inside:192.168.1.1/8080 duration 0:00:00 bytes 0 TCP Reset-I

Super Bronze

Port to application mapping on asa

Hi,

The connection should work if you are connecting from R2 to R1 with the destination IP 192.168.1.1 and port TCP/8080. Or that is how I understood the original request below

Now i want to configure ASA to port map 80 to 8080,  telnet from R2 to R1 ( telnet 192.168.1.1 8080) , how can i do it ?

Your above example seems to be you connecting from the R1 to itself?

R1#telnet 192.168.1.1 8080

Trying 192.168.1.1, 8080 ...

% Connection refused by remote host

So test this from R2

- Jouni

New Member

Port to application mapping on asa

Hi, same thing i am getting

R2#telnet 192.168.1.1 8080

Trying 192.168.1.1, 8080 ...

% Connection refused by remote host

%ASA-6-302013: Built outbound TCP connection 53 for ouside:192.168.1.1/8080 (192.168.1.1/8080) to inside:192.168.2.1/55789 (192.168.2.1/55789)

%ASA-6-302014: Teardown TCP connection 53 for ouside:192.168.1.1/8080 to inside:192.168.2.1/55789 duration 0:00:00 bytes 0 TCP Reset-O

%ASA-7-609002: Teardown local-host inside:192.168.2.1 duration 0:00:00

%ASA-7-609002: Teardown local-host ouside:192.168.1.1 duration 0:00:00

Super Bronze

Re: Port to application mapping on asa

Hi,

The logs dont match your original posts topology at all.

The log says R1 192.168.1.1 is located "outside" and the R2 192.168.2.1 is located "inside"?

Can you share the complete firewall configuration

Actually seems your other interface is called "ouside" and not "outside".

- Jouni

New Member

Port to application mapping on asa

ciscoasa# sh run

: Saved

:

ASA Version 8.4(2)

interface GigabitEthernet0

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

!

interface GigabitEthernet1

nameif outside

security-level 0

ip address 192.168.2.2 255.255.255.0

!

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network out

host 192.168.2.1

object network in

host 192.168.1.1

object service 80

service tcp destination eq www

object service 8080

service tcp source eq 8080

object network R1

host 192.168.2.1

access-list l extended permit ip any any

pager lines 24

logging enable

logging buffered debugging

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network R1

nat (outside,inside) static 192.168.2.1 service tcp www 8080

access-group l in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

Super Bronze

Port to application mapping on asa

Hi,

There is different IP address used in the NAT configuration? The IP address of R2 even though you wanted to do the NAT for R1 IP address 192.168.1.1 to my understanding so that R2 could connec to 192.168.1.1 port TCP/8080 to reach the actual port TCP/80 on the R1 192.168.1.1?

If so then you would need to issue these commands which I suggested originally

object network R1

host 192.168.1.1

nat (inside,outside) static 192.168.1.1 service tcp 80 8080

- Jouni

New Member

Port to application mapping on asa

thx Jouni,

can u share good tutorial for such config ?

thxxxxxxxxxxxxxxxxxx

Super Bronze

Port to application mapping on asa

Hi,

You could take a look at the document I have made here on the forums. It contains some examples of basic NAT configurations. It still work in progress

Here is the link

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

- Jouni

327
Views
0
Helpful
15
Replies