11-05-2013 05:03 AM - edited 03-11-2019 08:00 PM
Hi,
I have a Cisco ASA 8.4, I am using a simple topology on GNS3:
R1 (192.168.1.1) ---------- (inside: 192.168.1.2) ASA (outside: 192.168.2.2) ---------- R2 (192.168.2.1)
I have enabled HTTP on R1; telnet from R2 to R1 (telnet 192.168.1.1 80) works.
Now I want to configure the ASA to port map 80 to 8080, telnet from R2 to R1 (telnet 192.168.1.1 8080). How can I do it?
Thankssss
11-05-2013 06:38 AM
Hi,
There is a different IP address used in the NAT configuration? The IP address of R2, even though you wanted to do the NAT for the R1 IP address 192.168.1.1, to my understanding, so that R2 could connect to 192.168.1.1 port TCP/8080 to reach the actual port TCP/80 on R1 192.168.1.1?
If so, then you would need to issue these commands which I suggested originally:
object network R1
host 192.168.1.1
nat (inside,outside) static 192.168.1.1 service tcp 80 8080
- Jouni
11-05-2013 05:17 AM
Hi,
This depends on the software level used. The NAT configuration format is different for software levels 8.2 (and below) compared to levels 8.3 (and above).
Here is an example of both:
Software 8.2 and below
static (inside,outside) tcp 192.168.1.1 8080 192.168.1.1 80 netmask 255.255.255.255
access-list
Software 8.3 and above
object network R1
host 192.168.1.1
nat (inside,outside) static 192.168.1.1 service tcp 80 8080
access-list
Hope this helps.
Let me know if it works for you. If not, then we will have to look more into the configuration.
- Jouni
11-05-2013 05:35 AM
Hi,
It did not work. I tried to write the same command, but it did not accept it.
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
object service 80
service tcp destination eq www
object service 8080
service tcp source eq 8080
object network R1
host 192.168.2.1
ciscoasa(config)# nat (inside,ouside) source static ?
configure mode commands/options:
WORD Specify object or object-group name for real source
any Abbreviation for source address and mask of 0.0.0.0
ciscoasa(config)# nat (inside,ouside) source static R1 ?
configure mode commands/options:
WORD Specify object or object-group name for mapped source
interface Specify interface NAT
How do I write it?
11-05-2013 05:39 AM
Hi,
You did not enter the commands I suggested.
The NAT configuration should be:
object network R1
host 192.168.1.1
nat (inside,outside) static 192.168.1.1 service tcp 80 8080
You are trying to add the "nat" configuration in the global configuration space and not under the "object network R1".
So enter these in order, without entering any other command in between:
object network R1
host 192.168.1.1
nat (inside,outside) static 192.168.1.1 service tcp 80 8080
The first one will create the "object" and move under its configuration space. The next one will add the "host" address under the "object". The last command will add the actual "nat" command under the "object" we created.
Then you need the ACL to allow the traffic as described in my first reply. Naturally you will have to use an ACL that is attached with the "access-group" to your "outside" interface.
- Jouni
11-05-2013 05:48 AM
Hi, I managed to write the command, but I am getting:
R1#telnet 192.168.1.1 8080
Trying 192.168.1.1, 8080 ...
% Connection refused by remote host
11-05-2013 06:00 AM
Hi,
Post your ACL configuration:
show run access-list
show run access-group
If you have no ACL configured, you could add:
access-list OUTSIDE-IN permit tcp any object R1 eq 80
access-group OUTSIDE-IN in interface outside
But I presume you have an existing ACL attached to interface "outside" like in my above example, so you could use that ACL to allow what I have allowed above.
Let me know if it works. Otherwise post the configurations so I can check what is needed.
- Jouni
11-05-2013 06:08 AM
Hi,
ciscoasa(config)# sh run access-list
access-list l extended permit tcp any object R1 eq www
access-list l extended permit ip any any
ciscoasa# sh run access-group
access-group l in interface ouside
Thanks for all your help.
11-05-2013 06:11 AM
%ASA-6-302013: Built outbound TCP connection 44 for ouside:192.168.2.1/8080 (192.168.2.1/8080) to inside:192.168.1.1/29489 (192.168.1.1/29489)
%ASA-6-302014: Teardown TCP connection 44 for ouside:192.168.2.1/8080 to inside:192.168.1.1/29489 duration 0:00:00 bytes 0 TCP Reset-O
11-05-2013 06:11 AM
%ASA-6-302013: Built inbound TCP connection 46 for ouside:192.168.2.1/42377 (192.168.2.1/42377) to inside:192.168.1.1/8080 (192.168.1.1/8080)
%ASA-6-302014: Teardown TCP connection 46 for ouside:192.168.2.1/42377 to inside:192.168.1.1/8080 duration 0:00:00 bytes 0 TCP Reset-I
11-05-2013 06:11 AM
Hi,
The connection should work if you are connecting from R2 to R1 with the destination IP 192.168.1.1 and port TCP/8080. Or that is how I understood the original request below:
Now i want to configure ASA to port map 80 to 8080, telnet from R2 to R1 ( telnet 192.168.1.1 8080) , how can i do it ?
Your above example seems to be you connecting from R1 to itself?
R1#telnet 192.168.1.1 8080
Trying 192.168.1.1, 8080 ...
% Connection refused by remote host
So test this from R2.
- Jouni
11-05-2013 06:20 AM
Hi, I am getting the same thing:
R2#telnet 192.168.1.1 8080
Trying 192.168.1.1, 8080 ...
% Connection refused by remote host
%ASA-6-302013: Built outbound TCP connection 53 for ouside:192.168.1.1/8080 (192.168.1.1/8080) to inside:192.168.2.1/55789 (192.168.2.1/55789)
%ASA-6-302014: Teardown TCP connection 53 for ouside:192.168.1.1/8080 to inside:192.168.2.1/55789 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-7-609002: Teardown local-host inside:192.168.2.1 duration 0:00:00
%ASA-7-609002: Teardown local-host ouside:192.168.1.1 duration 0:00:00
11-05-2013 06:24 AM
Hi,
The logs don't match your original post's topology at all.
The log says R1 192.168.1.1 is located "outside" and R2 192.168.2.1 is located "inside"?
Can you share the complete firewall configuration?
Actually, it seems your other interface is called "ouside" and not "outside".
- Jouni
11-05-2013 06:34 AM
ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
interface GigabitEthernet0
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network out
host 192.168.2.1
object network in
host 192.168.1.1
object service 80
service tcp destination eq www
object service 8080
service tcp source eq 8080
object network R1
host 192.168.2.1
access-list l extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network R1
nat (outside,inside) static 192.168.2.1 service tcp www 8080
access-group l in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
11-05-2013 06:40 AM
Thanks Jouni,
Can you share a good tutorial for such a config?
Thanks
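To see why Jouni's three-line object NAT works while the configuration posted above (object R1 bound to 192.168.2.1, NAT in the (outside,inside) direction) leaves R2's connection untouched, here is an added example that models the behaviour. It is not code from the thread or from Cisco: a deliberately small Python simulation that parses only the command shapes that appear in this thread (object network / host / nat ... static ... service tcp, access-list ... permit ... any {any|object X} [eq PORT], access-group). It assumes the ASA 8.3+ rule that an interface ACL is evaluated against the real (untranslated) destination address and port, which is why Jouni's ACE says "eq 80" rather than "eq 8080"; the two config snippets and the flow's source port are constructed from the posts.

```python
"""Constructed model of ASA 8.3+ static object NAT with port translation.
Simplified simulation for reasoning about the thread, not ASA code."""
import re
from dataclasses import dataclass, replace
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "ssh": 22}


def port(tok: str) -> int:
    """Resolve a port keyword the ASA accepts (www, telnet, ...) or a number."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


@dataclass
class NetObject:
    name: str
    host: Optional[str] = None         # real address from the "host" line
    real_if: Optional[str] = None      # first name in "nat (real,mapped)"
    mapped_if: Optional[str] = None
    mapped_ip: Optional[str] = None
    real_port: Optional[int] = None    # "service tcp REAL MAPPED"
    mapped_port: Optional[int] = None


NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(?: service tcp (\S+) (\S+))?$")
ACE_RE = re.compile(r"access-list (\S+) extended permit (tcp|ip) any (?:any|object (\S+))(?: eq (\S+))?$")


def parse_objects(config: str) -> dict[str, NetObject]:
    """Collect network objects; "host" and "nat" only count while inside an object,
    which is the mistake the thread hit when "nat" was typed in global config mode."""
    objects: dict[str, NetObject] = {}
    current: Optional[NetObject] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name = line.split()[2]
            current = objects.setdefault(name, NetObject(name))  # re-entering merges, as on the CLI
        elif current is not None and line.startswith("host "):
            current.host = line.split()[1]
        elif current is not None and (m := NAT_RE.match(line)):
            current.real_if, current.mapped_if, current.mapped_ip = m.group(1), m.group(2), m.group(3)
            if m.group(4):
                current.real_port, current.mapped_port = port(m.group(4)), port(m.group(5))
        else:
            current = None  # any other command leaves the object's configuration space
    return objects


@dataclass(frozen=True)
class Flow:
    ingress_if: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def untranslate(flow: Flow, objects: dict[str, NetObject]) -> tuple[Flow, Optional[str]]:
    """A packet entering on an object's mapped interface for the mapped IP/port has its
    destination rewritten to the real host/port. Returns (real-side flow, egress interface)
    or (unchanged flow, None) when no static rule applies."""
    for obj in objects.values():
        if obj.host is None or obj.mapped_if != flow.ingress_if or obj.mapped_ip != flow.dst_ip:
            continue
        if obj.mapped_port is not None and obj.mapped_port != flow.dst_port:
            continue
        real_port = flow.dst_port if obj.real_port is None else obj.real_port
        return replace(flow, dst_ip=obj.host, dst_port=real_port), obj.real_if
    return flow, None


def acl_for_interface(config: str, ifname: str) -> Optional[str]:
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:1] == ["access-group"] and parts[2:5] == ["in", "interface", ifname]:
            return parts[1]
    return None  # no inbound ACL: lower-to-higher security traffic is dropped


def parse_acl(config: str, name: str) -> list[tuple[str, Optional[str], Optional[int]]]:
    entries = []
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if m and m.group(1) == name:
            entries.append((m.group(2), m.group(3), port(m.group(4)) if m.group(4) else None))
    return entries


def acl_permits(flow: Flow, entries, objects: dict[str, NetObject]) -> bool:
    """Assumed 8.3+ behaviour: the ACE is compared with the REAL destination IP and port."""
    for _proto, obj_name, p in entries:
        if obj_name is not None and objects[obj_name].host != flow.dst_ip:
            continue
        if p is not None and p != flow.dst_port:
            continue
        return True
    return False


def simulate(config: str, flow: Flow) -> dict:
    objects = parse_objects(config)
    real_flow, egress = untranslate(flow, objects)
    acl = acl_for_interface(config, flow.ingress_if)
    permitted = bool(acl) and acl_permits(real_flow, parse_acl(config, acl), objects)
    return {"translated": egress is not None, "egress": egress,
            "real_dst": (real_flow.dst_ip, real_flow.dst_port), "permitted": permitted}


# Jouni's suggested configuration (constructed from the replies above).
WORKING_CONFIG = """
object network R1
 host 192.168.1.1
 nat (inside,outside) static 192.168.1.1 service tcp 80 8080
access-list OUTSIDE-IN extended permit tcp any object R1 eq 80
access-group OUTSIDE-IN in interface outside
"""

# The relevant lines of the "sh run" posted above: object bound to R2's address, NAT reversed.
BROKEN_CONFIG = """
object network R1
 host 192.168.2.1
access-list l extended permit ip any any
object network R1
 nat (outside,inside) static 192.168.2.1 service tcp www 8080
access-group l in interface outside
"""

# R2 telnetting to 192.168.1.1 8080; source port taken from the log line in the thread.
R2_TO_R1 = Flow("outside", "192.168.2.1", 42377, "192.168.1.1", 8080)

if __name__ == "__main__":
    print("working:", simulate(WORKING_CONFIG, R2_TO_R1))
    print("broken: ", simulate(BROKEN_CONFIG, R2_TO_R1))
```

With the working configuration the flow is rewritten to 192.168.1.1:80 and sent out "inside"; with the posted one nothing matches, the packet reaches R1 still addressed to port 8080 (permitted by "permit ip any any"), and R1 refuses it, which is the "% Connection refused" seen in the thread. Changing Jouni's ACE to "eq 8080" makes the model deny the flow, illustrating why the ACL must name the real port on 8.3+.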