Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Problem port forwarding on ASA 5505

Hello,

I have a ftp-server running on 192.168.1.170 with port 21 and I want to do port forwarding in my Cisco ASA 5505.

The outside ip-address is 10.1.1.2 but I can't make a connection from a client with ip-address 10.1.1.1.

I did the same with a USRobotics router and it works as a charm. So the problem must be in the Cisco configuration.

My config:

: Saved

: Written by enable_15 at 12:57:10.202 UTC Sat Mar 28 2009

!

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 10.1.1.2 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in extended permit tcp any interface outside eq ftp-data

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface ftp 192.168.1.170 ftp netmask 255.255.255.255

static (inside,outside) tcp interface ftp-data 192.168.1.170 ftp netmask 255.255.255.255

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:08bbfacb3de9a0ecc718793d99d3effc

: end

kind regards,

ME

3 REPLIES

Re: Problem port forwarding on ASA 5505

1) issue the below command

fixup protocol ftp 21 ( I read that this is necessary when you are natting the FTP-Server ip address, This will not show up in your running-config )

2) you don't need to permit ftp-data in your access-list applied to outside interface , as the firewall inspects ftp and dynamically opens the ports needed for the data channel.

so, the below ACE is not needed

access-list outside_access_in extended permit tcp any interface outside eq ftp-data

and also the destination address in your ACE should be an ip-address (host 10.1.1.20) isn't it ??

3) the below static is wrong, you are forwarding ftp-data to ftp ,

static (inside,outside) tcp interface ftp-data 192.168.1.170 ftp( should be ftp-data )netmask 255.255.255.255

if it doesn't work with the above static, I suggest you do a one-one static instead of the existing 2 without port-forwarding

static (inside,outside) tcp interface 192.168.1.170 netmask 255.255.255.255

HTH

Vikram

Community Member

Re: Problem port forwarding on ASA 5505

You could try this

1.Create ACL

access-list outside_access_in permit tcp any host "ip address of outside interface' eg ftp

access-list outside_access_in permit tcp any host "ip address of outside interface' eg ftp-data

Apply to outside interface in the inbound direction

access-group outside_access_in in interface outside

2. Add static statement

static (inside,outside) tcp interface ftp 192.168.1.170 ftp netmask 255.255.255.255

static (inside,outside) tcp interface ftp-data 192.168.1.170 ftp netmask 255.255.255.255 0 0

access-list outside_access_in extended permit tcp any interface outside eq ftp-data 0 0

Re: Problem port forwarding on ASA 5505

try the following

1. remove "static" and "acl entry" related to ftp-data. since "inspect ftp" has been enabled, system will open port 20 automatically.

2. use IP address instead of "interface" in both ACL and static NAT config and try it again.

428
Views
0
Helpful
3
Replies
CreatePlease to create content