Cisco Support Community

New Member

Simple asa 5505 firewall NAT question

Hi,

I want to allow incoming traffic on port 444 to be NATed to an internal host. I also want to allow this traffic using an ACL. Seems fairly simple but I can't figure it out.

The important part of my config:

xxx.xxx.xxx.xxx is my external IP address.

: Saved
:
ASA Version 7.2(3)
!
hostname x
domain-name x
enable password x
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xxx.xxx.xxx.xxx 444 192.168.100.16 444 netmask 255.255.255.255
access-group outside_access_in in interface outside

6 REPLIES
Hall of Fame Super Blue

Re: Simple asa 5505 firewall NAT question

Traffic coming from outside will not have both the src and dst port set to 444 so your acl will not work -

access-list outside_access_in extended permit tcp any eq 444 host xxx.xxx.xxx.xxx eq 444

Assuming you are talking about traffic coming in with a destination port of 444 which you then want to send to your internal server 192.168.100.16, change the acl line to -

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

Jon

Re: Simple asa 5505 firewall NAT question

Your ACL is wrong, you are using a source port of 444 - It will be anything from 1024-65535.

Change the acl to:-

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

HTH>

Re: Simple asa 5505 firewall NAT question

And I always find it useful, when I am using the IP address of the outside interface, to configure the acl & nat to use it, like:-

access-list outside_access_in extended permit tcp any interface outside eq telnet

static (inside,outside) tcp interface 23 192.168.100.16 23 netmask 255.255.255.255

HTH>
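The point made in the three replies above (a client's source port is an ephemeral value, so an ACE that pins both source and destination port to 444 never matches a real connection, while `permit tcp any host X eq 444` or `permit tcp any interface outside eq 444` does) can be checked offline with a small matcher for the subset of ASA extended-ACE syntax used in this thread. This is an added example, not code from any of the posters or from Cisco; the outside address 203.0.113.10 stands in for the masked xxx.xxx.xxx.xxx, the client address and the port-name table are constructed, and first-match-with-implicit-deny is the only ASA semantics it models.

```python
"""Added example: evaluate ASA 7.x 'extended' ACEs against sample TCP flows.

Covers only the grammar seen in the thread:
  access-list NAME extended permit|deny PROTO SRC [eq PORT] DST [eq PORT]
where SRC/DST is 'any', 'host A', 'A MASK' or 'interface NAME'.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the masked addresses in the thread.
INTERFACE_ADDRS = {"outside": "203.0.113.10", "inside": "192.168.100.1"}
CLIENT_ADDR = "198.51.100.7"
# Small port-name table (constructed; real ASA knows many more names).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(toks, i):
    """Consume one address spec at toks[i]; return (network, next index)."""
    t = toks[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    if t == "interface":  # 'interface outside' means the interface's own address
        return ipaddress.ip_network(INTERFACE_ADDRS[toks[i + 1]] + "/32"), i + 2
    # 'A.B.C.D M.M.M.M': ASA ACLs use normal subnet masks, not wildcards.
    return ipaddress.ip_network(f"{t}/{toks[i + 1]}", strict=False), i + 2


def _parse_port(toks, i):
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    toks = line.split()
    if toks[0] != "access-list" or toks[2] != "extended":
        raise ValueError("only 'access-list NAME extended ...' lines are supported")
    action, proto, i = toks[3], toks[4], 5
    src, i = _parse_addr(toks, i)
    sport, i = _parse_port(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)
    return Ace(action, proto, src, sport, dst, dport)


def ace_matches(ace: Ace, proto, sip, sport, dip, dport) -> bool:
    if ace.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(sip) not in ace.src or ipaddress.ip_address(dip) not in ace.dst:
        return False
    if ace.src_port is not None and ace.src_port != sport:
        return False  # this is the check that kills 'any eq 444 ... eq 444'
    if ace.dst_port is not None and ace.dst_port != dport:
        return False
    return True


def acl_permits(acl_lines, proto, sip, sport, dip, dport) -> bool:
    """First-match semantics with implicit deny at the end, as on the ASA."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, proto, sip, sport, dip, dport):
            return ace.action == "permit"
    return False


def simulate_clients(acl_lines, n=1000, seed=1) -> int:
    """Count how many of n client connections to tcp/444 the ACL admits.
    Each connection uses a random ephemeral source port (1024-65535)."""
    rng = random.Random(seed)
    admitted = 0
    for _ in range(n):
        sport = rng.randint(1024, 65535)
        if acl_permits(acl_lines, "tcp", CLIENT_ADDR, sport, INTERFACE_ADDRS["outside"], 444):
            admitted += 1
    return admitted


# The thread's ACEs with the masked public address replaced by the stand-in.
ORIGINAL_ACE = "access-list outside_access_in extended permit tcp any eq 444 host 203.0.113.10 eq 444"
FIXED_ACE = "access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 444"
INTERFACE_ACE = "access-list outside_access_in extended permit tcp any interface outside eq 444"
TELNET_ACE = "access-list outside_access_in extended permit tcp any interface outside eq telnet"

if __name__ == "__main__":
    for label, ace in [("original", ORIGINAL_ACE), ("fixed", FIXED_ACE), ("interface", INTERFACE_ACE)]:
        print(f"{label:9s}: {simulate_clients([ace])}/1000 connections admitted")
```

On this ASA release the `outside_access_in` ACL is evaluated against the public (mapped) address, which is why the thread's ACE names xxx.xxx.xxx.xxx or `interface outside` rather than 192.168.100.16; the matcher above follows that convention. The original ACE admits 0 of 1000 simulated connections, the corrected and `interface outside` forms admit all of them, and a connection to any other destination port still falls through to the implicit deny.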

New Member

Re: Simple asa 5505 firewall NAT question

I changed the ACL to:

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.xxx eq 444

But the problem still remains. Is there something wrong with my NAT rule perhaps?

Re: Simple asa 5505 firewall NAT question

Post your current nat rule.

Also try a clear xlate, then re-test.

New Member

Re: Simple asa 5505 firewall NAT question

Forget my last post. I got it.
