Urgent help with Cisco ASA 5505 with port forwarding

Dr.X
Level 2

Hi all,

I have Cisco ASA 8.4 with ASDM and want to make a port forward.

My simple topology is as below:

inside---------------------ASA-------------outside-------------------------------------internet

inside with security level 100

outside with security level 0

The outside interface has a public IP; assume it is 1.1.1.1.

In my LAN I have 3 private IPs:

192.168.1.2
192.168.1.3
192.168.1.4

I want to open RDP for 192.168.1.2 by port forwarding from the ASA, and also HTTP for 192.168.1.3 and HTTPS for 192.168.1.4.

As an example: if somebody from the internet needs to access RDP on host 192.168.1.2, he has to use the IP 1.1.1.1 with the RDP port; whoever wants to access the web server on 192.168.1.3 ========> 1.1.1.1:80; and whoever wants to access HTTPS on 192.168.1.4 ========> 1.1.1.1:443.

I read a lot and googled a lot, but I don't have a clear solution for how to do my objective above.

Can anyone give me brief steps?

I'm using ASDM but no luck; it always fails!

I know that I need to do NAT and allow access rules, but still no luck.

Hoping for help.

Regards

5 Replies

Hello.

Could you please show:

  • sh runn access-list
  • sh runn access-group
  • sh runn nat
  • sh runn object
  • sh runn object-group

NAT should be like:

object network MY_RDP
host 192.168.1.2
nat (inside,outside) static interface service tcp 3389 3389

PS: in the inbound ACL on the outside interface you need to allow access to 192.168.1.2:3389, 192.168.1.3:80 and 192.168.1.4:443.

Jami Bailey
Level 1

object network RDP_Server
host 192.168.1.2
nat (inside,outside) static 1.1.1.1 service tcp rdp rdp
!
object network HTTP_Server
host 192.168.1.3
nat (inside,outside) static 1.1.1.1 service tcp http http
!
object network HTTPS_Server
host 192.168.1.4
nat (inside,outside) static 1.1.1.1 service tcp https https

Also ensure your rules allow the connections.

Hi all,

Thanks a lot, but I'm fond of doing it by ASDM.

I'm not good with CLI; I'm still a beginner.

Should I make a print screen for you of my issue?

I will make some print screens for you.

Hi Mr. Jami,

Here is my lab ASDM image:

Here is sh run:

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif UP
security-level 30
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet1
nameif DOWN
security-level 50
ip address 50.60.70.1 255.255.255.0
!
interface GigabitEthernet2
nameif LEFT
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet3
nameif RIGHT
security-level 0
ip address 12.13.14.1 255.255.255.0
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network gpohost
host 192.168.1.50
object service 8090
service tcp destination eq 8090
object service telnet
service tcp destination eq telnet
object network xp10
subnet 12.0.0.0 255.0.0.0
object network gogogogo
host 12.13.14.1
object network virus
range 16.16.16.1 16.16.16.255
object network nat_192
host 192.168.1.50
object network pool
range 4.4.4.4 4.4.4.10
object network 809055
subnet 12.0.0.0 255.255.255.0
object network nattt
host 192.168.1.50
description kkkkk
object network iiiiii
host 192.168.1.50
description hhhhhhhhhhh
object network jjjj
host 1.1.1.1
object network pppppppp
host 192.168.1.50
description ooooooooo
object network kkkkk
host 192.168.1.5
description iiiii
object network ll
host 192.168.50.1
object network portforwarddddd
host 192.168.1.50
object network RDP_Server
host 192.168.1.50
access-list RIGHT_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu UP 1500
mtu LEFT 1500
mtu DOWN 1500
mtu RIGHT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-204.bin
no asdm history enable
arp timeout 14400
access-group RIGHT_access_in in interface RIGHT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.10.0 255.255.255.0 UP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.10.10.0 255.255.255.0 UP
telnet 12.0.0.0 255.0.0.0 RIGHT
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 DOWN
ssh timeout 5
console timeout 0
dhcpd auto_config UP
dhcpd update dns override
!
dhcpd address 192.168.1.50-192.168.1.60 LEFT
dhcpd dns 8.8.8.8 interface LEFT
dhcpd enable LEFT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username virus password 8GQz2i.ViIn9Z/x8 encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:bdd486511991a5b7be4dd6a2daac1a55
: end

===================================

Here is the topology:

http://www6.0zz0.com/2014/01/22/18/286624589.png

Quick trial from the ASA console:

object network RDP_Server
host 192.168.1.50
ciscoasa(config-network-object)# nat (LEFT,RIGHT) static 12.13.14.1 service tcp rdp rdp
ERROR: Address 12.13.14.1 overlaps with RIGHT interface address.
ERROR: NAT Policy is not downloaded

Why did it fail???

It gives me the same error when I try from ASDM. It says:

ERROR: Address 12.13.14.1 overlaps with RIGHT interface address.
ERROR: NAT Policy is not downloaded

Why?

Use Mikhail's NAT statements, i.e. instead of using the public IP address use the "interface" keyword.

Jon
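As an added example (not from the thread, Cisco, or any of the posters), a small Python audit that reads an ASA show run excerpt and flags the two issues this thread turns on: an object NAT whose mapped address is the egress interface's own IP (the "overlaps with ... interface address" error, fixed by the interface keyword) and a permit ip any any ACL applied inbound on the security-level 0 interface. The sample config is constructed from the posted sh run and the failed NAT command; the regexes assume ASA's canonical stanza order and single-space indentation.

```python
import re

# Constructed excerpt modelled on the thread's "sh run" and its failed NAT
# command (sample input, not the poster's full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet2
 nameif LEFT
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet3
 nameif RIGHT
 security-level 0
 ip address 12.13.14.1 255.255.255.0
!
object network RDP_Server
 host 192.168.1.50
 nat (LEFT,RIGHT) static 12.13.14.1 service tcp rdp rdp
access-list RIGHT_access_in extended permit ip any any
access-group RIGHT_access_in in interface RIGHT
"""

# ASA prints interface stanzas in this fixed order: nameif, security-level, ip.
IFACE_RE = re.compile(r"^interface \S+\n nameif (\S+)\n security-level (\d+)\n"
                      r" ip address (\S+) \S+", re.M)
# Object NAT: object name, real host, (src,dst) interfaces, mapped address, rest.
NAT_RE = re.compile(r"^object network (\S+)\n host (\S+)\n"
                    r" nat \((\S+),(\S+)\) static (\S+)(.*)$", re.M)
ACG_RE = re.compile(r"^access-group (\S+) in interface (\S+)$", re.M)

def audit(cfg):
    """Return findings: NAT/interface address overlaps and wide-open ACLs."""
    ifaces = {m[1]: (m[3], int(m[2])) for m in IFACE_RE.finditer(cfg)}
    findings = []
    for obj, real, src, dst, mapped, rest in NAT_RE.findall(cfg):
        # Static NAT to the egress interface's own IP is rejected ("overlaps
        # with ... interface address"); the 'interface' keyword is the fix.
        if dst in ifaces and mapped == ifaces[dst][0]:
            findings.append(f"{obj} ({real}): mapped {mapped} is the {dst} "
                            f"interface IP; use 'nat ({src},{dst}) static interface{rest}'")
    for acl, iface in ACG_RE.findall(cfg):
        wide_open = re.search(rf"^access-list {re.escape(acl)} extended permit ip any any$",
                              cfg, re.M)
        # permit ip any any inbound on a security-level 0 interface exposes every
        # translated host; restrict it to the real IPs and ports being forwarded.
        if iface in ifaces and ifaces[iface][1] == 0 and wide_open:
            findings.append(f"{acl} on {iface} (security-level 0) permits ip any any; "
                            "restrict it to the forwarded hosts and ports")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the RDP_Server overlap with the corrected nat line and the RIGHT_access_in finding; an empty config yields no findings.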
