Cisco Support Community

New Member

urgent help with Cisco ASA 5505 with port forwarding

Hi all,

I have a Cisco ASA 8.4 with ASDM and want to set up port forwarding.

My simple topology is as below:

inside---------------------ASA-------------outside-------------------------------------internet

inside with security level 100

outside with security level 0

The outside interface has a public IP; assume it is 1.1.1.1.

In my LAN I have 3 private IPs:

192.168.1.2

192.168.1.3

192.168.1.4

I want to open RDP for 192.168.1.2 by port forwarding from the ASA,

also I want to open HTTP for 192.168.1.3,

also HTTPS for 192.168.1.4.

As an example:

if somebody from the internet needs to access the host 192.168.1.2 via RDP, he has to use the IP 1.1.1.1 with the RDP port,

and whoever wants to access the web on 192.168.1.3 ========> 1.1.1.1:80

and whoever wants to access HTTPS on 192.168.1.4 ========> 1.1.1.1:443

I read a lot and googled a lot, but I don't have a clear solution for how to achieve my objective above.

Can anyone give me brief steps?

I'm using ASDM but no luck; it always fails!

I know that I need to do NAT and allow access rules, but still no luck.

Hoping for help.

Regards

5 REPLIES

Re: urgent help with Cisco ASA 5505 with port forwarding

Hello.

Could you please show:

  • sh runn access-list
  • sh runn access-group
  • sh runn nat
  • sh runn object
  • sh runn object-group

NAT should be like:

object network MY_RDP
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 3389 3389

PS: on the outside ACL (in) you need to allow access to 192.168.1.2:3389, 192.168.1.3:80 and 192.168.1.4:443.

New Member

Re: urgent help with Cisco ASA 5505 with port forwarding

object network RDP_Server
 host 192.168.1.2
 nat (inside,outside) static 1.1.1.1 service tcp rdp rdp
!
object network HTTP_Server
 host 192.168.1.3
 nat (inside,outside) static 1.1.1.1 service tcp http http
!
object network HTTPS_Server
 host 192.168.1.4
 nat (inside,outside) static 1.1.1.1 service tcp https https

Also ensure your rules allow the connections.

New Member

Re: urgent help with Cisco ASA 5505 with port forwarding

Hi all,

Thanks a lot,

but I'm fond of doing it by ASDM.

I'm not good with the CLI; I'm still a beginner.

Should I make print screens for you of my issue??

I will make some print screens for you.

New Member

urgent help with Cisco ASA 5505 with port forwarding

Hi,

Mr Jami,

here is my lab ASDM image:

here is sh run:

ciscoasa# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif UP
 security-level 30
 ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet1
 nameif DOWN
 security-level 50
 ip address 50.60.70.1 255.255.255.0
!
interface GigabitEthernet2
 nameif LEFT
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet3
 nameif RIGHT
 security-level 0
 ip address 12.13.14.1 255.255.255.0
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network gpohost
 host 192.168.1.50
object service 8090
 service tcp destination eq 8090
object service telnet
 service tcp destination eq telnet
object network xp10
 subnet 12.0.0.0 255.0.0.0
object network gogogogo
 host 12.13.14.1
object network virus
 range 16.16.16.1 16.16.16.255
object network nat_192
 host 192.168.1.50
object network pool
 range 4.4.4.4 4.4.4.10
object network 809055
 subnet 12.0.0.0 255.255.255.0
object network nattt
 host 192.168.1.50
 description kkkkk
object network iiiiii
 host 192.168.1.50
 description hhhhhhhhhhh
object network jjjj
 host 1.1.1.1
object network pppppppp
 host 192.168.1.50
 description ooooooooo
object network kkkkk
 host 192.168.1.5
 description iiiii
object network ll
 host 192.168.50.1
object network portforwarddddd
 host 192.168.1.50
object network RDP_Server
 host 192.168.1.50
access-list RIGHT_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu UP 1500
mtu LEFT 1500
mtu DOWN 1500
mtu RIGHT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-204.bin
no asdm history enable
arp timeout 14400
access-group RIGHT_access_in in interface RIGHT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.10.0 255.255.255.0 UP
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.10.10.0 255.255.255.0 UP
telnet 12.0.0.0 255.0.0.0 RIGHT
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 DOWN
ssh timeout 5
console timeout 0
dhcpd auto_config UP
dhcpd update dns override
!
dhcpd address 192.168.1.50-192.168.1.60 LEFT
dhcpd dns 8.8.8.8 interface LEFT
dhcpd enable LEFT
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username virus password 8GQz2i.ViIn9Z/x8 encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:bdd486511991a5b7be4dd6a2daac1a55
: end

===================================

here is the topology:

http://www6.0zz0.com/2014/01/22/18/286624589.png

Quick trial:

from the ASA console

object network RDP_Server
 host 192.168.1.50
ciscoasa(config-network-object)#
 nat (LEFT,RIGHT) static 12.13.14.1 service tcp rdp rdp
ERROR: Address 12.13.14.1 overlaps with RIGHT interface address.
ERROR: NAT Policy is not downloaded

Why did it fail???

It gives me the same error when I try from ASDM??

It says

ERROR: Address 12.13.14.1 overlaps with RIGHT interface address.
ERROR: NAT Policy is not downloaded

Why?

Hall of Fame Super Blue

urgent help with Cisco ASA 5505 with port forwarding

Use Mikhail's NAT statements, i.e. instead of using the public IP address use the "interface" keyword instead.

Jon
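An added example (not from the thread, Cisco or any poster): a small Python model of the ASA 8.3+ static PAT objects discussed above and of the interface-overlap check behind the poster's error, assuming the LEFT/RIGHT interface addresses from the posted running config. The rendered outside ACL permits only the forwarded ports to the real (untranslated) IPs, which is what ASA 8.3+ evaluates, instead of the permit ip any any in the posted config.

```python
"""Model ASA 8.3+ port forwarding (static PAT) and the interface-overlap error.

Added illustration, not ASA code. The interface table below is constructed
from the lab running config in this thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

# Constructed from the posted 'sh run': nameif -> interface IP.
INTERFACES: Dict[str, IPv4Address] = {
    "LEFT": IPv4Address("192.168.1.1"),
    "RIGHT": IPv4Address("12.13.14.1"),
}


@dataclass(frozen=True)
class Forward:
    name: str      # object network name
    real_ip: str   # inside host (real, untranslated address)
    port: str      # TCP port, ASA keyword (rdp, http) or number
    mapped: str    # explicit mapped IP, or the literal keyword "interface"


def check_mapped(fwd: Forward, interfaces=INTERFACES) -> Optional[str]:
    """Return the ASA-style error when an explicit mapped IP is one of the
    firewall's own interface addresses; None when the NAT is acceptable.
    Using the 'interface' keyword (Mikhail's form) never overlaps."""
    if fwd.mapped == "interface":
        return None
    addr = IPv4Address(fwd.mapped)
    for ifname, ifaddr in interfaces.items():
        if addr == ifaddr:
            return f"ERROR: Address {addr} overlaps with {ifname} interface address."
    return None


def render(fwds: List[Forward], inside: str, outside: str) -> str:
    """Emit object/NAT lines plus a least-privilege inbound ACL on the outside
    interface. Post-8.3 ACLs match the real IP, so entries use fwd.real_ip."""
    lines: List[str] = []
    for f in fwds:
        err = check_mapped(f)
        if err:
            raise ValueError(err)  # same failure the ASA reports at config time
        lines += [f"object network {f.name}", f" host {f.real_ip}",
                  f" nat ({inside},{outside}) static {f.mapped} service tcp {f.port} {f.port}"]
    acl = f"{outside}_access_in"
    for f in fwds:
        lines.append(f"access-list {acl} extended permit tcp any host {f.real_ip} eq {f.port}")
    lines.append(f"access-group {acl} in interface {outside}")
    return "\n".join(lines)
```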
