New Member

Inbound static Natting

I have been trying to get an inbound static rule working, with no success.

What we want is to have any computer on the web access port 7080, which is forwarded and NATted to the inside. Now we have two ASA 5520s in place (one which we control and the other that company X controls), as per the diagram.

The rules that I have in place want the source port to be 7080, and not the destination port, on the external interface on the ASA.

Rules that I have now (I have been testing with 1 IP address):

access-list outside_nat_static_1 extended permit tcp host 2.1.20.26 eq 7080 any

static (outside,SMARTS_VPN) tcp interface 7080 access-list outside_nat_static_1

What am I missing? Thanks in advance.

4 REPLIES

Re: Inbound static Natting

Can you just post the exact addressing of the firewalls and the NAT config you have?

It must be very precise, as you have two NAT stages, which is not recommended but possible.

Then I can give you a more precise answer.

Thanks

New Member

Re: Inbound static Natting

Hi,

The config that I have posted is the running conf. The IP addresses have just had a number removed, e.g. 2.x.x.x = 22.x.x.x, so the numbers should not be "that" important (all internal numbers are what is in place ;-)

When I test the rules with the ASDM, if the packet source port is 7080 then the rule works, and if I test this from my local machine and force my local machine to send the packet from 7080 then everything works - however, this should not be.

The source/port of the packet should be any - it is only the dest port that I want to NAT/forward on.

Thanks in advance

Re: Inbound static Natting

As far as I know, you can only map port to port (PAT) or any to any (normal NAT), but any to a specific port I haven't seen.

Anyway, if you use a web browser, you can map HTTP to 7080 and so on; in this case that will be more reasonable.

And regarding your config with the ACL, try to make it like this:

static (smart_vpn, outside) [internal ip] [ur ACL]

By the way, have you made a permit ACL on the outside interface?

New Member

Re: Inbound static Natting

To add to this:

access-list outside_nat_static_1 extended permit tcp host 2.1.20.26 eq 7080 any

static (outside,inside) tcp interface 7080 access-list outside_nat_static_1
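
The behaviour reported in the thread (the rule only matches when the packet's source port is 7080) follows from where the port operator sits in an extended ACL entry: a port written after the source address constrains the source port. The sketch below is an added example, not part of any post above; it models extended ACL matching only (not ASA NAT processing), handles numeric ports only, and the destination address 192.0.2.10 and the VARIANT line are constructed for comparison.

```python
import ipaddress

OPS = {"eq", "neq", "lt", "gt", "range"}

def _addr(tok, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def _port(tok, i):
    """Consume an optional port operator; return ((op, lo, hi) or None, next index)."""
    if i < len(tok) and tok[i] in OPS:
        if tok[i] == "range":
            return ("range", int(tok[i + 1]), int(tok[i + 2])), i + 3
        return (tok[i], int(tok[i + 1]), int(tok[i + 1])), i + 2
    return None, i

def parse_ace(line):
    """Parse: access-list NAME extended ACTION PROTO SRC [port] DST [port]."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("not an extended access-list entry")
    ace = {"name": tok[1], "action": tok[3], "proto": tok[4]}
    i = 5
    ace["src"], i = _addr(tok, i)
    ace["sport"], i = _port(tok, i)   # operator here binds to the SOURCE port
    ace["dst"], i = _addr(tok, i)
    ace["dport"], i = _port(tok, i)   # operator here binds to the DESTINATION port
    return ace

def _port_ok(spec, port):
    if spec is None:                  # no operator: any port matches
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= hi}[op]

def matches(ace, src, sport, dst, dport):
    """True if a packet src:sport -> dst:dport matches the entry."""
    return (ipaddress.ip_address(src) in ace["src"]
            and ipaddress.ip_address(dst) in ace["dst"]
            and _port_ok(ace["sport"], sport) and _port_ok(ace["dport"], dport))

# Entry exactly as posted in the thread.
POSTED = parse_ace("access-list outside_nat_static_1 extended permit tcp host 2.1.20.26 eq 7080 any")
# Constructed variant: the same entry with the port operator after the destination.
VARIANT = parse_ace("access-list outside_nat_static_1 extended permit tcp host 2.1.20.26 any eq 7080")
```

With the posted entry, a client using an ephemeral source port toward destination port 7080 does not match, while one forced to send from port 7080 does, which is the result described for the ASDM test.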
