Opening A Port To Server On LAN & Allowing Port Forwarding

ljgarcia44
Level 1

Hello All,

I have been tasked with configuring some port access for a server on my internal LAN. The vendor provided me with 2 IPs on their end that I need to allow port 1081 access to my server on my LAN.

We use an ASA 5520 (Ver. 8.0) with ASDM 6.0(3). I was wondering, to accomplish this, do I need to create a 1-to-1 NAT translation so that this server on the inside can see traffic destined for it from the outside? Or can I simply forward any traffic from those two IPs to my server coming over port 1081?

Thank you,

Joey

5 Replies

eddie.mitchell
Level 3

1-You need a static statement to translate one of your public IP addresses to the inside IP address of your server.

2-You need a corresponding ACE on your outside interface ACL to permit traffic over port 1081 from the 2 vendor addresses to the public IP statically natted to your server.

If the traffic over 1081 is unencrypted, I would recommend using an IPSec tunnel.

Hope this helps.

andrew.prince
Level 10

Joey,

You have 2 options:-

1) Port forwarding

2) Static 1:1 NAT

I personally would not choose option 2, as I would not waste an external IP for 1 port forward.

Just allow the remote end IPs to access the outside interface IP based on destination TCP 1081.

HTH>

Andrew, I like the port-forwarding option as well. Would it be too much to ask for more specific information? Keep in mind I am only experienced in ASDM and I have never managed a firewall via command line. Or maybe if I explain your solution out, you can correct me where I'm wrong. I currently have 4 interfaces configured on my ASA: outside, inside, DMZ, and a dedicated interface for our police department. The server resides on a LAN segment on the "Inside" interface. The "Outside" interface is where the ISP is connected.

Step 1. Create an incoming Access Rule on my firewall's outside interface that allows TCP port 1081 traffic from "vendor's IP addresses".

Step 2. I imagine this is where I set up the port-forwarding to my internal server (If possible, I require assistance with this).

Thank you!

Joey

Joey,

Not a fan of the ASDM, so I do everything via the CLI.

To have an ACL allow access, the below is what I would do:-

access-list outside_in extended permit tcp host <> interface outside eq 1081

access-list outside_in extended permit tcp host <> interface outside eq 1081

access-group outside_in in interface outside

The above config binds the ACL to the traffic from the ISP to your firewall interface and allows it through on the specific TCP destination port of 1081.

then the NAT:-

static (inside,outside) tcp interface 1081 <> 1081 netmask 255.255.255.255

The above instructs the firewall to forward any TCP 1081 connections arriving at the outside interface IP to the internal server IP on TCP port 1081.

HTH>
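The ACL plus static PAT pattern Andrew lays out above, as an added example that is not part of the thread: a small Python helper that generates those ASA 8.0 (pre-8.3 syntax) lines for any number of vendor hosts, and a second function that audits a snippet before it is pasted in, flagging an ACE that permits from `any`, an ACL port with no matching static PAT (or the reverse), and an ACL that was never bound with `access-group`. The function names, the audit rules and all addresses (RFC 5737 / RFC 1918 values) are assumptions of this example, not Cisco or Andrew's.

```python
"""Generate and sanity-check an ASA 8.0 (pre-8.3) source-restricted port forward.

Added example, not from the thread. The addresses used are constructed
documentation (203.0.113.0/24) and RFC 1918 values.
"""
import ipaddress
from typing import List


def build_port_forward(vendor_hosts: List[str], server_ip: str, port: int,
                       acl_name: str = "outside_in",
                       inside_ifc: str = "inside",
                       outside_ifc: str = "outside") -> List[str]:
    """Return ASA CLI lines: one ACE per vendor host, the access-group binding,
    and a static PAT from the outside interface address to the inside server."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    server = ipaddress.IPv4Address(server_ip)  # raises ValueError on a bad address
    if not vendor_hosts:
        # Refuse to emit a rule with no source restriction at all.
        raise ValueError("at least one vendor host is required")
    lines = []
    for host in vendor_hosts:
        src = ipaddress.IPv4Address(host)
        lines.append(f"access-list {acl_name} extended permit tcp host {src} "
                     f"interface {outside_ifc} eq {port}")
    lines.append(f"access-group {acl_name} in interface {outside_ifc}")
    lines.append(f"static ({inside_ifc},{outside_ifc}) tcp interface {port} "
                 f"{server} {port} netmask 255.255.255.255")
    return lines


def audit_port_forward(lines: List[str]) -> List[str]:
    """Return findings for a snippet of ACL / static lines (empty list = clean).

    Rules (assumptions of this example):
      * no permit ACE may use 'any' as its source
      * every ACE destination port must be forwarded by a static PAT, and vice versa
      * the ACL must be bound to an interface with access-group
    """
    findings = []
    acl_ports, static_ports, bound = set(), set(), False
    for line in lines:
        parts = line.split()
        if parts[:1] == ["access-list"] and "permit" in parts:
            if "any" in parts:
                findings.append(f"ACE permits from any: {line}")
            if "eq" in parts:
                acl_ports.add(parts[parts.index("eq") + 1])
        elif parts[:1] == ["static"] and "tcp" in parts:
            # static (real,mapped) tcp <mapped_ip|interface> <mapped_port> <real_ip> <real_port> ...
            static_ports.add(parts[4])
        elif parts[:1] == ["access-group"]:
            bound = True
    for p in sorted(acl_ports - static_ports):
        findings.append(f"ACL permits port {p} but no static PAT forwards it")
    for p in sorted(static_ports - acl_ports):
        findings.append(f"static PAT on port {p} has no matching ACE")
    if not bound:
        findings.append("ACL is not bound to an interface (missing access-group)")
    return findings


if __name__ == "__main__":
    # Constructed inputs: two vendor hosts, one inside server, port 1081.
    cfg = build_port_forward(["203.0.113.10", "203.0.113.11"], "10.10.20.5", 1081)
    print("\n".join(cfg))
    print("findings:", audit_port_forward(cfg) or "none")
```

Running the module prints the four lines to paste and an empty findings list; feeding `audit_port_forward` a hand-written snippet whose ACE reads `permit tcp any ...` returns a finding for it, which is the check worth running before the rule goes onto the outside interface.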

This is great information, Thank you Andrew. Is there anyone out there that can assist me in setting this up through ASDM?
