Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Opening A Port To Server On LAN & Allowing Port Forwarding

Hello All,

I have been tasked with configuring some port access for a server on my internal LAN. The Vendor provided me with 2 IP's on their end that I need to allow Port 1081 access to my server on my LAN.

We use an ASA 5520(Ver.8.0) with ASDM 6.0(3). I was wondering, to accomplish this, do I need to create a 1-to-1 NAT translation so that this server on the inside can see traffic destined for it from the outside? Or can I simply forward any traffic from those to IP's to my server coming over Port 1081?

Thank you,

Joey

5 REPLIES

Re: Opening A Port To Server On LAN & Allowing Port Forwarding

1-You need a static statement to translate one of your public IP addresses to the inside IP address of your server.

2-You need a corresponding ACE on your outside interface ACL to permit traffic over port 1081 from the 2 vendor addresses to the public IP statically natted to your server.

If the traffic over 1081 is unencrypted, I would recommend using an IPSec tunnel.

Hope this helps.

Re: Opening A Port To Server On LAN & Allowing Port Forwarding

Joey,

You have 2 options:-

1) Port forwarding

2) Static 1:1 NAT

I personally would not choose option 2, as I would not waste an external IP for 1 port forward.

Just allow the remote end IP's to access the outside interface IP based on destination TCP 1081.

HTH>

Community Member

Re: Opening A Port To Server On LAN & Allowing Port Forwarding

Andrew, I like the port-forwarding option as well. Would it be too much to ask for more specific information? Keep in mind I am only experienced in ASDM and I have never managed a firewall via command line. Or maybe if I explain your solution out, you can correct me where I'm wrong. I currently have 4 interfaces configured on my ASA. outside, inside, DMZ, and a dedicated interface for our police department. The server resides on a LAN segment on the "Inside" interface. The "Outside" interface is where the ISP is connected.

Step 1. Create an incoming Access Rule on my firewall's outside interface that allows TCP port 1081 traffic from "vendor's IP addresses".

Step 2. I imagine this is where I set up the port-forwarding to my internal server (If possible, I require assistance with this).

Thank you!

Joey

Re: Opening A Port To Server On LAN & Allowing Port Forwarding

Joey,

Not a fan of the ASDm, so I do everyting via the cli.

to have an acl allow access the below is what I would do:-

access-list outside_in extended permit tcp host <> interface outside 1081

access-list outside_in extended permit tcp host <> interface outside 1081

access-group outside_in in interface outside

The above config binds the acl to the traffic from the ISP to your firewall interface and allows it thru on the specific tcp destination port og 1081.

then the NAT:-

static (inside,outside) tcp interface 1081 <> 1081 netmask 255.255.255.255

The above instructs the firewall to forward any tcp 1081 connections for the outside interface IP to forward them onto the internal server IP and tcp port 1081.

HTH>

Community Member

Re: Opening A Port To Server On LAN & Allowing Port Forwarding

This is great information, Thank you Andrew. Is there anyone out there that can assist me in setting this up through ASDM?

177
Views
5
Helpful
5
Replies
CreatePlease to create content