https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984679#M147809 <P>Hello,</P> <P>I have a 5506-x that needs to port forward a range of ports. My outside IP is also Dynamic from the ISP.</P> <P></P> <P>So far I made a Network\Service Object for the ports I want to use in the port forwarding.</P> <P>object service Service_OBJ_IPcamPorts_UDP<BR />&nbsp;service udp source range 8186 8191 destination range 8186 8191<BR />&nbsp;<BR />object service Service_OBJ_IPcamPort_TCP<BR />&nbsp;service tcp source range 8186 8191 destination range 8186 8191</P> <P>object network Network-Object-SOHO-Cisco-Router<BR />&nbsp;host 10.0.0.2</P> <P></P> <P>After the creation of the objects I'm unsure how to nat and make the acl to allow the packets.</P> <P>nat (CISCO-SOHO-Router,outside) source static Network-Object-SOHO-Cisco-Router Network-Object-SOHO-Cisco-Router service Service_OBJ_IPcamPort_TCP Service_OBJ_IPcamPort_TCP</P> <P></P> <P>Then my Current ACL</P> <P></P> <P>access-list outside_access_in line 2 extended permit tcp any range 8186 8191 host 10.0.0.2 range 8186 8191 log disable (hitcnt=0) 0x95da1b49<BR />&nbsp; access-list outside_access_in line 2 extended permit udp any range 8186 8191 host 10.0.0.2 range 8186 8191 log disable (hitcnt=0) 0x401fe7ac<BR /><IMG src="https://community.cisco.com/legacyfs/online/media/capture_254.png" class="migrated-markup-image" /></P> <P>any is the internet</P> <P>10.0.0.2 is a SOHO home router that is nating again with the same port ranges</P> <P></P> <P></P> <P></P> <P></P> <P></P> <P><BR /><BR />&nbsp;</P> Tue, 12 Mar 2019 08:46:06 GMT Joshuabowers 2019-03-12T08:46:06Z https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984679#M147809 <P>Hello,</P> <P>I have a 5506-x that needs to port forward a range of ports. My outside IP is also Dynamic from the ISP.</P> <P></P> <P>So far I made a Network\Service Object for the ports I want to use in the port forwarding.</P> <P>object service Service_OBJ_IPcamPorts_UDP<BR />&nbsp;service udp source range 8186 8191 destination range 8186 8191<BR />&nbsp;<BR />object service Service_OBJ_IPcamPort_TCP<BR />&nbsp;service tcp source range 8186 8191 destination range 8186 8191</P> <P>object network Network-Object-SOHO-Cisco-Router<BR />&nbsp;host 10.0.0.2</P> <P></P> <P>After the creation of the objects I'm unsure how to nat and make the acl to allow the packets.</P> <P>nat (CISCO-SOHO-Router,outside) source static Network-Object-SOHO-Cisco-Router Network-Object-SOHO-Cisco-Router service Service_OBJ_IPcamPort_TCP Service_OBJ_IPcamPort_TCP</P> <P></P> <P>Then my Current ACL</P> <P></P> <P>access-list outside_access_in line 2 extended permit tcp any range 8186 8191 host 10.0.0.2 range 8186 8191 log disable (hitcnt=0) 0x95da1b49<BR />&nbsp; access-list outside_access_in line 2 extended permit udp any range 8186 8191 host 10.0.0.2 range 8186 8191 log disable (hitcnt=0) 0x401fe7ac<BR /><IMG src="https://community.cisco.com/legacyfs/online/media/capture_254.png" class="migrated-markup-image" /></P> <P>any is the internet</P> <P>10.0.0.2 is a SOHO home router that is nating again with the same port ranges</P> <P></P> <P></P> <P></P> <P></P> <P></P> <P><BR /><BR />&nbsp;</P> Tue, 12 Mar 2019 08:46:06 GMT https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984679#M147809 Joshuabowers 2019-03-12T08:46:06Z https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984680#M147810 <P>Hi,</P> <P></P> <P>Can you capture traffic on your outside interface to make sure that you are receiving traffic from SOHO using the right IP/Port</P> Thu, 12 Jan 2017 06:38:07 GMT https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984680#M147810 Mohammed al Baqari 2017-01-12T06:38:07Z https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984681#M147811 <P>Hi,</P> <P></P> <P>You need to translate the private IP address 10.0.0.2 to a public one. You can use the outside interface public IP, similar to this:</P> <P></P> <P>nat (CISCO-SOHO-Router,outside) source static Network-Object-SOHO-Cisco-Router&nbsp;interface service Service_OBJ_IPcamPort_TCP Service_OBJ_IPcamPort_TCP</P> <P></P> <P>Another thing, I am not sure if the incoming traffic would be sourcing from the same destination range ports toward the 10.0.0.2. If not please correct the ACLs to read as following:</P> <P></P> <P>access-list outside_access_in extended permit tcp any host 10.0.0.2 range 8186 8191 log disable<BR />access-list outside_access_in&nbsp;extended permit udp any host 10.0.0.2 range 8186 8191 log disable</P> <P></P> <P>Also please remove the destination range from the service object.</P> <P></P> <P>Regards,</P> <P>Aref</P> Thu, 12 Jan 2017 23:43:54 GMT https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984681#M147811 Aref Alsouqi 2017-01-12T23:43:54Z https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984682#M147812 <P>I found out my main problem.</P> <P></P> <P>for acls for natting, only one acl needs to be &nbsp; Specified &nbsp;for the node that has the natted service. I believe the asa will build acls&nbsp;&nbsp;on there own to allow non nated traffic to come back.</P> Fri, 13 Jan 2017 20:12:29 GMT https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984682#M147812 Joshuabowers 2017-01-13T20:12:29Z https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984683#M147813 <P>ASA by default inspects the traffic leaving and&nbsp;allows&nbsp;the returning traffic to pass through without any need for any ACL, but if you want to allow the traffic initiated from outside to inside, you need an ACL entry to allow it.</P> <P></P> <P>Regards,</P> <P>Aref</P> Fri, 13 Jan 2017 20:29:37 GMT https://community.cisco.com/t5/network-security/asa-5506-port-forwarding/m-p/2984683#M147813 Aref Alsouqi 2017-01-13T20:29:37Z