https://community.cisco.com/t5/network-security/asa-5505-how-to-create-a-port-forwarding-rule/m-p/2612478#M197530 <P>Hello Jouni,</P><P>Thanks for the response. So if I'm understanding correctly it will only work if I use the following commands?</P><P>nat (inside,outside) static interface service tcp 21 21<BR />access-list NASFTP-in permit tcp any object NAS eq 21</P><P>So the ASA is no longer capable of doing port forwarding rule for certain services?</P> Fri, 30 Jan 2015 07:12:31 GMT Frazer Johnson Jr 2015-01-30T07:12:31Z https://community.cisco.com/t5/network-security/asa-5505-how-to-create-a-port-forwarding-rule/m-p/2612476#M197527 <P>ASA 5505 IOS ver 9.2.3</P><P>I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.</P><P>I tried these commands but they didn't work:</P><P>object network NAS<BR />host 192.168.2.8<BR />nat (inside,outside) static interface service tcp 21 1545<BR />access-list NASFTP-in permit tcp any object NAS eq 1545<BR />conf t<BR />int vlan 2<BR />access-group NASFTP-in permit tcp any object NAS eq 1545</P><P>I really appreciate the help everyone.</P> Tue, 12 Mar 2019 05:24:37 GMT https://community.cisco.com/t5/network-security/asa-5505-how-to-create-a-port-forwarding-rule/m-p/2612476#M197527 Frazer Johnson Jr 2019-03-12T05:24:37Z https://community.cisco.com/t5/network-security/asa-5505-how-to-create-a-port-forwarding-rule/m-p/2612477#M197528 <P>Hi,</P><P>&nbsp;</P><P>The NAT configuration itself is fine.</P><P>&nbsp;</P><P>Notice though that since we talking about a software level that is 8.3+ it means that the ACLs will always use the local/real IP address and port in the rules.</P><P>&nbsp;</P><P>So in your case you should allow the connections to the real port TCP/21. This is because when the connection attempt comes to the ASA it will first untranslate the public destination address and port to the real destination address and port and only after that it will check the packet against the interface ACL.</P><P>&nbsp;</P><P>- Jouni</P> Wed, 28 Jan 2015 08:11:15 GMT https://community.cisco.com/t5/network-security/asa-5505-how-to-create-a-port-forwarding-rule/m-p/2612477#M197528 Jouni Forss 2015-01-28T08:11:15Z https://community.cisco.com/t5/network-security/asa-5505-how-to-create-a-port-forwarding-rule/m-p/2612478#M197530 <P>Hello Jouni,</P><P>Thanks for the response. So if I'm understanding correctly it will only work if I use the following commands?</P><P>nat (inside,outside) static interface service tcp 21 21<BR />access-list NASFTP-in permit tcp any object NAS eq 21</P><P>So the ASA is no longer capable of doing port forwarding rule for certain services?</P> Fri, 30 Jan 2015 07:12:31 GMT https://community.cisco.com/t5/network-security/asa-5505-how-to-create-a-port-forwarding-rule/m-p/2612478#M197530 Frazer Johnson Jr 2015-01-30T07:12:31Z https://community.cisco.com/t5/network-security/asa-5505-how-to-create-a-port-forwarding-rule/m-p/2612479#M197532 <P>try this, it worked for me, here is an example of adding a webserver with a ip of 10.10.50.60 &nbsp;and naming it with a object named www-server and forwarding port 80 , the way it works is you need to do three things, u need to "nat it" "foward it" and allow it in "acl"</P><P>object network obj-10.10.50.60-1</P><P>host 10.10.50.60</P><P>nat (inside,outside) static interface service tcp 80 80</P><P><BR />object network INSIDE<BR />nat (inside,outside) dynamic interface</P><P><BR />object network WWW-SERVER<BR />nat (inside,outside) static interface service tcp 80 80</P><P><BR />access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80</P><P>access-group Outside_access_in in interface Outside</P><P>&nbsp;</P> Fri, 30 Jan 2015 16:07:36 GMT https://community.cisco.com/t5/network-security/asa-5505-how-to-create-a-port-forwarding-rule/m-p/2612479#M197532 davidechen 2015-01-30T16:07:36Z