https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458462#M689505 <P>Hi,</P><P></P><P>I am struggling badly on figuring out how to port forward ftp service to one of my internal box when outside interface is using dhcp. It was very easy with earlier version of code but the new syntax of 8.3.1 is throwing me off totally. Neither there is a good example in documentation for command line and neither the ASDM configuration pushes off either.</P><P></P><P>Goal: Inbound ftp request to outside interface needs to be forwarded to 172.20.100.11 on inside host.</P><P></P><P>Can somebody help out with correct syntax? OR should I downgrade to previous version of code?</P><P></P><P>Thanks,</P><P>Sam Munzani</P> Mon, 11 Mar 2019 17:50:27 GMT smunzani 2019-03-11T17:50:27Z https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458462#M689505 <P>Hi,</P><P></P><P>I am struggling badly on figuring out how to port forward ftp service to one of my internal box when outside interface is using dhcp. It was very easy with earlier version of code but the new syntax of 8.3.1 is throwing me off totally. Neither there is a good example in documentation for command line and neither the ASDM configuration pushes off either.</P><P></P><P>Goal: Inbound ftp request to outside interface needs to be forwarded to 172.20.100.11 on inside host.</P><P></P><P>Can somebody help out with correct syntax? OR should I downgrade to previous version of code?</P><P></P><P>Thanks,</P><P>Sam Munzani</P> Mon, 11 Mar 2019 17:50:27 GMT https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458462#M689505 smunzani 2019-03-11T17:50:27Z https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458463#M689514 <HTML><HEAD></HEAD><BODY><P>I don't have that version of the code, but unless things have changed drastically, you might be able to try something like:</P><P></P><P>static (inside,outside) tcp interface 21 172.20.100.11 21</P><P></P><P>Then in your ACL, you'd put:</P><P></P><P>access-list OUTSIDE permit tcp any interface outside eq 21</P><P></P><P>HTH,</P><P>John</P><P></P><P>*** You really use the word "interface" ****</P></BODY></HTML> Tue, 25 May 2010 15:30:03 GMT https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458463#M689514 John Blakley 2010-05-25T15:30:03Z https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458464#M689520 <HTML><HEAD></HEAD><BODY><P>That old syntax and does not work with 8.3.1 code at all. That's my frustration. Static command is removed from 8.3.1.</P><P>In past when cisco deprecated some commands, the OS automatically converted the command syntax if old commands were typed. In this case, it complains that command has been deprecated but doesn't do conversion or point out right syntax.</P><P></P><P>See output below.</P><P>ASA(config)# static (inside,outside) tcp interface 21 172.20.100.11 21<BR />ERROR: This syntax of nat command has been deprecated.<BR />Please refer to "help nat" command for more details.</P><P></P><P>Needless to say that "help nat" command or the product documentation doesn't show a good example of how to achieve it. It shows how to do port forwarding using dedicated IP but nothing shows how to do with outside interface it self.</P><P></P><P>Thanks,</P><P>Sam</P></BODY></HTML> Tue, 25 May 2010 16:07:53 GMT https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458464#M689520 smunzani 2010-05-25T16:07:53Z https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458465#M689525 <HTML><HEAD></HEAD><BODY><P>Okay,</P><P></P><P>I upgraded a 5505 here and I see what you mean.</P><P></P><P>From what I can guess, try this. You want your FTP traffic to be forwarded to&nbsp; 172.20.100.11. In the ASA type:</P><P></P><P>object network FTPSERVER</P><P>host 172.20.100.11</P><P>nat (inside,outside) dynamic interface</P><P></P><P></P><P>That's it....see if that works and PLEASE let me know because I have 2 firewalls in active/standby that have a TON of mappings in them. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>HTH,</P><P>John</P></BODY></HTML> Tue, 25 May 2010 18:47:35 GMT https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458465#M689525 John Blakley 2010-05-25T18:47:35Z https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458466#M689543 <HTML><HEAD></HEAD><BODY><P>Did not work. Here is my config.</P><P></P><P>object network obj-172.24.100.0 <BR /> subnet 172.24.100.0 255.255.255.0</P><P>object network FTPSERVER <BR /> host 172.24.100.22</P><P>!</P><P>object-group service FTP-Service tcp<BR /> port-object eq ftp<BR /> port-object eq ftp-data</P><P>!</P><P>access-list outside-in extended permit tcp any host 172.24.100.22 object-group FTP-Service</P><P>!</P><P>object network obj-172.24.100.0<BR /> nat (inside,outside) dynamic interface<BR />object network FTPSERVER<BR /> nat (inside,outside) dynamic interface</P><P>!</P><P></P><P>Are you sure its supposed to be dynamic NAT?</P></BODY></HTML> Tue, 25 May 2010 19:10:08 GMT https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458466#M689543 smunzani 2010-05-25T19:10:08Z https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458467#M689551 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>Are you sure its supposed to be dynamic NAT?</P></PRE><P></P><P>No <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN> We're both learning this at the same time! LOL!</P><P></P><P>Try with:</P><P></P><P>nat (inside,outside) static interface service tcp ftp ftp</P></BODY></HTML> Tue, 25 May 2010 19:39:15 GMT https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458467#M689551 John Blakley 2010-05-25T19:39:15Z https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458468#M689564 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>According to the migration guide:</P><P><A href="http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html">http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html</A></P><P></P><P><SPAN class="content"></SPAN></P><P class="pBl_BlockLabel">Old Configuration</P><A name="wp96335"></A><P class="pExT_ExampleTable">static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255</P><DIV class="pPreformatted"><PRE class="pPreformatted"><A name="wp96336"></A></PRE></DIV><A name="wp96337"></A><P class="pBl_BlockLabel">Migrated Configuration</P><A name="wp96338"></A><DIV class="pEx1_Example1"><PRE>object network obj-10.1.1.16 </PRE></DIV><A name="wp96339"></A><DIV class="pEx2_Example2"><PRE>host 10.1.1.16 </PRE></DIV><A name="wp96340"></A><DIV class="pEx2_Example2"><PRE>nat (inside,outside) static 10.1.2.45 service tcp 8080 www </PRE></DIV><P></P><P><BR />Hope it helps.</P><P></P><P>Federico.</P></BODY></HTML> Tue, 25 May 2010 19:44:10 GMT https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458468#M689564 Federico Coto Fajardo 2010-05-25T19:44:10Z https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458469#M689578 <HTML><HEAD></HEAD><BODY><P>Works now.</P><P></P><P>I guess it will take a little time to get used to with new syntax. For some reason ASDM interface didn't let me save configuration with such NAT.</P><P></P><P>Thanks,</P><P>Sam</P></BODY></HTML> Tue, 25 May 2010 19:58:51 GMT https://community.cisco.com/t5/network-security/port-forwarding-using-outside-interface-asa-with-8-3-1/m-p/1458469#M689578 smunzani 2010-05-25T19:58:51Z