Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
493
Views
0
Helpful
4
Replies

Port Forwarding in ASDM7.1

Go to solution
AlekseyAndrosov
Level 1
Level 1

‎06-17-2015 08:03 AM - edited ‎03-11-2019 11:08 PM

Hi all,

I can't make the port forwarding on ASA work.

Internal Resouce IP: AA

ASA Public Interface IP: BB

Real port: 443

Mapped port: 4444

External hosts, for whom Access Must be allowed: CC

 

I configured Static NAT: BB:4444 -> AA:443

And ACL: permit CC -> BB:4444

 

Live test negative, and packet tracer shows "blocked by ACL".

In packet tracer, I enter Source Addr CC, Source Port 1000, Dest Addr BB, Dest Port 4444

 

Any suggestions very welcome !

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Henrik Grankvist
Level 4
Level 4

‎06-17-2015 12:36 PM

Hi

Post your CLI configuration instead.

Should be something similar to (if you are using auto NAT):

object network INTERNAL_RESOURCE_IP
 host 192.168.1.50
 nat (INSIDE,OUTSIDE) static interface service tcp 443 4444

access-list OUTSIDE_IN permit tcp any object INTERNAL_IP 443
access-group OUTSIDE_IN in interface OUTSIDE

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Henrik Grankvist
Level 4
Level 4

‎06-17-2015 12:36 PM

Hi

Post your CLI configuration instead.

Should be something similar to (if you are using auto NAT):

object network INTERNAL_RESOURCE_IP
 host 192.168.1.50
 nat (INSIDE,OUTSIDE) static interface service tcp 443 4444

access-list OUTSIDE_IN permit tcp any object INTERNAL_IP 443
access-group OUTSIDE_IN in interface OUTSIDE

 

0 Helpful

Go to solution
AlekseyAndrosov
Level 1
Level 1
In response to Henrik Grankvist

‎06-17-2015 11:32 PM

@Henrik,

Thanks for your quick answer.

If my external clients need to access Public IP on port 4444, and the Dest. IP in this packet must be translated to INTERNAL_IP port 443, shouldn't I reverse 443 and 4444 in your proposed configuration ?

0 Helpful

Go to solution
Henrik Grankvist
Level 4
Level 4
In response to AlekseyAndrosov

‎06-17-2015 11:40 PM

No, it should be as I wrote it.

0 Helpful

Go to solution
AlekseyAndrosov
Level 1
Level 1
In response to Henrik Grankvist

‎06-18-2015 04:53 AM

Thanks, it worked.

There's 1 more thing though, not mentioned in your post, and not mentioned in ASA config guides (either ASDM or CLI).

There must be 2 ACLs on the Outside interface.

1 to mapped Address:Port, and 2nd to real Address:Port.

i.e. ACL1: permit tcp any object MAPPED_IP eq 4444

ACL2: permit tcp any object INTERNAL_IP eq 443

Foud out by mere luck.

I guess this is a subtle way to ensure that Cisco TAC is kept busy :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card