Port Forwarding

Adnan Khan
Level 4

Hi,

 

I want to configure port forwarding on the firewall: for all traffic coming in on the inside interface and going to the internet with destination port 5222, I want to forward it to port 443 instead. What would be the syntax on an ASA firewall, from any source IP on the inside to any destination on the outside?


balaji.bandi
Hall of Fame

These are high ports; in most cases users are not going to type http or ftp with that port, as far as I know.

Can you explain the use case here in more detail?

 

Below is a document reference:

 

https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

BB


Do I understand you right that you want the following:

Whenever a client on the inside network accesses any IP on the outside network with the port TCP/5222, then the destination port has to be changed to TCP/443?

then you need to configure manual (twice) NAT:

object service TCP-5222
 service tcp destination eq 5222
object service TCP-443
 service tcp destination eq https
object network ANY
 subnet 0.0.0.0 0.0.0.0
!
nat (inside,outside) after-auto source dynamic any interface destination static ANY any service TCP-5222 TCP-443

Here the source IP is changed to the ASA interface IP, as the client typically has a private IP, and for any destination the port is changed from 5222 to 443.

Thanks Balaji and Karsten. I can be more specific. I would like all traffic reaching the firewall inside interface with destination port 5222 to be forwarded immediately to port 443, because port 5222 is blocked on the ISP side and the application takes so much time to connect because it tries to initiate the connection first on port 5222.

Ok, the NAT solution will work, but it is not the best way to solve this problem. Better to configure your firewall to deny this port. The ASA will send a TCP reset and the client will/should try the alternate port directly after that.

@Karsten Iwen will this rule not come in section 1 instead of section 3? Also, if Adnan already has a rule in section 3, then he must define this one on top of that rule, where the "1" gives it priority over the other rules in section 3 (or in section 1).

I understand that section 3 will be the last to be checked.

nat (inside,outside) after-auto 1 source dynamic any interface destination static ANY any service TCP-5222 TCP-443


As always: it depends ... ;-)

Putting this rule in section three gives you the easy possibility to override this behavior for clients with "normal" NAT needs.

In section three it has to be above the general PAT rule, which is done with the number "1" in the nat statement. But it all depends on the rest of the NAT config and has to be evaluated accordingly.
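Putting the two approaches discussed in this thread side by side, as an added worked example (this is not configuration posted by anyone above): Option A is the section-3 twice-NAT port rewrite placed as line 1 so it is matched before the generic inside-to-outside PAT rule, and Option B is the alternative of denying TCP/5222 on the inside interface so the client receives a TCP reset and falls back to 443 straight away. The interface names, the inside subnet 10.0.0.0/24, the object and ACL names, and the test addresses in the packet-tracer call are all assumptions chosen for this example; whether `service resetoutbound` is already enabled by default on your release is also an assumption you should confirm on the box.

```cisco
! ===== Option A: rewrite destination port 5222 -> 443 with twice NAT (section 3) =====
! Assumed inside subnet for this example
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
! Wildcard destination object used on the mapped side of the rule
object network ANY
 subnet 0.0.0.0 0.0.0.0
! Real (original) destination port the client asks for
object service TCP-5222
 service tcp destination eq 5222
! Mapped (translated) destination port the packet leaves with
object service TCP-443
 service tcp destination eq https
!
! Line 1 of section 3: must sit ABOVE the generic PAT rule, because section 3 is
! evaluated first-match and the generic rule would otherwise swallow this flow.
nat (inside,outside) after-auto 1 source dynamic INSIDE-NET interface destination static ANY any service TCP-5222 TCP-443
! Generic inside-to-outside PAT for everything else (becomes line 2 of section 3)
nat (inside,outside) after-auto source dynamic INSIDE-NET interface
!
! Verification: confirm the rule order and hit counts, then simulate a client
! connecting to an outside host on 5222 (assumed test addresses). The trace
! should show the twice-NAT rule matched and the destination port rewritten to 443.
show nat detail
packet-tracer input inside tcp 10.0.0.50 40000 203.0.113.10 5222

! ===== Option B: deny TCP/5222 on the inside interface and reset the client =====
! Deny only the blocked port from the inside subnet; allow the rest as before.
access-list INSIDE-IN extended deny tcp 10.0.0.0 255.255.255.0 any eq 5222
access-list INSIDE-IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
!
! Without a reset the client sits in its connect timeout on 5222, which is the same
! symptom the ISP drop produces. resetoutbound makes the ASA answer the denied SYN
! with a RST so the application can fail over to 443 immediately. Assumed to be on
! by default; check the effective setting before relying on it.
show running-config all service
service resetoutbound
```

Option A only helps if the destination genuinely offers the same service on 443, which is the case here because the application already falls back to that port; otherwise the client completes a 443 handshake that then fails at the application layer. Option B changes nothing about the traffic that is allowed through, which is why it is the smaller change to reason about: the only new behaviour is that the ASA answers the blocked port explicitly instead of letting the client time out.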

Cheers Karsten. Appreciate the quick reply.


Moaz.Elzhrawey
Level 1
As they mentioned, the configuration is straightforward; it's all about static NAT with ports, whether you do it from the CLI or using ASDM.
Moaz Elzhrawey
Solutions Architect, CCIE 2x RS | DC, VCP 3x NV | DCV | DTM