allow outside access to inside device using Cisco ASA 5510

pfeiferkim
Level 1

I have a mail archiver (hardware device) in my network that I need to access from the iPad/iPhone. There is an app for it, but I have to allow the access on the ASA. I created an 'object' for the device and added a Static NAT entry for it, then added an access rule. It's not working, so I am guessing I did it wrong. The device uses port 8000, which I also added to the object. Can someone help me out with the correct commands, or using the ASDM works too.

Thanks


Jouni Forss
VIP Alumni

Hi,

Usually I would configure the NAT and ACL in the following way:

  • Presuming you are using "inside" and "outside" named interfaces
  • Presuming you want to just forward a single port using the "outside" interface IP address of ASA
  • Presuming you don't have an ACL attached to the "outside" interface before this. If you have, then you naturally use the existing ACL

object network STATIC
 host
 nat (inside,outside) static interface service tcp 8000 8000
access-list OUTSIDE-IN permit tcp any object STATIC eq 8000
access-group OUTSIDE-IN in interface outside

While this configuration should work just fine, there is always a possibility that some other configuration prevents it from working correctly. So if it doesn't work just with this, then we would need to see the current configuration of the ASA to determine the problem.

You can also test the ASA configurations with the CLI command "packet-tracer"

The command format roughly in your case would probably be

packet-tracer input outside tcp 1.2.3.4 12345 8000

The output of the above command should tell us which configurations/rules are applied to this simulated connection. Don't mind the strange source IP and port. They don't really matter as long as the IP used as the source is something that your ASA considers located behind its "outside" interface.

- Jouni
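
An added example, not part of the reply above: an offline check that the three pieces the reply lists (object NAT with a service port, an ACL entry permitting the object, and the access-group binding) line up in a saved configuration, and that notes when the permit is open to any source. The function name `audit_port_forward` and the host address `10.0.0.50` in the sample are assumptions made for the illustration.

```python
import re

# Constructed sample config; the host address is a placeholder, not from the thread.
SAMPLE = """\
object network STATIC
 host 10.0.0.50
 nat (inside,outside) static interface service tcp 8000 8000
access-list OUTSIDE-IN permit tcp any object STATIC eq 8000
access-group OUTSIDE-IN in interface outside
"""

def audit_port_forward(config, obj, port, iface="outside"):
    """Return findings for a single-port forward; an empty list means no issues."""
    findings, body, inside = [], [], False
    lines = config.splitlines()
    o, i = re.escape(obj), re.escape(iface)
    # 1. Sub-commands of "object network <obj>" are the indented lines under it.
    for line in lines:
        if not line.startswith(" "):
            inside = line.strip() == f"object network {obj}"
        elif inside:
            body.append(line.strip())
    if not any(re.fullmatch(r"host \S+", b) for b in body):
        findings.append(f"object {obj} has no host address")
    # Object NAT lists the real (inside) port first, then the mapped port.
    nat = re.compile(rf"nat \(\w+,{i}\) static interface service tcp {port} \d+")
    if not any(nat.fullmatch(b) for b in body):
        findings.append(f"object {obj} has no static PAT for tcp/{port} on {iface}")
    # 2. ACL entries that permit tcp/<port> to the object, keyed by ACL name.
    acl = re.compile(rf"access-list (\S+) (?:extended )?permit tcp (.+?) object {o} eq {port}")
    sources = {}
    for line in lines:
        m = acl.fullmatch(line.strip())
        if m:
            sources.setdefault(m.group(1), []).append(m.group(2))
    # 3. Only ACLs bound inbound on the interface take effect.
    bind = re.compile(rf"access-group (\S+) in interface {i}")
    bound = {m.group(1) for m in map(bind.fullmatch, map(str.strip, lines)) if m}
    live = {name: src for name, src in sources.items() if name in bound}
    if not live:
        findings.append(f"no ACL bound inbound on {iface} permits tcp/{port} to object {obj}")
    for name, srcs in live.items():
        if any(s in ("any", "any4") for s in srcs):
            findings.append(f"exposure: {name} permits tcp/{port} from any source")
    return findings

if __name__ == "__main__":
    for finding in audit_port_forward(SAMPLE, "STATIC", 8000):
        print(finding)
```
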
