01-27-2015 04:12 PM - edited 03-11-2019 10:24 PM
ASA 5505 IOS ver 9.2.3
I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example, I'd like to enable access to our NAS via FTP externally on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
I tried these commands but they didn't work:
object network NAS
host 192.168.2.8
nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in permit tcp any object NAS eq 1545
conf t
int vlan 2
access-group NASFTP-in permit tcp any object NAS eq 1545
I really appreciate the help everyone.
01-28-2015 12:11 AM
Hi,
The NAT configuration itself is fine.
Notice though that since we are talking about a software level that is 8.3+, it means that the ACLs will always use the local/real IP address and port in the rules.
So in your case you should allow the connections to the real port TCP/21. This is because when the connection attempt comes to the ASA it will first untranslate the public destination address and port to the real destination address and port and only after that it will check the packet against the interface ACL.
- Jouni
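Applying that ordering (un-NAT first, then the interface ACL) to the FTP case in the question, as an added example that is not part of any post in this thread. It assumes the outside interface is named "outside" via nameif, and uses placeholders for the ASA's public address and a test source address:

```cisco
! Real host and the static PAT: public TCP/1545 on the outside interface
! maps to real TCP/21 on the NAS (same NAT statement the question already has)
object network NAS
 host 192.168.2.8
 nat (inside,outside) static interface service tcp 21 1545
!
! The ACL is written against the REAL destination: object NAS and port 21,
! not the public port 1545, because the ASA untranslates the packet
! before it evaluates the interface ACL.
access-list OUTSIDE-IN extended permit tcp any object NAS eq 21
access-group OUTSIDE-IN in interface outside
!
! Verification: packet-tracer shows the UN-NAT phase rewriting the
! destination to 192.168.2.8/21 and the ACCESS-LIST phase permitting it.
! <SRC_IP> and <OUTSIDE_IP> are placeholders for a test client and the
! ASA's public address.
packet-tracer input outside tcp <SRC_IP> 40000 <OUTSIDE_IP> 1545
```

If the trace ends in DROP at the ACCESS-LIST phase, the usual cause is an ACL entry that still references the public port.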
01-29-2015 11:12 PM
Hello Jouni,
Thanks for the response. So if I'm understanding correctly it will only work if I use the following commands?
nat (inside,outside) static interface service tcp 21 21
access-list NASFTP-in permit tcp any object NAS eq 21
So is the ASA no longer capable of doing a port forwarding rule for certain services?
01-30-2015 08:07 AM
Try this, it worked for me. Here is an example of adding a webserver with an IP of 10.10.50.60, naming it with an object named www-server and forwarding port 80. The way it works is you need to do three things: you need to "nat it", "forward it" and allow it in the "acl".
object network WWW-SERVER
 host 10.10.50.60
 nat (inside,outside) static interface service tcp 80 80
object network INSIDE
 subnet <INSIDE_NETWORK> <MASK>
 nat (inside,outside) dynamic interface
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
access-group Outside_access_in in interface Outside