1329 Views, 0 Helpful, 3 Replies

ASA 5505 how to create a port forwarding rule

ASA 5505 IOS ver 9.2.3

I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.

I tried these commands but they didn't work:

object network NAS
host 192.168.2.8
nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in permit tcp any object NAS eq 1545
conf t
int vlan 2
access-group NASFTP-in permit tcp any object NAS eq 1545

I really appreciate the help everyone.

1 Accepted Solution


Jouni Forss
VIP Alumni

Hi,

The NAT configuration itself is fine.

Notice though that since we are talking about a software level that is 8.3+, it means that the ACLs will always use the local/real IP address and port in the rules.

So in your case you should allow the connections to the real port TCP/21. This is because when the connection attempt comes to the ASA it will first untranslate the public destination address and port to the real destination address and port, and only after that will it check the packet against the interface ACL.

- Jouni


3 Replies


Hello Jouni,

Thanks for the response. So if I'm understanding correctly it will only work if I use the following commands?

nat (inside,outside) static interface service tcp 21 21
access-list NASFTP-in permit tcp any object NAS eq 21

So the ASA is no longer capable of doing port forwarding rule for certain services?
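A corrected version of the configuration from the question, as an added example that was not posted by anyone in this thread. It follows the accepted answer: the NAT statement still does the port forwarding (mapped TCP/1545 on the outside interface to real TCP/21 on the NAS), and only the ACL changes, because on 8.3+ the interface ACL is evaluated against the real address and port after un-NAT. The outside interface name `outside`, the ACL name `NASFTP-in`, and the addresses in the packet-tracer line are assumptions.

```cisco
! Added example, not from the thread. Assumes the outside interface is
! named "outside" and reuses the NAS object from the question.
object network NAS
 host 192.168.2.8
 ! Port forwarding: outside interface IP, TCP/1545 -> 192.168.2.8, TCP/21
 nat (inside,outside) static interface service tcp 21 1545
!
! On 8.3+ the interface ACL is checked after un-NAT, so it must match the
! real destination (object NAS, TCP/21), not the mapped port 1545.
access-list NASFTP-in extended permit tcp any object NAS eq 21
!
! Apply the ACL inbound on the outside interface (not with "int vlan 2").
access-group NASFTP-in in interface outside
!
! Verification (constructed source address, <outside-ip> is a placeholder):
! packet-tracer input outside tcp 203.0.113.10 40000 <outside-ip> 1545
```

In the packet-tracer output the UN-NAT phase appears before the ACCESS-LIST phase, which is the order of operations Jouni describes; if the ACL were written with `eq 1545` the ACCESS-LIST phase would show the packet being dropped. `show nat` confirms that the static translation is in place and counts hits on it.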

Try this, it worked for me. Here is an example of adding a web server with an IP of 10.10.50.60 and naming it with an object named www-server and forwarding port 80. The way it works is you need to do three things: you need to "NAT it", "forward it" and allow it in the "ACL".

! 1. Define the server and NAT it (static, port 80 on the outside interface)
object network obj-10.10.50.60-1
 host 10.10.50.60
 nat (inside,outside) static interface service tcp 80 80

! PAT for general outbound traffic from the inside
object network INSIDE
 nat (inside,outside) dynamic interface

! 2. Forward it
object network WWW-SERVER
 nat (inside,outside) static interface service tcp 80 80

! 3. Allow it in the ACL (real port 80) and apply the ACL on the outside interface
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
access-group Outside_access_in in interface Outside

