ASA 5505 Port Forwarding to Different Internal Port

S Kumar
Level 1

My Config:

object network obj-192.168.220.104
 host 192.168.220.104
object network obj-192.168.220.124
 host 192.168.220.124


access-list acl_in_http extended permit tcp host 1.1.1.1 object obj-192.168.1.100 eq 3389 log
access-list acl_in_http extended permit tcp host 1.1.1.1 object obj-192.168.1.200 eq 3389 log

object network obj-192.168.1.100
 nat (inside,outside) static interface service tcp 3390 3389
object network obj-192.168.1.200
 nat (inside,outside) static interface service tcp 3389 3389


I have one public IP configured on the ASA 5505 and I have 2 internal hosts which need RDP access from outside.
One host is accessible from outside using 3389. I wanted to configure the second host with outside port 3390 and inside port 3389.


When I configure NAT for the second host, I get the following warning message:
WARNING: mapped-address 2.2.2.2/3389 ovelap with existing static NAT.


where 2.2.2.2 is the public IP address of the ASA's outside interface.

2 Replies

S Kumar
Level 1

Anyone?

You are getting the warning because the configuration that you have is using the same mapped port (3389).

Change the NAT statements to:

object network obj-192.168.1.100
 nat (inside,outside) static interface service tcp 3389 3390
object network obj-192.168.1.200
 nat (inside,outside) static interface service tcp 3389 3389


And your ACL should permit traffic to the un-NATed IP:


access-list acl_in_http extended permit tcp host 1.1.1.1 object obj-192.168.1.100 eq 3389 log
access-list acl_in_http extended permit tcp host 1.1.1.1 object obj-192.168.1.200 eq 3389 log


Hope it helps!
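
An offline check for the overlap discussed in this thread, as an added example (not code from either poster or from Cisco): it parses object NAT statements of the `static interface service` form and reports any mapped port claimed by more than one object. The function names are hypothetical, and the code assumes the argument order `service tcp real_port mapped_port`.

```python
import re
from collections import defaultdict

# Assumed syntax: nat (real_if,mapped_if) static interface service <proto> <real_port> <mapped_port>
OBJ_RE = re.compile(r"^object\s+network\s+(\S+)\s*$")
NAT_RE = re.compile(r"^\s+nat\s+\((\S+?),(\S+?)\)\s+static\s+interface"
                    r"\s+service\s+(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_port_forwards(config):
    """Return one dict per interface port-forward found under an 'object network' block."""
    rules, current = [], None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and current:
            _, mapped_if, proto, real_port, mapped_port = m.groups()
            rules.append({"object": current, "mapped_if": mapped_if, "proto": proto,
                          "real_port": real_port, "mapped_port": mapped_port})
        elif line.strip() and not line[0].isspace():
            current = None  # any other top-level command ends the object block
    return rules

def find_overlaps(rules):
    """Map (mapped interface, protocol, mapped port) to the objects that collide on it."""
    claimed = defaultdict(list)
    for r in rules:
        claimed[(r["mapped_if"], r["proto"], r["mapped_port"])].append(r["object"])
    return {key: objs for key, objs in claimed.items() if len(objs) > 1}

# NAT statements as posted in the question: both objects map to outside port 3389
QUESTION_CONFIG = """\
object network obj-192.168.1.100
 nat (inside,outside) static interface service tcp 3390 3389
object network obj-192.168.1.200
 nat (inside,outside) static interface service tcp 3389 3389
"""
# NAT statements as posted in the reply: real port 3389 on both hosts, distinct mapped ports
REPLY_CONFIG = """\
object network obj-192.168.1.100
 nat (inside,outside) static interface service tcp 3389 3390
object network obj-192.168.1.200
 nat (inside,outside) static interface service tcp 3389 3389
"""

if __name__ == "__main__":
    print(find_overlaps(parse_port_forwards(QUESTION_CONFIG)))
```

Ports are compared as written, so a named port and its numeric equivalent are treated as different values.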
