03-29-2007 04:26 PM - edited 03-11-2019 02:53 AM
I cannot seem to get port forwarding working on my ASA 5505. I am running everything through one outside IP and do not have additional public IPs to use. I think I have the configuration right, but it is still not working. Through ASDM I do a packet trace and the flow stops at the NAT section with the following error: no translation group found for source outside....
03-29-2007 04:33 PM
Following are the commands required for port-forwarding. Assuming that you have a webserver with internal IP x.x.x.x and need to use the outside interface for access from outside, you would need the following commands:
static (inside,outside) tcp interface 80 x.x.x.x 80
access-list outside_in permit tcp any interface eq 80
access-group outside_in in interface outside
If you already have an access-group on the outside interface, please use the access-list in the same access-group.
Hope this clears your issue.
Regards,
Vibhor.
03-29-2007 05:53 PM
Still cannot get this working...
ASA Version 7.2(2)
!
hostname Cal12-ASA5505
domain-name carmanah.com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXXXXXXXXXXX 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name carmanah.com
object-group service Dameware tcp
port-object range 6129 6129
object-group service RDC tcp
description Remote Desktop Connections
port-object range 3389 3389
access-list inside_access_out extended permit tcp any eq www any
access-list inside_access_out extended permit tcp any eq smtp any
access-list inside_access_out extended permit tcp any eq ftp-data any
access-list inside_access_out extended permit tcp any eq ftp any
access-list inside_access_out extended permit tcp any eq sqlnet any
access-list inside_access_out extended permit tcp any eq nntp any
access-list inside_access_out extended permit tcp any eq 3389 any
access-list inside_access_out extended permit udp any eq ntp any
access-list inside_access_out extended permit esp any any
access-list inside_access_out extended permit tcp any eq https any
access-list inside_access_out extended permit tcp any eq domain host 207.54.98.193
access-list inside_access_out extended permit udp any eq domain host 207.54.98.193
access-list outside_access_in extended permit udp host 207.54.98.193 eq domain any
access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.5 eq 3389
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 200
logging console errors
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.54.100.105 3389 192.168.1.5 3389 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.54.100.110 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
group-lock none
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 10
ssh timeout 5
console timeout 10
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 136.159.2.2 source outside prefer
prompt hostname context
Cryptochecksum:xxx
: end
03-29-2007 06:27 PM
The acl should be:
access-list outside_access_in extended permit tcp any host 207.54.100.105 eq 3389
This will allow any to access 207.54.100.105 on tcp 3389. You do not reference the server with the inside address when the acl is applied on the outside interface. You also had "permit tcp any eq 3389", which means any source with a source port of 3389; you don't want to filter on source port, just destination. Now that I look again, all your acls are written with a source port. So those should be like this:
access-list inside_access_out extended permit tcp any any eq www
access-list inside_access_out extended permit tcp any any eq smtp
access-list inside_access_out extended permit tcp any any eq ftp-data
access-list inside_access_out extended permit tcp any any eq ftp
access-list inside_access_out extended permit tcp any any eq sqlnet
access-list inside_access_out extended permit tcp any any eq nntp
access-list inside_access_out extended permit tcp any any eq 3389
access-list inside_access_out extended permit udp any any eq ntp
access-list inside_access_out extended permit esp any any
access-list inside_access_out extended permit tcp any any eq https
access-list inside_access_out extended permit tcp any host 207.54.98.193 eq domain
access-list inside_access_out extended permit udp any host 207.54.98.193 eq domain
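An added check, not from this thread or from Cisco, that scans ASA access-list lines for the two mistakes pointed out above: matching on a source port, and naming the private inside address in a rule bound inbound on the outside interface. The sample config is constructed from lines in this thread; it assumes `host` entries are IPv4 literals rather than `names` aliases.

```python
import ipaddress

# Constructed sample: two of the poster's original lines, the corrected inbound
# rule from the reply above, and the two access-group bindings from the config.
SAMPLE_CONFIG = """
access-list inside_access_out extended permit tcp any eq www any
access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.5 eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
"""

def parse_ace(tok):
    """Parse tokens of 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]'."""
    if len(tok) < 7 or tok[2] != "extended":
        return None
    pos = 5

    def take_addr():  # 'any' is one token; 'host X', 'interface X', 'NET MASK' are two
        nonlocal pos
        val = "any" if tok[pos] == "any" else tok[pos] + " " + tok[pos + 1]
        pos += 1 if val == "any" else 2
        return val

    def take_port():  # an optional 'eq PORT' right after an address
        nonlocal pos
        if pos + 1 < len(tok) and tok[pos] == "eq":
            pos += 2
            return tok[pos - 1]
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return {"name": tok[1], "proto": tok[4], "src": src, "sport": sport, "dst": dst, "dport": dport}

def lint(config):
    """Return [(line, message)] for every ACE that shows one of the two mistakes."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # access-group NAME in|out interface IFACE  ->  NAME: (direction, interface)
    bound = {t[1]: (t[2], t[4]) for t in (l.split() for l in lines)
             if t and t[0] == "access-group" and len(t) >= 5}
    findings = []
    for line in lines:
        tok = line.split()
        ace = parse_ace(tok) if tok and tok[0] == "access-list" else None
        if ace is None:
            continue
        if ace["sport"] and ace["proto"] in ("tcp", "udp"):
            findings.append((line, f"matches source port {ace['sport']}; filter on the destination port instead"))
        direction, iface = bound.get(ace["name"], (None, None))
        if direction == "in" and iface == "outside" and ace["dst"].startswith("host "):
            if ipaddress.ip_address(ace["dst"].split()[1]).is_private:
                findings.append((line, "inbound rule on outside names the inside address; use the mapped address or 'interface outside'"))
    return findings
```

Running `lint(SAMPLE_CONFIG)` flags the first line once, the second line twice, and leaves the corrected `interface outside` rule clean.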
03-29-2007 07:30 PM
One addendum to acomiskey's comments.
If you only have a single routable address (allocated by your ISP), then you need to use the keyword "interface" in both the static and ACL statements. Do not specify the outside IP address in the static command if you are overloading on the interface. That is not supported.
Sincerely,
David.
03-30-2007 12:00 PM
Yes, thanks David. If your outside interface address is 207.54.100.105, then your acls need to look like this:
access-list outside_access_in extended permit tcp any interface outside eq 3389
and as Vibhor wrote, your statics need to look like this:
static (inside,outside) tcp interface 3389 192.168.1.5 3389