05-16-2016 12:50 PM - edited 03-12-2019 12:45 AM
I need assistance with the command(s) needed to allow traffic from the outside interface on port 8181 to a device behind the firewall.
The outside (public) interface is using IP address 66.76.160.79.
The device that I need to access behind the firewall is 192.168.10.73 using port 8181.
The ASA Config is below.
BFECFIREWALL# sh run
: Saved
:
ASA Version 8.2(5)
!
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 66.76.160.79 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network STATIC-PAT
network-object host 192.168.10.73
access-list outtoin extended permit tcp any host 66.76.160.79 eq 8181
access-list inside_nat0_outbound extended permit ip host 192.168.10.73 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8181 192.168.10.73 8181 netmask 255.255.255.255
access-group outtoin in interface outside
route outside 0.0.0.0 0.0.0.0 66.76.160.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=BFEC
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 34dc4352
3082022c 30820195 a0030201 02020434 dc435230 0d06092a 864886f7 0d010105
05003028 310d300b 06035504 03130442 46454331 17301506 092a8648 86f70d01
09021608 63697363 6f617361 301e170d 31333039 32363037 31333437 5a170d32
33303932 34303731 3334375a 3028310d 300b0603 55040313 04424645 43311730
1506092a 864886f7 0d010902 16086369 73636f61 73613081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 818100b4 c015c994 d5de37a9 eb26cf18
4ba8e82e ff934677 c708525d db2d3c71 5e213b5e d655d74c 941a67c8 5c5f24ce
95ce5aba 7903db89 7613eace 63ca2b8d 06c2bab4 22bfe3f4 3ff559cb 29cf6793
6dd3862e 9391402b b43e1556 cddd6752 dd13d5a9 024a88e7 fda4dc66 35b5fb06
b127a666 60fadab7 2f78d5ec 1b623f8e 9cee0102 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 8014d9d6 c1e7d101 b686dc28 7695c343 ed166c02 a710301d
0603551d 0e041604 14d9d6c1 e7d101b6 86dc2876 95c343ed 166c02a7 10300d06
092a8648 86f70d01 01050500 03818100 4c99cce5 41766a8c 3ed589ed d2c8042f
2030c01e 3ededb27 04250bf7 fb494add 0d0d28aa e2f18407 d27de436 967bd4ca
08c09b7a cdf8ada8 6a7e2d45 040b3487 f0f2e660 9c5e255a bcb0507e a41033cd
535ea845 f34469d9 1484b32c 5c5cdf63 a45b8197 d541cea1 9f8d967a 7e2c7d71
19b93aa4 e583c396 b9e29cf4 60327ad5
quit
telnet timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username XXXX encrypted privilege 15
!
class-map http-class
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8d792f243b67d7198caf48fadb7da6bc
: end
05-16-2016 12:57 PM
I'm not sure what is wrong. Perhaps try changing:
access-list outtoin extended permit tcp any host 66.76.160.79 eq 8181
to:
access-list outtoin extended permit tcp any host 192.168.10.73 eq 8181
At some version it changed from having to be the outside address to the inside address, but I can't remember back that far. It was long ago.
05-24-2016 06:45 PM
Hi Saladart,
Since the ASA is running ASA code 8.2.5, the following ACE statement is right:
access-list outtoin extended permit tcp any host 66.76.160.79 eq 8181
After 8.3 the ACL references the private IP.
Please try the following:
- Run the packet-tracer command to check if the ASA will allow the traffic:
packet-tracer input outside tcp 8.8.8.8 1024 66.76.160.79 8181
- Could you please add a packet capture on the outside interface to see if there is traffic reaching the ASA on port 8181:
capture out interface outside trace match tcp any host 66.76.160.79 eq 8181
Best regards
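The two replies turn on one version-dependent rule: before ASA 8.3 the inbound ACE must reference the translated (outside) address, from 8.3 on it must reference the real (inside) address. The following Python script is an added example, not code from the thread or from Cisco; it parses an excerpt of the 8.2(5) configuration posted above plus a constructed variant with the ACE rewritten to the inside host, and reports whether the static PAT and the ACL applied inbound on `outside` agree for the code version found in the config. The function names, regexes and the 8.3 cut-over check are this example's own assumptions; it only understands the pre-8.3 `static (inside,outside) tcp ...` syntax, not 8.3+ object NAT.

```python
"""Check that an ASA static PAT and its inbound ACL reference the address the
running code version expects: the mapped (outside) address before 8.3, the
real (inside) address from 8.3 on. Added example, not from the thread."""
import re

# Excerpt of the 8.2(5) configuration posted in the thread (sub-commands
# re-indented by one space as the ASA prints them).
POSTED_CONFIG = """\
ASA Version 8.2(5)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.76.160.79 255.255.255.0
access-list outtoin extended permit tcp any host 66.76.160.79 eq 8181
static (inside,outside) tcp interface 8181 192.168.10.73 8181 netmask 255.255.255.255
access-group outtoin in interface outside
"""

# Constructed variant: same box, same version, but the ACE changed to the
# inside host as the first reply suggested. Not a configuration from the thread.
INSIDE_HOST_ACE_CONFIG = POSTED_CONFIG.replace(
    "permit tcp any host 66.76.160.79 eq 8181",
    "permit tcp any host 192.168.10.73 eq 8181")

VERSION_RE = re.compile(r"^ASA Version (\d+)\.(\d+)", re.M)
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\d+) (\S+) (\d+)", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)
ACE_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) \S+ host (\S+) eq (\d+)", re.M)


def parse_version(cfg):
    """Return (major, minor) from the 'ASA Version' line."""
    m = VERSION_RE.search(cfg)
    if not m:
        raise ValueError("no ASA Version line found")
    return int(m.group(1)), int(m.group(2))


def interface_addresses(cfg):
    """Map nameif -> IP address by walking each 'interface' block."""
    addrs, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            addrs[name] = line.split()[2]
    return addrs


def static_pats(cfg, addrs):
    """Return (real_ip, real_port, mapped_ip, mapped_port) for each pre-8.3
    'static (real_if,mapped_if) tcp ...' line; the keyword 'interface' resolves
    to the mapped interface's own address."""
    pats = []
    for _real_if, mapped_if, mapped, mport, real, rport in STATIC_RE.findall(cfg):
        if mapped == "interface":
            mapped = addrs[mapped_if]
        pats.append((real, int(rport), mapped, int(mport)))
    return pats


def inbound_aces(cfg, iface):
    """Return (dst_host, port) for the TCP ACEs of the ACL applied inbound on iface."""
    groups = {i: acl for acl, i in GROUP_RE.findall(cfg)}
    acl = groups.get(iface)
    return [(host, int(port)) for name, proto, host, port in ACE_RE.findall(cfg)
            if name == acl and proto == "tcp"]


def check_port_forward(cfg, outside="outside"):
    """Return a list of findings; an empty list means PAT and ACL agree."""
    version = parse_version(cfg)
    aces = set(inbound_aces(cfg, outside))
    findings = []
    for real, rport, mapped, mport in static_pats(cfg, interface_addresses(cfg)):
        # Pre-8.3 the inbound ACL is evaluated against the mapped address;
        # from 8.3 on NAT is undone first and the ACL sees the real address.
        if version < (8, 3):
            want, other = (mapped, mport), (real, rport)
        else:
            want, other = (real, rport), (mapped, mport)
        if want in aces:
            continue
        hint = " (ACE uses the address the other version family expects)" if other in aces else ""
        findings.append(f"ASA {version[0]}.{version[1]}: no ACE inbound on {outside} "
                        f"permits tcp any host {want[0]} eq {want[1]} "
                        f"for {real}:{rport}{hint}")
    return findings


if __name__ == "__main__":
    print("posted config:", check_port_forward(POSTED_CONFIG) or "ok")
    print("inside-host ACE:", check_port_forward(INSIDE_HOST_ACE_CONFIG) or "ok")
```

On the posted configuration the check returns no findings, which matches the second reply: the ACE and the static PAT already agree for 8.2(5), so the next step is the packet-tracer and capture the reply suggests rather than an ACL change. The constructed inside-host variant is flagged, with the hint that its ACE is the form an 8.3+ box would want.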