09-08-2010 11:34 PM - edited 03-11-2019 11:37 AM
Has anyone successfully created a port-forward in ASA5510, ASA version 8.3(1) ASDM6.3(1)?
I have spent hours now trying, but I'm still unsuccessful.
What I want is a simple: "if this particular IP address hits the WAN interface on this TCP port, redirect to this inside IP address on this TCP port."
I have never had any trouble on any other firewall creating something like this, but the ASA is killing me. Please help.
Kind regards Anders
09-08-2010 11:45 PM
See if this helps,
Old Configuration
static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255
Migrated Configuration
object network obj-10.1.1.16
 host 10.1.1.16
 nat (inside,outside) static 10.1.2.45 service tcp 8080 www
I'll be more than happy to convert your entire configuration just in case you need it
--regards
09-09-2010 01:25 AM
Hi abinjola
Thanks for the fast response.
It's not a migrated config, but a brand-new box configured from scratch in 8.3.
I have searched for help in the online help of the box, and tried different howtos, besides just "fooling" around to get it to work, but completely unsuccessfully.
I think I need the exact commands, in order to understand anything of what is going on.
Kind regards Anders
09-09-2010 01:33 AM
Did the above example of port forwarding commands work? What exact config/commands do you need?
I understand 8.3 is a total somersault in terms of NAT syntax and handling, but once you get accustomed to it, it will be as easy as a walk in the park.
Meanwhile I am sending you a link for 8.3 command structures and different examples:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html
--regards
09-10-2010 02:41 AM
Hi
I tried but here's how it goes.
nat (mgmt,wan) static 193.xxx.xxx.34 service tcp 823 23
ERROR: Address 193.xxx.xxx.34 overlaps with wan interface address.
ERROR: NAT Policy is not downloaded
09-09-2010 05:36 AM
Hello,
Please try the following:
Inside host 10.1.1.1
Outside address 100.1.1.1
Outside port HTTP
inside port 8080
object network Inside_server
 host 10.1.1.1
object network Outside_server
 host 100.1.1.1
object service Inside_port
 service tcp source eq 8080
object service Outside_port
 service tcp source eq 80
nat (inside,outside) source static Inside_server Outside_server service Inside_port Outside_port
If you want to make it a policy NAT where this should be applicable only for a specific destination, then
object network Outside_dst
 host 24.1.1.1
nat (inside,outside) source static Inside_server Outside_server destination static Outside_dst Outside_dst service Inside_port Outside_port
On the outside interface access-list, you need to allow access to the actual
IP of the inside device on the actual port.
access-list outside_access_in permit tcp any host 10.1.1.1 eq 8080
access-group outside_access_in in interface outside
Hope this helps.
Regards,
NT
09-10-2010 03:17 AM
I succeeded. Thank you so much :)
Best regards Anders
04-09-2012 01:06 PM
Hi! I am trying the same config but with no result.
Address xx.xx.xx.xx overlaps with Outside interface address.
Any help?
thanks
04-09-2012 01:18 PM
Hi, Indrit Qesja
Can you please make a new discussion about your problem with some background information.
It will probably get more/better answers that way.
I can look through your issue when you've posted some background information about what kind of situation you have and what you are trying to accomplish.
- Jouni
04-09-2012 05:10 PM
Indrit,
I am guessing you are using static nat against your outside interface's IP address (for example 203.100.100.100)
instead of using:
nat (inside,outside) static 203.100.100.100 service tcp 21 21
use:
nat (inside,outside) static interface service tcp 21 21
04-10-2012 12:56 AM
Hi Dennis!
I will test the NAT with static interface and I will come back to the forum.
Thank you very much.
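The answers above combined into one ASA 8.3 configuration, as an added example that is not from any poster in the thread: port forwarding on the outside interface's own address, limited to one client. It assumes the outside interface holds 203.100.100.100 (the address used in the guess above) and publishes 10.1.1.1:8080 on TCP 80; the client address 198.51.100.7 and the ACL name are constructed for illustration.

```cisco
! Constructed example for ASA 8.3(1); client address and names are hypothetical.
! Outside interface address is assumed to be 203.100.100.100.
!
! Rejected, because the mapped address is the interface's own address
! (this is the "overlaps with ... interface address" error seen in the thread):
!   nat (inside,outside) static 203.100.100.100 service tcp 8080 www
!
! Accepted: "interface" maps to whatever address the outside interface holds.
! Port order is real port first, mapped port second.
object network Inside_server
 host 10.1.1.1
 nat (inside,outside) static interface service tcp 8080 www
!
! Object NAT does not filter on the remote peer, so the single permitted
! client is enforced in the ACL. In 8.3 the ACL names the real (inside)
! address and the real port, not the translated ones.
access-list outside_access_in extended permit tcp host 198.51.100.7 host 10.1.1.1 eq 8080
access-group outside_access_in in interface outside
!
! Check from exec mode (not configuration commands):
!   show nat detail
!   packet-tracer input outside tcp 198.51.100.7 1025 203.100.100.100 80
```

Any other source address reaching TCP 80 on the outside interface is dropped by the implicit deny at the end of the access list.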