08-22-2011 04:48 AM - edited 03-11-2019 02:15 PM
Hi guys, how do I enable port forwarding on the CLI for an ASA 5510? The outside subnet is 192.168.1.0/27. When I try to ping another IP within that range I can't access it.
08-22-2011 04:54 AM
Here you go:
https://supportforums.cisco.com/message/3373195#3373195
Hope this helps!
Regards,
Anu
P.S. Do rate this post if it was helpful.
08-22-2011 04:59 AM
Hi,
What is the destination IP for which you are trying to do port forwarding, what ports do you want to use, and what is the public IP that you want to NAT to?
If you can provide this, I can definitely let you know the commands for it.
Thanks,
Varun
08-22-2011 06:48 AM
In auto NAT, you can define only one NAT statement per object network, so you would need the following:
object network Web_for_server
host 10.0.4.2
nat (DMZ,outside) static 196.33.156.37 service tcp 80 80
object network RDP_for_server
host 10.0.4.2
nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389
This should be your configuration. If you use the first, the second statement would replace the first statement.
I hope this helps you out.
Thanks,
Varun
08-25-2011 05:46 AM
Can you explain it to me with an example?
Remember, on one interface in one direction you can only apply one access-group, which means if you have an access-group:
access-group test in interface inside
and then you add:
access-group test_acl in interface inside
the second would replace the first access-group, and that is what I guess you are experiencing.
Hope this helps
Thanks,
Varun
08-25-2011 06:04 AM
Hi Chigumbab,
First create 9 access-list entries like this:
access-list out_in permit tcp any host 10.0.4.2 eq www
access-list out_in permit tcp any host 10.0.4.3 eq 3389
access-list out_in permit tcp any host 10.0.4.4 eq 443
...
access-list out_in permit tcp any host 10.0.4.9 eq 22
and then apply all 9 ACL entries with one access-group only:
access-group out_in in interface outside
That's it; you do not need to create an access-group for each ACL entry, just one is required.
Hope this was helpful
Thanks,
Varun
08-22-2011 06:38 AM
Hi Varun, the public IP range is 196.33.156.32/27 and my outside interface has the first usable IP.
Partial config for one server:
object network Web&RDP
host 10.0.4.2
nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389
nat (DMZ,outside) static 196.33.156.37 service tcp 80 80
08-22-2011 06:46 AM
No this is not correct, let me give you the correct config.
08-22-2011 06:56 AM
Thank you Varun. Will chat to you tomorrow, I am setting this up tomorrow. This is perfect, I can see all my configs with what you told me.
08-22-2011 07:01 AM
Sure no problem, let me know if you face any issues.
-Varun
08-22-2011 07:20 AM
Sure, I will update you.
08-22-2011 10:17 PM
Hi Varun, I have an issue. I want to set up multiple public IPs on the outside interface and NAT them to 9 servers internally. Each server will have its own external public IP, which will then NAT to the internal IP and do port forwarding. My outside interface IP is 196.33.156.33/27 and I want to use the public IPs within this range and NAT them to the internal network range 10.0.4.0/24.
When I tested with one of the public IPs for one of the servers it's not responding. Can you help? Am I missing something? These are some of my NAT rules:
nat (DMZ,outside) static 196.33.156.51 service tcp www www
nat (DMZ,outside) static 196.33.156.38 service tcp 3389 3389
08-22-2011 10:46 PM
Hi,
Apart from the NAT statement you would also need the access-list to allow the access from outside.
Varun
08-22-2011 10:49 PM
For example:
object network RDP_for_server
host 10.0.4.2
nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389
access-list outside_access_in extended permit tcp any host 10.0.4.2 eq 3389
access-group outside_access_in in interface outside
Can you apply this and check?
Thanks,
Varun
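The replies above make three points that are easy to get wrong when typing the config by hand: auto NAT keeps only one `nat` line per object network, the inbound ACL on the outside interface must permit the real (pre-NAT) host and port for every forward (the ACLs in this thread reference 10.0.4.2, not the public address, as ASA 8.3 and later expect), and a second `access-group` on the same interface and direction replaces the first. The following Python audit is an added example, not code from this thread or from Cisco; it parses the text of `show run object`, `show run nat`, `show run access-list` and `show run access-group` pasted together and reports each violation. The port-keyword table is a small subset, and the two sample configs are constructed for the example from the addresses used in the thread.

```python
"""Added example (not from the thread): audit ASA 8.3+ auto-NAT port forwards
against the inbound ACL. Checks one nat statement per object network, a permit
for the REAL (pre-NAT) host and port in the ACL bound inbound on the mapped
interface, and a single access-group per interface and direction."""
import re
from collections import defaultdict

# Port keywords the ASA accepts in place of numbers (subset used in the thread).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22,
              "smtp": 25, "snmp": 161, "telnet": 23}

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s*host (\d+\.\d+\.\d+\.\d+)$")
NAT_RE = re.compile(r"^\s*nat \(([^,()]+),([^,()]+)\) static (\d+\.\d+\.\d+\.\d+) "
                    r"service (tcp|udp) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp) any "
                    r"host (\d+\.\d+\.\d+\.\d+) eq (\S+)$")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def port_number(token):
    """Normalise 'www' / '80' style tokens to an integer port."""
    t = token.lower()
    if t in PORT_NAMES:
        return PORT_NAMES[t]
    if t.isdigit():
        return int(t)
    raise ValueError(f"unknown port token {token!r}")


def parse_config(text):
    """Collect objects (host + nat lines), ACL entries and access-group bindings.
    'object network X' appears twice (show run object, then show run nat); both
    blocks are merged under the same name."""
    objects = {}                      # name -> {"host": ip, "nats": [...]}
    acl_entries = defaultdict(set)    # acl name -> {(proto, real_ip, real_port)}
    bindings = defaultdict(list)      # (interface, direction) -> [acl names, in order]
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if m := OBJECT_RE.match(line):
            current = objects.setdefault(m.group(1), {"host": None, "nats": []})
        elif (m := HOST_RE.match(line)) and current is not None:
            current["host"] = m.group(1)
        elif (m := NAT_RE.match(line)) and current is not None:
            real_if, mapped_if, mapped_ip, proto, real_port, mapped_port = m.groups()
            current["nats"].append((real_if, mapped_if, mapped_ip, proto,
                                    port_number(real_port), port_number(mapped_port)))
        elif m := ACL_RE.match(line):
            name, proto, ip, port = m.groups()
            acl_entries[name].add((proto, ip, port_number(port)))
            current = None
        elif m := AG_RE.match(line):
            bindings[(m.group(2), "in")].append(m.group(1))
            current = None
    return objects, acl_entries, bindings


def audit(text):
    """Return human-readable findings; an empty list means every forward is permitted."""
    objects, acl_entries, bindings = parse_config(text)
    findings = []
    for name, obj in objects.items():
        if len(obj["nats"]) > 1:
            findings.append(f"object {name}: {len(obj['nats'])} nat statements; "
                            "auto NAT keeps only one per object network")
        for real_if, mapped_if, mapped_ip, proto, real_port, mapped_port in obj["nats"]:
            if obj["host"] is None:
                findings.append(f"object {name}: nat statement but no host defined")
                continue
            bound = bindings.get((mapped_if, "in"), [])
            active = bound[-1] if bound else None          # the last access-group wins
            if active is None or (proto, obj["host"], real_port) not in acl_entries[active]:
                findings.append(f"object {name}: {mapped_ip}:{mapped_port}/{proto} -> "
                                f"{obj['host']}:{real_port} has no permit in the ACL "
                                f"bound inbound on {mapped_if}")
    for (iface, direction), names in bindings.items():
        if len(names) > 1:
            findings.append(f"interface {iface} {direction}: {len(names)} access-groups "
                            f"({', '.join(names)}); only {names[-1]} stays applied")
    return findings


# Constructed sample: three forwards, but the ACL only covers 10.0.4.2, so the
# 10.0.4.3 web forward is silently dead.
SAMPLE_INCOMPLETE = """\
object network betx0-web
 host 10.0.4.2
object network betx0-RDP
 host 10.0.4.2
object network betx3-web
 host 10.0.4.3
object network betx0-web
 nat (DMZ,outside) static 196.33.156.37 service tcp www www
object network betx0-RDP
 nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389
object network betx3-web
 nat (DMZ,outside) static 196.33.156.39 service tcp www www
access-list out_in extended permit tcp any host 10.0.4.2 eq 3389
access-list out_in extended permit tcp any host 10.0.4.2 eq www
access-group out_in in interface outside
"""

# Constructed sample reproducing the two mistakes the replies warn about.
SAMPLE_BROKEN = """\
object network Web_and_RDP
 host 10.0.4.2
 nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389
 nat (DMZ,outside) static 196.33.156.37 service tcp 80 80
access-list test permit tcp any host 10.0.4.2 eq 3389
access-list test_acl permit tcp any host 10.0.4.2 eq www
access-group test in interface outside
access-group test_acl in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("incomplete", SAMPLE_INCOMPLETE), ("broken", SAMPLE_BROKEN)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see the findings for the two samples, or replace the sample strings with the concatenated `show run` output from your own unit. Because `show run nat` prints the `object network` name again without its `host` line, the parser merges both appearances of an object under one name; a `nat` line whose object never received a `host` is reported separately, since the ACL check cannot be made without the real address.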
08-22-2011 10:53 PM
Hi Varun,
I did that and applied the ACLs but still the same thing. These are my ACLs:
access-list betx0OUTSIDE_IN extended permit tcp any host 10.0.4.2 eq 3389
access-group betx0OUTSIDE_IN in interface outside
I have these for the different IPs I have. Is there anything else I should do?
08-22-2011 10:55 PM
Can you provide me output of:
show run nat
show run access-group
show run access-list betx0OUTSIDE_IN
I'll try and isolate the issue.
Thanks,
Varun
08-22-2011 11:04 PM
betxfirewall# show run access-list betx0OUTSIDE_IN
access-list betx0OUTSIDE_IN extended permit tcp any host 10.0.4.2 eq 3389
access-list betx0OUTSIDE_IN extended permit tcp any host 10.0.4.2 eq 161
access-list betx0OUTSIDE_IN extended permit tcp any host 10.0.4.2 eq www
betxfirewall#
betxfirewall# sh run nat
!
object network betx11
nat (DMZ,outside) static 196.33.156.51 service tcp 3389 3389
object network betx0-web
nat (DMZ,outside) static 196.33.156.37 service tcp www www
object network betx0-RDP
nat (DMZ,outside) static 196.33.156.37 service tcp 3389 3389
object network betx3-RDP
nat (DMZ,outside) static 196.33.156.39 service tcp 3389 3389
object network betx3-https
nat (DMZ,outside) static 196.33.156.39 service tcp https https
object network betx3-web
nat (DMZ,outside) static 196.33.156.39 service tcp www www
object network betx3-ftp
nat (DMZ,outside) static 196.33.156.39 service tcp ftp ftp
object network betx4-web
nat (DMZ,outside) static 196.33.156.48 service tcp www www
object network betx4-https
nat (DMZ,outside) static 196.33.156.48 service tcp https https
object network betx4-RDP
nat (DMZ,outside) static 196.33.156.48 service tcp 3389 3389
object network betx4-SQL
nat (DMZ,outside) static 196.33.156.48 service tcp 1433 1433
object network betx4-SNMP
nat (DMZ,outside) static 196.33.156.48 service udp snmp snmp
betxfirewall# sh access-group
^
ERROR: % Invalid input detected at '^' marker.
betxfirewall#