Solved: ASA 5516-X CLI 9.8 - need help getting port-forward working

JossEllis · ‎10-03-2019

I have an ASA-5516-X that I'm migrating an old 5510 to. As an example I have the below, which is trying to take inbound port 54321 and routing that to 'thing:80' inside.

object network thing

host 192.168.1.27

nat (inside,outside) static interface service tcp 54321 www

access-list outside_access_in extended permit tcp any host 192.168.1.27 eq 54321

but connecting from an outside connection to http://<static_ip>:54321 just times out

If I do

packet-tracer input outside tcp 8.8.8.8 60002 <static_ip> 80

it shows all ACL & NAT is fine

If I'm on the inside, I can access the service, so I know it's working

If all the above is OK - how can I see what's stopping it connecting?

Thanks

Marius Gunnerud · ‎10-03-2019

You have the ports in your NAT statement swapped around.

Here is the format it should be in:

nat (<REAL-INTF>, <MAPPED-INTF>) static <MAPPED-IP> [service <tcp|udp> <REAL-PORT> <MAPPED-PORT>]

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎10-03-2019

You have the ports in your NAT statement swapped around.

Here is the format it should be in:

nat (<REAL-INTF>, <MAPPED-INTF>) static <MAPPED-IP> [service <tcp|udp> <REAL-PORT> <MAPPED-PORT>]

--
Please remember to select a correct answer and rate helpful posts

JossEllis · ‎10-04-2019

OMG so I do !! thank you for that spot :)

It all works correctly .. thanks you