ASA 8.4 port forward command request

CHUN FAI LAW
Level 1

I can't do it with ASDM, and I tried to use the command, but it still fails:

nat (inside,outside) source static inside-10.18.20.162 4F-1.1.1.2

It works fine with the above command if there is more than one public IP; in this case 1.1.1.1 is the firewall interface's public IP.

If I have only one public IP and I would like to forward HTTP traffic to my internal network,

how can I do that with a command?


8 Replies

CHUN FAI LAW
Level 1

It shows this error when I do it this way:

object service http
 service tcp source eq www

ASA5510(config)# nat (inside,outside) source static inside-10.18.20.162 4F-1.1.1.1 service http http

ERROR: Address 1.1.1.1 overlaps with outside interface address.

ERROR: NAT Policy is not downloaded

Jouni Forss
VIP Alumni

Hi,

You can use this configuration also to just forward the port TCP/80 to the "inside" device.

I presume that you are using the "outside" interface public IP address.

object network SERVER
 host 10.18.20.162
 nat (inside,outside) static interface service tcp 80 80

access-list OUTSIDE-IN permit tcp any object SERVER eq 80
access-group OUTSIDE-IN in interface outside

This would configure a Network Object NAT that would use the public IP address of your ASA "outside" interface and forward the port TCP/80 to the internal host of 10.18.20.162 when connecting from the Internet. It also defines the ACL rule and attaches that ACL to the "outside" interface.

If you already have an ACL in place, then you naturally just add the rule to that ACL.

Hope this helps

Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.

Ask more if needed

- Jouni

Thanks, Jouni.

When I try to input this command, it is rejected with an error:

ASA5510(config)# ASA5510(config)# nat (inside,outside) source static interface service tcp 80 80
                                                                                                                              ^
ERROR: % Invalid input detected at '^' marker.
ASA5510(config)#

Hi,

You need to enter it under the "object network SERVER"

Both the "host" configuration line and the "nat" configuration lines are parameters of the "object network SERVER"

So the source address of the NAT and the actual NAT configuration are contained under the "object network SERVER"

- Jouni

Thanks so much, all the commands can be input to the router, although access to the web server is not allowed at the moment.

But I know how to create the rule through ASDM now. Thanks so much.

Hi,

If the reply answered your question, please mark it as the correct answer

- Jouni

Access to the web server finally works. I found that the problem came from one dynamic NAT that was before the static one, which made it crash.

Hi,

I tend to configure the Default Dynamic PAT rule for my LAN networks in the following way

object-group network DEFAULT-PAT-SOURCE

network-object 10.10.10.0 255.255.255.0

network-object 10.10.20.0 255.255.255.0

network-object 10.10.30.0 255.255.255.0

nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

The "object-group" contains all the networks that need Dynamic PAT. The source interface is "any" so we don't have to configure multiple Dynamic PAT statements.

This way it won't interfere with Static NAT, Static PAT, NAT0 or any other configurations.

Some people leave the "after-auto" part away, which in turn means that the Dynamic PAT rule is way higher in the priority of NAT configurations to match against traffic than it is when it's configured with the "after-auto" parameter.

- Jouni
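An added lint (not from the thread, and not a Cisco tool) that reads an ASA 8.3+ configuration and flags the ordering problem the original poster hit: a manual (twice) NAT dynamic rule without "after-auto" sits in section 1 and is evaluated before the object NAT static rule in section 2. It assumes the documented lookup order (section 1 = manual NAT, section 2 = object NAT, section 3 = manual NAT with after-auto) and that object NAT lines are indented under their "object network" as in a running-config.

```python
"""Added example: classify ASA 8.3+ NAT statements by lookup section and
flag a section-1 dynamic manual-NAT rule that precedes an object-NAT
static rule (the port-forward breakage discussed in the thread).
Section order assumed from ASA documentation: 1 = manual NAT without
after-auto, 2 = object (auto) NAT, 3 = manual NAT with after-auto."""
import re

# Constructed sample config reproducing the thread's broken ordering.
SAMPLE_BAD = """
object network SERVER
 host 10.18.20.162
 nat (inside,outside) static interface service tcp 80 80
nat (any,outside) source dynamic DEFAULT-PAT-SOURCE interface
"""
# Same config with the dynamic PAT moved to section 3, as recommended above.
SAMPLE_GOOD = SAMPLE_BAD.replace("nat (any,outside) source",
                                 "nat (any,outside) after-auto source")


def parse_nat_rules(config):
    """Return (section, kind, line) for every nat statement, in config order."""
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("nat "):
            continue
        indented = raw.startswith(" ")            # sub-command of an object network
        kind = "static" if " static " in line else "dynamic"
        if indented:
            section = 2                            # object (auto) NAT
        elif " after-auto " in line:
            section = 3                            # manual NAT, after object NAT
        else:
            section = 1                            # manual NAT, checked first
        rules.append((section, kind, line))
    return rules


def find_shadowing(config):
    """Section-1 dynamic rules that are evaluated ahead of an object-NAT static."""
    rules = parse_nat_rules(config)
    has_static_object = any(s == 2 and k == "static" for s, k, _ in rules)
    return [line for s, k, line in rules
            if s == 1 and k == "dynamic" and has_static_object]


def suggest_fix(line):
    """Move a section-1 manual NAT line to section 3 by inserting after-auto."""
    return re.sub(r"^(nat \([^)]*\)) ", r"\1 after-auto ", line, count=1)
```

Run it over a saved "show running-config nat" and any line returned by find_shadowing is a candidate for the after-auto form Jouni describes.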
