ASA 9.0 Port forwarding

layne.peterson1
Level 1

I've got an ASA 5505 and I'm not very familiar with ASAs, let alone the 8.3+ release versions. I'm trying to set up some port forwarding, and using port 3389 just to test. I have this set up in the ASA:

object network PC_IP
 nat (inside,outside) static interface service tcp 3389 3389 


And these access-rules set up to allow it:

access-list outside_access_in extended permit object PC_T3389 any object PC_IP 

After the first rule didn't work I tried this, without restricting IP at all.

access-list outside_access_in extended permit object PC_T3389 any any

When I actually test it or use Packet Tracer it doesn't work. Here is the output from Packet Tracer:

packet-tracer input outside tcp 66.236.77.178 61000 208.64.90.2 3389 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   208.64.90.2     255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
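Reading the packet-tracer output above: on 8.3+ the interface ACL is checked against the real (untranslated) address, and a flow that matches the static NAT shows an UN-NAT phase before the ACCESS-LIST phase; here no UN-NAT phase appears and the flow lands on the implicit deny. The parser below is an added example, not code from this thread or from Cisco; it reads the phases out of the trace and reports the dropping phase and whether UN-NAT ran, using a constructed, trimmed copy of the output above as input.

```python
import re
# Constructed sample: the relevant lines of the packet-tracer run from the question above.
SAMPLE = """Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 2
Type: NAT
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
FIELD = re.compile(r"^([A-Za-z][\w -]*?):\s*(.*)$")  # "Key: value" lines

def parse_packet_tracer(text):
    """Return (phases, summary); unkeyed lines such as 'Implicit Rule' go under 'Details'."""
    phases, cur = [], {"Details": []}
    for line in text.splitlines():
        m = FIELD.match(line)
        key, val = (m.group(1), m.group(2)) if m else (None, line.strip())
        if key == "Phase" or (key == "Result" and not val):  # new phase or final summary block
            if "Phase" in cur:
                phases.append(cur)
            cur = {"Details": []}
        if key:
            cur[key] = val
        elif val:
            cur["Details"].append(val)
    return phases, cur

def diagnose(text):
    """Report the dropping phase and whether an UN-NAT phase ran before it (on 8.3+ the ACL
    matches real addresses, so a forward that never reaches UN-NAT ends at the implicit deny)."""
    phases, summary = parse_packet_tracer(text)
    dropped = next((p for p in phases if p.get("Result") == "DROP"), None)
    if dropped is None:
        return {"drop_phase": None, "drop_reason": summary.get("Drop-reason")}
    earlier = phases[: phases.index(dropped)]
    return {
        "drop_phase": int(dropped["Phase"]),
        "implicit_deny": "Implicit Rule" in dropped["Details"],
        "un_nat_seen": any(p.get("Type") == "UN-NAT" for p in earlier),
        "drop_reason": summary.get("Drop-reason"),
    }
```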

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

This is a NAT misconfiguration and I would request you to post the NAT commands from the ASA device.

Thanks and Regards,

Vibhor Amrodia

Yeah, that's what I'm thinking as well. I played with it some more and I was able to get it to work using network object NAT, but at that point I can only forward one port to that network object. If I try to configure another port, it will overwrite the original with the new port.


nat (inside,outside) source static Inside_hosts NAT_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
!
object network PC_IP
 nat (any,outside) static interface service tcp 3389 3389
!
nat (any,any) after-auto source static VPN_USERS VPN_USERS destination static Inside_hosts Inside_hosts
nat (inside,outside) after-auto source dynamic Inside_hosts interface


I tried to forward UDP 69 and TCP 3389 and only one would work at a time. There has to be a way to forward multiple non-contiguous ports to the same host, correct?


Hi,

The only way is to use Object NAT with the range keyword to forward contiguous ports.

There is no way to forward multiple discontiguous ports on the ASA device.

Thanks and Regards,

Vibhor Amrodia
