ASA Port forwarding

jay_7301
Level 1

Hello,

 

I'm used to using Fortigate, so any help would be great. When setting up a port forward from, let's say, a public IP 81.176.13.2 to a local 172.30.1.1 port 80, and then the same but using service port 25, I'm confused as to where you define the ports, because it seems you can either define them within the NAT process or within an ACL?

 

Would it be cleaner NOT to define the port within the NAT rule, and then lock the ports down within the ACL?

 

Thanks

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

The only reason it is recommended to use the ports within the NAT statement (Static PAT) is the case when you have multiple internal hosts (private addresses) that you want to make reachable from the Internet using a single public IP.

If there is no such restriction, then it is recommended to use Static NAT (one-to-one mapping) and then lock the ports down using the ACL.

Hope that clears your query.

Thanks and Regards,

Vibhor Amrodia

Thanks. So, for example, if I have 3 internal hosts:

192.168.1.1 ( web server port 80 )

192.168.1.2 ( email server port 25 )

192.168.1.3 ( remote access 3389 )

mapping to the same public IP, let's say 1.1.1.1,

would I have to create 3 NAT statements and define each port within the NAT statement (static PAT)?

Do I also have to add this to the ACL even though I have defined it within the NAT statement?

 

Thanks for the response, much appreciated :)

Hi,

Yes, in this case you would have to use Static PAT, as there are many internal devices and a single public IP.

Also, yes, you would have to create an ACL for this port to allow the traffic in addition to the NAT statement.

For ASA 8.3+:

NOTE: I have used the outside interface IP as the mapped IP for the server.

object network obj-192.168.1.1
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 80 80
!
! In 8.3+ the interface ACL matches the real (inside) address, so
! reference the network object, and restrict to the forwarded port.
access-list Outside_in extended permit tcp any object obj-192.168.1.1 eq 80
access-group Outside_in in interface outside

Same for the other ports.

Thanks and Regards,

Vibhor Amrodia
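To put both replies together for the three-host scenario asked about above (web on 192.168.1.1:80, mail on 192.168.1.2:25, RDP on 192.168.1.3:3389 behind one public IP), here is an added, complete ASA 8.3+ configuration. It is an editorial example, not config from the thread or from Cisco. It assumes interfaces named inside and outside, that the outside interface carries the single public IP (203.0.113.1 is used as a stand-in), and that 198.51.100.7 is a hypothetical administrator address allowed to reach RDP; the one-to-one alternative at the end assumes a hypothetical spare public IP 203.0.113.2.

```cisco
! Added example (not from the thread): ASA 8.3+ static PAT for three
! inside hosts behind one public IP, plus the ACL that actually opens
! the ports. Assumed: interfaces inside/outside, outside IP 203.0.113.1,
! hypothetical admin source 198.51.100.7 for RDP.
!
! --- Static PAT: one network object and one nat line per host/port ---
object network obj-web-192.168.1.1
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 80 80
!
object network obj-mail-192.168.1.2
 host 192.168.1.2
 nat (inside,outside) static interface service tcp 25 25
!
object network obj-rdp-192.168.1.3
 host 192.168.1.3
 nat (inside,outside) static interface service tcp 3389 3389
!
! --- Interface ACL: the nat lines only translate; without these permits
! the outside ACL still drops the traffic. In 8.3+ the ACL is matched
! against the REAL (inside) address, so reference the objects above,
! not the public IP. RDP is limited to a known source instead of "any".
object-group network RDP-ADMINS
 description Hypothetical admin host(s) allowed to reach 3389
 network-object host 198.51.100.7
!
access-list Outside_in extended permit tcp any object obj-web-192.168.1.1 eq 80
access-list Outside_in extended permit tcp any object obj-mail-192.168.1.2 eq 25
access-list Outside_in extended permit tcp object-group RDP-ADMINS object obj-rdp-192.168.1.3 eq 3389
access-group Outside_in in interface outside
!
! --- Alternative from the first reply: when a SPARE public IP exists
! (203.0.113.2, hypothetical), map the host one-to-one and let the ACL
! alone decide which ports are exposed. Use this INSTEAD of the static
! PAT object for that host, not in addition to it.
! object network obj-web-1to1
!  host 192.168.1.1
!  nat (inside,outside) static 203.0.113.2
! access-list Outside_in extended permit tcp any object obj-web-1to1 eq 80
```

To check the result without waiting for real traffic, run `show nat` to confirm the three translations, then `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.1 3389` and the same command from a non-admin source address: the first should report ALLOW through the NAT and ACCESS-LIST phases, the second should show DROP at the ACCESS-LIST phase. Two practitioner caveats: the RDP entry is the one most worth restricting by source rather than opening to `any`, and the ASA default global_policy includes `inspect esmtp`, which acts on the port 25 forward, so check `show service-policy` if the mail server behaves oddly after the change.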
