Basic Port Forwarding ASA5505 Version 8.4 ASDM 6.4

RalphSmithIII
Level 1

Hi everyone,

I am very new to configuring the ASA, particularly after the change to how NAT is implemented.  What I am trying to accomplish logically seems fairly simple, yet I cannot get it to work.  I have a Synology NAS at home that I am trying to reach via the internet.  Prior to using my ASA, I had Verizon's FIOS router as my gateway and everything forwarded with no issues.

As much as I've researched I haven't had any luck.  The ports I need forwarded or reachable via the internet are TCP port 80 and 5000.

I can also configure it via command line if that's the easier/preferred method.

Any help would be greatly appreciated!

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Ralph,

Let's say the internal NAS host is 192.168.12.2 and you will be using the outside public IP address to access it:

! Real (inside) address of the NAS
object network NAS
 host 192.168.12.2
! Service objects: the NAS's listening port is the source port
object service 5000
 service tcp source eq 5000
object service HTTP
 service tcp source eq 80
! Static port forwards on the outside interface address
nat (inside,outside) 1 source static NAS interface service 5000 5000
nat (inside,outside) 2 source static NAS interface service HTTP HTTP
! The ACL references the real IP of the NAS
access-list outside_in permit tcp any host 192.168.12.2 eq 5000
access-list outside_in permit tcp any host 192.168.12.2 eq 80
access-group outside_in in interface outside

Remember to rate all of my posts ( How to? Mark The five stars at the bottom of my reply)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That did the trick!  Love the internet and people willing to contribute their time and knowledge.

Glad to know I could help

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have the same issue, but you wrote your answer in console commands, not like ASDM 6.4.

Can you please help me with the ASA...

The problem is:

The D-Link DI824 router (IP 192.168.100.1 255.255.255.0) has rules (Virtual Servers port forwarding) that send TCP ports 34000-34300 to the ASA5505 (vlan2 IP 192.168.100.4 255.255.252.0). Connections to this router's ports come from outside (e.g. 81.30.199.4, etc.).

So, the question is how to configure NAT or PAT to port forward these connections to other inside IP addresses.

For example: 34234 to local IP 192.168.100.152:34234

and next 34235 to local IP 192.168.100.23:34235

and next 34236 to local IP 192.168.100.133:34236

and so on.

It has to have like 300 rules, or a little bit less.

Thank you so much!

Hello Kirill,

object service tcp-34234
 service tcp source eq 34234
object network Internal-server1
 host 192.168.100.152
nat (inside,outside) source static Internal-server1 interface service tcp-34234 tcp-34234

Those would be the commands for the NAT rules.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
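
Added example, not part of the original thread: since roughly 300 forwards of this shape are needed, a short Python generator can emit the object, NAT and ACL lines from a port-to-host list. The function name, the `Internal-serverN` numbering and the `source` parameter are assumptions of this example; the ACL lines follow the form used in the accepted answer.

```python
import ipaddress

# Port-to-host pairs taken from the example in the post above.
SAMPLE = [(34234, "192.168.100.152"), (34235, "192.168.100.23"),
          (34236, "192.168.100.133")]


def build_port_forwards(mapping, acl="outside_in", source="any"):
    """Return ASA 8.4 CLI lines for (tcp_port, internal_ip) pairs.

    `source` goes into the ACL as written, e.g. "host 81.30.199.4" to admit
    only a known client instead of "any" (an assumption of this example).
    """
    hosts, ports = {}, set()
    objects, nats, aces = [], [], []
    for port, ip in mapping:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid TCP port: {port}")
        if port in ports:
            # One outside port can only be forwarded to one inside host.
            raise ValueError(f"port {port} is forwarded twice")
        ports.add(port)
        ip = str(ipaddress.IPv4Address(ip))  # raises ValueError if malformed
        if ip not in hosts:
            hosts[ip] = f"Internal-server{len(hosts) + 1}"
            objects += [f"object network {hosts[ip]}", f" host {ip}"]
        svc = f"tcp-{port}"
        # "source eq": the inside server's listening port is the source port
        # as seen by an (inside,outside) rule.
        objects += [f"object service {svc}", f" service tcp source eq {port}"]
        nats.append(f"nat (inside,outside) source static {hosts[ip]} "
                    f"interface service {svc} {svc}")
        # The ACL names the real (inside) address, as in the accepted answer.
        aces.append(f"access-list {acl} permit tcp {source} host {ip} eq {port}")
    return objects + nats + aces + [f"access-group {acl} in interface outside"]


if __name__ == "__main__":
    print("\n".join(build_port_forwards(SAMPLE)))
```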

Thank you jcarvaja!

But it doesn't work for me exactly.

Probably you forgot something, or I don't understand it the right way.

Router dlink (192.168.100.1 has global inside IP 92.52.142.86 from the ISP, it is static)

Clients from the public network have to connect to it using this IP (92.50.142.86 and a specific TCP port, 34601 and so on)

The router has connections to local PCs with IPs 192.168.100.23, 192.168.100.152 etc.

On these PCs, servers are running on ports 192.168.100.23:34601-34605, 192.168.100.152:34601-34605.

The ASA has 2 interfaces: 1 inside (1-7 ports) and 2 outside (0 port)

inside: 192.168.100.4/24

outside: 192.168.0.4/24

The D-Link router is connected with the Cisco through a switch: router LAN port to the switch, and the Cisco inside interface to the switch.

Local PCs are connected through the switch as well.

Do I have to use the outside interface (0 port)?

You wrote this rule:

nat (inside,outside) source static Internal-server1 interface service tcp-34234 tcp-34234

Why does it go with the "outside" word?

I did it and tried packet tracer and it shows that everything is good.

But still there are no connections.

I don't even know how to monitor everything..... )

Please help )

If I change the virtual servers in the D-Link router to connect straight to the PCs, it works. But I can't write such a number of rules. It allows me to write 23 rules, let's say any 34605 to 192.168.100.23:34605, any 34606 to 192.168.100.152:34606. But it will be only 23 rules.

I tried to write only one rule, any TCP 34600-34900 to the ASA5505 (192.168.100.4:34600-34900), but the ASA doesn't understand where to send it forward.

           

I still don't have a solution. Please help!

What I did:

The local PC lenovo (192.168.12.5), which is waiting for a connection from the internet, is located on the inside interface (192.168.12.4).

The ASA also has an outside interface (192.168.100.4).

The D-Link router 192.168.100.1 has a virtual server to port forward to 192.168.100.4 (the ASA's outside interface).

The ASA has to port forward it as well to 192.168.12.5 because it has NAT rules,

and it still doesn't work!

Please, any suggestions?

Hello Kirill,

Let's start from zero.

So you are doing NAT on two parts: your ASA and the outside router.

On what port do you want to connect from the outside interface?

You will use the outside interface IP address to do the NAT, right?

Can you share the following:

show run nat

And the show run objects for each of the objects that you have created for the NAT.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Result of the command: "show run object"

This part of objects:

object network lenovo
 host 192.168.12.5
object network out
 host 192.168.0.4
object service 34608
 service tcp source eq 34608 destination eq 34608

Result of the command: "show run nat"

nat (inside,outside) source static lenovo interface service 34608 34608

Also:

Result of the command: "show run all"

: Saved
:
ASA Version 8.4(3)
!
interface Ethernet0/0
 switchport access vlan 2
 switchport mode access
 no switchport protected
 speed auto
 duplex auto
 delay 10
!
interface Ethernet0/1
 switchport access vlan 1
 switchport mode access
 no switchport protected
 speed auto
 duplex auto
 delay 10
!

On what port do you want to connect from the outside interface? 34608.

You will use the outside interface IP address to do the NAT right? What do You mean?

PC lenovo 192.168.0.5 is located inside. It is waiting for a connection from outside.

Outside has only one port, Ethernet 0/0, and its IP is 192.168.100.4; the cable from this port goes to router 192.168.100.1.

Thank you very much for helping! You are the only person who can help!

Hello,

Please change this:

object service 34608
 no service tcp source eq 34608 destination eq 34608
 service tcp source eq 34608

Leave it like that,

do the following and share the output:

packet-tracer input outside tcp 4.2.2.2 1025 192.168.0.4 34608

So just to confirm, on the outside interface you are using the 192.168.0 range, right?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
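
Added example, not part of the original thread: a Python check over pasted `show run object` / `show run nat` text that flags the service-object mistake corrected in the reply above, where the object also carried `destination eq`, so the rule only matched clients whose own port was 34608. The function name, messages and sample text (constructed from the output posted earlier, with indentation restored) are this example's own.

```python
import re

# Constructed from the "show run object" / "show run nat" output posted above.
POSTED = """\
object network lenovo
 host 192.168.12.5
object service 34608
 service tcp source eq 34608 destination eq 34608
nat (inside,outside) source static lenovo interface service 34608 34608
"""

NAT_RE = re.compile(r"nat \(\S+,\S+\)(?: \d+)? source static \S+ \S+ "
                    r"service (\S+) (\S+)")


def lint_port_forward_services(config):
    """Return (object_name, problem) pairs for service objects used in
    static port-forward NAT rules of the form shown in this thread."""
    services, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object service (\S+)$", line)
        if m:
            current = m.group(1)
        elif raw[:1].isspace():
            # Indented sub-command of the object currently being read.
            if current and line.startswith("service "):
                services[current] = line.split()
        else:
            current = None  # any other top-level line ends the object
    findings = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        for name in dict.fromkeys(m.groups()):  # de-duplicate, keep order
            tokens = services.get(name)
            if tokens is None:
                findings.append((name, "service object is not defined"))
            elif "destination" in tokens:
                findings.append((name, "also pins the client's port"))
            elif "source" not in tokens:
                findings.append((name, "server port is not given as source"))
    return findings


if __name__ == "__main__":
    for name, problem in lint_port_forward_services(POSTED):
        print(f"object service {name}: {problem}")
```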

Thank You jcarvaja!

It's working now! You are Great!

dffdejesus
Level 1

Hi all,

Please kindly help me with my issue.

All I want to do is: all HTTP traffic (port 80) going to our public IP 210.4.104.xx will port forward to our web server 10.0.1.155,

and all port 39393 traffic (a port that I created) going to our public IP 210.4.104.xx will port forward to 10.0.1.155:39393.

I really appreciate your help.

Thanks

Hello Dexter,

What OS version are you running?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

Thanks for the reply. My OS version is 8.4(2).
