cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

23044
Views
25
Helpful
21
Replies
RalphSmithIII
Beginner

Basic Port Forwarding ASA5505 Verion 8.4 ASDM 6.4

Hi everyone,

I am very new to configuring the ASA particulary after the change to how NAT is implemented.  What I am trying to accomplish logically seems fairly simple, yet I cannot get it to work.  I have a Synology NAS at home that I am trying to reach via the internet.  Prior to using my ASA, I had Verizon's FIOS router as my gateway and everything forwarded with no issues. 

As much as I've researched I haven't had any luck.  The ports I need forwarded or reachable via the internet are TCP port 80 and 5000.

I can also configure it via command line if that's the easier/preferred method.

Any help would be greatly appreciated!

21 REPLIES 21

Hello Dexter,

all I want to perform is all http port ( port 80 ) going to our public IP 210.4.104.xx will port

forward to our web server  10.0.1.155

and  all port 39393 ( port that I created ) going to our public IP 210.4.104.xx  will port

forward to 10.0.1.155:39393

object network Host-A

host 10.0.1.155

Object Network Outside_IP

host 210.4.104.xx

Object Service TCP_HTTP

service tcp source eq 80

object Service tcp_PORT2

service tcp source eq 39393

nat (inside,outside) source static Host-A Outside_IP service TCP_HTTP TCP_HTTP

nat (inside,outside) source static Host-A Outside_IP service  tcp_PORT2 tcp_PORT2

access-list out_in permit tcp any host  10.0.1.155 eq 80

access-list out_in permit tcp any host  10.0.1.155 eq 39393

access-group out_in in interface outside

That's it buddy As a thanks you can visit my webiste and make sure you talk about it with your friends hehe

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank for the Post..I will give it a try later and will update you..

I always visit your site, and its very helpful

Hello Dexter,

No problem my pleasure to help.

And it's always great to hear that kind of information

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

receiving error:

Error: Address 210.4.104.xx overlaps with outside interface address

Error: Nat Policy is not downloaded

thanks

Regards,

Dexter

Hello,

if you are using the Outside interface IP address then use:

nat (inside,outside) source static Host-A interface service TCP_HTTP TCP_HTTP

nat (inside,outside) source static Host-A interface  service  tcp_PORT2 tcp_PORT2

Interface is a keyword recognized by the ASA that lets you know you want to use the Outside IP address for the NAT

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

I tried the configuration you've provided me, but unfortunately I tested it this morning

and it dosn't work..I tried accessing our webserver 10.0.1.155 locally and the webpage appears.

but when I tried using outside it doesnt show anything

jgreene427
Beginner

Hello kindly help me with a small fwding issue.      i have a static outside-in ip mapped from 205.214.236.53 >>> 192.168.111.30    this is setup already..      what i need to do is any request made to 250.214.236.53:1610   needs to forward to the same port on the internal IP 192.168.111.30:1610

 

Also i simply need to open a few other ports 9000,85,40085,49005

 

please let me know how to do this through SSH console

 

Thanks

ASA 5505     show run   is below

 

ciscoasa(config)# show run
: Saved
:
ASA Version 9.0(2)
!
hostname ciscoasa
domain-name scec.local
enable password ol40hHpZTtZQFXMJ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ol40hHpZTtZQFXMJ encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif INSIDE
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
interface Vlan2
 nameif OUTSIDE
 security-level 0
 ip address 205.214.236.50 255.255.255.240
!
boot system disk0:/asa902-k8.bin
boot system disk0:/asa825-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
 name-server 192.168.111.50
 name-server 8.8.8.8
 domain-name scec.local
object network LAN
 subnet 192.168.111.0 255.255.255.0
object network SERVER1
 host 192.168.111.50
object network SERVER1_PUBLIC
 host 205.214.236.51
object network SERVER2
 host 192.168.111.20
object network SERVER2_PUBLIC
 host 205.214.236.52
object network SERVER3
 host 192.168.111.30
object network SERVER3_PUBLIC
 host 205.214.236.53
object network SERVER4
 host 192.168.111.40
object network SERVER4_PUBLIC
 host 205.214.236.54
object network SERVER5
 host 192.168.111.10
object network SERVER5_PUBLIC
 host 205.214.236.55
object-group service SERVER1_PORTS tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq pop3
 port-object eq imap4
 port-object eq 3389
object-group service SERVER2_PORTS tcp
 port-object eq 3389
object-group service SERVER3_PORTS tcp
 port-object eq 3389
object-group service SERVER4_PORTS tcp
 port-object eq 3389
object-group service SERVER5_PORTS tcp
 port-object eq 3389
 port-object eq www
 port-object eq https
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any log
access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any log
access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 0.0.0.0 255.255.255.0 any log
access-list OUTSIDE_IN extended deny ip 244.0.0.0 255.255.255.240 any log
access-list OUTSIDE_IN extended deny ip host 255.255.255.255 any log
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit tcp any object SERVER1 object-group SERVER1_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER2 object-group SERVER2_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER3 object-group SERVER3_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER4 object-group SERVER4_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER5 object-group SERVER5_PORTS
access-list inside-out extended permit ip any any
pager lines 24
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
ip audit name OUTSIDE_ATTACK attack action alarm drop
ip audit name OUTSIDE_INFO info action alarm
ip audit name INSIDE_ATTACK attack action alarm drop reset
ip audit name INSIDE_INFO info action alarm
ip audit interface INSIDE INSIDE_INFO
ip audit interface OUTSIDE OUTSIDE_INFO
ip audit interface OUTSIDE OUTSIDE_ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 6051 disable
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-509.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,OUTSIDE) source static SERVER1 SERVER1_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER2 SERVER2_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER3 SERVER3_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER4 SERVER4_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER5 SERVER5_PUBLIC
!
object network LAN
 nat (INSIDE,OUTSIDE) dynamic interface
access-group inside-out in interface INSIDE
access-group OUTSIDE_IN in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 205.214.236.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
ssh version 2
console timeout 0

dhcpd option 3 ip 192.168.111.1
!
dhcpd address 192.168.111.100-192.168.111.200 INSIDE
dhcpd dns 192.168.111.50 8.8.8.8 interface INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username wti password OIEBfkGT1DRShCnN encrypted privilege 15
username admin password g/t7o/eHDKMomDrS encrypted privilege 15
username vpnuser password 8DcFkqJ9hi39UQw. encrypted privilege 15
username sysadmin password mi1AUI982JWkJuWt encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6dd04d2527e7929343ebd090969e18a1
: end

Create
Recognize Your Peers
Content for Community-Ad