Cisco 5512-x v9.1 help

wayne loh
Level 1

Hi Guys,

I need some help/advice on the configuration below, as I want to configure port forwarding to separate internal devices to serve external parties. I have only one WAN IP, which is already assigned to the firewall's outside interface...

External User ----> ASA ------> Server, NAS

Please help, I am having difficulties making it work..

                                                  

6 Replies

Eddy Duran
Level 1

Hello Wayne,

It's something that can be done.

You can use the following configuration as an example:

object network server
 host 192.168.1.1
 nat (inside,outside) static interface service tcp 80 80

object network NAS
 host 192.168.1.10
 nat (inside,outside) static interface service tcp 443 443

Let me know if you have any doubt or question.

-Eddy Duran

Hi Eddy,

Thanks for the reply. I tried the above commands but it's not working... do I have to add any ACL?

 

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group gcmjp
 ip address pppoe setroute (1.1.1.1)
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif WiFi
 security-level 50
 ip address 192.168.3.1 255.255.255.0 
!
interface GigabitEthernet0/3
 nameif Phoneline
 security-level 90
 ip address 192.168.4.1 255.255.255.0 
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network JP_LAN
 subnet 192.168.2.0 255.255.255.0
object network SG_LAN
 subnet 192.168.1.0 255.255.255.0
object network Synology1
 host 192.168.2.155
object network Synology2
 host 192.168.2.243
object network BackupServer
 host 192.168.2.11
object network JP
 subnet 192.168.2.0 255.255.255.0
object network WiFi
 subnet 192.168.3.0 255.255.255.0
object network NAS5006
 host 192.168.2.155
object network Server3389
 host 192.168.2.11
object service RDP3389
 service tcp source eq 3389 destination eq 3389 
object service NAS5003
 service tcp source eq 5003 destination eq 5003 
object-group service RDP tcp
 port-object eq 3389 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WiFi 1500
mtu Phoneline 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static JP_LAN JP_LAN destination static SG_LAN SG_LAN no-proxy-arp route-lookup
nat (inside,outside) source dynamic JP_LAN interface
nat (WiFi,outside) source dynamic WiFi interface
!
object network Synology1
 nat (inside,outside) static interface service tcp 5003 5003 
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside

Wayne,

 

Correct, you also need to create an ACL to permit the inbound traffic from a low to a high security level.

 

access-list outside_in extended permit tcp any host <Private IP> eq <Port>

Using the following NAT as an example:

object network Synology1
 nat (inside,outside) static interface service tcp 5003 5003

access-list outside_in extended permit tcp any host 192.168.2.155 eq 5003
access-group outside_in in interface outside

Let me know how it goes. 

 

-Eddy Duran

Hi Eddy,

Thanks once again. No luck after I entered the commands in... Please help..

 

access-list outside_access_in extended permit tcp any object Synology1 eq 5003 
access-list outside_access_in extended permit tcp any object Synology2 eq 5007 
access-list outside_access_in extended permit tcp any object BackupServer eq 3389 
access-list outside_access_in extended permit tcp any object BackupServer eq 6050 
access-list outside_access_in extended permit udp any object BackupServer eq 6050 
access-list outside_access_in extended permit tcp any object Synology2 eq 5005 
access-list outside_access_in extended permit tcp any object Synology2 eq ftp 
access-list outside_access_in extended permit tcp any object Synology2 eq 5000 
access-list outside_access_in extended permit tcp any object Synology1 eq 5002 
access-list outside_access_in extended permit tcp any object Synology1 eq 5006 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WiFi 1500
mtu Phoneline 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static JP_LAN JP_LAN destination static SG_LAN SG_LAN no-proxy-arp route-lookup
nat (inside,outside) source dynamic JP_LAN interface
nat (WiFi,outside) source dynamic WiFi interface
!
object network Synology1
 nat (inside,outside) static interface service tcp 5003 5003 
object network Synology2
 nat (inside,outside) static interface service tcp 5007 5007 
object network BackupServer
 nat (inside,outside) static interface service tcp 3389 3389 
object network BackupServer_6050_tcp
 nat (inside,outside) static interface service tcp 6050 6050 
object network Synology2_ftp
 nat (inside,outside) static interface service tcp ftp ftp 
access-group outside_access_in in interface outside
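The rule Eddy states above (on ASA 8.3 and later, an object-NAT static PAT needs a permit in the ACL bound inbound on the outside interface, written against the real address and real port) checked mechanically against a config like the one just posted. This is an added example, not code from the thread or from Cisco; the parser only understands the handful of statement forms used in the posted configs, and the sample config is constructed here to mirror them (object names and addresses taken from the thread, not from a device).

```python
"""Lint a Cisco ASA (8.3+) config for the port-forwarding mistakes this thread turns on:
a static PAT (object NAT) with no permit in the inbound ACL, permits with no NAT behind
them, a missing access-group, and management opened to the whole internet.  Added
example, not from the thread or Cisco; handles only the statement forms posted above."""
import re
from dataclasses import dataclass, field

PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "https": 443}  # ASA service-name subset
OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
PAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static interface service (tcp|udp) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any (?:object (\S+)|host (\S+)) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")


def port_number(token: str) -> int:
    """Turn an ASA port token ('5003' or 'ftp') into a number."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


@dataclass
class Report:
    pat_without_acl: list = field(default_factory=list)  # (proto, real host, real port)
    acl_without_pat: list = field(default_factory=list)  # (proto, real host, real port)
    no_inbound_acl: list = field(default_factory=list)   # mapped interfaces with no access-group
    mgmt_from_any: list = field(default_factory=list)    # interfaces with 'http 0.0.0.0 0.0.0.0'
    unresolved_objects: list = field(default_factory=list)


def lint(config: str) -> Report:
    hosts, pats, acls, bound, current = {}, [], [], {}, None
    report = Report()
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := OBJECT_RE.match(line):
            current = m.group(1)
        elif (m := HOST_RE.match(line)) and current:
            hosts[current] = m.group(1)
        elif m := PAT_RE.match(line):
            _, mapped_if, proto, real_port, _ = m.groups()
            if current in hosts:
                pats.append((mapped_if, proto, hosts[current], port_number(real_port)))
            else:
                report.unresolved_objects.append(current)
        elif m := ACL_RE.match(line):
            name, proto, obj, host, port = m.groups()
            if obj and obj not in hosts:
                report.unresolved_objects.append(obj)
            else:
                acls.append((name, proto, hosts[obj] if obj else host, port_number(port)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
        elif (m := HTTP_RE.match(line)) and m.group(1) == m.group(2) == "0.0.0.0":
            report.mgmt_from_any.append(m.group(3))
    # Post-8.3 ACLs match the real (untranslated) address and port, so each PAT needs
    # a permit for proto/real host/real port in the ACL bound inbound on its mapped interface.
    for mapped_if, proto, host, port in pats:
        acl = bound.get(mapped_if)
        if acl is None and mapped_if not in report.no_inbound_acl:
            report.no_inbound_acl.append(mapped_if)
        if (acl, proto, host, port) not in acls:
            report.pat_without_acl.append((proto, host, port))
    # Permits with nothing translated behind them are dead now but go live once a NAT is added.
    translated = {(p, h, pt) for _, p, h, pt in pats}
    report.acl_without_pat = [(p, h, pt) for _, p, h, pt in acls if (p, h, pt) not in translated]
    return report


# Constructed sample modelled on the config posted above (not from a real device).
SAMPLE_CONFIG = """\
object network Synology1
 host 192.168.2.155
object network Synology2
 host 192.168.2.243
object network Synology2_ftp
 host 192.168.2.243
object network BackupServer
 host 192.168.2.11
object network BackupServer_6050_tcp
 host 192.168.2.11
access-list outside_access_in extended permit tcp any object Synology1 eq 5003
access-list outside_access_in extended permit tcp any object Synology1 eq 5006
access-list outside_access_in extended permit udp any object BackupServer eq 6050
access-list outside_access_in extended permit tcp any object Synology2 eq ftp
object network Synology1
 nat (inside,outside) static interface service tcp 5003 5003
object network BackupServer_6050_tcp
 nat (inside,outside) static interface service tcp 6050 6050
object network Synology2_ftp
 nat (inside,outside) static interface service tcp ftp ftp
access-group outside_access_in in interface outside
http 0.0.0.0 0.0.0.0 outside
"""

if __name__ == "__main__":
    print(lint(SAMPLE_CONFIG))
```

Run as a script it prints the report for the sample: the tcp 6050 PAT has only a udp permit behind it, the 5006 and udp 6050 permits translate nothing, and management is reachable from any address. The last two findings are worth acting on beyond the missing-permit case the thread is about: permits with no NAT behind them are dead entries today but become live the moment a matching translation is added, and the line http 0.0.0.0 0.0.0.0 outside, which also appears in the config posted earlier, lets every host on the internet reach the ASDM/HTTPS management service on the outside interface; restrict it to the management network or a known source address.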

Hello Wayne,

What are you doing to test the connection?

Can you run the following command?

packet-tracer input outside tcp 4.2.2.2 13254 <Outside IP address> 5003

If you are getting a flow control, captures will be needed in order to determine the problem.

capture out interface outside match tcp any host <Outside IP address> eq 5003
capture in interface inside match tcp any host 192.168.2.155 eq 5003

You can verify the output by using show capture out and show capture in.

-Eddy Duran
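A small parser for the packet-tracer output Eddy asks for, as an added example rather than anything from the thread or from Cisco: it splits the report into its phases, finds the first phase that returns DROP, and prints the rule that was hit, so the missing-ACL case shows up as an implicit-rule drop at the ACCESS-LIST phase right after the UN-NAT phase has already untranslated the outside address to 192.168.2.155. The two sample reports are constructed in the command's output format; 1.1.1.1 stands in for the outside address as it does in the thread, and the phases shown are a subset of what a real run prints.

```python
"""Parse the output of the ASA 'packet-tracer input ...' command suggested above and
report where the simulated packet dies.  Added example, not from the thread or from
Cisco; the sample reports below are constructed in the command's output format, with
1.1.1.1 standing in for the outside address as it does in the thread."""
import re

PHASE_RE = re.compile(r"^Phase: (\d+)$")


def parse_packet_tracer(output: str) -> dict:
    """Split packet-tracer output into its numbered phases and the final verdict."""
    phases, final, current, section = [], {}, None, None
    for raw in output.splitlines():
        line = raw.rstrip()
        if m := PHASE_RE.match(line):
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":  # a bare 'Result:' opens the summary block
            current, section = None, "final"
        elif section == "final":
            key, sep, value = line.partition(": ")
            if sep:
                final[key.lower()] = value
        elif current is not None:
            if line in ("Config:", "Additional Information:"):
                section = "config" if line == "Config:" else "info"
            elif section in ("config", "info"):
                if line:
                    current[section].append(line)
            else:
                key, sep, value = line.partition(": ")
                if sep and key.lower() in ("type", "subtype", "result"):
                    current[key.lower()] = value
    return {"phases": phases, "action": final.get("action", ""),
            "drop_reason": final.get("drop-reason"), "egress": final.get("output-interface")}


def first_drop(parsed: dict):
    return next((p for p in parsed["phases"] if p["result"] == "DROP"), None)


def diagnose(output: str) -> str:
    """One-line verdict: where the packet was dropped and which rule did it."""
    parsed = parse_packet_tracer(output)
    drop = first_drop(parsed)
    if drop is None:
        return (f"allowed, egress {parsed['egress']}" if parsed["action"] == "allow"
                else f"dropped: {parsed['drop_reason']}")
    return (f"dropped at phase {drop['phase']} ({drop['type']}): {parsed['drop_reason']}; "
            f"rule hit: {' | '.join(drop['config']) or 'none'}")


# Constructed samples in packet-tracer's report format (not real device output).
UNNAT_PHASE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Synology1
 nat (inside,outside) static interface service tcp 5003 5003
Additional Information:
Untranslate 1.1.1.1/5003 to 192.168.2.155/5003

"""
# What the poster would see before adding the ACL: the implicit deny hits.
NO_ACL_OUTPUT = UNNAT_PHASE + """\
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
WITH_ACL_OUTPUT = UNNAT_PHASE + """\
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object Synology1 eq 5003
Additional Information:

Result:
output-interface: inside
Action: allow
"""

if __name__ == "__main__":
    print(diagnose(NO_ACL_OUTPUT))
    print(diagnose(WITH_ACL_OUTPUT))
```

The useful signal is the pairing of phases: if UN-NAT appears with the right Untranslate line and the drop comes at ACCESS-LIST, the NAT is fine and only the permit is missing; if no UN-NAT phase appears at all, the static PAT itself is not matching and the captures Eddy suggests are the next step.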

wayne loh
Level 1

Please, can anyone help???

Appreciated!
