12-03-2014 05:09 AM - edited 03-11-2019 10:10 PM
Hi Guys,
I need some help/advice on the configuration below. I want to configure port forwarding to separate devices internally to serve external parties. I have only one WAN IP, which is already assigned to the firewall outside interface...
External User ---->ASA------>Server, NAS
Please help, I'm having difficulties making it work...
12-03-2014 08:50 AM
Hello Wayne,
It's something that can be done.
You can use the following configuration as an example:
object network server
host 192.168.1.1
nat (Inside,Outside) static interface service tcp 80 80
object network NAS
host 192.168.1.10
nat (Inside,Outside) static interface service tcp 443 443
Let me know if you have any doubt or question.
-Eddy Duran
12-03-2014 09:05 AM
Hi Eddy,
Thanks for the reply. I tried the above commands but it's not working... do I have to add any ACL?
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group gcmjp
ip address pppoe setroute (1.1.1.1)
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif WiFi
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet0/3
nameif Phoneline
security-level 90
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network JP_LAN
subnet 192.168.2.0 255.255.255.0
object network SG_LAN
subnet 192.168.1.0 255.255.255.0
object network Synology1
host 192.168.2.155
object network Synology2
host 192.168.2.243
object network BackupServer
host 192.168.2.11
object network JP
subnet 192.168.2.0 255.255.255.0
object network WiFi
subnet 192.168.3.0 255.255.255.0
object network NAS5006
host 192.168.2.155
object network Server3389
host 192.168.2.11
object service RDP3389
service tcp source eq 3389 destination eq 3389
object service NAS5003
service tcp source eq 5003 destination eq 5003
object-group service RDP tcp
port-object eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WiFi 1500
mtu Phoneline 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static JP_LAN JP_LAN destination static SG_LAN SG_LAN no-proxy-arp route-lookup
nat (inside,outside) source dynamic JP_LAN interface
nat (WiFi,outside) source dynamic WiFi interface
!
object network Synology1
nat (inside,outside) static interface service tcp 5003 5003
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
12-03-2014 09:30 AM
Wayne,
Correct, you also need to create an ACL to permit the inbound traffic from a low to a high security level.
access-list outside_in extended permit tcp any host <Private IP> eq <Port>
Using the following NAT as an example:
object network Synology1
nat (inside,outside) static interface service tcp 5003 5003
access-list outside_in extended permit tcp any host 192.168.2.155 eq 5003
access-group outside_in in interface outside
Let me know how it goes.
-Eddy Duran
12-03-2014 03:42 PM
Hi Eddy,
Thanks once again. No luck after I put the commands in... Please help...
access-list outside_access_in extended permit tcp any object Synology1 eq 5003
access-list outside_access_in extended permit tcp any object Synology2 eq 5007
access-list outside_access_in extended permit tcp any object BackupServer eq 3389
access-list outside_access_in extended permit tcp any object BackupServer eq 6050
access-list outside_access_in extended permit udp any object BackupServer eq 6050
access-list outside_access_in extended permit tcp any object Synology2 eq 5005
access-list outside_access_in extended permit tcp any object Synology2 eq ftp
access-list outside_access_in extended permit tcp any object Synology2 eq 5000
access-list outside_access_in extended permit tcp any object Synology1 eq 5002
access-list outside_access_in extended permit tcp any object Synology1 eq 5006
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WiFi 1500
mtu Phoneline 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static JP_LAN JP_LAN destination static SG_LAN SG_LAN no-proxy-arp route-lookup
nat (inside,outside) source dynamic JP_LAN interface
nat (WiFi,outside) source dynamic WiFi interface
!
object network Synology1
nat (inside,outside) static interface service tcp 5003 5003
object network Synology2
nat (inside,outside) static interface service tcp 5007 5007
object network BackupServer
nat (inside,outside) static interface service tcp 3389 3389
object network BackupServer_6050_tcp
nat (inside,outside) static interface service tcp 6050 6050
object network Synology2_ftp
nat (inside,outside) static interface service tcp ftp ftp
access-group outside_access_in in interface outside
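Eddy's two replies above describe the pair of things every forward on ASA 8.3+ needs: an object NAT that maps a port on the outside interface address to the real host, and a permit on the ACL bound inbound to outside that names the real (untranslated) address and port. The script below is an added example, not part of this thread and not a Cisco tool; it cross-checks those two halves in a pasted configuration. Its sample input is constructed from the lines Wayne posted above, and it understands only the syntax that appears on this page (`object network` with `host`, `nat (in,out) static interface service tcp|udp <real> <mapped>`, `access-list ... extended permit tcp|udp any object <X>|host <ip> eq <port>`, `access-group ... in interface`, and `http <ip> <mask> <if>`). The port-name table is the handful of names the ASA prints in place of numbers.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines from the configuration posted in this thread.
# Indentation is lost in the paste, so the parser strips leading whitespace.
SAMPLE_CONFIG = """\
http 0.0.0.0 0.0.0.0 outside
object network Synology1
host 192.168.2.155
object network Synology2
host 192.168.2.243
object network BackupServer
host 192.168.2.11
access-list outside_access_in extended permit tcp any object Synology1 eq 5003
access-list outside_access_in extended permit tcp any object Synology2 eq 5007
access-list outside_access_in extended permit tcp any object BackupServer eq 3389
access-list outside_access_in extended permit tcp any object BackupServer eq 6050
access-list outside_access_in extended permit udp any object BackupServer eq 6050
access-list outside_access_in extended permit tcp any object Synology2 eq 5005
access-list outside_access_in extended permit tcp any object Synology2 eq ftp
access-list outside_access_in extended permit tcp any object Synology2 eq 5000
access-list outside_access_in extended permit tcp any object Synology1 eq 5002
access-list outside_access_in extended permit tcp any object Synology1 eq 5006
object network Synology1
nat (inside,outside) static interface service tcp 5003 5003
object network Synology2
nat (inside,outside) static interface service tcp 5007 5007
object network BackupServer
nat (inside,outside) static interface service tcp 3389 3389
object network BackupServer_6050_tcp
nat (inside,outside) static interface service tcp 6050 6050
object network Synology2_ftp
nat (inside,outside) static interface service tcp ftp ftp
access-group outside_access_in in interface outside
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(rf"^host {IP}$")
NAT_RE = re.compile(r"^nat \((\w+),(\w+)\) static interface service (tcp|udp) (\S+) (\S+)$")
ACL_RE = re.compile(rf"^access-list (\S+) extended permit (tcp|udp) any (?:object (\S+)|host {IP}) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
HTTP_RE = re.compile(rf"^http {IP} {IP} (\S+)$")
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "https": 443}  # names the ASA prints


def port(token):
    """Numeric port from a number or one of the well-known names above."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_asa(text):
    cfg = {"hosts": {}, "forwards": [], "acls": defaultdict(list), "groups": {}, "http": []}
    current = None  # object whose host/nat lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if m := OBJ_RE.match(line):
            current = m.group(1)
        elif (m := HOST_RE.match(line)) and current:
            cfg["hosts"][current] = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            real_if, mapped_if, proto, real, mapped = m.groups()
            cfg["forwards"].append({"object": current, "mapped_if": mapped_if, "proto": proto,
                                    "real_port": port(real), "mapped_port": port(mapped)})
        elif m := ACL_RE.match(line):
            name, proto, obj, ip, p = m.groups()
            cfg["acls"][name].append({"proto": proto, "object": obj, "ip": ip, "port": port(p)})
        elif m := GROUP_RE.match(line):
            cfg["groups"][m.group(2)] = m.group(1)  # interface -> ACL bound inbound on it
        elif m := HTTP_RE.match(line):
            cfg["http"].append(m.groups())
    return cfg


def check_forwarding(cfg):
    """Return (category, message) findings; an empty list means NAT and ACL agree."""
    hosts, findings = cfg["hosts"], []
    for f in cfg["forwards"]:
        acl = cfg["groups"].get(f["mapped_if"])
        real_ip = hosts.get(f["object"])
        if acl is None:
            findings.append(("no_access_group", f"{f['object']}: nothing bound inbound on {f['mapped_if']}, forwarded traffic is dropped"))
        elif real_ip is None:
            findings.append(("unknown_host", f"{f['object']}: NAT present but no host/subnet in the supplied text"))
        elif not any(a["proto"] == f["proto"] and a["port"] == f["real_port"]
                     and (a["ip"] == real_ip or hosts.get(a["object"]) == real_ip) for a in cfg["acls"][acl]):
            findings.append(("nat_without_acl", f"{f['proto']}/{f['mapped_port']} -> {real_ip}:{f['real_port']} has no permit in {acl}"))
    for iface, acl in cfg["groups"].items():
        for a in cfg["acls"][acl]:
            target = a["ip"] or hosts.get(a["object"])
            # A forward whose object has no host line in the text is given the benefit of the doubt.
            if not any(f["proto"] == a["proto"] and f["real_port"] == a["port"] and f["mapped_if"] == iface
                       and hosts.get(f["object"]) in (None, target) for f in cfg["forwards"]):
                findings.append(("acl_without_nat", f"{acl} permits {a['proto']}/{a['port']} to {a['object'] or a['ip']} but no static NAT maps that port"))
    for ip, mask, iface in cfg["http"]:
        if ip == mask == "0.0.0.0":
            findings.append(("management_exposed", f"ASDM/HTTPS management reachable from any address on {iface}"))
    return findings


if __name__ == "__main__":
    for category, message in check_forwarding(parse_asa(SAMPLE_CONFIG)):
        print(f"{category:20s} {message}")
```

Run against the paste above it reports no missing permits for the three forwards whose objects have host lines, but it does flag the permits for tcp/5000, 5002, 5005, 5006 and udp/6050, which have no static NAT and so can never match inbound traffic while only interface PAT exists for those ports; the two NAT objects (BackupServer_6050_tcp, Synology2_ftp) whose host lines are not in the text; and the `http 0.0.0.0 0.0.0.0 outside` line, which exposes ASDM/HTTPS management to the whole Internet and is worth restricting regardless of the forwarding problem. A static check like this only tells you whether the configuration is internally consistent; it does not replace `packet-tracer` and captures on the box, which show what the ASA actually does with a packet.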
12-04-2014 06:41 AM
Hello Wayne,
What are you doing for testing the connection?
Can you run the following command?
packet-tracer input outside tcp 4.2.2.2 13254 <Outside IP address> 5003
If you are getting a flow control, captures will be needed in order to determine the problem.
capture out interface outside match tcp any host <Outside IP address> eq 5003
capture in interface inside match tcp any host 192.168.2.155 eq 5003
You can verify the output by using show cap out and show cap in.
-Eddy Duran
12-03-2014 09:03 PM
Please, can anyone help???
Appreciated!