Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
632
Views
0
Helpful
2
Replies

External access to an internal router via ASA

VAbr AVib
Level 1
Level 1

‎01-01-2013 05:14 AM - edited ‎03-12-2019 06:04 PM

I am aware that we can allow external admins to telnet over a custom port to the internal router. Even i was allowed to connect to a remote router via the remote firewall. The way i was accessing the router is by telnet to the remote ASA address on port 8023.

I am not sure how exactly we can configure this on a ASA. Please help.

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎01-01-2013 05:23 AM

Hi,

So you would like to know how to forward certain TCP ports traffic from the ASAs outside interface to the local router behind it

Heres examples for both old and new softwares

  • 8.2 and below
  • 8.3 and above

Check your firewalls software level with "show version" command on the CLI

8.2 and below configuration format

static (inside,outside) tcp interface 8023 10.10.10.10 23 netmask 255.255.255.255

access-list OUTSIDE-IN permit tcp any host eq 8023

Where

  • inside = source interface
  • outside = destination interface
  • tcp = protocol for forward
  • interface = the public IP used is "outside" interfaces
  • 8023 = mapped port facing public network
  • 23 = real port on the local router

8.3 and above

  • Notice that contrary to the older software the ACL rules are made with the Local IP address and Local/real port of the LAN device

object network PORTFORWARD-MGMT

host 10.10.10.10

nat (inside,outside) static interface service tcp 23 8023

access-list OUTSIDE-IN permit tcp any object PORTFORWARD-MGMT eq 23

Where

  • PORTFORWARD-MGMT = name of the object under which the Local IP address for NAT and the actual NAT configuration
  • inside = source interface
  • outside = destination interface
  • tcp = protocol for forward
  • interface = the public IP used is "outside" interfaces
  • 8023 = mapped port facing public network
  • 23 = real port on the local router

Naturally in both cases you should consider what source address to use in the ACL statements. For examples sake I just used the keyword "any" that would allow anyone to connect.

Please rate the answer if the information was helpfull

- Jouni

0 Helpful

VAbr AVib
Level 1
Level 1
In response to Jouni Forss

‎01-01-2013 10:12 PM

Thanks a lot. Got some idea, let me try this.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card